From 8187d61f70aee55cc5a1e305bd70ae89d9c107cd Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 27 Jan 2025 16:47:52 -0600
Subject: [PATCH] test: add test for lua base64

Combined test, testing base64 in rule and output context.
---
 tests/lua/lua-base64/README.md | 5 +++
 tests/lua/lua-base64/output.lua | 43 ++++++++++++++++++
 tests/lua/lua-base64/rule.lua | 70 ++++++++++++++++++++++++++++++
 tests/lua/lua-base64/suricata.yaml | 18 ++++++++
 tests/lua/lua-base64/test.rules | 3 ++
 tests/lua/lua-base64/test.yaml | 18 ++++++++
 6 files changed, 157 insertions(+)
 create mode 100644 tests/lua/lua-base64/README.md
 create mode 100644 tests/lua/lua-base64/output.lua
 create mode 100644 tests/lua/lua-base64/rule.lua
 create mode 100644 tests/lua/lua-base64/suricata.yaml
 create mode 100644 tests/lua/lua-base64/test.rules
 create mode 100644 tests/lua/lua-base64/test.yaml
diff --git a/tests/lua/lua-base64/README.md b/tests/lua/lua-base64/README.md
new file mode 100644
index 000000000..44266a221
--- /dev/null
+++ b/tests/lua/lua-base64/README.md
@@ -0,0 +1,5 @@
+Test Lua hashing lib:
+
+```
+local hashing = require("suricata.hashing")
+```
diff --git a/tests/lua/lua-base64/output.lua b/tests/lua/lua-base64/output.lua
new file mode 100644
index 000000000..4782019ec
--- /dev/null
+++ b/tests/lua/lua-base64/output.lua
@@ -0,0 +1,43 @@
+-- Test that "suricata.base64" can be used from a Lua output
+-- script. More thourough testing of base64 in rule.lua.
+
+local base64 = require("suricata.base64")
+
+local expected_base64 = "d3d3LnN1cmljYXRhLWlkcy5vcmc="
+
+filename = "results.log"
+
+function init (args)
+ local needs = {}
+ needs["protocol"] = "dns"
+ return needs
+end
+
+function setup (args)
+ SCLogNotice("lua: setup()")
+ file = assert(io.open(SCLogPath() .. "/" .. filename, "w"))
+end
+
+function log(args)
+ queries = DnsGetQueries()
+ if queries ~= nil then
+ for n, t in pairs(queries) do
+
+ if base64.encode(t["rrname"]) == expected_base64 then
+ msg = "OK"
+ else
+ msg = "FAIL"
+ end
+
+ write(msg)
+ end
+ end
+end
+
+function deinit(args)
+ file:close(file)
+end
+
+function write(msg)
+ file:write(msg .. "\n")
+end
diff --git a/tests/lua/lua-base64/rule.lua b/tests/lua/lua-base64/rule.lua
new file mode 100644
index 000000000..92e9c122b
--- /dev/null
+++ b/tests/lua/lua-base64/rule.lua
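Review bot: `file` in setup(), and `queries` and `msg` in log(), are assigned without `local`, so they land in the script's global environment; `file` should be declared once at script level as `local file` so that setup(), deinit() and write() share it, while `queries` and `msg` can be plain locals inside log(). In deinit(), `file:close(file)` passes the handle a second time even though the method-call form already supplies it, so `file:close()` is the intended call. The loop variable `n` in `for n, t in pairs(queries) do` is unused and would conventionally be written `_`. The header comment also misspells "thorough" as "thourough".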
@@ -0,0 +1,70 @@
+local base64 = require("suricata.base64")
+
+local rrname = "www.suricata-ids.org"
+local expected_base64 = "d3d3LnN1cmljYXRhLWlkcy5vcmc="
+local expected_base64_nopad = "d3d3LnN1cmljYXRhLWlkcy5vcmc"
+
+local input_base64_with_spaces = "d3 d3 Ln N1 cm lj YX Rh LW lk cy 5v cm c="
+
+function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ rrname = tostring(args["dns.rrname"])
+
+ encoded = base64.encode(rrname)
+ if encoded ~= expected_base64 then
+ print("base64.encode failed")
+ return 0
+ end
+
+ decoded = base64.decode(encoded)
+ if decoded ~= rrname then
+ print("base64.decode failed")
+ return 0
+ end
+
+ decoded = base64.decode_padopt(encoded)
+ if decoded ~= rrname then
+ print("base64.decode failed")
+ return 0
+ end
+
+ encoded = base64.encode_nopad(rrname)
+ if encoded ~= expected_base64_nopad then
+ print("base64.encode_nopad failed")
+ return 0
+ end
+
+ decoded = base64.decode_nopad(encoded)
+ if decoded ~= rrname then
+ print("base64.decode failed")
+ return 0
+ end
+
+ decoded = base64.decode_padopt(encoded)
+ if decoded ~= rrname then
+ print("base64.decode failed")
+ return 0
+ end
+
+ -- RFC 2045 allows spaces.
+ decoded = base64.decode_rfc2045(input_base64_with_spaces)
+ if decoded ~= rrname then
+ print("base64.decode_rfc2045 failed")
+ return 0
+ end
+
+ -- RFC 4648 does not allow spaces
+ decoded = base64.decode_rfc4648(input_base64_with_spaces)
+ if decoded ~= "w" then
+ print("base64.decode_rfc2045 failed")
+ return 0
+ end
+
+ return 1
+end
+
diff --git a/tests/lua/lua-base64/suricata.yaml b/tests/lua/lua-base64/suricata.yaml
new file mode 100644
index 000000000..6c942d4f2
--- /dev/null
+++ b/tests/lua/lua-base64/suricata.yaml
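Review bot: The failure message for the decode_rfc4648 check at the end of match() reads `base64.decode_rfc2045 failed`, so a regression in the strict decoder would be reported against the lenient one; it should be `print("base64.decode_rfc4648 failed")`, and the two decode_padopt checks and the decode_nopad check likewise print `base64.decode failed` instead of naming the function under test. The assertion `if decoded ~= "w" then` pins down that decode_rfc4648 returns the bytes decoded before the first space rather than nil or an error; if that partial result is the intended contract, a comment such as `-- strict decode stops at the first invalid character and returns what was decoded so far` would make the expectation readable, and if it is not, the check should expect a failure result instead. `encoded` and `decoded` are assigned without `local` inside match(), and `rrname = tostring(args["dns.rrname"])` overwrites the script-level local on every call, which `local rrname = tostring(args["dns.rrname"])` would avoid.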
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - output.lua
diff --git a/tests/lua/lua-base64/test.rules b/tests/lua/lua-base64/test.rules
new file mode 100644
index 000000000..23b702759
--- /dev/null
+++ b/tests/lua/lua-base64/test.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ dns.query.name; content: "www.suricata-ids.org"; \
+ lua:rule.lua; sid:1; rev:1;)
diff --git a/tests/lua/lua-base64/test.yaml b/tests/lua/lua-base64/test.yaml
new file mode 100644
index 000000000..5f1120029
--- /dev/null
+++ b/tests/lua/lua-base64/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../cond-log-dns-dig/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - --set security.lua.allow-rules=true
+ - --set default-rule-path=.
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+
+ - shell:
+ args: grep "OK" results.log | wc -l
+ expect: 2