Fix formatting

SigmaHQ · Jun 19, 2024 · cebb793 · cebb793
1 parent 3bd8bdd
commit cebb793
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 49 deletions.
diff --git a/tests/test_backend_elasticsearch_esql.py b/tests/test_backend_elasticsearch_esql.py
@@ -2,13 +2,17 @@
 from sigma.collection import SigmaCollection
 from sigma.backends.elasticsearch.elasticsearch_esql import ESQLBackend
 
+
 @pytest.fixture
 def esql_backend():
     return ESQLBackend()
 
-def test_elasticsearch_esql_and_expression(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+
+def test_elasticsearch_esql_and_expression(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -19,12 +23,18 @@ def test_elasticsearch_esql_and_expression(esql_backend : ESQLBackend):
                     fieldA: valueA
                     fieldB: valueB
                 condition: sel
-        """)
-    ) == ['from * | where fieldA=="valueA" and fieldB=="valueB"']
+        """
+            )
+        )
+        == ['from * | where fieldA=="valueA" and fieldB=="valueB"']
+    )
+
 
-def test_elasticsearch_esql_or_expression(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+def test_elasticsearch_esql_or_expression(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -36,12 +46,18 @@ def test_elasticsearch_esql_or_expression(esql_backend : ESQLBackend):
                 sel2:
                     fieldB: valueB
                 condition: 1 of sel*
-        """)
-    ) == ['from * | where fieldA=="valueA" or fieldB=="valueB"']
+        """
+            )
+        )
+        == ['from * | where fieldA=="valueA" or fieldB=="valueB"']
+    )
 
-def test_elasticsearch_esql_and_or_expression(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+
+def test_elasticsearch_esql_and_or_expression(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -56,12 +72,20 @@ def test_elasticsearch_esql_and_or_expression(esql_backend : ESQLBackend):
                         - valueB1
                         - valueB2
                 condition: sel
-        """)
-    ) == ['from * | where (fieldA in ("valueA1", "valueA2")) and (fieldB in ("valueB1", "valueB2"))']
+        """
+            )
+        )
+        == [
+            'from * | where (fieldA in ("valueA1", "valueA2")) and (fieldB in ("valueB1", "valueB2"))'
+        ]
+    )
+
 
-def test_elasticsearch_esql_or_and_expression(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+def test_elasticsearch_esql_or_and_expression(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -75,12 +99,20 @@ def test_elasticsearch_esql_or_and_expression(esql_backend : ESQLBackend):
                     fieldA: valueA2
                     fieldB: valueB2
                 condition: 1 of sel*
-        """)
-    ) == ['from * | where fieldA=="valueA1" and fieldB=="valueB1" or fieldA=="valueA2" and fieldB=="valueB2"']
+        """
+            )
+        )
+        == [
+            'from * | where fieldA=="valueA1" and fieldB=="valueB1" or fieldA=="valueA2" and fieldB=="valueB2"'
+        ]
+    )
 
-def test_elasticsearch_esql_in_expression(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+
+def test_elasticsearch_esql_in_expression(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -93,12 +125,18 @@ def test_elasticsearch_esql_in_expression(esql_backend : ESQLBackend):
                         - valueB
                         - valueC
                 condition: sel
-        """)
-    ) == ['from * | where fieldA in ("valueA", "valueB", "valueC")']
+        """
+            )
+        )
+        == ['from * | where fieldA in ("valueA", "valueB", "valueC")']
+    )
+
 
-def test_elasticsearch_esql_wildcard_expressions(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+def test_elasticsearch_esql_wildcard_expressions(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -111,12 +149,20 @@ def test_elasticsearch_esql_wildcard_expressions(esql_backend : ESQLBackend):
                         - "*valueB"
                         - "valueC*"
                 condition: sel
-        """)
-    ) == ['from * | where fieldA like "val*A" or ends_with(fieldA, "valueB") or starts_with(fieldA, "valueC")']
+        """
+            )
+        )
+        == [
+            'from * | where fieldA like "val*A" or ends_with(fieldA, "valueB") or starts_with(fieldA, "valueC")'
+        ]
+    )
+
 
-def test_elasticsearch_esql_regex_query(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+def test_elasticsearch_esql_regex_query(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -127,12 +173,18 @@ def test_elasticsearch_esql_regex_query(esql_backend : ESQLBackend):
                     fieldA|re: "foo.*bar"
                     fieldB: foo
                 condition: sel
-        """)
-    ) == ['from * | where fieldA rlike "foo.*bar" and fieldB=="foo"']
+        """
+            )
+        )
+        == ['from * | where fieldA rlike "foo.*bar" and fieldB=="foo"']
+    )
 
-def test_elasticsearch_esql_cidr_query(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+
+def test_elasticsearch_esql_cidr_query(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -142,12 +194,18 @@ def test_elasticsearch_esql_cidr_query(esql_backend : ESQLBackend):
                 sel:
                     field|cidr: 192.168.0.0/16
                 condition: sel
-        """)
-    ) == ['from * | where cidr_match(field, "192.168.0.0/16")']
+        """
+            )
+        )
+        == ['from * | where cidr_match(field, "192.168.0.0/16")']
+    )
+
 
-def test_elasticsearch_esql_field_name_with_whitespace(esql_backend : ESQLBackend):
-    assert esql_backend.convert(
-        SigmaCollection.from_yaml("""
+def test_elasticsearch_esql_field_name_with_whitespace(esql_backend: ESQLBackend):
+    assert (
+        esql_backend.convert(
+            SigmaCollection.from_yaml(
+                """
             title: Test
             status: test
             logsource:
@@ -157,5 +215,8 @@ def test_elasticsearch_esql_field_name_with_whitespace(esql_backend : ESQLBacken
                 sel:
                     field name: value
                 condition: sel
-        """)
-    ) == ['from * | where `field name`=="value"']
+        """
+            )
+        )
+        == ['from * | where `field name`=="value"']
+    )
diff --git a/tests/test_backend_elasticsearch_esql_correlations.py b/tests/test_backend_elasticsearch_esql_correlations.py
@@ -3,7 +3,8 @@
 from sigma.backends.elasticsearch.elasticsearch_esql import ESQLBackend
 from tests.test_backend_elasticsearch_esql import esql_backend
 
-def test_event_count_correlation_rule_stats_query(esql_backend : ESQLBackend):
+
+def test_event_count_correlation_rule_stats_query(esql_backend: ESQLBackend):
     correlation_rule = SigmaCollection.from_yaml(
         """
 title: Base rule
@@ -37,7 +38,10 @@ def test_event_count_correlation_rule_stats_query(esql_backend : ESQLBackend):
 | where event_count >= 10"""
     ]
 
-def test_event_count_correlation_rule_stats_query_no_group_field(esql_backend : ESQLBackend):
+
+def test_event_count_correlation_rule_stats_query_no_group_field(
+    esql_backend: ESQLBackend,
+):
     correlation_rule = SigmaCollection.from_yaml(
         """
 title: Base rule
@@ -68,6 +72,7 @@ def test_event_count_correlation_rule_stats_query_no_group_field(esql_backend :
 | where event_count >= 10"""
     ]
 
+
 def test_value_count_correlation_rule_stats_query(esql_backend):
     correlation_rule = SigmaCollection.from_yaml(
         """
@@ -102,6 +107,7 @@ def test_value_count_correlation_rule_stats_query(esql_backend):
 | where value_count < 10"""
     ]
 
+
 def test_temporal_correlation_rule_stats_query(esql_backend):
     correlation_rule = SigmaCollection.from_yaml(
         """
@@ -144,4 +150,4 @@ def test_temporal_correlation_rule_stats_query(esql_backend):
 | eval event_type=case(fieldA=="value1" and fieldB=="value2", "base_rule_1", fieldA=="value3" and fieldB=="value4", "base_rule_2")
 | eval timebucket=date_trunc(15minutes, @timestamp) | stats event_type_count=count_distinct(event_type) by timebucket, fieldC
 | where event_type_count >= 2"""
-    ]
+    ]
diff --git a/tests/test_backend_elasticsearch_lucene.py b/tests/test_backend_elasticsearch_lucene.py
@@ -224,7 +224,9 @@ def test_lucene_cidr_ipv6_query(lucene_backend: LuceneBackend):
                 condition: sel
         """
     )
-    assert lucene_backend.convert(rule) == ["field:\:\:1\\/128 OR field:fc00\:\:\/7 OR field:2603\:1080\:\:\/25"]
+    assert lucene_backend.convert(rule) == [
+        "field:\:\:1\\/128 OR field:fc00\:\:\/7 OR field:2603\:1080\:\:\/25"
+    ]
 
 
 def test_lucene_field_name_with_whitespace(lucene_backend: LuceneBackend):