logs/internal/ingest/syslog_parse_test.go

package ingest

import (
	"encoding/json"
	"net"
	"testing"
	"time"

	"git.apinb.com/ops/logs/internal/models"
	"github.com/gosnmp/gosnmp"
)

func TestParseSyslogPayloadPri(t *testing.T) {
	p := parseSyslogPayload([]byte("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"))
	if p.Priority != 34 {
		t.Fatalf("priority=%d", p.Priority)
	}
}

func TestParseSyslogPayloadRFC3164Hostname(t *testing.T) {
	p := parseSyslogPayload([]byte("Oct 11 22:14:15 mymachine su: failed"))
	if p.Hostname != "mymachine" {
		t.Fatalf("hostname=%q", p.Hostname)
	}
	if p.Tag != "su" {
		t.Fatalf("tag=%q", p.Tag)
	}
	if p.Message != "failed" {
		t.Fatalf("message=%q", p.Message)
	}
}

func TestForwardAlertBodyIncludesRawData(t *testing.T) {
	raw := []byte(`{"source":"syslog","parsed":{}}`)
	b := AlertReceiveBody{
		AlertName: "a",
		RawData:   raw,
	}
	data, err := json.Marshal(b)
	if err != nil {
		t.Fatal(err)
	}
	var dec map[string]json.RawMessage
	if err := json.Unmarshal(data, &dec); err != nil {
		t.Fatal(err)
	}
	if string(dec["raw_data"]) != string(raw) {
		t.Fatalf("raw_data %s", dec["raw_data"])
	}
}

func TestInTimeWindowsInvalidJSONReturnsFalse(t *testing.T) {
	now := time.Date(2026, 1, 1, 10, 0, 0, 0, time.Local)
	if inTimeWindows(now, "{invalid") {
		t.Fatal("invalid json should not be treated as always effective")
	}
}

func TestTrapShieldedAllowsEmptySourceIPCIDR(t *testing.T) {
	e := &Engine{
		shields: []models.TrapShield{
			{
				Enabled:        true,
				SourceIPCIDR:   "",
				OIDPrefix:      "1.3.6.1.4.1",
				InterfaceHint:  "",
				TimeWindowsJSON: "",
			},
		},
	}
	addr := &net.UDPAddr{IP: net.ParseIP("10.0.0.1"), Port: 162}
	pkt := &gosnmp.SnmpPacket{}
	if !trapShielded(e, addr, "1.3.6.1.4.1.999", pkt) {
		t.Fatal("shield should match when source_ip_cidr is empty and other conditions match")
	}
}