mirror of
https://github.com/domainaware/parsedmarc.git
synced 2026-05-22 11:55:24 +00:00
Sean Whalen
b7b8383fa4
* Expand honest test coverage from 59% to 83%; fix two latent bugs 271 new tests across the output modules, ES/OS clients, CLI config parsing, and the top-level parsing surface. Coverage measured against shipped code only (see [tool.coverage.run] source = ["parsedmarc"] omit = ["*/parsedmarc/resources/maps/*.py"] in pyproject.toml). Per-module results: s3.py 38% → 100% (also fixes SMTP-TLS-to-S3 bug below) gelf.py 40% → 100% syslog.py 46% → 100% kafkaclient.py 34% → 100% splunk.py 24% → 100% loganalytics.py 56% → 100% webhook.py 78% → 100% (also removes redundant try/except) elastic.py 36% → 99% opensearch.py 40% → 99% cli.py 52% → 69% __init__.py 74% → 76% (also fixes append_json bug below) utils.py 84% (unchanged in this PR) TOTAL 59% → 83% The remaining 17% is honest. The biggest unreached blocks are _main() in cli.py and the watch-mode mailbox iteration in __init__.py, both of which would require either standing up live subsystems (real Elasticsearch, real IMAP) or mocking deep enough that the test would verify the mock rather than the code. The PR-A AGENTS.md guidance — "if 90% requires faking it, ship 85% honestly" — applies here. Bugs fixed while writing tests: 1. parsedmarc/s3.py — SMTP-TLS-to-S3 was completely broken. save_report_to_s3 unconditionally read report["report_metadata"] when building S3 object metadata, but RFC 8460 §4.3 SMTP TLS reports are flat (no report_metadata sub-object). The CLI's surrounding try/except silently swallowed the KeyError, so every SMTP-TLS report quietly failed to upload. Also fixes a related issue: parse_smtp_tls_report_json stores begin_date as the raw ISO-8601 string from the report (per the SMTPTLSReport TypedDict and RFC 8460 §4.3), but the S3 code path assumed a datetime with .year / .month / .day attributes. Both fixed; the broken metadata-extraction branch now uses the flat-report fields, and the date branch normalizes via human_timestamp_to_datetime. 2. parsedmarc/__init__.py — append_json corrupted JSON output files on the second write. The original implementation opened files in "a+" mode, then seek()ed backwards to overwrite the trailing "]" with ",\n" before appending more elements. Python's docs are explicit (https://docs.python.org/3/library/functions.html#open): on POSIX, writes in "a"/"a+" mode always go to EOF regardless of seek() position. The result was that the second call produced [...]\n],\n[...] -style corrupted output instead of a single merged array. Replaced with a read-merge-write pattern: load the existing array (if any), append the new elements, rewrite the whole file. The CSV cousin append_csv was not affected — it doesn't seek backwards. 3. parsedmarc/webhook.py — removed redundant try/except blocks in save_aggregate_report_to_webhook / save_failure_report_to_webhook / save_smtp_tls_report_to_webhook. _send_to_webhook already catches every Exception itself, so the outer except blocks were unreachable dead code (covered nothing, defended against nothing, and inflated the source-line count without testing value). Testing approach: mocks at SDK boundaries (boto3 resource, kafka producer, requests session, opensearch/elasticsearch Document/Search, azure LogsIngestionClient). Tests verify the parsedmarc-side transformation logic — document/event construction, index/topic naming, dedup queries, error wrapping — rather than asserting on mock invocations as a proxy for behaviour. Where a branch is defensive against a caller that doesn't exist in the codebase, the test is omitted (commented in code rather than hidden behind a pragma). 547 tests total (was 276), all passing. ruff check + format clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Document the two bug fixes from this PR in the 10.0.0 changelog Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Document testing standards in AGENTS.md Adds a "Testing standards" section covering the principles applied in PR-A (split) and PR-B (coverage expansion): - Coverage measures shipped code only — don't reintroduce tests/* to the scope, don't expand omit, don't use # pragma: no cover. - Honest tests assert on observable behaviour, not "the mock was called". Mock at SDK boundaries; parse the payload that gets sent. - "If 90% requires faking it, ship 85% honestly" — coverage is a tool, not a goal. PR-B's deliberate stops at cli.py 69% and __init__.py 76% are the documented precedent for when to halt. - Verify bug claims against the relevant RFC, internal types, installed SDK source, or upstream docs before changing code. Cite the source in the commit message and test docstring (RFC 8460 §4.3 and the Python open() docs for #775's two bug fixes are the pattern to follow). - Bugs found while writing tests are fixed in the same PR; the test doubles as the regression guard. - File layout (tests/test_<module>.py) is non-negotiable; module-level test loggers need fresh-handler setup so test ordering doesn't break assertLogs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Cover the corrupt-file fallback in append_json Codecov flagged 2 missing patch-coverage lines on PR #775: the except (json.JSONDecodeError, OSError) branch in append_json, which falls back to overwriting when the existing file isn't a parseable JSON array. Two new tests in tests/test_init.py:TestAppendJson exercise both paths: - test_corrupt_existing_file_is_overwritten_cleanly: existing file contains invalid JSON; append_json overwrites with the new array. - test_existing_file_with_non_list_root_is_overwritten: existing file parses as {"foo": ...} (dict, not list); the isinstance guard rejects it and we overwrite cleanly. Patch coverage now 100% on the bug fix. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
278 lines
10 KiB
Python
278 lines
10 KiB
Python
"""Tests for parsedmarc.loganalytics"""
|
|
|
|
import unittest
|
|
from unittest.mock import MagicMock, patch
|
|
|
|
from azure.core.exceptions import HttpResponseError
|
|
|
|
from parsedmarc.loganalytics import (
|
|
LogAnalyticsClient,
|
|
LogAnalyticsConfig,
|
|
LogAnalyticsException,
|
|
)
|
|
|
|
|
|
def _valid_kwargs(**overrides):
|
|
base = dict(
|
|
client_id="cid",
|
|
client_secret="csec",
|
|
tenant_id="tid",
|
|
dce="https://dce.example.com",
|
|
dcr_immutable_id="dcr-123",
|
|
dcr_aggregate_stream="agg-stream",
|
|
dcr_failure_stream="fail-stream",
|
|
dcr_smtp_tls_stream="tls-stream",
|
|
)
|
|
base.update(overrides)
|
|
return base
|
|
|
|
|
|
class TestLogAnalyticsConfig(unittest.TestCase):
|
|
"""The config dataclass holds every credential and stream needed
|
|
to push to Log Analytics. A typo on any attribute would silently
|
|
drop data into the wrong stream."""
|
|
|
|
def test_config_stores_every_field(self):
|
|
config = LogAnalyticsConfig(**_valid_kwargs())
|
|
self.assertEqual(config.client_id, "cid")
|
|
self.assertEqual(config.client_secret, "csec")
|
|
self.assertEqual(config.tenant_id, "tid")
|
|
self.assertEqual(config.dce, "https://dce.example.com")
|
|
self.assertEqual(config.dcr_immutable_id, "dcr-123")
|
|
self.assertEqual(config.dcr_aggregate_stream, "agg-stream")
|
|
self.assertEqual(config.dcr_failure_stream, "fail-stream")
|
|
self.assertEqual(config.dcr_smtp_tls_stream, "tls-stream")
|
|
|
|
|
|
class TestLogAnalyticsClientInit(unittest.TestCase):
|
|
"""The constructor's validation guards against a half-configured
|
|
deployment that would otherwise fail late inside Azure SDK calls
|
|
with confusing errors."""
|
|
|
|
def test_init_accepts_complete_config(self):
|
|
client = LogAnalyticsClient(**_valid_kwargs())
|
|
self.assertEqual(client.conf.client_id, "cid")
|
|
self.assertEqual(client.conf.dcr_immutable_id, "dcr-123")
|
|
|
|
def test_missing_client_id_raises(self):
|
|
with self.assertRaises(LogAnalyticsException):
|
|
LogAnalyticsClient(**_valid_kwargs(client_id=""))
|
|
|
|
def test_missing_client_secret_raises(self):
|
|
with self.assertRaises(LogAnalyticsException):
|
|
LogAnalyticsClient(**_valid_kwargs(client_secret=""))
|
|
|
|
def test_missing_tenant_id_raises(self):
|
|
with self.assertRaises(LogAnalyticsException):
|
|
LogAnalyticsClient(**_valid_kwargs(tenant_id=""))
|
|
|
|
def test_missing_dce_raises(self):
|
|
with self.assertRaises(LogAnalyticsException):
|
|
LogAnalyticsClient(**_valid_kwargs(dce=""))
|
|
|
|
def test_missing_dcr_immutable_id_raises(self):
|
|
with self.assertRaises(LogAnalyticsException):
|
|
LogAnalyticsClient(**_valid_kwargs(dcr_immutable_id=""))
|
|
|
|
|
|
class TestPublishJson(unittest.TestCase):
|
|
"""publish_json wraps logs_client.upload and translates Azure
|
|
HttpResponseError into the module's own exception type so the CLI
|
|
error reporter can handle it uniformly."""
|
|
|
|
def test_publish_json_forwards_to_logs_client(self):
|
|
client = LogAnalyticsClient(**_valid_kwargs())
|
|
logs_client = MagicMock()
|
|
client.publish_json([{"a": 1}], logs_client, "agg-stream")
|
|
logs_client.upload.assert_called_once_with("dcr-123", "agg-stream", [{"a": 1}])
|
|
|
|
def test_publish_json_translates_http_error(self):
|
|
client = LogAnalyticsClient(**_valid_kwargs())
|
|
logs_client = MagicMock()
|
|
logs_client.upload.side_effect = HttpResponseError("forbidden")
|
|
with self.assertRaises(LogAnalyticsException) as ctx:
|
|
client.publish_json([{"a": 1}], logs_client, "stream")
|
|
self.assertIn("forbidden", str(ctx.exception))
|
|
|
|
|
|
class TestPublishResults(unittest.TestCase):
|
|
"""publish_results gates each report type behind both a config flag
|
|
(save_aggregate / save_failure / save_smtp_tls) and a configured
|
|
stream name. Both gates need to work — a missing stream alone is a
|
|
config bug that should be silent, but an explicit save_*=False
|
|
means the operator opted out."""
|
|
|
|
def _publish_with(self, results, **flags):
|
|
flags.setdefault("save_aggregate", True)
|
|
flags.setdefault("save_failure", True)
|
|
flags.setdefault("save_smtp_tls", True)
|
|
client = LogAnalyticsClient(**_valid_kwargs())
|
|
with (
|
|
patch("parsedmarc.loganalytics.ClientSecretCredential"),
|
|
patch("parsedmarc.loganalytics.LogsIngestionClient") as mock_client_cls,
|
|
):
|
|
mock_logs_client = mock_client_cls.return_value
|
|
client.publish_results(results, **flags)
|
|
return mock_logs_client
|
|
|
|
def test_aggregate_published_to_aggregate_stream(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [{"id": "a"}],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [],
|
|
}
|
|
)
|
|
logs_client.upload.assert_called_once_with(
|
|
"dcr-123", "agg-stream", [{"id": "a"}]
|
|
)
|
|
|
|
def test_failure_published_to_failure_stream(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [{"id": "f"}],
|
|
"smtp_tls_reports": [],
|
|
}
|
|
)
|
|
logs_client.upload.assert_called_once_with(
|
|
"dcr-123", "fail-stream", [{"id": "f"}]
|
|
)
|
|
|
|
def test_smtp_tls_published_to_smtp_tls_stream(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [{"id": "t"}],
|
|
}
|
|
)
|
|
logs_client.upload.assert_called_once_with(
|
|
"dcr-123", "tls-stream", [{"id": "t"}]
|
|
)
|
|
|
|
def test_all_three_published_together(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [{"id": "a"}],
|
|
"failure_reports": [{"id": "f"}],
|
|
"smtp_tls_reports": [{"id": "t"}],
|
|
}
|
|
)
|
|
self.assertEqual(logs_client.upload.call_count, 3)
|
|
streams_uploaded = {call.args[1] for call in logs_client.upload.call_args_list}
|
|
self.assertEqual(streams_uploaded, {"agg-stream", "fail-stream", "tls-stream"})
|
|
|
|
def test_save_aggregate_false_skips_aggregate(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [{"id": "a"}],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [],
|
|
},
|
|
save_aggregate=False,
|
|
)
|
|
logs_client.upload.assert_not_called()
|
|
|
|
def test_save_failure_false_skips_failure(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [{"id": "f"}],
|
|
"smtp_tls_reports": [],
|
|
},
|
|
save_failure=False,
|
|
)
|
|
logs_client.upload.assert_not_called()
|
|
|
|
def test_save_smtp_tls_false_skips_smtp_tls(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [{"id": "t"}],
|
|
},
|
|
save_smtp_tls=False,
|
|
)
|
|
logs_client.upload.assert_not_called()
|
|
|
|
def test_empty_results_publishes_nothing(self):
|
|
logs_client = self._publish_with(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [],
|
|
}
|
|
)
|
|
logs_client.upload.assert_not_called()
|
|
|
|
def test_missing_aggregate_stream_skips_aggregate(self):
|
|
"""If the operator hasn't configured a stream for one of the
|
|
report types, the corresponding publish branch is skipped
|
|
silently — matching the existing CLI deployment pattern where
|
|
a single client object handles whatever streams are set."""
|
|
client = LogAnalyticsClient(**_valid_kwargs(dcr_aggregate_stream=""))
|
|
with (
|
|
patch("parsedmarc.loganalytics.ClientSecretCredential"),
|
|
patch("parsedmarc.loganalytics.LogsIngestionClient") as mock_client_cls,
|
|
):
|
|
mock_logs_client = mock_client_cls.return_value
|
|
client.publish_results(
|
|
{
|
|
"aggregate_reports": [{"id": "a"}],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [],
|
|
},
|
|
save_aggregate=True,
|
|
save_failure=True,
|
|
save_smtp_tls=True,
|
|
)
|
|
mock_logs_client.upload.assert_not_called()
|
|
|
|
def test_credential_built_from_config(self):
|
|
"""ClientSecretCredential is constructed with the conf's three
|
|
identity fields — a rename or order shuffle would auth as the
|
|
wrong principal."""
|
|
client = LogAnalyticsClient(**_valid_kwargs())
|
|
with (
|
|
patch("parsedmarc.loganalytics.ClientSecretCredential") as mock_cred,
|
|
patch("parsedmarc.loganalytics.LogsIngestionClient"),
|
|
):
|
|
client.publish_results(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [],
|
|
},
|
|
save_aggregate=True,
|
|
save_failure=True,
|
|
save_smtp_tls=True,
|
|
)
|
|
mock_cred.assert_called_once_with(
|
|
tenant_id="tid", client_id="cid", client_secret="csec"
|
|
)
|
|
|
|
def test_logs_ingestion_client_built_from_dce_and_credential(self):
|
|
client = LogAnalyticsClient(**_valid_kwargs())
|
|
with (
|
|
patch("parsedmarc.loganalytics.ClientSecretCredential") as mock_cred,
|
|
patch("parsedmarc.loganalytics.LogsIngestionClient") as mock_client_cls,
|
|
):
|
|
client.publish_results(
|
|
{
|
|
"aggregate_reports": [],
|
|
"failure_reports": [],
|
|
"smtp_tls_reports": [],
|
|
},
|
|
save_aggregate=True,
|
|
save_failure=True,
|
|
save_smtp_tls=True,
|
|
)
|
|
mock_client_cls.assert_called_once_with(
|
|
"https://dce.example.com", credential=mock_cred.return_value
|
|
)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main(verbosity=2)
|