[Bug] Allow duplicative queries across different rule types (#704)

2020-12-08 23:16:59 +01:00
parent 8c92ae7348
commit 200fbe939e
1 changed files with 15 additions and 8 deletions
@@ -79,6 +79,7 @@ def load_rules(file_lookup=None, verbose=True, error=True):
    rules = []  # type: list[Rule]
    errors = []
    queries = []
+    query_check_index = []
    rule_ids = set()
    rule_names = set()

@@ -87,22 +88,28 @@ def load_rules(file_lookup=None, verbose=True, error=True):
            rule = Rule(rule_file, rule_contents)

            if rule.id in rule_ids:
-                raise KeyError("Rule has duplicate ID to {}".format(next(r for r in rules if r.id == rule.id).path))
+                existing = next(r for r in rules if r.id == rule.id)
+                raise KeyError(f'{rule.path} has duplicate ID with \n{existing.path}')

            if rule.name in rule_names:
-                raise KeyError("Rule has duplicate name to {}".format(
-                    next(r for r in rules if r.name == rule.name).path))
+                existing = next(r for r in rules if r.name == rule.name)
+                raise KeyError(f'{rule.path} has duplicate name with \n{existing.path}')

            parsed_query = rule.parsed_query
            if parsed_query is not None:
-                if parsed_query in queries:
-                    raise KeyError("Rule has duplicate query with {}".format(
-                        next(r for r in rules if r.parsed_query == parsed_query).path))
+                # duplicate logic is ok across query and threshold rules
+                threshold = rule.contents.get('threshold', {})
+                duplicate_key = (parsed_query, rule.type, threshold.get('field'), threshold.get('value'))
+                query_check_index.append(rule)

-                queries.append(parsed_query)
+                if duplicate_key in queries:
+                    existing = query_check_index[queries.index(duplicate_key)]
+                    raise KeyError(f'{rule.path} has duplicate query with \n{existing.path}')
+
+                queries.append(duplicate_key)

            if not re.match(FILE_PATTERN, os.path.basename(rule.path)):
-                raise ValueError(f"Rule {rule.path} does not meet rule name standard of {FILE_PATTERN}")
+                raise ValueError(f'{rule.path} does not meet rule name standard of {FILE_PATTERN}')

            rules.append(rule)
            rule_ids.add(rule.id)