From d374d8abc8fc0f15efdc3a862dbe8dfef0fb76f3 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Thu, 19 Mar 2026 15:00:27 +1030
Subject: [PATCH] o365: add upgrade test

This tests that an already populated index can have the integration upgraded and accept more documents successfully.
---
.../audit/_dev/test/scripts/upgrade.txt | 358 ++++++++++++++++++
1 file changed, 358 insertions(+)
create mode 100644 packages/o365/data_stream/audit/_dev/test/scripts/upgrade.txt

diff --git a/packages/o365/data_stream/audit/_dev/test/scripts/upgrade.txt b/packages/o365/data_stream/audit/_dev/test/scripts/upgrade.txt
new file mode 100644
index 00000000000..db15d7fc5c8
--- /dev/null
+++ b/packages/o365/data_stream/audit/_dev/test/scripts/upgrade.txt
@@ -0,0 +1,358 @@
+# Test that upgrading from the latest EPR version to the dev version does not
+# break data collection.
+#
+# Installs the EPR version from the registry, creates a policy on it, verifies
+# data collection, then installs the dev version, upgrades the policy, and
+# verifies the upgraded integration collects new data.
+
+[!external_stack] skip 'Skipping external stack test.'
+[!exec:jq] skip 'Skipping test requiring absent jq command'
+[!env:LATEST_EPR_VERSION] skip 'no EPR release to upgrade from'
+[!is_latest_version] skip 'dev version is not newer than latest EPR release'
+[breaking_change] skip 'cannot upgrade across breaking change'
+
+# Connect to the running stack.
+use_stack -profile ${CONFIG_PROFILES}/${PROFILE}
+
+# Install an agent.
+install_agent -profile ${CONFIG_PROFILES}/${PROFILE} -network_name NETWORK_NAME
+
+# Start the mock O365 API server.
+docker_up -profile ${CONFIG_PROFILES}/${PROFILE} -network ${NETWORK_NAME} o365-mock
+
+# Install the EPR version from the registry.
+install_package_from_registry -profile ${CONFIG_PROFILES}/${PROFILE} ${PACKAGE_NAME} ${LATEST_EPR_VERSION}
+
+# Create a policy on the EPR version.
+add_package_policy -profile ${CONFIG_PROFILES}/${PROFILE} -version ${LATEST_EPR_VERSION} test_config.yaml DATA_STREAM_NAME
+
+# Verify data collection: 2 data events (one per content type).
+get_docs -profile ${CONFIG_PROFILES}/${PROFILE} -want 2 -confirm 15s -timeout 5m ${DATA_STREAM_NAME}
+cp stdout got_docs.json
+
+exec jq '[.hits.hits[]._source | select(.o365.audit != null)] | length' got_docs.json
+stdout '^2$'
+
+# Install the dev version from disk.
+add_package -profile ${CONFIG_PROFILES}/${PROFILE}
+
+# Upgrade the policy to the dev version.
+upgrade_package_latest -profile ${CONFIG_PROFILES}/${PROFILE}
+stdout 'upgraded package '${PACKAGE_NAME}
+
+# Restart mock with new events to confirm the upgraded integration collects data.
+docker_down o365-mock
+cp o365-mock/config-v2.yml o365-mock/config.yml
+docker_up -profile ${CONFIG_PROFILES}/${PROFILE} -network ${NETWORK_NAME} o365-mock
+
+# Verify 4 docs: 2 original + 2 new from post-upgrade collection.
+get_docs -profile ${CONFIG_PROFILES}/${PROFILE} -want 4 -confirm 15s -timeout 5m ${DATA_STREAM_NAME}
+cp stdout got_docs_after.json
+
+exec jq '[.hits.hits[]._source | select(.o365.audit != null)] | length' got_docs_after.json
+stdout '^4$'
+
+# Clean up.
+remove_package_policy -profile ${CONFIG_PROFILES}/${PROFILE} ${DATA_STREAM_NAME}
+uninstall_agent -profile ${CONFIG_PROFILES}/${PROFILE} -timeout 1m
+docker_down o365-mock
+
+-- test_config.yaml --
+input: cel
+vars: ~
+data_stream:
+ vars:
+ url: http://o365-mock:8080
+ token_url: http://o365-mock:8080
+ preserve_original_event: true
+ client_id: test-cel-client-id
+ client_secret: test-cel-client-secret
+ azure_tenant_id: test-cel-tenant-id
+ content_types: "Audit.SharePoint, Audit.General"
+ interval: 30s
+ initial_interval: 1h
+ enable_request_tracer: false
+-- o365-mock/docker-compose.yml --
+version: '2.3'
+services:
+ o365-mock:
+ image: docker.elastic.co/observability/stream:v0.19.0
+ hostname: o365-mock
+ ports:
+ - 8080
+ environment:
+ PORT: "8080"
+ volumes:
+ - ./config.yml:/config.yml
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/config.yml
+-- o365-mock/config.yml --
+rules:
+ # Token endpoint.
+ - path: /test-cel-tenant-id/oauth2/v2.0/token
+ methods: [POST]
+ query_params:
+ client_id: test-cel-client-id
+ client_secret: test-cel-client-secret
+ grant_type: client_credentials
+ scope: https://manage.office.com/.default
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {"access_token":"test-token","token_type":"Bearer","expires_in":3600,"ext_expires_in":3600}
+
+ # Subscribe Audit.SharePoint - success.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+ methods: [POST]
+ query_params:
+ contentType: "Audit.SharePoint"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {"contentType":"Audit.SharePoint","status":"enabled","webhook":null}
+
+ # Subscribe Audit.General - success.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+ methods: [POST]
+ query_params:
+ contentType: "Audit.General"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {"contentType":"Audit.General","status":"enabled","webhook":null}
+
+ # List content for Audit.SharePoint.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
+ methods: [GET]
+ query_params:
+ contentType: "Audit.SharePoint"
+ startTime: "{startTime:.*}"
+ endTime: "{endTime:.*}"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"contentType":"Audit.SharePoint","contentId":"sp-content-1","contentUri":"http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/test-cel-tenant-id/activity/feed/audit/sp-content-1","contentCreated":"{{ .request.vars.endTime }}","contentExpiration":"2199-12-31T23:59:59.000Z"}]
+
+ # List content for Audit.General.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
+ methods: [GET]
+ query_params:
+ contentType: "Audit.General"
+ startTime: "{startTime:.*}"
+ endTime: "{endTime:.*}"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"contentType":"Audit.General","contentId":"gen-content-1","contentUri":"http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/test-cel-tenant-id/activity/feed/audit/gen-content-1","contentCreated":"{{ .request.vars.endTime }}","contentExpiration":"2199-12-31T23:59:59.000Z"}]
+
+ # Fetch SharePoint content.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/audit/sp-content-1
+ methods: [GET]
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"Id":"sp-event-001","CreationTime":"2020-02-07T16:43:53","Workload":"SharePoint","Operation":"PageViewed","RecordType":4,"OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"user@test.onmicrosoft.com","ClientIP":"192.0.2.1"}]
+
+ # Fetch General content.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/audit/gen-content-1
+ methods: [GET]
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"Id":"gen-event-001","CreationTime":"2020-02-28T09:42:45","Workload":"Yammer","Operation":"GroupCreation","RecordType":22,"OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"user@test.onmicrosoft.com","ClientIP":"192.0.2.2"}]
+-- o365-mock/config-v2.yml --
+rules:
+ # Token endpoint.
+ - path: /test-cel-tenant-id/oauth2/v2.0/token
+ methods: [POST]
+ query_params:
+ client_id: test-cel-client-id
+ client_secret: test-cel-client-secret
+ grant_type: client_credentials
+ scope: https://manage.office.com/.default
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {"access_token":"test-token","token_type":"Bearer","expires_in":3600,"ext_expires_in":3600}
+
+ # Subscribe Audit.SharePoint - success.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+ methods: [POST]
+ query_params:
+ contentType: "Audit.SharePoint"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {"contentType":"Audit.SharePoint","status":"enabled","webhook":null}
+
+ # Subscribe Audit.General - success.
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+ methods: [POST]
+ query_params:
+ contentType: "Audit.General"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {"contentType":"Audit.General","status":"enabled","webhook":null}
+
+ # List content for Audit.SharePoint (includes original + new content).
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
+ methods: [GET]
+ query_params:
+ contentType: "Audit.SharePoint"
+ startTime: "{startTime:.*}"
+ endTime: "{endTime:.*}"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"contentType":"Audit.SharePoint","contentId":"sp-content-1","contentUri":"http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/test-cel-tenant-id/activity/feed/audit/sp-content-1","contentCreated":"{{ .request.vars.endTime }}","contentExpiration":"2199-12-31T23:59:59.000Z"},{"contentType":"Audit.SharePoint","contentId":"sp-content-2","contentUri":"http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/test-cel-tenant-id/activity/feed/audit/sp-content-2","contentCreated":"{{ .request.vars.endTime }}","contentExpiration":"2199-12-31T23:59:59.000Z"}]
+
+ # List content for Audit.General (includes original + new content).
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
+ methods: [GET]
+ query_params:
+ contentType: "Audit.General"
+ startTime: "{startTime:.*}"
+ endTime: "{endTime:.*}"
+ PublisherIdentifier: test-cel-tenant-id
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"contentType":"Audit.General","contentId":"gen-content-1","contentUri":"http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/test-cel-tenant-id/activity/feed/audit/gen-content-1","contentCreated":"{{ .request.vars.endTime }}","contentExpiration":"2199-12-31T23:59:59.000Z"},{"contentType":"Audit.General","contentId":"gen-content-2","contentUri":"http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/test-cel-tenant-id/activity/feed/audit/gen-content-2","contentCreated":"{{ .request.vars.endTime }}","contentExpiration":"2199-12-31T23:59:59.000Z"}]
+
+ # Fetch SharePoint content (original).
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/audit/sp-content-1
+ methods: [GET]
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"Id":"sp-event-001","CreationTime":"2020-02-07T16:43:53","Workload":"SharePoint","Operation":"PageViewed","RecordType":4,"OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"user@test.onmicrosoft.com","ClientIP":"192.0.2.1"}]
+
+ # Fetch SharePoint content (new, post-upgrade).
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/audit/sp-content-2
+ methods: [GET]
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"Id":"sp-event-002","CreationTime":"2020-02-07T17:10:22","Workload":"SharePoint","Operation":"FileUploaded","RecordType":6,"OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"user@test.onmicrosoft.com","ClientIP":"192.0.2.1"}]
+
+ # Fetch General content (original).
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/audit/gen-content-1
+ methods: [GET]
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"Id":"gen-event-001","CreationTime":"2020-02-28T09:42:45","Workload":"Yammer","Operation":"GroupCreation","RecordType":22,"OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"user@test.onmicrosoft.com","ClientIP":"192.0.2.2"}]
+
+ # Fetch General content (new, post-upgrade).
+ - path: /api/v1.0/test-cel-tenant-id/activity/feed/audit/gen-content-2
+ methods: [GET]
+ request_headers:
+ Authorization:
+ - "Bearer test-token"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ [{"Id":"gen-event-002","CreationTime":"2020-02-28T10:15:33","Workload":"Yammer","Operation":"GroupUpdated","RecordType":22,"OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"user@test.onmicrosoft.com","ClientIP":"192.0.2.2"}]
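Review bot: The post-upgrade assertion (`stdout '^4$'` on `got_docs_after.json`) only counts documents that have `o365.audit` set, so it cannot tell the two new mock events from re-indexed copies of the originals. Because config-v2.yml lists sp-content-1 and gen-content-1 again, a run that duplicated the old audit records and never fetched sp-content-2/gen-content-2 would still total 4. For an audit-log integration, silent duplication or loss of records is the failure worth pinning, so assert on the record ids as well: `exec jq -c '[.hits.hits[]._source.o365.audit.Id] | sort' got_docs_after.json` followed by `stdout '^\["gen-event-001","gen-event-002","sp-event-001","sp-event-002"\]$'`. That assumes the pipeline keeps the mock's `Id` under `o365.audit.Id`; adjust to whichever field the data stream maps it to. A one-line comment above the second `get_docs`, saying the count of 4 depends on the originals not being indexed a second time, would document that dependency.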