refactor(cli): leverage anonymous lql

ALLY-928
lacework · Mar 16, 2022 · c607d81 · c607d81
1 parent 36e0c8c
commit c607d81
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 21 deletions.
diff --git a/cli/cmd/lql.go b/cli/cmd/lql.go
@@ -315,7 +315,7 @@ Please validate that the JSON is formatted properly and adheres to the following
 
 {
     "queryId": "MyLQL",
-    "queryText": "MyLQL { source { CloudTrailRawEvents } filter { EVENT_SOURCE = 's3.amazonaws.com' } return { INSERT_ID } }"
+    "queryText": "{ source { CloudTrailRawEvents } filter { EVENT_SOURCE = 's3.amazonaws.com' } return { INSERT_ID } }"
 }
 `)
 	}
@@ -327,7 +327,7 @@ Please validate that the text adheres to the following schema:
 
 queryId: MyLQL
 queryText: |-
-  MyLQL {
+  {
       source {
           CloudTrailRawEvents
       }

diff --git a/cli/cmd/lql_create.go b/cli/cmd/lql_create.go
@@ -45,12 +45,12 @@ To launch your default editor and create a new query.
 
     lacework lql create
 
-The following example comes from Lacework's implementation of a policy query:
+The following example comes from Lacework's implementation of a query:
 
     ---
     queryId: LW_Global_AWS_CTA_AccessKeyDeleted
     queryText: |-
-      LW_Global_AWS_CTA_AccessKeyDeleted {
+      {
           source {
               CloudTrailRawEvents
           }
@@ -67,12 +67,11 @@ The following example comes from Lacework's implementation of a policy query:
           }
       }
 
-Identifier of the query that executes while running the policy
-
-This query specifies an identifier named 'LW_Global_AWS_CTA_AccessKeyDeleted'.
-Policy evaluation uses this dataset (along with the filters) to identify AWS
-CloudTrail events that signify that an IAM access key was deleted. The query
-is delimited by '{ }' and contains three sections:
+A query is represented using JSON or YAML markup and must specify both 'queryId'
+and 'queryText' keys.  The above query uses YAML, specifies an identifier of
+'LW_Global_AWS_CTA_AccessKeyDeleted', and identifies AWS CloudTrail events signifying
+that an IAM access key was deleted.  The queryText is expressed in Lacework Query
+Language (LQL) syntax which is delimited by '{ }' and contains three sections:
 
   * Source data is specified in the 'source' clause. The source of data is the
   'CloudTrailRawEvents' dataset. LQL queries generally refer to other datasets,

diff --git a/integration/lql_constants.go b/integration/lql_constants.go
@@ -23,8 +23,8 @@ const (
 	evaluatorID       string = "Cloudtrail"
 	queryID           string = "LW_CLI_AWS_CTA_IntegrationTest"
 	queryHostID       string = "LW_CLI_Host_Files_IntegrationTest"
-	queryText         string = "LW_CLI_AWS_CTA_IntegrationTest { source { CloudTrailRawEvents } return { INSERT_ID } }"
-	queryUpdateText   string = "LW_CLI_AWS_CTA_IntegrationTest { source { CloudTrailRawEvents } return { INSERT_ID, INSERT_TIME } }"
+	queryText         string = "{ source { CloudTrailRawEvents } return { INSERT_ID } }"
+	queryUpdateText   string = "{ source { CloudTrailRawEvents } return { INSERT_ID, INSERT_TIME } }"
 	queryJSONTemplate string = `{
 	"queryID": "%s",
 	"queryText": "%s"

diff --git a/integration/policy_test.go b/integration/policy_test.go
@@ -339,7 +339,7 @@ func TestPolicyBadSeverity(t *testing.T) {
 func TestPolicySeverityCritical(t *testing.T) {
 	out, err, exitcode := LaceworkCLIWithTOMLConfig("policy", "list", "--severity", "critical")
 	assert.Contains(t, out.String(), "lacework-global-8")
-	assert.NotContains(t, out.String(), "lacework-global-1 ")
+	assert.NotContains(t, out.String(), "high")
 	assert.Empty(t, err.String(), "STDERR should be empty")
 	assert.Equal(t, 0, exitcode, "EXITCODE is not the expected one")
 }

diff --git a/integration/test_resources/help/query_create b/integration/test_resources/help/query_create
@@ -15,12 +15,12 @@ To launch your default editor and create a new query.
 
     lacework lql create
 
-The following example comes from Lacework's implementation of a policy query:
+The following example comes from Lacework's implementation of a query:
 
     ---
     queryId: LW_Global_AWS_CTA_AccessKeyDeleted
     queryText: |-
-      LW_Global_AWS_CTA_AccessKeyDeleted {
+      {
           source {
               CloudTrailRawEvents
           }
@@ -37,12 +37,11 @@ The following example comes from Lacework's implementation of a policy query:
           }
       }
 
-Identifier of the query that executes while running the policy
-
-This query specifies an identifier named 'LW_Global_AWS_CTA_AccessKeyDeleted'.
-Policy evaluation uses this dataset (along with the filters) to identify AWS
-CloudTrail events that signify that an IAM access key was deleted. The query
-is delimited by '{ }' and contains three sections:
+A query is represented using JSON or YAML markup and must specify both 'queryId'
+and 'queryText' keys.  The above query uses YAML, specifies an identifier of
+'LW_Global_AWS_CTA_AccessKeyDeleted', and identifies AWS CloudTrail events signifying
+that an IAM access key was deleted.  The queryText is expressed in Lacework Query
+Language (LQL) syntax which is delimited by '{ }' and contains three sections:
 
   * Source data is specified in the 'source' clause. The source of data is the
   'CloudTrailRawEvents' dataset. LQL queries generally refer to other datasets,