From 237561fe1768822b44d0b4a3c1dae907cf69eb4e Mon Sep 17 00:00:00 2001 From: Anas Muhammed <102966891+anasmuhmd@users.noreply.github.com> Date: Wed, 23 Oct 2024 16:20:19 +0400 Subject: [PATCH] feat: add falcon_intel_indicators datasource (#254) --- .mockery.yaml | 1 + .../data-sources/falcon_intel_indicators.md | 99 +++++++++++ docs/plugins/plugins.json | 15 ++ .../crowdstrike/data_falcon_cspm_ioms.fabric | 2 +- .../data_falcon_detection_details.fabric | 2 +- .../data_falcon_intel_indicators.fabric | 38 +++++ .../data_falcon_intel_indicators.go | 95 +++++++++++ .../data_falcon_intel_indicators_test.go | 159 ++++++++++++++++++ internal/crowdstrike/plugin.go | 11 ++ mocks/internalpkg/crowdstrike/client.go | 47 ++++++ mocks/internalpkg/crowdstrike/intel_client.go | 108 ++++++++++++ 11 files changed, 575 insertions(+), 2 deletions(-) create mode 100644 docs/plugins/crowdstrike/data-sources/falcon_intel_indicators.md create mode 100644 examples/templates/crowdstrike/data_falcon_intel_indicators.fabric create mode 100644 internal/crowdstrike/data_falcon_intel_indicators.go create mode 100644 internal/crowdstrike/data_falcon_intel_indicators_test.go create mode 100644 mocks/internalpkg/crowdstrike/intel_client.go diff --git a/.mockery.yaml b/.mockery.yaml index 022d21ba..66703957 100644 --- a/.mockery.yaml +++ b/.mockery.yaml @@ -59,6 +59,7 @@ packages: CspmRegistrationClient: DetectsClient: SpotVulnerabilitiesClient: + IntelClient: github.com/blackstork-io/fabric/plugin/resolver: config: inpackage: true diff --git a/docs/plugins/crowdstrike/data-sources/falcon_intel_indicators.md b/docs/plugins/crowdstrike/data-sources/falcon_intel_indicators.md new file mode 100644 index 00000000..2b03eced --- /dev/null +++ b/docs/plugins/crowdstrike/data-sources/falcon_intel_indicators.md @@ -0,0 +1,99 @@ +--- +title: "`falcon_intel_indicators` data source" +plugin: + name: blackstork/crowdstrike + description: "The `falcon_intel_indicators` data source fetches intel indicators from Falcon API" + tags: [] + version: "v0.4.2" + source_github: "https://github.com/blackstork-io/fabric/tree/main/internal/crowdstrike/" +resource: + type: data-source +type: docs +--- + +{{< breadcrumbs 2 >}} + +{{< plugin-resource-header "blackstork/crowdstrike" "crowdstrike" "v0.4.2" "falcon_intel_indicators" "data source" >}} + +## Description +The `falcon_intel_indicators` data source fetches intel indicators from Falcon API. + +## Installation + +To use `falcon_intel_indicators` data source, you must install the plugin `blackstork/crowdstrike`. + +To install the plugin, add the full plugin name to the `plugin_versions` map in the Fabric global configuration block (see [Global configuration]({{< ref "configs.md#global-configuration" >}}) for more details), as shown below: + +```hcl +fabric { + plugin_versions = { + "blackstork/crowdstrike" = ">= v0.4.2" + } +} +``` + +Note the version constraint set for the plugin. + +## Configuration + +The data source supports the following configuration arguments: + +```hcl +config data falcon_intel_indicators { + # Client ID for accessing CrowdStrike Falcon Platform + # + # Required string. + # Must be non-empty + # For example: + client_id = "some string" + + # Client Secret for accessing CrowdStrike Falcon Platform + # + # Required string. + # Must be non-empty + # For example: + client_secret = "some string" + + # Member CID for MSSP + # + # Optional string. + # Default value: + member_cid = null + + # Falcon cloud abbreviation + # + # Optional string. + # Must be one of: "autodiscover", "us-1", "us-2", "eu-1", "us-gov-1", "gov1" + # For example: + # client_cloud = "us-1" + # + # Default value: + client_cloud = null +} +``` + +## Usage + +The data source supports the following execution arguments: + +```hcl +data falcon_intel_indicators { + # limit the number of queried items + # + # Optional integer. + # Default value: + limit = 10 + + # Indicators filter expression using Falcon Query Language (FQL) + # + # Optional string. + # Default value: + filter = null + + # Indicators sort expression using Falcon Query Language (FQL) + # + # Optional string. + # Default value: + sort = null +} +``` \ No newline at end of file diff --git a/docs/plugins/plugins.json b/docs/plugins/plugins.json index 1c8ed9ab..1910ef55 100644 --- a/docs/plugins/plugins.json +++ b/docs/plugins/plugins.json @@ -165,6 +165,21 @@ "limit" ] }, + { + "name": "falcon_intel_indicators", + "type": "data-source", + "config_params": [ + "client_cloud", + "client_id", + "client_secret", + "member_cid" + ], + "arguments": [ + "filter", + "limit", + "sort" + ] + }, { "name": "falcon_vulnerabilities", "type": "data-source", diff --git a/examples/templates/crowdstrike/data_falcon_cspm_ioms.fabric b/examples/templates/crowdstrike/data_falcon_cspm_ioms.fabric index 5628a10d..22a330e9 100644 --- a/examples/templates/crowdstrike/data_falcon_cspm_ioms.fabric +++ b/examples/templates/crowdstrike/data_falcon_cspm_ioms.fabric @@ -15,7 +15,7 @@ document "cspm_ioms" { client_secret = "" client_cloud = "eu-1" } - size = 100 + limit = 100 } title = "List of CSPM IOMS" diff --git a/examples/templates/crowdstrike/data_falcon_detection_details.fabric b/examples/templates/crowdstrike/data_falcon_detection_details.fabric index 752f995a..6359b336 100644 --- a/examples/templates/crowdstrike/data_falcon_detection_details.fabric +++ b/examples/templates/crowdstrike/data_falcon_detection_details.fabric @@ -9,7 +9,7 @@ document "detection_details" { client_secret = "7X1M6lI4PtU9v5ObmJ8HCSB2jnLqzfacpGx30NWD" client_cloud = "eu-1" } - size = 100 + limit = 100 } title = "List of Detections" diff --git a/examples/templates/crowdstrike/data_falcon_intel_indicators.fabric b/examples/templates/crowdstrike/data_falcon_intel_indicators.fabric new file mode 100644 index 00000000..c28c239a --- /dev/null +++ b/examples/templates/crowdstrike/data_falcon_intel_indicators.fabric @@ -0,0 +1,38 @@ +fabric { + plugin_versions = { + "blackstork/crowdstrike" = ">= 0.4 < 1.0 || 0.4.0-rev0" + } +} + +document "intel_indicators" { + meta { + name = "example_document" + } + + data falcon_intel_indicators "indicators" { + config { + client_id = "" + client_secret = "" + client_cloud = "eu-1" + } + limit = 100 + } + + title = "List of Intel Indicators" + + content table { + rows = query_jq(".data.falcon_intel_indicators.indicators") + columns = [ + { + "header" = "Id" + "value" = "{{.row.value.id}}" + }, + { + "header" = "Indicator" + "value" = "{{.row.value.indicator}}" + } + ] + } + +} + diff --git a/internal/crowdstrike/data_falcon_intel_indicators.go b/internal/crowdstrike/data_falcon_intel_indicators.go new file mode 100644 index 00000000..a69c5654 --- /dev/null +++ b/internal/crowdstrike/data_falcon_intel_indicators.go @@ -0,0 +1,95 @@ +package crowdstrike + +import ( + "context" + + "github.com/crowdstrike/gofalcon/falcon" + "github.com/crowdstrike/gofalcon/falcon/client/intel" + "github.com/hashicorp/hcl/v2" + "github.com/zclconf/go-cty/cty" + + "github.com/blackstork-io/fabric/pkg/diagnostics" + "github.com/blackstork-io/fabric/plugin" + "github.com/blackstork-io/fabric/plugin/dataspec" + "github.com/blackstork-io/fabric/plugin/dataspec/constraint" + "github.com/blackstork-io/fabric/plugin/plugindata" +) + +func makeFalconIntelIndicatorsDataSource(loader ClientLoaderFn) *plugin.DataSource { + return &plugin.DataSource{ + Doc: "The `falcon_intel_indicators` data source fetches intel indicators from Falcon API.", + DataFunc: fetchFalconIntelIndicatorsData(loader), + Config: makeDataSourceConfig(), + Args: &dataspec.RootSpec{ + Attrs: []*dataspec.AttrSpec{ + { + Name: "limit", + Type: cty.Number, + Constraints: constraint.Integer, + DefaultVal: cty.NumberIntVal(10), + Doc: "limit the number of queried items", + }, + { + Name: "filter", + Type: cty.String, + Doc: " Indicators filter expression using Falcon Query Language (FQL)", + }, + { + Name: "sort", + Type: cty.String, + Doc: " Indicators sort expression using Falcon Query Language (FQL)", + }, + }, + }, + } +} + +func fetchFalconIntelIndicatorsData(loader ClientLoaderFn) plugin.RetrieveDataFunc { + return func(ctx context.Context, params *plugin.RetrieveDataParams) (plugindata.Data, diagnostics.Diag) { + cli, err := loader(makeApiConfig(ctx, params.Config)) + if err != nil { + return nil, diagnostics.Diag{{ + Severity: hcl.DiagError, + Summary: "Unable to create falcon client", + Detail: err.Error(), + }} + } + limit, _ := params.Args.GetAttrVal("limit").AsBigFloat().Int64() + apiParams := intel.NewQueryIntelIndicatorEntitiesParams().WithDefaults() + apiParams.SetLimit(&limit) + apiParams.SetContext(ctx) + if filter := params.Args.GetAttrVal("filter"); !filter.IsNull() { + filterStr := filter.AsString() + apiParams.SetFilter(&filterStr) + } + if sort := params.Args.GetAttrVal("sort"); !sort.IsNull() { + sortStr := sort.AsString() + apiParams.SetSort(&sortStr) + } + response, err := cli.Intel().QueryIntelIndicatorEntities(apiParams) + if err != nil { + return nil, diagnostics.Diag{{ + Severity: hcl.DiagError, + Summary: "Failed to fetch Falcon Intel Indicators", + Detail: err.Error(), + }} + } + if err = falcon.AssertNoError(response.GetPayload().Errors); err != nil { + return nil, diagnostics.Diag{{ + Severity: hcl.DiagError, + Summary: "Failed to fetch Falcon Intel Indicators", + Detail: err.Error(), + }} + } + events := response.GetPayload().Resources + data, err := encodeResponse(events) + if err != nil { + return nil, diagnostics.Diag{{ + Severity: hcl.DiagError, + Summary: "Failed to parse response", + Detail: err.Error(), + }} + } + return data, nil + } +} diff --git a/internal/crowdstrike/data_falcon_intel_indicators_test.go b/internal/crowdstrike/data_falcon_intel_indicators_test.go new file mode 100644 index 00000000..5294e9ca --- /dev/null +++ b/internal/crowdstrike/data_falcon_intel_indicators_test.go @@ -0,0 +1,159 @@ +package crowdstrike_test + +import ( + "context" + "errors" + "testing" + + "github.com/crowdstrike/gofalcon/falcon" + "github.com/crowdstrike/gofalcon/falcon/client/intel" + "github.com/crowdstrike/gofalcon/falcon/models" + "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/suite" + "github.com/zclconf/go-cty/cty" + + "github.com/blackstork-io/fabric/internal/crowdstrike" + mocks "github.com/blackstork-io/fabric/mocks/internalpkg/crowdstrike" + "github.com/blackstork-io/fabric/pkg/diagnostics/diagtest" + "github.com/blackstork-io/fabric/plugin" + "github.com/blackstork-io/fabric/plugin/plugindata" + "github.com/blackstork-io/fabric/plugin/plugintest" +) + +type CrowdstrikeIntelIndicatorsTestSuite struct { + suite.Suite + plugin *plugin.Schema + cli *mocks.Client + intelCli *mocks.IntelClient +} + +func TestCrowdstrikeIntelIndicatorsTestSuite(t *testing.T) { + suite.Run(t, &CrowdstrikeIntelIndicatorsTestSuite{}) +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) SetupSuite() { + s.plugin = crowdstrike.Plugin("1.2.3", func(cfg *falcon.ApiConfig) (client crowdstrike.Client, err error) { + return s.cli, nil + }) +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) SetupTest() { + s.cli = &mocks.Client{} + s.intelCli = &mocks.IntelClient{} +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) DatasourceNamae() string { + return "falcon_intel_indicators" +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) Datasource() *plugin.DataSource { + return s.plugin.DataSources[s.DatasourceNamae()] +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) TearDownTest() { + s.cli.AssertExpectations(s.T()) +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) TestSchema() { + schema := s.plugin.DataSources["falcon_intel_indicators"] + s.Require().NotNil(schema) + s.NotNil(schema.Config) + s.NotNil(schema.Args) + s.NotNil(schema.DataFunc) +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) String(val string) *string { + return &val +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) TestBasic() { + s.cli.On("Intel").Return(s.intelCli) + s.intelCli.On("QueryIntelIndicatorEntities", mock.MatchedBy(func(params *intel.QueryIntelIndicatorEntitiesParams) bool { + return params.Limit != nil && *params.Limit == 10 + })).Return(&intel.QueryIntelIndicatorEntitiesOK{ + Payload: &models.DomainPublicIndicatorsV3Response{ + Resources: []*models.DomainPublicIndicatorV3{ + { + ID: s.String("test_id_1"), + Indicator: s.String("test_indicator_1"), + }, + { + ID: s.String("test_id_2"), + Indicator: s.String("test_indicator_2"), + }, + }, + }, + }, nil) + ctx := context.Background() + data, diags := s.plugin.RetrieveData(ctx, s.DatasourceNamae(), &plugin.RetrieveDataParams{ + Config: plugintest.NewTestDecoder(s.T(), s.Datasource().Config). + SetAttr("client_id", cty.StringVal("test")). + SetAttr("client_secret", cty.StringVal("test")). + Decode(), + Args: plugintest.NewTestDecoder(s.T(), s.Datasource().Args). + SetAttr("limit", cty.NumberIntVal(10)). + Decode(), + }) + s.Require().Nil(diags) + list := data.AsPluginData().(plugindata.List) + s.Len(list, 2) + s.Subset(list[0], plugindata.Map{ + "id": plugindata.String("test_id_1"), + "indicator": plugindata.String("test_indicator_1"), + }) + s.Subset(list[1], plugindata.Map{ + "id": plugindata.String("test_id_2"), + "indicator": plugindata.String("test_indicator_2"), + }) +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) TestPayloadErrors() { + s.cli.On("Intel").Return(s.intelCli) + s.intelCli.On("QueryIntelIndicatorEntities", mock.MatchedBy(func(params *intel.QueryIntelIndicatorEntitiesParams) bool { + return params.Limit != nil && *params.Limit == 10 + })).Return(&intel.QueryIntelIndicatorEntitiesOK{ + Payload: &models.DomainPublicIndicatorsV3Response{ + Errors: []*models.MsaAPIError{{ + Message: s.String("something went wrong"), + }}, + }, + }, nil) + ctx := context.Background() + _, diags := s.plugin.RetrieveData(ctx, s.DatasourceNamae(), &plugin.RetrieveDataParams{ + Config: plugintest.NewTestDecoder(s.T(), s.Datasource().Config). + SetAttr("client_id", cty.StringVal("test")). + SetAttr("client_secret", cty.StringVal("test")). + Decode(), + Args: plugintest.NewTestDecoder(s.T(), s.Datasource().Args). + SetAttr("limit", cty.NumberIntVal(10)). + Decode(), + }) + diagtest.Asserts{{ + diagtest.IsError, + diagtest.SummaryContains("Failed to fetch Falcon Intel Indicators"), + diagtest.DetailContains("something went wrong"), + }}.AssertMatch(s.T(), diags, nil) +} + +func (s *CrowdstrikeIntelIndicatorsTestSuite) TestError() { + s.cli.On("Intel").Return(s.intelCli) + s.intelCli.On("QueryIntelIndicatorEntities", mock.MatchedBy(func(params *intel.QueryIntelIndicatorEntitiesParams) bool { + return params.Limit != nil && *params.Limit == 10 + })).Return(nil, errors.New("something went wrong")) + + ctx := context.Background() + _, diags := s.plugin.RetrieveData(ctx, s.DatasourceNamae(), &plugin.RetrieveDataParams{ + Config: plugintest.NewTestDecoder(s.T(), s.Datasource().Config). + SetAttr("client_id", cty.StringVal("test")). + SetAttr("client_secret", cty.StringVal("test")). + Decode(), + Args: plugintest.NewTestDecoder(s.T(), s.Datasource().Args). + SetAttr("limit", cty.NumberIntVal(10)). + Decode(), + }) + diagtest.Asserts{{ + diagtest.IsError, + diagtest.SummaryContains("Failed to fetch Falcon Intel Indicators"), + diagtest.DetailContains("something went wrong"), + }}.AssertMatch(s.T(), diags, nil) +} diff --git a/internal/crowdstrike/plugin.go b/internal/crowdstrike/plugin.go index 2a66adcf..2cb258a3 100644 --- a/internal/crowdstrike/plugin.go +++ b/internal/crowdstrike/plugin.go @@ -9,6 +9,7 @@ import ( "github.com/crowdstrike/gofalcon/falcon/client" "github.com/crowdstrike/gofalcon/falcon/client/cspm_registration" "github.com/crowdstrike/gofalcon/falcon/client/detects" + "github.com/crowdstrike/gofalcon/falcon/client/intel" "github.com/crowdstrike/gofalcon/falcon/client/spotlight_vulnerabilities" "github.com/zclconf/go-cty/cty" @@ -31,10 +32,15 @@ type SpotVulnerabilitiesClient interface { CombinedQueryVulnerabilities(params *spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams, opts ...spotlight_vulnerabilities.ClientOption) (*spotlight_vulnerabilities.CombinedQueryVulnerabilitiesOK, error) } +type IntelClient interface { + QueryIntelIndicatorEntities(params *intel.QueryIntelIndicatorEntitiesParams, opts ...intel.ClientOption) (*intel.QueryIntelIndicatorEntitiesOK, error) +} + type Client interface { CspmRegistration() CspmRegistrationClient Detects() DetectsClient SpotlightVulnerabilities() SpotVulnerabilitiesClient + Intel() IntelClient } type ClientAdapter struct { @@ -53,6 +59,10 @@ func (c *ClientAdapter) SpotlightVulnerabilities() SpotVulnerabilitiesClient { return c.client.SpotlightVulnerabilities } +func (c *ClientAdapter) Intel() IntelClient { + return c.client.Intel +} + type ClientLoaderFn func(cfg *falcon.ApiConfig) (client Client, err error) var DefaultClientLoader = func(cfg *falcon.ApiConfig) (Client, error) { @@ -74,6 +84,7 @@ func Plugin(version string, loader ClientLoaderFn) *plugin.Schema { "falcon_cspm_ioms": makeFalconCspmIomsDataSource(loader), "falcon_detection_details": makeFalconDetectionDetailsDataSource(loader), "falcon_vulnerabilities": makeFalconVulnerabilitiesDataSource(loader), + "falcon_intel_indicators": makeFalconIntelIndicatorsDataSource(loader), }, } } diff --git a/mocks/internalpkg/crowdstrike/client.go b/mocks/internalpkg/crowdstrike/client.go index 0b98aacb..5baddb5c 100644 --- a/mocks/internalpkg/crowdstrike/client.go +++ b/mocks/internalpkg/crowdstrike/client.go @@ -114,6 +114,53 @@ func (_c *Client_Detects_Call) RunAndReturn(run func() crowdstrike.DetectsClient return _c } +// Intel provides a mock function with given fields: +func (_m *Client) Intel() crowdstrike.IntelClient { + ret := _m.Called() + + if len(ret) == 0 { + panic("no return value specified for Intel") + } + + var r0 crowdstrike.IntelClient + if rf, ok := ret.Get(0).(func() crowdstrike.IntelClient); ok { + r0 = rf() + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(crowdstrike.IntelClient) + } + } + + return r0 +} + +// Client_Intel_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Intel' +type Client_Intel_Call struct { + *mock.Call +} + +// Intel is a helper method to define mock.On call +func (_e *Client_Expecter) Intel() *Client_Intel_Call { + return &Client_Intel_Call{Call: _e.mock.On("Intel")} +} + +func (_c *Client_Intel_Call) Run(run func()) *Client_Intel_Call { + _c.Call.Run(func(args mock.Arguments) { + run() + }) + return _c +} + +func (_c *Client_Intel_Call) Return(_a0 crowdstrike.IntelClient) *Client_Intel_Call { + _c.Call.Return(_a0) + return _c +} + +func (_c *Client_Intel_Call) RunAndReturn(run func() crowdstrike.IntelClient) *Client_Intel_Call { + _c.Call.Return(run) + return _c +} + // SpotlightVulnerabilities provides a mock function with given fields: func (_m *Client) SpotlightVulnerabilities() crowdstrike.SpotVulnerabilitiesClient { ret := _m.Called() diff --git a/mocks/internalpkg/crowdstrike/intel_client.go b/mocks/internalpkg/crowdstrike/intel_client.go new file mode 100644 index 00000000..5f8f0e13 --- /dev/null +++ b/mocks/internalpkg/crowdstrike/intel_client.go @@ -0,0 +1,108 @@ +// Code generated by mockery v2.42.1. DO NOT EDIT. + +package crowdstrike_mocks + +import ( + intel "github.com/crowdstrike/gofalcon/falcon/client/intel" + mock "github.com/stretchr/testify/mock" +) + +// IntelClient is an autogenerated mock type for the IntelClient type +type IntelClient struct { + mock.Mock +} + +type IntelClient_Expecter struct { + mock *mock.Mock +} + +func (_m *IntelClient) EXPECT() *IntelClient_Expecter { + return &IntelClient_Expecter{mock: &_m.Mock} +} + +// QueryIntelIndicatorEntities provides a mock function with given fields: params, opts +func (_m *IntelClient) QueryIntelIndicatorEntities(params *intel.QueryIntelIndicatorEntitiesParams, opts ...intel.ClientOption) (*intel.QueryIntelIndicatorEntitiesOK, error) { + _va := make([]interface{}, len(opts)) + for _i := range opts { + _va[_i] = opts[_i] + } + var _ca []interface{} + _ca = append(_ca, params) + _ca = append(_ca, _va...) + ret := _m.Called(_ca...) + + if len(ret) == 0 { + panic("no return value specified for QueryIntelIndicatorEntities") + } + + var r0 *intel.QueryIntelIndicatorEntitiesOK + var r1 error + if rf, ok := ret.Get(0).(func(*intel.QueryIntelIndicatorEntitiesParams, ...intel.ClientOption) (*intel.QueryIntelIndicatorEntitiesOK, error)); ok { + return rf(params, opts...) + } + if rf, ok := ret.Get(0).(func(*intel.QueryIntelIndicatorEntitiesParams, ...intel.ClientOption) *intel.QueryIntelIndicatorEntitiesOK); ok { + r0 = rf(params, opts...) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(*intel.QueryIntelIndicatorEntitiesOK) + } + } + + if rf, ok := ret.Get(1).(func(*intel.QueryIntelIndicatorEntitiesParams, ...intel.ClientOption) error); ok { + r1 = rf(params, opts...) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// IntelClient_QueryIntelIndicatorEntities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'QueryIntelIndicatorEntities' +type IntelClient_QueryIntelIndicatorEntities_Call struct { + *mock.Call +} + +// QueryIntelIndicatorEntities is a helper method to define mock.On call +// - params *intel.QueryIntelIndicatorEntitiesParams +// - opts ...intel.ClientOption +func (_e *IntelClient_Expecter) QueryIntelIndicatorEntities(params interface{}, opts ...interface{}) *IntelClient_QueryIntelIndicatorEntities_Call { + return &IntelClient_QueryIntelIndicatorEntities_Call{Call: _e.mock.On("QueryIntelIndicatorEntities", + append([]interface{}{params}, opts...)...)} +} + +func (_c *IntelClient_QueryIntelIndicatorEntities_Call) Run(run func(params *intel.QueryIntelIndicatorEntitiesParams, opts ...intel.ClientOption)) *IntelClient_QueryIntelIndicatorEntities_Call { + _c.Call.Run(func(args mock.Arguments) { + variadicArgs := make([]intel.ClientOption, len(args)-1) + for i, a := range args[1:] { + if a != nil { + variadicArgs[i] = a.(intel.ClientOption) + } + } + run(args[0].(*intel.QueryIntelIndicatorEntitiesParams), variadicArgs...) + }) + return _c +} + +func (_c *IntelClient_QueryIntelIndicatorEntities_Call) Return(_a0 *intel.QueryIntelIndicatorEntitiesOK, _a1 error) *IntelClient_QueryIntelIndicatorEntities_Call { + _c.Call.Return(_a0, _a1) + return _c +} + +func (_c *IntelClient_QueryIntelIndicatorEntities_Call) RunAndReturn(run func(*intel.QueryIntelIndicatorEntitiesParams, ...intel.ClientOption) (*intel.QueryIntelIndicatorEntitiesOK, error)) *IntelClient_QueryIntelIndicatorEntities_Call { + _c.Call.Return(run) + return _c +} + +// NewIntelClient creates a new instance of IntelClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. +// The first argument is typically a *testing.T value. +func NewIntelClient(t interface { + mock.TestingT + Cleanup(func()) +}) *IntelClient { + mock := &IntelClient{} + mock.Mock.Test(t) + + t.Cleanup(func() { mock.AssertExpectations(t) }) + + return mock +}