From c733642c874d7a9c1a4df25f4c36199e8141d870 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini <jufajardini@oisf.net>
Date: Thu, 1 May 2025 13:21:04 -0300
Subject: [PATCH] pgsql: add test for copy in mode

Task #7645
---
 tests/pgsql/pgsql-copy-data-in/README.md      |  10 ++++++
 .../TLPW-Jason-copyfrom-small.pcap            | Bin 0 -> 5513 bytes
 tests/pgsql/pgsql-copy-data-in/suricata.yaml  |  18 +++++++++++
 tests/pgsql/pgsql-copy-data-in/test.yaml      |  29 ++++++++++++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 tests/pgsql/pgsql-copy-data-in/README.md
 create mode 100644 tests/pgsql/pgsql-copy-data-in/TLPW-Jason-copyfrom-small.pcap
 create mode 100644 tests/pgsql/pgsql-copy-data-in/suricata.yaml
 create mode 100644 tests/pgsql/pgsql-copy-data-in/test.yaml

diff --git a/tests/pgsql/pgsql-copy-data-in/README.md b/tests/pgsql/pgsql-copy-data-in/README.md
new file mode 100644
index 000000000..8d30e28d3
--- /dev/null
+++ b/tests/pgsql/pgsql-copy-data-in/README.md
@@ -0,0 +1,10 @@
+A simple test for the CopyIn sub-protocol/ mode for PGSQL
+
+Checks only for the most relevant PGSQL messages from the pcap
+
+PCAP provided by Jason Ish.
+
+Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7645
+
diff --git a/tests/pgsql/pgsql-copy-data-in/TLPW-Jason-copyfrom-small.pcap b/tests/pgsql/pgsql-copy-data-in/TLPW-Jason-copyfrom-small.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..984dc71bc5a568a628ff512b8e7e8bd232926215
GIT binary patch
literal 5513
zc-qC7e{9@l8ONPpYwnVC*J*{e(8*+#maMtN_Stv#WlNhTX_Kb;L2@l?qxE=gzs{NX
zY}fWBy{=u0*1-yBOdxe^gtntdY!d=0LkuDDN5fPNI-vacgFjeNhbF{eFzC_&(h$$<
zyIhi+cd0-bk(@jGec#XXzTfA2kNx`BKbm`{nyRIi{%WZz_<zZMb8>TJ9kmy}lf&qI
z{T|^5qkp=2;*C^2)kjhHMQV0ZJ8!%5(Qu@y0gmuX^Bct-7ax9*FfLU8>#d(ZN>SCd
zb>FS6t`D#0F5N?}SJl+4BjmabOXLExz%P&~ijcQGMyQ0oQG98BqUrj5KtFupj(<OP
zqic!${JOsn68a)J59D1y-4!%vK2qz?`3q%pJ`D8xPerP3-gOS<SXG!WArs<@8!D<$
z=Mx_ZByOs@S#!EXY#~H|)Yty<Lmh;ix?^ds?@@uDJxj=+{b!j9_XAynxxRbX;{|e2
zffhm>|7Jba1GJtXqA>fUPkbkkxT)&ht6NLNIYJyJ$QJ-vLD1X$<$tbh`5Iumh@e|9
zmzMuUf+fT)&(>290qvn6Vm7kQCyoXZLC}dqCE^o=2oQ;?p{SgT9m>fW*rinDAsM;2
zc#3S>&=utAmYFtD7E`u+#3(rY_s`Z>%D`6w_3DD@oF^IBdb*_73uHQk*mX8UjR0*V
zh}b>*lu!I)AQ3XK<Mk5pEkYavN+TR~S6)0dPw;aWL(~*pm<rPF!AQNYUAj!W^AKW?
zX!rdum$bV|LfAlQ$*O`Xvq)00h%`nKRGw!TA;AkGs|b>YC6)KJ`r$W1m9%==U)e(0
z$_63)%S5Y>{;agJ8zej-{^nSix&Xz79OcBSFU@|H5I=J^kO*4s)E0?1?j=N`RXr&(
z<8W*VPC9AYtQa~ry)-rzOV!OuYJY0C=(l{h7kPNx%Nv*)7$0e)hk6edM(C!8C$W<T
zV_{Fvf~PFgZ~4dov^dkqD2%c#*PC>pnY7)hyJ<IPW5;)9almHyJ`JSz2Iq?{aJVpO
zijB3i65Y~^WgVHce->ri?MZc#<(Tbkt3QZ#u}gZVQO?U)j(*HvaMAaq!`-fjOcgn5
zTCq&ca<ULJ?RpM;loqiu1xq?)nV9PHl#czW9%`^)yRqt#;qRP0MEo~E@@1U}QxkAD
z5oErhNXR#zS!TYMCz@V+4)V3|3wqIf^YtWW9|y{&o{`amw3oH%-D4v|^mwXwVAwa?
zxrf7*%r@(r?Z!%Ly!IS~yH3ou<qsumY$xFe@zaMJC>3aG5b?n5*L>pDKq8oJZn{KN
z32_flK1NYZ)cgMVf~6a%H|i+=C>N~mw~;W3x&B(2VAmn;6<Ec><4>0a+ePBS%)`Hn
zC1O0!G9fO`GGbf|v7ywS0lI(xaEcz!xwfw8R?elz{S4CsrflU*m2Mf$BPVM)w5A)F
zMvkXzNb%g(5OFIuJ2E-bgZ?38V8^2~o@dkB`W{I2jSYA2OAq&@Xk_N;XcxV$e`Khy
zbfG2dP9~fGhw#mvv}RZ{Nem{H4c*OPwUY*)dhqj1Hs4Jbhcz#|s5w@awhPzO4w-fq
zr=f$Y6Qe6Q$p90%UfM<;{4&i>+QAxjFlov;Mq3scGswa1CZ2ISypEh{BV`Ka8Z9!T
z(_++B9NqTZ4vA%$IK(!P>w0+`CuO8YbLNz3%>dWc)nqXVB*=7<?Q9Kk3@1dHSd`^x
zHlAeSNsislFd>mkFfoN^cvj_*Aj=63#Tn?!XsRGHEPlUnD=)|RB*V2!0x8a`w`w6X
zXBgpvU)Z8wq~(4YLPjxPJz#*T=%`~I&C{R2G9<z<=<dZl(Yi_Zr&6Qz7<O&Tba5ry
ztZ)cehI|B=<-d*{;F&hhN*8K+r$32yr`R{0!AQl<GW)<FFXtYQA(~^31Ikt$oNVqm
z+_EF77?z8VyE#RHlB$7p`PPmx=;CDnm$3{rNjyLsdRF(^XwL!P&~iTQI!YT<VTho*
zbew5}SfC2cmKzTSOzW<%8<-EAXOo+W+W|@B8J3IPg3qK?eI_I{H4*0(O_0O{Cnp$D
z6*X4o1uZUOMqGQJaRr|xnB_hjBnw%V@jfqu9X*$&yHypmb?Fh=zxS!ZzVZ~i<f7GT
z&@G3mTzZ(J8WvP7-i;WkTU1nu=@H{{0-+d(Vvvb$ZMO)&Vo8&l1M*BN{|Tu4C!y+}
z466J`A`PVS-`>Bn@}EBASAMuvhQGbC@+(mT$!@!1Wjj=uV{|eD4;oQeThz4_I3Wut
zT%5rO9w4GJxKp*DoI#RUfmc;Y5^up`31(G`sqmbrFi7AvENhsR;|#-NjTbeB=b_9g
zYi_Yv(PC^Ri|xWnCdSdbbWgFMf~>vKRtZ?yZnDB2nMOG7sUDZpcp(=Pm7HiFJ8CHL
z7<P~5JjNBgJm+MC?Dm0~gI(1eF_FQ7rg5ySi3y$&WGRLd9NhdcMse7Zt+_e)qB*!q
z=GccPk&^!a&9O?r%I0AErGpuDuly-t-@&ZaEgjg;YrU2^B_D_-22;5Mc<=w!6x^z&
z;532bW1Px!30V=@1h4Uuti>=&Aj}DIZ4FJKkk?uMo0d;DRN79Q^B?~IR`&3JWyi%c
zmrq5iTW{Z4dickrBopHI?ro$}KuZM?ch8>piPr*&o2pwMdAme>iV(^Bng)L_Bv4EH
ztzT_#q{v2NPtbl#iZuHBt&=NnB4;i`oL9+BWbV(Uo5(bY^T47Q3xKWgMyDz0h1QuX
zK6XRZ!uq#YVhQnEZH<-Wz2J-S*D^6)B~&8s`b#Usm?p%gpHw71;}ic9Kzzj~K3O8p
yFA{(JPDSF^ed3#e#0^0Fe2MteMPm3Lm2@n=#C)Pm$5()QjqL6gi9mavQ2zs<9d_9O

literal 0
Hc-jL100001

diff --git a/tests/pgsql/pgsql-copy-data-in/suricata.yaml b/tests/pgsql/pgsql-copy-data-in/suricata.yaml
new file mode 100644
index 000000000..bade98943
--- /dev/null
+++ b/tests/pgsql/pgsql-copy-data-in/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql:
+            passwords: false
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
diff --git a/tests/pgsql/pgsql-copy-data-in/test.yaml b/tests/pgsql/pgsql-copy-data-in/test.yaml
new file mode 100644
index 000000000..742814dba
--- /dev/null
+++ b/tests/pgsql/pgsql-copy-data-in/test.yaml
@@ -0,0 +1,29 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 6
+    match:
+      event_type: pgsql
+- filter:
+    count: 1
+    match:
+      event_type: pgsql
+      pcap_cnt: 17
+      pgsql.tx_id: 4
+      pgsql.request.simple_query: "COPY tmp FROM STDIN"
+      pgsql.response.copy_in_response.columns: 13
+- filter:
+    count: 1
+    match:
+      event_type: pgsql
+      pcap_cnt: 21
+      pgsql.tx_id: 5
+      pgsql.request.copy_data_in.msg_count: 1
+      pgsql.request.copy_data_in.data_size: 2779
+      pgsql.request.message: "copy_done"
+      pgsql.response.command_completed: "COPY 5"
-- 
2.47.2