def test_msg(mocker):
    """
    Given:
        - An Outlook .msg file (``smime-p7s.msg``) whose file-type info
          string identifies it as a CDFV2 Outlook message
    When:
        - run the ParseEmailFilesV2 script
    Then:
        - Ensure it is parsed successfully: the last result entry is a note
          whose ``Email.Subject`` is ``'test'``
    """
    file_info = 'CDFV2 Microsoft Outlook Message'
    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    fake_exec = exec_command_for_file('smime-p7s.msg', info=file_info)
    mocker.patch.object(demisto, 'executeCommand', side_effect=fake_exec)
    mocker.patch.object(demisto, 'results')
    # Sanity-check the argument mock before exercising the script.
    assert demisto.args()['entryid'] == 'test'

    main()

    # Only the positional args of the LAST demisto.results() call are
    # inspected; the number of results() calls is not asserted here.
    last_call_args = demisto.results.call_args[0]
    assert len(last_call_args) == 1
    (entry,) = last_call_args
    assert entry['Type'] == entryTypes['note']
    assert entry['EntryContext']['Email']['Subject'] == 'test'
def test_eml_contains_msg(mocker):
    """
    Given:
        - An .eml file (``DONT_OPEN-MALICIOUS.eml``) carrying a .msg attachment
    When:
        - run the ParseEmailFilesV2 script
    Then:
        - Ensure the outer mail is parsed successfully (Depth 0)
        - Ensure the nested .msg is parsed as well (Depth 1)
        - Ensure the .msg attachment is returned as its own entry and is
          listed in the outer mail's Attachments / AttachmentsData

    NOTE: judging by its name the fixture is a real malicious mail sample.
    It is used purely as parser input; nothing in this test opens, renders
    or executes it or its attachment - keep it that way.
    """
    def fake_execute_command(name, args=None):
        # Minimal stand-in for demisto.executeCommand: only the two commands
        # the script needs are served; any other command is a test bug.
        if name == 'getFilePath':
            entry = {
                'Type': entryTypes['note'],
                'Contents': {
                    'path': 'test_data/DONT_OPEN-MALICIOUS.eml',
                    'name': 'DONT_OPEN-MALICIOUS.eml',
                },
            }
        elif name == 'getEntry':
            entry = {
                'Type': entryTypes['file'],
                'FileMetadata': {'info': 'news or mail text, ASCII text'},
            }
        else:
            raise ValueError(f'Unimplemented command called: {name}')
        return [entry]

    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand',
                        side_effect=fake_execute_command)
    mocker.patch.object(demisto, 'results')
    # Sanity-check the argument mock before exercising the script.
    assert demisto.args()['entryid'] == 'test'

    main()

    calls = demisto.results.call_args_list
    assert demisto.results.call_count == 3
    assert len(calls) == 3
    attachment_entry, outer_entry, inner_entry = (c.args[0] for c in calls)

    # 1st result: the .msg attachment surfaced as an entry with a 'File' key.
    # The '+' in place of spaces is how the script appears to name the
    # extracted attachment - confirm against the script if this changes.
    assert attachment_entry['File'] == 'Attacker+email+.msg'

    # 2nd result: the outer (carrier) mail, at nesting depth 0.
    outer_email = outer_entry['EntryContext']['Email']
    assert outer_email['Subject'] == 'DONT OPEN - MALICIOS'
    assert 'Attacker+email+.msg' in outer_email['Attachments']
    assert 'Attacker+email+.msg' in outer_email['AttachmentsData'][0]['Name']
    assert outer_email['Depth'] == 0

    # 3rd result: the nested .msg, one level down.
    inner_email = inner_entry['EntryContext']['Email']
    assert inner_email['Subject'] == 'Attacker email'
    assert inner_email['Depth'] == 1
def test_eml_type(mocker):
    """
    Given:
        - An .eml file (``smtp_email_type.eml``) whose file-type info string
          is reported as 'SMTP mail, UTF-8 Unicode text, with CRLF terminators'
    When:
        - run the ParseEmailFilesV2 script
    Then:
        - Ensure it is parsed successfully: exactly one result is posted,
          it is a note, and ``Email.Subject`` is ``'Test Smtp Email'``
    """
    def fake_execute_command(name, args=None):
        # Table-driven stand-in for demisto.executeCommand; each call builds
        # fresh entries so the script cannot leak state between calls.
        responses = {
            'getFilePath': {
                'Type': entryTypes['note'],
                'Contents': {
                    'path': 'test_data/smtp_email_type.eml',
                    'name': 'smtp_email_type.eml',
                },
            },
            'getEntry': {
                'Type': entryTypes['file'],
                'FileMetadata': {
                    'info':
                    'SMTP mail, UTF-8 Unicode text, with CRLF terminators',
                },
            },
        }
        if name not in responses:
            raise ValueError(f'Unimplemented command called: {name}')
        return [responses[name]]

    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand',
                        side_effect=fake_execute_command)
    mocker.patch.object(demisto, 'results')
    # Sanity-check the argument mock before exercising the script.
    assert demisto.args()['entryid'] == 'test'

    main()

    # A plain SMTP mail with no attachments must yield exactly one entry.
    assert demisto.results.call_count == 1
    last_call_args = demisto.results.call_args[0]
    assert len(last_call_args) == 1
    (entry,) = last_call_args
    assert entry['Type'] == entryTypes['note']
    assert entry['EntryContext']['Email']['Subject'] == 'Test Smtp Email'
def test_no_content_type_file(mocker):
    """
    Given:
        - An .eml file (``no_content_type.eml``) that carries no Content-Type
          header; the file-type info string is just 'ascii text'
    When:
        - run the ParseEmailFilesV2 script
    Then:
        - Ensure it is still parsed: the last result entry is a note whose
          ``Email.Subject`` is ``'No content type'``
    """
    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    fake_exec = exec_command_for_file('no_content_type.eml', info="ascii text")
    mocker.patch.object(demisto, 'executeCommand', side_effect=fake_exec)
    mocker.patch.object(demisto, 'results')

    main()

    # Only the LAST demisto.results() call is checked; the number of
    # results() calls is not asserted here.
    last_call_args = demisto.results.call_args[0]
    assert len(last_call_args) == 1
    (entry,) = last_call_args
    assert entry['Type'] == entryTypes['note']
    assert entry['EntryContext']['Email']['Subject'] == 'No content type'
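def test_no_content_file(mocker):
    """
    Given:
        - An .eml file (``no_content.eml``) without any email content
    When:
        - run the ParseEmailFilesV2 script
    Then:
        - Ensure the script terminates via SystemExit instead of returning a
          parsed Email object
        - Ensure the single entry posted before exiting says that no email
          could be extracted from the file
    """
    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto,
                        'executeCommand',
                        side_effect=exec_command_for_file('no_content.eml',
                                                          info="ascii text"))
    mocker.patch.object(demisto, 'results')

    # Initialise the flag BEFORE the try block. Previously it was only bound
    # inside the except clause, so a regression in which main() did NOT exit
    # surfaced as a confusing NameError rather than a clear assertion failure.
    got_exception = False
    try:
        main()
    except SystemExit:
        got_exception = True
    assert got_exception, 'main() must exit with an error for an empty email'

    # The script is expected to post exactly one entry (the error) before
    # exiting; only the positional args of that last results() call are read.
    results = demisto.results.call_args[0]
    assert len(results) == 1
    assert 'Could not extract email from file' in results[0]['Contents']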
def test_eml_contains_eml(mocker):
    """
    Given:
        - An .eml file (``Fwd_test-inner_attachment_eml.eml``) that carries a
          nested .eml plus a .yml attachment
    When:
        - run the ParseEmailFilesV2 script
    Then:
        - Ensure the outer mail is parsed successfully (Depth 0)
        - Ensure the nested .eml is parsed as well (Depth 1)
        - Ensure both attachments are returned as their own entries and are
          listed in the outer mail's Attachments / AttachmentsData

    The attachments are only surfaced as entries with a 'File' key; nothing
    in this test loads or executes them.
    """
    def fake_execute_command(name, args=None):
        # Table-driven stand-in for demisto.executeCommand; each call builds
        # fresh entries so the script cannot leak state between calls.
        responses = {
            'getFilePath': {
                'Type': entryTypes['note'],
                'Contents': {
                    'path': 'test_data/Fwd_test-inner_attachment_eml.eml',
                    'name': 'Fwd_test-inner_attachment_eml.eml',
                },
            },
            'getEntry': {
                'Type': entryTypes['file'],
                'FileMetadata': {'info': 'news or mail text, ASCII text'},
            },
        }
        if name not in responses:
            raise ValueError(f'Unimplemented command called: {name}')
        return [responses[name]]

    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand',
                        side_effect=fake_execute_command)
    mocker.patch.object(demisto, 'results')
    # Sanity-check the argument mock before exercising the script.
    assert demisto.args()['entryid'] == 'test'

    main()

    assert demisto.results.call_count == 4
    calls = demisto.results.call_args_list
    assert len(calls) == 4
    yml_entry, eml_entry, outer_entry, inner_entry = (c.args[0] for c in calls)

    yml_name = 'ArcSight_ESM_fixes.yml'
    inner_name = 'test - inner attachment eml.eml'

    # 1st and 2nd results: the two attachments, each as an entry of its own.
    assert yml_entry['File'] == yml_name
    assert eml_entry['File'] == inner_name

    # 3rd result: the outer (forwarding) mail, at nesting depth 0.
    outer_email = outer_entry['EntryContext']['Email']
    assert outer_email['Subject'] == 'Fwd: test - inner attachment eml'
    assert yml_name in outer_email['Attachments']
    assert yml_name in outer_email['AttachmentsData'][0]['Name']
    assert inner_name in outer_email['Attachments']
    assert inner_name in outer_email['AttachmentsData'][1]['Name']
    assert outer_email['Depth'] == 0

    # 4th result: the nested .eml, one level down.
    inner_email = inner_entry['EntryContext']['Email']
    assert inner_email['Subject'] == 'test - inner attachment eml'
    assert inner_email['Depth'] == 1