def from_dict(value: dict, system: "ace.system.ACESystem") -> "AnalysisRequest": assert isinstance(value, dict) data = AnalysisRequestModel(**value) root = None if isinstance(data.root, RootAnalysisModel): root = RootAnalysis.from_dict(data.root.dict(), system=system) observable = None if data.observable: observable = Observable.from_dict(data.observable.dict(), root) observable = root.get_observable(observable) type = None if data.type: type = AnalysisModuleType.from_dict(data.type.dict()) ar = AnalysisRequest(system, root, observable, type) ar.id = data.id # ar.dependency_analysis = json_data["dependency_analysis"] ar.status = data.status ar.owner = data.owner if data.original_root: ar.original_root = RootAnalysis.from_dict( data.original_root.dict(), system) if data.modified_root: ar.modified_root = RootAnalysis.from_dict( data.modified_root.dict(), system) return ar
async def test_EVENT_CACHE_HIT(system): handler = TestEventHandler() await system.register_event_handler(EVENT_CACHE_HIT, handler) amt = AnalysisModuleType("test", "", cache_ttl=60) await system.register_analysis_module_type(amt) root = system.new_root() observable = root.add_observable("test", "test") root_request = root.create_analysis_request() await system.process_analysis_request(root_request) request = await system.get_next_analysis_request("owner", amt, 0) request.initialize_result() request.modified_observable.add_analysis(type=amt, details={"test": "test"}) await system.process_analysis_request(request) assert handler.event is None root = system.new_root() observable = root.add_observable("test", "test") root_request = root.create_analysis_request() await system.process_analysis_request(root_request) await handler.wait() assert handler.event.name == EVENT_CACHE_HIT event_root = RootAnalysis.from_dict(handler.event.args[0], system) assert event_root.uuid == root.uuid and event_root.version is not None assert handler.event.args[1]["type"] == observable.type assert handler.event.args[1]["value"] == observable.value assert isinstance(AnalysisRequest.from_dict(handler.event.args[2], system), AnalysisRequest)
def test_observable_serialization(): root = RootAnalysis() o_time = utc_now() target = root.add_observable("test", "other") o1 = root.add_observable( "test", "test", time=o_time, context="text context", directives=["directive1", "directive2"], limited_analysis=["limit1", "limit2"], excluded_analysis=["excluded1", "excluded2"], requested_analysis=["requested1", "requested2"], ) o1.add_relationship("test", target) root = RootAnalysis.from_dict(root.to_model().dict()) o2 = root.get_observable(o1) # should be two separate instances assert id(o1) != id(o2) assert o1.type == o2.type assert o1.value == o2.value assert o1.time == o2.time assert o1.context == o2.context assert o1.directives == o2.directives assert o1.limited_analysis == o2.limited_analysis assert o1.excluded_analysis == o2.excluded_analysis assert o1.requested_analysis == o2.requested_analysis assert o1.relationships == o2.relationships
async def get_root_analysis(self, uuid: str) -> Union[RootAnalysis, None]: assert isinstance(uuid, str) async with self.get_client() as client: response = await client.get(f"/analysis_tracking/root/{uuid}") if response.status_code == 404: return None _raise_exception_on_error(response) return RootAnalysis.from_dict(response.json())
async def test_EVENT_ANALYSIS_ROOT_EXPIRED(system): handler = TestEventHandler() await system.register_event_handler(EVENT_ANALYSIS_ROOT_EXPIRED, handler) root = system.new_root(expires=True) await root.submit() await handler.wait() assert handler.event.name == EVENT_ANALYSIS_ROOT_EXPIRED event_root = RootAnalysis.from_dict(handler.event.args, system) assert event_root.uuid == root.uuid and event_root.version is not None
def test_root_analysis_serialization(): root = RootAnalysis( tool="test", tool_instance="test", alert_type="test", desc="test", event_time=datetime.datetime.now(), name="test", analysis_mode="test", queue="test", instructions="test", ) amt = AnalysisModuleType("test", "") observable = root.add_observable("test", "test") analysis = observable.add_analysis(type=amt, details={"test": "test"}) root.add_detection_point("test") new_root = RootAnalysis.from_dict(root.to_dict()) assert root == new_root assert root.tool == new_root.tool assert root.tool_instance == new_root.tool assert root.alert_type == new_root.alert_type assert root.description == new_root.description assert root.event_time == new_root.event_time assert root.name == new_root.name assert root.analysis_mode == new_root.analysis_mode assert root.queue == new_root.queue assert root.instructions == new_root.instructions assert root.detections == new_root.detections # the observable property for the root should always be None assert root.observable is None assert len(root.observables) == 1 new_root = RootAnalysis.from_json(root.to_json()) assert root == new_root assert root.tool == new_root.tool assert root.tool_instance == new_root.tool assert root.alert_type == new_root.alert_type assert root.description == new_root.description assert root.event_time == new_root.event_time assert root.name == new_root.name assert root.analysis_mode == new_root.analysis_mode assert root.queue == new_root.queue assert root.instructions == new_root.instructions # the observable property for the root should always be None assert root.observable is None assert len(root.observables) == 1
def test_analysis_eq(): amt_1 = AnalysisModuleType("test1", "") amt_2 = AnalysisModuleType("test2", "") root = RootAnalysis() observable_1 = root.add_observable("test", "test") analysis_1 = observable_1.add_analysis(type=amt_1) analysis_2 = observable_1.add_analysis(type=amt_2) observable_2 = root.add_observable("test2", "test") analysis_3 = observable_2.add_analysis(type=amt_1) # different amt assert analysis_1 != analysis_2 # different observable assert analysis_1 != analysis_3 # wrong object type assert analysis_1 != object() root_1 = RootAnalysis.from_dict(root.to_dict()) root_2 = RootAnalysis.from_dict(root.to_dict()) # same amt and observable assert root_1.get_observable(observable_1).get_analysis( amt_1) == root_2.get_observable(observable_1).get_analysis(amt_1)
async def test_EVENT_ANALYSIS_ROOT_MODIFIED(system): handler = TestEventHandler() await system.register_event_handler(EVENT_ANALYSIS_ROOT_MODIFIED, handler) root = system.new_root() await system.track_root_analysis(root) assert handler.event is None handler = TestEventHandler() await system.register_event_handler(EVENT_ANALYSIS_ROOT_MODIFIED, handler) # already tracked so should fire as modified await system.track_root_analysis(root) await handler.wait() assert handler.event.name == EVENT_ANALYSIS_ROOT_MODIFIED assert RootAnalysis.from_dict(handler.event.args, system) == root
async def test_EVENT_ANALYSIS_DETAILS_NEW(system): handler = TestEventHandler() await system.register_event_handler(EVENT_ANALYSIS_DETAILS_NEW, handler) root = system.new_root(details={"test": "test"}) await system.track_root_analysis(root) await system.track_analysis_details(root, root.uuid, await root.get_details()) await handler.wait() assert handler.event.name == EVENT_ANALYSIS_DETAILS_NEW assert RootAnalysis.from_dict(handler.event.args[0], system) == root assert handler.event.args[1] == root.uuid handler = TestEventHandler() await system.register_event_handler(EVENT_ANALYSIS_DETAILS_NEW, handler) # already tracked await system.track_analysis_details(root, root.uuid, await root.get_details()) assert handler.event is None