def test_delete_threat_item_failure(self, mocked_requests_post, mocked_requests_delete): # 1. Connect successfully sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( sim_content, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) # 2. Call delete with wrong threat_type item_key = "FakeKeyDoesNotExist" threat_type = "fake_intel" try: ret = splnk_utils.delete_threat_intel_item(threat_type, item_key, self.verify) except splunk_utils.RequestError: print("Delete with fake type caused exception as expected") assert True #3. Call delete with a non-existing item key threat_type = "ip_intel" mocked_requests_delete.side_effect = Exception( "No matching entries found in kvstore.") try: splnk_utils.delete_threat_intel_item(threat_type, item_key, self.verify) except Exception: print( "Calling delete with an non-exisiting key caused exception as expected." ) assert True
def test_splunk_util_getSessionKey_with_error(self, mocked_requests_post): """Test login failure case""" ret_key = None try: simContent = "Login failure" # # If the post response has status = 401, it means login failed. # The getSessionKey call shall throw an exception # mocked_requests_post.return_value = self._generateResponse( simContent, 401) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) ret_key = splnk_utils.session_key headers = dict() headers["Accept"] = "application/html" post_data = urlparse.urlencode({ "username": self.fake_username, "password": self.fake_password }) mocked_requests_post.assert_called_with(self.auth_url, headers=headers, data=post_data, verify=self.verify) except splunk_utils.RequestError as e: assert True assert not ret_key
def test_splunk_utils_getSessionKey(self, mocked_requests_post): simContent = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( simContent, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) retKey = splnk_utils.session_key headers = dict() headers["Accept"] = "application/html" post_data = urlparse.urlencode({ "username": self.fake_username, "password": self.fake_password }) # Assert that username and password are used as required mocked_requests_post.assert_called_with(self.auth_url, headers=headers, data=post_data, verify=self.verify) # Assert that we extract the session key properly from the response.content assert retKey == self.simSessionKey
def testDelete(self, mocked_requests_post, mocked_requests_delete): # 1. Connect successfully sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( sim_content, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) # 2. Call delete threat_type = "ip_intel" item_key = "FakeItemKeyForItemToDelete" content_dict = { "success": True, "message": "Create operation successful." } sim_content = json.dumps(content_dict) mocked_requests_delete.return_value = self._generateResponse( sim_content, 200) ret = splnk_utils.delete_threat_intel_item(threat_type, item_key, self.verify) # 3. Verify sessionkey has been used in the post call headers = dict() headers["Authorization"] = "Splunk %s" % self.simSessionKey post_url = self.threat_post_url + threat_type + "/" + item_key mocked_requests_delete.assert_called_with(post_url, headers=headers, verify=self.verify) assert ret["status_code"] == 200
def test_update_notable_too_many_redirect(self, mocked_requests_post): """ Test update notable with wrong URL or connection issue""" print("Test update_notable returns TooManyRedirects\n") try: sim_status = 1 sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( sim_content, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) mocked_requests_post.side_effect = requests.TooManyRedirects( Mock(status=404), "Ambiguous excetpion.") ret = splnk_utils.update_notable(event_id=self.simEventId, comment=self.simComment, status=sim_status, cafile=self.verify) # # request post throws exception # assert False except splunk_utils.RequestError as e: assert True
def test_update_notable_wrong_url(self, mocked_requests_post): """ Test update notable with wrong URL or connection issue""" print("Testing wrong URL or connection issue...") try: sim_status = 1 # # Simulate connection error # mocked_requests_post.side_effect = requests.ConnectionError( Mock(status=404), "Max retries exceed.") splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) # # Failed to connect during login will throw exception # assert False except requests.ConnectionError as e: print("Test wrong url. ") assert True
def test_add_threat_intel_item_errors(self, mocked_requests_post): # 1. Connect successfully sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( sim_content, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) # 2. Simulate wrong intel type try: splnk_utils.add_threat_intel_item("Fake type", {}, False) except splunk_utils.RequestError as e: print("Fake intel type causes exception as expected.") assert (True) # 3. Simulate RequestException threat_type = "ip_intel" mocked_requests_post.side_effect = requests.RequestException( Mock(status=404), "Ambiguous excetpion.") try: splnk_utils.add_threat_intel_item(threat_type, {}, False) except splunk_utils.RequestError: assert True # 4. Simulate ConnectionError mocked_requests_post.side_effect = requests.ConnectionError( Mock(status=404), "Ambiguous excetpion.") try: splnk_utils.add_threat_intel_item(threat_type, {}, False) except splunk_utils.RequestError: assert True # 5. Simulate HttpError mocked_requests_post.side_effect = requests.HTTPError( Mock(status=404), "Ambiguous excetpion.") try: splnk_utils.add_threat_intel_item(threat_type, {}, False) except splunk_utils.RequestError: assert True # 6. Simulate URLRequired mocked_requests_post.side_effect = requests.URLRequired( Mock(status=404), "Ambiguous excetpion.") try: splnk_utils.add_threat_intel_item(threat_type, {}, False) except splunk_utils.RequestError: assert True # 7. Simulate TooManyRedirects mocked_requests_post.side_effect = requests.TooManyRedirects( Mock(status=404), "Ambiguous excetpion.") try: splnk_utils.add_threat_intel_item(threat_type, {}, False) except splunk_utils.RequestError: assert True
def test_add_threat_intel_item(self, mocked_requests_post): sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( sim_content, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) itemDict = {"ip": "8.8.8.8", "domain": "fake.domain.com"} threat_type = "ip_intel" splunk_verify = False # Simulate a successful requests post call content_dict = { "success": True, "message": "Create operation successful." } sim_content = json.dumps(content_dict) mocked_requests_post.return_value = self._generateResponse( sim_content, 201) ret = splnk_utils.add_threat_intel_item(threat_type, itemDict, splunk_verify) # Verify sessionkey has been used in the post call headers = dict() headers["Authorization"] = "Splunk %s" % self.simSessionKey item = {"item": json.dumps(itemDict)} post_url = self.threat_post_url + threat_type mocked_requests_post.assert_called_with(post_url, headers=headers, data=item, verify=splunk_verify) assert ret["status_code"] == 201
def test_update_notable(self, mocked_requests_post): """ Test update notable successfully""" try: sim_status = 1 sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>' mocked_requests_post.return_value = self._generateResponse( sim_content, 200) splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host, port=self.fake_port, username=self.fake_username, password=self.fake_password, verify=self.verify) content_dict = {"success": True, "message": "Updated successfuly"} sim_content = json.dumps(content_dict) mocked_requests_post.return_value = self._generateResponse( sim_content, 200) ret = splnk_utils.update_notable(event_id=self.simEventId, comment=self.simComment, status=sim_status, cafile=self.verify) headers = dict() headers["Authorization"] = "Splunk %s" % self.simSessionKey args = dict() args["comment"] = self.simComment args["status"] = sim_status args["ruleUIDs"] = [self.simEventId] mocked_requests_post.assert_called_with(self.update_notable_url, headers=headers, data=args, verify=self.verify) assert ret["status_code"] == 200 except Exception as e: assert False