def test__delete_too_long_address__address_is_ok(self): parsed = RecordDict() parsed['address'] = [{'ip': i+1} for i in xrange(MAX_IPS_IN_ADDRESS)] expected = RecordDict() expected['address'] = [{'ip': i+1} for i in xrange(MAX_IPS_IN_ADDRESS)] self.meth.delete_too_long_address(parsed) self.assertEqual(parsed, expected)
def test_adding_asn_cc_if_possible(self): """Test if asn/cc are (maybe) added""" self.enricher.gi_asn.org_by_addr.side_effect = [ pygeoip.GeoIPError, "AS1234", "AS123456"] self.enricher.gi_cc.country_code_by_addr.side_effect = [ "PL", "UK", pygeoip.GeoIPError] data = RecordDict({ "address": [{"ip": "127.0.0.1"}, {"ip": "192.187.0.1"}, {"ip": "10.15.1.255"}]}) data.update(self.COMMON_DATA) self.enricher.enrich(data) self.assertEqual(data["address"], [ {"ip": "127.0.0.1", "cc": "PL"}, {"ip": "192.187.0.1", "asn": 1234, "cc": "UK"}, {"ip": "10.15.1.255", "asn": 123456}, ]) self.assertEqual(data["enriched"], ([], { "127.0.0.1": ["cc"], "192.187.0.1": ["asn", "cc"], "10.15.1.255": ["asn"], }))
def test__get_client_and_urls_matched__many_url_seq(self): test_criteria_local = [ {'org_id': 'org4', 'asn_seq': [], 'fqdn_seq': [''], 'url_seq': [u'wąska.pl', 'example.com', 'http://aaa.pl/auth.php'], }] body = self.prepare_mock(test_criteria_local) # test glob mach body[u'url_pattern'] = u'*.*' json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), (['org4'], {'org4': ['example.com', 'http://aaa.pl/auth.php', u'wąska.pl']})) # test regexp mach body[u'url_pattern'] = u'.*aaa\\.pl\\/auth.*' json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), (['org4'], {'org4': ['http://aaa.pl/auth.php']})) # test regexp mach body[u'url_pattern'] = u'.*example.*' json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), (['org4'], {'org4': ['example.com']})) # test regexp mach body[u'url_pattern'] = u'wą[a-z][xkl]a\\..*' json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), (['org4'], {'org4': [u'wąska.pl']}))
def test__enrich__with_fqdn_from_url_not_resolved(self): self.enricher._resolver.query = mock.MagicMock(side_effect=DNSException) data = self.enricher.enrich(RecordDict({"url": "http://www.nask.pl/asd"})) self.assertEqualIncludingTypes(data, RecordDict({ "enriched": (["fqdn"], {}), "url": "http://www.nask.pl/asd", "fqdn": "www.nask.pl"}))
def test__url_to_fqdn_or_ip__called_for_ip_url(self): """Test if url_to_fqdn_or_ip is called if data does not contain address and fqdn""" data = RecordDict({"url": "http://192.168.0.1"}) data.update(self.COMMON_DATA) self.enricher.url_to_fqdn_or_ip = mock.MagicMock(return_value="192.168.0.1") self.enricher.enrich(data) self.enricher.url_to_fqdn_or_ip.assert_called_with("http://192.168.0.1")
def test__get_client_and_urls_matched__url_pattern_empty(self): test_criteria_local = [ {'org_id': 'org4', 'asn_seq': [], 'fqdn_seq': [''], 'url_seq': ['wp.pl', u'wpą.pl'], }] body = self.prepare_mock(test_criteria_local) # test empty url_pattern unicode body[u'url_pattern'] = u'' json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), ([], {})) # test empty url_pattern string body[u'url_pattern'] = '' json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), ([], {})) # # test empty url_pattern = None body[u'url_pattern'] = None json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), ([], {}))
def test__fqdn_to_ip__called(self): """Test if fqdn_to_ip is called if data does not contain address""" data = RecordDict({"fqdn": "cert.pl"}) data.update(self.COMMON_DATA) self.enricher.fqdn_to_ip = mock.MagicMock() self.enricher.enrich(data) self.enricher.fqdn_to_ip.assert_called_with("cert.pl")
def test_existing_asn_cc_always_dropped_and_new_ones_added_if_possible(self, LOGGER_mock): """Test if already existing asn/cc are removed and new ones are (maybe) added""" self.enricher.gi_asn.org_by_addr.side_effect = [ pygeoip.GeoIPError, pygeoip.GeoIPError, "AS12345"] self.enricher.gi_cc.country_code_by_addr.side_effect = [ pygeoip.GeoIPError, "PL", "UK"] data = RecordDict({ "address": [{"ip": "127.0.0.1", "cc": "JP"}, {"ip": "192.187.0.1", "cc": "US", "asn": 424242}, {"ip": "10.15.1.255", "asn": 434343}]}) data.update(self.COMMON_DATA) expected_num_of_warnings = 4 # 2 existing `cc` + 2 existing `asn` self.enricher.enrich(data) self.assertEqual(data["address"], [ {"ip": "127.0.0.1"}, {"ip": "192.187.0.1", "cc": "PL"}, {"ip": "10.15.1.255", "asn": 12345, "cc": "UK"}, ]) self.assertEqual(data["enriched"], ([], { "192.187.0.1": ["cc"], "10.15.1.255": ["asn", "cc"], })) self.assertEqual( len(LOGGER_mock.warning.mock_calls), expected_num_of_warnings)
def test__enrich__with_ip_url_given(self): data = self.enricher.enrich(RecordDict({"url": "http://192.168.0.1/asd"})) self.assertEqualIncludingTypes(data, RecordDict({ "enriched": ([], {"192.168.0.1": ["asn", "cc", "ip"]}), "url": "http://192.168.0.1/asd", "address": [{"ip": '192.168.0.1', "asn": '1234', "cc": 'PL'}]}))
def test__delete_too_long_address__address_is_too_long(self): ips = MAX_IPS_IN_ADDRESS + 1 parsed = RecordDict() parsed['id'] = '0123456789abcdef0123456789abcdef' parsed['address'] = [{'ip': i + 1} for i in xrange(ips)] expected = RecordDict() expected['id'] = '0123456789abcdef0123456789abcdef' self.meth.delete_too_long_address(parsed) self.assertEqual(parsed, expected)
def test__enrich__with_fqdn_given(self): data = self.enricher.enrich(RecordDict({"fqdn": "cert.pl"})) self.enricher._resolver.asert_called_once_with("cert.pl") self.assertEqualIncludingTypes(data, RecordDict({ "enriched": ([], {"127.0.0.1": ["asn", "cc", "ip"]}), "fqdn": "cert.pl", "address": [{"ip": '127.0.0.1', "asn": '1234', "cc": 'PL'}]}))
def test__enrich__with_fqdn_given__with_nodns_flag(self): data = self.enricher.enrich(RecordDict({ "fqdn": "cert.pl", "_do_not_resolve_fqdn_to_ip": True})) self.enricher._resolver.asert_called_once_with("cert.pl") self.assertEqualIncludingTypes(data, RecordDict({ "enriched": ([], {}), "fqdn": "cert.pl", "_do_not_resolve_fqdn_to_ip": True}))
def test__fqdn_to_ip__not_called(self): """Test if fqdn_to_ip not called if address already present""" data = RecordDict({ "address": [{"ip": "127.0.0.1"}, {"ip": "192.187.0.1"}, {"ip": "10.15.1.255"}]}) data.update(self.COMMON_DATA) self.enricher.fqdn_to_ip = mock.MagicMock(return_value="127.0.0.1") self.enricher.enrich(data) self.assertFalse(self.enricher.fqdn_to_ip.called)
def test__enrich__with_url_given(self): data = self.enricher.enrich(RecordDict({"url": "http://www.nask.pl/asd"})) self.enricher._resolver.asert_called_once_with("www.nask.pl") self.assertEqualIncludingTypes(data, RecordDict({ "enriched": (["fqdn"], {"127.0.0.1": ["asn", "cc", "ip"]}), "url": "http://www.nask.pl/asd", "fqdn": "www.nask.pl", "address": [{"ip": '127.0.0.1', "asn": '1234', "cc": 'PL'}]}))
def test__enrich__with_url_given__with_nodns_flag(self): data = self.enricher.enrich(RecordDict({ "url": "http://www.nask.pl/asd", "_do_not_resolve_fqdn_to_ip": True})) self.enricher._resolver.asert_called_once_with("www.nask.pl") self.assertEqualIncludingTypes(data, RecordDict({ "enriched": (["fqdn"], {}), "url": "http://www.nask.pl/asd", "fqdn": "www.nask.pl", "_do_not_resolve_fqdn_to_ip": True}))
def test__enrich__with_address_and_fqdn_given(self): data = self.enricher.enrich(RecordDict({ "fqdn": "cert.pl", "address": [{"ip": "10.20.30.40"}]})) self.assertEqualIncludingTypes(data, RecordDict({ "enriched": ([], {"10.20.30.40": ["asn", "cc"]}), "fqdn": "cert.pl", "address": [{"ip": '10.20.30.40', "asn": '1234', "cc": 'PL'}]}))
def test__enrich__with_address_and_url_given(self): data = self.enricher.enrich(RecordDict({ "url": "http://www.nask.pl/asd", "address": [{"ip": "10.20.30.40"}]})) self.assertEqualIncludingTypes(data, RecordDict({ "enriched": (["fqdn"], {"10.20.30.40": ["asn", "cc"]}), "url": "http://www.nask.pl/asd", "fqdn": "www.nask.pl", "address": [{"ip": '10.20.30.40', "asn": '1234', "cc": 'PL'}]}))
def test__ip_to_cc__called(self): """Test if ip_to_cc was called for all ips""" data = RecordDict({ "address": [{"ip": "127.0.0.1"}, {"ip": "192.187.0.1"}, {"ip": "10.15.1.255"}]}) data.update(self.COMMON_DATA) self.enricher.ip_to_cc = mock.MagicMock(return_value="") self.enricher.enrich(data) for addr in data["address"]: self.enricher.ip_to_cc.assert_any_call(addr["ip"]) self.assertEqual(len(data["address"]), self.enricher.ip_to_cc.call_count)
def test__enrich__with_ip_url_given__with_nodns_flag(self): data = self.enricher.enrich(RecordDict({ "url": "http://192.168.0.1/asd", "_do_not_resolve_fqdn_to_ip": True})) self.assertEqualIncludingTypes(data, RecordDict({ # (here the '_do_not_resolve_fqdn_to_ip' flag did *not* change behaviour) "enriched": ([], {"192.168.0.1": ["asn", "cc", "ip"]}), "url": "http://192.168.0.1/asd", "address": [{"ip": '192.168.0.1', "asn": '1234', "cc": 'PL'}], "_do_not_resolve_fqdn_to_ip": True}))
def test__enrich__with_excluded_ips_config__with_some_ip_to_exclude__2(self): self.enricher._enrich_config = {'dnshost': '8.8.8.8', 'dnsport': '53', 'geoippath': '/usr/share/GeoIP', 'excluded_ips': '127.0.0.1, 2.2.2.2, 3.3.3.3'} self.enricher.excluded_ips = self.enricher._get_excluded_ips() data = self.enricher.enrich(RecordDict({"url": "http://www.nask.pl/asd"})) self.enricher._resolver.asert_called_once_with("www.nask.pl") self.assertEqualIncludingTypes(data, RecordDict({ "enriched": (["fqdn"], {}), "url": "http://www.nask.pl/asd", "fqdn": "www.nask.pl"})) # (note: emptied `address` removed)
def test__enrich__with_address_and_fqdn_given__with_nodns_flag(self): data = self.enricher.enrich(RecordDict({ "fqdn": "cert.pl", "address": [{"ip": "10.20.30.40"}], "_do_not_resolve_fqdn_to_ip": True})) self.assertEqualIncludingTypes(data, RecordDict({ # (here the '_do_not_resolve_fqdn_to_ip' flag did *not* change behaviour) "enriched": ([], {"10.20.30.40": ["asn", "cc"]}), "fqdn": "cert.pl", "address": [{"ip": '10.20.30.40', "asn": '1234', "cc": 'PL'}], "_do_not_resolve_fqdn_to_ip": True}))
def test__delete_too_long_address__address_is_empty(self): parsed = RecordDict() parsed.update({'source': 'foo.bar'}) expected = RecordDict() expected.update({'source': 'foo.bar'}) self.meth.delete_too_long_address(parsed) self.assertEqual(parsed, expected)
def test__filter_out_excluded_ips__with_no_ip_in_excluded_ips(self): self.enricher.excluded_ips = iptools.IpRangeList('1.1.1.1', '2.2.2.2', '3.3.3.3') data = RecordDict({ "url": "http://www.nask.pl/asd", "address": [{'ip': '1.1.1.5'}, {'ip': '2.1.1.1'}], }) expected = RecordDict({ "url": "http://www.nask.pl/asd", "address": [{'ip': '1.1.1.5'}, {'ip': '2.1.1.1'}], }) ip_to_enr_mock = mock.MagicMock() ip_to_enr_expected_calls = [] self.enricher._filter_out_excluded_ips(data, ip_to_enr_mock) self.assertEqualIncludingTypes(expected, data) self.assertEqual(ip_to_enr_mock.mock_calls, ip_to_enr_expected_calls)
def test__filter_out_excluded_ips__with_excluded_ips_being_None(self): self.enricher.excluded_ips = None data = RecordDict({ "url": "http://www.nask.pl/asd", "address": [{'ip': "127.0.0.1"}], }) expected = RecordDict({ "url": "http://www.nask.pl/asd", "address": [{'ip': "127.0.0.1"}], }) ip_to_enr_mock = mock.MagicMock() ip_to_enr_expected_calls = [] self.enricher._filter_out_excluded_ips(data, ip_to_enr_mock) self.assertEqualIncludingTypes(expected, data) self.assertEqual(ip_to_enr_mock.mock_calls, ip_to_enr_expected_calls)
def test__enrich__with_excluded_ips_config__without_any_ip_to_exclude(self): self.enricher._enrich_config = {'dnshost': '8.8.8.8', 'dnsport': '53', 'geoippath': '/usr/share/GeoIP', 'excluded_ips': '2.2.2.2, 3.3.3.3'} self.enricher.excluded_ips = self.enricher._get_excluded_ips() data = self.enricher.enrich(RecordDict({"url": "http://www.nask.pl/asd"})) self.enricher._resolver.asert_called_once_with("www.nask.pl") self.assertEqualIncludingTypes(data, RecordDict({ "enriched": (["fqdn"], {"127.0.0.1": ["asn", "cc", "ip"]}), "url": "http://www.nask.pl/asd", "fqdn": "www.nask.pl", "address": [{"ip": '127.0.0.1', "asn": '1234', "cc": 'PL'}]}))
def actual_data_for_adding_asn_cc_if_possible(self, asn_mock, cc_mock): self.enricher.gi_asn.asn = asn_mock self.enricher.gi_cc.city = cc_mock return RecordDict({ "address": [{"ip": "127.0.0.1"}, {"ip": "192.187.0.1"}, {"ip": "10.15.1.255"}]})
def actual_data_for_existing_asn_cc_always_dropped_and_new_ones_added_if_possible(self, mock_asn, mock_cc): self.enricher.gi_asn.asn = mock_asn self.enricher.gi_cc.city = mock_cc return RecordDict({ "address": [{"ip": "127.0.0.1", "cc": "JP"}, {"ip": "192.187.0.1", "cc": "US", "asn": 424242}, {"ip": "10.15.1.255", "asn": 434343}]})
def test__get_client_and_urls_matched__2(self): body = {"category": "bots", "restriction": "public", "confidence": "medium", "sha1": "023a00e7c2ef04ee5b0f767ba73ee39734323432", "name": "virut", "proto": "tcp", "address": [{"cc": "XX", "ip": "1.1.1.1", "asn": "1"}, {"cc": "XX", "ip": "100.71.83.178", "asn": "1"}, {"cc": "XX", "ip": "102.71.83.178", "asn": "1"}], "fqdn": "domain.com", "url": "http://onet.pl", "source": "hpfeeds.dionaea", "time": "2013-07-01 20:37:20", "dport": "445", "rid": "023a00e7c2ef04ee5b0f767ba73ee397", "sport": "2147", "dip": "10.28.71.43", "id": "023a00e7c2ef04ee5b0f767ba73ee397"} # tested key:[test_value,[valid value]] input_data = {'ip': ['154.89.207.81', ['fdc']], 'cc': ['SU', ['decfba', 'fdc']], 'asn': ['45975', ['fdc']], 'fqdn': ['onetbrutalmikmokcert.eu', ['fdc']]} self.auth_api_mock._get_inside_criteria.return_value = TEST_CRITERIA for i in input_data: body = self.reset_body(body) if i == 'fqdn': body['fqdn'] = input_data[i][0] else: body['address'][0][i] = input_data[i][0] json_msg = json.dumps(body) record_dict = RecordDict.from_json(json_msg) self.assertItemsEqual( self.filter.get_client_and_urls_matched(record_dict, self.fqdn_only_categories), (input_data[i][1], {}))
def input_callback(self, routing_key, body, properties): data = RecordDict.from_json(body) with self.setting_error_event_info(data): enriched = self.enrich(data) rk = replace_segment(routing_key, 1, 'enriched') body = enriched.get_ready_json() self.publish_output(routing_key=rk, body=body)
def test_routing_key_modified(self): """Test if routing key after enrichement is set to "enriched.*" when publishing to output queue""" self.enricher.publish_output = mock.MagicMock() data = RecordDict({ "address": [{"ip": "127.0.0.1"}, {"ip": "192.187.0.1"}, {"ip": "10.15.1.255"}]}) data.update(self.COMMON_DATA) body = data.get_ready_json() initial_routing_key = "event.parsed.test.test-source" properties = None self.enricher.input_callback(initial_routing_key, body, properties) args, kwargs = self.enricher.publish_output.call_args self.assertIn("routing_key", kwargs) self.assertEqual(kwargs["routing_key"], "event.enriched.test.test-source")