def test_replace_error(self, event, caplog):
    """Check the FILE rule when opening the sample file raises ``IOError``.

    ``builtins.open`` is patched to raise, so ``replace`` is expected to
    yield nothing and to log exactly one "File not found" message.
    """
    sample_event = event()
    file_rule = get_rule_class(FILE)(token())
    # Stub the path lookup so the rule never touches the real filesystem.
    file_rule.get_file_path = MagicMock(return_value=(DUMMY_FILE_PATH, 0))
    failing_open = MagicMock(side_effect=IOError)
    with patch("builtins.open", failing_open):
        produced = list(file_rule.replace(sample_event, 2))
        assert produced == []
        # NOTE(review): the logged path presumably equals DUMMY_FILE_PATH,
        # which is defined outside this block. Confirm.
        assert caplog.messages == ["File not found : /dummy/path/to/file"]
def test_replace(self, event):
    """Check that the DESTPORT rule yields the patched choice value twice.

    With ``CHOICE`` patched through ``get_patch`` to 22, ``replace(eve, 2)``
    must produce two ``token_value(key=22, value=22)`` items.
    """
    sample_event = event()
    port_rule = get_rule_class(DESTPORT)(token())
    wanted = [token_value(key=22, value=22)] + [token_value(key=22, value=22)]
    with get_patch(CHOICE, 22):
        produced = list(port_rule.replace(sample_event, 2))
        assert produced == wanted
def test_replace(self, event):
    """Check that the SRCPORT rule yields the patched ``randint`` value twice.

    With ``randint`` patched through ``get_patch`` to 4211,
    ``replace(eve, 2)`` must produce two ``token_value(key=4211, value=4211)``
    items.
    """
    sample_event = event()
    port_rule = get_rule_class(SRCPORT)(token())
    wanted = [
        token_value(key=4211, value=4211),
        token_value(key=4211, value=4211),
    ]
    with get_patch("randint", 4211):
        produced = list(port_rule.replace(sample_event, 2))
        assert produced == wanted
def test_replace(self, event, replacement, expected):
    """Check the URL rule output for a given ``replacement`` setting.

    ``CHOICE`` and ``randint`` are pinned and the rule's faker ``URL``
    attribute is replaced with a stub returning ``http://example.com``, so the
    result of ``replace(eve, 2)`` can be compared with ``expected``.
    """
    sample_event = event()
    url_rule = get_rule_class(URL)(token(replacement=replacement))
    # The patches are entered in the same order as in a single combined
    # ``with`` statement.
    with get_patch(CHOICE, "a"):
        with get_patch("randint", 3):
            with patch.object(
                url_rule.fake,
                URL,
                MagicMock(return_value="http://example.com"),
            ):
                produced = list(url_rule.replace(sample_event, 2))
                assert produced == expected
def test_guid_rule(event):
    """Check that the GUID rule yields the patched ``uuid.uuid4`` value twice."""
    sample_event = event()
    guid_rule = get_rule_class(GUID)(token())
    fixed_uuid = "123e4567-e89b-12d3-a456-426614174000"
    wanted = [
        token_value(key=fixed_uuid, value=fixed_uuid),
        token_value(key=fixed_uuid, value=fixed_uuid),
    ]
    with get_patch("uuid.uuid4", fixed_uuid):
        produced = list(guid_rule.replace(sample_event, 2))
        assert produced == wanted
def test_ip_rule(event, class_name, return_value):
    """Check that an IP-style rule returns the value produced by its faker.

    The attribute named ``class_name`` on ``rule.fake`` is replaced with a
    stub returning ``return_value``, and ``replace(eve, 2)`` must yield two
    token values carrying that value as both key and value.
    """
    sample_event = event()
    ip_rule = get_rule_class(class_name)(token())
    faker_stub = MagicMock(return_value=return_value)
    with patch.object(ip_rule.fake, class_name, faker_stub):
        produced = list(ip_rule.replace(sample_event, 2))
        wanted = [
            token_value(key=return_value, value=return_value),
            token_value(key=return_value, value=return_value),
        ]
        assert produced == wanted
def test_replace(self, event, class_name, replacement, replacement_values, expected):
    """Check ``replace`` for a rule driven by ``get_rule_replacement_values``.

    ``get_rule_replacement_values`` is stubbed to return
    ``replacement_values`` and ``CHOICE`` is pinned to ``ELEM_2``. The output
    of ``replace(eve, 2)`` must then equal ``expected``.
    """
    sample_event = event()
    rule_under_test = get_rule_class(class_name)(token(replacement=replacement))
    values_stub = MagicMock(return_value=replacement_values)
    with patch.object(rule_under_test, "get_rule_replacement_values", values_stub):
        with get_patch(CHOICE, ELEM_2):
            produced = list(rule_under_test.replace(sample_event, 2))
            assert produced == expected
def test_user_and_email_rule(event, class_name, replacement, replacement_map, index_list, expected):
    """Check ``replace`` for the rule named by ``class_name`` with a stubbed lookup.

    The event's ``replacement_map`` is set from the argument,
    ``get_lookup_value`` is stubbed to return ``index_list`` together with
    the fixed values ``["one", "two", "three"]``, and ``CHOICE`` is pinned to
    1 before ``replace(eve, 2)`` is compared with ``expected``.
    """
    rule_under_test = get_rule_class(class_name)(token(replacement=replacement))
    sample_event = event()
    sample_event.replacement_map = replacement_map
    lookup_stub = MagicMock(return_value=(index_list, ["one", "two", "three"]))
    with patch.object(rule_under_test, "get_lookup_value", lookup_stub):
        with get_patch(CHOICE, 1):
            produced = list(rule_under_test.replace(sample_event, 2))
            assert produced == expected
def test_replace(self, event, index_sample_se):
    """Check the FILE rule when values come from a stubbed ``lookupfile``.

    ``get_file_path``, ``indexed_sample_file``, ``token_value`` and
    ``lookupfile`` are all replaced with mocks. ``replace(eve, 4)`` must
    yield ``TOKEN_DATA`` twice, and ``token_value`` must have been called
    with ``(ELEM_1, ELEM_1)`` and then ``(ELEM_2, ELEM_2)``.
    """
    sample_event = event()
    file_rule = get_rule_class(FILE)(token())
    file_rule.get_file_path = MagicMock(return_value=(DUMMY_FILE_PATH, "2"))
    # side_effect is a one-item list, so only the first call is served.
    file_rule.indexed_sample_file = MagicMock(side_effect=[index_sample_se])
    token_value_stub = MagicMock(return_value=TOKEN_DATA)
    file_rule.token_value = token_value_stub
    file_rule.lookupfile = MagicMock(return_value=(ELEM_1, ELEM_2))

    produced = list(file_rule.replace(sample_event, 4))

    assert produced == [TOKEN_DATA] * 2
    token_value_stub.assert_has_calls(
        [call(ELEM_1, ELEM_1), call(ELEM_2, ELEM_2)]
    )
def test_replace_index_not_set(self, event, replacement_type, token_cnt, expected):
    """Check the FILE rule when ``get_file_path`` returns 0 as its second item.

    ``builtins.open`` is replaced with ``mock_open`` serving three
    newline-separated elements and ``CHOICE`` is pinned to ``ELEM_1``.
    ``replace(eve, 2)`` must yield ``TOKEN_DATA`` ``token_cnt`` times, and
    ``token_value`` must have received the calls listed in ``expected``.
    """
    sample_event = event()
    file_rule = get_rule_class(FILE)(token(replacement_type=replacement_type))
    file_rule.get_file_path = MagicMock(return_value=(DUMMY_FILE_PATH, 0))
    token_value_stub = MagicMock(return_value=TOKEN_DATA)
    file_rule.token_value = token_value_stub
    file_contents = f"{ELEM_1}\n{ELEM_2}\n{ELEM_3}"
    with patch("builtins.open", mock_open(read_data=file_contents)):
        with get_patch(CHOICE, ELEM_1):
            produced = list(file_rule.replace(sample_event, 2))
            assert produced == [TOKEN_DATA] * token_cnt
            token_value_stub.assert_has_calls(expected)
def test_rule(event, monkeypatch, repl_type, repl, expected, class_name, to_mock, ret_value):
    """Check a rule's output with one attribute of the rule module stubbed.

    The attribute named ``to_mock`` on the ``sample_generation.rule`` module
    is replaced, via ``monkeypatch``, with a mock returning ``ret_value``.
    ``replace(eve, 2)`` must then equal the token values built from each
    ``(key, value)`` pair in ``expected``.
    """
    rule_under_test = get_rule_class(class_name)(
        token(replacement=repl, replacement_type=repl_type)
    )
    sample_event = event()
    monkeypatch.setattr(
        pytest_splunk_addon.standard_lib.sample_generation.rule,
        to_mock,
        MagicMock(return_value=ret_value),
    )
    produced = list(rule_under_test.replace(sample_event, 2))
    wanted = [rule_under_test.token_value(key, value) for key, value in expected]
    assert produced == wanted
def test_replace(self, event, replacement, replacement_values, metadata, expected):
    """Check the HOST rule for a given replacement and event metadata.

    The event gets ``metadata`` and a ``get_host`` that always returns
    ``"host_1"``. ``get_rule_replacement_values`` is stubbed to return
    ``replacement_values`` and ``CHOICE`` is pinned to ``ELEM_2``.
    """
    sample_event = event()
    sample_event.metadata = metadata
    sample_event.get_host = lambda: "host_1"
    host_rule = get_rule_class(HOST)(token(replacement=replacement))
    values_stub = MagicMock(return_value=replacement_values)
    with patch.object(host_rule, "get_rule_replacement_values", values_stub):
        with get_patch(CHOICE, ELEM_2):
            produced = list(host_rule.replace(sample_event, 2))
            assert produced == expected
def test_replace(self, event, earliest, latest, expected):
    """Check the TIME rule for an ``earliest``/``latest`` window.

    Time parsing, ``randint``, ``datetime.fromtimestamp`` and ``mktime`` are
    all pinned through ``get_patch``. ``replace(eve, 3)`` must equal
    ``expected``, and ``mktime`` must have been called three times with
    ``mocked_datetime.timetuple()``.
    """
    sample_event = event()
    window = {"earliest": earliest, "latest": latest}
    time_rule = get_rule_class(TIME)(token(), eventgen_params=window)
    with get_patch("time_parse.convert_to_time", mocked_datetime), \
            get_patch("randint", 1439905910), \
            get_patch("datetime.fromtimestamp", mocked_datetime), \
            get_patch("mktime", 1616779126) as mktime_mock:
        produced = list(time_rule.replace(sample_event, 3))
        assert produced == expected
        mktime_mock.assert_has_calls([call(mocked_datetime.timetuple())] * 3)
def test_replace_local_timezone(self, event, timezone, replacement, expected):
    """Check the TIME rule when a ``timezone`` eventgen parameter is set.

    The window is fixed at ``earliest="24h"`` and ``latest="6h"``. Time
    parsing, ``randint``, ``get_timezone_time`` and ``mktime`` are pinned, and
    ``invert_timezone`` is stubbed to return ``"0000"``. ``replace(eve, 2)``
    must equal ``expected``, and ``mktime`` must have been called twice with
    ``mocked_datetime.timetuple()``.
    """
    sample_event = event()
    params = {"earliest": "24h", "latest": "6h", "timezone": timezone}
    time_rule = get_rule_class(TIME)(
        token(replacement=replacement),
        eventgen_params=params,
    )
    with get_patch("time_parse.convert_to_time", mocked_datetime), \
            get_patch("randint", 1616801099), \
            get_patch("time_parse.get_timezone_time", mocked_datetime), \
            patch.object(time_rule, "invert_timezone", MagicMock(return_value="0000")), \
            get_patch("mktime", 1616779126) as mktime_mock:
        produced = list(time_rule.replace(sample_event, 2))
        assert produced == expected
        mktime_mock.assert_has_calls([call(mocked_datetime.timetuple())] * 2)
def test_int_rule_no_match(event, caplog, class_name, warning_message):
    """Check that a rule with a default token yields nothing and logs once.

    ``replace(eve, 40)`` must produce an empty list, and the only captured
    log message must be ``warning_message``.
    """
    rule_under_test = get_rule_class(class_name)(token())
    sample_event = event()
    produced = list(rule_under_test.replace(sample_event, 40))
    assert produced == []
    assert caplog.messages == [warning_message]
def test_replace(self, event, replacement, expected):
    """Check the HEX rule output for ``replacement`` with ``randint`` pinned to 8."""
    sample_event = event()
    hex_rule = get_rule_class(HEX)(token(replacement=replacement))
    with get_patch("randint", 8):
        produced = list(hex_rule.replace(sample_event, 2))
        assert produced == expected