def test_perform_long_running_loop(mocker, test_data, test_name): """ Given: - socket: Socket to retrieve Syslog messages from. - message_regex: Message regex to match if exists. When: - Performing one loop in the long-running execution Cases: Case 1: Log format is RFC 3164, no message regex. Case 2: Log format is RFC 3164, message regex, passes filter. Case 3: Log format is RFC 3164, message regex, doesn't pass filter. Case 4: Log format is RFC 5424, no message regex. Case 5: Log format is RFC 5424, message regex, passes filter. Case 6: Log format is RFC 5424, message regex, doesn't pass filter. Then: - Ensure incident is created if needed for each case, and exists in context data. """ import Syslogv2 tmp_reg = Syslogv2.MESSAGE_REGEX test_name_data = test_data[test_name] Syslogv2.MESSAGE_REGEX = test_name_data.get('message_regex') set_integration_context({}) incident_mock = mocker.patch.object(demisto, 'createIncidents') if test_name_data.get('expected'): perform_long_running_loop(test_data['log_message'].encode()) assert incident_mock.call_args[0][0] == test_name_data.get('expected') assert get_integration_context() == { 'samples': test_name_data.get('expected') } else: perform_long_running_loop(test_data['log_message'].encode()) assert not demisto.createIncidents.called assert not get_integration_context() Syslogv2.MESSAGE_REGEX = tmp_reg
def test_reset_offset_command(requests_mock, offset_data, context_data, offset, expected_text, expected_offset): """ Given: - different stored offset configurations and desired offset parameters When: - running the reset offset command Then: - I am told what happened in a human-readable form - the new context has been stored in the integration context """ set_integration_context(context_data) feed = "ip_reputation" requests_mock.get(BASE_URL + "/info?format=jsonl&feedId={}_v2".format(feed), json=offset_data, request_headers=_expected_headers()) client = _create_client(feed) args = dict() if offset is not None: args["offset"] = offset result = reset_offset_command(client, args) assert result.readable_output == expected_text assert get_integration_context() == dict(offset=expected_offset)
def test_perform_long_running_loop(mocker, test_data, test_name): """ Given: - socket: Socket to retrieve Syslog messages from. - message_regex: Message regex to match if exists. When: - Performing one loop in the long-running execution Cases: Case 1: Log format is RFC 3164, no message regex. Case 2: Log format is RFC 3164, message regex, passes filter. Case 3: Log format is RFC 3164, message regex, doesn't pass filter. Case 4: Log format is RFC 5424, no message regex. Case 5: Log format is RFC 5424, message regex, passes filter. Case 6: Log format is RFC 5424, message regex, doesn't pass filter. Then: - Ensure incident is created if needed for each case, and exists in context data. """ import Syslogv2 tmp_reg = Syslogv2.MESSAGE_REGEX test_name_data = test_data[test_name] Syslogv2.MESSAGE_REGEX = test_name_data.get('message_regex') set_integration_context({}) incident_mock = mocker.patch.object(demisto, 'createIncidents') if test_name_data.get('expected'): perform_long_running_loop(test_data['log_message'].encode()) # Deleting timestamp, because it is retrieved by current year. current_year = str(datetime.now().year) for res in test_name_data['expected']: for replace_field in ['rawJSON', 'name', 'details']: res[replace_field] = res[replace_field].replace( 'REPLACE_WITH_CURRENT_YEAR', current_year) assert incident_mock.call_args[0][0] == test_name_data.get('expected') assert get_integration_context() == { 'samples': test_name_data.get('expected') } else: perform_long_running_loop(test_data['log_message'].encode()) assert not demisto.createIncidents.called assert not get_integration_context() Syslogv2.MESSAGE_REGEX = tmp_reg
def test_creds_changed(context, client_id, as_expected) -> None: """ Scenario: To detect changes in credentials. When: - When user changes credentials (identity_code). Then: - Change in credentials should be detected correctly. """ from Lansweeper import creds_changed set_integration_context(context) assert creds_changed(get_integration_context(), client_id) is as_expected
def test_invalidate_context(context) -> None: """ Scenario: Demisto integration context should be invalidated if credentials are changed. Given: - User has provided new credentials. When: - When user changes credentials (identity_code). Then: - Integration context should be invalidated. """ from Lansweeper import update_context set_integration_context(context) update_context("new_identity_code") assert get_integration_context() == {"identity_code": "new_identity_code"}
def test_update_integration_context_samples(init_ctx, incident, sample_size, expected_context): """ Given: - incident: Incident. When: - Updating the samples with the given incident. Cases: Case 1: Context is empty. Case 2: Context is not empty, samples size not reached. Case 2: Context is not empty, samples size reached. Case 2: Context is not empty, samples size reached. Then: - Ensure context is updated as expected """ set_integration_context(init_ctx) update_integration_context_samples(incident, sample_size) assert get_integration_context() == {'samples': expected_context}
def test_get_indicators(requests_mock, phishing_urls, context_data, offsets, max_indicators, expected_offset, expected_count): """ Given: - the phishing URL feed When: - running get-indicators Then: - no adjustments made to the integration context - the number of indicators is taken from the response, meaning 4 entries """ set_integration_context(context_data) _, get = _create_instance(requests_mock, "phishing_urls", phishing_urls, offsets, expected_offset, expected_count) result = get(max_indicators) assert len(result.raw_response) == 8 assert get_integration_context() == context_data
def test_fetch_indicators_offsets(requests_mock, ip_reputation, context_data, offsets, initial_count, max_indicators, expected_offset, expected_count): """ Given: - the IP reputation feed When: - running fetch-indicators Then: - the new offset in the integration context is the max offset from the entries + 1 - the number of imported indicators is the number of IP's in the feed """ set_integration_context(context_data) fetch, _ = _create_instance(requests_mock, "ip_reputation", ip_reputation, offsets, expected_offset, expected_count) created = fetch(initial_count, max_indicators, True) assert len(created) == 8 assert get_integration_context() == dict(offset=50007)