def test_msg(mocker):
    """
    Given:
     - An Outlook .msg fixture (smime-p7s.msg)
    When:
     - The ParseEmailFilesV2 script runs
    Then:
     - A single note entry is returned and its parsed subject is 'test'
    """
    file_info = 'CDFV2 Microsoft Outlook Message'
    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    # exec_command_for_file is defined elsewhere in this file; presumably it
    # builds the executeCommand stub that serves the fixture - verify there.
    command_stub = exec_command_for_file('smime-p7s.msg', info=file_info)
    mocker.patch.object(demisto, 'executeCommand', side_effect=command_stub)
    mocker.patch.object(demisto, 'results')

    # Sanity-check the args mock before the script runs.
    assert demisto.args()['entryid'] == 'test'

    main()

    # NOTE(review): a check that demisto.results.call_count == 1 is disabled
    # in this test; the reason is not visible here.
    # call_args is (positional args, kwargs); only the positionals are needed.
    positional = demisto.results.call_args[0]
    assert len(positional) == 1
    entry = positional[0]
    assert entry['Type'] == entryTypes['note']
    assert entry['EntryContext']['Email']['Subject'] == 'test'
def test_eml_contains_msg(mocker):
    """
    Given:
     - An eml file that carries a msg file as an attachment
    When:
     - The ParseEmailFilesV2 script runs
    Then:
     - Parsing succeeds
     - Both the outer eml and the attached msg are parsed
     - The attachment is returned as a file entry
    """
    # The fixture name marks it as a sample that should not be opened in a
    # mail client; in this test its path is only handed to the parser.

    def fake_execute_command(name, args=None):
        # Only the two commands stubbed below are supported; anything else
        # fails loudly.
        if name not in ('getFilePath', 'getEntry'):
            raise ValueError('Unimplemented command called: {}'.format(name))
        if name == 'getEntry':
            return [{
                'Type': entryTypes['file'],
                'FileMetadata': {
                    'info': 'news or mail text, ASCII text'
                }
            }]
        return [{
            'Type': entryTypes['note'],
            'Contents': {
                'path': 'test_data/DONT_OPEN-MALICIOUS.eml',
                'name': 'DONT_OPEN-MALICIOUS.eml'
            }
        }]

    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand', side_effect=fake_execute_command)
    mocker.patch.object(demisto, 'results')

    # Sanity-check the args mock before the script runs.
    assert demisto.args()['entryid'] == 'test'

    main()

    # One call object per demisto.results invocation.
    calls = demisto.results.call_args_list
    assert demisto.results.call_count == 3
    assert len(calls) == 3

    # NOTE(review): the attachment name originates from the parsed message,
    # so consumers of 'File' / 'Attachments' should treat it as untrusted.
    attachment_name = 'Attacker+email+.msg'
    assert calls[0].args[0]['File'] == attachment_name

    # Second result: the outer message (Depth 0) listing its attachment.
    outer_email = calls[1].args[0]['EntryContext']['Email']
    assert outer_email['Subject'] == 'DONT OPEN - MALICIOS'
    assert attachment_name in outer_email['Attachments']
    assert attachment_name in outer_email['AttachmentsData'][0]['Name']
    assert outer_email['Depth'] == 0

    # Third result: the attached message, one nesting level down.
    inner_email = calls[2].args[0]['EntryContext']['Email']
    assert inner_email['Subject'] == 'Attacker email'
    assert inner_email['Depth'] == 1
def test_eml_type(mocker):
    """
    Given:
     - An eml file whose file info is reported as 'SMTP mail, ...'
    When:
     - The ParseEmailFilesV2 script runs
    Then:
     - A single note entry is returned and its parsed subject is
       'Test Smtp Email'
    """

    def fake_execute_command(name, args=None):
        # Only the two commands stubbed below are supported; anything else
        # fails loudly.
        if name not in ('getFilePath', 'getEntry'):
            raise ValueError('Unimplemented command called: {}'.format(name))
        if name == 'getEntry':
            return [{
                'Type': entryTypes['file'],
                'FileMetadata': {
                    'info': 'SMTP mail, UTF-8 Unicode text, with CRLF terminators'
                }
            }]
        return [{
            'Type': entryTypes['note'],
            'Contents': {
                'path': 'test_data/smtp_email_type.eml',
                'name': 'smtp_email_type.eml'
            }
        }]

    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand', side_effect=fake_execute_command)
    mocker.patch.object(demisto, 'results')

    # Sanity-check the args mock before the script runs.
    assert demisto.args()['entryid'] == 'test'
    # NOTE(review): a similar sanity check on the executeCommand mock
    # ('getFilePath' returning a note entry) is disabled in this test.

    main()

    assert demisto.results.call_count == 1
    # call_args is (positional args, kwargs); only the positionals are needed.
    positional = demisto.results.call_args[0]
    assert len(positional) == 1
    entry = positional[0]
    assert entry['Type'] == entryTypes['note']
    assert entry['EntryContext']['Email']['Subject'] == 'Test Smtp Email'
def test_no_content_type_file(mocker):
    """
    Given:
     - An eml fixture named no_content_type.eml, reported as 'ascii text'
    When:
     - The ParseEmailFilesV2 script runs
    Then:
     - A single note entry is returned and its parsed subject is
       'No content type'
    """
    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    # exec_command_for_file is defined elsewhere in this file; presumably it
    # builds the executeCommand stub that serves the fixture - verify there.
    command_stub = exec_command_for_file('no_content_type.eml', info="ascii text")
    mocker.patch.object(demisto, 'executeCommand', side_effect=command_stub)
    mocker.patch.object(demisto, 'results')

    main()

    # call_args is (positional args, kwargs); only the positionals are needed.
    positional = demisto.results.call_args[0]
    assert len(positional) == 1
    entry = positional[0]
    assert entry['Type'] == entryTypes['note']
    assert entry['EntryContext']['Email']['Subject'] == 'No content type'
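def test_no_content_file(mocker):
    """
    Given:
     - An eml fixture without content (no_content.eml)
    When:
     - The ParseEmailFilesV2 script runs
    Then:
     - The script stops with SystemExit
     - A single result is returned whose contents mention
       'Could not extract email from file'
    """
    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand',
                        side_effect=exec_command_for_file('no_content.eml', info="ascii text"))
    mocker.patch.object(demisto, 'results')

    # Initialise the flag up front: if main() returns normally the test must
    # fail on the assertion below, not with NameError on an unbound local.
    gotexception = False
    try:
        main()
    except SystemExit:
        gotexception = True
    assert gotexception, 'main() was expected to exit on a file with no email content'

    # The script is expected to report the failure rather than emit an
    # Email context for a file it could not parse.
    # call_args is (positional args, kwargs); only the positionals are needed.
    results = demisto.results.call_args[0]
    assert len(results) == 1
    assert 'Could not extract email from file' in results[0]['Contents']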
def test_eml_contains_eml(mocker):
    """
    Given:
     - An eml file that carries another eml file as an attachment
    When:
     - The ParseEmailFilesV2 script runs
    Then:
     - Parsing succeeds
     - Both the outer and the attached eml are parsed
     - The attachments are returned as file entries
    """

    def fake_execute_command(name, args=None):
        # Only the two commands stubbed below are supported; anything else
        # fails loudly.
        if name not in ('getFilePath', 'getEntry'):
            raise ValueError('Unimplemented command called: {}'.format(name))
        if name == 'getEntry':
            return [{
                'Type': entryTypes['file'],
                'FileMetadata': {
                    'info': 'news or mail text, ASCII text'
                }
            }]
        return [{
            'Type': entryTypes['note'],
            'Contents': {
                'path': 'test_data/Fwd_test-inner_attachment_eml.eml',
                'name': 'Fwd_test-inner_attachment_eml.eml'
            }
        }]

    mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'})
    mocker.patch.object(demisto, 'executeCommand', side_effect=fake_execute_command)
    mocker.patch.object(demisto, 'results')

    # Sanity-check the args mock before the script runs.
    assert demisto.args()['entryid'] == 'test'

    main()

    assert demisto.results.call_count == 4
    # One call object per demisto.results invocation.
    calls = demisto.results.call_args_list
    assert len(calls) == 4

    # NOTE(review): attachment names originate from the parsed message, so
    # consumers of 'File' / 'Attachments' should treat them as untrusted.
    yml_name = 'ArcSight_ESM_fixes.yml'
    inner_eml_name = 'test - inner attachment eml.eml'

    # First two results: the attachments returned as file entries.
    assert calls[0].args[0]['File'] == yml_name
    assert calls[1].args[0]['File'] == inner_eml_name

    # Third result: the outer message (Depth 0) listing both attachments.
    outer_email = calls[2].args[0]['EntryContext']['Email']
    assert outer_email['Subject'] == 'Fwd: test - inner attachment eml'
    assert yml_name in outer_email['Attachments']
    assert yml_name in outer_email['AttachmentsData'][0]['Name']
    assert inner_eml_name in outer_email['Attachments']
    assert inner_eml_name in outer_email['AttachmentsData'][1]['Name']
    assert outer_email['Depth'] == 0

    # Fourth result: the attached eml, one nesting level down.
    inner_email = calls[3].args[0]['EntryContext']['Email']
    assert inner_email['Subject'] == 'test - inner attachment eml'
    assert inner_email['Depth'] == 1