def test_and_observable_expression(): exp1 = stix2.AndBooleanExpression([ stix2.EqualityComparisonExpression("user-account:account_type", "unix"), stix2.EqualityComparisonExpression("user-account:user_id", stix2.StringConstant("1007")), stix2.EqualityComparisonExpression("user-account:account_login", "Peter") ]) exp2 = stix2.AndBooleanExpression([ stix2.EqualityComparisonExpression("user-account:account_type", "unix"), stix2.EqualityComparisonExpression("user-account:user_id", stix2.StringConstant("1008")), stix2.EqualityComparisonExpression("user-account:account_login", "Paul") ]) exp3 = stix2.AndBooleanExpression([ stix2.EqualityComparisonExpression("user-account:account_type", "unix"), stix2.EqualityComparisonExpression("user-account:user_id", stix2.StringConstant("1009")), stix2.EqualityComparisonExpression("user-account:account_login", "Mary") ]) exp = stix2.AndObservationExpression([ stix2.ObservationExpression(exp1), stix2.ObservationExpression(exp2), stix2.ObservationExpression(exp3) ]) assert str( exp ) == "[user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = '******'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = '******'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = '******']" # noqa
def test_multiple_file_observable_expression(): exp1 = stix2.EqualityComparisonExpression( "file:hashes.'SHA-256'", stix2.HashConstant( "bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c", 'SHA-256')) exp2 = stix2.EqualityComparisonExpression( "file:hashes.MD5", stix2.HashConstant("cead3f77f6cda6ec00f57d76c9a6879f", "MD5")) bool1_exp = stix2.OrBooleanExpression([exp1, exp2]) exp3 = stix2.EqualityComparisonExpression( "file:hashes.'SHA-256'", stix2.HashConstant( "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f", 'SHA-256')) op1_exp = stix2.ObservationExpression(bool1_exp) op2_exp = stix2.ObservationExpression(exp3) exp = stix2.AndObservationExpression([op1_exp, op2_exp]) assert str( exp ) == "[file:hashes.'SHA-256' = 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']" # noqa