def test_record_to_incident_american_time(self):
"""
Given:
record with american time (month first)
When:
fetching incidents
Then:
assert return dates are right
"""
client = Client(BASE_URL, '', '', '', '')
incident = INCIDENT_RECORD.copy()
incident['record']['Date/Time Reported'] = '03/26/2018 10:03 AM'
incident['raw']['Field'][1][
'@xmlConvertedValue'] = '2018-03-26T10:03:00Z'
incident, incident_created_time = client.record_to_incident(
INCIDENT_RECORD, 75, '305')
assert incident_created_time == datetime(2018,
3,
26,
10,
3,
tzinfo=timezone.utc)
assert incident['occurred'] == '2018-03-26T10:03:00Z'
def test_record_to_incident():
client = Client(BASE_URL, '', '', '', '')
incident, incident_created_time = client.record_to_incident(
INCIDENT_RECORD, 75, 'Date/Time Reported')
assert incident_created_time.strftime(
'%Y-%m-%dT%H:%M:%SZ') == '2018-03-26T10:03:32Z'
assert incident['name'] == 'RSA Archer Incident: 227602'
assert incident['occurred'] == '2018-03-26T10:03:32Z'
def test_record_to_incident(self):
client = Client(BASE_URL, '', '', '', '')
record = copy.deepcopy(INCIDENT_RECORD)
record['raw']['Field'][1]['@xmlConvertedValue'] = '2018-03-26T10:03:00Z'
incident, incident_created_time = client.record_to_incident(record, 75, '305')
assert incident_created_time == datetime(2018, 3, 26, 10, 3, tzinfo=timezone.utc)
assert incident['name'] == 'RSA Archer Incident: 227602'
assert incident['occurred'] == '2018-03-26T10:03:00Z'
def test_get_level_by_app_id(self, requests_mock):
requests_mock.post(BASE_URL + 'api/core/security/login', json={'RequestedObject': {'SessionToken': 'session-id',
}, 'IsSuccessful': True})
requests_mock.get(BASE_URL + 'api/core/system/level/module/1', json=GET_LEVEL_RES)
requests_mock.get(BASE_URL + 'api/core/system/fielddefinition/level/123', json=FIELD_DEFINITION_RES)
client = Client(BASE_URL, '', '', '', '')
levels = client.get_level_by_app_id('1')
assert levels == GET_LEVELS_BY_APP
def test_get_record_failed(self, requests_mock):
requests_mock.post(BASE_URL + 'api/core/security/login',
json={'RequestedObject': {'SessionToken': 'session-id'}})
requests_mock.get(BASE_URL + 'api/core/content/1010', json=GET_RECORD_RES_failed)
client = Client(BASE_URL, '', '', '', '')
record, res, errors = client.get_record(75, 1010)
assert errors == 'No resource found.'
assert res
assert record == {}
def test_get_record_success(self, requests_mock):
requests_mock.post(BASE_URL + 'api/core/security/login',
json={'RequestedObject': {'SessionToken': 'session-id'}})
requests_mock.get(BASE_URL + 'api/core/content/1010', json=GET_RECORD_RES_SUCCESS)
requests_mock.get(BASE_URL + 'api/core/system/level/module/1', json=GET_LEVEL_RES)
requests_mock.get(BASE_URL + 'api/core/system/fielddefinition/level/123', json=FIELD_DEFINITION_RES)
client = Client(BASE_URL, '', '', '', '')
record, res, errors = client.get_record(1, 1010)
assert errors is None
assert res
assert record == {'Device Name': 'The device name', 'Id': 1010}
def test_get_field_value_list(self, requests_mock):
cache = demisto.getIntegrationContext()
cache['fieldValueList'] = {}
demisto.setIntegrationContext(cache)
requests_mock.post(BASE_URL + 'api/core/security/login',
json={'RequestedObject': {'SessionToken': 'session-id'}})
requests_mock.get(BASE_URL + 'api/core/system/fielddefinition/304', json=GET_FIElD_DEFINITION_RES)
requests_mock.get(BASE_URL + 'api/core/system/valueslistvalue/valueslist/62', json=VALUE_LIST_RES)
client = Client(BASE_URL, '', '', '', '')
field_data = client.get_field_value_list(304)
assert VALUE_LIST_FIELD_DATA == field_data
def test_search_records(self, requests_mock):
requests_mock.post(BASE_URL + 'api/core/security/login',
json={'RequestedObject': {'SessionToken': 'session-id'}})
requests_mock.post(BASE_URL + 'ws/general.asmx', text=GET_TOKEN_SOAP)
requests_mock.get(BASE_URL + 'api/core/system/level/module/1', json=GET_LEVEL_RES)
requests_mock.get(BASE_URL + 'api/core/system/fielddefinition/level/123', json=FIELD_DEFINITION_RES)
requests_mock.post(BASE_URL + 'ws/search.asmx', text=SEARCH_RECORDS_RES)
client = Client(BASE_URL, '', '', '', '')
records, raw_res = client.search_records(1, ['External Links', 'Device Name'])
assert raw_res
assert len(records) == 1
assert records[0]['record']['Id'] == '238756'
assert records[0]['record']['Device Name'] == 'DEVICE NAME'
def test_same_record_returned_in_two_fetches(self, mocker):
"""
Given:
- Same record returned in 2 fetch queries
When:
- Fetching incidents (2 iterations)
Then:
Check that the new next fetch is greater than last_fetch on both calls.
Check the wanted next_fetch is equals to the date in the incident in both calls.
Assert occurred time
"""
client = Client(BASE_URL, '', '', '', '')
mocker.patch.object(
client, 'search_records', side_effect=[
([INCIDENT_RECORD_US_TZ], {}),
([INCIDENT_RECORD_US_TZ], {})
]
)
params = {
'applicationId': '75',
'applicationDateField': 'created date'
}
field_time_id = '53075'
first_fetch = parser('2021-02-24T08:45:55Z')
incidents, first_next_fetch = fetch_incidents(client, params, first_fetch, field_time_id)
assert first_fetch < first_next_fetch
assert first_next_fetch == datetime(2021, 2, 25, 8, 45, 55, 977000, tzinfo=timezone.utc)
assert incidents[0]['occurred'] == '2021-02-25T08:45:55.977Z'
# first_next_fetch_dt simulates the set to last_run done in fetch-incidents
first_next_fetch_dt = parser(first_next_fetch.strftime(OCCURRED_FORMAT))
incidents, second_next_fetch = fetch_incidents(client, params, first_next_fetch_dt, field_time_id)
assert first_next_fetch == datetime(2021, 2, 25, 8, 45, 55, 977000, tzinfo=timezone.utc)
assert not incidents
def test_fetch_time_change(self, mocker):
"""
Given:
incident with date/time reported
european time (day first) - True or false
When:
Fetching incidents
Then:
Check that the new next fetch is greater than last_fetch
Check the wanted next_fetch is true
Assert occurred time
"""
client = Client(BASE_URL, '', '', '', '')
date_time_reported = '2018-04-03T10:03:00.000Z'
params = {
'applicationId': '75',
'applicationDateField': 'Date/Time Reported'
}
record = copy.deepcopy(INCIDENT_RECORD)
record['record']['Date/Time Reported'] = date_time_reported
record['raw']['Field'][1]['@xmlConvertedValue'] = date_time_reported
last_fetch = get_fetch_time(
{'last_fetch': '2018-03-01T10:03:00Z'}, params.get('fetch_time', '3 days')
)
mocker.patch.object(client, 'search_records', return_value=([record], {}))
incidents, next_fetch = fetch_incidents(client, params, last_fetch, '305')
assert last_fetch < next_fetch
assert next_fetch == datetime(2018, 4, 3, 10, 3, tzinfo=timezone.utc)
assert incidents[0]['occurred'] == date_time_reported
def test_fetch_time_change_with_offset(self, mocker):
"""
Given:
offset of -120 (2 hours)
When:
Fetching incidents
Then:
Check that the new last fetch is equals to record reported time (no delta) and is after the last_fetch
Assert occurred time
"""
client = Client(BASE_URL, '', '', '', '')
record = copy.deepcopy(INCIDENT_RECORD)
record['record']['Date/Time Reported'] = '03/04/2018 10:03 AM'
params = {
'applicationId': '75',
'applicationDateField': 'Date/Time Reported',
'time_zone': -120,
'useEuropeanTime': 'true'
}
last_fetch = get_fetch_time({'last_fetch': '2018-03-24T10:03:00Z'},
params.get('fetch_time', '3 days'), 0)
mocker.patch.object(client,
'search_records',
return_value=([record], {}))
incidents, next_fetch = fetch_incidents(client, params, last_fetch)
assert last_fetch < next_fetch
assert next_fetch == datetime(2018, 4, 3, 10, 3, tzinfo=timezone.utc)
assert incidents[0]['occurred'] == '2018-04-03T12:03:00Z'
def test_search_records_by_report_command(self, mocker):
"""
Given:
- search_records_by_report_command command args
When:
- run search_records_by_report_command
Then:
- Verify response outputs
- verify response readable output
"""
mock_args = {'reportGuid': 'id'}
client = Client(BASE_URL, '', '', '', '', 400)
mocker.patch.object(client,
'do_soap_request',
return_value=[
SEARCH_RECORDS_BY_REPORT_RES,
SEARCH_RECORDS_BY_REPORT_RES
])
mocker.patch.object(client, 'do_request', return_value=GET_LEVEL_RES_2)
mocker.patch.object(demisto, 'results')
search_records_by_report_command(client, mock_args)
assert demisto.results.call_args_list[0][0][0][
'HumanReadable'] == MOCK_READABLE_SEARCH_RECORDS_BY_REPORT
assert demisto.results.call_args_list[0][0][0][
'Contents'] == MOCK_RESULTS_SEARCH_RECORDS_BY_REPORT
def test_fetch_times_with_impossible_date(self, mocker,
date_time_reported: str,
use_european_time: bool,
occurred: str):
"""
Given:
incident with date/time reported. The day/months can't be misplaced (29-11, 11-29)
european time (day first) - True or false
When:
Fetching incidents
Then:
Check that the new next fetch is greater than last_fetch
Check the wanted next_fetch is true
Assert occurred time
"""
client = Client(BASE_URL, '', '', '', '')
params = {
'applicationId': '75',
'applicationDateField': 'Date/Time Reported',
'time_zone': 0,
'useEuropeanTime': use_european_time
}
record = copy.deepcopy(INCIDENT_RECORD)
record['record']['Date/Time Reported'] = date_time_reported
last_fetch = get_fetch_time({'last_fetch': '2018-03-01T10:03:00Z'},
params.get('fetch_time', '3 days'), 0)
mocker.patch.object(client,
'search_records',
return_value=([record], {}))
incidents, next_fetch = fetch_incidents(client, params, last_fetch)
assert last_fetch < next_fetch
assert next_fetch == datetime(2018, 11, 29, 10, 3, tzinfo=timezone.utc)
assert incidents[0]['occurred'] == occurred
def test_generate_field_value_values_list_input(self, requests_mock):
cache = demisto.getIntegrationContext()
cache['fieldValueList'] = {}
demisto.setIntegrationContext(cache)
requests_mock.post(BASE_URL + 'api/core/security/login',
json={
'RequestedObject': {
'SessionToken': 'session-id'
},
'IsSuccessful': True
})
requests_mock.get(BASE_URL + 'api/core/system/fielddefinition/304',
json=GET_FIElD_DEFINITION_RES)
requests_mock.get(BASE_URL +
'api/core/system/valueslistvalue/valueslist/62',
json=VALUE_LIST_RES)
client = Client(BASE_URL, '', '', '', '', 400)
field_key, field_value = generate_field_value(client, "", {
'Type': 4,
'FieldId': 304
}, ["High"])
assert field_key == 'Value'
assert field_value == {'ValuesListIds': [473]}
def test_generate_field_users_groups_input(self):
"""
Given:
Valid value from dictionary type under "fieldsToValues" argument
When:
- running archer-update-record
Then:
- assert fields are generated correctly
"""
client = Client(BASE_URL, '', '', '', '', 400)
field_key, field_value = generate_field_value(client, "", {'Type': 8},
{
"users": [20],
"groups": [30]
})
assert field_key == 'Value'
assert field_value == {
"UserList": [{
"ID": 20
}],
"GroupList": [{
"ID": 30
}]
}
def test_fetch_got_exact_same_time(self, mocker):
"""
Given:
last_fetch is in the exact same time as the incident
When:
Fetching incidents
Then:
Check that the next fetch is equals last fetch (no new incident)
Check that no incidents brought back
"""
client = Client(BASE_URL, '', '', '', '')
date_time_reported = '2018-03-01T10:02:00.000Z'
params = {
'applicationId': '75',
'applicationDateField': 'Date/Time Reported'
}
record = copy.deepcopy(INCIDENT_RECORD)
record['record']['Date/Time Reported'] = date_time_reported
record['raw']['Field'][1]['@xmlConvertedValue'] = date_time_reported
last_fetch = get_fetch_time(
{'last_fetch': date_time_reported}, params.get('fetch_time', '3 days')
)
mocker.patch.object(client, 'search_records', return_value=([record], {}))
incidents, next_fetch = fetch_incidents(client, params, last_fetch, '305')
assert last_fetch == next_fetch
assert not incidents, 'Should not get new incidents.'
def test_generate_field_external_link_input(self):
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(client, "", {'Type': 7},
[{"value": "github", "link": "https://github.com"},
{"value": "google", "link": "https://google.com"}])
assert field_key == 'Value'
assert field_value == [{"Name": "github", "URL": "https://github.com"},
{"Name": "google", "URL": "https://google.com"}]
def test_generate_field_users_groups_input():
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(client, "", {'Type': 8}, {
"users": [20],
"groups": [30]
})
assert field_key == 'Value'
assert field_value == {"UserList": [{"ID": 20}], "GroupList": [{"ID": 30}]}
def test_update_session_fail_parsing(self, mocker):
"""
Given:
an exception raised from _http_request who failed to pares json object
When:
- initiating session
Then:
- Raise exception with message to check the provided url
"""
mocker.patch.object(Client, '_http_request', side_effect=DemistoException("Failed to parse json object from "
"response: b\"<html><head><script>"
"window.top.location='/Default.aspx';"
"</script></head><body>"
"</body></html>"))
client = Client(BASE_URL, '', '', '', '')
with pytest.raises(DemistoException) as e:
client.update_session()
assert "Check the given URL, it can be a redirect issue" in str(e.value)
def test_record_to_incident_american_time(self):
"""
Given:
record with american time (month first)
When:
fetching incidents
Then:
assert return dates are right
"""
client = Client(BASE_URL, '', '', '', '')
incident = INCIDENT_RECORD.copy()
incident['record']['Date/Time Reported'] = '03/26/2018 10:03 AM'
incident, incident_created_time = client.record_to_incident(
INCIDENT_RECORD, 75, 'Date/Time Reported', day_first=False)
assert incident_created_time.strftime(
'%Y-%m-%dT%H:%M:%SZ') == '2018-03-26T10:03:00Z'
assert incident['occurred'] == '2018-03-26T10:03:00Z'
def test_generate_invalid_field_users_groups_input(self):
"""
Given:
Invalid value under "fieldsToValues" argument with type 8 (lists)
When:
- running archer-update-record
Then:
- Raise exception indicates that the value is not with the right format
"""
client = Client(BASE_URL, '', '', '', '')
with pytest.raises(DemistoException) as e:
generate_field_value(client, "test", {'Type': 8}, 'user1, user2')
assert "The value of the field: test must be a dictionary type and include a list under \"users\" key or " \
"\"groups\" key e.g: {\"Policy Owner\":{\"users\":[20],\"groups\":[30]}}" in str(e.value)
def test_update_session(self, mocker, requests_mock, requested_object, is_successful):
requests_mock.post(BASE_URL + 'api/core/security/login', json=requested_object)
mocker.patch.object(demisto, 'results')
client = Client(BASE_URL, '', '', '', '')
if is_successful:
client.update_session()
assert demisto.results.call_count == 0
else:
with pytest.raises(SystemExit) as e:
# in case login wasn't successful, return_error will exit with a reason (for example, LoginNotValid)
# return_error reached
client.update_session()
assert e
def test_two_fetches(self, mocker):
"""
Given:
2 incident with date/time reported
running two fetches.
When:
Fetching incidents
Then:
Check that the new next fetch is greater than last_fetch on both calls.
Check the wanted next_fetch is equals to the date in the incident in both calls.
Assert occurred time
"""
client = Client(BASE_URL, '', '', '', '')
params = {
'applicationId': '75',
'applicationDateField': 'Date/Time Reported'
}
record1, record2 = copy.deepcopy(INCIDENT_RECORD), copy.deepcopy(
INCIDENT_RECORD)
record1['record']['Date/Time Reported'] = '18/03/2020 10:30 AM'
record2['record']['Date/Time Reported'] = '18/03/2020 03:30 PM'
record1['raw']['Field'][1][
'@xmlConvertedValue'] = '2020-03-18T10:30:00.000Z'
record2['raw']['Field'][1][
'@xmlConvertedValue'] = '2020-03-18T15:30:00.000Z'
last_fetch = parser('2020-18-03T09:00:00Z')
mocker.patch.object(client,
'search_records',
side_effect=[([record1], {}), ([record2], {})])
incidents, next_fetch = fetch_incidents(client, params, last_fetch,
'305')
assert last_fetch < next_fetch
assert next_fetch == datetime(2020, 3, 18, 10, 30, tzinfo=timezone.utc)
assert incidents[0]['occurred'] == '2020-03-18T10:30:00.000Z'
incidents, next_fetch = fetch_incidents(client, params, next_fetch,
'305')
assert last_fetch < next_fetch
assert next_fetch == datetime(2020, 3, 18, 15, 30, tzinfo=timezone.utc)
assert incidents[0]['occurred'] == '2020-03-18T15:30:00.000Z'
def test_generate_field_value(requests_mock):
"""
Given
- generate_field_value on Values List type
When
- the source is not a list
Then
- ensure generate_field_value will handle it
"""
cache = demisto.getIntegrationContext()
cache['fieldValueList'] = {}
demisto.setIntegrationContext(cache)
requests_mock.get(BASE_URL + 'api/core/system/fielddefinition/16172',
json=GET_FIElD_DEFINITION_RES)
requests_mock.post(BASE_URL + 'api/core/security/login',
json={
'RequestedObject': {
'SessionToken': 'session-id'
},
'IsSuccessful': 'yes'
})
requests_mock.get(BASE_URL +
'api/core/system/valueslistvalue/valueslist/62',
json=VALUE_LIST_RES_FOR_SOURCE)
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(
client, "Source", {
'FieldId': '16172',
'IsRequired': False,
'Name': 'Source',
'RelatedValuesListId': 2092,
'Type': 4
}, 'ArcSight')
assert field_key == 'Value'
assert field_value == {'ValuesListIds': [471]}
def test_generate_field_ip_address_input():
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(client, "", {'Type': 19},
'127.0.0.1')
assert field_key == 'IpAddressBytes'
assert field_value == '127.0.0.1'
def test_generate_field_cross_reference_input(field_value, result):
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(client, "", {'Type': 9},
field_value)
assert field_key == 'Value'
assert field_value == result
def test_generate_field_value_text_input():
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(client, "", {'Type': 1},
"Demisto")
assert field_key == 'Value'
assert field_value == 'Demisto'
def test_generate_field_contents():
client = Client(BASE_URL, '', '', '', '')
field = generate_field_contents(client, '{"Device Name":"Macbook"}',
GET_LEVELS_BY_APP[0]['mapping'])
assert field == {'2': {'Type': 1, 'Value': 'Macbook', 'FieldId': '2'}}
def test_generate_field_cross_reference_input():
client = Client(BASE_URL, '', '', '', '')
field_key, field_value = generate_field_value(client, "", {'Type': 9},
[1, 2])
assert field_key == 'Value'
assert field_value == [{"ContentID": 1}, {"ContentID": 2}]
