def test_get_forensics_timeline_command(requests_mock):
    """The forensics timeline command nests the raw API payload under the requested incident id.

    The HTTP call is intercepted by ``requests_mock``, which is the only reason
    ``verify=False`` on the client is acceptable here: no real TLS endpoint is
    ever contacted.
    """
    incident_id = "3"
    start_date = "1 month"
    end_date = "3 days"
    api_payload = {'IncidentId': "aaa", 'Status': 'Done', 'Evidence': []}

    # The mocked URL must carry the absolute, already-formatted dates that the
    # command is expected to derive from the relative ranges in ``args``.
    start_parsed, _ = parse_date_range(start_date, date_format=DATE_FORMAT, utc=True)
    end_parsed, _ = parse_date_range(end_date, date_format=DATE_FORMAT, utc=True)
    expected_url = (
        'https://server/api/v1/forensics/timeline'
        '?incident_id=3&end_date={}&start_date={}'.format(end_parsed, start_parsed)
    )
    requests_mock.get(expected_url, json=api_payload)

    client = Client(base_url='https://server', verify=False)
    args = {'incident_id': incident_id, 'start_date': start_date, 'end_date': end_date}
    _, outputs, _ = get_forensics_timeline_command(client, args)

    expected_outputs = {
        'Illusive.Forensics(val.IncidentId == obj.IncidentId)': {
            'IncidentId': '3',
            'Status': 'Done',
            'Evidence': {
                'IncidentId': 'aaa',
                'Status': 'Done',
                'Evidence': [],
            },
        }
    }
    assert outputs == expected_outputs
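def test_parse_date_range():
    """parse_date_range returns (start, end) with end at "now" and start one range earlier.

    The end timestamp is checked with a small tolerance instead of truncating both
    clock reads to whole seconds: truncation fails whenever the two reads straddle
    a second boundary, which made this assertion intermittently flaky.
    """
    tolerance_seconds = 2

    # UTC mode, 2-day range: end is (roughly) now, start is exactly 2 days before.
    utc_now = datetime.utcnow()
    utc_start_time, utc_end_time = parse_date_range('2 days', utc=True)
    assert abs((utc_end_time - utc_now).total_seconds()) < tolerance_seconds
    assert abs(utc_start_time - utc_end_time).days == 2

    # Local-time mode, 73-minute range: same shape, minute-granular check.
    local_now = datetime.now()
    local_start_time, local_end_time = parse_date_range('73 minutes', utc=False)
    assert abs((local_end_time - local_now).total_seconds()) < tolerance_seconds
    assert abs(local_start_time - local_end_time).seconds / 60 == 73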
def test_fetch_incidents_first_fetch(requests_mock):
    """A first fetch with no stored last_run queries from the first-fetch window and records it.

    ``verify=False`` is harmless in this test only because ``requests_mock``
    intercepts the request before any TLS handshake would happen.
    """
    first_fetch_time = "7 days"
    window_start, _ = parse_date_range(first_fetch_time, date_format=DATE_FORMAT, utc=True)

    # An empty incident list from the API must still produce a well-typed, empty result.
    incidents_url = 'https://server/api/v1/incidents?limit=10&offset=0&start_date={}'.format(window_start)
    requests_mock.get(incidents_url, json=[])

    client = Client(base_url='https://server', verify=False)
    next_run, incidents = fetch_incidents(client, {'last_run': None}, first_fetch_time, None)

    assert str(next_run['last_run']) == window_start
    assert isinstance(incidents, list)
    assert not incidents
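def test_query_timestamp(args, expected_response, test_case):
    """query_timestamp turns command ``args`` into a ``(start, end)`` pair.

    ``args``, ``expected_response`` and ``test_case`` are presumably supplied by a
    parametrize decorator outside this view. Two shapes of expectation exist:

    * ``'1 days'`` — a relative range; the expected pair is recomputed with
      parse_date_range and compared at whole-second precision.
    * anything else — an explicit pair of strings compared against ``str()`` of
      the generated values.

    The no-op ``generated_start = generated_start`` self-assignments that used to
    follow the call were dead code and have been dropped.
    """
    from CortexDataLake import query_timestamp

    if expected_response == '1 days':
        expected_start, expected_end = parse_date_range(expected_response)
        # Drop sub-second noise between the two "now" reads. A read that straddles
        # a second boundary can still differ here; compare with a tolerance if
        # this ever proves flaky.
        expected_start = expected_start.replace(microsecond=0)
        expected_end = expected_end.replace(microsecond=0)
        generated_start, generated_end = query_timestamp(args)
        assert (generated_start, generated_end) == (expected_start, expected_end), f'Failed: {test_case}'
    else:
        generated_start, generated_end = query_timestamp(args)
        assert (str(generated_start), str(generated_end)) == expected_response, f'Failed: {test_case}'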