def test_delete_threat_item_failure(self, mocked_requests_post,
mocked_requests_delete):
# 1. Connect successfully
sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
# 2. Call delete with wrong threat_type
item_key = "FakeKeyDoesNotExist"
threat_type = "fake_intel"
try:
ret = splnk_utils.delete_threat_intel_item(threat_type, item_key,
self.verify)
except splunk_utils.RequestError:
print("Delete with fake type caused exception as expected")
assert True
#3. Call delete with a non-existing item key
threat_type = "ip_intel"
mocked_requests_delete.side_effect = Exception(
"No matching entries found in kvstore.")
try:
splnk_utils.delete_threat_intel_item(threat_type, item_key,
self.verify)
except Exception:
print(
"Calling delete with an non-exisiting key caused exception as expected."
)
assert True
def test_splunk_util_getSessionKey_with_error(self, mocked_requests_post):
"""Test login failure case"""
ret_key = None
try:
simContent = "Login failure"
#
# If the post response has status = 401, it means login failed.
# The getSessionKey call shall throw an exception
#
mocked_requests_post.return_value = self._generateResponse(
simContent, 401)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
ret_key = splnk_utils.session_key
headers = dict()
headers["Accept"] = "application/html"
post_data = urlparse.urlencode({
"username": self.fake_username,
"password": self.fake_password
})
mocked_requests_post.assert_called_with(self.auth_url,
headers=headers,
data=post_data,
verify=self.verify)
except splunk_utils.RequestError as e:
assert True
assert not ret_key
def test_splunk_utils_getSessionKey(self, mocked_requests_post):
simContent = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
simContent, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
retKey = splnk_utils.session_key
headers = dict()
headers["Accept"] = "application/html"
post_data = urlparse.urlencode({
"username": self.fake_username,
"password": self.fake_password
})
# Assert that username and password are used as required
mocked_requests_post.assert_called_with(self.auth_url,
headers=headers,
data=post_data,
verify=self.verify)
# Assert that we extract the session key properly from the response.content
assert retKey == self.simSessionKey
def testDelete(self, mocked_requests_post, mocked_requests_delete):
# 1. Connect successfully
sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
# 2. Call delete
threat_type = "ip_intel"
item_key = "FakeItemKeyForItemToDelete"
content_dict = {
"success": True,
"message": "Create operation successful."
}
sim_content = json.dumps(content_dict)
mocked_requests_delete.return_value = self._generateResponse(
sim_content, 200)
ret = splnk_utils.delete_threat_intel_item(threat_type, item_key,
self.verify)
# 3. Verify sessionkey has been used in the post call
headers = dict()
headers["Authorization"] = "Splunk %s" % self.simSessionKey
post_url = self.threat_post_url + threat_type + "/" + item_key
mocked_requests_delete.assert_called_with(post_url,
headers=headers,
verify=self.verify)
assert ret["status_code"] == 200
def test_update_notable_too_many_redirect(self, mocked_requests_post):
""" Test update notable with wrong URL or connection issue"""
print("Test update_notable returns TooManyRedirects\n")
try:
sim_status = 1
sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
mocked_requests_post.side_effect = requests.TooManyRedirects(
Mock(status=404), "Ambiguous excetpion.")
ret = splnk_utils.update_notable(event_id=self.simEventId,
comment=self.simComment,
status=sim_status,
cafile=self.verify)
#
# request post throws exception
#
assert False
except splunk_utils.RequestError as e:
assert True
def test_update_notable_wrong_url(self, mocked_requests_post):
""" Test update notable with wrong URL or connection issue"""
print("Testing wrong URL or connection issue...")
try:
sim_status = 1
#
# Simulate connection error
#
mocked_requests_post.side_effect = requests.ConnectionError(
Mock(status=404), "Max retries exceed.")
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
#
# Failed to connect during login will throw exception
#
assert False
except requests.ConnectionError as e:
print("Test wrong url. ")
assert True
def test_add_threat_intel_item_errors(self, mocked_requests_post):
# 1. Connect successfully
sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
# 2. Simulate wrong intel type
try:
splnk_utils.add_threat_intel_item("Fake type", {}, False)
except splunk_utils.RequestError as e:
print("Fake intel type causes exception as expected.")
assert (True)
# 3. Simulate RequestException
threat_type = "ip_intel"
mocked_requests_post.side_effect = requests.RequestException(
Mock(status=404), "Ambiguous excetpion.")
try:
splnk_utils.add_threat_intel_item(threat_type, {}, False)
except splunk_utils.RequestError:
assert True
# 4. Simulate ConnectionError
mocked_requests_post.side_effect = requests.ConnectionError(
Mock(status=404), "Ambiguous excetpion.")
try:
splnk_utils.add_threat_intel_item(threat_type, {}, False)
except splunk_utils.RequestError:
assert True
# 5. Simulate HttpError
mocked_requests_post.side_effect = requests.HTTPError(
Mock(status=404), "Ambiguous excetpion.")
try:
splnk_utils.add_threat_intel_item(threat_type, {}, False)
except splunk_utils.RequestError:
assert True
# 6. Simulate URLRequired
mocked_requests_post.side_effect = requests.URLRequired(
Mock(status=404), "Ambiguous excetpion.")
try:
splnk_utils.add_threat_intel_item(threat_type, {}, False)
except splunk_utils.RequestError:
assert True
# 7. Simulate TooManyRedirects
mocked_requests_post.side_effect = requests.TooManyRedirects(
Mock(status=404), "Ambiguous excetpion.")
try:
splnk_utils.add_threat_intel_item(threat_type, {}, False)
except splunk_utils.RequestError:
assert True
def test_add_threat_intel_item(self, mocked_requests_post):
sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
itemDict = {"ip": "8.8.8.8", "domain": "fake.domain.com"}
threat_type = "ip_intel"
splunk_verify = False
# Simulate a successful requests post call
content_dict = {
"success": True,
"message": "Create operation successful."
}
sim_content = json.dumps(content_dict)
mocked_requests_post.return_value = self._generateResponse(
sim_content, 201)
ret = splnk_utils.add_threat_intel_item(threat_type, itemDict,
splunk_verify)
# Verify sessionkey has been used in the post call
headers = dict()
headers["Authorization"] = "Splunk %s" % self.simSessionKey
item = {"item": json.dumps(itemDict)}
post_url = self.threat_post_url + threat_type
mocked_requests_post.assert_called_with(post_url,
headers=headers,
data=item,
verify=splunk_verify)
assert ret["status_code"] == 201
def test_update_notable(self, mocked_requests_post):
""" Test update notable successfully"""
try:
sim_status = 1
sim_content = '<response><sessionKey>' + self.simSessionKey + '</sessionKey></response>'
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
splnk_utils = splunk_utils.SplunkUtils(host=self.fake_host,
port=self.fake_port,
username=self.fake_username,
password=self.fake_password,
verify=self.verify)
content_dict = {"success": True, "message": "Updated successfuly"}
sim_content = json.dumps(content_dict)
mocked_requests_post.return_value = self._generateResponse(
sim_content, 200)
ret = splnk_utils.update_notable(event_id=self.simEventId,
comment=self.simComment,
status=sim_status,
cafile=self.verify)
headers = dict()
headers["Authorization"] = "Splunk %s" % self.simSessionKey
args = dict()
args["comment"] = self.simComment
args["status"] = sim_status
args["ruleUIDs"] = [self.simEventId]
mocked_requests_post.assert_called_with(self.update_notable_url,
headers=headers,
data=args,
verify=self.verify)
assert ret["status_code"] == 200
except Exception as e:
assert False
