From 8d877a06bea22e444642c2f8ac4b5719d648b18d Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Thu, 25 Jun 2020 13:59:57 +0000
Subject: [PATCH 1/2] Test outputs
---
 .../Code42/Integrations/Code42/Code42_test.py | 208 ++++++++++++------
 1 file changed, 135 insertions(+), 73 deletions(-)
diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py
index e30512bac844..c0bd00c8843f 100644
--- a/Packs/Code42/Integrations/Code42/Code42_test.py
+++ b/Packs/Code42/Integrations/Code42/Code42_test.py
@@ -884,7 +884,8 @@
 "status": "OPEN",
 "cloudUsernames": ["test@example.com"],
 "totalBytes": 139856482,
- "numEvents": 11
+ "numEvents": 11,
+ "departureDate": "2020-07-20"
 },
 {
 "type$": "DEPARTING_EMPLOYEE_V2",
@@ -987,6 +988,10 @@
 """
+_TEST_USER_ID = "123412341234123412" # value found in GET_USER_RESPONSE
+_TEST_USERNAME = "user1@example.com"
+
+
 @pytest.fixture
 def code42_sdk_mock(mocker):
 code42_mock = mocker.MagicMock(spec=SDKClient)
@@ -1071,6 +1076,20 @@ def get_empty_detectionlist_response(mocker, base_text):
 return create_mock_code42_sdk_response_generator(mocker, [no_employees_response_text])
+def assert_departingemployee_outputs_match_response(outputs_list, response_items):
+ assert_detection_list_outputs_match_response_items(outputs_list, response_items)
+ for i in range(0, len(outputs_list)):
+ assert outputs_list[i]["DepartureDate"] == response_items[i].get("departureDate")
+
+
+def assert_detection_list_outputs_match_response_items(outputs_list, response_items):
+ assert len(outputs_list) == len(response_items)
+ for i in range(0, len(outputs_list)):
+ assert outputs_list[i]["Username"] == response_items[i]["userName"]
+ assert outputs_list[i]["UserID"] == response_items[i]["userId"]
+ assert outputs_list[i]["Note"] == response_items[i]["notes"]
+
+
 """TESTS"""
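Review bot: The two new helpers `assert_departingemployee_outputs_match_response` and `assert_detection_list_outputs_match_response_items` walk both lists by index with `for i in range(0, len(outputs_list)):`; once the length check has passed, `for output, item in zip(outputs_list, response_items):` reads more directly and drops the repeated `[i]` lookups. Neither helper has a docstring; a one-line summary naming the compared pairs (`Username`/`userName`, `UserID`/`userId`, `Note`/`notes`, `DepartureDate`/`departureDate`) would help the next test author. `DepartureDate` is compared against `.get("departureDate")`, so a response item without that key expects `None` in the output, while the other three fields raise `KeyError` when missing; that difference is worth stating in the docstring.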
@@ -1136,45 +1155,52 @@ def test_map_to_file_context():
 def test_alert_get_command(code42_alerts_mock):
 client = create_client(code42_alerts_mock)
- _, _, res = alert_get_command(client, {"id": "36fb8ca5-0533-4d25-9763-e09d35d60610"})
+ _, outputs, res = alert_get_command(client, {"id": "36fb8ca5-0533-4d25-9763-e09d35d60610"})
 assert res["ruleId"] == "4576576e-13cb-4f88-be3a-ee77739de649"
+ assert outputs == {"Code42.SecurityAlert": [MOCK_CODE42_ALERT_CONTEXT[0]]}
 def test_alert_resolve_command(code42_alerts_mock):
 client = create_client(code42_alerts_mock)
- _, _, res = alert_resolve_command(client, {"id": "36fb8ca5-0533-4d25-9763-e09d35d60610"})
+ _, outputs, res = alert_resolve_command(client, {"id": "36fb8ca5-0533-4d25-9763-e09d35d60610"})
 assert res["id"] == "36fb8ca5-0533-4d25-9763-e09d35d60610"
+ assert outputs == {"Code42.SecurityAlert": [MOCK_CODE42_ALERT_CONTEXT[0]]}
 def test_departingemployee_add_command(code42_sdk_mock):
 client = create_client(code42_sdk_mock)
- _, _, res = departingemployee_add_command(
+ date = "2020-01-01"
+ note = "Dummy note"
+ _, outputs, res = departingemployee_add_command(
 client,
- {"username": "user1@example.com", "departuredate": "2020-01-01", "note": "Dummy note"},
+ {"username": _TEST_USERNAME, "departuredate": date, "note": note},
 )
- expected_user_id = "123412341234123412" # value found in GET_USER_RESPONSE
- assert res == expected_user_id
 add_func = code42_sdk_mock.detectionlists.departing_employee.add
- add_func.assert_called_once_with(expected_user_id, departure_date="2020-01-01")
- code42_sdk_mock.detectionlists.update_user_notes.assert_called_once_with(
- expected_user_id, "Dummy note"
- )
+ assert res == _TEST_USER_ID
+ assert outputs["Code42.DepartingEmployee"]["DepartureDate"] == date
+ assert outputs["Code42.DepartingEmployee"]["Note"] == note
+ assert outputs["Code42.DepartingEmployee"]["Username"] == _TEST_USERNAME
+ assert outputs["Code42.DepartingEmployee"]["UserID"] == _TEST_USER_ID
+ add_func.assert_called_once_with(_TEST_USER_ID, departure_date=date)
+ code42_sdk_mock.detectionlists.update_user_notes.assert_called_once_with(_TEST_USER_ID, note)
 def test_departingemployee_remove_command(code42_sdk_mock):
 client = create_client(code42_sdk_mock)
- _, _, res = departingemployee_remove_command(client, {"username": "user1@example.com"})
- expected = "123412341234123412" # value found in GET_USER_RESPONSE
- assert res == expected
- code42_sdk_mock.detectionlists.departing_employee.remove.assert_called_once_with(expected)
+ _, outputs, res = departingemployee_remove_command(client, {"username": _TEST_USERNAME})
+ assert res == _TEST_USER_ID
+ code42_sdk_mock.detectionlists.departing_employee.remove.assert_called_once_with(_TEST_USER_ID)
+ assert outputs["Code42.DepartingEmployee"]["Username"] == _TEST_USERNAME
+ assert outputs["Code42.DepartingEmployee"]["UserID"] == _TEST_USER_ID
 def test_departingemployee_get_all_command(code42_departing_employee_mock):
 client = create_client(code42_departing_employee_mock)
- _, _, res = departingemployee_get_all_command(client, {"username": "user1@example.com"})
+ _, outputs, res = departingemployee_get_all_command(client, {"username": _TEST_USERNAME})
+ outputs_list = outputs["Code42.DepartingEmployee(val.UserID && val.UserID == obj.UserID)"]
 expected = json.loads(MOCK_GET_ALL_DEPARTING_EMPLOYEES_RESPONSE)["items"]
 assert res == expected
- assert code42_departing_employee_mock.detectionlists.departing_employee.get_all.call_count == 1
+ assert_departingemployee_outputs_match_response(outputs_list, expected)
 def test_departingemployee_get_all_command_gets_employees_from_multiple_pages(
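Review bot: In `test_departingemployee_get_all_command` the line `assert code42_departing_employee_mock.detectionlists.departing_employee.get_all.call_count == 1` is replaced rather than kept, so the test no longer checks that the SDK is queried exactly once. The high-risk counterpart `test_highriskemployee_get_all_command`, changed in a later hunk of this patch, keeps its `call_count == 1` check next to the new outputs assertion. Keeping the call-count line ahead of `assert_departingemployee_outputs_match_response(outputs_list, expected)` would keep the two tests parallel and preserve the coverage that was there before.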
@@ -1190,13 +1216,14 @@ def test_departingemployee_get_all_command_gets_employees_from_multiple_pages(
 employee_page_generator
 )
 client = create_client(code42_departing_employee_mock)
-
- _, _, res = departingemployee_get_all_command(client, {"username": "user1@example.com"})
+ _, outputs, res = departingemployee_get_all_command(client, {"username": _TEST_USERNAME})
+ outputs_list = outputs["Code42.DepartingEmployee(val.UserID && val.UserID == obj.UserID)"]
 # Expect to have employees from 3 pages in the result
 expected_page = json.loads(MOCK_GET_ALL_DEPARTING_EMPLOYEES_RESPONSE)["items"]
 expected = expected_page + expected_page + expected_page
 assert res == expected
+ assert_departingemployee_outputs_match_response(outputs_list, res)
 def test_departingemployee_get_all_command_when_no_employees(
@@ -1209,7 +1236,7 @@ def test_departingemployee_get_all_command_when_no_employees(
 no_employees_response
 )
 client = create_client(code42_departing_employee_mock)
- _, _, res = departingemployee_get_all_command(
+ _, outputs, res = departingemployee_get_all_command(
 client,
 {
 "risktags": [
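Review bot: `assert_departingemployee_outputs_match_response(outputs_list, res)` in the multiple-pages test compares the outputs against `res`, the command's own return value, instead of the independently built `expected`. The preceding `assert res == expected` makes the two equal today, but the high-risk tests in this patch pass `expected`, and `assert_departingemployee_outputs_match_response(outputs_list, expected)` here keeps the check anchored to the fixture data. The same applies to `test_departingemployee_get_all_command_when_no_employees` in the hunk at `@@ -1219,19 +1246,24 @@`.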
@@ -1219,19 +1246,24 @@ def test_departingemployee_get_all_command_when_no_employees(
 ]
 },
 )
+ outputs_list = outputs["Code42.DepartingEmployee(val.UserID && val.UserID == obj.UserID)"]
+
 # Only first employee has the given risk tags
 expected = []
 assert res == expected
 assert code42_departing_employee_mock.detectionlists.departing_employee.get_all.call_count == 1
+ assert_departingemployee_outputs_match_response(outputs_list, res)
 def test_highriskemployee_add_command(code42_high_risk_employee_mock):
 client = create_client(code42_high_risk_employee_mock)
- _, _, res = highriskemployee_add_command(
- client, {"username": "user1@example.com", "note": "Dummy note"}
+ _, outputs, res = highriskemployee_add_command(
+ client, {"username": _TEST_USERNAME, "note": "Dummy note"}
 )
 expected_user_id = "123412341234123412" # value found in GET_USER_RESPONSE
 assert res == expected_user_id
+ assert outputs["Code42.HighRiskEmployee"]["UserID"] == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["Username"] == _TEST_USERNAME
 code42_high_risk_employee_mock.detectionlists.high_risk_employee.add.assert_called_once_with(
 expected_user_id
 )
@@ -1242,41 +1274,21 @@ def test_highriskemployee_add_command(code42_high_risk_employee_mock):
 def test_highriskemployee_remove_command(code42_sdk_mock):
 client = create_client(code42_sdk_mock)
- _, _, res = highriskemployee_remove_command(client, {"username": "user1@example.com"})
- expected = "123412341234123412" # value found in GET_USER_RESPONSE
- assert res == expected
- code42_sdk_mock.detectionlists.high_risk_employee.remove.assert_called_once_with(expected)
-
-
-def test_fetch_when_no_significant_file_categories_ignores_filter(
- code42_fetch_incidents_mock, mocker
-):
- response_text = MOCK_ALERT_DETAILS_RESPONSE.replace(
- '"isSignificant": true', '"isSignificant": false'
- )
- alert_details_response = create_mock_code42_sdk_response(mocker, response_text)
- code42_fetch_incidents_mock.alerts.get_details.return_value = alert_details_response
- client = create_client(code42_fetch_incidents_mock)
- _, _, _ = fetch_incidents(
- client=client,
- last_run={"last_fetch": None},
- first_fetch_time=MOCK_FETCH_TIME,
- event_severity_filter=None,
- fetch_limit=10,
- include_files=True,
- integration_context=None,
- )
- actual_query = str(code42_fetch_incidents_mock.securitydata.search_file_events.call_args[0][0])
- assert "fileCategory" not in actual_query
- assert "IMAGE" not in actual_query
+ _, outputs, res = highriskemployee_remove_command(client, {"username": _TEST_USERNAME})
+ assert res == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["UserID"] == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["Username"] == _TEST_USERNAME
+ code42_sdk_mock.detectionlists.high_risk_employee.remove.assert_called_once_with(_TEST_USER_ID)
 def test_highriskemployee_get_all_command(code42_high_risk_employee_mock):
 client = create_client(code42_high_risk_employee_mock)
- _, _, res = highriskemployee_get_all_command(client, {})
+ _, outputs, res = highriskemployee_get_all_command(client, {})
+ outputs_list = outputs["Code42.HighRiskEmployee(val.UserID && val.UserID == obj.UserID)"]
 expected = json.loads(MOCK_GET_ALL_HIGH_RISK_EMPLOYEES_RESPONSE)["items"]
 assert res == expected
 assert code42_high_risk_employee_mock.detectionlists.high_risk_employee.get_all.call_count == 1
+ assert_detection_list_outputs_match_response_items(outputs_list, expected)
 def test_highriskemployee_get_all_command_gets_employees_from_multiple_pages(
@@ -1293,19 +1305,21 @@ def test_highriskemployee_get_all_command_gets_employees_from_multiple_pages(
 )
 client = create_client(code42_high_risk_employee_mock)
- _, _, res = highriskemployee_get_all_command(client, {"username": "user1@example.com"})
+ _, outputs, res = highriskemployee_get_all_command(client, {"username": _TEST_USERNAME})
+ outputs_list = outputs["Code42.HighRiskEmployee(val.UserID && val.UserID == obj.UserID)"]
 # Expect to have employees from 3 pages in the result
 expected_page = json.loads(MOCK_GET_ALL_HIGH_RISK_EMPLOYEES_RESPONSE)["items"]
 expected = expected_page + expected_page + expected_page
 assert res == expected
+ assert_detection_list_outputs_match_response_items(outputs_list, expected)
 def test_highriskemployee_get_all_command_when_given_risk_tags_only_gets_employees_with_tags(
 code42_high_risk_employee_mock
 ):
 client = create_client(code42_high_risk_employee_mock)
- _, _, res = highriskemployee_get_all_command(
+ _, outputs, res = highriskemployee_get_all_command(
 client,
 {
 "risktags": [
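Review bot: The context key `"Code42.HighRiskEmployee(val.UserID && val.UserID == obj.UserID)"` is written out as a literal in `test_highriskemployee_get_all_command` and again in three later high-risk tests, and the departing-employee tests in the earlier hunks repeat their own variant three times. A typo in any copy would surface as a `KeyError` rather than a readable assertion failure. A module-level constant next to `_TEST_USER_ID`, for example `_HIGH_RISK_EMPLOYEE_CONTEXT_KEY = "Code42.HighRiskEmployee(val.UserID && val.UserID == obj.UserID)"` with a matching one for the departing-employee key, would keep the tests in step with each other.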
@@ -1315,10 +1329,12 @@ def test_highriskemployee_get_all_command_when_given_risk_tags_only_gets_employe
 ]
 },
 )
+ outputs_list = outputs["Code42.HighRiskEmployee(val.UserID && val.UserID == obj.UserID)"]
 # Only first employee has the given risk tags
 expected = [json.loads(MOCK_GET_ALL_HIGH_RISK_EMPLOYEES_RESPONSE)["items"][0]]
 assert res == expected
 assert code42_high_risk_employee_mock.detectionlists.high_risk_employee.get_all.call_count == 1
+ assert_detection_list_outputs_match_response_items(outputs_list, expected)
 def test_highriskemployee_get_all_command_when_no_employees(code42_high_risk_employee_mock, mocker):
@@ -1329,7 +1345,7 @@ def test_highriskemployee_get_all_command_when_no_employees(code42_high_risk_emp
 no_employees_response
 )
 client = create_client(code42_high_risk_employee_mock)
- _, _, res = highriskemployee_get_all_command(
+ _, outputs, res = highriskemployee_get_all_command(
 client,
 {
 "risktags": [
@@ -1339,50 +1355,96 @@ def test_highriskemployee_get_all_command_when_no_employees(code42_high_risk_emp
 ]
 },
 )
+ outputs_list = outputs["Code42.HighRiskEmployee(val.UserID && val.UserID == obj.UserID)"]
 # Only first employee has the given risk tags
 expected = []
 assert res == expected
 assert code42_high_risk_employee_mock.detectionlists.high_risk_employee.get_all.call_count == 1
+ assert_detection_list_outputs_match_response_items(outputs_list, expected)
 def test_highriskemployee_add_risk_tags_command(code42_sdk_mock):
+ tags = "FLIGHT_RISK"
 client = create_client(code42_sdk_mock)
- _, _, res = highriskemployee_add_risk_tags_command(
- client, {"username": "user1@example.com", "risktags": "FLIGHT_RISK"}
+ _, outputs, res = highriskemployee_add_risk_tags_command(
+ client, {"username": _TEST_USERNAME, "risktags": "FLIGHT_RISK"}
 )
- expected_user_id = "123412341234123412" # value found in GET_USER_RESPONSE
- assert res == expected_user_id
+ assert res == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["UserID"] == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["Username"] == _TEST_USERNAME
+ assert outputs["Code42.HighRiskEmployee"]["RiskTags"] == tags
 code42_sdk_mock.detectionlists.add_user_risk_tags.assert_called_once_with(
- expected_user_id, "FLIGHT_RISK"
+ _TEST_USER_ID, "FLIGHT_RISK"
 )
 def test_highriskemployee_remove_risk_tags_command(code42_sdk_mock):
+ tags = ["FLIGHT_RISK", "CONTRACT_EMPLOYEE"]
 client = create_client(code42_sdk_mock)
- _, _, res = highriskemployee_remove_risk_tags_command(
- client, {"username": "user1@example.com", "risktags": ["FLIGHT_RISK", "CONTRACT_EMPLOYEE"]}
+ _, outputs, res = highriskemployee_remove_risk_tags_command(
+ client, {"username": _TEST_USERNAME, "risktags": ["FLIGHT_RISK", "CONTRACT_EMPLOYEE"]}
 )
- expected_user_id = "123412341234123412" # value found in GET_USER_RESPONSE
- assert res == expected_user_id
+ assert res == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["UserID"] == _TEST_USER_ID
+ assert outputs["Code42.HighRiskEmployee"]["Username"] == _TEST_USERNAME
+ assert outputs["Code42.HighRiskEmployee"]["RiskTags"] == tags
 code42_sdk_mock.detectionlists.remove_user_risk_tags.assert_called_once_with(
- expected_user_id, ["FLIGHT_RISK", "CONTRACT_EMPLOYEE"]
+ _TEST_USER_ID, ["FLIGHT_RISK", "CONTRACT_EMPLOYEE"]
 )
 def test_security_data_search_command(code42_file_events_mock):
 client = create_client(code42_file_events_mock)
- _, _, res = securitydata_search_command(client, MOCK_SECURITY_DATA_SEARCH_QUERY)
- assert len(res) == 3
+ _, outputs, res = securitydata_search_command(client, MOCK_SECURITY_DATA_SEARCH_QUERY)
+ outputs_list = outputs["Code42.SecurityData(val.EventID && val.EventID == obj.EventID)"]
 actual_query = code42_file_events_mock.securitydata.search_file_events.call_args[0][0]
 filter_groups = json.loads(str(actual_query))["groups"]
- assert filter_groups[0]["filters"][0]["term"] == "md5Checksum"
- assert filter_groups[0]["filters"][0]["value"] == "d41d8cd98f00b204e9800998ecf8427e"
- assert filter_groups[1]["filters"][0]["term"] == "osHostName"
- assert filter_groups[1]["filters"][0]["value"] == "DESKTOP-0001"
- assert filter_groups[2]["filters"][0]["term"] == "deviceUserName"
- assert filter_groups[2]["filters"][0]["value"] == "user3@example.com"
- assert filter_groups[3]["filters"][0]["term"] == "exposure"
- assert filter_groups[3]["filters"][0]["value"] == "ApplicationRead"
+ expected_query_items = [
+ ("md5Checksum", "d41d8cd98f00b204e9800998ecf8427e"),
+ ("osHostName", "DESKTOP-0001"),
+ ("deviceUserName", "user3@example.com"),
+ ("exposure", "ApplicationRead")
+ ]
+ expected_file_events = json.loads(MOCK_SECURITY_EVENT_RESPONSE)["fileEvents"]
+
+ # Assert that the correct query gets made
+ assert len(filter_groups) == len(expected_query_items)
+ for i in range(0, len(filter_groups)):
+ _filter = filter_groups[i]["filters"][0]
+ assert _filter["term"] == expected_query_items[i][0]
+ assert _filter["value"] == expected_query_items[i][1]
+
+ assert len(res) == len(outputs_list) == 3
+ assert res == expected_file_events
+
+ # Assert that the Outputs are mapped from the file events.
+ for i in range(0, len(expected_file_events)):
+ mapped_event = map_to_code42_event_context(expected_file_events[i])
+ output_item = outputs_list[i]
+ assert output_item == mapped_event
+
+
+def test_fetch_when_no_significant_file_categories_ignores_filter(
+ code42_fetch_incidents_mock, mocker
+):
+ response_text = MOCK_ALERT_DETAILS_RESPONSE.replace(
+ '"isSignificant": true', '"isSignificant": false'
+ )
+ alert_details_response = create_mock_code42_sdk_response(mocker, response_text)
+ code42_fetch_incidents_mock.alerts.get_details.return_value = alert_details_response
+ client = create_client(code42_fetch_incidents_mock)
+ _, _, _ = fetch_incidents(
+ client=client,
+ last_run={"last_fetch": None},
+ first_fetch_time=MOCK_FETCH_TIME,
+ event_severity_filter=None,
+ fetch_limit=10,
+ include_files=True,
+ integration_context=None,
+ )
+ actual_query = str(code42_fetch_incidents_mock.securitydata.search_file_events.call_args[0][0])
+ assert "fileCategory" not in actual_query
+ assert "IMAGE" not in actual_query
 def test_fetch_incidents_handles_single_severity(code42_sdk_mock):
From 3c2f9772d09b1ce327b0b76d842b7487a9c14bb3 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Thu, 25 Jun 2020 14:02:09 +0000
Subject: [PATCH 2/2] Use test id
---
 Packs/Code42/Integrations/Code42/Code42_test.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py
index c0bd00c8843f..eaf5e83622ca 100644
--- a/Packs/Code42/Integrations/Code42/Code42_test.py
+++ b/Packs/Code42/Integrations/Code42/Code42_test.py
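Review bot: `tags = "FLIGHT_RISK"` in `test_highriskemployee_add_risk_tags_command` is used only in the new `RiskTags` assertion; the command arguments and `add_user_risk_tags.assert_called_once_with(...)` still repeat the literal, and `test_highriskemployee_remove_risk_tags_command` does the same with its list. Passing the variable in both places, `{"username": _TEST_USERNAME, "risktags": tags}` and `assert_called_once_with(_TEST_USER_ID, tags)`, ties the input, the SDK call and the output to one value. Separately, the outputs loop in `test_security_data_search_command` builds its expectation with `map_to_code42_event_context`, which is presumably the mapper the command itself applies, so it shows the mapper runs per event but not that the mapped fields are right; comparing one output item against a literal expected dict would cover that.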
@@ -1260,15 +1260,14 @@ def test_highriskemployee_add_command(code42_high_risk_employee_mock):
 _, outputs, res = highriskemployee_add_command(
 client, {"username": _TEST_USERNAME, "note": "Dummy note"}
 )
- expected_user_id = "123412341234123412" # value found in GET_USER_RESPONSE
- assert res == expected_user_id
+ assert res == _TEST_USER_ID
 assert outputs["Code42.HighRiskEmployee"]["UserID"] == _TEST_USER_ID
 assert outputs["Code42.HighRiskEmployee"]["Username"] == _TEST_USERNAME
 code42_high_risk_employee_mock.detectionlists.high_risk_employee.add.assert_called_once_with(
- expected_user_id
+ _TEST_USER_ID
 )
 code42_high_risk_employee_mock.detectionlists.update_user_notes.assert_called_once_with(
- expected_user_id, "Dummy note"
+ _TEST_USER_ID, "Dummy note"
 )