import pytest
from unittest.mock import patch
from freezegun import freeze_time
from CommonServerPython import * # noqa: F401
from PrismaCloudV2 import Client
from test_data import input_data
# Dummy value the tests write into the auth-header slots of HEADERS; it is a placeholder, not a real token.
AUTH_HEADER = 'auth_header'
@pytest.fixture
@patch('PrismaCloudV2.Client.generate_auth_token')
def prisma_cloud_v2_client(mocker):
    """Return a ``Client`` built from dummy settings for use by the tests.

    ``Client.generate_auth_token`` is patched only while this function runs,
    presumably so that constructing the client does not try to log in with the
    placeholder username/password (confirm against ``Client.__init__``).
    """
    from PrismaCloudV2 import HEADERS, REQUEST_CSPM_AUTH_HEADER

    # NOTE(review): HEADERS is the module-level dict itself, not a copy, so the
    # auth header written here stays visible to every later user of HEADERS.
    HEADERS[REQUEST_CSPM_AUTH_HEADER] = AUTH_HEADER

    client_settings = {
        'server_url': 'https://api.prismacloud.io/',
        'verify': True,
        'proxy': False,
        'headers': HEADERS,
        'username': 'username',
        'password': 'password',
        'mirror_direction': None,
        'close_incident': False,
        'close_alert': False,
    }
    return Client(**client_settings)
''' COMMAND FUNCTIONS TESTS '''
def test_alert_filter_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A client whose ``_http_request`` is replaced by a mock
    When:
        - prisma-cloud-alert-filter-list is run (the command takes no arguments here)
    Then:
        - The most recent request is a GET to ``filter/alert/suggest``
    """
    from PrismaCloudV2 import alert_filter_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')

    alert_filter_list_command(prisma_cloud_v2_client)

    request_mock.assert_called_with('GET', 'filter/alert/suggest')
def test_alert_search_command_no_next_token(mocker, prisma_cloud_v2_client):
    """
    Given:
        - Four comma-separated ``name=value`` filters, a limit and a relative time range,
          with no "next_token"
    When:
        - prisma-cloud-alert-search is run
    Then:
        - The POST body carries the integer limit, one filter object per pair and the
          relative time range
    """
    from PrismaCloudV2 import alert_search_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    command_args = {
        'filters': 'alert.status=open,policy.remediable=true,cloud.type=gcp,policy.type=config',
        'limit': '10',
        'time_range_unit': 'week',
        'time_range_value': '3',
    }
    filter_pairs = (
        ('alert.status', 'open'),
        ('policy.remediable', 'true'),
        ('cloud.type', 'gcp'),
        ('policy.type', 'config'),
    )
    expected_body = {
        'limit': 10,
        'filters': [{'name': name, 'operator': '=', 'value': value} for name, value in filter_pairs],
        'timeRange': {'type': 'relative', 'value': {'amount': 3, 'unit': 'week'}},
    }

    alert_search_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'v2/alert', params={'detailed': 'true'}, json_data=expected_body)
def test_alert_search_command_with_next_token(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A limit, a relative time range and a "next_token", with no filters
    When:
        - prisma-cloud-alert-search is run
    Then:
        - The POST body forwards the token as ``pageToken`` and contains no ``filters`` key
    """
    from PrismaCloudV2 import alert_search_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    command_args = {
        'limit': '10',
        'time_range_unit': 'week',
        'time_range_value': '3',
        'next_token': 'TOKEN',
    }
    expected_body = {
        'limit': 10,
        'timeRange': {'type': 'relative', 'value': {'amount': 3, 'unit': 'week'}},
        'pageToken': 'TOKEN',
    }

    alert_search_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'v2/alert', params={'detailed': 'true'}, json_data=expected_body)
def test_alert_get_details_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - An alert id
    When:
        - prisma-cloud-alert-get-details is run
    Then:
        - The alert id is placed in the URL path of a GET that asks for detailed output
    """
    from PrismaCloudV2 import alert_get_details_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    command_args = {'alert_id': 'P-123456'}

    alert_get_details_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('GET', 'alert/P-123456', params={'detailed': 'true'})
def test_alert_dismiss_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - An alert id, a policy id, a dismissal note and a "to now" time unit
    When:
        - prisma-cloud-alert-dismiss is run to dismiss (not snooze) the alert
    Then:
        - The POST to ``alert/dismiss`` lists the ids, carries the note and a ``to_now``
          time filter, and asks for the raw response object
    """
    from PrismaCloudV2 import alert_dismiss_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    policy_id = 'a11b2cc3-1111-2222-33aa-a1b23ccc4dd5'
    command_args = {
        'alert_ids': 'P-123456',
        'policy_ids': policy_id,
        'dismissal_note': 'from XSOAR',
        'time_range_unit': 'month',
    }
    expected_body = {
        'alerts': ['P-123456'],
        'policies': [policy_id],
        'dismissalNote': 'from XSOAR',
        'filter': {'timeRange': {'type': 'to_now', 'value': 'month'}},
    }

    alert_dismiss_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'alert/dismiss', json_data=expected_body, resp_type='response')
def test_alert_snooze_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - Two alert ids, a dismissal note and a snooze duration (unit and value)
    When:
        - prisma-cloud-alert-dismiss is run; snoozing goes through the same command
    Then:
        - The POST body carries the snooze duration as ``dismissalTimeRange`` and the same
          relative range as the time filter
    """
    from PrismaCloudV2 import alert_dismiss_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    command_args = {
        'alert_ids': 'P-123456,P-111111',
        'dismissal_note': 'from XSOAR',
        'snooze_unit': 'hour',
        'snooze_value': '1',
    }
    expected_body = {
        'alerts': ['P-123456', 'P-111111'],
        'dismissalNote': 'from XSOAR',
        'dismissalTimeRange': {'type': 'relative', 'value': {'amount': 1, 'unit': 'hour'}},
        'filter': {'timeRange': {'type': 'relative', 'value': {'amount': 1, 'unit': 'hour'}}},
    }

    alert_dismiss_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'alert/dismiss', json_data=expected_body, resp_type='response')
def test_alert_reopen_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A policy id, a status filter and an absolute date range (from / to)
    When:
        - prisma-cloud-alert-reopen is run
    Then:
        - The POST to ``alert/reopen`` carries the dates as epoch milliseconds in both
          ``dismissalTimeRange`` and the time filter, next to the parsed status filter
    """
    from PrismaCloudV2 import alert_reopen_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    policy_id = 'a11b2cc3-1111-2222-33aa-a1b23ccc4dd5'
    command_args = {
        'policy_ids': policy_id,
        'filters': 'alert.status=dismissed',
        'time_range_date_from': '01/31/2023',
        'time_range_date_to': '02/01/2023',
    }
    # 2023-01-31 and 2023-02-01 at 00:00 UTC, in milliseconds since the epoch.
    start_ms, end_ms = 1675123200000, 1675209600000
    expected_body = {
        'policies': [policy_id],
        'dismissalTimeRange': {'type': 'absolute', 'value': {'startTime': start_ms, 'endTime': end_ms}},
        'filter': {
            'timeRange': {'type': 'absolute', 'value': {'startTime': start_ms, 'endTime': end_ms}},
            'filters': [{'name': 'alert.status', 'operator': '=', 'value': 'dismissed'}],
        },
    }

    alert_reopen_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'alert/reopen', json_data=expected_body, resp_type='response')
def test_remediation_command_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A policy id and no time arguments
    When:
        - prisma-cloud-remediation-command-list is run
    Then:
        - The POST to ``alert/remediation`` names the policy and uses the
          ``to_now`` / ``epoch`` time range
    """
    from PrismaCloudV2 import remediation_command_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    policy_id = 'a11b2cc3-1111-2222-33aa-a1b23ccc4dd5'
    expected_body = {
        'filter': {'timeRange': {'type': 'to_now', 'value': 'epoch'}},
        'policies': [policy_id],
    }

    remediation_command_list_command(prisma_cloud_v2_client, {'policy_id': policy_id})

    request_mock.assert_called_with('POST', 'alert/remediation', json_data=expected_body)
def test_alert_remediate_command_pass(mocker, prisma_cloud_v2_client):
    """
    Given:
        - An alert id, and an API call that does not raise
    When:
        - prisma-cloud-alert-remediate is run
    Then:
        - A PATCH is sent to the alert's remediation path and the outputs report success
    """
    from PrismaCloudV2 import alert_remediate_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    alert_id = 'P-123456'

    results = alert_remediate_command(prisma_cloud_v2_client, {'alert_id': alert_id})

    request_mock.assert_called_with('PATCH', 'alert/remediation/P-123456', resp_type='response')
    assert results.outputs == {'alertId': alert_id, 'successful': True}
def test_alert_remediate_command_fail(mocker, prisma_cloud_v2_client):
    """
    Given:
        - An alert id, and an API call that raises a 405 whose response carries an
          ``x-redlock-status`` header with the ``remediation_unavailable`` key
    When:
        - prisma-cloud-alert-remediate is run
    Then:
        - The same PATCH is attempted, and instead of propagating the error the command
          returns outputs that mark the remediation as failed with a readable reason
    """
    from PrismaCloudV2 import alert_remediate_command

    class FakeResponse:
        """Minimal stand-in exposing only the two attributes this test sets."""

        def __init__(self, headers, status_code) -> None:
            self.headers = headers
            self.status_code = status_code

    status_header = '[{"i18nKey":"remediation_unavailable","severity":"error","subject":null}]'
    api_error = DemistoException(
        message='Error in API call [405] - Method Not Allowed',
        res=FakeResponse({'x-redlock-status': status_header}, 405),
    )
    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request', side_effect=api_error)

    results = alert_remediate_command(prisma_cloud_v2_client, {'alert_id': 'P-123456'})

    request_mock.assert_called_with('PATCH', 'alert/remediation/P-123456', resp_type='response')
    expected_outputs = {
        'alertId': 'P-123456',
        'successful': False,
        'failureReason': 'remediation unavailable',
        'errorValue': None,
    }
    assert results.outputs == expected_outputs
def test_config_search_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A config query and a limit
    When:
        - prisma-cloud-config-search is run
    Then:
        - The query is sent unchanged (trailing space included) with the integer limit,
          a descending sort on ``insertTs`` and the ``to_now`` / ``epoch`` time range
    """
    from PrismaCloudV2 import config_search_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    query = "config from cloud.resource where cloud.region = 'AWS Ohio' "
    expected_body = {
        'limit': 1,
        'query': query,
        'sort': [{'direction': 'desc', 'field': 'insertTs'}],
        'timeRange': {'type': 'to_now', 'value': 'epoch'},
    }

    config_search_command(prisma_cloud_v2_client, {'query': query, 'limit': '1'})

    request_mock.assert_called_with('POST', 'search/config', json_data=expected_body)
def test_event_search_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - An audit-log event query and a limit
    When:
        - prisma-cloud-event-search is run
    Then:
        - The POST to ``search/event`` carries the query, the integer limit and the
          ``to_now`` / ``epoch`` time range
    """
    from PrismaCloudV2 import event_search_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    query = "event from cloud.audit_logs where cloud.type = 'aws'"
    expected_body = {
        'limit': 5,
        'query': query,
        'timeRange': {'type': 'to_now', 'value': 'epoch'},
    }

    event_search_command(prisma_cloud_v2_client, {'query': query, 'limit': '5'})

    request_mock.assert_called_with('POST', 'search/event', json_data=expected_body)
def test_network_search_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A flow-record network query and no limit
    When:
        - prisma-cloud-network-search is run
    Then:
        - The POST to ``search`` carries the query unchanged and the
          ``to_now`` / ``epoch`` time range
    """
    from PrismaCloudV2 import network_search_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    query = ("network from vpc.flow_record where cloud.account = 'AWS Prod' AND "
             "source.publicnetwork IN ( 'Suspicious IPs' ) AND bytes > 0 ")
    expected_body = {
        'query': query,
        'timeRange': {'type': 'to_now', 'value': 'epoch'},
    }

    network_search_command(prisma_cloud_v2_client, {'query': query})

    request_mock.assert_called_with('POST', 'search', json_data=expected_body)
def test_trigger_scan_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - No command arguments
    When:
        - prisma-cloud-trigger-scan is run
    Then:
        - The POST to ``code/api/v1/scans/integrations`` is sent with headers equal to
          HEADERS plus the code-security auth header
    """
    from PrismaCloudV2 import trigger_scan_command, HEADERS, REQUEST_CCS_AUTH_HEADER

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    # NOTE(review): the expected headers are the module-level HEADERS dict itself, which
    # the fixture also hands to the client. If the command passes that same object, the
    # comparison holds by identity and says little about the header's value -- confirm.
    HEADERS[REQUEST_CCS_AUTH_HEADER] = AUTH_HEADER

    trigger_scan_command(prisma_cloud_v2_client)

    request_mock.assert_called_with('POST', 'code/api/v1/scans/integrations', headers=HEADERS)
def test_error_file_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A repository, one source type and a limit
    When:
        - prisma-cloud-error-file-list is run
    Then:
        - The POST to ``code/api/v1/errors/files`` carries the repository and the source
          types as a list; the limit is not part of the expected request body
    """
    from PrismaCloudV2 import error_file_list_command, HEADERS, REQUEST_CCS_AUTH_HEADER

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    command_args = {'repository': 'name/Name', 'source_types': 'Github', 'limit': '10'}
    # HEADERS is the shared module-level dict, so this write is visible outside the test.
    HEADERS[REQUEST_CCS_AUTH_HEADER] = AUTH_HEADER
    expected_body = {'repository': 'name/Name', 'sourceTypes': ['Github']}

    error_file_list_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'code/api/v1/errors/files', json_data=expected_body, headers=HEADERS)
def test_resource_get_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A resource RRN that contains a percent-encoded character
    When:
        - prisma-cloud-resource-get is run
    Then:
        - The RRN is sent in the POST body exactly as given, without decoding or re-encoding
    """
    from PrismaCloudV2 import resource_get_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    rrn = 'rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25'

    resource_get_command(prisma_cloud_v2_client, {'rrn': rrn})

    request_mock.assert_called_with('POST', 'resource', json_data={'rrn': rrn})
def test_resource_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A list type
    When:
        - prisma-cloud-resource-list is run
    Then:
        - The list type is sent as the ``listType`` query parameter of a GET
    """
    from PrismaCloudV2 import resource_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')

    resource_list_command(prisma_cloud_v2_client, {'list_type': 'TAG'})

    request_mock.assert_called_with('GET', 'v1/resource_list', params={'listType': 'TAG'})
def test_user_roles_list_command_with_user(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A role id, and an API that answers with a single role object
    When:
        - prisma-cloud-user-roles-list is run
    Then:
        - The role id is appended to the ``user/role`` path of the GET
    """
    from PrismaCloudV2 import user_roles_list_command

    role_id = 'a1b2-a1b2'
    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request', return_value={'id': role_id})

    user_roles_list_command(prisma_cloud_v2_client, {'role_id': role_id})

    request_mock.assert_called_with('GET', 'user/role/a1b2-a1b2')
def test_user_roles_list_command_without_user(mocker, prisma_cloud_v2_client):
    """
    Given:
        - No arguments at all (no role id)
    When:
        - prisma-cloud-user-roles-list is run
    Then:
        - The GET goes to the bare ``user/role`` path
    """
    from PrismaCloudV2 import user_roles_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    no_args = {}

    user_roles_list_command(prisma_cloud_v2_client, no_args)

    request_mock.assert_called_with('GET', 'user/role')
def test_users_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - Two usernames to look up, and an API answer that lists three users
    When:
        - prisma-cloud-users-list is run
    Then:
        - All users are fetched with one GET to ``v3/user``; the outputs keep only the two
          requested users and add a ``roles names`` list to each
    """
    from PrismaCloudV2 import users_list_command

    read_only_role = {"id": "a4b4", "name": "Read Only", "type": "Account Group Read Only"}
    other_role = {"id": "b2n3", "name": "Other Role", "type": "Role"}
    api_users = [
        {"displayName": "User Test", "email": "test@paloaltonetworks.com", "enabled": True,
         "roles": [dict(read_only_role), dict(other_role)],
         "type": "USER_ACCOUNT", "username": "test@paloaltonetworks.com"},
        {"displayName": "User Other", "email": "other@paloaltonetworks.com", "enabled": True,
         "roles": [dict(read_only_role)],
         "type": "USER_ACCOUNT", "username": "other@paloaltonetworks.com"},
        # This account is not in the requested usernames and must be filtered out.
        {"displayName": "User Not Listed", "email": "mail", "enabled": True,
         "roles": [dict(read_only_role)],
         "type": "USER_ACCOUNT", "username": "not_to_appear"},
    ]
    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request', return_value=api_users)
    command_args = {'usernames': 'test@paloaltonetworks.com,other@paloaltonetworks.com'}

    results = users_list_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('GET', 'v3/user')
    expected_outputs = [
        {'displayName': 'User Test', 'email': 'test@paloaltonetworks.com', 'enabled': True,
         'roles': [{'id': 'a4b4', 'name': 'Read Only', 'type': 'Account Group Read Only'},
                   {'id': 'b2n3', 'name': 'Other Role', 'type': 'Role'}],
         'roles names': ['Read Only', 'Other Role'], 'type': 'USER_ACCOUNT',
         'username': 'test@paloaltonetworks.com'},
        {'displayName': 'User Other', 'email': 'other@paloaltonetworks.com', 'enabled': True,
         'roles': [{'id': 'a4b4', 'name': 'Read Only', 'type': 'Account Group Read Only'}],
         'roles names': ['Read Only'], 'type': 'USER_ACCOUNT',
         'username': 'other@paloaltonetworks.com'},
    ]
    assert results.outputs == expected_outputs
def test_account_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - No arguments
    When:
        - prisma-cloud-account-list is run
    Then:
        - A GET to ``cloud`` is sent with ``excludeAccountGroupDetails`` set to the
          string ``'false'`` in ``json_data``
    """
    from PrismaCloudV2 import account_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    no_args = {}

    account_list_command(prisma_cloud_v2_client, no_args)

    request_mock.assert_called_with('GET', 'cloud', json_data={'excludeAccountGroupDetails': 'false'})
def test_account_status_get_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - One account id, and an API that answers with a one-item status list
    When:
        - prisma-cloud-account-status-get is run
    Then:
        - The account id is placed in the path of a GET to its config status
    """
    from PrismaCloudV2 import account_status_get_command

    status_reply = [{'name': 'Config', 'status': 'ok'}]
    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request', return_value=status_reply)

    account_status_get_command(prisma_cloud_v2_client, {'account_ids': '222222333333'})

    request_mock.assert_called_with('GET', 'account/222222333333/config/status')
def test_account_owner_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - One account id, and an API that answers with a list holding one owner address
    When:
        - prisma-cloud-account-owner-list is run
    Then:
        - The account id is placed in the path of a GET to its owners
    """
    from PrismaCloudV2 import account_owner_list_command

    owners_reply = ['foo@test.com']
    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request', return_value=owners_reply)

    account_owner_list_command(prisma_cloud_v2_client, {'account_ids': '222222333333'})

    request_mock.assert_called_with('GET', 'cloud/222222333333/owners')
def test_host_finding_list_command(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A resource RRN and two comma-separated finding types
    When:
        - prisma-cloud-host-finding-list is run
    Then:
        - The POST to ``resource/external_finding`` carries the RRN unchanged and the
          finding types split into a list
    """
    from PrismaCloudV2 import host_finding_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    rrn = 'rrn::name:place:111:a1b2:a%3Ajj55-2023-01-29-09-25'
    command_args = {'rrn': rrn, 'finding_types': 'guard_duty_host,guard_duty_iam'}
    expected_body = {'rrn': rrn, 'findingType': ['guard_duty_host', 'guard_duty_iam']}

    host_finding_list_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'resource/external_finding', json_data=expected_body)
def test_permission_list_command_no_next_token(mocker, prisma_cloud_v2_client):
    """
    Given:
        - An IAM query and a limit, with no "next_token"
    When:
        - prisma-cloud-permission-list is run
    Then:
        - The POST goes to ``api/v1/permission`` with the query and the integer limit
    """
    from PrismaCloudV2 import permission_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    query = "config from iam where source.cloud.service.name = 'EC2'"
    expected_body = {'limit': 2, 'query': query}

    permission_list_command(prisma_cloud_v2_client, {'query': query, 'limit': '2'})

    request_mock.assert_called_with('POST', 'api/v1/permission', json_data=expected_body)
def test_permission_list_command_with_next_token(mocker, prisma_cloud_v2_client):
    """
    Given:
        - A "next_token" and a limit, with no query
    When:
        - prisma-cloud-permission-list is run
    Then:
        - The POST goes to the ``api/v1/permission/page`` path and forwards the token
          as ``pageToken``
    """
    from PrismaCloudV2 import permission_list_command

    request_mock = mocker.patch.object(prisma_cloud_v2_client, '_http_request')
    command_args = {'next_token': 'TOKEN', 'limit': '2'}
    expected_body = {'limit': 2, 'pageToken': 'TOKEN'}

    permission_list_command(prisma_cloud_v2_client, command_args)

    request_mock.assert_called_with('POST', 'api/v1/permission/page', json_data=expected_body)
''' HELPER FUNCTIONS TESTS '''
@pytest.mark.parametrize(
    'dict_input, url_field, expected_result',
    (
        input_data.nested_url_field,
        input_data.outer_url_field,
        input_data.suffix_with_beginning_char,
        input_data.url_field_nonexistent,
    ),
)
def test_concatenate_url(prisma_cloud_v2_client, dict_input, url_field, expected_result):
    """
    Given:
        - A dictionary whose url entry holds only the suffix of a URL
    When:
        - The url is about to be shown to the user
    Then:
        - The dictionary is updated in place so that it equals the expected result
          (per the case names: nested field, outer field, suffix with a leading
          character, and a field that does not exist)
    """
    # The helper's return value is not used; only the mutated input is compared.
    prisma_cloud_v2_client._concatenate_url(dict_input, url_field)

    assert dict_input == expected_result
@pytest.mark.parametrize(
    'url_to_format, formatted_url',
    (
        ('https://api.prismacloud.io', 'https://api.prismacloud.io/'),
        ('https://app.prismacloud.io/', 'https://api.prismacloud.io/'),
        ('https://other.prismacloud.io/', 'https://other.prismacloud.io/'),
        ('https://app.prismacloud.io/app', 'https://api.prismacloud.io/app/'),
    ),
)
def test_format_url(url_to_format, formatted_url):
    """
    Given:
        - The server URL from the integration parameters
    When:
        - A command is executed
    Then:
        - The URL ends with a slash and an ``app.`` host is rewritten to ``api.``,
          while other hosts and any path segment are left alone
    """
    from PrismaCloudV2 import format_url

    actual_url = format_url(url_to_format)

    assert actual_url == formatted_url
def test_extract_nested_values():
    """
    Given:
        - An alert response with nested fields, and a map from dotted paths to column titles
    When:
        - Creating a human readable response
    Then:
        - Every column title becomes a top-level key of the response, holding the value
          found at its dotted path
    """
    from PrismaCloudV2 import extract_nested_values

    alert = {
        'id': 'P-1234567', 'status': 'open', 'reason': 'NEW_ALERT', 'firstSeen': 1660654610830,
        'lastSeen': 1660654610830, 'alertTime': 1660654610830, 'eventOccurred': 1660654610256,
        'resource': {
            'id': '-123456712345679737', 'name': 'AssumeRole', 'account': 'MyAccount',
            'accountId': '123456797356',
            'regionId': 'us-east-1', 'resourceType': 'EVENT', 'data': {'country': 'USA'},
            'resourceDetailsAvailable': False,
        },
        'triggeredBy': '188612342792',
        'policy': {'remediable': False},
    }
    path_to_title = {
        'resource.name': 'Resource Name',
        'resource.id': 'Resource ID',
        'resource.account': 'Account',
        'resource.accountId': 'Account ID',
        'resource.resourceType': 'Resource Type',
        'resource.data.country': 'Country',
        'policy.remediable': 'Is Remediable',
        'id': 'Alert ID',
    }

    extract_nested_values(alert, path_to_title)

    assert set(path_to_title.values()).issubset(set(alert.keys()))
    expected_by_title = (
        ('Resource Name', 'AssumeRole'),
        ('Resource ID', '-123456712345679737'),
        ('Account', 'MyAccount'),
        ('Account ID', '123456797356'),
        ('Resource Type', 'EVENT'),
        ('Country', 'USA'),
    )
    for title, expected_value in expected_by_title:
        assert alert[title] == expected_value
    # Identity check on purpose: the value must be the boolean False, not merely falsy.
    assert alert['Is Remediable'] is False
    assert alert['Alert ID'] == 'P-1234567'
def test_extract_nested_values_nonexistent_key():
    """
    Given:
        - An alert response, and two dotted paths: one whose parent exists but whose leaf
          does not, and one whose parent does not exist at all
    When:
        - Creating a human readable response
    Then:
        - Looking up the title of the partly existing path yields None
    """
    from PrismaCloudV2 import extract_nested_values

    alert = {
        'id': 'P-1234567', 'status': 'open', 'reason': 'NEW_ALERT', 'firstSeen': 1660654610830,
        'lastSeen': 1660654610830, 'alertTime': 1660654610830, 'eventOccurred': 1660654610256,
        'resource': {
            'id': '-123456712345679737', 'name': 'AssumeRole', 'account': 'MyAccount',
            'accountId': '123456797356',
            'regionId': 'us-east-1', 'resourceType': 'EVENT', 'data': {'country': 'USA'},
            'resourceDetailsAvailable': False,
        },
        'triggeredBy': '188612342792',
    }
    path_to_title = {'resource.othername': 'Resource Other Name', 'nonexistent.b': 'b'}

    extract_nested_values(alert, path_to_title)

    # NOTE(review): ``.get`` returns None both for a missing key and for a key stored as
    # None, and nothing is asserted about the 'b' title of the fully missing path.
    assert alert.get('Resource Other Name') is None
def test_change_timestamp_to_datestring_in_dict():
    """
    Given:
        - A dictionary whose time fields hold millisecond timestamps
    When:
        - Creating a human readable response
    Then:
        - The time fields are replaced in place by ``...Z`` date strings with second
          precision, and the other fields are untouched
    """
    from PrismaCloudV2 import change_timestamp_to_datestring_in_dict

    unchanged_fields = {
        'id': 'P-11111',
        'status': 'open',
        'reason': 'RESOURCE_UPDATED',
        'policyId': 'a11b2cc3-1111-2222-33aa-a1b23ccc4dd5',
    }
    alert = {
        **unchanged_fields,
        'firstSeen': 1557254018605,
        'lastSeen': 1668017403014,
        'alertTime': 1668017403014,
        'lastUpdated': 1669196436771,
    }
    expected_alert = {
        **unchanged_fields,
        'firstSeen': '2019-05-07T18:33:38Z',
        'lastSeen': '2022-11-09T18:10:03Z',
        'alertTime': '2022-11-09T18:10:03Z',
        'lastUpdated': '2022-11-23T09:40:36Z',
    }

    change_timestamp_to_datestring_in_dict(alert)

    assert alert == expected_alert
@pytest.mark.parametrize(
    'date_str, epoch_date',
    (
        ('07/11/1998', 900115200000),
        ('now', 1000000130000),
    ),
)
@freeze_time('2001-09-09 01:48:50 UTC')
def test_convert_date_to_unix(date_str, epoch_date):
    """
    Given:
        - A date in a human readable format (a month/day/year date, or "now")
    When:
        - Creating a time filter for a request
    Then:
        - The date is returned as milliseconds since the epoch
    """
    from PrismaCloudV2 import convert_date_to_unix

    # The clock is frozen by the decorator, which is what makes the "now" case deterministic.
    converted = convert_date_to_unix(date_str)

    assert converted == epoch_date
@pytest.mark.parametrize(
    'base_case, unit_value, amount_value, time_from, time_to, expected_output',
    (
        input_data.only_unit_value,
        input_data.unit_amount_and_unit_value,
        input_data.only_time_to,
        input_data.time_from_and_time_to,
        input_data.use_given_base_case,
        input_data.use_default_base_case,
    ),
)
def test_handle_time_filter(base_case, unit_value, amount_value, time_from, time_to, expected_output):
    """
    Given:
        - A valid combination of time filter arguments from the user
    When:
        - Creating the time filter for the request
    Then:
        - The time filter expected for that combination is returned
    """
    from PrismaCloudV2 import handle_time_filter

    time_filter = handle_time_filter(base_case, unit_value, amount_value, time_from, time_to)

    assert time_filter == expected_output
@pytest.mark.parametrize(
    'base_case, unit_value, amount_value, time_from, time_to, expected_error',
    (
        input_data.only_amount_value,
        input_data.wrong_unit_value_relative,
        input_data.wrong_unit_value_to_now,
        input_data.only_time_from,
        input_data.unit_amount_and_time_to,
        input_data.unit_value_and_time_to,
    ),
)
def test_handle_time_filter_error(base_case, unit_value, amount_value, time_from, time_to, expected_error):
    """
    Given:
        - An invalid or incomplete combination of time filter arguments from the user
    When:
        - Creating the time filter for the request
    Then:
        - A DemistoException is raised with exactly the expected message
    """
    from PrismaCloudV2 import handle_time_filter

    with pytest.raises(DemistoException) as raised:
        handle_time_filter(base_case, unit_value, amount_value, time_from, time_to)

    # Checked after the ``with`` block: a statement placed after the raising call inside
    # the block would never run.
    assert raised.value.message == expected_error
@pytest.mark.parametrize(
    'input_filters,expected_parsed_filters',
    (
        input_data.with_filters,
        input_data.empty_filters,
    ),
)
def test_handle_filters(input_filters, expected_parsed_filters):
    """
    Given:
        - Filters from the user in the ``filtername=filtervalue`` format (or none at all)
    When:
        - Creating the list of filters in the format that the request expects
    Then:
        - The returned list equals the expected parsed filters
    """
    from PrismaCloudV2 import handle_filters

    raw_filters = argToList(input_filters)

    assert handle_filters(raw_filters) == expected_parsed_filters
@pytest.mark.parametrize(
    'filter_name',
    (
        'no_equal_sign',
        'too=many=equal_signs',
        ' ',
        'no_value= ',
        '=no_name',
    ),
)
def test_handle_filters_error(filter_name):
    """
    Given:
        - A user-supplied filter that is malformed: no '=', more than one '=', blank,
          a blank value, or a missing name
    When:
        - Converting the filters into the format the request expects
    Then:
        - A DemistoException is raised whose message quotes the offending filter
    """
    from PrismaCloudV2 import handle_filters

    filters = argToList(filter_name)
    with pytest.raises(DemistoException) as raised:
        handle_filters(filters)

    # Built after the call, so the quoted filter is read from the list as it is at assertion time.
    expected_message = (
        f'Filters should be in the format of "filtername1=filtervalue1,filtername2=filtervalue2". '
        f'The filter "{filters[0]}" doesn\'t meet this requirement.'
    )
    assert raised.value.message == expected_message
def test_handle_tags():
    """
    Given:
        - A user-supplied tag written as tagkey=tagvalue
    When:
        - Converting the tags into the format the request expects
    Then:
        - Each tag comes back as a dict with 'key' and 'value' entries
    """
    from PrismaCloudV2 import handle_tags

    tags = argToList('Environment=local.resource_prefix.value')
    # The dots in the value are expected to be kept verbatim; only the '=' separates key from value.
    assert handle_tags(tags) == [{'key': 'Environment', 'value': 'local.resource_prefix.value'}]
@pytest.mark.parametrize(
    'tag_name',
    (
        'no_equal_sign',
        'too=many=equal_signs',
        ' ',
        'no_value= ',
        '=no_key',
    ),
)
def test_handle_tags_error(tag_name):
    """
    Given:
        - A user-supplied tag that is malformed: no '=', more than one '=', blank,
          a blank value, or a missing key
    When:
        - Converting the tags into the format the request expects
    Then:
        - A DemistoException is raised whose message quotes the offending tag
    """
    from PrismaCloudV2 import handle_tags

    filters = argToList(tag_name)
    with pytest.raises(DemistoException) as raised:
        handle_tags(filters)

    # Built after the call, so the quoted tag is read from the list as it is at assertion time.
    expected_message = (
        f'Tags should be in the format of "tagkey1=tagvalue1,tagkey2=tagvalue2". '
        f'The tag "{filters[0]}" doesn\'t meet this requirement.'
    )
    assert raised.value.message == expected_message
def test_validate_array_arg():
    """
    Given:
        - Two array arguments from the user: one holding only allowed values,
          one holding a value outside the allowed options
    When:
        - Checking the arguments against the list of available options before a request
    Then:
        - Only the argument holding a value outside the options raises an error
    """
    from PrismaCloudV2 import validate_array_arg

    allowed_values = ['good', 'another_good', 'more_good']

    # All values are in the allow-list, so this call must return without raising.
    validate_array_arg(argToList('good,another_good'), 'Good Name', allowed_values)

    # A single value outside the allow-list ('bad') is enough, even between two valid ones.
    with pytest.raises(DemistoException) as raised:
        validate_array_arg(argToList('more_good,bad,good'), 'Bad Name', allowed_values)

    assert raised.value.message == 'Bad Name values are unexpected, must be of the following: good, another_good, more_good.'
def test_remove_empty_values():
    """
    Given:
        - A dictionary mixing empty values, nested empty values and real values
    When:
        - Stripping empty values from the dictionary and from the dicts and lists nested in it
    Then:
        - What is returned is the original dictionary minus every empty and nested-empty value
    """
    from PrismaCloudV2 import remove_empty_values

    payload = {
        # Directly empty values.
        'empty1': [],
        'empty2': None,
        'empty3': False,  # the boolean False is expected to be dropped as well
        'empty4': {},
        'empty5': '',
        # Containers that hold nothing but empty values are expected to vanish entirely.
        'empty6': {'v1': None, 'v2': [], 'v3': {}},
        'empty7': {'v1': {'empty': {'nested_empty': None}}},
        'empty8': [{'v1': None}, {'v2': ''}],
        # Values that must survive.
        'with_value1': 'text',
        'with_value2': ['v1', 'v2'],
        'with_value3': {'v1', 'v2'},
        'with_value4': {'v1': None, 'v2': 'v3'},
        'with_value5': {
            'timeRange': {'type': 'to_now', 'value': 'epoch'},
            'filters': [
                {"name": "string1", "operator": "=", "value": "string1"},
                {"name": "string2", "operator": "=", "value": "string2"},
            ],
        },
        'with_value6': 'false',  # the string 'false' is a real value, unlike the boolean above
    }
    cleaned_payload = {
        'with_value1': 'text',
        'with_value2': ['v1', 'v2'],
        'with_value3': {'v1', 'v2'},
        'with_value4': {'v2': 'v3'},  # only the None entry is removed from a partly filled dict
        'with_value5': {
            'timeRange': {'type': 'to_now', 'value': 'epoch'},
            'filters': [
                {"name": "string1", "operator": "=", "value": "string1"},
                {"name": "string2", "operator": "=", "value": "string2"},
            ],
        },
        'with_value6': 'false',
    }

    assert remove_empty_values(payload) == cleaned_payload
@pytest.mark.parametrize(
    'page_size, page_number, offset',
    (
        (100, 1, 0),
        (2, 2, 2),
        (5, 3, 10),
    ),
)
def test_calculate_offset(page_size, page_number, offset):
    """
    Given:
        - The 'page_size' and 'page_number' arguments
    When:
        - Running a command that supports paging
    Then:
        - The page size is returned together with the offset to send in the request
    """
    from PrismaCloudV2 import calculate_offset

    # In every case above the expected offset is page_size * (page_number - 1).
    expected_paging = (page_size, offset)
    assert calculate_offset(page_size, page_number) == expected_paging
def test_extract_namespace():
    """
    Given:
        - A resource list response whose items may or may not carry namespaces in their members.
    When:
        - Extracting the namespaces from the resource list items.
    Then:
        - The response is updated in place, and only the item whose member holds
          'namespaces' gains a top-level 'namespaces' entry.
    """
    from PrismaCloudV2 import extract_namespace

    resource_lists = [
        {
            'id': '1',
            'name': 'No namespaces',
            'resourceListType': 'TAG',
            'description': 'some values',
            'lastModifiedBy': 'name@company.com',
            'lastModifiedTs': 1611682405313,
            'members': [{'env': 'env'}, {'projec': 'project'}, {'securit': 'security'}],
        },
        {
            'id': '2',
            'name': 'Members is strings',
            'resourceListType': 'RESOURCE_GROUP',
            'description': '',
            'lastModifiedBy': 'name@company.com',
            'lastModifiedTs': 1648181381197,
            'members': ['common'],
        },
        {
            'id': '3',
            'name': 'Have namespaces',
            'resourceListType': 'GROUP',
            'description': 'Have namespaces',
            'lastModifiedBy': 'name@company.com',
            'lastModifiedTs': 1648507192479,
            'members': [
                {
                    'hosts': ['*'], 'appIDs': ['*'], 'images': ['*'], 'labels': ['*'], 'clusters': ['*'],
                    'codeRepos': ['*'], 'functions': ['*'], 'containers': ['*'], 'namespaces': ['*'],
                },
            ],
        },
    ]

    # Spelled out as a separate literal rather than derived from the input, so the
    # in-place update of `resource_lists` cannot leak into the expectation.
    expected_resource_lists = [
        {
            'id': '1',
            'name': 'No namespaces',
            'resourceListType': 'TAG',
            'description': 'some values',
            'lastModifiedBy': 'name@company.com',
            'lastModifiedTs': 1611682405313,
            'members': [{'env': 'env'}, {'projec': 'project'}, {'securit': 'security'}],
        },
        {
            'id': '2',
            'name': 'Members is strings',
            'resourceListType': 'RESOURCE_GROUP',
            'description': '',
            'lastModifiedBy': 'name@company.com',
            'lastModifiedTs': 1648181381197,
            'members': ['common'],
        },
        {
            'id': '3',
            'name': 'Have namespaces',
            'resourceListType': 'GROUP',
            'description': 'Have namespaces',
            'lastModifiedBy': 'name@company.com',
            'lastModifiedTs': 1648507192479,
            'members': [
                {
                    'hosts': ['*'], 'appIDs': ['*'], 'images': ['*'], 'labels': ['*'], 'clusters': ['*'],
                    'codeRepos': ['*'], 'functions': ['*'], 'containers': ['*'], 'namespaces': ['*'],
                },
            ],
            'namespaces': ['*'],
        },
    ]

    extract_namespace(resource_lists)

    assert resource_lists == expected_resource_lists
''' FETCH HELPER FUNCTIONS TESTS '''
@pytest.mark.parametrize(
    'given_alert, expected_severity',
    (
        ({'policy': {'severity': 'high'}}, IncidentSeverity.HIGH),
        ({'policy': {'severity': 'medium'}}, IncidentSeverity.MEDIUM),
        ({'policy': {'severity': 'low'}}, IncidentSeverity.LOW),
        ({'policy': {'severity': 'critical'}}, IncidentSeverity.CRITICAL),
        ({'policy': {'severity': 'informational'}}, IncidentSeverity.INFO),
        # Unrecognised or missing severities are expected to map to UNKNOWN, not to raise.
        ({'policy': {'severity': 'other'}}, IncidentSeverity.UNKNOWN),
        ({'policy': {}}, IncidentSeverity.UNKNOWN),
        ({}, IncidentSeverity.UNKNOWN),
    ),
)
def test_translate_severity(given_alert, expected_severity):
    """
    Given:
        - An alert whose policy may or may not carry a severity
    When:
        - Fetching incidents and building the incident context from the alert
    Then:
        - The incident severity matching the alert's policy severity is returned
    """
    from PrismaCloudV2 import translate_severity

    translated = translate_severity(given_alert)
    assert translated == expected_severity
def test_expire_stored_ids():
    """
    Given:
        - IDs of already fetched alerts, each with its alert time
        - The next fetch run time, derived from the last alert time
        - The fetch look back time supplied by the user
    When:
        - Fetching incidents and preparing the values to store for the next run
    Then:
        - Only the IDs whose alert time can be fetched again in the next run are kept
    """
    from PrismaCloudV2 import expire_stored_ids, FETCH_LOOK_BACK_TIME

    next_run_time = 1000000000000  # epoch milliseconds; the offsets below are relative to this value

    stored_ids = {
        'N-111111': 1000000000000,  # same time
        'P-222222': 999996400000,  # exactly 1 hour earlier (FETCH_LOOK_BACK_TIME*3)
        'P-333333': 999998800000,  # 20 minutes earlier
        'P-444444': 999996340000,  # 61 minutes earlier
        'N-555555': 999992800000,  # 2 hours earlier
        'N-666666': 999996460000,  # 59 minutes earlier
    }
    # The entry exactly one hour back is kept; the 61-minute and 2-hour entries are dropped.
    still_relevant_ids = {
        'N-111111': 1000000000000,  # same time
        'P-222222': 999996400000,  # exactly 1 hour earlier
        'P-333333': 999998800000,  # 20 minutes earlier
        'N-666666': 999996460000,  # 59 minutes earlier
    }

    remaining_ids = expire_stored_ids(stored_ids, next_run_time, FETCH_LOOK_BACK_TIME)
    assert remaining_ids == still_relevant_ids
@pytest.mark.parametrize(
    'now, first_fetch, look_back, last_run_time, expected_fetch_time_range',
    (
        input_data.start_at_first_fetch_default,
        input_data.start_at_first_fetch,
        input_data.start_at_first_fetch2,
        input_data.start_at_last_run_time_with_look_back,
        input_data.start_at_last_run_time,
    ),
)
@freeze_time('2023-02-10 11:00:00 UTC')
def test_calculate_fetch_time_range(now, first_fetch, look_back, last_run_time, expected_fetch_time_range):
    """
    Given:
        - Every time value that takes part in computing the fetch time range
    When:
        - Building the arguments for the fetch incidents request
    Then:
        - The fetch time range returned equals the expected one
    """
    from PrismaCloudV2 import calculate_fetch_time_range

    # The clock is frozen by the decorator, so any "current time" lookup is deterministic.
    fetch_time_range = calculate_fetch_time_range(now, first_fetch, look_back, last_run_time)
    assert fetch_time_range == expected_fetch_time_range
@pytest.mark.parametrize(
    'last_run_epoch_time, look_back_minutes, expected_epoch_time',
    (
        (1676023200000, 20, 1676022000000),
        (1676023200000, 60, 1676019600000),
        (1676023200000, 0, 1676023200000),
    ),
)
def test_add_look_back(last_run_epoch_time, look_back_minutes, expected_epoch_time):
    """
    Given:
        - The last run time and a number of minutes to look back.
    When:
        - Building the arguments for the fetch incidents request and working out where fetching starts
    Then:
        - The fetch start time returned has the look back applied to it
    """
    from PrismaCloudV2 import add_look_back

    # Each expected value is the last run time minus look_back_minutes * 60 * 1000,
    # i.e. the times are epoch milliseconds and the look back moves the start earlier.
    fetch_start_time = add_look_back(last_run_epoch_time, look_back_minutes)
    assert fetch_start_time == expected_epoch_time