cti-python-stix2/stix2/test/v20/test_malware.py

import datetime as dt
import re

import pytest
import pytz

import stix2

from .constants import FAKE_TIME, MALWARE_ID, MALWARE_KWARGS

EXPECTED_MALWARE = """{
    "type": "malware",
    "spec_version": "2.1",
    "id": "malware--fedcba98-7654-3210-fedc-ba9876543210",
    "created": "2016-05-12T08:17:27.000Z",
    "modified": "2016-05-12T08:17:27.000Z",
    "name": "Cryptolocker",
    "labels": [
        "ransomware"
    ],
    "is_family": false
}"""


def test_malware_with_all_required_properties():
    now = dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)

    mal = stix2.Malware(
        type="malware",
        id=MALWARE_ID,
        created=now,
        modified=now,
        labels=["ransomware"],
        name="Cryptolocker",
        is_family=False
    )

    assert str(mal) == EXPECTED_MALWARE


def test_malware_autogenerated_properties(malware):
    assert malware.type == 'malware'
    assert malware.id == 'malware--00000000-0000-0000-0000-000000000001'
    assert malware.created == FAKE_TIME
    assert malware.modified == FAKE_TIME
    assert malware.labels == ['ransomware']
    assert malware.name == "Cryptolocker"

    assert malware['type'] == 'malware'
    assert malware['id'] == 'malware--00000000-0000-0000-0000-000000000001'
    assert malware['created'] == FAKE_TIME
    assert malware['modified'] == FAKE_TIME
    assert malware['labels'] == ['ransomware']
    assert malware['name'] == "Cryptolocker"


def test_malware_type_must_be_malware():
    with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
        stix2.Malware(type='xxx', **MALWARE_KWARGS)

    assert excinfo.value.cls == stix2.Malware
    assert excinfo.value.prop_name == "type"
    assert excinfo.value.reason == "must equal 'malware'."
    assert str(excinfo.value) == "Invalid value for Malware 'type': must equal 'malware'."


def test_malware_id_must_start_with_malware():
    with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
        stix2.Malware(id='my-prefix--', **MALWARE_KWARGS)

    assert excinfo.value.cls == stix2.Malware
    assert excinfo.value.prop_name == "id"
    assert excinfo.value.reason == "must start with 'malware--'."
    assert str(excinfo.value) == "Invalid value for Malware 'id': must start with 'malware--'."


def test_malware_required_properties():
    with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
        stix2.Malware()

    assert excinfo.value.cls == stix2.Malware
    assert excinfo.value.properties == ["is_family", "labels", "name"]


def test_malware_required_property_name():
    with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
        stix2.Malware(labels=['ransomware'], is_family=False)

    assert excinfo.value.cls == stix2.Malware
    assert excinfo.value.properties == ["name"]


def test_cannot_assign_to_malware_attributes(malware):
    with pytest.raises(stix2.exceptions.ImmutableError) as excinfo:
        malware.name = "Cryptolocker II"

    assert str(excinfo.value) == "Cannot modify 'name' property in 'Malware' after creation."


def test_invalid_kwarg_to_malware():
    with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
        stix2.Malware(my_custom_property="foo", **MALWARE_KWARGS)

    assert excinfo.value.cls == stix2.Malware
    assert excinfo.value.properties == ['my_custom_property']
    assert str(excinfo.value) == "Unexpected properties for Malware: (my_custom_property)."


@pytest.mark.parametrize("data", [
    EXPECTED_MALWARE,
    {
        "type": "malware",
        "spec_version": "2.1",
        "id": "malware--fedcba98-7654-3210-fedc-ba9876543210",
        "created": "2016-05-12T08:17:27.000Z",
        "modified": "2016-05-12T08:17:27.000Z",
        "labels": ["ransomware"],
        "name": "Cryptolocker",
        "is_family": False
    },
])
def test_parse_malware(data):
    mal = stix2.parse(data)

    assert mal.type == 'malware'
    assert mal.id == MALWARE_ID
    assert mal.created == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
    assert mal.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
    assert mal.labels == ['ransomware']
    assert mal.name == "Cryptolocker"


def test_parse_malware_invalid_labels():
    data = re.compile('\\[.+\\]', re.DOTALL).sub('1', EXPECTED_MALWARE)
    with pytest.raises(ValueError) as excinfo:
        stix2.parse(data)
    assert "Invalid value for Malware 'labels'" in str(excinfo.value)


def test_parse_malware_kill_chain_phases():
    kill_chain = """
      "kill_chain_phases": [
        {
          "kill_chain_name": "lockheed-martin-cyber-kill-chain",
          "phase_name": "reconnaissance"
        }
      ]"""
    data = EXPECTED_MALWARE.replace('malware"', 'malware",%s' % kill_chain)
    mal = stix2.parse(data)
    assert mal.kill_chain_phases[0].kill_chain_name == "lockheed-martin-cyber-kill-chain"
    assert mal.kill_chain_phases[0].phase_name == "reconnaissance"
    assert mal['kill_chain_phases'][0]['kill_chain_name'] == "lockheed-martin-cyber-kill-chain"
    assert mal['kill_chain_phases'][0]['phase_name'] == "reconnaissance"


def test_parse_malware_clean_kill_chain_phases():
    kill_chain = """
      "kill_chain_phases": [
        {
          "kill_chain_name": "lockheed-martin-cyber-kill-chain",
          "phase_name": 1
        }
      ]"""
    data = EXPECTED_MALWARE.replace('2.1"', '2.1",%s' % kill_chain)
    mal = stix2.parse(data)
    assert mal['kill_chain_phases'][0]['phase_name'] == "1"
Split up test functions 2017-03-22 13:46:39 +01:00			`import datetime as dt`
Fix import order, add flake8-import-order plugin to Tox 2017-04-25 00:29:56 +02:00			`import re`
Split up test functions 2017-03-22 13:46:39 +01:00
			`import pytest`
			`import pytz`
Switch to isort for checking import order because it has a pre-commit hook 2017-05-09 21:10:53 +02:00
Split up test functions 2017-03-22 13:46:39 +01:00			`import stix2`

			`from .constants import FAKE_TIME, MALWARE_ID, MALWARE_KWARGS`

			`EXPECTED_MALWARE = """{`
Update all tests. Re-organize EXPECTED values, update some regex expressions. 2017-08-15 19:41:51 +02:00			`"type": "malware",`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`"spec_version": "2.1",`
Split up test functions 2017-03-22 13:46:39 +01:00			`"id": "malware--fedcba98-7654-3210-fedc-ba9876543210",`
Update all tests. Re-organize EXPECTED values, update some regex expressions. 2017-08-15 19:41:51 +02:00			`"created": "2016-05-12T08:17:27.000Z",`
Add timestamp precision for `created` and `modified` Fix #24 2017-06-23 00:47:35 +02:00			`"modified": "2016-05-12T08:17:27.000Z",`
Split up test functions 2017-03-22 13:46:39 +01:00			`"name": "Cryptolocker",`
Update all tests. Re-organize EXPECTED values, update some regex expressions. 2017-08-15 19:41:51 +02:00			`"labels": [`
			`"ransomware"`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`],`
			`"is_family": false`
Split up test functions 2017-03-22 13:46:39 +01:00			`}"""`


Replace 'field' with 'property' to be consistent with the specification 2017-05-16 18:27:30 +02:00			`def test_malware_with_all_required_properties():`
Split up test functions 2017-03-22 13:46:39 +01:00			`now = dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)`

Fix or ignore Flake8 warnings. 2017-03-22 14:05:59 +01:00			`mal = stix2.Malware(`
Split up test functions 2017-03-22 13:46:39 +01:00			`type="malware",`
			`id=MALWARE_ID,`
			`created=now,`
			`modified=now,`
			`labels=["ransomware"],`
			`name="Cryptolocker",`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`is_family=False`
Split up test functions 2017-03-22 13:46:39 +01:00			`)`

Fix or ignore Flake8 warnings. 2017-03-22 14:05:59 +01:00			`assert str(mal) == EXPECTED_MALWARE`
Split up test functions 2017-03-22 13:46:39 +01:00

Replace 'field' with 'property' to be consistent with the specification 2017-05-16 18:27:30 +02:00			`def test_malware_autogenerated_properties(malware):`
Split up test functions 2017-03-22 13:46:39 +01:00			`assert malware.type == 'malware'`
			`assert malware.id == 'malware--00000000-0000-0000-0000-000000000001'`
			`assert malware.created == FAKE_TIME`
			`assert malware.modified == FAKE_TIME`
			`assert malware.labels == ['ransomware']`
			`assert malware.name == "Cryptolocker"`

			`assert malware['type'] == 'malware'`
			`assert malware['id'] == 'malware--00000000-0000-0000-0000-000000000001'`
			`assert malware['created'] == FAKE_TIME`
			`assert malware['modified'] == FAKE_TIME`
			`assert malware['labels'] == ['ransomware']`
			`assert malware['name'] == "Cryptolocker"`


			`def test_malware_type_must_be_malware():`
Rename exception class. 2017-04-18 21:42:59 +02:00			`with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:`
Fix or ignore Flake8 warnings. 2017-03-22 14:05:59 +01:00			`stix2.Malware(type='xxx', **MALWARE_KWARGS)`
Split up test functions 2017-03-22 13:46:39 +01:00
Add exception for invalid Property values. 2017-04-18 21:19:16 +02:00			`assert excinfo.value.cls == stix2.Malware`
			`assert excinfo.value.prop_name == "type"`
			`assert excinfo.value.reason == "must equal 'malware'."`
Split up test functions 2017-03-22 13:46:39 +01:00			`assert str(excinfo.value) == "Invalid value for Malware 'type': must equal 'malware'."`


			`def test_malware_id_must_start_with_malware():`
Rename exception class. 2017-04-18 21:42:59 +02:00			`with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:`
Fix or ignore Flake8 warnings. 2017-03-22 14:05:59 +01:00			`stix2.Malware(id='my-prefix--', **MALWARE_KWARGS)`
Split up test functions 2017-03-22 13:46:39 +01:00
Add exception for invalid Property values. 2017-04-18 21:19:16 +02:00			`assert excinfo.value.cls == stix2.Malware`
			`assert excinfo.value.prop_name == "id"`
			`assert excinfo.value.reason == "must start with 'malware--'."`
Split up test functions 2017-03-22 13:46:39 +01:00			`assert str(excinfo.value) == "Invalid value for Malware 'id': must start with 'malware--'."`


Replace 'field' with 'property' to be consistent with the specification 2017-05-16 18:27:30 +02:00			`def test_malware_required_properties():`
Change remaining 'fields' to 'properties' 2017-05-19 19:51:59 +02:00			`with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:`
Fix or ignore Flake8 warnings. 2017-03-22 14:05:59 +01:00			`stix2.Malware()`
Add Exception for missing values. 2017-04-18 21:41:18 +02:00
			`assert excinfo.value.cls == stix2.Malware`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`assert excinfo.value.properties == ["is_family", "labels", "name"]`
Split up test functions 2017-03-22 13:46:39 +01:00

Replace 'field' with 'property' to be consistent with the specification 2017-05-16 18:27:30 +02:00			`def test_malware_required_property_name():`
Change remaining 'fields' to 'properties' 2017-05-19 19:51:59 +02:00			`with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`stix2.Malware(labels=['ransomware'], is_family=False)`
Add Exception for missing values. 2017-04-18 21:41:18 +02:00
			`assert excinfo.value.cls == stix2.Malware`
Replace 'field' with 'property' to be consistent with the specification 2017-05-16 18:27:30 +02:00			`assert excinfo.value.properties == ["name"]`
Split up test functions 2017-03-22 13:46:39 +01:00

Move fixtures to conftest.py 2017-04-07 22:36:42 +02:00			`def test_cannot_assign_to_malware_attributes(malware):`
Create custom exception class for modifying an immutable object. 2017-04-18 22:05:20 +02:00			`with pytest.raises(stix2.exceptions.ImmutableError) as excinfo:`
Split up test functions 2017-03-22 13:46:39 +01:00			`malware.name = "Cryptolocker II"`

Update ImmutableError test cases. 2017-06-02 13:34:37 +02:00			`assert str(excinfo.value) == "Cannot modify 'name' property in 'Malware' after creation."`
Split up test functions 2017-03-22 13:46:39 +01:00

			`def test_invalid_kwarg_to_malware():`
Change remaining 'fields' to 'properties' 2017-05-19 19:51:59 +02:00			`with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:`
Fix or ignore Flake8 warnings. 2017-03-22 14:05:59 +01:00			`stix2.Malware(my_custom_property="foo", **MALWARE_KWARGS)`
Add exception for extra/invalid custom properties. 2017-04-18 21:56:16 +02:00
			`assert excinfo.value.cls == stix2.Malware`
Replace 'field' with 'property' to be consistent with the specification 2017-05-16 18:27:30 +02:00			`assert excinfo.value.properties == ['my_custom_property']`
			`assert str(excinfo.value) == "Unexpected properties for Malware: (my_custom_property)."`
Add parsing of Malware objects 2017-04-05 23:12:44 +02:00

Parse dictionaries as well as strings and file-like objects 2017-04-10 16:42:07 +02:00			`@pytest.mark.parametrize("data", [`
			`EXPECTED_MALWARE,`
			`{`
			`"type": "malware",`
First cut at splitting the Bundle implementation into v20 and v21 variants. Also fixed up unit tests and got them passing again. 2018-06-14 02:09:07 +02:00			`"spec_version": "2.1",`
Parse dictionaries as well as strings and file-like objects 2017-04-10 16:42:07 +02:00			`"id": "malware--fedcba98-7654-3210-fedc-ba9876543210",`
Add timestamp precision for `created` and `modified` Fix #24 2017-06-23 00:47:35 +02:00			`"created": "2016-05-12T08:17:27.000Z",`
			`"modified": "2016-05-12T08:17:27.000Z",`
Parse dictionaries as well as strings and file-like objects 2017-04-10 16:42:07 +02:00			`"labels": ["ransomware"],`
			`"name": "Cryptolocker",`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`"is_family": False`
Parse dictionaries as well as strings and file-like objects 2017-04-10 16:42:07 +02:00			`},`
			`])`
			`def test_parse_malware(data):`
			`mal = stix2.parse(data)`
Add parsing of Malware objects 2017-04-05 23:12:44 +02:00
			`assert mal.type == 'malware'`
			`assert mal.id == MALWARE_ID`
Add TimestampProperty 2017-04-11 18:10:55 +02:00			`assert mal.created == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)`
			`assert mal.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)`
Add parsing of Malware objects 2017-04-05 23:12:44 +02:00			`assert mal.labels == ['ransomware']`
			`assert mal.name == "Cryptolocker"`
Use StringProperty and ListProperty in Malware objects, fix bugs in those properties 2017-04-07 20:53:40 +02:00

			`def test_parse_malware_invalid_labels():`
Fix deprecated 3.6 backslash-character pairs (https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior) 2018-04-11 21:46:17 +02:00			`data = re.compile('\\[.+\\]', re.DOTALL).sub('1', EXPECTED_MALWARE)`
Use StringProperty and ListProperty in Malware objects, fix bugs in those properties 2017-04-07 20:53:40 +02:00			`with pytest.raises(ValueError) as excinfo:`
			`stix2.parse(data)`
			`assert "Invalid value for Malware 'labels'" in str(excinfo.value)`
Rework kill chain phases 2017-04-07 23:34:06 +02:00

			`def test_parse_malware_kill_chain_phases():`
			`kill_chain = """`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "lockheed-martin-cyber-kill-chain",`
			`"phase_name": "reconnaissance"`
			`}`
			`]"""`
			`data = EXPECTED_MALWARE.replace('malware"', 'malware",%s' % kill_chain)`
			`mal = stix2.parse(data)`
			`assert mal.kill_chain_phases[0].kill_chain_name == "lockheed-martin-cyber-kill-chain"`
			`assert mal.kill_chain_phases[0].phase_name == "reconnaissance"`
			`assert mal['kill_chain_phases'][0]['kill_chain_name'] == "lockheed-martin-cyber-kill-chain"`
			`assert mal['kill_chain_phases'][0]['phase_name'] == "reconnaissance"`
Fix import order, add flake8-import-order plugin to Tox 2017-04-25 00:29:56 +02:00

			`def test_parse_malware_clean_kill_chain_phases():`
			`kill_chain = """`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "lockheed-martin-cyber-kill-chain",`
			`"phase_name": 1`
			`}`
			`]"""`
Update many unit tests to work with the malware2.1 API changes I made. The bundle tests and Bundle itself have not been fixed yet in this commit. 2018-06-11 23:33:50 +02:00			`data = EXPECTED_MALWARE.replace('2.1"', '2.1",%s' % kill_chain)`
Fix import order, add flake8-import-order plugin to Tox 2017-04-25 00:29:56 +02:00			`mal = stix2.parse(data)`
			`assert mal['kill_chain_phases'][0]['phase_name'] == "1"`