tests/alerts/plugins/test_possible_usernames.py

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation

import os
import sys


class TestPossibleUsernames:
    def setup(self):
        self._orig_path = os.getcwd()

        self._alerts_path = os.path.join(
            os.path.dirname(__file__),
            '../../../alerts')

        sys.path.insert(0, self._alerts_path)

    def teardown(self):
        os.chdir(self._orig_path)

        sys.path.remove(self._alerts_path)

        if 'lib' in sys.modules:
            del sys.modules['lib']

    def test_enrichment(self):
        from alerts.plugins.possible_usernames import enrich

        events = [
            {
                # Expected event
                'details': {
                    'username': 'tester1'
                }
            },
            {
                # No username
                'details': {
                    'otherthing': 'somevalue'
                }
            },
            {
                # No details
                'notwhatwewant': {
                    'something': 'else'
                }
            },
            {
                # Duplicate user
                'details': {
                    'username': 'tester1'
                }
            }
        ]

        alert = {
            'details': {
                'username': 'tester2'
            }
        }

        enriched = enrich(alert, events)

        # Ensure old fields still present.
        assert enriched['details']['username'] == 'tester2'

        # Ensure possible users found and duplicates removed.
        assert len(enriched['details']['possible_usernames']) == 1
        assert enriched['details']['possible_usernames'][0] == 'tester1'
        assert 'tester1' in enriched['summary']

    def test_hostname_detection(self):
        from alerts.plugins.possible_usernames import _most_common_hostname

        # Stripped down version of events expected to be in alert['events'].
        events = [
            {
                # First hostname
                'documentsource': {
                    'hostname': 'host1',
                },
            },
            {
                # Missing documentsource
                'notdocsource': {
                    'hostname': 'host1',
                },
            },
            {
                # Missing hostname
                'documentsource': {
                    'nothostname': 'notahost',
                },
            },
            {
                # Duplicate hostname
                'documentsource': {
                    'hostname': 'host1',
                },
            },
            {
                # Alternative hostname
                'documentsource': {
                    'hostname': 'host2',
                },
            },
        ]

        hostname = _most_common_hostname(events)

        # host1 appears twice, host2 appears once.
        assert hostname == 'host1'