|
|
"""Tests for security analysis logic.""" |
|
|
|
|
|
import pytest |
|
|
from src.analyzer import IncidentAnalyzer, RiskLevel, SecurityAnalysis |
|
|
from src.llm import MockLLMProvider |
|
|
|
|
|
|
|
|
@pytest.fixture
def analyzer():
    """Return an IncidentAnalyzer backed by MockLLMProvider (the LLM test double).

    Every test in this module goes through this fixture, so none of them
    depend on a live model backend.
    """
    return IncidentAnalyzer(MockLLMProvider())
|
|
|
|
|
|
|
|
@pytest.mark.asyncio
async def test_analyze_basic(analyzer):
    """Run the end-to-end analyze() path on one log line and check the result shape.

    Only type and population are asserted, not content: the text comes from
    the mock provider, so exact wording is not meaningful here.
    """
    sample_log = "Failed authentication attempts from 192.168.1.100"

    result = await analyzer.analyze(sample_log)

    assert isinstance(result, SecurityAnalysis)
    # risk_level has to be an actual enum member, not a loose string
    assert result.risk_level in RiskLevel
    for populated_field in ("summary", "remediation", "raw_response"):
        assert getattr(result, populated_field), f"{populated_field} should not be empty"
|
|
|
|
|
|
|
|
def test_parse_response_critical(analyzer):
    """A response carrying 'Risk Level: CRITICAL' must parse to RiskLevel.CRITICAL."""
    llm_output = """
What Happened: Ransomware detected
Risk Level: CRITICAL
Suggested Actions:
- Isolate affected systems
"""

    parsed = analyzer._parse_response(llm_output)

    assert parsed.risk_level == RiskLevel.CRITICAL
|
|
|
|
|
|
|
|
def test_parse_response_fallback_risk(analyzer):
    """A response with no 'Risk Level' line must fall back to RiskLevel.MEDIUM.

    Pinning the default matters: a model reply the parser cannot classify
    should still come out with an explicit severity rather than an error.
    """
    llm_output = "This is a generic response with no risk level specified"

    parsed = analyzer._parse_response(llm_output)

    assert parsed.risk_level == RiskLevel.MEDIUM
|
|
|
|
|
|
|
|
def test_parse_response_indicators(analyzer):
    """Bullet items under an 'Indicators:' heading end up in result.indicators."""
    llm_output = """What Happened: Suspicious activity
Risk Level: HIGH
Suggested Actions: Review logs

Indicators:
- Multiple failed logins
- Unusual IP address"""

    parsed = analyzer._parse_response(llm_output)

    # Both bullet items must survive parsing; the lower-bound check leaves room
    # for the parser to pull out additional indicators from the same text.
    assert len(parsed.indicators) >= 2
    # Case-insensitive match so formatting differences in the parser's output
    # do not fail the test.
    lowered = [indicator.lower() for indicator in parsed.indicators]
    assert any("failed" in indicator for indicator in lowered)
|
|
|