# Copyright (c) 2017, The MITRE Corporation. All rights reserved.
# See LICENSE.txt for complete terms.
3
4import unittest
5
6from stix.test import EntityTestCase, assert_warnings
7from stix.test import data_marking_test
8from stix.test.common import related_test, identity_test, kill_chains_test
9from stix.test.extensions.identity import ciq_identity_3_0_test
10
11from stix.core import STIXPackage
12import stix.ttp as ttp
13from stix.ttp import (
14    resource, infrastructure, exploit_targets, malware_instance, exploit,
15    attack_pattern, behavior, victim_targeting
16)
17
18
class ExploitTargetsTests(EntityTestCase, unittest.TestCase):
    """Fixture for the TTP ``ExploitTargets`` collection.

    The assertions come from ``EntityTestCase`` (imported from ``stix.test``
    and not defined in this file); this class only names the entity under
    test and supplies its dictionary form.
    """

    klass = exploit_targets.ExploitTargets

    # A single related exploit target, borrowed from related_test so the
    # nested shape is defined in one place only.
    _full_dict = {
        "scope": "inclusive",
        "exploit_targets": [related_test.RelatedExploitTargetTests._full_dict],
    }
28
29
class PersonasTests(EntityTestCase, unittest.TestCase):
    """Fixture for ``resource.Personas`` holding one plain identity.

    The dictionary form is a list, so the entity is exercised as a
    collection; the checks themselves live in ``EntityTestCase``, which is
    imported from ``stix.test`` and not shown here.
    """

    klass = resource.Personas

    # Reuses the identity fixture from identity_test instead of repeating it.
    _full_dict = [identity_test.IdentityTests._full_dict]
36
37
class PersonasWithCIQTests(EntityTestCase, unittest.TestCase):
    """Fixture for ``resource.Personas`` holding a CIQ 3.0 identity.

    Same entity class as the plain-identity personas fixture, but the single
    list member is the CIQ identity extension fixture, so the collection is
    also exercised with an extension-typed identity.
    """

    klass = resource.Personas

    _full_dict = [ciq_identity_3_0_test.CIQIdentity3_0InstanceTests._full_dict]
44
45
class InfrastructureTests(EntityTestCase, unittest.TestCase):
    """Fixture for ``infrastructure.Infrastructure``.

    Supplies the entity class and a dictionary form for the checks inherited
    from ``EntityTestCase`` (defined in ``stix.test``, not in this file).
    """

    klass = infrastructure.Infrastructure

    _full_dict = {
        "title": "Title",
        "description": "Description",
        "short_description": "Short Description",
        # Plain strings here, not vocabulary entries carrying an xsi:type.
        "types": ["foo", "bar"],
        "observable_characterization": {
            "cybox_major_version": "2",
            "cybox_minor_version": "1",
            "cybox_update_version": "0",
            # The observable is attached by reference only; nothing in this
            # fixture defines an observable with that id.
            "observables": [{"idref": "example:Observable-1"}],
        },
    }
65
66
class ResourcesTests(EntityTestCase, unittest.TestCase):
    """Fixture for ``ttp.Resource``: personas, tools and infrastructure.

    The personas and infrastructure parts are taken from the fixtures of
    ``PersonasTests`` and ``InfrastructureTests`` in this module, so those
    classes must be defined before this one.
    """

    klass = ttp.Resource

    _full_dict = {
        "personas": PersonasTests._full_dict,
        "tools": [
            {
                "title": "Tool",
                # Tool type is a controlled-vocabulary entry; the xsi:type
                # names the vocabulary the value is drawn from.
                "type": [
                    {
                        "value": "Malware",
                        "xsi:type": "stixVocabs:AttackerToolTypeVocab-1.0",
                    },
                ],
            },
        ],
        "infrastructure": InfrastructureTests._full_dict,
    }
85
86
class MalwareInstanceTests(EntityTestCase, unittest.TestCase):
    """Fixture for a single ``malware_instance.MalwareInstance``.

    Only descriptive fields are populated (id, title, descriptions, types);
    the checks are inherited from ``EntityTestCase`` in ``stix.test``.
    """

    klass = malware_instance.MalwareInstance

    _full_dict = {
        "id": "example:test-1",
        "title": "Title",
        "description": "Description",
        "short_description": "Short Description",
        # Plain strings here, not vocabulary entries carrying an xsi:type.
        "types": ["foo", "bar"],
    }
97
98
class MalwareInstancesTests(EntityTestCase, unittest.TestCase):
    """Fixture for the ``behavior.MalwareInstances`` collection.

    The list holds exactly one member: the dictionary defined on
    ``MalwareInstanceTests`` earlier in this module.
    """

    klass = behavior.MalwareInstances

    _full_dict = [MalwareInstanceTests._full_dict]
105
106
class ExploitTests(EntityTestCase, unittest.TestCase):
    """Fixture for a single ``exploit.Exploit``.

    Carries only an id, a title and the two description fields; the checks
    are inherited from ``EntityTestCase`` in ``stix.test``.
    """

    klass = exploit.Exploit

    _full_dict = {
        "id": "example:test-1",
        "title": "Title",
        "description": "Description",
        "short_description": "Short Description",
    }
116
117
class ExploitsTests(EntityTestCase, unittest.TestCase):
    """Fixture for the ``behavior.Exploits`` collection.

    The list holds exactly one member: the dictionary defined on
    ``ExploitTests`` earlier in this module.
    """

    klass = behavior.Exploits

    _full_dict = [ExploitTests._full_dict]
124
125
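class AttackPatternTests(EntityTestCase, unittest.TestCase):
    """Fixture and id/idref check for ``attack_pattern.AttackPattern``.

    ``_full_dict`` feeds the checks inherited from ``EntityTestCase``
    (defined in ``stix.test``, not in this file). ``test_idref`` additionally
    pins the rule that an attack pattern is either a definition (``id_``) or
    a reference (``idref``), never both.
    """

    klass = attack_pattern.AttackPattern

    _full_dict = {
        'id': 'example:test-1',
        'title': 'Title',
        'description': 'Description',
        'short_description': 'Short Description',
        # NOTE(review): bare digits; CAPEC identifiers are usually written
        # "CAPEC-<n>". This fixture only exercises the dictionary form, so
        # confirm whether the bare form is intentional.
        'capec_id': '12345'
    }

    def test_idref(self):
        # Previously named ``idref_test``. unittest's default loader only
        # collects methods whose names start with ``test``, so under the
        # ``unittest.main()`` entry point of this module the check was
        # silently skipped.
        ap = attack_pattern.AttackPattern()
        ap.id_ = 'foo'

        self.assertEqual(ap.id_, 'foo')

        # Setting a reference is expected to clear the definition id, so a
        # consumer never sees an object that is both a definition and a
        # pointer to another one.
        ap.idref = 'bar'
        self.assertEqual(ap.idref, 'bar')
        self.assertIsNone(ap.id_)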
146
147
class AttackPatternsTests(EntityTestCase, unittest.TestCase):
    """Fixture for the ``behavior.AttackPatterns`` collection.

    The list holds exactly one member: the dictionary defined on
    ``AttackPatternTests`` earlier in this module.
    """

    klass = behavior.AttackPatterns

    _full_dict = [AttackPatternTests._full_dict]
154
155
class BehaviorTests(EntityTestCase, unittest.TestCase):
    """Fixture for ``behavior.Behavior``.

    Composes the three collection fixtures defined earlier in this module
    (malware instances, exploits, attack patterns) into one dictionary.
    """

    klass = behavior.Behavior

    _full_dict = {
        "malware_instances": MalwareInstancesTests._full_dict,
        "exploits": ExploitsTests._full_dict,
        "attack_patterns": AttackPatternsTests._full_dict,
    }
164
165
class VictimTargetingTests(EntityTestCase, unittest.TestCase):
    """Fixture for ``victim_targeting.VictimTargeting``.

    Covers all four parts visible in the dictionary: the targeted identity,
    targeted systems, targeted information and targeted technical details.
    The checks are inherited from ``EntityTestCase`` in ``stix.test``.
    """

    klass = victim_targeting.VictimTargeting

    _full_dict = {
        # The identity is typed as the CIQ 3.0 extension through xsi:type and
        # carries only an industry sector.
        "identity": {
            "specification": {
                "organisation_info": {
                    "industry_type": "Electricity, Industrial Control Systems",
                },
            },
            "xsi:type": "stix-ciqidentity:CIQIdentity3.0InstanceType",
        },
        # Both targeted_* lists hold controlled-vocabulary entries; the
        # xsi:type names the vocabulary each value is drawn from.
        "targeted_systems": [
            {
                "value": "Industrial Control Systems",
                "xsi:type": "stixVocabs:SystemTypeVocab-1.0",
            },
        ],
        "targeted_information": [
            {
                "value": "Information Assets - Intellectual Property",
                "xsi:type": "stixVocabs:InformationTypeVocab-1.0",
            },
        ],
        "targeted_technical_details": {
            "cybox_major_version": "2",
            "cybox_minor_version": "1",
            "cybox_update_version": "0",
            # The observable is attached by reference only; nothing in this
            # fixture defines an observable with that id.
            "observables": [{"idref": "example:Observable-2"}],
        },
    }
201
202
class TTPTests(EntityTestCase, unittest.TestCase):
    """Fixture and helper-method checks for ``ttp.TTP``.

    ``_full_dict`` assembles a fully populated TTP from the component
    fixtures in this module and in the imported test modules; it feeds the
    checks inherited from ``EntityTestCase`` (defined in ``stix.test``, not
    in this file). The explicit test methods cover the description helpers
    and the ``related_packages`` field.
    """

    klass = ttp.TTP

    _full_dict = {
        "id": "example:ttp-1",
        "version": "1.1",
        "title": "TTP1",
        "description": "This is a long description about a ttp",
        "short_description": "a TTP",
        "resources": ResourcesTests._full_dict,
        # Data-marking fixture, i.e. the handling guidance attached to the TTP.
        "handling": data_marking_test.MarkingTests._full_dict,
        "exploit_targets": ExploitTargetsTests._full_dict,
        "behavior": BehaviorTests._full_dict,
        "related_packages": related_test.RelatedPackageRefsTests._full_dict,
        "kill_chain_phases": (
            kill_chains_test.KillChainPhasesReferenceTests._full_dict
        ),
        "victim_targeting": VictimTargetingTests._full_dict,
    }

    def test_add_description(self):
        # add_description() must leave the object in the same state as adding
        # the text to the descriptions collection directly.
        via_helper = self.klass()
        via_collection = self.klass()

        via_helper.add_description("Test")
        via_collection.descriptions.add("Test")

        helper_view = via_helper.descriptions.to_dict()
        collection_view = via_collection.descriptions.to_dict()
        self.assertEqual(helper_view, collection_view)

    def test_add_short_description(self):
        # Same equivalence as above, for the short-description collection.
        via_helper = self.klass()
        via_collection = self.klass()

        via_helper.add_short_description("Test")
        via_collection.short_descriptions.add("Test")

        helper_view = via_helper.short_descriptions.to_dict()
        collection_view = via_collection.short_descriptions.to_dict()
        self.assertEqual(helper_view, collection_view)

    @assert_warnings
    def test_deprecated_related_packages(self):
        # assert_warnings comes from stix.test; presumably it requires the
        # body to emit a warning, here for using the deprecated field --
        # confirm against the decorator.
        subject = ttp.TTP()
        subject.related_packages.append(STIXPackage())
        self.assertEqual(len(subject.related_packages), 1)
249
250
class TTPIdentityTests(EntityTestCase, unittest.TestCase):
    """Fixture for a ``ttp.TTP`` that carries only victim targeting.

    Unlike the fully populated TTP fixture, this one has just an id, a
    timestamp, a title and a CIQ 3.0 victim identity, so the CIQ identity is
    exercised when it is nested inside a TTP rather than on its own.
    """

    klass = ttp.TTP

    _full_dict = {
        'id': 'example:ttp-775591f7-7e01-4546-9522-d4211df4aac7',
        # The timestamp carries an explicit UTC offset.
        'timestamp': '2016-10-04T19:57:44.446575+00:00',
        'title': 'Victim Targeting: Electricity Sector and Industrial Control System Sector',
        'victim_targeting': {
            'identity': {
                'specification': {
                    'organisation_info': {
                        'industry_type': 'Electricity, Industrial Control Systems',
                    },
                },
                # Selects the CIQ identity extension for this identity.
                'xsi:type': 'stix-ciqidentity:CIQIdentity3.0InstanceType',
            },
        },
    }
268
269
# Running the file directly hands control to the stock unittest runner, which
# collects only methods whose names start with ``test``.
if __name__ == '__main__':
    unittest.main()
272