RubyGems - threatinator - Versions diffs - 0.1.6 → 0.2.0 - Mend

threatinator 0.1.6 → 0.2.0

Files changed (197) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +13 -2
data/Gemfile +18 -13
data/Rakefile +1 -1
data/VERSION +1 -1
data/feeds/ET_block-ip_reputation.feed +26 -0
data/feeds/ET_openbadlist-ip_reputation.feed +35 -0
data/feeds/bambenek_c2_masterlist-domain_reputation.feed +15 -0
data/feeds/bambenek_c2_masterlist-ip_reputation.feed +15 -0
data/feeds/bambenek_dga_feed-domain_reputation.feed +15 -0
data/feeds/berkeley-ip_reputation.feed +23 -0
data/feeds/bitcash_cz_blacklist.feed +20 -0
data/feeds/botscout-ip_reputation.feed +24 -0
data/feeds/cert_mxpoison-ip_reputation.feed +21 -0
data/feeds/chaosreigns-ip_reputation.feed +36 -0
data/feeds/cydef_torexit-ip_reputation.feed +24 -0
data/feeds/danger_bruteforce-ip_reputation.feed +23 -0
data/feeds/falconcrest-ip_reputation.feed +18 -0
data/feeds/h3x_asprox.feed +17 -0
data/feeds/hosts-file_hphostspartial-domain_reputation.feed +18 -0
data/feeds/infiltrated_vabl-ip_reputation.feed +29 -0
data/feeds/isc_suspicious_high-domain_reputation.feed +25 -0
data/feeds/isc_suspicious_low-domain_reputation.feed +25 -0
data/feeds/isc_suspicious_medium-domain_reputation.feed +25 -0
data/feeds/malwaredomainlist-url_reputation.feed +16 -0
data/feeds/malwaredomains-domain_reputation.feed +27 -0
data/feeds/malwaredomains_dyndns-domain_reputation.feed +27 -0
data/feeds/malwaredomains_justdomains-domain_reputation.feed +18 -0
data/feeds/multiproxy-ip_reputation.feed +20 -0
data/feeds/openphish-url_reputation.feed +22 -0
data/feeds/packetmail_perimeterbad-ip_reputation.feed +26 -0
data/feeds/phishtank.feed +1 -1
data/feeds/sigmaproject_atma.feed +25 -0
data/feeds/sigmaproject_spyware.feed +24 -0
data/feeds/sigmaproject_webexploit.feed +26 -0
data/feeds/snort_bpf-ip_reputation.feed +19 -0
data/feeds/steeman-ip_reputation.feed +19 -0
data/feeds/trustedsec-ip_reputation.feed +17 -0
data/feeds/virbl-ip_reputation.feed +24 -0
data/feeds/vxvault-url_reputation.feed +22 -0
data/feeds/yoyo_adservers-domain_reputation.feed +16 -0
data/lib/threatinator/actions/run/action.rb +15 -3
data/lib/threatinator/actions/run/coverage_observer.rb +12 -7
data/lib/threatinator/actions/run/status_observer.rb +37 -0
data/lib/threatinator/cli.rb +9 -3
data/lib/threatinator/cli/parser.rb +14 -4
data/lib/threatinator/config.rb +1 -0
data/lib/threatinator/config/logger.rb +14 -0
data/lib/threatinator/event.rb +28 -18
data/lib/threatinator/event_builder.rb +52 -23
data/lib/threatinator/exceptions.rb +3 -6
data/lib/threatinator/feed.rb +1 -1
data/lib/threatinator/feed_runner.rb +63 -7
data/lib/threatinator/logger.rb +66 -0
data/lib/threatinator/logging.rb +20 -0
data/lib/threatinator/model/base.rb +23 -0
data/lib/threatinator/model/collection.rb +64 -0
data/lib/threatinator/model/observables/fqdn_collection.rb +13 -0
data/lib/threatinator/model/observables/ipv4.rb +30 -0
data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
data/lib/threatinator/model/observables/url_collection.rb +16 -0
data/lib/threatinator/model/validations.rb +1 -0
data/lib/threatinator/model/validations/type.rb +21 -0
data/lib/threatinator/plugins/output/csv.rb +20 -9
data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
data/spec/feeds/ET_compromised-ip_reputation_spec.rb +2 -5
data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
data/spec/feeds/alienvault-ip_reputation_spec.rb +2 -5
data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +0 -3
data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +2 -5
data/spec/feeds/autoshun_shunlist_spec.rb +1 -4
data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +39 -0
data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +2 -5
data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +2 -5
data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
data/spec/feeds/ciarmy-ip_reputation_spec.rb +2 -5
data/spec/feeds/cruzit-ip_reputation_spec.rb +2 -5
data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +2 -5
data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
data/spec/feeds/data/berkeley.txt +29 -0
data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
data/spec/feeds/data/falconcrest_iplist.txt +345 -0
data/spec/feeds/data/h3x_asprox.txt +20 -0
data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
data/spec/feeds/data/multiproxy_iplist.txt +15 -0
data/spec/feeds/data/openphish-url-reputation.txt +16 -0
data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
data/spec/feeds/data/yoyo_adservers.txt +25 -0
data/spec/feeds/dshield_attackers-top1000_spec.rb +1 -4
data/spec/feeds/falconcrest-ip_reputation_spec.rb +37 -0
data/spec/feeds/feodo-domain_reputation_spec.rb +0 -3
data/spec/feeds/feodo-ip_reputation_spec.rb +2 -5
data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
data/spec/feeds/infiltrated-ip_reputation_spec.rb +2 -5
data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
data/spec/feeds/malc0de-domain_reputation_spec.rb +0 -3
data/spec/feeds/malc0de-ip_reputation_spec.rb +2 -5
data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
data/spec/feeds/mirc-domain_reputation_spec.rb +0 -3
data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
data/spec/feeds/nothink_irc-ip_reputation_spec.rb +2 -5
data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +2 -5
data/spec/feeds/openbl-ip_reputation_spec.rb +2 -5
data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
data/spec/feeds/palevo-domain_reputation_spec.rb +0 -3
data/spec/feeds/palevo-ip_reputation_spec.rb +2 -5
data/spec/feeds/phishtank_spec.rb +2 -5
data/spec/feeds/sigmaproject_atma_spec.rb +63 -0
data/spec/feeds/sigmaproject_spyware_spec.rb +64 -0
data/spec/feeds/sigmaproject_webexploit_spec.rb +63 -0
data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
data/spec/feeds/spyeye-domain_reputation_spec.rb +0 -3
data/spec/feeds/spyeye-ip_reputation_spec.rb +2 -5
data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +2 -5
data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +2 -5
data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +2 -5
data/spec/feeds/yoyo_adservers_spec.rb +47 -0
data/spec/feeds/zeus-domain_reputation_spec.rb +0 -3
data/spec/feeds/zeus-ip_reputation_spec.rb +2 -5
data/spec/spec_helper.rb +2 -0
data/spec/support/factories/event.rb +11 -7
data/spec/support/factories/feed.rb +28 -1
data/spec/support/factories/ipv4.rb +36 -0
data/spec/support/factories/url.rb +34 -0
data/spec/support/shared/feed_runner_observer.rb +136 -0
data/spec/support/shared/feeds.rb +19 -4
data/spec/support/shared/model/collection.rb +164 -0
data/spec/threatinator/actions/run/action_spec.rb +27 -10
data/spec/threatinator/actions/run/coverage_observer_spec.rb +39 -4
data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
data/spec/threatinator/event_builder_spec.rb +111 -21
data/spec/threatinator/event_spec.rb +237 -13
data/spec/threatinator/event_spec.rb.new +319 -0
data/spec/threatinator/feed_builder_spec.rb +0 -3
data/spec/threatinator/feed_runner_spec.rb +254 -70
data/spec/threatinator/logger_spec.rb +29 -0
data/spec/threatinator/model/observables/fqdn_collection_spec.rb +42 -0
data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
data/spec/threatinator/model/validations/type_spec.rb +37 -0
data/spec/threatinator/plugins/output/csv_spec.rb +4 -3
metadata +216 -19
data/lib/threatinator/property_definer.rb +0 -101
data/spec/threatinator/property_definer_spec.rb +0 -155

data/spec/threatinator/event_builder_spec.rb CHANGED Viewed

@@ -2,32 +2,122 @@ require 'spec_helper'
 require 'threatinator/event_builder'
 describe Threatinator::EventBuilder do
-  let(:feed) { build(:feed, provider: "my_provider", name: "my_feed" ) }
-  let(:event_builder) { described_class.new(feed) }
-  describe "#create_event" do
-    it "should yield an event" do
-      expect { |b| event_builder.create_event(&b) }.to yield_with_args(kind_of(Threatinator::Event))
-    end
-    it "should increment the count each time it has been called" do
-      expect(event_builder.count).to eq(0)
-      event_builder.create_event { |e| }
-      expect(event_builder.count).to eq(1)
-      10.times do
-        event_builder.create_event { |e| }
-      end
-      expect(event_builder.count).to eq(11)
+  let(:feed_provider) { 'my_provider' }
+  let(:feed_name) { 'my_feed' }
+  let(:event_builder) { described_class.new(feed_provider, feed_name) }
+  let(:type) { :c2 }
+  before :each do
+    event_builder.type = :c2
+  end
+  describe "#reset" do
+    it "resets 'type' to nil" do
+      event_builder.type = :c2
+      event_builder.reset
+      expect {
+        event_builder.build
+      }.to raise_error(Threatinator::Exceptions::EventBuildError)
+    end
+    it "resets the fqdns" do
+      event_builder.add_fqdn('foo.com')
+      event_builder.reset
+      event_builder.type = :c2
+      event1 = event_builder.build
+      expect(event1.fqdns).to be_empty
+    end
+    it "resets the ipv4s" do
+      event_builder.add_ipv4('1.2.3.4')
+      event_builder.reset
+      event_builder.type = :c2
+      event1 = event_builder.build
+      expect(event1.ipv4s).to be_empty
+    end
+    it "does not reset feed_provider or feed_name" do
+      event_builder.reset
+      event_builder.type = :c2
+      event1 = event_builder.build
+      expect(event1.feed_provider).to eq('my_provider')
+      expect(event1.feed_name).to eq('my_feed')
+    end
+  end
+  describe "#type=(type)" do
+    it "sets the 'type' for built events" do
+      event1 = event_builder.build
+      expect(event1.type).to eq(:c2)
+    end
+  end
+  describe "#add_ipv4(ipv4)" do
+    it "adds the provided ipv4s to built events" do
+      event_builder.add_ipv4('1.2.3.4')
+      event_builder.add_ipv4('8.8.8.8')
+      event1 = event_builder.build
+      expect(event1.ipv4s).to contain_exactly(build(:ipv4, ipv4:'1.2.3.4'), build(:ipv4, ipv4: '8.8.8.8'))
+    end
+  end
+  describe "#add_fqdn(fqdn)" do
+    it "adds the provided fqdns to built events" do
+      event_builder.add_fqdn('google.com')
+      event_builder.add_fqdn('yahoo.com')
+      event1 = event_builder.build
+      expect(event1.fqdns).to contain_exactly('google.com', 'yahoo.com')
     end
+  end
+  describe "#add_url(url)" do
+    it "converts the provided URLs strings into Addressable::URI objects and adds them to the built events" do
+      event_builder.add_url('http://google.com/foo/bar')
+      event_builder.add_url('http://yahoo.com')
+      event = event_builder.build
+      expect(event.urls).to contain_exactly(
+        ::Addressable::URI.parse('http://google.com/foo/bar'),
+        ::Addressable::URI.parse('http://yahoo.com')
+      )
+    end
+  end
-    describe "the yielded event" do
-      let(:event) { e = nil; event_builder.create_event { |x| e = x }; e }
-      specify "#feed_name is set to the feed's provider" do
-        expect(event.feed_name).to eq('my_feed')
+  describe "#build" do
+    it "generates a new event with each call" do
+      event1 = event_builder.build
+      event2 = event_builder.build
+      expect(event1).not_to be(event2)
+    end
+    specify "successively built events will == each other if the builder has not been changed" do
+      event_builder.type = :c2
+      event_builder.add_ipv4('1.2.3.4')
+      event_builder.add_fqdn('foo.com')
+      event1 = event_builder.build
+      event2 = event_builder.build
+      expect(event1).to be == event2
+    end
+    context "when an added URL is not parseable as a URI" do
+      it "raises EventBuildError" do
+        event_builder.type = :c2
+        event_builder.add_url(1234)
+        expect {
+          event_builder.build
+        }.to raise_error(Threatinator::Exceptions::EventBuildError)
       end
-      specify "#feed_provider is set to the feed's provider" do
-        expect(event.feed_provider).to eq('my_provider')
+    end
+    context "when an added URL is not absolute" do
+      it "raises EventBuildError" do
+        event_builder.type = :c2
+        event_builder.add_url("/foo/bar")
+        expect {
+          event_builder.build
+        }.to raise_error(Threatinator::Exceptions::EventBuildError)
       end
     end
   end
 end

data/spec/threatinator/event_spec.rb CHANGED Viewed

@@ -2,29 +2,253 @@ require 'spec_helper'
 require 'threatinator/event'
 describe Threatinator::Event do
-  describe "#type" do
-    it "should default to nil"
-    it "should return the value if set"
+  let(:event_opts) { { feed_provider: 'foo', feed_name: 'bar', type: :c2 } }
+  describe "initialization" do
+    it "requires at least :feed_provider, :feed_name, and :type to be valid" do
+      expect {
+        described_class.new(feed_provider: 'foo', feed_name: 'bar', type: :c2)
+      }.not_to raise_error
+    end
+  end
+  describe "#==(other)" do
+    it "returns true when compared to an identically configured event" do
+      event_opts.merge!(ipv4s: build(:ipv4s, values: ['1.2.3.4']), fqdns: ['foo.com'])
+      event1 = described_class.new(event_opts)
+      event2 = described_class.new(event_opts)
+      expect(event1).to be == event2
+    end
+    it "returns true when compared to an identically configured event" do
+      event_opts.merge!(ipv4s: build(:ipv4s, values: ['1.2.3.4']), fqdns: ['foo.com'])
+      event1 = described_class.new(event_opts)
+      event_opts.merge!(ipv4s: build(:ipv4s, values: ['8.8.8.8']), fqdns: ['foo.com'])
+      event2 = described_class.new(event_opts)
+      expect(event1).not_to be == event2
+    end
   end
-  describe "#type=" do
-    Threatinator::Event::VALID_TYPES.each do |type|
-      it "should be possible to set to #{type.inspect}"
+  describe ":feed_provider" do
+    it "can be set to a String" do
+      event_opts[:feed_provider] = "asdf"
+      expect(described_class.new(event_opts).feed_provider).to eq("asdf")
+    end
+    it "is required to be a String" do
+      event_opts[:feed_provider] = 1234
+      expect {
+        described_class.new(event_opts)
+      }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+    end
+    it "is required" do
+      event_opts.delete(:feed_provider)
+      expect {
+        described_class.new(event_opts)
+      }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+    end
+  end
+  describe ":feed_name" do
+    it "can be set to a String" do
+      event_opts[:feed_name] = "foo"
+      expect(described_class.new(event_opts).feed_name).to eq("foo")
+    end
+    it "is required to be a String" do
+      event_opts[:feed_name] = 1234
+      expect {
+        described_class.new(event_opts)
+      }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+    end
+    it "is required" do
+      event_opts.delete(:feed_name)
+      expect {
+        described_class.new(event_opts)
+      }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
     end
-    it "should raise an InvalidAttributeError if set to something other than a symbol"
   end
-  describe "#ipv4s" do
-    it "should return an array"
+  describe ":type" do
+    it "cannot be be nil" do
+      event_opts[:type] = nil
+      expect {
+        described_class.new(event_opts)
+      }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+    end
+    it "is required" do
+      event_opts.delete(:type)
+      expect {
+        described_class.new(event_opts)
+      }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+    end
+    [:c2, :attacker, :malware_host, :spamming, :scanning, :phishing].each do |v|
+      it "can be #{v.inspect}" do
+        event_opts[:type] = v
+        expect(described_class.new(event_opts).type).to eq(v)
+      end
+    end
   end
-  describe "#fqdns" do
-    it "should return an array"
+  describe ":fqdns" do
+    context "when nil" do
+      it "is valid" do
+        event_opts[:fqdns] = nil
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#fqdns" do
+        it "returns an an empty array" do
+          event_opts[:fqdns] = nil
+          expect(described_class.new(event_opts).fqdns).to be_empty
+        end
+      end
+    end
+    context "when set to an empty array" do
+      it "is valid" do
+        event_opts[:fqdns] = nil
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#fqdns" do
+        it "returns an an empty array" do
+          event_opts[:fqdns] = []
+          expect(described_class.new(event_opts).fqdns).to be_empty
+        end
+      end
+    end
+    context "with :fqdns set to an array of fqdn strings" do
+      let(:fqdns) { ['foo.com', 'bar.com'] }
+      it "is valid" do
+        event_opts[:fqdns] = ['foo.com', 'bar.com']
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#fqdns" do
+        it "returns a collection containing the provided fqdns" do
+          event_opts[:fqdns] = ['foo.com', 'bar.com']
+          expect(described_class.new(event_opts).fqdns).to contain_exactly('foo.com', 'bar.com')
+        end
+      end
+    end
   end
-  describe "#add_ipv4" do
+  describe ":ipv4s" do
+    context "when nil" do
+      it "is valid" do
+        event_opts[:ipv4s] = nil
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#ipv4s" do
+        it "returns an an empty collection" do
+          event_opts[:ipv4s] = nil
+          expect(described_class.new(event_opts).ipv4s).to be_empty
+        end
+      end
+    end
+    context "when set to an empty array" do
+      it "is valid" do
+        event_opts[:ipv4s] = nil
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#ipv4s" do
+        it "returns an an empty collection" do
+          event_opts[:ipv4s] = []
+          expect(described_class.new(event_opts).ipv4s).to be_empty
+        end
+      end
+    end
+    context "with :ipv4s set to an empty Ipv4Collection" do
+      it "is valid" do
+        event_opts[:ipv4s] = build(:ipv4s)
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#ipv4s" do
+        it "returns an an empty collection" do
+          event_opts[:ipv4s] = []
+          expect(described_class.new(event_opts).ipv4s).to be_empty
+        end
+      end
+    end
+    context "with :ipv4s set to an array of Ipv4 observables" do
+      it "is valid" do
+        event_opts[:ipv4s] = [build(:ipv4, ipv4: '1.2.3.4'), build(:ipv4, ipv4: '8.8.8.8')]
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#ipv4s" do
+        it "returns a collection containing the provided Ipv4 observables" do
+          o1 = build(:ipv4, ipv4: '1.2.3.4')
+          o2 = build(:ipv4, ipv4: '8.8.8.8')
+          event_opts[:ipv4s] = [o1, o2]
+          expect(described_class.new(event_opts).ipv4s).to contain_exactly(o1, o2)
+        end
+      end
+    end
   end
-  describe "#add_fqdn" do
+  describe ":urls" do
+    context "when nil" do
+      it "is valid" do
+        event_opts[:urls] = nil
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#urls" do
+        it "returns an an empty array" do
+          event_opts[:urls] = nil
+          expect(described_class.new(event_opts).urls).to be_empty
+        end
+      end
+    end
+    context "when set to an empty array" do
+      it "is valid" do
+        event_opts[:urls] = nil
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#urls" do
+        it "returns an an empty array" do
+          event_opts[:urls] = []
+          expect(described_class.new(event_opts).urls).to be_empty
+        end
+      end
+    end
+    context "with :urls set to an array of url strings" do
+      let(:urls) {
+        [
+          Addressable::URI.parse('http://yahoo.com'),
+          Addressable::URI.parse('http://google.com'),
+        ]
+      }
+      it "is valid" do
+        event_opts[:urls] = urls
+        expect {
+          described_class.new(event_opts)
+        }.not_to raise_error
+      end
+      describe "#urls" do
+        it "returns a collection containing the provided urls" do
+          event_opts[:urls] = urls
+          expect(described_class.new(event_opts).urls).to match_array(urls)
+        end
+      end
+    end
   end
 end

data/spec/threatinator/event_spec.rb.new ADDED Viewed

@@ -0,0 +1,319 @@
+require 'spec_helper'
+require 'threatinator/event'
+describe Threatinator::Event do
+  it "requires at least :feed_provider, :feed_name, and :type to be valid" do
+    event = described_class.new(feed_provider: 'foo', feed_name: 'bar', type: :c2)
+    expect(event).to be_valid
+  end
+  let(:event_opts) { { feed_provider: 'foo', feed_name: 'bar', type: :c2 } }
+  describe "#validate!" do
+    context "when the event is valid" do
+      it "does not raise anything" do
+        event = described_class.new(event_opts)
+        expect(event).to be_valid
+        expect { event.validate! }.not_to raise_error
+      end
+    end
+    context "when the event is not valid" do
+      it "raises an InvalidAttributeError" do
+        event_opts.delete(:feed_name)
+        event = described_class.new(event_opts)
+        expect(event).not_to be_valid
+        expect { event.validate! }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+      end
+    end
+  end
+  describe "#==(other)" do
+    it "returns true when compared to an identically configured event" do
+      event_opts.merge!(ipv4s: ['1.2.3.4'], fqdns: ['foo.com'], urls: [{url: 'http://foo.com'}])
+      event1 = described_class.new(event_opts)
+      event2 = described_class.new(event_opts)
+      expect(event1).to be == event2
+    end
+    it "returns true when compared to an identically configured event" do
+      event_opts.merge!(ipv4s: ['1.2.3.4'], fqdns: ['foo.com'], urls: [{url: 'http://foo.com'}])
+      event1 = described_class.new(event_opts)
+      event_opts.merge!(ipv4s: ['8.8.8.8'], fqdns: ['foo.com'], urls: [{url: 'http://foo.com'}])
+      event2 = described_class.new(event_opts)
+      expect(event1).not_to be == event2
+    end
+  end
+  describe "feed_provider" do
+    it "can be set to a String" do
+      event_opts[:feed_provider] = "asdf"
+      expect(described_class.new(event_opts).feed_provider).to eq("asdf")
+    end
+    it "is required to be a String" do
+      event_opts[:feed_provider] = 1234
+      x = described_class.new(event_opts)
+      expect(x).not_to be_valid
+    end
+    it "is required" do
+      event_opts.delete(:feed_provider)
+      x = described_class.new(event_opts)
+      expect(x).not_to be_valid
+    end
+  end
+  describe "feed_name" do
+    it "can be set to a String" do
+      event_opts[:feed_name] = "foo"
+      expect(described_class.new(event_opts).feed_name).to eq("foo")
+    end
+    it "is required to be a String" do
+      event_opts[:feed_name] = 1234
+      x = described_class.new(event_opts)
+      expect(x).not_to be_valid
+    end
+  end
+  describe "type" do
+    let(:event) { described_class.new(event_opts) }
+    context "when nil" do
+      before :each do
+        event_opts[:type] = nil
+      end
+      it "is not valid" do
+        expect(event).not_to be_valid
+      end
+    end
+    context "when not set" do
+      before :each do
+        event_opts.delete(:type)
+      end
+      it "is not valid" do
+        expect(event).not_to be_valid
+      end
+    end
+    describe ":c2" do
+      before :each do
+        event_opts[:type] = :c2
+      end
+      it "is valid" do
+        expect(event).to be_valid
+      end
+    end
+    describe ":attacker" do
+      before :each do
+        event_opts[:type] = :attacker
+      end
+      it "is valid" do
+        expect(event).to be_valid
+      end
+    end
+    describe ":malware_host" do
+      before :each do
+        event_opts[:type] = :malware_host
+      end
+      it "is valid" do
+        expect(event).to be_valid
+      end
+    end
+    describe ":spamming" do
+      before :each do
+        event_opts[:type] = :spamming
+      end
+      it "is valid" do
+        expect(event).to be_valid
+      end
+    end
+    describe ":scanning" do
+      before :each do
+        event_opts[:type] = :scanning
+      end
+      it "is valid" do
+        expect(event).to be_valid
+      end
+    end
+    describe ":phishing" do
+      before :each do
+        event_opts[:type] = :phishing
+      end
+      it "is valid" do
+        expect(event).to be_valid
+      end
+    end
+    describe "an invalid type" do
+      before :each do
+        event_opts[:type] = :foo
+      end
+      it "is not valid" do
+        expect(event).not_to be_valid
+      end
+    end
+  end
+  describe "fqdns" do
+    let(:event) { described_class.new(event_opts.merge({ fqdns: fqdns })) }
+    context "with :fqdns set to nil" do
+      let(:fqdns) { nil }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#fqdns" do
+        it "returns an an empty array" do
+          expect(event.fqdns).to be_empty
+        end
+      end
+    end
+    context "with :fqdns set to an empty array" do
+      let(:fqdns) { [] }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#fqdns" do
+        it "returns an an empty array" do
+          expect(event.fqdns).to be_empty
+        end
+      end
+    end
+    context "with :fqdns set to an array of fqdn strings" do
+      let(:fqdns) { ['foo.com', 'bar.com'] }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#fqdns" do
+        it "returns an Array of Strings" do
+          expect(event.fqdns).to contain_exactly('foo.com', 'bar.com')
+        end
+      end
+    end
+  end
+  describe "ipv4s" do
+    let(:event) { described_class.new(event_opts.merge({ ipv4s: ipv4s })) }
+    context "with :ipv4s set to nil" do
+      let(:ipv4s) { nil }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#ipv4s" do
+        it "returns an an empty array" do
+          expect(event.ipv4s).to be_empty
+        end
+      end
+    end
+    context "with :ipv4s set to an empty array" do
+      let(:ipv4s) { [] }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#ipv4s" do
+        it "returns an an empty array" do
+          expect(event.ipv4s).to be_empty
+        end
+      end
+    end
+    context "with :ipv4s set to an array of ipv4 strings" do
+      let(:ipv4s) { ['1.2.3.4', '8.8.8.8'] }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#ipv4s" do
+        it "returns an Array of Strings" do
+          expect(event.ipv4s).to contain_exactly('1.2.3.4', '8.8.8.8')
+        end
+      end
+    end
+  end
+  describe "urls" do
+    let(:event) { described_class.new(event_opts.merge({ urls: urls })) }
+    context "with :urls set to nil" do
+      let(:urls) { nil }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#urls" do
+        it "returns an empty array" do
+          expect(event.urls).to eq([])
+        end
+      end
+    end
+    context "with :urls set to an empty array" do
+      let(:urls) { [] }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#urls" do
+        it "returns an empty array" do
+          expect(event.urls).to eq([])
+        end
+      end
+    end
+    context "with :urls set to an array of Hash objects" do
+      let(:urls) {
+        [
+          {url: "http://foo.com"},
+          {url: "path/to/something"},
+          {url: 1234},
+          {url: nil},
+          {}
+        ]
+      }
+      describe "#urls" do
+        it "returns an array containing Observables::Url objects that have been coerced from the hashes" do
+          expect(event.urls).to eq([
+            Threatinator::Model::Observables::Url.new(url: "http://foo.com"),
+            Threatinator::Model::Observables::Url.new(url: "path/to/something"),
+            Threatinator::Model::Observables::Url.new(url: 1234),
+            Threatinator::Model::Observables::Url.new(url: nil),
+            Threatinator::Model::Observables::Url.new(url: nil)
+          ])
+        end
+      end
+    end
+    context "with :urls set to an array of valid Observables::Url objects" do
+      let(:urls) {
+        [
+          Threatinator::Model::Observables::Url.new(url: "http://foo.com"),
+          Threatinator::Model::Observables::Url.new(url: "http://bar.com")
+        ]
+      }
+      it "is valid" do
+        expect(event).to be_valid
+      end
+      describe "#urls" do
+        it "returns an array containing the original Observables::Url objects" do
+          expect(event.urls).to eq(urls)
+        end
+      end
+    end
+    context "when the :urls array contains any invalid Observables::Url objects" do
+      let(:urls) {
+        [
+          Threatinator::Model::Observables::Url.new(url: "http://foo.com"),
+          Threatinator::Model::Observables::Url.new(url: "http://bar.com"),
+          Threatinator::Model::Observables::Url.new(url: "relative/path/to"),
+        ]
+      }
+      it "is not valid" do
+        expect(event).not_to be_valid
+      end
+      describe "#urls" do
+        it "returns an array containing the original Observables::Url objects" do
+          expect(event.urls).to eq(urls)
+        end
+      end
+    end
+  end
+end