def testRuleAdding(self):
foreman = aff4.FACTORY.Open("aff4:/foreman",
mode="rw",
token=self.token)
rules = foreman.Get(foreman.Schema.RULES)
# Make sure there are no rules yet in the foreman.
self.assertEqual(len(rules), 0)
client_rule_set = rdf_foreman.ForemanClientRuleSet(rules=[
rdf_foreman.ForemanClientRule(
rule_type=rdf_foreman.ForemanClientRule.Type.REGEX,
regex=rdf_foreman.ForemanRegexClientRule(
field="CLIENT_NAME", attribute_regex="HUNT")),
rdf_foreman.ForemanClientRule(
rule_type=rdf_foreman.ForemanClientRule.Type.INTEGER,
integer=rdf_foreman.ForemanIntegerClientRule(
field="CLIENT_CLOCK",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.
GREATER_THAN,
value=1336650631137737))
])
hunt = implementation.GRRHunt.StartHunt(
hunt_name=standard.SampleHunt.__name__,
client_rule_set=client_rule_set,
client_rate=0,
token=self.token)
# Push the rules to the foreman.
with hunt:
hunt.GetRunner().Start()
foreman = aff4.FACTORY.Open("aff4:/foreman",
mode="rw",
token=self.token)
rules = foreman.Get(foreman.Schema.RULES)
# Make sure they were written correctly.
self.assertEqual(len(rules), 1)
rule = rules[0]
self.assertEqual(rule.client_rule_set, client_rule_set)
self.assertEqual(len(rule.actions), 1)
self.assertEqual(rule.actions[0].hunt_name, "SampleHunt")
# Running a second time should not change the rules any more.
with hunt:
hunt.GetRunner().Start()
foreman = aff4.FACTORY.Open("aff4:/foreman",
mode="rw",
token=self.token)
rules = foreman.Get(foreman.Schema.RULES)
# Still just one rule.
self.assertEqual(len(rules), 1)
def testEvaluatesRaisesWithUnsetField(self):
r = rdf_foreman.ForemanIntegerClientRule(
operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL,
value=123)
client_id = self.SetupClient(0)
with self.assertRaises(ValueError):
r.Evaluate(aff4.FACTORY.Open(client_id, token=self.token))
def testEvaluatesRaisesWithUnsetField(self):
r = rdf_foreman.ForemanIntegerClientRule(
operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL,
value=123)
client = self.SetupTestClientObject(0)
info = data_store.REL_DB.ReadClientFullInfo(client.client_id)
with self.assertRaises(ValueError):
r.Evaluate(info)
def testEvaluatesSizeLessThanEqualValueToFalse(self):
now = rdfvalue.RDFDatetime().Now()
client = self.SetupTestClientObject(0, last_boot_time=now)
info = data_store.REL_DB.ReadClientFullInfo(client.client_id)
r = rdf_foreman.ForemanIntegerClientRule(
field="LAST_BOOT_TIME",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN,
value=now.AsSecondsSinceEpoch())
# The values are the same, less than should not trigger.
self.assertFalse(r.Evaluate(info))
def testEvaluatesSizeLessThanEqualValueToFalse(self):
now = rdfvalue.RDFDatetime().Now()
client_id = self.SetupClient(0, last_boot_time=now)
client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token)
r = rdf_foreman.ForemanIntegerClientRule(
field="LAST_BOOT_TIME",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN,
value=now.AsSecondsSinceEpoch())
# The values are the same, less than should not trigger.
self.assertFalse(r.Evaluate(client))
def testEvaluatesSizeGreaterThanSmallerValueToTrue(self):
now = rdfvalue.RDFDatetime().Now()
client = self.SetupTestClientObject(0, last_boot_time=now)
info = data_store.REL_DB.ReadClientFullInfo(client.client_id)
before_boot = now - 1
r = rdf_foreman.ForemanIntegerClientRule(
field="LAST_BOOT_TIME",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.
GREATER_THAN,
value=before_boot.AsSecondsSinceEpoch())
self.assertTrue(r.Evaluate(info))
def testEvaluatesSizeGreaterThanSmallerValueToTrue(self):
now = rdfvalue.RDFDatetime().Now()
client_id = self.SetupClient(0, last_boot_time=now)
client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token)
before_boot = now - 1
r = rdf_foreman.ForemanIntegerClientRule(
field="LAST_BOOT_TIME",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.
GREATER_THAN,
value=before_boot.AsSecondsSinceEpoch())
self.assertTrue(r.Evaluate(client))
def testEvaluation(self):
now = rdfvalue.RDFDatetime().Now()
client = self.SetupTestClientObject(0, last_boot_time=now)
info = data_store.REL_DB.ReadClientFullInfo(client.client_id)
for f in rdf_foreman.ForemanIntegerClientRule.ForemanIntegerField.enum_dict:
if f == "UNSET":
continue
r = rdf_foreman.ForemanIntegerClientRule(
field=f,
operator=rdf_foreman.ForemanIntegerClientRule.Operator.
LESS_THAN,
value=now.AsSecondsSinceEpoch())
r.Evaluate(info)
def testStopping(self):
"""Tests if we can stop a hunt."""
foreman = aff4.FACTORY.Open("aff4:/foreman",
mode="rw",
token=self.token)
rules = foreman.Get(foreman.Schema.RULES)
# Make sure there are no rules yet.
self.assertEqual(len(rules), 0)
now = rdfvalue.RDFDatetime.Now()
expires = rdfvalue.Duration("1h").Expiry()
# Add some rules.
rules = [
rdf_foreman.ForemanRule(created=now,
expires=expires,
description="Test rule1"),
rdf_foreman.ForemanRule(created=now,
expires=expires,
description="Test rule2")
]
self.AddForemanRules(rules)
client_rule_set = rdf_foreman.ForemanClientRuleSet(rules=[
rdf_foreman.ForemanClientRule(
rule_type=rdf_foreman.ForemanClientRule.Type.REGEX,
regex=rdf_foreman.ForemanRegexClientRule(
field="CLIENT_NAME", attribute_regex="HUNT")),
rdf_foreman.ForemanClientRule(
rule_type=rdf_foreman.ForemanClientRule.Type.INTEGER,
integer=rdf_foreman.ForemanIntegerClientRule(
field="CLIENT_CLOCK",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.
GREATER_THAN,
value=1336650631137737))
])
hunt = implementation.GRRHunt.StartHunt(
hunt_name=standard.SampleHunt.__name__,
client_rule_set=client_rule_set,
client_rate=0,
token=self.token)
with hunt:
runner = hunt.GetRunner()
runner.Start()
# Add some more rules.
rules = [
rdf_foreman.ForemanRule(created=now,
expires=expires,
description="Test rule3"),
rdf_foreman.ForemanRule(created=now,
expires=expires,
description="Test rule4")
]
self.AddForemanRules(rules)
foreman = aff4.FACTORY.Open("aff4:/foreman",
mode="rw",
token=self.token)
rules = foreman.Get(foreman.Schema.RULES)
self.assertEqual(len(rules), 5)
# It should be running.
self.assertTrue(runner.IsHuntStarted())
# Now we stop the hunt.
hunt.Stop()
foreman = aff4.FACTORY.Open("aff4:/foreman",
mode="rw",
token=self.token)
rules = foreman.Get(foreman.Schema.RULES)
# The rule for this hunt should be deleted but the rest should be there.
self.assertEqual(len(rules), 4)
# And the hunt should report no outstanding requests any more.
with hunt:
self.assertFalse(hunt.GetRunner().IsHuntStarted())
def GenerateSample(self, number=0):
# Sample rule matches clients with the attribute size equal to number
return rdf_foreman.ForemanIntegerClientRule(
field="LAST_BOOT_TIME",
operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL,
value=number)