def testSingleRowChunks(self):
table = rdf_osquery.OsqueryTable()
table.query = "SELECT foo, bar, baz FROM quux;"
table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="baz"))
table.rows.append(rdf_osquery.OsqueryRow(values=["ABC", "DEF", "GHI"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["JKL", "MNO", "PQR"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["RST", "UVW", "XYZ"]))
chunks = list(osquery.ChunkTable(table, max_chunk_size=9))
self.assertLen(chunks, 3)
self.assertEqual(chunks[0].query, table.query)
self.assertEqual(chunks[0].header, table.header)
self.assertEqual(chunks[0].rows, [
rdf_osquery.OsqueryRow(values=["ABC", "DEF", "GHI"]),
])
self.assertEqual(chunks[1].query, table.query)
self.assertEqual(chunks[1].header, table.header)
self.assertEqual(chunks[1].rows, [
rdf_osquery.OsqueryRow(values=["JKL", "MNO", "PQR"]),
])
self.assertEqual(chunks[2].query, table.query)
self.assertEqual(chunks[2].header, table.header)
self.assertEqual(chunks[2].rows, [
rdf_osquery.OsqueryRow(values=["RST", "UVW", "XYZ"]),
])
def testSomeRows(self):
table = rdf_osquery.OsqueryTable()
table.query = "SELECT foo, bar, quux FROM norf;"
table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="quux"))
table.rows.append(rdf_osquery.OsqueryRow(values=["thud", "🐺", "42"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["plugh", "🦊", "108"]))
table.rows.append(
rdf_osquery.OsqueryRow(values=["blargh", "🦍", "1337"]))
results = self._Convert(table)
self.assertLen(results, 3)
self.assertEqual(results[0].metadata, self.metadata)
self.assertEqual(results[0].foo, "thud")
self.assertEqual(results[0].bar, "🐺")
self.assertEqual(results[0].quux, "42")
self.assertEqual(results[1].metadata, self.metadata)
self.assertEqual(results[1].foo, "plugh")
self.assertEqual(results[1].bar, "🦊")
self.assertEqual(results[1].quux, "108")
self.assertEqual(results[2].metadata, self.metadata)
self.assertEqual(results[2].foo, "blargh")
self.assertEqual(results[2].bar, "🦍")
self.assertEqual(results[2].quux, "1337")
def testNoRows(self):
table = rdf_osquery.OsqueryTable()
table.query = "SELECT bar, baz FROM foo;"
table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="baz"))
self.assertEqual(self._Convert(table), [])
def testColumnIncorrect(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="C"))
with self.assertRaises(KeyError):
list(table.Column("D"))
def testColumnEmpty(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="C"))
self.assertEmpty(list(table.Column("A")))
self.assertEmpty(list(table.Column("B")))
self.assertEmpty(list(table.Column("C")))
def testNoRows(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
table.query = "SELECT * FROM quux;"
chunks = list(
osquery.ChunkTable(table, max_chunk_size=1024 * 1024 * 1024))
self.assertEmpty(chunks)
def testGetTableColumns(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="C"))
result = rdf_osquery.OsqueryResult()
result.table = table
cols = list(result.GetTableColumns())
self.assertEqual(["A", "B", "C"], cols)
def testSimple(self):
header = rdf_osquery.OsqueryHeader()
header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
header.columns.append(rdf_osquery.OsqueryColumn(name="baz"))
row = osquery.ParseRow(header, {
"foo": "quux",
"bar": "norf",
"baz": "thud",
})
self.assertEqual(row.values, ["quux", "norf", "thud"])
def testColumnValues(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="C"))
table.rows.append(rdf_osquery.OsqueryRow(values=["foo", "bar", "baz"]))
table.rows.append(
rdf_osquery.OsqueryRow(values=["quux", "norf", "thud"]))
table.rows.append(
rdf_osquery.OsqueryRow(values=["blarg", "shme", "ztesh"]))
self.assertEqual(list(table.Column("A")), ["foo", "quux", "blarg"])
self.assertEqual(list(table.Column("B")), ["bar", "norf", "shme"])
self.assertEqual(list(table.Column("C")), ["baz", "thud", "ztesh"])
def ParseHeader(table: Any) -> rdf_osquery.OsqueryHeader:
"""Parses header of osquery output.
Args:
table: A table in a "parsed JSON" representation.
Returns:
A parsed `rdf_osquery.OsqueryHeader` instance.
"""
precondition.AssertIterableType(table, dict)
prototype = None # type: List[Text]
for row in table:
columns = list(row.keys())
if prototype is None:
prototype = columns
elif prototype != columns:
message = "Expected columns '{expected}', got '{actual}' for table {json}"
message = message.format(expected=prototype,
actual=columns,
json=table)
raise ValueError(message)
result = rdf_osquery.OsqueryHeader()
for name in prototype or []:
result.columns.append(rdf_osquery.OsqueryColumn(name=name))
return result
def testSomeTextToCsvBytes(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.rows.append(rdf_osquery.OsqueryRow(values=["1-A", "1-B"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["2-A", "2-B"]))
result = rdf_osquery.OsqueryResult()
result.table = table
output_bytes = api_osquery._ParseToCsvBytes([result])
output_text = list(map(lambda b: b.decode("utf-8"), output_bytes))
self.assertListEqual(["A,B\r\n", "1-A,1-B\r\n", "2-A,2-B\r\n"],
output_text)
def testMultiByteStrings(self):
table = rdf_osquery.OsqueryTable()
table.query = "SELECT foo, bar, baz FROM quux;"
table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
table.rows.append(rdf_osquery.OsqueryRow(values=["🐔", "🐓"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["🐣", "🐤"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["🐥", "🦆"]))
chunks = list(osquery.ChunkTable(table, max_chunk_size=10))
self.assertLen(chunks, 3)
self.assertEqual(chunks[0].rows,
[rdf_osquery.OsqueryRow(values=["🐔", "🐓"])])
self.assertEqual(chunks[1].rows,
[rdf_osquery.OsqueryRow(values=["🐣", "🐤"])])
self.assertEqual(chunks[2].rows,
[rdf_osquery.OsqueryRow(values=["🐥", "🦆"])])
def testTruncation(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell1"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell2"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell3"]))
truncated = table.Truncated(1)
column_values = list(truncated.Column("A"))
self.assertLen(truncated.rows, 1)
self.assertEqual(column_values, ["cell1"])
def testMetadataColumn(self):
table = rdf_osquery.OsqueryTable()
table.query = "SELECT metadata FROM foo;"
table.header.columns.append(rdf_osquery.OsqueryColumn(name="metadata"))
table.rows.append(rdf_osquery.OsqueryRow(values=["bar"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["baz"]))
results = self._Convert(table)
self.assertLen(results, 2)
self.assertEqual(results[0].metadata, self.metadata)
self.assertEqual(results[0].__metadata__, "bar")
self.assertEqual(results[1].metadata, self.metadata)
self.assertEqual(results[1].__metadata__, "baz")
def testGetTableRows(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell1"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell2"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell3"]))
result = rdf_osquery.OsqueryResult()
result.table = table
rows = list(result.GetTableRows())
self.assertEqual([["cell1"], ["cell2"], ["cell3"]], rows)
def testTextWithCommasToCsvBytes(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(
rdf_osquery.OsqueryColumn(name="c,o,l,u,m,n"))
table.rows.append(rdf_osquery.OsqueryRow(values=["c,e,l,l"]))
result = rdf_osquery.OsqueryResult()
result.table = table
output_bytes = api_osquery._ParseToCsvBytes([result])
output_text = list(map(lambda b: b.decode("utf-8"), output_bytes))
self.assertListEqual(["\"c,o,l,u,m,n\"\r\n", "\"c,e,l,l\"\r\n"],
output_text)
def testMultiRowChunks(self):
table = rdf_osquery.OsqueryTable()
table.query = "SELECT foo, bar, baz FROM quux;"
table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="baz"))
table.rows.append(rdf_osquery.OsqueryRow(values=["A", "B", "C"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["D", "E", "F"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["G", "H", "I"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["J", "K", "L"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["M", "N", "O"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["P", "Q", "R"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["S", "T", "U"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["V", "W", "X"]))
chunks = list(osquery.ChunkTable(table, max_chunk_size=10))
self.assertLen(chunks, 3)
self.assertEqual(chunks[0].query, table.query)
self.assertEqual(chunks[0].header, table.header)
self.assertEqual(chunks[0].rows, [
rdf_osquery.OsqueryRow(values=["A", "B", "C"]),
rdf_osquery.OsqueryRow(values=["D", "E", "F"]),
rdf_osquery.OsqueryRow(values=["G", "H", "I"]),
])
self.assertEqual(chunks[1].query, table.query)
self.assertEqual(chunks[1].header, table.header)
self.assertEqual(chunks[1].rows, [
rdf_osquery.OsqueryRow(values=["J", "K", "L"]),
rdf_osquery.OsqueryRow(values=["M", "N", "O"]),
rdf_osquery.OsqueryRow(values=["P", "Q", "R"]),
])
self.assertEqual(chunks[2].query, table.query)
self.assertEqual(chunks[2].header, table.header)
self.assertEqual(chunks[2].rows, [
rdf_osquery.OsqueryRow(values=["S", "T", "U"]),
rdf_osquery.OsqueryRow(values=["V", "W", "X"]),
])
def testQueryMetadata(self):
table = rdf_osquery.OsqueryTable()
table.query = " SELECT foo FROM quux; "
table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo"))
table.rows.append(rdf_osquery.OsqueryRow(values=["norf"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["thud"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["blargh"]))
results = self._Convert(table)
self.assertLen(results, 3)
self.assertEqual(results[0].__query__, "SELECT foo FROM quux;")
self.assertEqual(results[0].foo, "norf")
self.assertEqual(results[1].__query__, "SELECT foo FROM quux;")
self.assertEqual(results[1].foo, "thud")
self.assertEqual(results[2].__query__, "SELECT foo FROM quux;")
self.assertEqual(results[2].foo, "blargh")
