def testLetSingleAny(self):
query = "any Process/parent->Process/command is 'init'"
expected = expression.LetAny(
expression.Binding("Process/parent"),
expression.Equivalence(expression.Binding("Process/command"),
expression.Literal("init")))
self.assertQueryMatches(query, expected)
def testBigQuery(self):
query = ("(Process/pid is 1 and Process/command in ('init', 'initd')) "
"or any Process/children matches (Process/command not in "
"('launchd', 'foo'))")
expected = expression.Union(
expression.Intersection(
expression.Equivalence(expression.Binding("Process/pid"),
expression.Literal(1)),
expression.Membership(expression.Binding("Process/command"),
expression.Literal(("init", "initd")))),
expression.LetAny(
expression.Binding("Process/children"),
expression.Complement(
expression.Membership(
expression.Binding("Process/command"),
expression.Literal(("launchd", "foo"))))))
self.assertQueryMatches(query, expected)
def TransformLetAny(let, **kwargs):
if not isinstance(let, expression.Let):
raise ValueError("'any' must be followed by a 'matches' expression.")
context, expr = let.children
return expression.LetAny(context, expr, **kwargs)