def testValidateSyntaxSimple(self):
artifact = rdf_artifacts.Artifact(name="Foo",
doc="This is Foo.",
provides=["fqdn", "domain"],
supported_os=["Windows"],
urls=["https://example.com"])
ar.ValidateSyntax(artifact)
def testValidateSyntaxWithSources(self):
registry_key_source = {
"type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY,
"attributes": {
"keys": [
r"%%current_control_set%%\Control\Session "
r"Manager\Environment\Path"
],
}
}
file_source = {
"type": rdf_artifacts.ArtifactSource.SourceType.FILE,
"attributes": {
"paths": [r"%%environ_systemdrive%%\Temp"]
}
}
artifact = rdf_artifacts.Artifact(
name="Bar",
doc="This is Bar.",
provides=["environ_windir"],
supported_os=["Windows"],
urls=["https://example.com"],
sources=[registry_key_source, file_source])
ar.ValidateSyntax(artifact)
def ArtifactsFromYaml(self, yaml_content):
"""Get a list of Artifacts from yaml."""
raw_list = list(yaml.safe_load_all(yaml_content))
# TODO(hanuszczak): I am very sceptical about that "doing the right thing"
# below. What are the real use cases?
# Try to do the right thing with json/yaml formatted as a list.
if (isinstance(raw_list, list) and len(raw_list) == 1 and
isinstance(raw_list[0], list)):
raw_list = raw_list[0]
# Convert json into artifact and validate.
valid_artifacts = []
for artifact_dict in raw_list:
# In this case we are feeding parameters directly from potentially
# untrusted yaml/json to our RDFValue class. However, safe_load ensures
# these are all primitive types as long as there is no other
# deserialization involved, and we are passing these into protobuf
# primitive types.
try:
artifact_value = rdf_artifacts.Artifact(**artifact_dict)
valid_artifacts.append(artifact_value)
except (TypeError, AttributeError, type_info.TypeValueError) as e:
name = artifact_dict.get("name")
raise rdf_artifacts.ArtifactDefinitionError(
name, "invalid definition", cause=e)
return valid_artifacts
def GenerateSample(self, number=0):
result = rdf_artifacts.Artifact(name="artifact%s" % number,
doc="Doco",
provides="environ_windir",
supported_os="Windows",
urls="http://blah")
return result
def testValidateSyntaxMissingDoc(self):
artifact = rdf_artifacts.Artifact(name="Baz",
provides=["os"],
supported_os=["Linux"])
with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError,
"missing doc"):
ar.ValidateSyntax(artifact)
def testValidateSyntaxBrokenProvides(self):
artifact = rdf_artifacts.Artifact(name="Thud",
doc="This is Thud.",
provides=["fqdn", "garbage"],
labels=["Network"])
with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError,
"'garbage'"):
ar.ValidateSyntax(artifact)
def testValidateSyntaxInvalidLabel(self):
artifact = rdf_artifacts.Artifact(name="Norf",
doc="This is Norf.",
provides=["domain"],
labels=["Mail", "Browser", "Reddit"],
supported_os=["Darwin"])
with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError,
"'Reddit'"):
ar.ValidateSyntax(artifact)
def testValidateSyntaxInvalidSupportedOs(self):
artifact = rdf_artifacts.Artifact(name="Quux",
doc="This is Quux.",
provides=["os"],
labels=["Cloud", "Logs"],
supported_os=["Solaris"])
with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError,
"'Solaris'"):
ar.ValidateSyntax(artifact)
def testGetArtifactPathDependencies(self):
sources = [{
"type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY,
"attributes": {
"keys": [
r"%%current_control_set%%\Control\Session "
r"Manager\Environment\Path"
]
}
}, {
"type": rdf_artifacts.ArtifactSource.SourceType.WMI,
"attributes": {
"query": "SELECT * FROM Win32_UserProfile "
"WHERE SID='%%users.sid%%'"
}
}, {
"type": rdf_artifacts.ArtifactSource.SourceType.GREP,
"attributes": {
"content_regex_list": ["^%%users.username%%:"]
}
}]
artifact = rdf_artifacts.Artifact(
name="artifact",
doc="Doco",
provides=["environ_windir"],
supported_os=["Windows"],
urls=["http://blah"],
sources=sources)
self.assertItemsEqual(
[x["type"] for x in artifact.ToPrimitiveDict()["sources"]],
["REGISTRY_KEY", "WMI", "GREP"])
class Parser1(object):
knowledgebase_dependencies = ["appdata", "sid"]
class Parser2(object):
knowledgebase_dependencies = ["sid", "desktop"]
@classmethod
def MockGetClassesByArtifact(unused_cls, _):
return [Parser1, Parser2]
with utils.Stubber(parser.Parser, "GetClassesByArtifact",
MockGetClassesByArtifact):
self.assertItemsEqual(
ar.GetArtifactPathDependencies(artifact), [
"appdata", "sid", "desktop", "current_control_set", "users.sid",
"users.username"
])
def testValidateSyntaxBadSource(self):
source = {
"type": rdf_artifacts.ArtifactSource.SourceType.ARTIFACT_GROUP,
"attributes": {}
}
artifact = rdf_artifacts.Artifact(name="Barf",
doc="This is Barf.",
provides=["os"],
labels=["Logs", "Memory"],
sources=[source])
with self.assertRaisesRegexp(rdf_artifacts.ArtifactSyntaxError,
"required attributes"):
ar.ValidateSyntax(artifact)
def testValidateSyntaxBadPathDependency(self):
sources = [{
"type": rdf_artifacts.ArtifactSource.SourceType.FILE,
"attributes": {
"paths": [r"%%systemdrive%%\Temp"]
}
}]
artifact = rdf_artifacts.Artifact(name="bad",
doc="Doco",
provides=["environ_windir"],
supported_os=["Windows"],
urls=["http://blah"],
sources=sources)
with self.assertRaises(rdf_artifacts.ArtifactDefinitionError):
ar.ValidateSyntax(artifact)
def testValidateSyntax(self):
sources = [{
"type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY,
"attributes": {
"keys": [
r"%%current_control_set%%\Control\Session "
r"Manager\Environment\Path"
]
}
}, {
"type": rdf_artifacts.ArtifactSource.SourceType.FILE,
"attributes": {
"paths": [r"%%environ_systemdrive%%\Temp"]
}
}]
artifact = rdf_artifacts.Artifact(name="good",
doc="Doco",
provides=["environ_windir"],
supported_os=["Windows"],
urls=["http://blah"],
sources=sources)
ar.ValidateSyntax(artifact)
