def testRunGrrClientActionArtifact(self):
"""Test we can get a GRR client artifact."""
client_mock = test_lib.ActionMock("ListProcesses")
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
coll1 = rdfvalue.Collector(action="RunGrrClientAction",
args={"client_action": r"ListProcesses"})
self.fakeartifact.collectors.append(coll1)
artifact_list = ["FakeArtifact"]
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
output="test_artifact"):
pass
# Test the AFF4 file that was created.
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("test_artifact"),
token=self.token)
self.assertTrue(isinstance(list(fd)[0], rdfvalue.Process))
self.assertTrue(len(fd) > 5)
def testKnowledgeBaseRetrievalLinux(self):
"""Check we can retrieve a Linux kb."""
test_lib.ClientFixture(self.client_id, token=self.token)
config_lib.CONFIG.Set("Artifacts.knowledge_base", ["LinuxWtmp",
"NetgroupConfiguration"])
config_lib.CONFIG.Set("Artifacts.netgroup_filter_regexes", ["^login$"])
config_lib.CONFIG.Set("Artifacts.netgroup_user_blacklist", ["isaac"])
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientTestDataVFSFixture
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Set(client.Schema.OS_VERSION("12.04"))
client.Close()
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "ListDirectory", "HashFile")
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow", client_mock,
client_id=self.client_id, token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 12)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp. yagharek from netgroup.
# Bert and Ernie not present (Users fixture overriden by kb).
self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2",
"user3", "yagharek"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099)
def AddFileToFileStore(pathspec=None, client_id=None, token=None):
"""Adds file with given pathspec to the hash file store."""
if pathspec is None:
raise ValueError("pathspec can't be None")
if client_id is None:
raise ValueError("client_id can't be None")
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(pathspec, client_id)
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile",
"HashBuffer")
for _ in test_lib.TestFlowHelper("GetFile",
client_mock,
token=token,
client_id=client_id,
pathspec=pathspec):
pass
auth_state = rdfvalue.GrrMessage.AuthorizationState.AUTHENTICATED
flow.Events.PublishEvent("FileStore.AddFileToStore",
rdfvalue.GrrMessage(payload=urn,
auth_state=auth_state),
token=token)
worker = test_lib.MockWorker(token=token)
worker.Simulate()
def testUnicodeListDirectory(self):
"""Test that the ListDirectory flow works on unicode directories."""
client_mock = test_lib.ActionMock("ListDirectory", "StatFile")
# Deliberately specify incorrect casing
pb = rdfvalue.PathSpec(path=os.path.join(self.base_path,
"test_img.dd"),
pathtype=rdfvalue.PathSpec.PathType.OS)
pb.Append(path=u"入乡随俗 海外春节别样过法",
pathtype=rdfvalue.PathSpec.PathType.TSK)
for _ in test_lib.TestFlowHelper("ListDirectory",
client_mock,
client_id=self.client_id,
pathspec=pb,
token=self.token):
pass
# Check the output file is created
output_path = self.client_id.Add("fs/tsk").Add(pb.CollapsePath())
fd = aff4.FACTORY.Open(output_path, token=self.token)
children = list(fd.OpenChildren())
self.assertEqual(len(children), 1)
child = children[0]
self.assertEqual(os.path.basename(utils.SmartUnicode(child.urn)),
u"入乡随俗.txt")
def testFetchFilesFlow(self):
pattern = "test_data/*.log"
client_mock = test_lib.ActionMock("Find", "TransferBuffer", "StatFile",
"HashBuffer", "HashFile")
path = os.path.join(os.path.dirname(self.base_path), pattern)
# Run the flow.
for _ in test_lib.TestFlowHelper(
"FetchFiles",
client_mock,
client_id=self.client_id,
paths=[path],
pathtype=rdfvalue.PathSpec.PathType.OS,
token=self.token):
pass
for f in "auth.log dpkg.log dpkg_false.log".split():
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("/fs/os").Add(
os.path.join(os.path.dirname(self.base_path), "test_data",
f)),
token=self.token)
# Make sure that some data was downloaded.
self.assertTrue(fd.Get(fd.Schema.SIZE) > 100)
def testFingerprintPresence(self):
path = os.path.join(self.base_path, "winexec_img.dd")
pathspec = rdfvalue.PathSpec(pathtype=rdfvalue.PathSpec.PathType.OS,
path=path)
pathspec.Append(path="/winpmem-amd64.sys",
pathtype=rdfvalue.PathSpec.PathType.TSK)
client_mock = test_lib.ActionMock("FingerprintFile")
for _ in test_lib.TestFlowHelper("FingerprintFile",
client_mock,
token=self.token,
client_id=self.client_id,
pathspec=pathspec):
pass
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
pathspec, self.client_id)
fd = aff4.FACTORY.Open(urn, token=self.token)
self.assertEqual(fd.__class__, aff4_grr.VFSFile)
fingerprint = fd.Get(fd.Schema.FINGERPRINT)
pecoff = fingerprint.GetFingerprint("pecoff")["sha1"].encode("hex")
self.assertEqual(pecoff, "1f32fa4eedfba023653c094143d90999f6b9bc4f")
hash_obj = fd.Get(fd.Schema.HASH)
self.assertEqual(hash_obj.pecoff_sha1,
"1f32fa4eedfba023653c094143d90999f6b9bc4f")
self.assertEqual(hash_obj.signed_data[0].revision, 512)
def testGlobWithWildcardsInsideTSKFileCaseInsensitive(self):
client_mock = test_lib.ActionMock("Find", "StatFile")
# This glob should find this file in test data: glob_test/a/b/foo.
path = os.path.join("*", "a", "b", "FOO*")
root_path = rdfvalue.PathSpec(path=os.path.join(
self.base_path, "test_IMG.dd"),
pathtype=rdfvalue.PathSpec.PathType.OS)
root_path.Append(path="/", pathtype=rdfvalue.PathSpec.PathType.TSK)
# Run the flow.
for _ in test_lib.TestFlowHelper(
"Glob",
client_mock,
client_id=self.client_id,
paths=[path],
root_path=root_path,
pathtype=rdfvalue.PathSpec.PathType.OS,
token=self.token):
pass
output_path = self.client_id.Add("fs/tsk").Add(
os.path.join(self.base_path, "test_img.dd", "glob_test", "a", "b"))
fd = aff4.FACTORY.Open(output_path, token=self.token)
children = list(fd.ListChildren())
self.assertEqual(len(children), 1)
self.assertEqual(children[0].Basename(), "foo")
def testGetArtifact1(self):
"""Test we can get a basic artifact."""
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashFile", "HashBuffer")
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
# Dynamically add a Collector specifying the base path.
file_path = os.path.join(self.base_path, "test_img.dd")
coll1 = rdfvalue.Collector(action="GetFile", args={"path": file_path})
self.fakeartifact.collectors.append(coll1)
artifact_list = ["FakeArtifact"]
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
use_tsk=False,
token=self.token,
client_id=self.client_id):
pass
# Test the AFF4 file that was created.
fd1 = aff4.FACTORY.Open("%s/fs/os/%s" % (self.client_id, file_path),
token=self.token)
fd2 = open(file_path)
fd2.seek(0, 2)
self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
def testSearchFileContentDownload(self):
pattern = "test_data/*.log"
client_mock = test_lib.ActionMock("Find", "Grep", "StatFile",
"HashFile", "HashBuffer",
"TransferBuffer")
path = os.path.join(os.path.dirname(self.base_path), pattern)
# Do not provide a Grep expression - should match all files.
args = rdfvalue.SearchFileContentArgs(paths=[path], also_download=True)
# Run the flow.
for _ in test_lib.TestFlowHelper("SearchFileContent",
client_mock,
client_id=self.client_id,
output="analysis/grep/testing",
args=args,
token=self.token):
pass
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("/analysis/grep/testing"),
token=self.token)
self.assertEqual(len(fd), 3)
for log in aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("/fs/os/").Add(self.base_path),
token=self.token).OpenChildren():
self.assertTrue(isinstance(log, aff4.VFSBlobImage))
# Make sure there is some data.
self.assertGreater(len(log), 0)
def testGlobRegistry(self):
"""Test that glob works on registry."""
self.SetupMocks()
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "ListDirectory")
paths = ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
"\\CurrentVersion\\ProfileList\\ProfilesDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
"\\CurrentVersion\\ProfileList\\AllUsersProfile"]
for _ in test_lib.TestFlowHelper(
"Glob", client_mock, paths=paths,
pathtype=rdfvalue.PathSpec.PathType.REGISTRY,
client_id=self.client_id, token=self.token):
pass
path = paths[0].replace("\\", "/")
fd = aff4.FACTORY.Open(self.client_id.Add("registry").Add(path),
token=self.token)
self.assertEqual(fd.__class__.__name__, "VFSFile")
self.assertEqual(fd.Get(fd.Schema.STAT).registry_data.GetValue(),
"%SystemDrive%\\Users")
def testRegistryMRU(self):
"""Test that the MRU discovery flow. Flow is a work in Progress."""
# Install the mock
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.REGISTRY] = test_lib.ClientRegistryVFSFixture
# Mock out the Find client action.
client_mock = test_lib.ActionMock("Find")
# Add some user accounts to this client.
fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
users = fd.Schema.USER()
users.Append(rdfvalue.User(
username="******", domain="testing-PC",
homedir=r"C:\Users\testing", sid="S-1-5-21-2911950750-476812067-"
"1487428992-1001"))
fd.Set(users)
fd.Close()
# Run the flow in the emulated way.
for _ in test_lib.TestFlowHelper("GetMRU", client_mock,
client_id=self.client_id,
token=self.token):
pass
# Check that the key was read.
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(self.client_id).Add(
"registry/HKEY_USERS/S-1-5-21-2911950750-476812067-1487428992-1001/"
"Software/Microsoft/Windows/CurrentVersion/Explorer/"
"ComDlg32/OpenSavePidlMRU/dd/0"), token=self.token)
self.assertEqual(fd.__class__.__name__, "VFSFile")
s = fd.Get(fd.Schema.STAT)
# TODO(user): Make this test better when the MRU flow is complete.
self.assertTrue(s.registry_data)
def CreateTimelineFixture(self):
"""Creates a new timeline fixture we can play with."""
# Create a client for testing
client_id = rdfvalue.ClientURN("C.0000000000000001")
token = access_control.ACLToken(username="******", reason="fixture")
fd = aff4.FACTORY.Create(client_id, "VFSGRRClient", token=token)
cert = self.ClientCertFromPrivateKey(
config_lib.CONFIG["Client.private_key"])
client_cert = rdfvalue.RDFX509Cert(cert.as_pem())
fd.Set(fd.Schema.CERT(client_cert))
fd.Close()
# Install the mock
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture
client_mock = test_lib.ActionMock("ListDirectory")
output_path = "analysis/Timeline/MAC"
for _ in test_lib.TestFlowHelper(
"RecursiveListDirectory", client_mock, client_id=client_id,
pathspec=rdfvalue.PathSpec(
path="/", pathtype=rdfvalue.PathSpec.PathType.OS),
token=token):
pass
# Now make a timeline
for _ in test_lib.TestFlowHelper(
"MACTimes", client_mock, client_id=client_id, token=token,
path="/", output=output_path):
pass
def testFindWithMaxFiles(self):
"""Test that the Find flow works when specifying proto directly."""
client_mock = test_lib.ActionMock("Find")
output_path = "analysis/FindFlowTest4"
# Prepare a findspec.
findspec = rdfvalue.FindSpec(
path_regex=".*",
pathspec=rdfvalue.PathSpec(path="/",
pathtype=rdfvalue.PathSpec.PathType.OS))
for _ in test_lib.TestFlowHelper("FindFiles",
client_mock,
client_id=self.client_id,
token=self.token,
findspec=findspec,
iteration_count=3,
output=output_path,
max_results=7):
pass
# Check the output file is created
fd = aff4.FACTORY.Open(self.client_id.Add(output_path),
token=self.token)
# Make sure we got the right number of results.
self.assertEqual(len(fd), 7)
def testGetFile(self):
"""Test that the GetFile flow works."""
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile")
pathspec = rdfvalue.PathSpec(pathtype=rdfvalue.PathSpec.PathType.OS,
path=os.path.join(self.base_path,
"test_img.dd"))
for _ in test_lib.TestFlowHelper("GetFile",
client_mock,
token=self.token,
client_id=self.client_id,
pathspec=pathspec):
pass
# Fix path for Windows testing.
pathspec.path = pathspec.path.replace("\\", "/")
# Test the AFF4 file that was created.
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
pathspec, self.client_id)
fd1 = aff4.FACTORY.Open(urn, token=self.token)
fd2 = open(pathspec.path)
fd2.seek(0, 2)
self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
self.CompareFDs(fd1, fd2)
def setUp(self):
super(TestMemoryScanner, self).setUp()
self.output_path = "analysis/memory_scanner"
self.key = rdfvalue.AES128Key("1a5eafcc77d428863d4c2441ea26e5a5")
self.iv = rdfvalue.AES128Key("2241b14c64874b1898dad4de7173d8c0")
self.memory_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
"auth.log")
with open(self.memory_file, "r") as f:
self.memory_dump = f.read()
self.assertTrue(self.memory_dump)
self.client_mock = test_lib.ActionMock("TransferBuffer", "HashBuffer",
"StatFile", "CopyPathToFile",
"SendFile",
"DeleteGRRTempFiles", "Find",
"Grep")
self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"]
flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow
vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType.
MEMORY] = test_lib.ClientTestDataVFSFixture
def testFindDirectories(self):
"""Test that the Find flow works with directories."""
client_mock = test_lib.ActionMock("Find")
output_path = "analysis/FindFlowTest2"
# Prepare a findspec.
findspec = rdfvalue.FindSpec(
path_regex="bin",
pathspec=rdfvalue.PathSpec(path="/",
pathtype=rdfvalue.PathSpec.PathType.OS))
for _ in test_lib.TestFlowHelper("FindFiles",
client_mock,
client_id=self.client_id,
token=self.token,
output=output_path,
findspec=findspec):
pass
# Check the output file is created
fd = aff4.FACTORY.Open(self.client_id.Add(output_path),
token=self.token)
# Make sure that bin is a directory
self.assertEqual(len(fd), 2)
for child in fd:
path = utils.SmartStr(child.aff4path)
self.assertTrue("bin" in path)
self.assertEqual(child.__class__.__name__, "StatEntry")
def testMultiGetFile(self):
"""Test MultiGetFile."""
client_mock = test_lib.ActionMock("TransferBuffer", "HashFile",
"StatFile", "HashBuffer")
pathspec = rdfvalue.PathSpec(pathtype=rdfvalue.PathSpec.PathType.OS,
path=os.path.join(self.base_path,
"test_img.dd"))
args = rdfvalue.MultiGetFileArgs(pathspecs=[pathspec, pathspec])
with test_lib.Instrument(transfer.MultiGetFile,
"StoreStat") as storestat_instrument:
for _ in test_lib.TestFlowHelper("MultiGetFile",
client_mock,
token=self.token,
client_id=self.client_id,
args=args):
pass
# We should only have called StoreStat once because the two paths
# requested were identical.
self.assertEqual(len(storestat_instrument.args), 1)
# Fix path for Windows testing.
pathspec.path = pathspec.path.replace("\\", "/")
# Test the AFF4 file that was created.
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
pathspec, self.client_id)
fd1 = aff4.FACTORY.Open(urn, token=self.token)
fd2 = open(pathspec.path)
fd2.seek(0, 2)
self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
self.CompareFDs(fd1, fd2)
def setUp(self):
super(TestWebHistory, self).setUp()
# Set up client info
self.client = aff4.FACTORY.Open(self.client_id,
mode="rw",
token=self.token)
self.client.Set(self.client.Schema.SYSTEM("Linux"))
user_list = self.client.Schema.USER()
user_list.Append(
rdfvalue.User(username="******",
full_name="test user",
homedir="/home/test/",
last_logon=250))
self.client.AddAttribute(self.client.Schema.USER, user_list)
self.client.Close()
self.client_mock = test_lib.ActionMock("ReadBuffer", "HashFile",
"HashBuffer", "TransferBuffer",
"StatFile", "Find",
"ListDirectory")
# Mock the client to make it look like the root partition is mounted off the
# test image. This will force all flow access to come off the image.
def MockGetMountpoints():
return {"/": (os.path.join(self.base_path, "test_img.dd"), "ext2")}
self.orig_linux_mp = client_utils_linux.GetMountpoints
self.orig_osx_mp = client_utils_osx.GetMountpoints
client_utils_linux.GetMountpoints = MockGetMountpoints
client_utils_osx.GetMountpoints = MockGetMountpoints
# We wiped the data_store so we have to retransmit all blobs.
standard.HASH_CACHE = utils.FastStore(100)
def testFindFilesWithGlob(self):
"""Test that the Find flow works with glob."""
client_mock = test_lib.ActionMock("Find")
output_path = "analysis/FindFlowTest1"
# Prepare a findspec.
findspec = rdfvalue.FindSpec(
path_glob="bash*",
pathspec=rdfvalue.PathSpec(path="/",
pathtype=rdfvalue.PathSpec.PathType.OS))
for _ in test_lib.TestFlowHelper("FindFiles",
client_mock,
client_id=self.client_id,
token=self.token,
output=output_path,
findspec=findspec):
pass
# Check the output file is created
fd = aff4.FACTORY.Open(self.client_id.Add(output_path),
token=self.token)
# Make sure that bash is a file.
matches = set([x.aff4path.Basename() for x in fd])
self.assertEqual(sorted(matches), ["bash"])
self.assertEqual(len(fd), 2)
for child in fd:
path = utils.SmartStr(child.aff4path)
self.assertTrue(path.endswith("bash"))
self.assertEqual(child.__class__.__name__, "StatEntry")
def testBootstrapKnowledgeBaseFlow(self):
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Windows"))
client.Set(client.Schema.OS_VERSION("6.2"))
client.Flush()
vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType.
REGISTRY] = test_lib.ClientRegistryVFSFixture
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "HashFile",
"ListDirectory")
for _ in test_lib.TestFlowHelper("BootStrapKnowledgeBaseFlow",
client_mock,
token=self.token,
client_id=self.client_id,
output="bootstrap"):
pass
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("bootstrap"),
token=self.token)
self.assertEqual(len(fd), 1)
bootstrap = fd[0]
self.assertEqual(bootstrap["environ_systemdrive"], "C:")
self.assertEqual(bootstrap["environ_systemroot"], "C:\\Windows")
def testSearchFileContents(self):
pattern = "test_data/*.log"
client_mock = test_lib.ActionMock("Find", "Grep", "StatFile")
path = os.path.join(os.path.dirname(self.base_path), pattern)
args = rdfvalue.SearchFileContentArgs(
paths=[path], pathtype=rdfvalue.PathSpec.PathType.OS)
args.grep.literal = "session opened for user dearjohn"
args.grep.mode = rdfvalue.GrepSpec.Mode.ALL_HITS
# Run the flow.
for _ in test_lib.TestFlowHelper("SearchFileContent",
client_mock,
client_id=self.client_id,
output="analysis/grep/testing",
args=args,
token=self.token):
pass
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("/analysis/grep/testing"),
token=self.token)
# Make sure that there is a hit.
self.assertEqual(len(fd), 1)
first = fd[0]
self.assertEqual(first.offset, 350)
self.assertEqual(
first.data, "session): session opened for user dearjohn by (uid=0")
def setUp(self):
super(TestSearchFileContentWithFixture, self).setUp()
# Install the mock
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture
self.client_mock = test_lib.ActionMock("Grep", "StatFile", "Find")
def testKnowledgeBaseRetrievalDarwin(self):
"""Check we can retrieve a Darwin kb."""
test_lib.ClientFixture(self.client_id, token=self.token)
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Darwin"))
client.Set(client.Schema.OS_VERSION("10.9"))
client.Close()
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "ListDirectory", "HashFile")
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow", client_mock,
client_id=self.client_id, token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 10)
self.assertEqual(kb.os_minor_version, 9)
# scalzi from /Users dir listing.
# Bert and Ernie not present (Users fixture overriden by kb).
self.assertItemsEqual([x.username for x in kb.users], ["scalzi"])
user = kb.GetUser(username="******")
self.assertEqual(user.homedir, "/Users/scalzi")
def testKnowledgeBaseRetrievalWindows(self):
"""Check we can retrieve a knowledge base from a client."""
self.SetupMocks()
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "ListDirectory", "HashFile")
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow", client_mock,
client_id=self.client_id, token=self.token):
pass
# The client should now be populated with the data we care about.
client = aff4.FACTORY.Open(self.client_id, token=self.token)
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.environ_systemroot, "C:\\Windows")
self.assertEqual(kb.time_zone, "US/Alaska")
self.assertEqual(kb.code_page, "cp_1252")
self.assertEqual(kb.environ_windir, "C:\\Windows")
self.assertEqual(kb.environ_allusersprofile, "C:\\Users\\All Users")
self.assertEqual(kb.environ_allusersappdata, "C:\\ProgramData")
self.assertEqual(kb.environ_temp, "C:\\Windows\\TEMP")
self.assertEqual(kb.environ_systemdrive, "C:")
self.assertItemsEqual([x.username for x in kb.users],
["jim", "kovacs"])
user = kb.GetUser(username="******")
self.assertEqual(user.username, "jim")
self.assertEqual(user.sid, "S-1-5-21-702227068-2140022151-3110739409-1000")
def testArtifactOutput(self):
"""Check we can run command based artifacts."""
self.SetLinuxClient()
# Update the artifact path to point to the test directory.
art_reg = artifact_lib.ArtifactRegistry.artifacts
art_reg["TestFileArtifact"].collectors[0].args["path"] = (
os.path.join(self.base_path, "auth.log"))
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "HashFile",
"HashBuffer", "ListDirectory", "Find")
# Will raise if something goes wrong.
self.RunCollectorAndGetCollection(["TestFileArtifact"],
client_mock=client_mock)
# Will raise if something goes wrong.
self.RunCollectorAndGetCollection(["TestFileArtifact"],
client_mock=client_mock,
split_output_by_artifact=True)
# Test the no_results_errors option.
with self.assertRaises(RuntimeError) as context:
self.RunCollectorAndGetCollection(
["NullArtifact"], client_mock=client_mock,
split_output_by_artifact=True, no_results_errors=True)
if "collector returned 0 responses" not in str(context.exception):
raise RuntimeError("0 responses should have been returned")
def setUp(self):
super(TestNetworkByteLimits, self).setUp()
pathspec = rdfvalue.PathSpec(path="/nothing",
pathtype=rdfvalue.PathSpec.PathType.OS)
self.buffer_ref = rdfvalue.BufferReference(pathspec=pathspec, length=5000)
self.data = "X" * 500
self.old_read = standard.vfs.ReadVFS
standard.vfs.ReadVFS = lambda x, y, z: self.data
self.transfer_buf = test_lib.ActionMock("TransferBuffer")
def testExecuteBinariesWithArgs(self):
client_mock = test_lib.ActionMock("ExecuteBinaryCommand")
code = "I am a binary file"
upload_path = config_lib.CONFIG["Executables.aff4_path"].Add(
"test.exe")
maintenance_utils.UploadSignedConfigBlob(code,
aff4_path=upload_path,
token=self.token)
class Popen(object):
"""A mock object for subprocess.Popen."""
def __init__(self, run, stdout, stderr, stdin):
Popen.running_args = run
Popen.stdout = stdout
Popen.stderr = stderr
Popen.stdin = stdin
Popen.returncode = 0
# Store the content of the executable file.
Popen.binary = open(run[0]).read()
def communicate(self): # pylint: disable=g-bad-name
return "stdout here", "stderr here"
# This flow has an acl, the user needs to be admin.
user = aff4.FACTORY.Create("aff4:/users/%s" % self.token.username,
mode="rw",
aff4_type="GRRUser",
token=self.token)
user.SetLabels("admin")
user.Close()
with test_lib.Stubber(subprocess, "Popen", Popen):
for _ in test_lib.TestFlowHelper("LaunchBinary",
client_mock,
client_id=self.client_id,
binary=upload_path,
command_line="--value 356",
token=self.token):
pass
# Check that the executable file contains the code string.
self.assertEqual(Popen.binary, code)
# At this point, the actual binary should have been cleaned up by the
# client action so it should not exist.
self.assertRaises(IOError, open, Popen.running_args[0])
# Check the binary was run with the correct command line.
self.assertEqual(Popen.running_args[1], "--value")
self.assertEqual(Popen.running_args[2], "356")
# Check the command was in the tmp file.
self.assertTrue(Popen.running_args[0].startswith(
config_lib.CONFIG["Client.tempdir"]))
def testKnowledgeBaseNoOS(self):
"""Check unset OS dies."""
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "ListDirectory", "HashFile")
self.assertRaises(flow.FlowError, list, test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow", client_mock,
client_id=self.client_id, token=self.token))
def testFetchFilesGlobFlow(self):
# Very small chunks to stress test this flow.
with test_lib.MultiStubber(
(transfer.MultiGetFile, "CHUNK_SIZE", self.chunk_size),
(transfer.MultiGetFile, "MIN_CALL_TO_FILE_STORE", 3)):
with test_lib.Instrument(filestore.FileStore,
"CheckHashes") as check_hashes_instrument:
self.base_pathspec = rdfvalue.PathSpec(
path=os.path.join(self.base_path, "winexec_img.dd"),
pathtype=rdfvalue.PathSpec.PathType.OS)
self.base_pathspec.Append(
path="/", pathtype=rdfvalue.PathSpec.PathType.TSK)
inspect_path = self.base_pathspec.Copy()
inspect_path.AppendPath("Ext2IFS_1_10b.exe")
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
inspect_path, self.client_id)
fd = aff4.FACTORY.Create(urn,
"AFF4MemoryStream",
token=self.token)
fd.Write("hello")
fd.Close()
# Now run the fetch all files.
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile",
"Find", "HashFile",
"HashBuffer")
for _ in test_lib.TestFlowHelper(
"FetchFiles",
client_mock,
token=self.token,
paths=["*.exe", "*.sys"],
root_path=self.base_pathspec,
pathtype=rdfvalue.PathSpec.PathType.OS,
client_id=self.client_id):
pass
self.CheckFindExeFiles()
self.CheckPresenceOfSignedData()
self.CheckIndexLookup()
pathlist = ["pciide.sys"]
self.CheckExistingFile(pathlist)
# In this test we limit the maximum number of times the filestore check
# hashes is called to 3. There are 7 hits in the test data, so we
# expect 3 calls, of 3, 3, and 1:
self.assertEqual(len(check_hashes_instrument.args), 3)
self.assertEqual(len(check_hashes_instrument.args[0][1]), 3)
self.assertEqual(len(check_hashes_instrument.args[1][1]), 3)
self.assertEqual(len(check_hashes_instrument.args[2][1]), 1)
def testProcessCollectedArtifacts(self):
"""Test downloading files from artifacts."""
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Windows"))
client.Set(client.Schema.OS_VERSION("6.2"))
client.Flush()
vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType.
REGISTRY] = test_lib.ClientRegistryVFSFixture
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientFullVFSFixture
client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find",
"HashBuffer", "HashFile",
"ListDirectory")
# Get KB initialized
for _ in test_lib.TestFlowHelper("KnowledgeBaseInitializationFlow",
client_mock,
client_id=self.client_id,
token=self.token):
pass
artifact_list = ["WindowsPersistenceMechanismFiles"]
with test_lib.Instrument(transfer.MultiGetFile,
"Start") as getfile_instrument:
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
output="analysis/{p}/{u}-{t}",
split_output_by_artifact=True):
pass
# Check MultiGetFile got called for our runkey files
# TODO(user): RunKeys for S-1-5-20 are not found because users.sid only
# expands to users with profiles.
pathspecs = getfile_instrument.args[0][0].args.pathspecs
self.assertItemsEqual([x.path for x in pathspecs],
[u"C:\\Windows\\TEMP\\A.exe"])
artifact_list = ["BadPathspecArtifact"]
with test_lib.Instrument(transfer.MultiGetFile,
"Start") as getfile_instrument:
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
output="analysis/{p}/{u}-{t}",
split_output_by_artifact=True):
pass
self.assertFalse(getfile_instrument.args)