def testPathInterpolation(self):
self.client_id = self.SetupClient(0)
bar = rdf_client.User(username="******")
baz = rdf_client.User(username="******")
kb = rdf_client.KnowledgeBase(os="foo",
domain="norf",
users=[bar, baz])
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
with client:
client.Set(client.Schema.KNOWLEDGE_BASE, kb)
with test_lib.AutoTempDirPath(remove_non_empty=True) as temp_dirpath:
self._Touch(os.path.join(temp_dirpath, "foo", "bar"))
self._Touch(os.path.join(temp_dirpath, "foo", "baz"))
self._Touch(os.path.join(temp_dirpath, "foo", "quux"))
self._Touch(os.path.join(temp_dirpath, "thud", "norf", "plugh"))
self._Touch(os.path.join(temp_dirpath, "thud", "norf", "blargh"))
paths = [
os.path.join(temp_dirpath, "%%os%%", "%%users.username%%"),
os.path.join(temp_dirpath, "thud", "%%domain%%", "plugh"),
]
action = rdf_file_finder.FileFinderAction.Action.STAT
results = self._RunCFF(paths, action)
paths = [result.stat_entry.pathspec.path for result in results]
self.assertItemsEqual(paths, [
os.path.join(temp_dirpath, "foo", "bar"),
os.path.join(temp_dirpath, "foo", "baz"),
os.path.join(temp_dirpath, "thud", "norf", "plugh")
])
def testGrep(self):
class MockCallFlow(object):
def CallFlow(self, *args, **kwargs):
self.args = args
self.kwargs = kwargs
mock_call_flow = MockCallFlow()
with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow",
mock_call_flow.CallFlow):
collect_flow = collectors.ArtifactCollectorFlow(None,
token=self.token)
collect_flow.args = mock.Mock()
collect_flow.args.ignore_interpolation_errors = False
kb = rdf_client.KnowledgeBase()
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
collect_flow.state["knowledge_base"] = kb
collect_flow.current_artifact_name = "blah"
collector = rdf_artifacts.ArtifactSource(
type=rdf_artifacts.ArtifactSource.SourceType.GREP,
attributes={
"paths": ["/etc/passwd"],
"content_regex_list": [r"^a%%users.username%%b$"]
})
collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK)
conditions = mock_call_flow.kwargs["conditions"]
self.assertEqual(len(conditions), 1)
regexes = conditions[0].contents_regex_match.regex.SerializeToString()
self.assertItemsEqual(regexes.split("|"),
["(^atest1b$)", "(^atest2b$)"])
self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
def testUserMergeLinux(self):
"""Check Linux users are accurately merged."""
kb = rdf_client.KnowledgeBase()
self.assertEqual(len(kb.users), 0)
kb.MergeOrAddUser(rdf_client.User(username="******", last_logon=1111))
self.assertEqual(len(kb.users), 1)
# This should merge since the username is the same.
kb.MergeOrAddUser(rdf_client.User(uid="12", username="******"))
self.assertEqual(len(kb.users), 1)
# This should create a new record because the uid is different
kb.MergeOrAddUser(
rdf_client.User(
username="******", uid="13", desktop="/home/blake/Desktop"))
self.assertEqual(len(kb.users), 2)
kb.MergeOrAddUser(
rdf_client.User(
username="******", uid="14", desktop="/home/blake/Desktop"))
self.assertEqual(len(kb.users), 3)
# Check merging where we don't specify uid works
new_attrs, conflicts = kb.MergeOrAddUser(
rdf_client.User(username="******", desktop="/home/blakey/Desktop"))
self.assertEqual(len(kb.users), 3)
self.assertItemsEqual(new_attrs, ["users.username", "users.desktop"])
self.assertItemsEqual(
conflicts,
[("desktop", u"/home/blake/Desktop", u"/home/blakey/Desktop")])
def testUserMergeWindows(self):
"""Check Windows users are accurately merged."""
kb = rdf_client.KnowledgeBase()
self.assertEqual(len(kb.users), 0)
kb.MergeOrAddUser(rdf_client.User(sid="1234"))
self.assertEqual(len(kb.users), 1)
kb.MergeOrAddUser(rdf_client.User(sid="5678", username="******"))
self.assertEqual(len(kb.users), 2)
_, conflicts = kb.MergeOrAddUser(
rdf_client.User(sid="5678", username="******"))
self.assertEqual(len(kb.users), 2)
self.assertEqual(conflicts[0], ("username", "test1", "test2"))
self.assertEqual(kb.GetUser(sid="5678").username, "test2")
# This should merge on user name as we have no other data.
kb.MergeOrAddUser(rdf_client.User(username="******", homedir="a"))
self.assertEqual(len(kb.users), 2)
# This should create a new user since the sid is different.
new_attrs, conflicts = kb.MergeOrAddUser(
rdf_client.User(username="******", sid="12345", temp="/blah"))
self.assertEqual(len(kb.users), 3)
self.assertItemsEqual(new_attrs,
["users.username", "users.temp", "users.sid"])
self.assertEqual(conflicts, [])
def SetupTestClientObject(self,
client_nr,
add_cert=True,
arch="x86_64",
install_time=None,
last_boot_time=None,
fqdn=None,
kernel="4.0.0",
memory_size=None,
os_version="buster/sid",
ping=None,
system="Linux",
labels=None):
"""Prepares a test client object."""
client_id = "C.1%015x" % client_nr
client = rdf_objects.ClientSnapshot(client_id=client_id)
client.startup_info.client_info = self._TestClientInfo()
if last_boot_time is not None:
client.startup_info.boot_time = last_boot_time
client.knowledge_base.fqdn = fqdn or "Host-%x.example.com" % client_nr
client.knowledge_base.os = system
client.knowledge_base.users = [
rdf_client.User(username="******"),
rdf_client.User(username="******"),
]
client.os_version = os_version
client.arch = arch
client.kernel = kernel
client.interfaces = self._TestInterfaces(client_nr)
client.install_time = install_time
client.hardware_info = rdf_client.HardwareInfo(
system_manufacturer="System-Manufacturer-%x" % client_nr,
bios_version="Bios-Version-%x" % client_nr)
if memory_size is not None:
client.memory_size = memory_size
ping = ping or rdfvalue.RDFDatetime.Now()
if add_cert:
cert = self.ClientCertFromPrivateKey(config.CONFIG["Client.private_key"])
else:
cert = None
data_store.REL_DB.WriteClientMetadata(
client_id, last_ping=ping, certificate=cert, fleetspeak_enabled=False)
data_store.REL_DB.WriteClientSnapshot(client)
client_index.ClientIndex().AddClient(client)
if labels:
data_store.REL_DB.AddClientLabels(client_id, "GRR", labels)
client_index.ClientIndex().AddClientLabels(
client_id, data_store.REL_DB.ReadClientLabels(client_id))
return client
def testInterpolation(self):
"""Check we can interpolate values from the knowledge base."""
kb = rdf_client.KnowledgeBase()
# No users yet, this should raise
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes("test%%users.username%%test",
kb))
# Now we have two users
kb.users.Append(rdf_client.User(username="******", uid=1))
kb.users.Append(rdf_client.User(username="******", uid=2))
kb.Set("environ_allusersprofile", "c:\\programdata")
paths = artifact_utils.InterpolateKbAttributes("test%%users.username%%test",
kb)
paths = list(paths)
self.assertEqual(len(paths), 2)
self.assertItemsEqual(paths, ["testjoetest", "testjimtest"])
paths = artifact_utils.InterpolateKbAttributes(
"%%environ_allusersprofile%%\\a", kb)
self.assertEqual(list(paths), ["c:\\programdata\\a"])
# Check a bad attribute raises
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes("%%nonexistent%%\\a", kb))
# Empty values should also raise
kb.Set("environ_allusersprofile", "")
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes("%%environ_allusersprofile%%\\a",
kb))
# No users have temp defined, so this should raise
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes("%%users.temp%%\\a", kb))
# One user has users.temp defined, the others do not. This is common on
# windows where users have been created but have never logged in. We should
# get just one value back.
kb.users.Append(
rdf_client.User(
username="******",
uid=1,
temp="C:\\Users\\jason\\AppData\\Local\\Temp"))
paths = artifact_utils.InterpolateKbAttributes(r"%%users.temp%%\abcd", kb)
self.assertItemsEqual(paths,
["C:\\Users\\jason\\AppData\\Local\\Temp\\abcd"])
def Run(self, unused_args):
"""Enumerates all the users on this system."""
users = self.ParseWtmp()
for user, last_login in users.iteritems():
# Lose the null termination
username = user.split("\x00", 1)[0]
if username:
# Somehow the last login time can be < 0. There is no documentation
# what this means so we just set it to 0 (the rdfvalue field is
# unsigned so we can't send negative values).
if last_login < 0:
last_login = 0
result = rdf_client.User(username=utils.SmartUnicode(username),
last_logon=last_login * 1000000)
try:
pwdict = pwd.getpwnam(username)
result.homedir = utils.SmartUnicode(pwdict.pw_dir)
result.full_name = utils.SmartUnicode(pwdict.pw_gecos)
result.uid = pwdict.pw_uid
result.gid = pwdict.pw_gid
result.shell = utils.SmartUnicode(pwdict.pw_shell)
except KeyError:
pass
self.SendReply(result)
def setUp(self):
"""Make sure things are initialized."""
super(ArtifactFlowLinuxTest, self).setUp()
with aff4.FACTORY.Open(
self.SetupClient(0, system="Linux", os_version="12.04"),
mode="rw",
token=self.token) as fd:
# Add some users
kb = fd.Get(fd.Schema.KNOWLEDGE_BASE)
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
fd.Set(kb)
self.LoadTestArtifacts()
def Parse(self, stat, knowledge_base):
"""Parse each returned registry value."""
_ = knowledge_base # Unused.
sid_str = stat.pathspec.Dirname().Basename()
if SID_RE.match(sid_str):
kb_user = rdf_client.User()
kb_user.sid = sid_str
if stat.pathspec.Basename() == "ProfileImagePath":
if stat.resident:
# Support old clients.
kb_user.homedir = utils.SmartUnicode(stat.resident)
else:
kb_user.homedir = stat.registry_data.GetValue()
kb_user.userprofile = kb_user.homedir
try:
# Assume username is the last component of the path. This is not
# robust, but other user artifacts will override it if there is a
# better match.
kb_user.username = kb_user.homedir.rsplit("\\", 1)[-1]
except IndexError:
pass
yield kb_user
def ParsePasswdEntry(self, line):
"""Process the passwd entry fields and primary group memberships."""
fields = ("uname", "passwd", "uid", "gid", "fullname", "homedir",
"shell")
if line:
rslt = dict(zip(fields, line.split(":")))
user = self.entry.setdefault(rslt["uname"], rdf_client.User())
user.username = rslt["uname"]
user.pw_entry.store = self.GetPwStore(rslt["passwd"])
if user.pw_entry.store == self.base_store:
user.pw_entry.hash_type = self.GetHashType(rslt["passwd"])
# If the passwd file contains NIS entries they may not have uid/gid set.
if rslt["uid"]:
user.uid = int(rslt["uid"])
if rslt["gid"]:
user.gid = int(rslt["gid"])
user.homedir = rslt["homedir"]
user.shell = rslt["shell"]
user.full_name = rslt["fullname"]
# Map uid numbers to detect duplicates.
uids = self.uids.setdefault(user.uid, set())
uids.add(user.username)
# Map primary group memberships to populate memberships.
gid = self.gids.setdefault(user.gid, set())
gid.add(user.username)
def testFindsKeyWithInterpolatedGlobWithoutConditions(self):
# Initialize client's knowledge base in order for the interpolation
# to work.
user = rdf_client.User(sid="S-1-5-20")
kb = rdf_client.KnowledgeBase(users=[user])
client_id = self.SetupClient(0)
with aff4.FACTORY.Open(client_id, mode="rw",
token=self.token) as client:
client.Set(client.Schema.KNOWLEDGE_BASE, kb)
session_id = self.RunFlow(client_id, [
"HKEY_USERS/%%users.sid%%/Software/Microsoft/Windows/"
"CurrentVersion/*"
])
results = self.GetResults(session_id)
self.assertEqual(len(results), 1)
key = ("/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run")
self.assertEqual(results[0].stat_entry.AFF4Path(client_id),
"aff4:/C.1000000000000000/registry" + key)
self.assertEqual(results[0].stat_entry.pathspec.path, key)
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdf_paths.PathSpec.PathType.REGISTRY)
def ParseMultiple(self, stats, knowledge_base):
"""Parse each returned registry value."""
user_dict = {}
for stat in stats:
sid_str = stat.pathspec.path.split("/", 3)[2]
if SID_RE.match(sid_str):
if sid_str not in user_dict:
user_dict[sid_str] = rdf_client.User(sid=sid_str)
if stat.registry_data.GetValue():
# Look up in the mapping if we can use this entry to populate a user
# attribute, and if so, set it.
reg_key_name = stat.pathspec.Dirname().Basename()
if reg_key_name in self.key_var_mapping:
map_dict = self.key_var_mapping[reg_key_name]
reg_key = stat.pathspec.Basename()
kb_attr = map_dict.get(reg_key)
if kb_attr:
value = artifact_utils.ExpandWindowsEnvironmentVariables(
stat.registry_data.GetValue(), knowledge_base)
value = artifact_utils.ExpandWindowsUserEnvironmentVariables(
value, knowledge_base, sid=sid_str)
user_dict[sid_str].Set(kb_attr, value)
# Now yield each user we found.
return user_dict.itervalues()
def Parse(self, stat, file_object, knowledge_base):
"""Parse the wtmp file."""
_, _ = stat, knowledge_base
users = {}
wtmp = file_object.read()
while wtmp:
try:
record = UtmpStruct(wtmp)
except utils.ParsingError:
break
wtmp = wtmp[record.size:]
# Users only appear for USER_PROCESS events, others are system.
if record.ut_type != 7:
continue
# Lose the null termination
record.user = record.user.split("\x00", 1)[0]
# Store the latest login time.
# TODO(user): remove the 0 here once RDFDatetime can support times
# pre-epoch properly.
try:
users[record.user] = max(users[record.user], record.sec, 0)
except KeyError:
users[record.user] = record.sec
for user, last_login in users.iteritems():
yield rdf_client.User(username=utils.SmartUnicode(user),
last_logon=last_login * 1000000)
def testInterpolateArgs(self):
collect_flow = collectors.ArtifactCollectorFlow(None, token=self.token)
kb = rdf_client.KnowledgeBase()
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
collect_flow.state["knowledge_base"] = kb
collect_flow.current_artifact_name = "blah"
collect_flow.args = artifact_utils.ArtifactCollectorFlowArgs()
test_rdf = rdf_client.KnowledgeBase()
action_args = {
"usernames": ["%%users.username%%", "%%users.username%%"],
"nointerp": "asdfsdf",
"notastring": test_rdf
}
kwargs = collect_flow.InterpolateDict(action_args)
self.assertItemsEqual(kwargs["usernames"],
["test1", "test2", "test1", "test2"])
self.assertEqual(kwargs["nointerp"], "asdfsdf")
self.assertEqual(kwargs["notastring"], test_rdf)
# We should be using an array since users.username will expand to multiple
# values.
self.assertRaises(ValueError, collect_flow.InterpolateDict,
{"bad": "%%users.username%%"})
list_args = collect_flow.InterpolateList(
["%%users.username%%", r"%%users.username%%\aa"])
self.assertItemsEqual(list_args,
["test1", "test2", r"test1\aa", r"test2\aa"])
list_args = collect_flow.InterpolateList(["one"])
self.assertEqual(list_args, ["one"])
# Ignore the failure in users.desktop, report the others.
collect_flow.args.ignore_interpolation_errors = True
list_args = collect_flow.InterpolateList(
["%%users.desktop%%", r"%%users.username%%\aa"])
self.assertItemsEqual(list_args, [r"test1\aa", r"test2\aa"])
# Both fail.
list_args = collect_flow.InterpolateList(
[r"%%users.desktop%%\aa", r"%%users.sid%%\aa"])
self.assertItemsEqual(list_args, [])
def Parse(self, stat_entries, knowledge_base, path_type):
"""Parse the StatEntry objects."""
_, _ = knowledge_base, path_type
for stat_entry in stat_entries:
if stat.S_ISDIR(stat_entry.st_mode):
homedir = stat_entry.pathspec.path
username = os.path.basename(homedir)
if username not in self.blacklist:
yield rdf_client.User(username=username, homedir=homedir)
def SetLinuxKB(self):
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
kb = client.Schema.KNOWLEDGE_BASE()
kb.os = "Linux"
user = rdf_client.User(username="******", homedir="/home/user1")
kb.users = [user]
client.Set(client.Schema.KNOWLEDGE_BASE, kb)
client.Set(client.Schema.SYSTEM("Linux"))
client.Set(client.Schema.OS_VERSION("12.04"))
client.Flush()
def testKBUserBackwardsCompatibility(self):
"""Check User can be created from deprecated KBUser."""
kbuser = rdf_client.KnowledgeBaseUser()
kbuser.username = "******"
kbuser.desktop = "User Desktop 1"
user = rdf_client.User(kbuser)
self.assertEqual(user.username, "user1")
self.assertEqual(user.desktop, "User Desktop 1")
def _CreateClients(self):
# To test all search keywords, we can rely on SetupClients
# creating clients with attributes containing a numberic
# value, e.g. hostname will be Host-0, Host-1, etc.
self.client_ids = self.SetupClients(15)
self.AddClientLabel(self.client_ids[0], self.token.username,
"common_test_label")
self.AddClientLabel(self.client_ids[0], self.token.username,
"unique_test_label")
self.AddClientLabel(self.client_ids[1], self.token.username,
"common_test_label")
if data_store.RelationalDBReadEnabled():
snapshot = data_store.REL_DB.ReadClientSnapshot(
self.client_ids[0].Basename())
snapshot.knowledge_base.users.Append(
rdf_client.User(username="******"))
snapshot.knowledge_base.users.Append(
rdf_client.User(username=self.token.username))
data_store.REL_DB.WriteClientSnapshot(snapshot)
client_index.ClientIndex().AddClient(
data_store.REL_DB.ReadClientSnapshot(
self.client_ids[0].Basename()))
else:
# SetupClients adds no labels or user names.
with aff4.FACTORY.Open(self.client_ids[0],
mode="rw",
token=self.token) as client_obj:
client_obj.AddLabel("common_test_label",
owner=self.token.username)
client_obj.AddLabel("unique_test_label",
owner=self.token.username)
# Add user in knowledge base.
kb = client_obj.Get(client_obj.Schema.KNOWLEDGE_BASE)
kb.users.Append(rdf_client.User(username="******"))
kb.users.Append(rdf_client.User(username=self.token.username))
client_obj.Set(client_obj.Schema.KNOWLEDGE_BASE, kb)
# Update index, since we added users and labels.
with client_index.CreateClientIndex(token=self.token) as index:
index.AddClient(client_obj)
def testRdfFormatterFanOut(self):
rdf = rdf_protodict.Dict()
user1 = rdf_client.User(username="******")
user2 = rdf_client.User(username="******")
rdf["cataclysm"] = "GreyGoo"
rdf["thinkers"] = [user1, user2]
rdf["reference"] = {
"ecophage": ["bots", ["nanobots", ["picobots"]]],
"doomsday": {
"books": ["cats cradle", "prey"]
}
}
template = ("{cataclysm}; {thinkers.username}; {reference.ecophage}; "
"{reference.doomsday}\n")
hinter = hints.Hinter(template=template)
expected = ("GreyGoo; drexler,joy; bots,nanobots,picobots; "
"books:cats cradle,prey")
result = hinter.Render(rdf)
self.assertEqual(expected, result)
def testAnalyzeClient(self):
index = client_index.CreateClientIndex(token=self.token)
client = aff4.FACTORY.Create("aff4:/" + CLIENT_ID,
aff4_type=aff4_grr.VFSGRRClient,
mode="rw",
token=self.token)
client.Set(client.Schema.SYSTEM("Windows"))
client.Set(
client.Schema.CLIENT_INFO(client_name="grr monitor",
labels=["client-label-23"]))
kb = rdf_client.KnowledgeBase()
kb.users.Append(
rdf_client.User(
username="******",
full_name="Eric (Bertrand ) 'Russell' \"Logician\" Jacobson"))
kb.users.Append(
rdf_client.User(username="******", full_name="Steve O'Bryan"))
client.Set(client.Schema.KNOWLEDGE_BASE(kb))
_, keywords = index.AnalyzeClient(client)
# Should not contain an empty string.
self.assertNotIn("", keywords)
# OS of the client
self.assertIn("windows", keywords)
# Users of the client.
self.assertIn("bert", keywords)
self.assertIn("bertrand", keywords)
self.assertNotIn(")", keywords)
self.assertIn("russell", keywords)
self.assertIn("logician", keywords)
self.assertIn("ernie", keywords)
self.assertIn("eric", keywords)
self.assertIn("jacobson", keywords)
self.assertIn("steve o'bryan", keywords)
self.assertIn("o'bryan", keywords)
# Client information.
self.assertIn("grr monitor", keywords)
self.assertIn("client-label-23", keywords)
def GetExpectedUser(self, algo, user_store, group_store):
user = rdf_client.User(username="******",
full_name="User",
uid="1001",
gid="1001",
homedir="/home/user",
shell="/bin/bash")
user.pw_entry = rdf_client.PwEntry(store=user_store, hash_type=algo)
user.gids = [1001]
grp = rdf_client.Group(gid=1001, members=["user"], name="user")
grp.pw_entry = rdf_client.PwEntry(store=group_store, hash_type=algo)
return user, grp
def testGlobWithStarStarRootPath(self):
"""Test ** expressions with root_path."""
self.client_id = self.SetupClient(0)
# Add some usernames we can interpolate later.
client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
client.Set(kb)
client.Close()
client_mock = action_mocks.GlobClientMock()
# Glob for foo at a depth of 4.
path = os.path.join("foo**4")
root_path = rdf_paths.PathSpec(path=os.path.join(
self.base_path, "test_img.dd"),
pathtype=rdf_paths.PathSpec.PathType.OS)
root_path.Append(path="/", pathtype=rdf_paths.PathSpec.PathType.TSK)
# Run the flow.
flow_test_lib.TestFlowHelper(filesystem.Glob.__name__,
client_mock,
client_id=self.client_id,
paths=[path],
root_path=root_path,
pathtype=rdf_paths.PathSpec.PathType.OS,
token=self.token)
output_path = self.client_id.Add("fs/tsk").Add(
self.base_path.replace("\\", "/")).Add("test_img.dd/glob_test/a/b")
children = []
fd = aff4.FACTORY.Open(output_path, token=self.token)
for child in fd.ListChildren():
children.append(child.Basename())
# We should find some files.
self.assertEqual(children, ["foo"])
def testGlobDirectory(self):
"""Test that glob expands directories."""
self.client_id = self.SetupClient(0)
# Add some usernames we can interpolate later.
client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
kb.MergeOrAddUser(
rdf_client.User(username="******", appdata="test_data/index.dat"))
kb.MergeOrAddUser(
rdf_client.User(username="******", appdata="test_data/History"))
# This is a record which means something to the interpolation system. We
# should not process this especially.
kb.MergeOrAddUser(rdf_client.User(username="******",
appdata="%%PATH%%"))
client.Set(kb)
client.Close()
client_mock = action_mocks.GlobClientMock()
# This glob selects all files which start with the username on this system.
path = os.path.join(os.path.dirname(self.base_path),
"%%users.appdata%%")
# Run the flow.
flow_test_lib.TestFlowHelper(filesystem.Glob.__name__,
client_mock,
client_id=self.client_id,
paths=[path],
token=self.token)
path = self.client_id.Add("fs/os").Add(self.base_path).Add("index.dat")
aff4.FACTORY.Open(path, aff4_type=aff4_grr.VFSFile, token=self.token)
path = self.client_id.Add("fs/os").Add(self.base_path).Add("index.dat")
aff4.FACTORY.Open(path, aff4_type=aff4_grr.VFSFile, token=self.token)
def testKnowlegeBaseUsersAttributesExpandIntoLists(self):
kb = rdf_client.KnowledgeBase()
kb.users.append(
rdf_client.User(appdata="the_appdata_1",
localappdata="the_localappdata_1",
userdomain="the_userdomain_1",
userprofile="the_userprofile_1"))
kb.users.append(
rdf_client.User(appdata="the_appdata_2",
localappdata="the_localappdata_2",
userdomain="the_userdomain_2",
userprofile="the_userprofile_2"))
mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
self.assertEqual(
mapping, {
"appdata": ["the_appdata_1", "the_appdata_2"],
"localappdata": ["the_localappdata_1", "the_localappdata_2"],
"userdomain": ["the_userdomain_1", "the_userdomain_2"],
"userprofile": ["the_userprofile_1", "the_userprofile_2"]
})
def _MakeClientRecord(self):
# Set up client info
client_id = self.SetupClient(0)
client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token)
client.Set(client.Schema.SYSTEM("Windows"))
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
kb.users.Append(
rdf_client.User(username="******",
userdomain="TESTDOMAIN",
full_name="test user",
homedir="c:\\Users\\test",
last_logon=rdfvalue.RDFDatetime.FromHumanReadable(
"2012-11-10")))
kb.users.Append(
rdf_client.User(username="******",
userdomain="TESTDOMAIN",
full_name="test user 2",
homedir="c:\\Users\\test2",
last_logon=100))
client.Set(kb)
client.Flush()
return client
def testAnalyzeClient(self):
index = client_index.ClientIndex()
client = rdf_objects.ClientSnapshot(client_id="C.0000000000000000")
client.knowledge_base.os = "Windows"
client.startup_info.client_info.client_name = "grr monitor"
client.startup_info.client_info.labels = ["client-label-23"]
kb = client.knowledge_base
kb.users = [
rdf_client.User(
username="******",
full_name="Eric (Bertrand ) 'Russell' \"Logician\" Jacobson"),
rdf_client.User(username="******", full_name="Steve O'Bryan")
]
keywords = index.AnalyzeClient(client)
# Should not contain an empty string.
self.assertNotIn("", keywords)
# OS of the client
self.assertIn("windows", keywords)
# Users of the client.
self.assertIn("bert", keywords)
self.assertIn("bertrand", keywords)
self.assertNotIn(")", keywords)
self.assertIn("russell", keywords)
self.assertIn("logician", keywords)
self.assertIn("ernie", keywords)
self.assertIn("eric", keywords)
self.assertIn("jacobson", keywords)
self.assertIn("steve o'bryan", keywords)
self.assertIn("o'bryan", keywords)
# Client information.
self.assertIn("grr monitor", keywords)
self.assertIn("client-label-23", keywords)
def Parse(self, query, result, knowledge_base):
"""Parse the WMI Win32_UserAccount output."""
_ = query, knowledge_base
kb_user = rdf_client.User()
for wmi_key, kb_key in self.account_mapping.items():
try:
kb_user.Set(kb_key, result[wmi_key])
except KeyError:
pass
# We need at least a sid or a username. If these are missing its likely we
# retrieved just the userdomain for an AD account that has a name collision
# with a local account that is correctly populated. We drop the bogus
# domain account.
if kb_user.sid or kb_user.username:
yield kb_user
def testClientSubfieldGet(self):
"""Test we can get subfields of the client."""
fd = aff4.FACTORY.Create(
"C.0000000000000000", aff4_grr.VFSGRRClient, token=self.token)
kb = fd.Schema.KNOWLEDGE_BASE()
for i in range(5):
kb.users.Append(rdf_client.User(username="******" % i))
fd.Set(kb)
fd.Close()
fd = aff4.FACTORY.Open(
"C.0000000000000000", aff4_grr.VFSGRRClient, token=self.token)
for i, user in enumerate(fd.Get(fd.Schema.KNOWLEDGE_BASE).users):
self.assertEqual(user.username, "user%s" % i)
def setUp(self):
super(TestWebHistoryWithArtifacts, self).setUp()
self.client_id = self.SetupClient(0, system="Linux", os_version="12.04")
fd = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
self.kb = fd.Get(fd.Schema.KNOWLEDGE_BASE)
self.kb.users.Append(
rdf_client.User(
username="******",
full_name="test user",
homedir="/home/test/",
last_logon=250))
fd.AddAttribute(fd.Schema.KNOWLEDGE_BASE, self.kb)
fd.Flush()
self.client_mock = action_mocks.FileFinderClientMock()
def testCompatibility(self):
proto = knowledge_base_pb2.User(username="******")
proto.desktop = "User Desktop 1"
serialized = proto.SerializeToString()
rdf_from_serialized = rdf_client.User.FromSerializedString(serialized)
self.assertEqual(rdf_from_serialized.username, proto.username)
self.assertEqual(rdf_from_serialized.desktop, proto.desktop)
rdf_direct = rdf_client.User(username="******",
desktop="User Desktop 1")
self.assertRDFValuesEqual(rdf_from_serialized, rdf_direct)