def testSupportedOS(self):
"""Test supported_os inside the collector object."""
# Run with false condition.
client_mock = action_mocks.ActionMock("ListProcesses")
coll1 = rdfvalue.Collector(
collector_type=rdfvalue.Collector.CollectorType.GRR_CLIENT_ACTION,
args={"client_action": "ListProcesses"}, supported_os=["Windows"])
self.fakeartifact.collectors.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__.__name__, "AFF4Volume")
# Now run with matching or condition.
coll1.conditions = []
coll1.supported_os = ["Linux", "Windows"]
self.fakeartifact.collectors = []
self.fakeartifact.collectors.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__.__name__, "RDFValueCollection")
# Now run with impossible or condition.
coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
coll1.supported_os = ["NotTrue"]
self.fakeartifact.collectors = []
self.fakeartifact.collectors.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__.__name__, "AFF4Volume")
def testGrep(self):
class MockCallFlow(object):
def CallFlow(self, *args, **kwargs):
self.args = args
self.kwargs = kwargs
mock_call_flow = MockCallFlow()
with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow",
mock_call_flow.CallFlow):
collect_flow = collectors.ArtifactCollectorFlow(None, token=self.token)
collect_flow.state.Register("knowledge_base", rdfvalue.KnowledgeBase())
collect_flow.current_artifact_name = "blah"
collect_flow.state.knowledge_base.MergeOrAddUser(
rdfvalue.KnowledgeBaseUser(username="******"))
collect_flow.state.knowledge_base.MergeOrAddUser(
rdfvalue.KnowledgeBaseUser(username="******"))
collector = rdfvalue.Collector(
collector_type=rdfvalue.Collector.CollectorType.GREP,
args={"path_list": ["/etc/passwd"],
"content_regex_list": [r"^a%%users.username%%b$"]})
collect_flow.Grep(collector, rdfvalue.PathSpec.PathType.TSK)
conditions = mock_call_flow.kwargs["conditions"]
self.assertEqual(len(conditions), 1)
regexes = conditions[0].contents_regex_match.regex.SerializeToString()
self.assertItemsEqual(regexes.split("|"), ["(^atest1b$)", "(^atest2b$)"])
self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
def testConditions(self):
"""Test we can get a GRR client artifact with conditions."""
# Run with false condition.
client_mock = action_mocks.ActionMock("ListProcesses")
coll1 = rdfvalue.Collector(
collector_type=rdfvalue.Collector.CollectorType.GRR_CLIENT_ACTION,
args={"client_action": "ListProcesses"},
conditions=["os == 'Windows'"])
self.fakeartifact.collectors.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__.__name__, "AFF4Volume")
# Now run with matching or condition.
coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
self.fakeartifact.collectors = []
self.fakeartifact.collectors.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__.__name__, "RDFValueCollection")
# Now run with impossible or condition.
coll1.conditions.append("os == 'NotTrue'")
self.fakeartifact.collectors = []
self.fakeartifact.collectors.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__.__name__, "AFF4Volume")
def testRunGrrClientActionArtifactSplit(self):
"""Test that artifacts get split into separate collections."""
client_mock = action_mocks.ActionMock("ListProcesses", "StatFile")
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
coll1 = rdfvalue.Collector(
collector_type=rdfvalue.Collector.CollectorType.GRR_CLIENT_ACTION,
args={"client_action": r"ListProcesses"})
self.fakeartifact.collectors.append(coll1)
self.fakeartifact2.collectors.append(coll1)
artifact_list = ["FakeArtifact", "FakeArtifact2"]
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock,
artifact_list=artifact_list,
token=self.token, client_id=self.client_id,
output="test_artifact",
split_output_by_artifact=True):
pass
# Check that we got two separate collections based on artifact name
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("test_artifact_FakeArtifact"),
token=self.token)
self.assertTrue(isinstance(list(fd)[0], rdfvalue.Process))
self.assertTrue(len(fd) > 5)
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("test_artifact_FakeArtifact2"),
token=self.token)
self.assertTrue(len(fd) > 5)
self.assertTrue(isinstance(list(fd)[0], rdfvalue.Process))
def testGetArtifact1(self):
"""Test we can get a basic artifact."""
client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile", "Find",
"FingerprintFile", "HashBuffer")
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
# Dynamically add a Collector specifying the base path.
file_path = os.path.join(self.base_path, "test_img.dd")
coll1 = rdfvalue.Collector(
collector_type=rdfvalue.Collector.CollectorType.FILE,
args={"path_list": [file_path]})
self.fakeartifact.collectors.append(coll1)
artifact_list = ["FakeArtifact"]
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock,
artifact_list=artifact_list, use_tsk=False,
token=self.token, client_id=self.client_id
):
pass
# Test the AFF4 file that was created.
fd1 = aff4.FACTORY.Open("%s/fs/os/%s" % (self.client_id, file_path),
token=self.token)
fd2 = open(file_path)
fd2.seek(0, 2)
self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
def testRunGrrClientActionArtifact(self):
"""Test we can get a GRR client artifact."""
client_mock = action_mocks.ActionMock("ListProcesses")
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
coll1 = rdfvalue.Collector(
collector_type=rdfvalue.Collector.CollectorType.GRR_CLIENT_ACTION,
args={"client_action": r"ListProcesses"})
self.fakeartifact.collectors.append(coll1)
artifact_list = ["FakeArtifact"]
for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
output="test_artifact"):
pass
# Test the AFF4 file that was created.
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("test_artifact"),
token=self.token)
self.assertTrue(isinstance(list(fd)[0], rdfvalue.Process))
self.assertTrue(len(fd) > 5)
def testGrep(self):
class MockCallFlow(object):
def CallFlow(self, *args, **kwargs):
self.args = args
self.kwargs = kwargs
mock_call_flow = MockCallFlow()
with test_lib.Stubber(collectors.ArtifactCollectorFlow, "CallFlow",
mock_call_flow.CallFlow):
collect_flow = collectors.ArtifactCollectorFlow(None,
token=self.token)
collect_flow.state.Register("knowledge_base",
rdfvalue.KnowledgeBase())
collect_flow.current_artifact_name = "blah"
collect_flow.state.knowledge_base.MergeOrAddUser(
rdfvalue.KnowledgeBaseUser(username="******"))
collect_flow.state.knowledge_base.MergeOrAddUser(
rdfvalue.KnowledgeBaseUser(username="******"))
collector = rdfvalue.Collector(action="Grep",
args={
"path_list": ["/etc/passwd"],
"content_regex_list":
[r"^a%%users.username%%b$"]
})
collect_flow.Grep(collector, rdfvalue.PathSpec.PathType.TSK)
filters = mock_call_flow.kwargs["filters"]
regexes = [
f.contents_regex_match.regex.SerializeToString() for f in filters
]
self.assertItemsEqual(regexes, [r"^atest1b$", r"^atest2b$"])
self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
