def test_close_one_of_two_open_machine_incident(self): event_metadata1 = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO1") event_metadata1.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO1") event1 = BaseEvent(event_metadata1, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event1)) machine_incident1, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event1), event1.metadata.machine_serial_number, event1.metadata.uuid) event_metadata2 = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO2") event_metadata2.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO2") event2 = BaseEvent(event_metadata2, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event2)) machine_incident2, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event2), event2.metadata.machine_serial_number, event2.metadata.uuid) # 2 machine incidents on 1 incident self.assertNotEqual(machine_incident1, machine_incident2) self.assertEqual(machine_incident1.serial_number, "YOLOFOMO1") self.assertEqual(machine_incident2.serial_number, "YOLOFOMO2") self.assertEqual(machine_incident1.incident, machine_incident2.incident) # close one machine incident machine_incident3, event_payloads = update_or_create_open_machine_incident( self.probe_source, 0, event2.metadata.machine_serial_number, event2.metadata.uuid) self.assertEqual(machine_incident3, machine_incident2) self.assertEqual(machine_incident3.incident, machine_incident2.incident) incident = machine_incident3.incident self.assertEqual(incident.status, STATUS_OPEN) self.assertEqual(machine_incident3.status, STATUS_CLOSED) machine_incident1.refresh_from_db() self.assertEqual(machine_incident1.status, STATUS_OPEN) self.assertEqual(len(event_payloads), 1) event_payload = event_payloads[0] self.assertEqual(event_payload["action"], "closed") self.assertEqual(event_payload["machine_incident"]["pk"], machine_incident3.pk) self.assertEqual(event_payload["machine_incident"]["status"], STATUS_CLOSED)
def test_osquery_conf(self): # default machine has a subset of the queries default_machine = MockMetaMachine([], [], None, None) config = build_osquery_conf(default_machine, enrollment=None) self.assertCountEqual( ["decorators", "schedule", "file_accesses", "file_paths"], config.keys()) # no packs schedule = config["schedule"] self.assertCountEqual( [INVENTORY_QUERY_NAME, self.query_1_key, self.query_2_key], schedule.keys()) file_paths = config["file_paths"] self.assertCountEqual( file_paths.keys(), [self.query_1_filepath_hash, self.query_2_filepath_hash]) for key, file_path in ((self.query_1_filepath_hash, self.query_1_filepath), (self.query_2_filepath_hash, self.query_2_filepath)): self.assertEqual(file_paths.get(key), [file_path]) file_accesses = config["file_accesses"] self.assertEqual([self.query_2_filepath_hash], file_accesses) # mbu has all the queries mbu_machine = MockMetaMachine([1], [], None, "SERVER") config = build_osquery_conf(mbu_machine, enrollment=None) self.assertCountEqual( ["decorators", "schedule", "file_accesses", "file_paths"], config.keys()) # no packs schedule = config["schedule"] self.assertCountEqual([ INVENTORY_QUERY_NAME, self.query_1_key, self.query_2_key, self.query_mbu_key ], schedule.keys()) file_paths = config["file_paths"] self.assertCountEqual(file_paths.keys(), [ self.query_1_filepath_hash, self.query_2_filepath_hash, self.query_mbu_filepath_hash ]) for key, file_path in ((self.query_1_filepath_hash, self.query_1_filepath), (self.query_2_filepath_hash, self.query_2_filepath), (self.query_mbu_filepath_hash, self.query_mbu_filepath)): self.assertEqual(file_paths.get(key), [file_path]) file_accesses = config["file_accesses"] self.assertEqual([self.query_2_filepath_hash], file_accesses)
def test_close_manually_changed_open_machine_incident(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) machine_incident1, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid ) # manually changed incident status machine_incident1.status = STATUS_IN_PROGRESS machine_incident1.save() machine_incident2, event_payloads = update_or_create_open_machine_incident( self.probe_source, 0, # severity == 0 => close event.metadata.machine_serial_number, event.metadata.uuid ) # no changes, because the machine incident was manually changed self.assertEqual(machine_incident2, None) self.assertEqual(len(event_payloads), 0)
def test_enrich_event_machine_incident_match(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) enriched_events = list(enrich_event(event)) self.assertEqual(len(enriched_events), 3) eevent1, eevent2, eevent3 = enriched_events # first event is the incident event self.assertIsInstance(eevent1, IncidentEvent) incident = Incident.objects.all()[0] self.assertEqual(eevent1.payload["action"], "created") self.assertEqual(eevent1.payload["pk"], incident.pk) self.assertEqual(eevent1.metadata.machine_serial_number, "YOLOFOMO") # second event is the machine incident event self.assertIsInstance(eevent2, MachineIncidentEvent) self.assertEqual(eevent2.payload["action"], "created") self.assertEqual(eevent2.payload["incident"]["pk"], incident.pk) self.assertEqual(eevent2.metadata.machine_serial_number, "YOLOFOMO") machine_incident = incident.machineincident_set.all()[0] self.assertEqual(eevent2.payload["pk"], machine_incident.pk) # third event is the original event self.assertEqual(eevent3, event) # machine incident in the original event metadata incidents self.assertEqual(len(eevent3.metadata.incidents), 1) eevent3_incident = eevent3.metadata.incidents[0] self.assertEqual(eevent3_incident["pk"], machine_incident.incident.pk) self.assertEqual(eevent3_incident["machine_incident"]["pk"], machine_incident.pk)
def test_update_open_machine_incident(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) machine_incident1, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid ) machine_incident2, event_payloads = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event) + 100, event.metadata.machine_serial_number, event.metadata.uuid ) self.assertEqual(machine_incident1, machine_incident2) self.assertEqual(machine_incident2.incident, machine_incident1.incident) self.assertEqual(machine_incident2.incident.severity, SEVERITY_CRITICAL + 100) self.assertEqual(len(event_payloads), 1) event_payload = event_payloads[0] self.assertEqual(event_payload["action"], "updated") self.assertEqual(event_payload["diff"], {"removed": {"severity": SEVERITY_CRITICAL}, "added": {"severity": SEVERITY_CRITICAL + 100}}) self.assertEqual(event_payload["severity"], SEVERITY_CRITICAL + 100) self.assertEqual(event_payload.get("incident"), None) # meta machine self.assertEqual(MetaMachine("YOLOFOMO").max_incident_severity(), SEVERITY_CRITICAL + 100)
def test_close_manually_changed_incident_open_machine_incident(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) machine_incident1, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid ) # manually changed incident status incident = machine_incident1.incident incident.status = STATUS_IN_PROGRESS incident.save() machine_incident2, event_payloads = update_or_create_open_machine_incident( self.probe_source, 0, # severity == 0 => close event.metadata.machine_serial_number, event.metadata.uuid ) self.assertEqual(machine_incident1, machine_incident2) self.assertEqual(machine_incident2.incident, machine_incident1.incident) self.assertEqual(machine_incident2.status, STATUS_CLOSED) self.assertEqual(incident.status, STATUS_IN_PROGRESS) # not touched because manually changed self.assertEqual(len(event_payloads), 1) event_payload = event_payloads[0] self.assertEqual(event_payload["action"], "closed") self.assertEqual(event_payload["pk"], machine_incident2.pk) self.assertEqual(event_payload["status"], STATUS_CLOSED) # machine incident closed self.assertEqual(event_payload["incident"]["pk"], incident.pk) self.assertEqual(event_payload["incident"]["status"], STATUS_IN_PROGRESS) # incident still in progress
def test_probes_test_event(self): default_machine = MockMetaMachine([], [], None, None) windows = MockMetaMachine([1], [1], "WINDOWS", None) tests = ( # wrong hash (self.probe_1, self.query_2_result_name, default_machine, False), (self.probe_2, self.query_1_result_name, windows, False), (self.probe_windows, self.query_1_result_name, windows, False), # ok (self.probe_1, self.query_1_result_name, default_machine, True), (self.probe_2, self.query_2_result_name, windows, True), # windows (self.probe_windows, self.query_windows_result_name, default_machine, False), (self.probe_windows, self.query_windows_result_name, windows, True), ) for probe, query_name, machine, result in tests: event = build_osquery_result_event(query_name) event.metadata.machine = machine # hack self.assertEqual(probe.test_event(event), result)
def test_santa_conf(self): def frozenrules(l): # TODO: better ? return set(frozenset(r.items()) for r in l) # default machine has a subset of the rules default_machine = MockMetaMachine([], [], None, None) config = build_santa_conf(default_machine) self.assertEqual(len(config["rules"]), 4) self.assertEqual( frozenrules(config["rules"]), frozenrules(self.blacklist_rules + self.whitelist_rules)) # tablet has all the rules tablet = MockMetaMachine([], [], None, "TABLET") config = build_santa_conf(tablet) self.assertEqual(len(config["rules"]), 6) self.assertEqual( frozenrules(config["rules"]), frozenrules(self.blacklist_rules + self.whitelist_rules + self.tablet_rules))
def test_osquery_conf(self): # default machine has a subset of the queries default_machine = MockMetaMachine([], [], None, None) config = build_osquery_conf(default_machine) # schedule with query 1 schedule = config["schedule"] self.assertIsInstance(schedule, dict) self.assertCountEqual( [DEFAULT_ZENTRAL_INVENTORY_QUERY_NAME, self.query_1_key], schedule.keys()) # 1 pack with query 2 packs = config["packs"] self.assertIsInstance(packs, dict) self.assertCountEqual([self.query_pack_key], packs.keys()) pack = packs[self.query_pack_key] self.assertIsInstance(pack, dict) self.assertCountEqual(["discovery", "queries"], pack.keys()) self.assertCountEqual(pack["discovery"], self.query_pack_discovery) pack_queries = pack["queries"] self.assertCountEqual([self.query_2_key], pack_queries.keys()) # windows has all the queries windows = MockMetaMachine([1], [1], "WINDOWS", None) config = build_osquery_conf(windows) # schedule with query 1 schedule = config["schedule"] self.assertIsInstance(schedule, dict) self.assertCountEqual( [DEFAULT_ZENTRAL_INVENTORY_QUERY_NAME, self.query_1_key], schedule.keys()) # 1 pack with query 2 and query windows packs = config["packs"] self.assertIsInstance(packs, dict) self.assertCountEqual([self.query_pack_key], packs.keys()) pack = packs[self.query_pack_key] self.assertIsInstance(pack, dict) self.assertCountEqual(["discovery", "queries"], pack.keys()) self.assertCountEqual(pack["discovery"], self.query_pack_discovery) pack_queries = pack["queries"] self.assertCountEqual([self.query_2_key, self.query_windows_key], pack_queries.keys())
def test_probes_test_event(self): default_machine = MockMetaMachine([], [], None, None) tag_machine = MockMetaMachine([1], [1], "WINDOWS", None) tests = ( # wrong hash (self.probe_pfu, self.query_pfg_key, default_machine, False), (self.probe_pfg, self.query_pfu_key, default_machine, False), (self.probe_fc, self.query_pfu_key, tag_machine, False), (self.probe_tag, self.query_pfu_key, tag_machine, False), # ok (self.probe_pfu, self.query_pfu_key, default_machine, True), (self.probe_pfg, self.query_pfg_key, default_machine, True), (self.probe_tag, self.query_tag_key, tag_machine, True), # tag (self.probe_tag, self.query_tag_key, default_machine, False), (self.probe_tag, self.query_tag_key, tag_machine, True), ) for probe, query_name, machine, result in tests: event = build_osquery_result_event(query_name) event.metadata.machine = machine # hack self.assertEqual(probe.test_event(event), result)
def test_probe_test_event(self): for mbuis, tis, p, t, result in (([1238971298], [self.tag1.id], "WINDOWS", "LAPTOP", False), ([self.mbu1.id], [self.tag1.id], "WINDOWS", "LAPTOP", True), ([self.mbu1.id], [self.tag1.id], "WINDOWS", "VM", True), ): event = _build_event("base", machine_serial_number="YO") event_metadata = event.metadata # TODO hack event_metadata.machine = MockMetaMachine(mbuis, tis, p, t) event = BaseEvent(event_metadata, {"godzilla": "kommt"}) self.assertEqual(self.probe.test_event(event), result) self.assertEqual(self.error_probe.test_event(event), False)
def test_probes_test_event(self): default_machine = MockMetaMachine([], [], None, None) windows = MockMetaMachine([1], [1], "WINDOWS", None) tests = ( # wrong probe id (self.probe_1, self.probe_2.pk, default_machine, False), (self.probe_2, self.probe_1.pk, windows, False), (self.probe_windows, self.probe_1.pk, windows, False), # ok (self.probe_1, self.probe_1.pk, default_machine, True), (self.probe_2, self.probe_2.pk, windows, True), # windows (self.probe_windows, self.probe_windows.pk, default_machine, False ), (self.probe_windows, self.probe_windows.pk, windows, True), ) for probe, query_id, machine, result in tests: event = build_osquery_distributed_query_result_event( "NAME NOT TESTED", query_id) event.metadata.machine = machine # hack self.assertEqual(probe.test_event(event), result)
def test_default_machine_distributed_queries(self): default_machine = MockMetaMachine([], [], None, None, serial_number="MSN1") queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 2) for key, query in ((self.query_1_key, self.query_1), (self.query_2_key, self.query_2)): self.assertEqual(queries[key], query) extra_queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(extra_queries, {})
def test_inventory_filter_test_machine(self): inventory_filter = self.probe.inventory_filters[0] for mbuis, tis, p, t, result in (([], [], None, None, False), ([self.mbu1.id], [], "WINDOWS", "LAPTOP", False), ([self.mbu1.id], [12983719238], "WINDOWS", "LAPTOP", False), ([1238971298], [self.tag1.id], "WINDOWS", "LAPTOP", False), ([self.mbu1.id], [self.tag1.id], None, "LAPTOP", False), ([self.mbu1.id], [self.tag1.id], "WINDOWS", None, False), ([self.mbu1.id], [self.tag1.id], "WINDOWS", "LAPTOP", True)): mmm = MockMetaMachine(mbuis, tis, p, t) self.assertEqual(inventory_filter.test_machine(mmm), result) self.assertEqual(self.probe.test_machine(mmm), result) self.assertEqual(self.error_probe.test_machine(mmm), False)
def test_osquery_conf(self): # default machine has a subset of the queries default_machine = MockMetaMachine([], [], None, None) config = build_osquery_conf(default_machine) self.assertCountEqual( ["decorators", "schedule"], config.keys()) # no file_paths, file_accesses or packs schedule = config["schedule"] self.assertCountEqual([ INVENTORY_QUERY_NAME, self.query_pfu_key, self.query_pfg_key, self.query_fc_key ], schedule.keys()) # tag has all the queries tag_machine = MockMetaMachine([], [1], None, "SERVER") config = build_osquery_conf(tag_machine) self.assertCountEqual( ["decorators", "schedule"], config.keys()) # no file_paths, file_accesses or packs schedule = config["schedule"] self.assertCountEqual([ INVENTORY_QUERY_NAME, self.query_pfu_key, self.query_pfg_key, self.query_fc_key, self.query_tag_key ], schedule.keys())
def test_windows_machine_distributed_queries(self): windows_machine = MockMetaMachine([], [], "WINDOWS", None, serial_number="MSN2") queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( windows_machine) self.assertEqual(len(queries), 3) for key, query in ((self.query_1_key, self.query_1), (self.query_2_key, self.query_2), (self.query_windows_key, self.query_windows)): self.assertEqual(queries[key], query) extra_queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( windows_machine) self.assertEqual(extra_queries, {})
def test_close_open_machine_incident(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) machine_incident1, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid ) self.assertEqual(machine_incident1.status, STATUS_OPEN) self.assertEqual(machine_incident1.incident.status, STATUS_OPEN) machine_incident2, event_payloads = update_or_create_open_machine_incident( self.probe_source, 0, # severity == 0 => close event.metadata.machine_serial_number, event.metadata.uuid ) self.assertEqual(machine_incident1, machine_incident2) self.assertEqual(machine_incident2.incident, machine_incident1.incident) self.assertEqual(machine_incident2.status, STATUS_CLOSED) incident = machine_incident2.incident self.assertEqual(incident.severity, SEVERITY_CRITICAL) self.assertEqual(incident.status, STATUS_CLOSED) self.assertEqual(len(event_payloads), 2) event_payload1, event_payload2 = event_payloads # machine incident event payload self.assertEqual(event_payload1["action"], "closed") self.assertEqual(event_payload1["incident"]["pk"], incident.pk) self.assertEqual(event_payload1["incident"]["status"], STATUS_OPEN) # Incident still open self.assertEqual(event_payload1["pk"], machine_incident2.pk) self.assertEqual(event_payload1["status"], machine_incident2.status) self.assertEqual(event_payload1["event_id"], str(event.metadata.uuid)) self.assertEqual(event_payload1["diff"], {"removed": {"status": STATUS_OPEN}, "added": {"status": STATUS_CLOSED}}) # incident event payload self.assertEqual(event_payload2["action"], "closed") self.assertEqual(event_payload2["pk"], incident.pk) self.assertEqual(event_payload2["status"], STATUS_CLOSED) # Incident closed now self.assertEqual(event_payload2.get("incident"), None) self.assertEqual(event_payload2["diff"], {"removed": {"status": STATUS_OPEN}, "added": {"status": STATUS_CLOSED}}) # meta machine self.assertEqual(MetaMachine("YOLOFOMO").max_incident_severity(), None)
def test_default_machine_older_distributed_queries(self): default_machine = MockMetaMachine([], [], None, None, serial_number="MSN3") # simulate all_probes sync all_probes.clear() # consume all queries queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 2) queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 0) # make a query that is one hour too old probe_source_too_old = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="QUERY TOO OLD", status=ProbeSource.ACTIVE, body={"distributed_query": "SELECT 'QUERY TOO OLD';"}, ) # simulate all_probes sync all_probes.clear() probe_source_too_old.created_at = timezone.now( ) - MAX_DISTRIBUTED_QUERY_AGE - timedelta(hours=1) probe_source_too_old.save() queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) # it's not there self.assertEqual(len(queries), 0) # make a query that is one hour younger than the limit probe_source_ok = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="QUERY OK", status=ProbeSource.ACTIVE, body={"distributed_query": "SELECT 'QUERY OK';"}, ) probe_source_ok.created_at = timezone.now( ) - MAX_DISTRIBUTED_QUERY_AGE + timedelta(hours=1) probe_source_ok.save() # simulate all_probes sync all_probes.clear() # it's there queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 1) self.assertEqual(queries["dq_{}".format(probe_source_ok.pk)], "SELECT 'QUERY OK';")
def build_munki_event(name, install_type, unattended, machine_tag_id): MunkiEvent = event_types["munki_event"] payload = payload_template.copy() payload["name"] = name payload["display_name"] = name.capitalize() payload["type"] = install_type payload["unattended"] = unattended event = MunkiEvent( EventMetadata(machine_serial_number="YO", event_type=MunkiEvent.event_type), payload) if machine_tag_id: # hack event.metadata.machine = MockMetaMachine([], [machine_tag_id], None, None, serial_number="YO") return event
def test_create_open_machine_incident(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) machine_incident, event_payloads = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid) # machine incident self.assertEqual([machine_incident], list(MachineIncident.objects.all())) self.assertEqual(machine_incident.status, STATUS_OPEN) self.assertEqual(machine_incident.event_id, event.metadata.uuid) # incident incident = machine_incident.incident self.assertEqual([incident], list(Incident.objects.all())) self.assertEqual(incident.probe_source, self.probe_source) self.assertEqual(incident.name, "base probe") self.assertEqual(incident.status, STATUS_OPEN) self.assertEqual(incident.severity, SEVERITY_CRITICAL) self.assertEqual(incident.event_id, event.metadata.uuid) # event payloads self.assertEqual(len(event_payloads), 2) event_payload1, event_payload2 = event_payloads # incident event payload self.assertEqual(event_payload1["action"], "created") self.assertEqual(event_payload1["pk"], incident.pk) self.assertEqual(event_payload1.get("machine_incident"), None) # machine incident event payload self.assertEqual(event_payload2["action"], "created") self.assertEqual( event_payload2["machine_incident"], { "pk": machine_incident.pk, "status": machine_incident.status, "event_id": str(event.metadata.uuid) }) # meta machine self.assertEqual( MetaMachine("YOLOFOMO").max_incident_severity(), SEVERITY_CRITICAL)
def test_same_open_machine_incident(self): event_metadata = EventMetadata(event_type="test", machine_serial_number="YOLOFOMO") event_metadata.machine = MockMetaMachine([self.mbu1], [self.tag1], "WINDOWS", "LAPTOP", serial_number="YOLOFOMO") event = BaseEvent(event_metadata, {"joe": "jackson"}) self.assertTrue(self.probe.test_event(event)) machine_incident1, _ = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid) machine_incident2, event_payloads = update_or_create_open_machine_incident( self.probe_source, self.probe.get_matching_event_incident_severity(event), event.metadata.machine_serial_number, event.metadata.uuid) self.assertEqual(machine_incident1, machine_incident2) self.assertEqual(len(event_payloads), 0)
def test_probes_test_event(self): for rule_type, sha256, decision, bl_result, wl_result in ( # wrong sha256 ("BINARY", self.certificate_sha256, "ALLOW_BINARY", False, False), ("BINARY", self.certificate_sha256, "BLOCK_BINARY", False, False), ("CERTIFICATE", self.binary_sha256, "ALLOW_CERTIFICATE", False, False), ("CERTIFICATE", self.binary_sha256, "BLOCK_CERTIFICATE", False, False), # unknown decision ("BINARY", self.binary_sha256, "ALLOW_SCOPE", False, False), ("CERTIFICATE", self.certificate_sha256, "BLOCK_SCOPE", False, False), ("BINARY", self.binary_sha256, "ALLOW_UNKNOWN", False, False), ("CERTIFICATE", self.certificate_sha256, "BLOCK_UNKNOWN", False, False), # wrong decision ("BINARY", self.binary_sha256, "ALLOW_CERTIFICATE", False, False), ("BINARY", self.binary_sha256, "BLOCK_CERTIFICATE", False, False), ("CERTIFICATE", self.certificate_sha256, "ALLOW_BINARY", False, False), ("CERTIFICATE", self.certificate_sha256, "BLOCK_BINARY", False, False), # OK ("BINARY", self.binary_sha256, "ALLOW_BINARY", False, True), ("BINARY", self.binary_sha256, "BLOCK_BINARY", True, False), ("CERTIFICATE", self.certificate_sha256, "ALLOW_CERTIFICATE", False, True), ("CERTIFICATE", self.certificate_sha256, "BLOCK_CERTIFICATE", True, False)): event = build_matching_santa_event(rule_type, sha256, decision) self.assertEqual(self.probe_blacklist.test_event(event), bl_result) self.assertEqual(self.probe_whitelist.test_event(event), wl_result) # tablet sha256 = sha256[::-1] event = build_matching_santa_event(rule_type, sha256, decision) self.assertEqual(self.probe_tablet.test_event(event), False) # hack tablet = MockMetaMachine([], [], None, "TABLET") event.metadata.machine = tablet self.assertEqual(self.probe_tablet.test_event(event), bl_result)
def build_munki_event(name, install_type, unattended, machine_tag_id, failed=False): event_type = f"munki_{install_type}" if failed: event_type += "_failed" event_cls = event_types[event_type] payload = payload_template.copy() payload["name"] = name payload["display_name"] = name.capitalize() payload["type"] = install_type payload["unattended"] = unattended event = event_cls(EventMetadata(machine_serial_number="YO"), payload) if machine_tag_id: # hack event.metadata.machine = MockMetaMachine([], [machine_tag_id], None, None, serial_number="YO") return event