def CreateEventFromValues(event_values): """Creates an event and event data from event values. Args: event_values (dict[str, str]): event values. Returns: tuple[EventObject, EventData, EventDataStream]: event, event data and event data stream for testing. """ copy_of_event_values = dict(event_values) event = events.EventObject() for attribute_name in ('timestamp', 'timestamp_desc'): attribute_value = copy_of_event_values.pop(attribute_name, None) if attribute_value is not None: if attribute_name == 'timestamp' and isinstance( attribute_value, str): attribute_value = shared_test_lib.CopyTimestampFromSring( attribute_value) setattr(event, attribute_name, attribute_value) event_data_stream = events.EventDataStream() for attribute_name in ('path_spec', 'md5_hash', 'sha256_hash'): attribute_value = copy_of_event_values.pop(attribute_name, None) if attribute_value is not None: setattr(event_data_stream, attribute_name, attribute_value) event_data = events.EventData() event_data.CopyFromDict(copy_of_event_values) return event, event_data, event_data_stream
def testCopyToIsoFormat(self): """Test the CopyToIsoFormat function.""" timezone = pytz.timezone('CET') timestamp = shared_test_lib.CopyTimestampFromSring( '2013-03-14 20:20:08.850041') date_time_string = timelib.Timestamp.CopyToIsoFormat(timestamp, timezone=timezone) self.assertEqual(date_time_string, '2013-03-14T21:20:08.850041+01:00')
def testPrintStorageInformationAsJSON(self): """Tests the PrintStorageInformation function with JSON output format.""" test_filename = 'pinfo_test.plaso' session_identifier = 'c1ce225e-7eec-49a6-9f5c-35907e518ff8' session_start_time = '2020-04-04 06:40:08.695055' test_file_path = self._GetTestFilePath([test_filename]) self._SkipIfPathNotExists(test_file_path) options = test_lib.TestOptions() options.storage_file = test_file_path options.output_format = 'json' options.sections = 'events,reports,sessions,warnings' output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = pinfo_tool.PinfoTool(output_writer=output_writer) test_tool.ParseOptions(options) test_tool.PrintStorageInformation() output = output_writer.ReadOutput() json_output = json.loads(output) sessions = json_output.get('sessions') self.assertIsNotNone(sessions) first_session = sessions.get('session') self.assertIsNotNone(first_session) self.assertEqual( first_session['identifier'], session_identifier.replace('-', '')) expected_start_time = shared_test_lib.CopyTimestampFromSring( session_start_time) self.assertEqual(first_session['start_time'], expected_start_time) parsers_counter = first_session['parsers_counter'] self.assertEqual(parsers_counter['total'], 3) self.assertEqual(parsers_counter['filestat'], 3)
class TaggingFileTestCase(shared_test_lib.BaseTestCase): """The unit test case for a tagging file.""" _TAG_FILE = None _TEST_TIMESTAMP = shared_test_lib.CopyTimestampFromSring( '2020-04-04 14:56:39') def _CheckLabels(self, storage_writer, expected_labels): """Checks the labels of tagged events. Args: storage_writer (FakeStorageWriter): storage writer used for testing. expected_labels (list[str]): expected labels. """ labels = [] for event_tag in storage_writer.GetEventTags(): labels.extend(event_tag.labels) labels = set(labels) expected_labels = set(expected_labels) self.assertEqual(len(labels), len(expected_labels)) self.assertEqual(sorted(labels), sorted(expected_labels)) def _CheckTaggingRule(self, event_data_class, attribute_values_per_name, expected_rule_names): """Tests a tagging rule. Args: event_data_class (type): class of the event data object to use in tests. attribute_values_per_name (dict[str, list[str]): values of the event data attribute values per name, to use for testing events that match the tagging rule. expected_rule_names (list[str]): expected rule names. """ event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN if not attribute_values_per_name: event_data = event_data_class() storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, len(expected_rule_names)) self._CheckLabels(storage_writer, expected_rule_names) else: maximum_number_of_attribute_values = max([ len(attribute_values) for attribute_values in attribute_values_per_name.values() ]) # Test if variations defined by the attribute_values_per_name match # the tagging rule. for test_index in range(maximum_number_of_attribute_values): # Create the test event data and set the attributes to one of # the test values. event_data = event_data_class() for attribute_name, attribute_values in ( attribute_values_per_name.items()): attribute_value_index = min(test_index, len(attribute_values) - 1) attribute_value = attribute_values[attribute_value_index] setattr(event_data, attribute_name, attribute_value) storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, len(expected_rule_names)) self._CheckLabels(storage_writer, expected_rule_names) # Test if bogus variations on attribute_values_per_name do not match # the tagging rule. for test_attribute_name in attribute_values_per_name.keys(): # Create the test event data and set the attributes to one of # the test values. event_data = event_data_class() for attribute_name, attribute_values in ( attribute_values_per_name.items()): if attribute_name == test_attribute_name: attribute_value = 'BOGUS' else: attribute_value = attribute_values[0] setattr(event_data, attribute_name, attribute_value) storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) def _TagEvent(self, event, event_data, event_data_stream): """Tags an event. Args: event (Event): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. Returns: FakeStorageWriter: storage writer. Raises: SkipTest: if the tag file does not exist. """ tag_file_path = self._GetDataFilePath([self._TAG_FILE]) self._SkipIfPathNotExists(tag_file_path) session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() if event_data_stream: storage_writer.AddEventDataStream(event_data_stream) storage_writer.AddEventData(event_data) storage_writer.AddEvent(event) knowledge_base_object = knowledge_base.KnowledgeBase() mediator = analysis_mediator.AnalysisMediator(storage_writer, knowledge_base_object) plugin = tagging.TaggingAnalysisPlugin() plugin.SetAndLoadTagFile(tag_file_path) plugin.ExamineEvent(mediator, event, event_data, event_data_stream) analysis_report = plugin.CompileReport(mediator) storage_writer.AddAnalysisReport(analysis_report) return storage_writer
def testWriteEventBody(self): """Tests the WriteEventBody function.""" test_file_object = io.StringIO() output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetTestFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = json_line.JSONLineOutputModule(output_mediator) output_module._file_object = test_file_object event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) output_module.WriteEventBody(event, event_data, event_data_stream, None) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2012-06-27 18:17:01') if sys.platform.startswith('win'): # The dict comparison is very picky on Windows hence we # have to make sure the drive letter is in the same case. expected_os_location = os.path.abspath('\\{0:s}'.format( os.path.join('cases', 'image.dd'))) else: expected_os_location = '{0:s}{1:s}'.format( os.path.sep, os.path.join('cases', 'image.dd')) expected_json_dict = { '__container_type__': 'event', '__type__': 'AttributeContainer', 'date_time': { '__class_name__': 'PosixTimeInMicroseconds', '__type__': 'DateTimeValues', 'timestamp': 1340821021000000, }, 'data_type': 'test:event', 'display_name': 'TSK:/var/log/syslog.1', 'filename': '/var/log/syslog.1', 'hostname': 'ubuntu', 'inode': '15', 'message': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): ' 'session closed for user root)'), 'pathspec': { '__type__': 'PathSpec', 'type_indicator': 'TSK', 'location': '/var/log/syslog.1', 'inode': 15, 'parent': { '__type__': 'PathSpec', 'type_indicator': 'OS', 'location': expected_os_location, } }, 'text': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): ' 'session\n closed for user root)'), 'timestamp': expected_timestamp, 'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN, 'username': '******', } event_body = test_file_object.getvalue() # We need to compare dicts since we cannot determine the order # of values in the string. json_dict = json.loads(event_body) self.assertEqual(json_dict, expected_json_dict)
def testWriteEventBody(self): """Tests the WriteEventBody function.""" event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) formatters_manager.FormattersManager.RegisterFormatter( formatters_test_lib.TestEventFormatter) try: self._output_module.WriteEventBody(event, event_data, event_data_stream, None) finally: formatters_manager.FormattersManager.DeregisterFormatter( formatters_test_lib.TestEventFormatter) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2012-06-27 18:17:01') if sys.platform.startswith('win'): # The dict comparison is very picky on Windows hence we # have to make sure the drive letter is in the same case. expected_os_location = os.path.abspath('\\{0:s}'.format( os.path.join('cases', 'image.dd'))) else: expected_os_location = '{0:s}{1:s}'.format( os.path.sep, os.path.join('cases', 'image.dd')) expected_json_dict = { '__container_type__': 'event', '__type__': 'AttributeContainer', 'data_type': 'test:event', 'display_name': 'OS: /var/log/syslog.1', 'hostname': 'ubuntu', 'inode': 12345678, 'message': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): ' 'session closed for user root)'), 'pathspec': { '__type__': 'PathSpec', 'type_indicator': 'TSK', 'location': '/var/log/syslog.1', 'inode': 15, 'parent': { '__type__': 'PathSpec', 'type_indicator': 'OS', 'location': expected_os_location, } }, 'text': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): ' 'session\n closed for user root)'), 'timestamp': expected_timestamp, 'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN, 'username': '******', } event_body = self._output_writer.ReadOutput() # We need to compare dicts since we cannot determine the order # of values in the string. json_dict = json.loads(event_body) self.assertEqual(json_dict, expected_json_dict)
def testLocaltimeToUTC(self): """Test the localtime to UTC conversion.""" timezone = pytz.timezone('CET') local_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-01-01 01:00:00') timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-01-01 00:00:00') self.assertEqual(timestamp, expected_timestamp) local_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-07-01 02:00:00') timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-07-01 00:00:00') self.assertEqual(timestamp, expected_timestamp) # In the local timezone this is a non-existent timestamp. local_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-03-31 02:00:00') with self.assertRaises(pytz.NonExistentTimeError): timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone, is_dst=None) timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone, is_dst=True) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-03-31 00:00:00') self.assertEqual(timestamp, expected_timestamp) timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone, is_dst=False) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-03-31 01:00:00') self.assertEqual(timestamp, expected_timestamp) # In the local timezone this is an ambiguous timestamp. local_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-10-27 02:30:00') with self.assertRaises(pytz.AmbiguousTimeError): timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone, is_dst=None) timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone, is_dst=True) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-10-27 00:30:00') self.assertEqual(timestamp, expected_timestamp) timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-10-27 01:30:00') self.assertEqual(timestamp, expected_timestamp) # Use the UTC timezone. self.assertEqual( timelib.Timestamp.LocaltimeToUTC(local_timestamp, pytz.UTC), local_timestamp) # Use a timezone in the Western Hemisphere. timezone = pytz.timezone('EST') local_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-01-01 00:00:00') timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2013-01-01 05:00:00') self.assertEqual(timestamp, expected_timestamp)
def testWriteSerializedDict(self): """Tests the _WriteSerializedDict function.""" output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetTestFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) formatting_helper = shared_json.JSONEventFormattingHelper( output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) expected_timestamp = shared_test_lib.CopyTimestampFromSring( '2012-06-27 18:17:01') if sys.platform.startswith('win'): # The dict comparison is very picky on Windows hence we # have to make sure the drive letter is in the same case. expected_os_location = os.path.abspath('\\{0:s}'.format( os.path.join('cases', 'image.dd'))) else: expected_os_location = '{0:s}{1:s}'.format( os.path.sep, os.path.join('cases', 'image.dd')) expected_json_dict = { '__container_type__': 'event', '__type__': 'AttributeContainer', 'data_type': 'test:event', 'display_name': 'OS: /var/log/syslog.1', 'hostname': 'ubuntu', 'inode': 12345678, 'message': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): session ' 'closed for user root)'), 'pathspec': { '__type__': 'PathSpec', 'type_indicator': 'TSK', 'location': '/var/log/syslog.1', 'inode': 15, 'parent': { '__type__': 'PathSpec', 'type_indicator': 'OS', 'location': expected_os_location, } }, 'text': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): ' 'session\n closed for user root)'), 'timestamp': expected_timestamp, 'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN, 'username': '******', } json_dict = formatting_helper._WriteSerializedDict( event, event_data, event_data_stream, None) self.assertEqual(json_dict, expected_json_dict)