def testDupeBan(self):
bit9_binary = test_utils.CreateBit9Binary()
file_catalog = bit9_test_utils.CreateFileCatalog(
id=bit9_binary.file_catalog_id,
sha256=bit9_binary.key.id(),
certificate_state=bit9_constants.APPROVAL_STATE.BANNED,
file_state=bit9_constants.APPROVAL_STATE.APPROVED,
publisher_state=bit9_constants.APPROVAL_STATE.APPROVED)
self.assertEntityCount(base_db.Note, 0)
sync._PersistBanNote(file_catalog).wait()
self.assertEntityCount(base_db.Note, 1)
sync._PersistBanNote(file_catalog).wait()
self.assertEntityCount(base_db.Note, 1)
def testNoFileInstances(self):
binary = test_utils.CreateBit9Binary(file_catalog_id='1111')
user = test_utils.CreateUser()
local_rule = test_utils.CreateBit9Rule(
binary.key, host_id='2222', user_key=user.key,
policy=constants.RULE_POLICY.WHITELIST, is_fulfilled=False)
# Simulate getting no fileInstances from Bit9.
self.PatchApiRequests([])
change_set.ChangeLocalState(
binary, local_rule, bit9_constants.APPROVAL_STATE.APPROVED)
self.assertFalse(local_rule.key.get().is_fulfilled)
self.assertNoBigQueryInsertions()
def testNoChanges(self):
bit9_binary = test_utils.CreateBit9Binary(detected_installer=False)
event, signing_chain = _CreateEventTuple(
file_catalog=bit9_test_utils.CreateFileCatalog(
id=bit9_binary.file_catalog_id,
sha256=bit9_binary.key.id(),
file_flags=0x0))
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, signing_chain).get_result()
self.assertFalse(changed)
# Empty because Binary is not new and State is not BANNED.
self.assertTaskCount(constants.TASK_QUEUE.BQ_PERSISTENCE, 0)
def testNoChanges(self):
bit9_binary = test_utils.CreateBit9Binary(detected_installer=False)
file_catalog_kwargs = {
'id': bit9_binary.file_catalog_id,
'sha256': bit9_binary.key.id(),
'file_flags': 0x0}
event, cert = _CreateEventAndCert(file_catalog_kwargs=file_catalog_kwargs)
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, [cert]).get_result()
self.assertFalse(changed)
# Empty because Binary is not new and State is not BANNED.
self.assertNoBigQueryInsertions()
def testFileCatalogIdInitiallyMissing(self):
bit9_binary = test_utils.CreateBit9Binary(file_catalog_id=None)
sha256 = bit9_binary.key.id()
file_catalog_kwargs = {'id': '12345', 'sha256': sha256}
event, cert = _CreateEventAndCert(file_catalog_kwargs=file_catalog_kwargs)
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, [cert]).get_result()
self.assertTrue(changed)
bit9_binary = bit9_models.Bit9Binary.get_by_id(sha256)
self.assertEqual('12345', bit9_binary.file_catalog_id)
# Should be Empty: No new Binary or BANNED State.
self.assertNoBigQueryInsertions()
def testPost_Admin_Reset_CaseInsensitiveID(self, mock_reset):
sha256 = test_utils.RandomSHA256()
test_utils.CreateBit9Binary(id=sha256,
id_type=constants.ID_TYPE.SHA256,
file_name='some_binary')
params = {'reset': 'reset'}
with self.LoggedInUser(admin=True):
self.testapp.post(self.ROUTE % sha256.lower(),
params,
status=httplib.OK)
self.testapp.post(self.ROUTE % sha256.upper(),
params,
status=httplib.OK)
self.assertEqual(2, mock_reset.call_count)
def testWhitelist_HasEvent(self):
binary = test_utils.CreateBit9Binary(file_catalog_id='1111')
user = test_utils.CreateUser()
local_rule = test_utils.CreateBit9Rule(
binary.key, host_id='2222', user_key=user.key,
policy=constants.RULE_POLICY.WHITELIST, is_fulfilled=False)
# Create a Bit9Event corresponding to the Bit9Rule.
pairs = [
('User', user.email),
('Host', '2222'),
('Blockable', binary.key.id()),
('Event', '1')]
event_key = ndb.Key(pairs=pairs)
first_blocked_dt = datetime.datetime.utcnow() - datetime.timedelta(hours=3)
test_utils.CreateBit9Event(
binary, key=event_key, first_blocked_dt=first_blocked_dt)
# Mock out the Bit9 API interactions.
file_instance = api.FileInstance(
id=3333,
file_catalog_id=1111,
computer_id=2222,
local_state=bit9_constants.APPROVAL_STATE.UNAPPROVED)
self.PatchApiRequests([file_instance], file_instance)
change_set.ChangeLocalState(
binary, local_rule, bit9_constants.APPROVAL_STATE.APPROVED)
# Verify the Bit9 API interactions.
self.mock_ctx.ExecuteRequest.assert_has_calls([
mock.call(
'GET', api_route='fileInstance',
query_args=[r'q=computerId:2222', 'q=fileCatalogId:1111']),
mock.call(
'POST', api_route='fileInstance',
data={'id': 3333,
'localState': 2,
'fileCatalogId': 1111,
'computerId': 2222},
query_args=None)])
self.assertTrue(local_rule.key.get().is_fulfilled)
self.assertBigQueryInsertion(constants.BIGQUERY_TABLE.RULE)
def setUp(self):
super(Bit9EventTest, self).setUp()
self.user = test_utils.CreateUser()
self.bit9_host = test_utils.CreateBit9Host()
self.bit9_binary = test_utils.CreateBit9Binary()
now = test_utils.Now()
self.bit9_event = test_utils.CreateBit9Event(
self.bit9_binary,
host_id=self.bit9_host.key.id(),
executing_user=self.user.nickname,
first_blocked_dt=now,
last_blocked_dt=now,
id='1',
parent=utils.ConcatenateKeys(self.user.key, self.bit9_host.key,
self.bit9_binary.key))
def testFileCatalogIdInitiallyMissing(self):
bit9_binary = test_utils.CreateBit9Binary(file_catalog_id=None)
sha256 = bit9_binary.key.id()
event, signing_chain = _CreateEventTuple(
file_catalog=bit9_test_utils.CreateFileCatalog(
id='12345',
sha256=sha256))
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, signing_chain).get_result()
self.assertTrue(changed)
bit9_binary = bit9_db.Bit9Binary.get_by_id(sha256)
self.assertEqual('12345', bit9_binary.file_catalog_id)
# Should be Empty: No new Binary or BANNED State.
self.assertTaskCount(constants.TASK_QUEUE.BQ_PERSISTENCE, 0)
def testAll(self, mock_metric):
other_binary = test_utils.CreateBit9Binary()
# Create two changeset so we're sure we're doing only 1 task per blockable.
real_change = test_utils.CreateRuleChangeSet(other_binary.key)
unused_change = test_utils.CreateRuleChangeSet(other_binary.key)
self.assertTrue(real_change.recorded_dt < unused_change.recorded_dt)
self.testapp.get('/')
self.assertEqual(2, mock_metric.Set.call_args_list[0][0][0])
self.assertTaskCount(constants.TASK_QUEUE.BIT9_COMMIT_CHANGE, 2)
with mock.patch.object(change_set, 'CommitChangeSet') as mock_commit:
self.RunDeferredTasks(constants.TASK_QUEUE.BIT9_COMMIT_CHANGE)
expected_calls = [
mock.call(self.change.key),
mock.call(real_change.key)
]
self.assertSameElements(expected_calls, mock_commit.mock_calls)
def testStateChangedToBanned(self):
bit9_binary = test_utils.CreateBit9Binary(state=constants.STATE.UNTRUSTED)
sha256 = bit9_binary.key.id()
event_kwargs = {'subtype': bit9_constants.SUBTYPE.BANNED}
file_catalog_kwargs = {'id': '12345', 'sha256': sha256}
event, cert = _CreateEventAndCert(
event_kwargs=event_kwargs, file_catalog_kwargs=file_catalog_kwargs)
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, [cert]).get_result()
self.assertTrue(changed)
bit9_binary = bit9_models.Bit9Binary.get_by_id(sha256)
self.assertEqual(constants.STATE.BANNED, bit9_binary.state)
# Should be 1 for the BANNED State.
self.assertBigQueryInsertions([constants.BIGQUERY_TABLE.BINARY])
def testGetEventKeysToInsert_Superuser(self):
bit9_host = test_utils.CreateBit9Host()
bit9_binary = test_utils.CreateBit9Binary()
now = test_utils.Now()
bit9_event = test_utils.CreateBit9Event(
bit9_binary,
host_id=bit9_host.key.id(),
executing_user=constants.LOCAL_ADMIN.WINDOWS,
first_blocked_dt=now,
last_blocked_dt=now,
id='1',
parent=datastore_utils.ConcatenateKeys(
self.user.key, bit9_host.key, bit9_binary.key))
users = [self.user.nickname]
self.assertEquals(
[bit9_event.key],
model_utils.GetEventKeysToInsert(bit9_event, users, users))
def testWhitelist_NoEvent(self):
binary = test_utils.CreateBit9Binary(file_catalog_id='1111')
user = test_utils.CreateUser()
local_rule = test_utils.CreateBit9Rule(
binary.key,
host_id='2222',
user_key=user.key,
policy=constants.RULE_POLICY.WHITELIST,
is_fulfilled=False)
# Mock out the Bit9 API interactions.
file_instance = api.FileInstance(
id=3333,
file_catalog_id=1111,
computer_id=2222,
local_state=bit9_constants.APPROVAL_STATE.UNAPPROVED)
self.PatchApiRequests([file_instance], file_instance)
change_set.ChangeLocalState(binary, local_rule,
bit9_constants.APPROVAL_STATE.APPROVED)
# Verify the Bit9 API interactions.
self.mock_ctx.ExecuteRequest.assert_has_calls([
mock.call(
'GET',
api_route='fileInstance',
query_args=[r'q=computerId:2222', 'q=fileCatalogId:1111']),
mock.call('POST',
api_route='fileInstance',
data={
'id': 3333,
'localState': 2,
'fileCatalogId': 1111,
'computerId': 2222
},
query_args=None)
])
self.assertTrue(local_rule.key.get().is_fulfilled)
self.assertBigQueryInsertion(constants.BIGQUERY_TABLE.RULE)
def testStateChangedToBanned(self):
bit9_binary = test_utils.CreateBit9Binary(state=constants.STATE.UNTRUSTED)
sha256 = bit9_binary.key.id()
event, signing_chain = _CreateEventTuple(
subtype=bit9_constants.SUBTYPE.BANNED,
file_catalog=bit9_test_utils.CreateFileCatalog(
id='12345',
sha256=sha256))
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, signing_chain).get_result()
self.assertTrue(changed)
bit9_binary = bit9_db.Bit9Binary.get_by_id(sha256)
self.assertEqual(constants.STATE.BANNED, bit9_binary.state)
# Should be 1 for the BANNED State.
self.DrainTaskQueue(constants.TASK_QUEUE.BQ_PERSISTENCE)
self.assertEntityCount(bigquery_db.BinaryRow, 1)
def testChangeState(self):
# Verify the Bit9Binary is in the default state of UNTRUSTED.
binary = test_utils.CreateBit9Binary()
blockable_hash = binary.blockable_hash
binary = binary_models.Bit9Binary.get_by_id(blockable_hash)
self.assertIsNotNone(binary)
self.assertEqual(constants.STATE.UNTRUSTED, binary.state)
# Note the state change timestamp.
old_state_change_dt = binary.state_change_dt
# Change the state.
binary.ChangeState(constants.STATE.BANNED)
# Reload, and verify the state change.
binary = binary_models.Bit9Binary.get_by_id(blockable_hash)
self.assertIsNotNone(binary)
self.assertEqual(constants.STATE.BANNED, binary.state)
self.assertBigQueryInsertion(constants.BIGQUERY_TABLE.BINARY)
# And the state change timestamp should be increased.
self.assertGreater(binary.state_change_dt, old_state_change_dt)
def testForcedInstaller_PreexistingRule_ConflictingPolicy(self):
bit9_binary = test_utils.CreateBit9Binary(
detected_installer=False, is_installer=False)
test_utils.CreateBit9Rule(
bit9_binary.key,
is_committed=True,
policy=constants.RULE_POLICY.FORCE_NOT_INSTALLER)
event, signing_chain = _CreateEventTuple(
file_catalog=bit9_test_utils.CreateFileCatalog(
id=bit9_binary.file_catalog_id,
sha256=bit9_binary.key.id(),
file_flags=bit9_constants.FileFlags.MARKED_INSTALLER))
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, signing_chain).get_result()
self.assertTrue(changed)
self.assertTrue(bit9_binary.key.get().is_installer)
# Empty because Binary is not new and State is not BANNED.
self.assertTaskCount(constants.TASK_QUEUE.BQ_PERSISTENCE, 0)
def testForcedInstaller_PreexistingRule_ConflictingPolicy(self):
bit9_binary = test_utils.CreateBit9Binary(
detected_installer=False, is_installer=False)
test_utils.CreateBit9Rule(
bit9_binary.key,
is_committed=True,
policy=constants.RULE_POLICY.FORCE_NOT_INSTALLER)
file_catalog_kwargs = {
'id': bit9_binary.file_catalog_id,
'sha256': bit9_binary.key.id(),
'file_flags': bit9_constants.FileFlags.MARKED_INSTALLER}
event, cert = _CreateEventAndCert(file_catalog_kwargs=file_catalog_kwargs)
file_catalog = event.get_expand(api.Event.file_catalog_id)
changed = sync._PersistBit9Binary(
event, file_catalog, [cert]).get_result()
self.assertTrue(changed)
self.assertTrue(bit9_binary.key.get().is_installer)
# Empty because Binary is not new and State is not BANNED.
self.assertNoBigQueryInsertions()
def setUp(self):
super(CommitBlockableChangeSetTest, self).setUp()
# Set up a fake Bit9ApiAuth entity in Datastore.
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = os.path.join(
absltest.get_default_test_srcdir(), 'upvote/gae/modules/bit9_api',
'fake_credentials.json')
self.Patch(change_set.bit9_utils.bit9.kms_ndb.EncryptedBlobProperty,
'_Encrypt',
return_value='blah')
self.Patch(change_set.bit9_utils.bit9.kms_ndb.EncryptedBlobProperty,
'_Decrypt',
return_value='blah')
bit9.Bit9ApiAuth.SetInstance(api_key='blah')
self.mock_ctx = mock.Mock(spec=change_set.bit9_utils.api.Context)
self.Patch(change_set.bit9_utils.api,
'Context',
return_value=self.mock_ctx)
self.binary = test_utils.CreateBit9Binary(file_catalog_id='1234')
self.local_rule = test_utils.CreateBit9Rule(self.binary.key,
host_id='5678')
self.global_rule = test_utils.CreateBit9Rule(self.binary.key)
def setUp(self):
super(RuleChangeSetTest, self).setUp()
self.bit9_binary = test_utils.CreateBit9Binary()
def setUp(self):
super(CommitBlockableChangeSetTest, self).setUp()
self.binary = test_utils.CreateBit9Binary(file_catalog_id='1234')
self.local_rule = test_utils.CreateBit9Rule(self.binary.key, host_id='5678')
self.global_rule = test_utils.CreateBit9Rule(self.binary.key)
def setUp(self):
super(Bit9BinaryTest, self).setUp()
self.bit9_binary = test_utils.CreateBit9Binary()
self.PatchEnv(settings.ProdEnv, ENABLE_BIGQUERY_STREAMING=True)
def testIsInstance(self):
binary = test_utils.CreateBit9Binary()
self.assertTrue(binary.IsInstance('Blockable'))
self.assertTrue(binary.IsInstance('Binary'))
self.assertTrue(binary.IsInstance('Bit9Binary'))
self.assertFalse(binary.IsInstance('SomethingElse'))
def setUp(self):
app = webapp2.WSGIApplication(routes=[events.ROUTES])
super(EventsTest, self).setUp(wsgi_app=app)
self.santa_cert = test_utils.CreateSantaCertificate()
self.santa_blockable1 = test_utils.CreateSantaBlockable(
id='aaaabbbbccccddddeeeeffffgggg',
file_name='Product.app',
cert_key=self.santa_cert.key,
cert_sha256=self.santa_cert.key.id())
self.santa_blockable2 = test_utils.CreateSantaBlockable(
id='hhhhiiiijjjjkkkkllllmmmmnnnn', file_name='Another Product.app')
self.bit9_blockable1 = test_utils.CreateBit9Binary(
id='zzzzaaaayyyybbbbxxxxccccwwww', file_name='notepad++.exe')
self.user_1 = test_utils.CreateUser()
self.user_2 = test_utils.CreateUser()
self.santa_host1 = test_utils.CreateSantaHost(
id='AAAAAAAA-1111-BBBB-2222-CCCCCCCCCCCC',
recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.santa_host2 = test_utils.CreateSantaHost(
id='DDDDDDDD-3333-EEEE-33333-FFFFFFFFFFFF',
recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.bit9_host1 = test_utils.CreateSantaHost(
id='CHANGE-ME', recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.bit9_host2 = test_utils.CreateSantaHost(
id='CHANGE-ME2',
recorded_dt=datetime.datetime(2015, 2, 1, 1, 0, 0))
self.santa_event1_from_user1 = test_utils.CreateSantaEvent(
self.santa_blockable1,
cert_key=self.santa_cert.key,
cert_sha256=self.santa_blockable1.cert_sha256,
executing_user=self.user_1.nickname,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
file_name=self.santa_blockable1.file_name,
file_path='/Applications/Product.app/Contents/MacOs',
host_id=self.santa_host1.key.id(),
last_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.santa_host1.key,
self.santa_blockable1.key))
self.santa_event2_from_user1 = test_utils.CreateSantaEvent(
self.santa_blockable1,
cert_key=self.santa_cert.key,
cert_sha256=self.santa_blockable1.cert_sha256,
executing_user=self.user_1.nickname,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
file_name=self.santa_blockable1.file_name,
file_path='/Applications/Product.app/Contents/MacOs',
host_id=self.santa_host2.key.id(),
last_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.santa_host2.key,
self.santa_blockable1.key))
self.santa_event3_from_user1 = test_utils.CreateSantaEvent(
self.santa_blockable2,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
executing_user=self.user_1.nickname,
file_name=self.santa_blockable2.file_name,
file_path='/Applications/Another Product.app/Contents/MacOs',
host_id=self.santa_host1.key.id(),
last_blocked_dt=datetime.datetime(2015, 5, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 5, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.santa_host1.key,
self.santa_blockable2.key))
self.santa_event1_from_user2 = test_utils.CreateSantaEvent(
self.santa_blockable1,
event_type=constants.EVENT_TYPE.ALLOW_UNKNOWN,
executing_user=self.user_2.nickname,
file_name=self.santa_blockable1.file_name,
file_path='/Applications/Product.app/Contents/MacOs',
host_id=self.santa_host2.key.id(),
last_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 3, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_2.key, self.santa_host2.key,
self.santa_blockable1.key))
self.bit9_event1_from_user1 = test_utils.CreateBit9Event(
self.bit9_blockable1,
executing_user=self.user_1.nickname,
file_name=self.bit9_blockable1.file_name,
file_path=r'c:\program files (x86)\notepad++',
host_id=self.bit9_host1.key.id(),
last_blocked_dt=datetime.datetime(2015, 6, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 6, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_1.key, self.bit9_host1.key,
self.bit9_blockable1.key))
self.bit9_event1_from_user2 = test_utils.CreateBit9Event(
self.bit9_blockable1,
executing_user=self.user_2.nickname,
file_name='notepad++.exe',
file_path=r'c:\program files (x86)\notepad++',
host_id=self.bit9_host2.key.id(),
last_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
first_blocked_dt=datetime.datetime(2015, 4, 1, 1, 0, 0),
parent=utils.ConcatenateKeys(self.user_2.key, self.bit9_host2.key,
self.bit9_blockable1.key))
self.PatchValidateXSRFToken()
