Exemple #1
    def Validate(self):
        """Verify that this collector definition is well formed.

        The checks run in a fixed order and stop at the first failure: the
        optional 'path_list' and 'path' args must have the expected types,
        every entry of returned_types must be present in
        rdfvalue.RDFValue.classes, collector_type must be a key of
        artifact_lib.TYPE_MAP, and every name listed under that entry's
        "required_args" must be present in self.args.

        Raises:
          ArtifactDefinitionError: If any of the checks above fails.
        """
        # 'path' (one string) and 'path_list' (a list) are easy to mix up.
        # NOTE(review): both type checks only run for truthy values, so a
        # falsy value of the wrong type is not reported here.
        if (self.args.GetItem("path_list") and
                not isinstance(self.args.GetItem("path_list"), list)):
            raise artifact_lib.ArtifactDefinitionError(
                "Arg 'path_list' that is not a list.")

        if (self.args.GetItem("path") and
                not isinstance(self.args.GetItem("path"), basestring)):
            raise artifact_lib.ArtifactDefinitionError(
                "Arg 'path' is not a string.")

        # Every declared return type must be known to RDFValue.
        for type_name in self.returned_types or ():
            if type_name in rdfvalue.RDFValue.classes:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Invalid return type %s" % type_name)

        # Reject unknown collector types before TYPE_MAP is indexed below.
        type_key = str(self.collector_type)
        if type_key not in artifact_lib.TYPE_MAP:
            raise artifact_lib.ArtifactDefinitionError(
                "Invalid collector_type %s." % self.collector_type)

        # Compare the args this collector type requires with those supplied.
        type_spec = artifact_lib.TYPE_MAP[type_key]
        absent = set(type_spec.get("required_args", [])) - set(self.args.keys())
        if absent:
            raise artifact_lib.ArtifactDefinitionError(
                "Missing required args: %s." % absent)
Exemple #2
    def Validate(self):
        """Run the full, registry-aware validation of this artifact.

        ValidateSyntax() is run first; afterwards every path dependency must be
        a KnowledgeBase field name and every artifact dependency must be present
        in artifact_lib.ArtifactRegistry.artifacts. Because of the registry
        lookup, call this only once all artifacts have been loaded; use
        ValidateSyntax() to check a single artifact at import time.

        Raises:
          ArtifactDefinitionError: If artifact is invalid.
        """
        artifact_name = self.name
        self.ValidateSyntax()

        # Path dependencies may only name fields the knowledge base defines.
        kb_fields = rdfvalue.KnowledgeBase().GetKbFieldNames()
        for path_dep in self.GetArtifactPathDependencies():
            if path_dep in kb_fields:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has an invalid path dependency %s. Artifacts must use "
                "defined knowledge attributes." % (artifact_name, path_dep))

        # Artifact dependencies must already be present in the registry.
        for artifact_dep in self.GetArtifactDependencies():
            if artifact_dep in artifact_lib.ArtifactRegistry.artifacts:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has an invalid dependency %s . Could not find artifact"
                " definition." % (artifact_name, artifact_dep))
Exemple #3
  def ValidateSyntax(self):
    """Check this artifact definition on its own, without the registry.

    Unlike Validate(), this does not look other artifacts up, so it can be run
    on each artifact as it is loaded. The checks run in order and stop at the
    first failure: doc is set, supported_os and labels use allowed values,
    every condition parses and compiles, provides and path dependencies name
    KnowledgeBase fields, and every collector passes its own Validate().

    Raises:
      ArtifactDefinitionError: If artifact is invalid.
    """
    artifact_name = self.name
    if not self.doc:
      raise artifact_lib.ArtifactDefinitionError(
          "Artifact %s has missing doc" % artifact_name)

    for os_name in self.supported_os:
      if os_name in artifact_lib.SUPPORTED_OS_LIST:
        continue
      raise artifact_lib.ArtifactDefinitionError(
          "Artifact %s has invalid supported_os %s" % (artifact_name, os_name))

    # Each condition must parse and compile as an objectfilter expression.
    # Only ConditionError is translated; anything else propagates unchanged.
    for condition in self.conditions:
      try:
        objectfilter.Parser(condition).Parse().Compile(
            objectfilter.BaseFilterImplementation)
      except artifact_lib.ConditionError as err:
        raise artifact_lib.ArtifactDefinitionError(
            "Artifact %s has invalid condition %s. %s" % (
                artifact_name, condition, err))

    for label in self.labels:
      if label in artifact_lib.ARTIFACT_LABELS:
        continue
      raise artifact_lib.ArtifactDefinitionError(
          "Artifact %s has an invalid label %s. Please use one from "
          "ARTIFACT_LABELS." % (artifact_name, label))

    # One field list serves both the provides and the path dependency checks.
    kb_fields = rdfvalue.KnowledgeBase().GetKbFieldNames()

    # Anything listed in provides must be defined in the KnowledgeBase.
    for provided in self.provides:
      if provided in kb_fields:
        continue
      raise artifact_lib.ArtifactDefinitionError(
          "Artifact %s has broken provides: '%s' not in KB fields: %s" % (
              artifact_name, provided, kb_fields))

    # Any %%blah%% path dependencies must be defined in the KnowledgeBase.
    for path_dep in self.GetArtifactPathDependencies():
      if path_dep in kb_fields:
        continue
      raise artifact_lib.ArtifactDefinitionError(
          "Artifact %s has an invalid path dependency: '%s', not in KB "
          "fields: %s" % (artifact_name, path_dep, kb_fields))

    # A collector failure is re-raised with the artifact name attached.
    for collector in self.collectors:
      try:
        collector.Validate()
      except artifact_lib.Error as err:
        raise artifact_lib.ArtifactDefinitionError(
            "Artifact %s has bad collector. %s" % (artifact_name, err))
Exemple #4
    def testRDFMaps(self):
        """Check every entry of artifact.GRRArtifactMappings.rdf_map.

        Each value is unpacked as a 4-tuple; the last three items are the AFF4
        type, the AFF4 attribute and the operator. The operator must be "Set"
        or "Append", the type must be in aff4.AFF4Object.classes, and calling
        the named attribute of that class's SchemaCls must give an RDFValue.

        Raises:
          ArtifactDefinitionError: On the first mapping that breaks a rule.
        """
        mappings = artifact.GRRArtifactMappings.rdf_map
        # Example value: "info/software", "InstalledSoftwarePackages",
        # "INSTALLED_PACKAGES", "Append"
        for rdf_name, (_, type_name, attr_name, map_op) in mappings.items():
            if map_op not in ("Set", "Append"):
                raise artifact_lib.ArtifactDefinitionError(
                    "Bad RDFMapping, unknown operator %s in %s" %
                    (map_op, rdf_name))

            if type_name not in aff4.AFF4Object.classes:
                raise artifact_lib.ArtifactDefinitionError(
                    "Bad RDFMapping, invalid AFF4 Object %s in %s" %
                    (type_name, rdf_name))

            # Call the schema attribute and check what it produces.
            schema = aff4.AFF4Object.classes[type_name].SchemaCls
            produced = getattr(schema, attr_name)()
            if not isinstance(produced, rdfvalue.RDFValue):
                raise artifact_lib.ArtifactDefinitionError(
                    "Bad RDFMapping, bad attribute %s for %s" %
                    (attr_name, rdf_name))
Exemple #5
    def ValidateSyntax(self):
        """Check this artifact definition on its own, without the registry.

        Unlike Validate(), this does not need every artifact to be loaded, so
        it can be run on each artifact as it is loaded. The checks run in order
        and stop at the first failure: doc is set, supported_os and labels use
        allowed values, every condition parses and compiles, no provides entry
        is shorter than three characters, and every collector passes its own
        Validate().

        Raises:
          ArtifactDefinitionError: If artifact is invalid.
        """
        artifact_name = self.name
        if not self.doc:
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has missing doc" % artifact_name)

        for os_name in self.supported_os:
            if os_name in artifact_lib.SUPPORTED_OS_LIST:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has invalid supported_os %s" %
                (artifact_name, os_name))

        # Each condition must parse and compile as an objectfilter expression.
        # Only ConditionError is translated; anything else propagates unchanged.
        for condition in self.conditions:
            try:
                objectfilter.Parser(condition).Parse().Compile(
                    objectfilter.BaseFilterImplementation)
            except artifact_lib.ConditionError as err:
                raise artifact_lib.ArtifactDefinitionError(
                    "Artifact %s has invalid condition %s. %s" %
                    (artifact_name, condition, err))

        for label in self.labels:
            if label in artifact_lib.ARTIFACT_LABELS:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has an invalid label %s. Please use one from "
                "ARTIFACT_LABELS." % (artifact_name, label))

        # Very short entries suggest a bare string was given where a list was
        # expected, so that iterating it yields single characters.
        for provided in self.provides:
            if len(provided) >= 3:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has broken provides. %s" %
                (artifact_name, self.provides))

        # A collector failure is re-raised with the artifact name attached.
        for collector in self.collectors:
            try:
                collector.Validate()
            except artifact_lib.Error as err:
                raise artifact_lib.ArtifactDefinitionError(
                    "Artifact %s has bad collector. %s" % (artifact_name, err))
Exemple #6
    def Validate(self):
        """Validate that this artifact has been well defined.

        This enforces the Artifact rules in one pass, stopping at the first
        failure: doc is set, supported_os and labels use allowed values, every
        condition parses and compiles, path dependencies name KnowledgeBase
        fields, artifact dependencies are present in
        artifact_lib.ArtifactRegistry.artifacts, every collector passes its own
        Validate(), and no provides entry is shorter than three characters.

        Raises:
          ArtifactDefinitionError: If artifact is invalid.
        """
        artifact_name = self.name
        if not self.doc:
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has missing doc" % artifact_name)

        for os_name in self.supported_os:
            if os_name in artifact_lib.SUPPORTED_OS_LIST:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has invalid supported_os %s" %
                (artifact_name, os_name))

        # Each condition must parse and compile as an objectfilter expression.
        # Only ConditionError is translated; anything else propagates unchanged.
        for condition in self.conditions:
            try:
                objectfilter.Parser(condition).Parse().Compile(
                    objectfilter.BaseFilterImplementation)
            except artifact_lib.ConditionError as err:
                raise artifact_lib.ArtifactDefinitionError(
                    "Artifact %s has invalid condition %s. %s" %
                    (artifact_name, condition, err))

        for label in self.labels:
            if label in artifact_lib.ARTIFACT_LABELS:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has an invalid label %s. Please use one from "
                "ARTIFACT_LABELS." % (artifact_name, label))

        # Path dependencies may only name fields the knowledge base defines.
        kb_fields = rdfvalue.KnowledgeBase().GetKbFieldNames()
        for path_dep in self.GetArtifactPathDependencies():
            if path_dep in kb_fields:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has an invalid path dependency %s. Artifacts must use "
                "defined knowledge attributes." % (artifact_name, path_dep))

        # Artifact dependencies must already be present in the registry.
        for artifact_dep in self.GetArtifactDependencies():
            if artifact_dep in artifact_lib.ArtifactRegistry.artifacts:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has an invalid dependency %s . Could not find artifact"
                " definition." % (artifact_name, artifact_dep))

        # A collector failure is re-raised with the artifact name attached.
        for collector in self.collectors:
            try:
                collector.Validate()
            except artifact_lib.Error as err:
                raise artifact_lib.ArtifactDefinitionError(
                    "Artifact %s has bad collector. %s" % (artifact_name, err))

        # Very short entries suggest a bare string was given where a list was
        # expected, so that iterating it yields single characters.
        for provided in self.provides:
            if len(provided) >= 3:
                continue
            raise artifact_lib.ArtifactDefinitionError(
                "Artifact %s has broken provides. %s" %
                (artifact_name, self.provides))