def testParse(self):
filt = filters.ItemFilter()
one = rdfvalue.Config(test1="1", test2=[2, 3])
foo = rdfvalue.Config(test1="foo", test2=["bar", "baz"])
fs = rdfvalue.Filesystem(device="/dev/sda1", mount_point="/root")
objs = [one, foo, fs]
results = filt.Parse(objs, "test1 is '1'")
self.assertEqual(1, len(results))
self.assertEqual("test1", results[0].k)
self.assertEqual("1", results[0].v)
results = filt.Parse(objs, "test1 is '2'")
self.assertFalse(results)
results = filt.Parse(objs, "test2 contains 3")
self.assertEqual(1, len(results))
self.assertEqual("test2", results[0].k)
self.assertEqual([2, 3], results[0].v)
results = filt.Parse(objs, "test1 is '1' or test1 contains 'foo'")
self.assertEqual(2, len(results))
self.assertEqual("test1", results[0].k)
self.assertEqual("1", results[0].v)
self.assertEqual("test1", results[1].k)
self.assertEqual("foo", results[1].v)
results = filt.Parse(objs, "mount_point is '/root'")
self.assertEqual(1, len(results))
self.assertEqual("mount_point", results[0].k)
self.assertEqual("/root", results[0].v)
def testParse(self):
filt = filters.ObjectFilter()
cfg = rdfvalue.Config(test="ok")
results = list(filt.Parse(cfg, "test is 'ok'"))
self.assertEqual([cfg], results)
cfg = rdfvalue.Config(test="miss")
results = list(filt.Parse(cfg, "test is 'ok'"))
self.assertEqual([], results)
def testParse(self):
filt = filters.ObjectFilter()
hit1 = rdfvalue.Config(test="hit1")
hit2 = rdfvalue.Config(test="hit2")
miss = rdfvalue.Config(test="miss")
objs = [hit1, hit2, miss]
results = filt.Parse(objs, "test is 'hit1'")
self.assertItemsEqual([hit1], results)
results = filt.Parse(objs, "test is 'hit2'")
self.assertItemsEqual([hit2], results)
results = filt.Parse(objs, "test inset 'hit1,hit2'")
self.assertItemsEqual([hit1, hit2], results)
def ParseObjs(self, objs, expression):
filt = self._Compile(expression)
key = expression.split(None, 1)[0]
for obj in objs:
for result in filt.Filter(obj):
val = getattr(result, key)
yield rdfvalue.Config({"k": key, "v": val})
def testParse(self):
filt = filters.RDFFilter()
cfg = rdfvalue.Config()
results = list(filt.Parse(cfg, "KnowledgeBase"))
self.assertFalse(results)
results = list(filt.Parse(cfg, "KnowledgeBase,Config"))
self.assertItemsEqual([cfg], results)
def _Load(self, expression):
self._Flush()
parser = config_file.KeyValueParser(kv_sep=":", sep=",",
term=(r"\s+", r"\n"))
parsed = {}
for entry in parser.ParseEntries(expression):
parsed.update(entry)
self.cfg = rdfvalue.Config(parsed)
return parsed
def Parse(self, obj, expression):
filt = self._Compile(expression)
key = expression.split(None, 1)[0]
for result in filt.Filter(obj):
val = getattr(result, key)
# Use a Config. KeyValueRDF values don't support attribute or dict
# expansion for objectfilter expressions, and Dict RDF values require
# a DictExpander. Using Config keeps the interface to objects consistent.
yield rdfvalue.Config({"k": key, "v": val})
def testParse(self):
filt = filters.AttrFilter()
hit = rdfvalue.Config(test1="1", test2=2, test3=[3, 4])
miss = rdfvalue.Config(test1="5", test2=6, test3=[7, 8])
metacfg = rdfvalue.Config(hit=hit, miss=miss)
result = list(filt.Parse(hit, "test1 test2"))
self.assertEqual(2, len(result))
self.assertEqual("test1", result[0].k)
self.assertEqual("1", result[0].v)
self.assertEqual("test2", result[1].k)
self.assertEqual(2, result[1].v)
result = list(filt.Parse(metacfg, "hit.test3"))
self.assertEqual(1, len(result))
self.assertEqual("hit.test3", result[0].k)
self.assertEqual([3, 4], result[0].v)
def testParse(self):
filt = filters.RDFFilter()
cfg = rdfvalue.Config()
anom = rdfvalue.Anomaly()
objs = [cfg, anom]
results = filt.Parse(objs, "KnowledgeBase")
self.assertFalse(results)
results = filt.Parse(objs, "Config,KnowledgeBase")
self.assertItemsEqual([cfg], results)
results = filt.Parse(objs, "Anomaly,Config,KnowledgeBase")
self.assertItemsEqual(objs, results)
def testParse(self):
filt = filters.AttrFilter()
hit1 = rdfvalue.Config(k1="hit1", k2="found1", k3=[3, 4])
hit2 = rdfvalue.Config(k1="hit2", k2="found2")
meta = rdfvalue.Config(one=hit1, two=hit2)
objs = [hit1, hit2, meta]
results = filt.Parse(objs, "k1 k2 one.k3")
self.assertEqual(5, len(results))
r1, r2, r3, r4, r5 = results
self.assertEqual("k1", r1.k)
self.assertEqual("hit1", r1.v)
self.assertEqual("k1", r2.k)
self.assertEqual("hit2", r2.v)
self.assertEqual("k2", r3.k)
self.assertEqual("found1", r3.v)
self.assertEqual("k2", r4.k)
self.assertEqual("found2", r4.v)
self.assertEqual("one.k3", r5.k)
self.assertEqual([3, 4], r5.v)
def testParse(self):
filt = filters.ItemFilter()
cfg = rdfvalue.Config(test1="1", test2=[2, 3])
result = list(filt.Parse(cfg, "test1 is '1'"))
self.assertEqual(1, len(result))
self.assertEqual("test1", result[0].k)
self.assertEqual("1", result[0].v)
result = list(filt.Parse(cfg, "test1 is '2'"))
self.assertFalse(result)
result = list(filt.Parse(cfg, "test2 contains 3"))
self.assertEqual(1, len(result))
self.assertEqual("test2", result[0].k)
self.assertEqual([2, 3], result[0].v)
# Ensure this works on other RDF types, not just Configs.
cfg = rdfvalue.Filesystem(device="/dev/sda1", mount_point="/root")
result = list(filt.Parse(cfg, "mount_point is '/root'"))
self.assertEqual(1, len(result))
self.assertEqual("mount_point", result[0].k)
self.assertEqual("/root", result[0].v)
def testParseFileObjs(self):
"""Multiple file types are parsed successfully."""
filt = filters.StatFilter()
ok = self._GenStat(path="/etc/shadow",
st_uid=0,
st_gid=0,
st_mode=0100640)
link = self._GenStat(path="/etc/shadow",
st_uid=0,
st_gid=0,
st_mode=0120640)
user = self._GenStat(path="/etc/shadow",
st_uid=1000,
st_gid=1000,
st_mode=0100640)
writable = self._GenStat(path="/etc/shadow",
st_uid=0,
st_gid=0,
st_mode=0100666)
cfg = {
"path": "/etc/shadow",
"st_uid": 0,
"st_gid": 0,
"st_mode": 0100640
}
invalid = rdfvalue.Config(**cfg)
objs = [ok, link, user, writable, invalid]
results = list(filt.Parse(objs, "uid:>=0 gid:>=0"))
self.assertItemsEqual([ok, link, user, writable], results)
results = list(filt.Parse(objs, "uid:=0 mode:0440 mask:0440"))
self.assertItemsEqual([ok, link, writable], results)
results = list(filt.Parse(objs, "uid:=0 mode:0440 mask:0444"))
self.assertItemsEqual([ok, link], results)
results = list(
filt.Parse(objs, "uid:=0 mode:0440 mask:0444 file_type:regular"))
self.assertItemsEqual([ok], results)
def ParseObjs(self, objs, expression):
for key in self._Attrs(expression):
for obj in objs:
val = self._GetVal(obj, key)
if val:
yield rdfvalue.Config({"k": key, "v": val})
def Parse(self, obj, expression):
for key in self._Attrs(expression):
val = self._GetVal(obj, key)
yield rdfvalue.Config({"k": key, "v": val})
def GenerateSample(self, number=0):
return rdfvalue.Config({"number": number})
def ParseMultiple(self, stats, file_objs, _):
config = {}
for stat, file_obj in zip(stats, file_objs):
k, v = self._Parse(stat, file_obj)
config[k] = v
return rdfvalue.Config(config)
