def testRdfFormatter(self):
"""Hints format RDF values with arbitrary values and attributes."""
# Create a complex RDF value
rdf = rdf_client.ClientSummary()
rdf.system_info.system = "Linux"
rdf.system_info.fqdn = "coreai.skynet.com"
# Users (repeated)
rdf.users = [rdf_client.User(username=u) for u in ("root", "jconnor")]
# Interface (nested, repeated)
addresses = [
rdf_client_network.NetworkAddress(human_readable_address=a)
for a in ("1.1.1.1", "2.2.2.2", "3.3.3.3")
]
eth0 = rdf_client_network.Interface(ifname="eth0", addresses=addresses[:2])
ppp0 = rdf_client_network.Interface(ifname="ppp0", addresses=addresses[2:3])
rdf.interfaces = [eth0, ppp0]
template = ("{system_info.system} {users.username} {interfaces.ifname} "
"{interfaces.addresses.human_readable_address}\n")
hinter = hints.Hinter(template=template)
expected = "Linux root,jconnor eth0,ppp0 1.1.1.1,2.2.2.2,3.3.3.3"
result = hinter.Render(rdf)
self.assertEqual(expected, result)
def setUp(self):
super(ListVADBinariesTest, self).setUp()
self.SetupClient(0, system="Windows", os_version="6.2", arch="AMD64")
self.os_overrider = vfs_test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, vfs_test_lib.ClientVFSHandlerFixture)
self.reg_overrider = vfs_test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler)
self.os_overrider.Start()
self.reg_overrider.Start()
# Add some user accounts to this client.
fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
kb = fd.Get(fd.Schema.KNOWLEDGE_BASE)
kb.environ_systemdrive = "C:"
kb.MergeOrAddUser(
rdf_client.User(
username="******",
userdomain="testing-PC",
homedir=r"C:\Users\localservice",
sid="S-1-5-20"))
fd.Set(kb)
fd.Close()
def ParsePasswdEntry(self, line):
"""Process the passwd entry fields and primary group memberships."""
fields = ("uname", "passwd", "uid", "gid", "fullname", "homedir", "shell")
if line:
rslt = dict(zip(fields, line.split(":")))
user = self.entry.setdefault(rslt["uname"], rdf_client.User())
user.username = rslt["uname"]
user.pw_entry.store = self.GetPwStore(rslt["passwd"])
if user.pw_entry.store == self.base_store:
user.pw_entry.hash_type = self.GetHashType(rslt["passwd"])
# If the passwd file contains NIS entries they may not have uid/gid set.
if rslt["uid"]:
user.uid = int(rslt["uid"])
if rslt["gid"]:
user.gid = int(rslt["gid"])
user.homedir = rslt["homedir"]
user.shell = rslt["shell"]
user.full_name = rslt["fullname"]
# Map uid numbers to detect duplicates.
uids = self.uids.setdefault(user.uid, set())
uids.add(user.username)
# Map primary group memberships to populate memberships.
gid = self.gids.setdefault(user.gid, set())
gid.add(user.username)
def ParseFile(
self,
knowledge_base: rdf_client.KnowledgeBase,
pathspec: rdf_paths.PathSpec,
filedesc: IO[bytes],
) -> Iterator[rdf_client.User]:
del knowledge_base # Unused.
del pathspec # Unused.
users = {}
wtmp = filedesc.read()
while wtmp:
try:
record = UtmpStruct(wtmp)
except utils.ParsingError:
break
wtmp = wtmp[record.size:]
# Users only appear for USER_PROCESS events, others are system.
if record.ut_type != 7:
continue
# Lose the null termination
record.user = record.user.split(b"\x00", 1)[0]
# Store the latest login time.
# TODO(user): remove the 0 here once RDFDatetime can support times
# pre-epoch properly.
try:
users[record.user] = max(users[record.user], record.sec, 0)
except KeyError:
users[record.user] = record.sec
for user, last_login in users.items():
yield rdf_client.User(
username=utils.SmartUnicode(user), last_logon=last_login * 1000000)
def testTimeEncoding(self):
fast_proto = rdf_client.User(username="******")
datetime = rdfvalue.RDFDatetime.FromHumanReadable("2013-04-05 16:00:03")
# Check that we can coerce an int to an RDFDatetime.
# TODO(hanuszczak): Yeah, but why would we...?
fast_proto.last_logon = datetime.AsMicrosecondsSinceEpoch()
self.assertEqual(fast_proto.last_logon, datetime)
# Check that this is backwards compatible with the old protobuf library.
proto = knowledge_base_pb2.User()
proto.ParseFromString(fast_proto.SerializeToString())
# Old implementation should just see the last_logon field as an integer.
self.assertEqual(proto.last_logon, datetime.AsMicrosecondsSinceEpoch())
self.assertEqual(type(proto.last_logon), long)
# fast protobufs interoperate with old serialized formats.
serialized_data = proto.SerializeToString()
fast_proto = rdf_client.User.FromSerializedString(serialized_data)
self.assertEqual(fast_proto.last_logon, datetime.AsMicrosecondsSinceEpoch())
self.assertEqual(type(fast_proto.last_logon), rdfvalue.RDFDatetime)
def RDFStructCreateAndSerializeSetValue():
s = rdf_client.User()
for k, v in self.USER_ACCOUNT.items():
setattr(s, k, v)
s.SerializeToBytes()
def RDFStructCreateAndSerialize():
s = rdf_client.User(**self.USER_ACCOUNT)
s.SerializeToBytes()
def _SetupClientImpl(self,
client_nr,
index=None,
arch="x86_64",
fqdn=None,
install_time=None,
last_boot_time=None,
kernel="4.0.0",
os_version="buster/sid",
ping=None,
system="Linux",
memory_size=None,
add_cert=True,
fleetspeak_enabled=False):
client_id_urn = rdf_client.ClientURN("C.1%015x" % client_nr)
with aff4.FACTORY.Create(client_id_urn,
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
if add_cert:
cert = self.ClientCertFromPrivateKey(
config.CONFIG["Client.private_key"])
fd.Set(fd.Schema.CERT, cert)
fd.Set(fd.Schema.CLIENT_INFO, self._TestClientInfo())
fd.Set(fd.Schema.PING, ping or rdfvalue.RDFDatetime.Now())
if fqdn is not None:
fd.Set(fd.Schema.HOSTNAME(fqdn.split(".", 1)[0]))
fd.Set(fd.Schema.FQDN(fqdn))
else:
fd.Set(fd.Schema.HOSTNAME("Host-%x" % client_nr))
fd.Set(fd.Schema.FQDN("Host-%x.example.com" % client_nr))
fd.Set(
fd.Schema.MAC_ADDRESS("aabbccddee%02x\nbbccddeeff%02x" %
(client_nr, client_nr)))
fd.Set(
fd.Schema.HOST_IPS("192.168.0.%d\n2001:abcd::%x" %
(client_nr, client_nr)))
if system:
fd.Set(fd.Schema.SYSTEM(system))
if os_version:
fd.Set(fd.Schema.OS_VERSION(os_version))
if arch:
fd.Set(fd.Schema.ARCH(arch))
if kernel:
fd.Set(fd.Schema.KERNEL(kernel))
if memory_size:
fd.Set(fd.Schema.MEMORY_SIZE(memory_size))
if last_boot_time:
fd.Set(fd.Schema.LAST_BOOT_TIME(last_boot_time))
if install_time:
fd.Set(fd.Schema.INSTALL_DATE(install_time))
if fleetspeak_enabled:
fd.Set(fd.Schema.FLEETSPEAK_ENABLED, rdfvalue.RDFBool(True))
kb = rdf_client.KnowledgeBase()
kb.fqdn = fqdn or "Host-%x.example.com" % client_nr
kb.users = [
rdf_client.User(username="******"),
rdf_client.User(username="******"),
]
artifact.SetCoreGRRKnowledgeBaseValues(kb, fd)
fd.Set(fd.Schema.KNOWLEDGE_BASE, kb)
fd.Set(fd.Schema.INTERFACES(self._TestInterfaces(client_nr)))
hardware_info = fd.Schema.HARDWARE_INFO()
hardware_info.system_manufacturer = ("System-Manufacturer-%x" %
client_nr)
hardware_info.bios_version = ("Bios-Version-%x" % client_nr)
fd.Set(fd.Schema.HARDWARE_INFO, hardware_info)
fd.Flush()
index.AddClient(fd)
return client_id_urn
def GenerateSample(self, number=0):
result = rdf_client.User(username="******" % number)
result.desktop = "User Desktop %s" % number
return result
def testOldClientSnapshotFallbackIfInterpolationFails(self):
rel_db = data_store.REL_DB
client_id = "C.0123456789abcdef"
rel_db.WriteClientMetadata(client_id, first_seen=rdfvalue.RDFDatetime.Now())
# Write some fake snapshot history.
kb_0 = rdf_client.KnowledgeBase(os="Linux")
kb_0.users = [
rdf_client.User(username="******"),
rdf_client.User(username="******"),
]
snapshot_0 = rdf_objects.ClientSnapshot(
client_id=client_id, knowledge_base=kb_0)
rel_db.WriteClientSnapshot(snapshot_0)
kb_1 = rdf_client.KnowledgeBase(os="Linux")
snapshot_1 = rdf_objects.ClientSnapshot(
client_id=client_id, knowledge_base=kb_1)
rel_db.WriteClientSnapshot(snapshot_1)
kb_2 = rdf_client.KnowledgeBase(os="Linux")
snapshot_2 = rdf_objects.ClientSnapshot(
client_id=client_id, knowledge_base=kb_2)
rel_db.WriteClientSnapshot(snapshot_2)
with temp.AutoTempDirPath(remove_non_empty=True) as dirpath:
filesystem_test_lib.CreateFile(
os.path.join(dirpath, "user1", "quux", "thud"))
filesystem_test_lib.CreateFile(
os.path.join(dirpath, "user2", "quux", "norf"))
# Write a fake artifact.
path = os.path.join(dirpath, "%%users.username%%", "quux", "*")
art = rdf_artifacts.Artifact(
name="Quux",
doc="Lorem ipsum.",
sources=[
rdf_artifacts.ArtifactSource(
type=rdf_artifacts.ArtifactSource.SourceType.DIRECTORY,
attributes={
"paths": [path],
}),
])
rel_db.WriteArtifact(art)
artifact_registry.REGISTRY.ReloadDatastoreArtifacts()
flow_id = flow_test_lib.TestFlowHelper(
compatibility.GetName(collectors.ArtifactCollectorFlow),
client_mock=action_mocks.GlobClientMock(),
client_id=client_id,
artifact_list=["Quux"],
old_client_snapshot_fallback=True,
token=self.token)
results = flow_test_lib.GetFlowResults(client_id=client_id, flow_id=flow_id)
self.assertNotEmpty(results)
basenames = [os.path.basename(result.pathspec.path) for result in results]
self.assertCountEqual(basenames, ["thud", "norf"])
def RDFStructCreateAndSerializeSetValue():
s = rdf_client.User()
for k, v in iteritems(self.USER_ACCOUNT):
setattr(s, k, v)
s.SerializeToString()
def RDFStructDecode():
new_s = rdf_client.User()
new_s.ParseFromString(data)
self.assertEqual(new_s.username, "user")
self.assertEqual(new_s.username.__class__, unicode)
def SetupLinuxUser(self): user = rdf_client.User(username="******", homedir="/home/user1") return self.SetupClient(0, system="Linux", users=[user], os_version="12.04")
def RDFStructDecode():
new_s = rdf_client.User()
new_s.ParseFromString(data)
self.assertEqual(new_s.username, "user")
self.assertIsInstance(new_s.username, Text)
def testExplainComponentsReturnsEmptyExamplesOnKbError(self):
kb = rdf_client.KnowledgeBase(users=[rdf_client.User()])
ge = rdf_paths.GlobExpression("%%users.appdir%%/foo")
components = ge.ExplainComponents(2, kb)
self.assertEqual(components[0].examples, [])
def testGetClientSummary(self):
hostname = "test"
system = "Linux"
os_release = "12.02"
kernel = "3.15-rc2"
fqdn = "test.test.com"
arch = "amd64"
install_time = rdfvalue.RDFDatetime.Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
google_cloud_instance = rdf_cloud.GoogleCloudInstance(
instance_id="1771384456894610289",
zone="projects/123456789733/zones/us-central1-a",
project_id="myproject",
unique_id="us-central1-a/myproject/1771384456894610289")
cloud_instance = rdf_cloud.CloudInstance(cloud_type="GOOGLE",
google=google_cloud_instance)
serial_number = "DSD33679FZ"
system_manufacturer = "Foobar Inc."
system_uuid = "C31292AD-6Z4F-55D8-28AC-EC1100E42222"
hwinfo = rdf_client.HardwareInfo(
serial_number=serial_number,
system_manufacturer=system_manufacturer,
system_uuid=system_uuid)
timestamp = 1
with utils.Stubber(time, "time", lambda: timestamp):
with aff4.FACTORY.Create("C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
kb = rdf_client.KnowledgeBase()
kb.users.Append(userobj)
empty_summary = fd.GetSummary()
self.assertEqual(empty_summary.client_id, "C.0000000000000000")
self.assertFalse(empty_summary.system_info.version)
self.assertEqual(empty_summary.timestamp.AsSecondsSinceEpoch(),
1)
# This will cause TYPE to be written with current time = 101 when the
# object is closed
timestamp += 100
fd.Set(fd.Schema.HOSTNAME(hostname))
fd.Set(fd.Schema.SYSTEM(system))
fd.Set(fd.Schema.OS_RELEASE(os_release))
fd.Set(fd.Schema.KERNEL(kernel))
fd.Set(fd.Schema.FQDN(fqdn))
fd.Set(fd.Schema.ARCH(arch))
fd.Set(fd.Schema.INSTALL_DATE(install_time))
fd.Set(fd.Schema.KNOWLEDGE_BASE(kb))
fd.Set(fd.Schema.USERNAMES([user]))
fd.Set(fd.Schema.HARDWARE_INFO(hwinfo))
fd.Set(fd.Schema.INTERFACES([interface]))
fd.Set(fd.Schema.CLOUD_INSTANCE(cloud_instance))
with aff4.FACTORY.Open("C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
summary = fd.GetSummary()
self.assertEqual(summary.system_info.system, system)
self.assertEqual(summary.system_info.release, os_release)
self.assertEqual(summary.system_info.kernel, kernel)
self.assertEqual(summary.system_info.fqdn, fqdn)
self.assertEqual(summary.system_info.machine, arch)
self.assertEqual(summary.system_info.install_date,
install_time)
self.assertItemsEqual(summary.users, [userobj])
self.assertItemsEqual(summary.interfaces, [interface])
self.assertFalse(summary.client_info)
self.assertEqual(summary.timestamp.AsSecondsSinceEpoch(), 101)
self.assertEqual(summary.cloud_type, "GOOGLE")
self.assertEqual(
summary.cloud_instance_id,
"us-central1-a/myproject/1771384456894610289")
self.assertEqual(summary.serial_number, serial_number)
self.assertEqual(summary.system_manufacturer,
system_manufacturer)
self.assertEqual(summary.system_uuid, system_uuid)
def _SetupTestClientObject(self,
client_nr,
add_cert=True,
arch="x86_64",
fqdn=None,
install_time=None,
last_boot_time=None,
kernel="4.0.0",
memory_size=None,
os_version="buster/sid",
ping=None,
system="Linux",
users=None,
labels=None,
fleetspeak_enabled=False):
"""Prepares a test client object."""
client_id = u"C.1%015x" % client_nr
client = rdf_objects.ClientSnapshot(client_id=client_id)
client.startup_info.client_info = self._TestClientInfo(labels=labels)
if last_boot_time is not None:
client.startup_info.boot_time = last_boot_time
client.knowledge_base.fqdn = fqdn or "Host-%x.example.com" % client_nr
client.knowledge_base.os = system
client.knowledge_base.users = users or [
rdf_client.User(username=u"user1"),
rdf_client.User(username=u"user2"),
]
client.os_version = os_version
client.arch = arch
client.kernel = kernel
client.interfaces = self._TestInterfaces(client_nr)
client.install_time = install_time
client.hardware_info = rdf_client.HardwareInfo(
system_manufacturer="System-Manufacturer-%x" % client_nr,
bios_version="Bios-Version-%x" % client_nr)
if memory_size is not None:
client.memory_size = memory_size
ping = ping or rdfvalue.RDFDatetime.Now()
if add_cert:
cert = self.ClientCertFromPrivateKey(config.CONFIG["Client.private_key"])
else:
cert = None
data_store.REL_DB.WriteClientMetadata(
client_id,
last_ping=ping,
certificate=cert,
fleetspeak_enabled=fleetspeak_enabled)
data_store.REL_DB.WriteClientSnapshot(client)
client_index.ClientIndex().AddClient(client)
if labels is not None:
data_store.REL_DB.AddClientLabels(client_id, u"GRR", labels)
client_index.ClientIndex().AddClientLabels(client_id, labels)
return client
def testGlob(self):
"""Test that glob works properly."""
client_id = self.SetupClient(0)
# Add some usernames we can interpolate later.
client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token)
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
client.Set(kb)
client.Close()
client_mock = action_mocks.GlobClientMock()
# This glob selects all files which start with the username on this system.
paths = [
os.path.join(self.base_path, "%%Users.username%%*"),
os.path.join(self.base_path, "VFSFixture/var/*/wtmp")
]
# Set iterator really low to force iteration.
with utils.Stubber(filesystem.Glob, "FILE_MAX_PER_DIR", 2):
flow_test_lib.TestFlowHelper(
filesystem.Glob.__name__,
client_mock,
client_id=client_id,
paths=paths,
pathtype=rdf_paths.PathSpec.PathType.OS,
token=self.token,
sync=False,
check_flow_errors=False)
output_path = client_id.Add("fs/os").Add(
self.base_path.replace("\\", "/"))
children = []
fd = aff4.FACTORY.Open(output_path, token=self.token)
for child in fd.ListChildren():
filename = child.Basename()
if filename != "VFSFixture":
children.append(filename)
expected = [
filename for filename in os.listdir(self.base_path)
if filename.startswith("test") or filename.startswith("syslog")
]
self.assertTrue([x for x in expected if x.startswith("test")],
"Need a file starting with 'test'"
" in test_data for this test!")
self.assertTrue([x for x in expected if x.startswith("syslog")],
"Need a file starting with 'syslog'"
" in test_data for this test!")
self.assertItemsEqual(expected, children)
children = []
fd = aff4.FACTORY.Open(output_path.Add("VFSFixture/var/log"),
token=self.token)
for child in fd.ListChildren():
children.append(child.Basename())
self.assertItemsEqual(children, ["wtmp"])
