def testProcessPathSpecFile(self):
"""Tests the ProcessPathSpec function on a file."""
knowledge_base_values = {u'year': 2016}
session = sessions.Session()
path_spec = self._GetTestFilePathSpec([u'syslog'])
storage_writer = fake_storage.FakeStorageWriter(session)
self._TestProcessPathSpec(
storage_writer, path_spec, knowledge_base_values=knowledge_base_values)
self.assertEqual(storage_writer.number_of_events, 19)
def testProcessPathSpecCompressedFileBZIP2(self):
"""Tests the ProcessPathSpec function on a bzip2 compressed file."""
knowledge_base_values = {'year': 2016}
session = sessions.Session()
path_spec = self._GetTestFilePathSpec(['syslog.bz2'])
storage_writer = fake_writer.FakeStorageWriter(session)
self._TestProcessPathSpec(
storage_writer, path_spec, knowledge_base_values=knowledge_base_values)
self.assertEqual(storage_writer.number_of_events, 15)
def _ParseAndAnalyzeFile(self,
path_segments,
parser,
plugin,
knowledge_base_values=None):
"""Parses and analyzes a file using the parser and analysis plugin.
Args:
path_segments (list[str]): path segments inside the test data directory.
parser (BaseParser): parser.
plugin (AnalysisPlugin): plugin.
knowledge_base_values (Optional[dict[str, str]]): knowledge base values.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
session = sessions.Session()
knowledge_base_object = self._SetUpKnowledgeBase(
knowledge_base_values=knowledge_base_values)
storage_writer = self._ParseFile(path_segments, parser,
knowledge_base_object)
mediator = analysis_mediator.AnalysisMediator(session,
knowledge_base_object)
mediator.SetStorageWriter(storage_writer)
for event in storage_writer.GetSortedEvents():
event_data = None
event_data_identifier = event.GetEventDataIdentifier()
if event_data_identifier:
event_data = storage_writer.GetAttributeContainerByIdentifier(
events.EventData.CONTAINER_TYPE, event_data_identifier)
event_data_stream = None
if event_data:
event_data_stream_identifier = event_data.GetEventDataStreamIdentifier(
)
if event_data_stream_identifier:
event_data_stream = storage_writer.GetAttributeContainerByIdentifier(
events.EventDataStream.CONTAINER_TYPE,
event_data_stream_identifier)
plugin.ExamineEvent(mediator, event, event_data, event_data_stream)
analysis_report = plugin.CompileReport(mediator)
storage_writer.AddAttributeContainer(analysis_report)
return storage_writer
def testGetLatestYear(self):
"""Tests the GetLatestYear function."""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
knowledge_base_object = knowledge_base.KnowledgeBase()
parser_mediator = mediator.ParserMediator(storage_writer,
knowledge_base_object)
expected_latest_year = parser_mediator.GetCurrentYear()
latest_year = parser_mediator.GetLatestYear()
self.assertEqual(latest_year, expected_latest_year)
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
storage_file_path = self._GetTestFilePath(['psort_test.plaso'])
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier('en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = null.NullOutputModule(output_mediator_object)
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugins = {'tagging': analysis_plugin}
# TODO: set tag file.
configuration = configurations.ProcessingConfiguration()
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(
knowledge_base_object, storage_writer, output_module, data_location,
analysis_plugins, configuration)
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(
knowledge_base_object, storage_writer, data_location,
analysis_plugins, configuration, event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
def testProcessPathSpec(self):
"""Tests the ProcessPathSpec function on an archive file."""
knowledge_base_values = {'year': 2016}
session = sessions.Session()
test_file_path = self._GetTestFilePath(['syslog.tar'])
self._SkipIfPathNotExists(test_file_path)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog',
parent=path_spec)
storage_writer = fake_writer.FakeStorageWriter(session)
expected_event_counters = {
'fs:stat': 1,
'syslog:cron:task_run': 3,
'syslog:line': 9}
self._TestProcessPathSpec(
storage_writer, path_spec, expected_event_counters,
knowledge_base_values=knowledge_base_values)
# Process an archive file without "process archive files" mode.
path_spec = self._GetTestFilePathSpec(['syslog.tar'])
storage_writer = fake_writer.FakeStorageWriter(session)
# Typically there are 3 filestat events, but there can be 4 on platforms
# that support os.stat_result st_birthtime.
expected_event_counters = {
'fs:stat': [3, 4]}
self._TestProcessPathSpec(
storage_writer, path_spec, expected_event_counters,
knowledge_base_values=knowledge_base_values)
# Process an archive file with "process archive files" mode.
path_spec = self._GetTestFilePathSpec(['syslog.tar'])
storage_writer = fake_writer.FakeStorageWriter(session)
# Typically there are 3 filestat events, but there can be 4 on platforms
# that support os.stat_result st_birthtime. There is 1 additional filestat
# event from the .tar file.
expected_event_counters = {
'fs:stat': [4, 5],
'syslog:cron:task_run': 3,
'syslog:line': 9}
self._TestProcessPathSpec(
storage_writer, path_spec, expected_event_counters,
knowledge_base_values=knowledge_base_values, process_archives=True)
def testCopyAttributesFromSessionCompletion(self):
"""Tests the CopyAttributesFromSessionCompletion function."""
attribute_container = sessions.Session()
session_completion = sessions.SessionCompletion(
identifier=attribute_container.identifier)
attribute_container.CopyAttributesFromSessionCompletion(session_completion)
with self.assertRaises(ValueError):
session_completion = sessions.SessionCompletion()
attribute_container.CopyAttributesFromSessionCompletion(
session_completion)
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
storage_file_path = self._GetTestFilePath([u'psort_test.json.plaso'])
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier(u'en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = null.NullOutputModule(output_mediator_object)
data_location = u''
analysis_plugin = tagging.TaggingAnalysisPlugin()
# TODO: set tag file.
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer, output_module,
data_location,
[analysis_plugin])
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer,
data_location,
[analysis_plugin],
event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
def testProducePreprocessingWarning(self):
"""Tests the ProducePreprocessingWarning method."""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
knowledge_base_object = knowledge_base.KnowledgeBase()
parser_mediator = mediator.PreprocessMediator(session, storage_writer,
knowledge_base_object)
storage_writer.Open()
parser_mediator.ProducePreprocessingWarning('test_plugin',
'test message')
def _ParseOLECFFileWithPlugin(self,
path_segments,
plugin,
codepage='cp1252',
knowledge_base_values=None):
"""Parses a file as an OLE compound file and returns an event generator.
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (OLECFPlugin): OLE CF plugin.
codepage (Optional[str]): codepage.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntry(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
plugin.Process(parser_mediator,
root_item=root_item,
item_names=item_names)
olecf_file.close()
finally:
file_object.close()
return storage_writer
def testAnalyzeEventsWithEventFilter(self):
"""Tests the AnalyzeEvents function with an event filter."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath(
['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
storage_writer.Open(path=temp_file)
try:
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 2)
test_engine.AnalyzeEvents(session,
knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
configuration,
event_filter=test_filter,
storage_file_path=temp_directory)
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 3)
finally:
storage_writer.Close()
def _ParseDatabaseFileWithPlugin(
self, path_segments, plugin, knowledge_base_values=None,
wal_path_segments=None):
"""Parses a file as a SQLite database with a specific plugin.
This method will first test if a SQLite database contains the required
tables and columns using plugin.CheckRequiredTablesAndColumns() and then
extracts events using plugin.Process().
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (SQLitePlugin): SQLite database plugin.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
wal_path_segments (list[str]): path segments inside the test data
directory of the SQLite WAL file.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
file_entry, database = self._OpenDatabaseFile(
path_segments, wal_path_segments=wal_path_segments)
required_tables_and_column_exist = plugin.CheckRequiredTablesAndColumns(
database)
self.assertTrue(required_tables_and_column_exist)
parser_mediator = self._CreateParserMediator(
session, storage_writer, file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
parser_mediator.SetFileEntry(file_entry)
# AppendToParserChain needs to be run after SetFileEntry.
parser_mediator.AppendToParserChain(plugin)
try:
cache = sqlite.SQLiteCache()
plugin.Process(parser_mediator, cache=cache, database=database)
finally:
database.Close()
return storage_writer
def testGetDisplayNameForPathSpec(self):
"""Tests the GetDisplayNameForPathSpec function."""
session = sessions.Session()
storage_writer = fake_storage.FakeStorageWriter(session)
parsers_mediator = self._CreateParserMediator(storage_writer)
test_path = self._GetTestFilePath([u'syslog.gz'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_path)
expected_display_name = u'OS:{0:s}'.format(test_path)
display_name = parsers_mediator.GetDisplayNameForPathSpec(os_path_spec)
self.assertEqual(display_name, expected_display_name)
def testAddEventSource(self):
"""Tests the AddEventSource function."""
session = sessions.Session()
event_source = event_sources.EventSource()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
storage_writer.AddEventSource(event_source)
storage_writer.Close()
with self.assertRaises(IOError):
storage_writer.AddEventSource(event_source)
def testAddAnalysisWarning(self):
"""Tests the AddAnalysisWarning function."""
session = sessions.Session()
warning = warnings.AnalysisWarning(message='Test analysis warning')
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
storage_writer.AddAnalysisWarning(warning)
storage_writer.Close()
with self.assertRaises(IOError):
storage_writer.AddAnalysisWarning(warning)
def testParseHeader(self):
"""Tests the _ParseHeader function."""
file_system_builder = fake_file_system_builder.FakeFileSystemBuilder()
file_system_builder.AddFile('/cups_ipp', b'')
test_path_spec = fake_path_spec.FakePathSpec(location='/cups_ipp')
test_file_entry = file_system_builder.file_system.GetFileEntryByPathSpec(
test_path_spec)
session = sessions.Session()
storage_writer = self._CreateStorageWriter()
parser_mediator = self._CreateParserMediator(
session, storage_writer, file_entry=test_file_entry)
parser = cups_ipp.CupsIppParser()
header_data = self._CreateHeaderData(parser)
file_object = self._CreateFileObject('cups_ipp', header_data)
parser._ParseHeader(parser_mediator, file_object)
# Test with header data too small.
file_object = self._CreateFileObject('cups_ipp', header_data[:-1])
with self.assertRaises(errors.UnableToParseFile):
parser._ParseHeader(parser_mediator, file_object)
# Test with unsupported format version.
header_map = parser._GetDataTypeMap('cups_ipp_header')
header = header_map.CreateStructureValues(major_version=99,
minor_version=1,
operation_identifier=5,
request_identifier=0)
header_data = header_map.FoldByteStream(header)
file_object = self._CreateFileObject('cups_ipp', header_data)
with self.assertRaises(errors.UnableToParseFile):
parser._ParseHeader(parser_mediator, file_object)
# Test with unsupported operation identifier.
header = header_map.CreateStructureValues(major_version=1,
minor_version=1,
operation_identifier=99,
request_identifier=0)
header_data = header_map.FoldByteStream(header)
file_object = self._CreateFileObject('cups_ipp', header_data)
parser._ParseHeader(parser_mediator, file_object)
def testInternalAnalyzeEvents(self):
"""Tests the _AnalyzeEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath([
'tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
self._ReadSessionConfiguration(temp_file, knowledge_base_object)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
test_engine._processing_configuration = configuration
test_engine._session = session
test_engine._storage_file_path = temp_directory
test_engine._StartTaskStorage(definitions.STORAGE_FORMAT_SQLITE)
test_engine._StartAnalysisProcesses(analysis_plugins)
storage_writer.Open(path=temp_file)
try:
events_counter = test_engine._AnalyzeEvents(
storage_writer, analysis_plugins)
finally:
storage_writer.Close()
test_engine._StopAnalysisProcesses()
self.assertIsNotNone(events_counter)
self.assertEqual(events_counter['Events filtered'], 0)
self.assertEqual(events_counter['Events processed'], 38)
def testProcessSources(self):
"""Tests the ProcessSources function."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['ímynd.dd'])
self._SkipIfPathNotExists(test_file_path)
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, test_artifacts_path)
test_engine = extraction_engine.SingleProcessEngine()
resolver_context = context.Context()
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
location='/',
parent=os_path_spec)
session = sessions.Session()
configuration = configurations.ProcessingConfiguration()
configuration.parser_filter_expression = 'filestat'
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
try:
test_engine.PreprocessSources(registry, [source_path_spec],
session, storage_writer)
test_engine.ProcessSources(session, [source_path_spec],
storage_writer, resolver_context,
configuration)
finally:
storage_writer.Close()
self.assertEqual(storage_writer.number_of_events, 15)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
expected_parsers_counter = collections.Counter({
'filestat': 15,
'total': 15
})
self.assertEqual(session.parsers_counter, expected_parsers_counter)
def _ParseKeyWithPlugin(self,
registry_key,
plugin,
file_entry=None,
knowledge_base_values=None,
parser_chain=None,
timezone='UTC'):
"""Parses a key within a Windows Registry file using the plugin.
Args:
registry_key (dfwinreg.WinRegistryKey): Windows Registry Key.
plugin (WindowsRegistryPlugin): Windows Registry plugin.
file_entry (Optional[dfvfs.FileEntry]): file entry.
knowledge_base_values (Optional[dict[str, str]]): knowledge base values.
parser_chain (Optional[str]): parsing chain up to this point.
timezone (Optional[str]): timezone.
Returns:
FakeStorageWriter: storage writer.
"""
self.assertIsNotNone(registry_key)
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
parser_mediator = self._CreateParserMediator(
session,
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values,
timezone=timezone)
# Most tests aren't explicitly checking for parser chain values,
# or setting them, so we'll just append the plugin name if no explicit
# parser chain argument is supplied.
if parser_chain is None:
# AppendToParserChain needs to be run after SetFileEntry.
parser_mediator.AppendToParserChain(plugin)
else:
# In the rare case that a test is checking for a particular chain, we
# provide a way set it directly. There's no public API for this,
# as access to the parser chain should be very infrequent.
parser_mediator._parser_chain_components = parser_chain.split('/')
plugin.Process(parser_mediator, registry_key)
return storage_writer
def testAnalyzeFileObject(self):
"""Tests the _AnalyzeFileObject function."""
knowledge_base_values = {'year': 2016}
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in knowledge_base_values.items():
knowledge_base_object.SetValue(identifier, value)
resolver_context = context.Context()
mediator = parsers_mediator.ParserMediator(
storage_writer,
knowledge_base_object,
preferred_year=2016,
resolver_context=resolver_context)
extraction_worker = worker.EventExtractionWorker()
test_analyzer = analyzers_manager_test.TestAnalyzer()
self.assertEqual(len(test_analyzer.GetResults()), 0)
extraction_worker._analyzers = [test_analyzer]
storage_writer.Open()
storage_writer.WriteSessionStart()
file_entry = self._GetTestFileEntry(['ímynd.dd'])
mediator.SetFileEntry(file_entry)
file_object = file_entry.GetFileObject()
display_name = mediator.GetDisplayName()
event_data_stream = events.EventDataStream()
try:
extraction_worker._AnalyzeFileObject(file_object, display_name,
event_data_stream)
finally:
file_object.close()
storage_writer.WriteSessionCompletion()
storage_writer.Close()
self.assertIsNotNone(event_data_stream)
event_attribute = getattr(event_data_stream, 'test_result', None)
self.assertEqual(event_attribute, 'is_vegetable')
def testAddAnalysisReport(self):
"""Tests the AddAnalysisReport function."""
session = sessions.Session()
analysis_report = reports.AnalysisReport(
plugin_name='test', text='test report')
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
storage_writer.AddAnalysisReport(analysis_report)
storage_writer.Close()
with self.assertRaises(IOError):
storage_writer.AddAnalysisReport(analysis_report)
def testProcessTask(self):
"""Tests the _ProcessTask function."""
session = sessions.Session()
storage_writer = self._CreateStorageWriter(session)
knowledge_base = self._CreateKnowledgeBase()
configuration = configurations.ProcessingConfiguration()
test_process = worker_process.WorkerProcess(
None, storage_writer, knowledge_base, session.identifier, configuration,
name='TestWorker')
test_process._parser_mediator = self._CreateParserMediator(
storage_writer, knowledge_base)
task = tasks.Task(session_identifier=session.identifier)
test_process._ProcessTask(task)
def testMergeFromStorage(self):
"""Tests the MergeFromStorage function."""
session = sessions.Session()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_reader = zip_file.ZIPStorageFileReader(test_file)
storage_writer.MergeFromStorage(storage_reader)
test_file = self._GetTestFilePath([u'pinfo_test.json.plaso'])
storage_reader = zip_file.ZIPStorageFileReader(test_file)
storage_writer.MergeFromStorage(storage_reader)
storage_writer.Close()
def testAddError(self):
"""Tests the AddError function."""
session = sessions.Session()
extraction_error = errors.ExtractionError(
message='Test extraction error')
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
storage_writer.AddError(extraction_error)
storage_writer.Close()
with self.assertRaises(IOError):
storage_writer.AddError(extraction_error)
def testGetSortedEvents(self):
"""Tests the GetSortedEvents function."""
session = sessions.Session()
test_events = self._CreateTestEvents()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
for event in test_events:
storage_writer.AddEvent(event)
events = list(storage_writer.GetSortedEvents())
self.assertEqual(len(events), len(test_events))
storage_writer.Close()
def _TagEvent(self, event, event_data, event_data_stream):
"""Tags an event.
Args:
event (Event): event.
event_data (EventData): event data.
event_data_stream (EventDataStream): event data stream.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the tag file does not exist.
"""
tag_file_path = self._GetDataFilePath([self._TAG_FILE])
self._SkipIfPathNotExists(tag_file_path)
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
if event_data_stream:
storage_writer.AddAttributeContainer(event_data_stream)
event_data_stream_identifier = event_data_stream.GetIdentifier()
event_data.SetEventDataStreamIdentifier(
event_data_stream_identifier)
storage_writer.AddAttributeContainer(event_data)
event_data_identifier = event_data.GetIdentifier()
event.SetEventDataIdentifier(event_data_identifier)
storage_writer.AddAttributeContainer(event)
knowledge_base_object = knowledge_base.KnowledgeBase()
mediator = analysis_mediator.AnalysisMediator(session,
knowledge_base_object)
mediator.SetStorageWriter(storage_writer)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(tag_file_path)
plugin.ExamineEvent(mediator, event, event_data, event_data_stream)
analysis_report = plugin.CompileReport(mediator)
storage_writer.AddAttributeContainer(analysis_report)
return storage_writer
def _ParseOLECFFileWithPlugin(self,
path_segments,
plugin,
codepage=u'cp1252',
knowledge_base_values=None):
"""Parses a file as an OLE compound file and returns an event generator.
Args:
path_segments: a list of strings containinge the path segments inside
plugin: an OLE CF plugin object (instance of OLECFPlugin).
codepage: optional string containing the codepage.
knowledge_base_values: optional dictionary containing the knowledge base
values.
Returns:
A storage writer object (instance of FakeStorageWriter).
"""
session = sessions.Session()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntry(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
plugin.Process(parser_mediator,
root_item=root_item,
item_names=item_names)
olecf_file.close()
finally:
file_object.close()
return storage_writer
def testAnalyzeDataStream(self):
"""Tests the _AnalyzeDataStream function."""
knowledge_base_values = {'year': 2016}
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in knowledge_base_values.items():
knowledge_base_object.SetValue(identifier, value)
resolver_context = context.Context()
parser_mediator = parsers_mediator.ParserMediator(
knowledge_base_object, resolver_context=resolver_context)
parser_mediator.SetPreferredYear(2016)
parser_mediator.SetStorageWriter(storage_writer)
extraction_worker = worker.EventExtractionWorker()
test_analyzer = analyzers_manager_test.TestAnalyzer()
self.assertEqual(len(test_analyzer.GetResults()), 0)
extraction_worker._analyzers = [test_analyzer]
storage_writer.Open()
session_start = session.CreateSessionStart()
storage_writer.AddAttributeContainer(session_start)
file_entry = self._GetTestFileEntry(['syslog.tgz'])
parser_mediator.SetFileEntry(file_entry)
display_name = parser_mediator.GetDisplayName()
event_data_stream = events.EventDataStream()
extraction_worker._AnalyzeDataStream(file_entry, '', display_name,
event_data_stream)
session_completion = session.CreateSessionCompletion()
storage_writer.AddAttributeContainer(session_completion)
storage_writer.Close()
self.assertIsNotNone(event_data_stream)
event_attribute = getattr(event_data_stream, 'test_result', None)
self.assertEqual(event_attribute, 'is_vegetable')
def testAddEvent(self):
"""Tests the AddEvent function."""
session = sessions.Session()
test_events = self._CreateTestEvents()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
event = None
for event in test_events:
storage_writer.AddEvent(event)
storage_writer.Close()
with self.assertRaises(IOError):
storage_writer.AddEvent(event)
def testGetAttributeContainers(self):
"""Tests the GetAttributeContainers method."""
redis_client = self._CreateRedisClient()
session = sessions.Session()
task = tasks.Task(session_identifier=session.identifier)
test_store = redis_store.RedisStore(
storage_type=definitions.STORAGE_TYPE_TASK)
test_store.Open(redis_client=redis_client,
session_identifier=task.session_identifier,
task_identifier=task.identifier)
try:
event_data_stream = events.EventDataStream()
event_data_stream.md5_hash = '8f0bf95a7959baad9666b21a7feed79d'
containers = list(
test_store.GetAttributeContainers(
event_data_stream.CONTAINER_TYPE))
self.assertEqual(len(containers), 0)
test_store.AddAttributeContainer(event_data_stream)
containers = list(
test_store.GetAttributeContainers(
event_data_stream.CONTAINER_TYPE))
self.assertEqual(len(containers), 1)
filter_expression = 'md5_hash == "8f0bf95a7959baad9666b21a7feed79d"'
containers = list(
test_store.GetAttributeContainers(
event_data_stream.CONTAINER_TYPE,
filter_expression=filter_expression))
self.assertEqual(len(containers), 1)
filter_expression = 'md5_hash != "8f0bf95a7959baad9666b21a7feed79d"'
containers = list(
test_store.GetAttributeContainers(
event_data_stream.CONTAINER_TYPE,
filter_expression=filter_expression))
self.assertEqual(len(containers), 0)
finally:
test_store.Close()
self._RemoveSessionData(redis_client, session.identifier)
