def CreateEventFromValues(event_values):
"""Creates an event and event data from event values.
Args:
event_values (dict[str, str]): event values.
Returns:
tuple[EventObject, EventData, EventDataStream]: event, event data and
event data stream for testing.
"""
copy_of_event_values = dict(event_values)
event = events.EventObject()
for attribute_name in ('timestamp', 'timestamp_desc'):
attribute_value = copy_of_event_values.pop(attribute_name, None)
if attribute_value is not None:
if attribute_name == 'timestamp' and isinstance(
attribute_value, str):
attribute_value = shared_test_lib.CopyTimestampFromSring(
attribute_value)
setattr(event, attribute_name, attribute_value)
event_data_stream = events.EventDataStream()
for attribute_name in ('path_spec', 'md5_hash', 'sha256_hash'):
attribute_value = copy_of_event_values.pop(attribute_name, None)
if attribute_value is not None:
setattr(event_data_stream, attribute_name, attribute_value)
event_data = events.EventData()
event_data.CopyFromDict(copy_of_event_values)
return event, event_data, event_data_stream
def testCopyToIsoFormat(self):
"""Test the CopyToIsoFormat function."""
timezone = pytz.timezone('CET')
timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-03-14 20:20:08.850041')
date_time_string = timelib.Timestamp.CopyToIsoFormat(timestamp,
timezone=timezone)
self.assertEqual(date_time_string, '2013-03-14T21:20:08.850041+01:00')
def testPrintStorageInformationAsJSON(self):
"""Tests the PrintStorageInformation function with JSON output format."""
test_filename = 'pinfo_test.plaso'
session_identifier = 'c1ce225e-7eec-49a6-9f5c-35907e518ff8'
session_start_time = '2020-04-04 06:40:08.695055'
test_file_path = self._GetTestFilePath([test_filename])
self._SkipIfPathNotExists(test_file_path)
options = test_lib.TestOptions()
options.storage_file = test_file_path
options.output_format = 'json'
options.sections = 'events,reports,sessions,warnings'
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = pinfo_tool.PinfoTool(output_writer=output_writer)
test_tool.ParseOptions(options)
test_tool.PrintStorageInformation()
output = output_writer.ReadOutput()
json_output = json.loads(output)
sessions = json_output.get('sessions')
self.assertIsNotNone(sessions)
first_session = sessions.get('session')
self.assertIsNotNone(first_session)
self.assertEqual(
first_session['identifier'], session_identifier.replace('-', ''))
expected_start_time = shared_test_lib.CopyTimestampFromSring(
session_start_time)
self.assertEqual(first_session['start_time'], expected_start_time)
parsers_counter = first_session['parsers_counter']
self.assertEqual(parsers_counter['total'], 3)
self.assertEqual(parsers_counter['filestat'], 3)
class TaggingFileTestCase(shared_test_lib.BaseTestCase):
"""The unit test case for a tagging file."""
_TAG_FILE = None
_TEST_TIMESTAMP = shared_test_lib.CopyTimestampFromSring(
'2020-04-04 14:56:39')
def _CheckLabels(self, storage_writer, expected_labels):
"""Checks the labels of tagged events.
Args:
storage_writer (FakeStorageWriter): storage writer used for testing.
expected_labels (list[str]): expected labels.
"""
labels = []
for event_tag in storage_writer.GetEventTags():
labels.extend(event_tag.labels)
labels = set(labels)
expected_labels = set(expected_labels)
self.assertEqual(len(labels), len(expected_labels))
self.assertEqual(sorted(labels), sorted(expected_labels))
def _CheckTaggingRule(self, event_data_class, attribute_values_per_name,
expected_rule_names):
"""Tests a tagging rule.
Args:
event_data_class (type): class of the event data object to use in tests.
attribute_values_per_name (dict[str, list[str]): values of the event data
attribute values per name, to use for testing events that match the
tagging rule.
expected_rule_names (list[str]): expected rule names.
"""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
if not attribute_values_per_name:
event_data = event_data_class()
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags,
len(expected_rule_names))
self._CheckLabels(storage_writer, expected_rule_names)
else:
maximum_number_of_attribute_values = max([
len(attribute_values)
for attribute_values in attribute_values_per_name.values()
])
# Test if variations defined by the attribute_values_per_name match
# the tagging rule.
for test_index in range(maximum_number_of_attribute_values):
# Create the test event data and set the attributes to one of
# the test values.
event_data = event_data_class()
for attribute_name, attribute_values in (
attribute_values_per_name.items()):
attribute_value_index = min(test_index,
len(attribute_values) - 1)
attribute_value = attribute_values[attribute_value_index]
setattr(event_data, attribute_name, attribute_value)
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags,
len(expected_rule_names))
self._CheckLabels(storage_writer, expected_rule_names)
# Test if bogus variations on attribute_values_per_name do not match
# the tagging rule.
for test_attribute_name in attribute_values_per_name.keys():
# Create the test event data and set the attributes to one of
# the test values.
event_data = event_data_class()
for attribute_name, attribute_values in (
attribute_values_per_name.items()):
if attribute_name == test_attribute_name:
attribute_value = 'BOGUS'
else:
attribute_value = attribute_values[0]
setattr(event_data, attribute_name, attribute_value)
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
def _TagEvent(self, event, event_data, event_data_stream):
"""Tags an event.
Args:
event (Event): event.
event_data (EventData): event data.
event_data_stream (EventDataStream): event data stream.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the tag file does not exist.
"""
tag_file_path = self._GetDataFilePath([self._TAG_FILE])
self._SkipIfPathNotExists(tag_file_path)
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
if event_data_stream:
storage_writer.AddEventDataStream(event_data_stream)
storage_writer.AddEventData(event_data)
storage_writer.AddEvent(event)
knowledge_base_object = knowledge_base.KnowledgeBase()
mediator = analysis_mediator.AnalysisMediator(storage_writer,
knowledge_base_object)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(tag_file_path)
plugin.ExamineEvent(mediator, event, event_data, event_data_stream)
analysis_report = plugin.CompileReport(mediator)
storage_writer.AddAnalysisReport(analysis_report)
return storage_writer
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
test_file_object = io.StringIO()
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetTestFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = json_line.JSONLineOutputModule(output_mediator)
output_module._file_object = test_file_object
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
output_module.WriteEventBody(event, event_data, event_data_stream,
None)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2012-06-27 18:17:01')
if sys.platform.startswith('win'):
# The dict comparison is very picky on Windows hence we
# have to make sure the drive letter is in the same case.
expected_os_location = os.path.abspath('\\{0:s}'.format(
os.path.join('cases', 'image.dd')))
else:
expected_os_location = '{0:s}{1:s}'.format(
os.path.sep, os.path.join('cases', 'image.dd'))
expected_json_dict = {
'__container_type__':
'event',
'__type__':
'AttributeContainer',
'date_time': {
'__class_name__': 'PosixTimeInMicroseconds',
'__type__': 'DateTimeValues',
'timestamp': 1340821021000000,
},
'data_type':
'test:event',
'display_name':
'TSK:/var/log/syslog.1',
'filename':
'/var/log/syslog.1',
'hostname':
'ubuntu',
'inode':
'15',
'message': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): '
'session closed for user root)'),
'pathspec': {
'__type__': 'PathSpec',
'type_indicator': 'TSK',
'location': '/var/log/syslog.1',
'inode': 15,
'parent': {
'__type__': 'PathSpec',
'type_indicator': 'OS',
'location': expected_os_location,
}
},
'text': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): '
'session\n closed for user root)'),
'timestamp':
expected_timestamp,
'timestamp_desc':
definitions.TIME_DESCRIPTION_UNKNOWN,
'username':
'******',
}
event_body = test_file_object.getvalue()
# We need to compare dicts since we cannot determine the order
# of values in the string.
json_dict = json.loads(event_body)
self.assertEqual(json_dict, expected_json_dict)
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
formatters_manager.FormattersManager.RegisterFormatter(
formatters_test_lib.TestEventFormatter)
try:
self._output_module.WriteEventBody(event, event_data,
event_data_stream, None)
finally:
formatters_manager.FormattersManager.DeregisterFormatter(
formatters_test_lib.TestEventFormatter)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2012-06-27 18:17:01')
if sys.platform.startswith('win'):
# The dict comparison is very picky on Windows hence we
# have to make sure the drive letter is in the same case.
expected_os_location = os.path.abspath('\\{0:s}'.format(
os.path.join('cases', 'image.dd')))
else:
expected_os_location = '{0:s}{1:s}'.format(
os.path.sep, os.path.join('cases', 'image.dd'))
expected_json_dict = {
'__container_type__':
'event',
'__type__':
'AttributeContainer',
'data_type':
'test:event',
'display_name':
'OS: /var/log/syslog.1',
'hostname':
'ubuntu',
'inode':
12345678,
'message': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): '
'session closed for user root)'),
'pathspec': {
'__type__': 'PathSpec',
'type_indicator': 'TSK',
'location': '/var/log/syslog.1',
'inode': 15,
'parent': {
'__type__': 'PathSpec',
'type_indicator': 'OS',
'location': expected_os_location,
}
},
'text': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): '
'session\n closed for user root)'),
'timestamp':
expected_timestamp,
'timestamp_desc':
definitions.TIME_DESCRIPTION_UNKNOWN,
'username':
'******',
}
event_body = self._output_writer.ReadOutput()
# We need to compare dicts since we cannot determine the order
# of values in the string.
json_dict = json.loads(event_body)
self.assertEqual(json_dict, expected_json_dict)
def testLocaltimeToUTC(self):
"""Test the localtime to UTC conversion."""
timezone = pytz.timezone('CET')
local_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-01-01 01:00:00')
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-01-01 00:00:00')
self.assertEqual(timestamp, expected_timestamp)
local_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-07-01 02:00:00')
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-07-01 00:00:00')
self.assertEqual(timestamp, expected_timestamp)
# In the local timezone this is a non-existent timestamp.
local_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-03-31 02:00:00')
with self.assertRaises(pytz.NonExistentTimeError):
timelib.Timestamp.LocaltimeToUTC(local_timestamp,
timezone,
is_dst=None)
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp,
timezone,
is_dst=True)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-03-31 00:00:00')
self.assertEqual(timestamp, expected_timestamp)
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp,
timezone,
is_dst=False)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-03-31 01:00:00')
self.assertEqual(timestamp, expected_timestamp)
# In the local timezone this is an ambiguous timestamp.
local_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-10-27 02:30:00')
with self.assertRaises(pytz.AmbiguousTimeError):
timelib.Timestamp.LocaltimeToUTC(local_timestamp,
timezone,
is_dst=None)
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp,
timezone,
is_dst=True)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-10-27 00:30:00')
self.assertEqual(timestamp, expected_timestamp)
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-10-27 01:30:00')
self.assertEqual(timestamp, expected_timestamp)
# Use the UTC timezone.
self.assertEqual(
timelib.Timestamp.LocaltimeToUTC(local_timestamp, pytz.UTC),
local_timestamp)
# Use a timezone in the Western Hemisphere.
timezone = pytz.timezone('EST')
local_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-01-01 00:00:00')
timestamp = timelib.Timestamp.LocaltimeToUTC(local_timestamp, timezone)
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2013-01-01 05:00:00')
self.assertEqual(timestamp, expected_timestamp)
def testWriteSerializedDict(self):
"""Tests the _WriteSerializedDict function."""
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetTestFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
formatting_helper = shared_json.JSONEventFormattingHelper(
output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
expected_timestamp = shared_test_lib.CopyTimestampFromSring(
'2012-06-27 18:17:01')
if sys.platform.startswith('win'):
# The dict comparison is very picky on Windows hence we
# have to make sure the drive letter is in the same case.
expected_os_location = os.path.abspath('\\{0:s}'.format(
os.path.join('cases', 'image.dd')))
else:
expected_os_location = '{0:s}{1:s}'.format(
os.path.sep, os.path.join('cases', 'image.dd'))
expected_json_dict = {
'__container_type__':
'event',
'__type__':
'AttributeContainer',
'data_type':
'test:event',
'display_name':
'OS: /var/log/syslog.1',
'hostname':
'ubuntu',
'inode':
12345678,
'message':
('Reporter <CRON> PID: |8442| (pam_unix(cron:session): session '
'closed for user root)'),
'pathspec': {
'__type__': 'PathSpec',
'type_indicator': 'TSK',
'location': '/var/log/syslog.1',
'inode': 15,
'parent': {
'__type__': 'PathSpec',
'type_indicator': 'OS',
'location': expected_os_location,
}
},
'text': ('Reporter <CRON> PID: |8442| (pam_unix(cron:session): '
'session\n closed for user root)'),
'timestamp':
expected_timestamp,
'timestamp_desc':
definitions.TIME_DESCRIPTION_UNKNOWN,
'username':
'******',
}
json_dict = formatting_helper._WriteSerializedDict(
event, event_data, event_data_stream, None)
self.assertEqual(json_dict, expected_json_dict)