def InitializeKnowledgeBase(self):
"""Get the existing KB or create a new one if none exists."""
if data_store.AFF4Enabled():
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
# Always create a new KB to override any old values.
self.state.knowledge_base = rdf_client.KnowledgeBase()
SetCoreGRRKnowledgeBaseValues(self.state.knowledge_base,
self.client)
if not self.state.knowledge_base.os:
# If we don't know what OS this is, there is no way to proceed.
raise flow.FlowError(
"Client OS not set for: %s, cannot initialize"
" KnowledgeBase" % self.client_id)
else:
# Always create a new KB to override any old values but keep os and
# version so we know which artifacts we can run.
self.state.knowledge_base = rdf_client.KnowledgeBase()
kb = data_store.REL_DB.ReadClientSnapshot(
self.client_id).knowledge_base
if kb:
self.state.knowledge_base.os = kb.os
self.state.knowledge_base.os_minor_version = kb.os_major_version
self.state.knowledge_base.os_minor_version = kb.os_minor_version
def InitializeKnowledgeBase(self):
"""Get the existing KB or create a new one if none exists."""
if data_store.AFF4Enabled():
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
# Always create a new KB to override any old values.
self.state.knowledge_base = rdf_client.KnowledgeBase()
SetCoreGRRKnowledgeBaseValues(self.state.knowledge_base, self.client)
if not self.state.knowledge_base.os:
# If we don't know what OS this is, there is no way to proceed.
raise flow.FlowError("Client OS not set for: %s, cannot initialize"
" KnowledgeBase" % self.client_id)
else:
# Always create a new KB to override any old values but keep os and
# version so we know which artifacts we can run.
self.state.knowledge_base = rdf_client.KnowledgeBase()
snapshot = data_store.REL_DB.ReadClientSnapshot(self.client_id)
if not snapshot or not snapshot.knowledge_base:
return
kb = snapshot.knowledge_base
state_kb = self.state.knowledge_base
state_kb.os = kb.os
state_kb.os_major_version = kb.os_major_version
state_kb.os_minor_version = kb.os_minor_version
if not state_kb.os_major_version and snapshot.os_version:
version = snapshot.os_version.split(".")
try:
state_kb.os_major_version = int(version[0])
if len(version) >= 1:
state_kb.os_minor_version = int(version[1])
except ValueError:
pass
def testOldClientSnapshotFallbackUsesLatestApplicable(self):
rel_db = data_store.REL_DB
client_id = "C.0123456789abcdef"
rel_db.WriteClientMetadata(client_id, first_seen=rdfvalue.RDFDatetime.Now())
# Write some fake snapshot history.
kb_0 = rdf_client.KnowledgeBase(os="Linux", os_release="rel0")
snapshot_0 = rdf_objects.ClientSnapshot(
client_id=client_id, knowledge_base=kb_0)
rel_db.WriteClientSnapshot(snapshot_0)
kb_1 = rdf_client.KnowledgeBase(os="Linux", os_release="rel1")
snapshot_1 = rdf_objects.ClientSnapshot(
client_id=client_id, knowledge_base=kb_1)
rel_db.WriteClientSnapshot(snapshot_1)
kb_2 = rdf_client.KnowledgeBase(os="Linux")
snapshot_2 = rdf_objects.ClientSnapshot(
client_id=client_id, knowledge_base=kb_2)
rel_db.WriteClientSnapshot(snapshot_2)
with temp.AutoTempDirPath(remove_non_empty=True) as dirpath:
filesystem_test_lib.CreateFile(os.path.join(dirpath, "rel0", "quux"))
filesystem_test_lib.CreateFile(os.path.join(dirpath, "rel1", "norf"))
# Write a fake artifact.
art = rdf_artifacts.Artifact(
name="Quux",
doc="Lorem ipsum.",
sources=[
rdf_artifacts.ArtifactSource(
type=rdf_artifacts.ArtifactSource.SourceType.DIRECTORY,
attributes={
"paths": [os.path.join(dirpath, "%%os_release%%", "*")],
}),
])
rel_db.WriteArtifact(art)
artifact_registry.REGISTRY.ReloadDatastoreArtifacts()
flow_id = flow_test_lib.TestFlowHelper(
compatibility.GetName(collectors.ArtifactCollectorFlow),
client_mock=action_mocks.GlobClientMock(),
client_id=client_id,
artifact_list=["Quux"],
old_client_snapshot_fallback=True,
token=self.token)
results = flow_test_lib.GetFlowResults(client_id=client_id, flow_id=flow_id)
self.assertNotEmpty(results)
basenames = [os.path.basename(result.pathspec.path) for result in results]
self.assertNotIn("quux", basenames)
self.assertIn("norf", basenames)
def testInterpolateArgs(self):
args = rdf_artifacts.ArtifactCollectorFlowArgs()
collect_flow = collectors.ArtifactCollectorFlow(
rdf_flow_objects.Flow(args=args))
kb = rdf_client.KnowledgeBase()
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
collect_flow.state["knowledge_base"] = kb
collect_flow.current_artifact_name = "blah"
test_rdf = rdf_client.KnowledgeBase()
action_args = {
"usernames": ["%%users.username%%", "%%users.username%%"],
"nointerp": "asdfsdf",
"notastring": test_rdf
}
kwargs = collect_flow.InterpolateDict(action_args)
self.assertCountEqual(kwargs["usernames"],
["test1", "test2", "test1", "test2"])
self.assertEqual(kwargs["nointerp"], "asdfsdf")
self.assertEqual(kwargs["notastring"], test_rdf)
# We should be using an array since users.username will expand to multiple
# values.
self.assertRaises(ValueError, collect_flow.InterpolateDict,
{"bad": "%%users.username%%"})
list_args = collect_flow.InterpolateList(
["%%users.username%%", r"%%users.username%%\aa"])
self.assertCountEqual(list_args,
["test1", "test2", r"test1\aa", r"test2\aa"])
list_args = collect_flow.InterpolateList(["one"])
self.assertEqual(list_args, ["one"])
# Ignore the failure in users.desktop, report the others.
collect_flow.args.ignore_interpolation_errors = True
list_args = collect_flow.InterpolateList(
["%%users.desktop%%", r"%%users.username%%\aa"])
self.assertCountEqual(list_args, [r"test1\aa", r"test2\aa"])
# Both fail.
list_args = collect_flow.InterpolateList(
[r"%%users.desktop%%\aa", r"%%users.sid%%\aa"])
self.assertCountEqual(list_args, [])
def testUnknownAttributeScopeNotARealScope(self):
kb = rdf_client.KnowledgeBase(os="Linux")
with self.assertRaisesUnknownAttrs() as context:
artifact_utils.InterpolateKbAttributes("%%os.version%%", kb)
self.assertEqual(context.exception.attrs, ["os"])
def testEmptyAttribute(self):
kb = rdf_client.KnowledgeBase(environ_allusersprofile="")
with self.assertRaisesMissingAttrs() as context:
artifact_utils.InterpolateKbAttributes("%%environ_allusersprofile%%", kb)
self.assertEqual(context.exception.attrs, ["environ_allusersprofile"])
def testUnknownAttributeScopeVar(self):
kb = rdf_client.KnowledgeBase()
with self.assertRaisesUnknownAttrs() as context:
artifact_utils.InterpolateKbAttributes("%%users.nonexistent%%", kb)
self.assertEqual(context.exception.attrs, ["users.nonexistent"])
def testDirectoryArtifact(self):
"""Test the source type `DIRECTORY`."""
paths = [
os.path.join(self.base_path, "%%Users.username%%*"),
os.path.join(self.base_path, "VFSFixture", "var", "*", "wtmp")
]
expected = [
os.path.join(self.base_path, "test.plist"),
os.path.join(self.base_path, "test_img.dd"),
os.path.join(self.base_path, "tests"),
os.path.join(self.base_path, "tests_long"),
os.path.join(self.base_path, "syslog"),
os.path.join(self.base_path, "syslog_compress.gz"),
os.path.join(self.base_path, "syslog_false.gz"),
os.path.join(self.base_path, "VFSFixture", "var", "log", "wtmp"),
]
source = rdf_artifact.ArtifactSource(type=self.source_type.DIRECTORY,
attributes={"paths": paths})
knowledge_base = rdf_client.KnowledgeBase(users=[
rdf_client.User(username="******"),
rdf_client.User(username="******")
])
request = GetRequest(source, "TestDirectory", knowledge_base)
collected_artifact = self.RunArtifactCollector(request)
self.assertGreater(len(collected_artifact.action_results), 0)
for file_stat in collected_artifact.action_results:
self.assertIsInstance(file_stat.value, rdf_client_fs.StatEntry)
self.assertIn(file_stat.value.pathspec.path, expected)
def testPathInterpolation(self):
self.client_id = self.SetupClient(0)
bar = rdf_client.User(username="******")
baz = rdf_client.User(username="******")
kb = rdf_client.KnowledgeBase(os="foo",
domain="norf",
users=[bar, baz])
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
with client:
client.Set(client.Schema.KNOWLEDGE_BASE, kb)
with test_lib.AutoTempDirPath(remove_non_empty=True) as temp_dirpath:
self._Touch(os.path.join(temp_dirpath, "foo", "bar"))
self._Touch(os.path.join(temp_dirpath, "foo", "baz"))
self._Touch(os.path.join(temp_dirpath, "foo", "quux"))
self._Touch(os.path.join(temp_dirpath, "thud", "norf", "plugh"))
self._Touch(os.path.join(temp_dirpath, "thud", "norf", "blargh"))
paths = [
os.path.join(temp_dirpath, "%%os%%", "%%users.username%%"),
os.path.join(temp_dirpath, "thud", "%%domain%%", "plugh"),
]
action = rdf_file_finder.FileFinderAction.Action.STAT
results = self._RunCFF(paths, action)
paths = [result.stat_entry.pathspec.path for result in results]
self.assertItemsEqual(paths, [
os.path.join(temp_dirpath, "foo", "bar"),
os.path.join(temp_dirpath, "foo", "baz"),
os.path.join(temp_dirpath, "thud", "norf", "plugh")
])
def testKnowledgeBaseRootAttributesGetMappedCorrectly(self):
kb = rdf_client.KnowledgeBase(
environ_path="the_path",
environ_temp="the_temp",
environ_systemroot="the_systemroot",
environ_windir="the_windir",
environ_programfiles="the_programfiles",
environ_programfilesx86="the_programfilesx86",
environ_systemdrive="the_systemdrive",
environ_allusersprofile="the_allusersprofile",
environ_allusersappdata="the_allusersappdata")
mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
self.assertEqual(
mapping, {
"allusersappdata": "the_allusersappdata",
"allusersprofile": "the_allusersprofile",
"path": "the_path",
"programdata": "the_allusersprofile",
"programfiles": "the_programfiles",
"programfiles(x86)": "the_programfilesx86",
"programw6432": "the_programfiles",
"systemdrive": "the_systemdrive",
"systemroot": "the_systemroot",
"temp": "the_temp",
"windir": "the_windir"
})
def testGlobExpressionSplitsIntoExplainableComponents(self):
kb = rdf_client.KnowledgeBase(users=[
rdf_client.User(homedir="/home/foo"),
rdf_client.User(homedir="/home/bar"),
rdf_client.User(homedir="/home/baz"),
])
# Test for preservation of **/ because it behaves different to **.
ge = rdf_paths.GlobExpression("/foo/**/{bar,baz}/bar?/.*baz")
components = ge.ExplainComponents(2, kb)
self.assertEqual(
[c.glob_expression for c in components],
["/foo/", "**/", "{bar,baz}", "/bar", "?", "/.", "*", "baz"])
ge = rdf_paths.GlobExpression("/foo/**bar")
components = ge.ExplainComponents(2, kb)
self.assertEqual([c.glob_expression for c in components],
["/foo/", "**", "bar"])
ge = rdf_paths.GlobExpression("/foo/**10bar")
components = ge.ExplainComponents(2, kb)
self.assertEqual([c.glob_expression for c in components],
["/foo/", "**10", "bar"])
ge = rdf_paths.GlobExpression("/{foo,bar,baz}")
components = ge.ExplainComponents(2, kb)
self.assertEqual(components[1].examples, ["foo", "bar"])
ge = rdf_paths.GlobExpression("%%users.homedir%%/foo")
components = ge.ExplainComponents(2, kb)
self.assertEqual([c.glob_expression for c in components],
["%%users.homedir%%", "/foo"])
self.assertEqual(components[0].examples, ["/home/foo", "/home/bar"])
def testApplyMultiResponseSuccess(self):
class QuuxParser(parsers.MultiResponseParser):
supported_artifacts = ["Quux"]
def ParseResponses(
self,
knowledge_base: rdf_client.KnowledgeBase,
responses: Collection[rdf_client_fs.StatEntry],
) -> Iterable[rdfvalue.RDFInteger]:
return [stat_entry.st_dev for stat_entry in responses]
with parser_test_lib._ParserContext("Quux", QuuxParser):
factory = parsers.ArtifactParserFactory("Quux")
client_id = self.client_id
knowledge_base = rdf_client.KnowledgeBase()
applicator = artifact.ParserApplicator(factory, client_id,
knowledge_base)
applicator.Apply([
rdf_client_fs.StatEntry(st_dev=42),
rdf_client_fs.StatEntry(st_dev=1337),
])
errors = list(applicator.Errors())
self.assertEmpty(errors)
responses = list(applicator.Responses())
self.assertCountEqual(responses, [42, 1337])
def testApplyMultipleParsersError(self):
class QuuxParseError(parsers.ParseError):
pass
class QuuxParser(parsers.MultiResponseParser):
supported_artifacts = ["Quux"]
def ParseResponses(
self,
knowledge_base: rdf_client.KnowledgeBase,
responses: Collection[rdf_client_fs.StatEntry],
) -> Iterable[rdfvalue.RDFInteger]:
del knowledge_base, responses # Unused.
raise QuuxParseError("Lorem ipsum.")
with parser_test_lib._ParserContext("Quux", QuuxParser):
factory = parsers.ArtifactParserFactory("Quux")
client_id = self.client_id
knowledge_base = rdf_client.KnowledgeBase()
applicator = artifact.ParserApplicator(factory, client_id,
knowledge_base)
applicator.Apply([rdf_client_fs.StatEntry()])
errors = list(applicator.Errors())
self.assertLen(errors, 1)
self.assertIsInstance(errors[0], QuuxParseError)
responses = list(applicator.Responses())
self.assertEmpty(responses)
def testApplySingleResponseSuccessful(self):
class FooParser(parsers.SingleResponseParser):
supported_artifacts = ["Foo"]
def ParseResponse(
self,
knowledge_base: rdf_client.KnowledgeBase,
response: rdf_client_fs.StatEntry,
) -> Iterable[rdfvalue.RDFString]:
return [
rdfvalue.RDFString(
f"{knowledge_base.os}:{response.st_dev}")
]
with parser_test_lib._ParserContext("Foo", FooParser):
factory = parsers.ArtifactParserFactory("Foo")
client_id = self.client_id
knowledge_base = rdf_client.KnowledgeBase(os="Redox")
applicator = artifact.ParserApplicator(factory, client_id,
knowledge_base)
applicator.Apply([rdf_client_fs.StatEntry(st_dev=1337)])
errors = list(applicator.Errors())
self.assertEmpty(errors)
responses = list(applicator.Responses())
self.assertEqual(responses, ["Redox:1337"])
def testApplySingleResponseError(self):
class FooParseError(parsers.ParseError):
pass
class FooParser(parsers.SingleResponseParser):
supported_artifacts = ["Foo"]
def ParseResponse(
self,
knowledge_base: rdf_client.KnowledgeBase,
response: rdf_client_fs.StatEntry,
) -> Iterable[rdfvalue.RDFString]:
del knowledge_base, response # Unused.
raise FooParseError("Lorem ipsum.")
with parser_test_lib._ParserContext("Foo", FooParser):
factory = parsers.ArtifactParserFactory("Foo")
client_id = self.client_id
knowledge_base = rdf_client.KnowledgeBase()
applicator = artifact.ParserApplicator(factory, client_id,
knowledge_base)
applicator.Apply([rdf_client_fs.StatEntry()])
errors = list(applicator.Errors())
self.assertLen(errors, 1)
self.assertIsInstance(errors[0], FooParseError)
responses = list(applicator.Responses())
self.assertEmpty(responses)
def testKnowledgeBase(self):
kb = rdf_client.KnowledgeBase()
kb.os = "Windows"
artifact_bundle = collectors.GetArtifactCollectorArgs(kb, set(), [])
self.assertEqual(artifact_bundle.knowledge_base.os, "Windows")
def testMissingAttributeScope(self):
kb = rdf_client.KnowledgeBase()
with self.assertRaisesMissingAttrs() as context:
artifact_utils.InterpolateKbAttributes("test%%users.username%%test", kb)
self.assertEqual(context.exception.attrs, ["users"])
def testRekallVadArtifact(self):
"""Check we can run Rekall based artifacts."""
client_id = self.SetupClient(0, system="Windows")
# The client should now be populated with the data we care about.
kb = rdf_client.KnowledgeBase(os="Windows", environ_systemdrive=r"c:")
if data_store.RelationalDBReadEnabled():
client = data_store.REL_DB.ReadClientSnapshot(client_id.Basename())
client.knowledge_base = kb
data_store.REL_DB.WriteClientSnapshot(client)
else:
with aff4.FACTORY.Open(client_id, mode="rw",
token=self.token) as fd:
fd.Set(fd.Schema.KNOWLEDGE_BASE, kb)
with test_lib.ConfigOverrider({
"Rekall.enabled":
True,
"Rekall.profile_server":
rekall_test_lib.TestRekallRepositoryProfileServer.__name__
}):
fd = self.RunCollectorAndGetCollection(
["FullVADBinaryList"],
RekallMock(client_id, "rekall_vad_result.dat.gz"),
client_id=client_id)
self.assertLen(fd, 1705)
self.assertEqual(fd[0].path, u"c:\\Windows\\System32\\ntdll.dll")
for x in fd:
self.assertEqual(x.pathtype, "OS")
extension = x.path.lower().split(".")[-1]
self.assertIn(extension,
["exe", "dll", "pyd", "drv", "mui", "cpl"])
def testUserMergeWindows(self):
"""Check Windows users are accurately merged."""
kb = rdf_client.KnowledgeBase()
self.assertEmpty(kb.users)
kb.MergeOrAddUser(rdf_client.User(sid="1234"))
self.assertLen(kb.users, 1)
kb.MergeOrAddUser(rdf_client.User(sid="5678", username="******"))
self.assertLen(kb.users, 2)
_, conflicts = kb.MergeOrAddUser(
rdf_client.User(sid="5678", username="******"))
self.assertLen(kb.users, 2)
self.assertEqual(conflicts[0], ("username", "test1", "test2"))
self.assertEqual(kb.GetUser(sid="5678").username, "test2")
# This should merge on user name as we have no other data.
kb.MergeOrAddUser(rdf_client.User(username="******", homedir="a"))
self.assertLen(kb.users, 2)
# This should create a new user since the sid is different.
new_attrs, conflicts = kb.MergeOrAddUser(
rdf_client.User(username="******", sid="12345", temp="/blah"))
self.assertLen(kb.users, 3)
self.assertCountEqual(new_attrs,
["users.username", "users.temp", "users.sid"])
self.assertEqual(conflicts, [])
def testSingleFileResponse(self):
class NorfParser(parsers.SingleFileParser):
supported_artifacts = ["Norf"]
def ParseFile(
self,
knowledge_base: rdf_client.KnowledgeBase,
pathspec: rdf_paths.PathSpec,
filedesc: file_store.BlobStream,
) -> Iterable[rdfvalue.RDFBytes]:
del knowledge_base, pathspec # Unused.
return [rdfvalue.RDFBytes(filedesc.Read())]
with parser_test_lib._ParserContext("Norf", NorfParser):
factory = parsers.ArtifactParserFactory("Norf")
client_id = self.client_id
knowledge_base = rdf_client.KnowledgeBase()
stat_entry = rdf_client_fs.StatEntry()
stat_entry.pathspec.path = "foo/bar/baz"
stat_entry.pathspec.pathtype = rdf_paths.PathSpec.PathType.OS
self._WriteFile(stat_entry.pathspec.path, b"4815162342")
applicator = artifact.ParserApplicator(factory, client_id,
knowledge_base)
applicator.Apply([stat_entry])
errors = list(applicator.Errors())
self.assertEmpty(errors)
responses = list(applicator.Responses())
self.assertLen(responses, 1)
self.assertEqual(responses[0], b"4815162342")
def testUserMergeLinux(self):
"""Check Linux users are accurately merged."""
kb = rdf_client.KnowledgeBase()
self.assertEmpty(kb.users)
kb.MergeOrAddUser(rdf_client.User(username="******", last_logon=1111))
self.assertLen(kb.users, 1)
# This should merge since the username is the same.
kb.MergeOrAddUser(rdf_client.User(uid="12", username="******"))
self.assertLen(kb.users, 1)
# This should create a new record because the uid is different
kb.MergeOrAddUser(
rdf_client.User(username="******",
uid="13",
desktop="/home/blake/Desktop"))
self.assertLen(kb.users, 2)
kb.MergeOrAddUser(
rdf_client.User(username="******",
uid="14",
desktop="/home/blake/Desktop"))
self.assertLen(kb.users, 3)
# Check merging where we don't specify uid works
new_attrs, conflicts = kb.MergeOrAddUser(
rdf_client.User(username="******",
desktop="/home/blakey/Desktop"))
self.assertLen(kb.users, 3)
self.assertCountEqual(new_attrs, ["users.username", "users.desktop"])
self.assertCountEqual(
conflicts,
[("desktop", u"/home/blake/Desktop", u"/home/blakey/Desktop")])
def testFindsKeyWithInterpolatedGlobWithoutConditions(self):
# Initialize client's knowledge base in order for the interpolation
# to work.
user = rdf_client.User(sid="S-1-5-20")
kb = rdf_client.KnowledgeBase(users=[user])
client_id = self.SetupClient(0)
with aff4.FACTORY.Open(client_id, mode="rw",
token=self.token) as client:
client.Set(client.Schema.KNOWLEDGE_BASE, kb)
session_id = self.RunFlow(client_id, [
"HKEY_USERS/%%users.sid%%/Software/Microsoft/Windows/"
"CurrentVersion/*"
])
results = self.GetResults(session_id)
self.assertEqual(len(results), 1)
key = ("/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run")
self.assertEqual(results[0].stat_entry.AFF4Path(client_id),
"aff4:/C.1000000000000000/registry" + key)
self.assertEqual(results[0].stat_entry.pathspec.path, key)
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdf_paths.PathSpec.PathType.REGISTRY)
def GetKnowledgeBase(rdf_client_obj, allow_uninitialized=False):
"""Returns a knowledgebase from an rdf client object."""
if not allow_uninitialized:
if rdf_client_obj is None:
raise artifact_utils.KnowledgeBaseUninitializedError(
"No client snapshot given.")
if rdf_client_obj.knowledge_base is None:
raise artifact_utils.KnowledgeBaseUninitializedError(
"KnowledgeBase empty for %s." % rdf_client_obj.client_id)
kb = rdf_client_obj.knowledge_base
if not kb.os:
raise artifact_utils.KnowledgeBaseAttributesMissingError(
"KnowledgeBase missing OS for %s. Knowledgebase content: %s" %
(rdf_client_obj.client_id, kb))
if rdf_client_obj is None or rdf_client_obj.knowledge_base is None:
return rdf_client.KnowledgeBase()
version = rdf_client_obj.os_version.split(".")
kb = rdf_client_obj.knowledge_base
try:
kb.os_major_version = int(version[0])
if len(version) > 1:
kb.os_minor_version = int(version[1])
except ValueError:
pass
return kb
def testParse(self):
parser = osx_launchd.DarwinPersistenceMechanismsParser()
serv_info = rdf_client.OSXServiceInformation(label="blah",
args=["/blah/test", "-v"])
results = list(
parser.ParseResponse(rdf_client.KnowledgeBase(), serv_info))
self.assertEqual(results[0].pathspec.path, "/blah/test")
def testGrep(self):
class MockCallFlow(object):
def CallFlow(self, *args, **kwargs):
self.args = args
self.kwargs = kwargs
mock_call_flow = MockCallFlow()
with utils.Stubber(aff4_flows.ArtifactCollectorFlow, "CallFlow",
mock_call_flow.CallFlow):
collect_flow = aff4_flows.ArtifactCollectorFlow(None,
token=self.token)
collect_flow.args = mock.Mock()
collect_flow.args.ignore_interpolation_errors = False
kb = rdf_client.KnowledgeBase()
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
collect_flow.state["knowledge_base"] = kb
collect_flow.current_artifact_name = "blah"
collector = rdf_artifacts.ArtifactSource(
type=rdf_artifacts.ArtifactSource.SourceType.GREP,
attributes={
"paths": ["/etc/passwd"],
"content_regex_list": [r"^a%%users.username%%b$"]
})
collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK)
conditions = mock_call_flow.kwargs["conditions"]
self.assertLen(conditions, 1)
regexes = conditions[0].contents_regex_match.regex.SerializeToString()
self.assertCountEqual(regexes.split("|"),
["(^atest1b$)", "(^atest2b$)"])
self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
def testPrepareArtifactFilesBundle(self):
"""Test the preparation of ArtifactFiles Args."""
artifact_list = ["TestArtifactFilesArtifact"]
kb = rdf_client.KnowledgeBase()
kb.os = "Linux"
file_path = os.path.join(self.base_path, "numbers.txt")
source = rdf_artifacts.ArtifactSource(
type=rdf_artifacts.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
artifact_obj = artifact_registry.REGISTRY.GetArtifact("TestFileArtifact")
artifact_obj.sources.append(source)
artifact_bundle = collectors.GetArtifactCollectorArgs(kb, artifact_list)
art_obj = artifact_bundle.artifacts[0]
self.assertEqual(art_obj.name, "TestArtifactFilesArtifact")
source = art_obj.sources[0]
self.assertEqual(source.base_source.type, "ARTIFACT_FILES")
sub_artifact_source = source.artifact_sources[0]
self.assertEqual(sub_artifact_source.base_source.type, "FILE")
def setUp(self):
super(CheckRegistryTests, self).setUp()
if self.sw_chk is None:
self.sw_chk = self._LoadCheck("sw.yaml", "SW-CHECK")
checks.CheckRegistry.RegisterCheck(check=self.sw_chk,
source="dpkg.out",
overwrite_if_exists=True)
if self.sshd_chk is None:
self.sshd_chk = self._LoadCheck("sshd.yaml", "SSHD-CHECK")
checks.CheckRegistry.RegisterCheck(check=self.sshd_chk,
source="sshd_config",
overwrite_if_exists=True)
if self.sshd_perms is None:
self.sshd_perms = self._LoadCheck("sshd.yaml", "SSHD-PERMS")
checks.CheckRegistry.RegisterCheck(check=self.sshd_perms,
source="sshd_config",
overwrite_if_exists=True)
self.kb = rdf_client.KnowledgeBase()
self.kb.fqdn = "test.example.com"
self.host_data = {
"KnowledgeBase": self.kb,
"WMIInstalledSoftware": GetWMIData(),
"DebianPackagesStatus": GetDPKGData(),
"SshdConfigFile": GetSSHDConfig()
}
def testGetKBDependencies(self):
"""Test that KB dependencies are calculated correctly."""
artifact_registry.REGISTRY.ClearSources()
try:
test_artifacts_file = os.path.join(config.CONFIG["Test.data_dir"],
"artifacts", "test_artifacts.json")
artifact_registry.REGISTRY.AddFileSource(test_artifacts_file)
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"DepsParent", "DepsDesktop", "DepsHomedir", "DepsWindir",
"DepsWindirRegex", "DepsControlSet", "FakeArtifact"
],
"Artifacts.knowledge_base_additions": ["DepsHomedir2"],
"Artifacts.knowledge_base_skip": ["DepsWindir"],
"Artifacts.knowledge_base_heavyweight": ["FakeArtifact"]
}):
args = artifact.KnowledgeBaseInitializationArgs(lightweight=True)
kb_init = artifact.KnowledgeBaseInitializationFlow(
rdf_flow_objects.Flow(args=args))
kb_init.state["all_deps"] = set()
kb_init.state["awaiting_deps_artifacts"] = []
kb_init.state["knowledge_base"] = rdf_client.KnowledgeBase(os="Windows")
no_deps = kb_init.GetFirstFlowsForCollection()
self.assertCountEqual(no_deps, ["DepsControlSet", "DepsHomedir2"])
self.assertCountEqual(kb_init.state.all_deps, [
"users.homedir", "users.desktop", "users.username",
"environ_windir", "current_control_set"
])
self.assertCountEqual(
kb_init.state.awaiting_deps_artifacts,
["DepsParent", "DepsDesktop", "DepsHomedir", "DepsWindirRegex"])
finally:
artifact.LoadArtifactsOnce()
def SetKnowledgeBase(fqdn="test.example.com", host_os="Linux",
host_data=None):
"""Generates a KnowledgeBase entry in the host_data used by checks."""
if not host_data:
host_data = {}
host_data["KnowledgeBase"] = rdf_client.KnowledgeBase(fqdn=fqdn, os=host_os)
return host_data
def testMissingAttributeScopeVar(self):
kb = rdf_client.KnowledgeBase()
kb.users.Append(rdf_client.User(username="******", uid=42))
with self.assertRaisesMissingAttrs() as context:
artifact_utils.InterpolateKbAttributes("test%%users.temp%%test", kb)
self.assertEqual(context.exception.attrs, ["users.temp"])
