コード例 #1
    def testComplexSelect(self):
        """Check a parenthesised SELECT used as an operand of ``and``.

        The expected tree is an Intersection whose first operand is the Map
        built for the SELECT and whose second operand is the literal True.
        """
        query_text = ("(SELECT proc.parent.pid AS ppid, proc.pid FROM pslist(10) "
                      "WHERE COUNT(proc.open_files) > 10) and True")

        # FROM pslist(10): the positional argument is a plain Literal.
        process_rows = ast.Apply(ast.Var("pslist"), ast.Literal(10))

        # WHERE COUNT(proc.open_files) > 10: the call is the first operand
        # of StrictOrderedSet and the threshold the second.
        open_file_count = ast.Apply(
            ast.Var("COUNT"),
            ast.Resolve(ast.Var("proc"), ast.Literal("open_files")))
        where_clause = ast.StrictOrderedSet(open_file_count, ast.Literal(10))
        filtered_rows = ast.Filter(process_rows, where_clause)

        # Each output column is a Pair of (column name, value expression);
        # a column without AS (proc.pid) is expected under the name "pid".
        ppid_column = ast.Pair(
            ast.Literal("ppid"),
            ast.Resolve(
                ast.Resolve(ast.Var("proc"), ast.Literal("parent")),
                ast.Literal("pid")))
        pid_column = ast.Pair(
            ast.Literal("pid"),
            ast.Resolve(ast.Var("proc"), ast.Literal("pid")))
        select_tree = ast.Map(filtered_rows, ast.Bind(ppid_column, pid_column))

        self.assertQueryMatches(
            query_text,
            ast.Intersection(select_tree, ast.Literal(True)))
コード例 #2
 def testSelectWhereOrder(self):
     """Check that ``WHERE`` followed by ``ORDER BY ... DESC`` nests correctly.

     The expected tree applies "reverse" to a Sort of the Filter, so the
     filter is innermost and the descending order is outermost.
     """
     query_text = "SELECT * FROM pslist() WHERE pid == 1 ORDER BY command DESC"

     # DESC is expected as an application of the "reverse" variable.
     reverse_fn = ast.Var("reverse")

     # WHERE pid == 1 over the rows produced by pslist().
     matching_rows = ast.Filter(
         ast.Apply(ast.Var("pslist")),
         ast.Equivalence(ast.Var("pid"), ast.Literal(1)))

     # ORDER BY command: the sort key is a bare Var.
     sorted_rows = ast.Sort(matching_rows, ast.Var("command"))

     self.assertQueryMatches(query_text, ast.Apply(reverse_fn, sorted_rows))
コード例 #3
ファイル: parser.py プロジェクト: rekall-innovations/efilter
    def select_where(self, source_expression):
        """Parse a WHERE predicate and wrap ``source_expression`` in a Filter.

        After the predicate, the token stream is offered grammar.select_order
        and then grammar.select_limit; whichever is accepted first receives
        the Filter and its result is returned. If neither is accepted, the
        Filter itself is returned.

        Args:
            source_expression: The AST node whose rows are being filtered.

        Returns:
            The Filter node, or whatever select_order / select_limit builds
            around it.
        """
        where_start = self.tokens.matched.start
        predicate = self.expression()
        # Read the end offset only after self.expression() has returned, which
        # is the order the original argument list evaluated them in.
        where_end = self.tokens.matched.end

        filtered = ast.Filter(source_expression, predicate,
                              start=where_start, end=where_end,
                              source=self.original)

        # The ORDER check comes first; LIMIT is offered here only when no
        # ORDER clause was accepted.
        if self.tokens.accept(grammar.select_order):
            result = self.select_order(filtered)
        elif self.tokens.accept(grammar.select_limit):
            result = self.select_limit(filtered)
        else:
            result = filtered

        return result
コード例 #4
ファイル: parser.py プロジェクト: rekall-innovations/efilter
    def testFullSelect(self):
        """Check a SELECT that uses every clause: WHERE, ORDER BY, LIMIT, OFFSET.

        The expected nesting, innermost first, is Filter, Sort, reverse,
        drop (OFFSET), take (LIMIT), with the column Map outermost.
        """
        query_text = ("SELECT proc.parent.pid AS ppid_column, proc.pid"
                      " FROM pslist(pid: 10, ppid: 20)"
                      " WHERE count(proc.open_files) > 10"
                      " ORDER BY proc.command DESC"
                      " LIMIT 10 - 9 OFFSET add(5, 10)")

        # FROM pslist(pid: 10, ppid: 20): keyword arguments become Pairs
        # whose key is a Var.
        process_rows = ast.Apply(
            ast.Var("pslist"),
            ast.Pair(ast.Var("pid"), ast.Literal(10)),
            ast.Pair(ast.Var("ppid"), ast.Literal(20)))

        # WHERE count(proc.open_files) > 10
        # NOTE(review): the query puts the count() call on the left of ">",
        # yet this expected node lists Literal(10) first -- confirm that this
        # operand order is what the parser emits for ">".
        where_clause = ast.StrictOrderedSet(
            ast.Literal(10),
            ast.Apply(
                ast.Var("count"),
                ast.Resolve(ast.Var("proc"), ast.Literal("open_files"))))
        filtered_rows = ast.Filter(process_rows, where_clause)

        # ORDER BY proc.command DESC: a Sort wrapped in a "reverse" call.
        ordered_rows = ast.Apply(
            ast.Var("reverse"),
            ast.Sort(filtered_rows,
                     ast.Resolve(ast.Var("proc"), ast.Literal("command"))))

        # OFFSET add(5, 10): "drop" takes the offset expression, then the rows.
        after_offset = ast.Apply(
            ast.Var("drop"),
            ast.Apply(ast.Var("add"), ast.Literal(5), ast.Literal(10)),
            ordered_rows)

        # LIMIT 10 - 9: "take" wraps the drop, so the offset applies first.
        limited_rows = ast.Apply(
            ast.Var("take"),
            ast.Difference(ast.Literal(10), ast.Literal(9)),
            after_offset)

        # Output columns: the AS alias names the first, "pid" the second.
        ppid_column = ast.Pair(
            ast.Literal("ppid_column"),
            ast.Resolve(
                ast.Resolve(ast.Var("proc"), ast.Literal("parent")),
                ast.Literal("pid")))
        pid_column = ast.Pair(
            ast.Literal("pid"),
            ast.Resolve(ast.Var("proc"), ast.Literal("pid")))

        self.assertQueryMatches(
            query_text,
            ast.Map(limited_rows, ast.Bind(ppid_column, pid_column)))
コード例 #5
    def testBuiltins(self):
        """Check the call-style forms filter(), map() and bind().

        Each accepted query is compared with the AST node it should produce;
        the last query must be rejected by the parser.
        """
        # filter(source, predicate) is expected as a Filter node.
        process_rows = ast.Apply(ast.Var("pslist"))
        pid_is_one = ast.Equivalence(
            ast.Resolve(ast.Var("proc"), ast.Literal("pid")),
            ast.Literal(1))
        self.assertQueryMatches("filter(pslist(), proc.pid == 1)",
                                ast.Filter(process_rows, pid_is_one))

        # map(source, [...]): the bracketed list is a Tuple; dotted access is
        # a Resolve while subscript access (proc['command']) is a Select.
        mapped_rows = ast.Apply(ast.Var("pslist"))
        projected = ast.Tuple(
            ast.Resolve(ast.Var("proc"), ast.Literal("pid")),
            ast.Select(ast.Var("proc"), ast.Literal("command")))
        self.assertQueryMatches("map(pslist(), [proc.pid, proc['command']])",
                                ast.Map(mapped_rows, projected))

        # bind(name: value, ...) is a Bind of Pairs keyed by Var.
        x_binding = ast.Pair(ast.Var("x"), ast.Literal(1))
        y_binding = ast.Pair(ast.Var("y"), ast.Literal(2))
        self.assertQueryMatches("bind(x: 1, y: 2)",
                                ast.Bind(x_binding, y_binding))

        # Same text as the accepted form except for the space between the
        # name and the opening parenthesis; this one must raise.
        self.assertQueryRaises("bind (x: 1, y: 2)")
コード例 #6
 def testSelectWhere(self):
     """Check that ``SELECT * ... WHERE`` parses to a bare Filter.

     With ``*`` as the column list the expected tree has no Map node: it is
     just the Filter over the pslist() call.
     """
     query_text = "SELECT * FROM pslist() WHERE pid == 1"

     process_rows = ast.Apply(ast.Var("pslist"))
     # Here the column name is a bare Var, not a Resolve on "proc".
     pid_is_one = ast.Equivalence(ast.Var("pid"), ast.Literal(1))

     self.assertQueryMatches(query_text, ast.Filter(process_rows, pid_is_one))