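def testDownloadActionSkip(self, upload):
    """Check that the SKIP policy keeps file content from being uploaded.

    The download options use ``max_size=0`` together with
    ``oversized_file_policy="SKIP"``. The test expects exactly one result,
    no call to ``upload``, and no ``uploaded_file`` field on that result.

    Args:
        upload: Stand-in for the uploader. It is read through ``.called``,
            so it is presumably a mock injected by a patch decorator that
            is outside this view -- confirm.
    """
    opts = rdf_file_finder.FileFinderDownloadActionOptions(
        max_size=0, oversized_file_policy="SKIP")
    results = self._RunFileFinderDownloadHello(upload, opts=opts)

    # assertEqual is the supported spelling; assertEquals is a deprecated
    # alias that newer unittest releases no longer provide.
    self.assertEqual(len(results), 1)
    # The size cap is the control being tested: nothing may be handed to
    # the uploader and the result must not claim an uploaded file.
    self.assertFalse(upload.called)
    self.assertFalse(results[0].HasField("uploaded_file"))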
class TestFileFinderOSDarwin(base.VFSPathContentIsMachO):
    # Runs the FileFinder flow with a DOWNLOAD action against /bin/ps on
    # Darwin clients. The base class is defined outside this view; its name
    # suggests it checks the collected content is a Mach-O binary -- confirm.

    platforms = ["Darwin"]
    flow = "FileFinder"
    # VFS location where the downloaded file is expected to appear.
    test_output_path = "/fs/os/bin/ps"

    # Download options are left at whatever defaults the RDF type defines.
    download = rdf_file_finder.FileFinderDownloadActionOptions()
    action = rdf_file_finder.FileFinderAction(
        action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download,
    )
    args = {
        "paths": ["/bin/ps"],
        "action": action,
    }
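def testDownloadActionTruncate(self, upload):
    """Check that DOWNLOAD_TRUNCATED uploads the file with the size limit.

    The download options use ``max_size=42`` together with
    ``oversized_file_policy="DOWNLOAD_TRUNCATED"``. The test expects exactly
    one result whose ``uploaded_file`` is the value returned by ``upload``.

    Args:
        upload: Stand-in for the uploader. It is read through ``.called``
            and ``.return_value``, so it is presumably a mock injected by a
            patch decorator that is outside this view -- confirm.
    """
    opts = rdf_file_finder.FileFinderDownloadActionOptions(
        max_size=42, oversized_file_policy="DOWNLOAD_TRUNCATED")
    results = self._RunFileFinderDownloadHello(upload, opts=opts)

    self.assertEqual(len(results), 1)
    # Inspect the recorded call directly. `upload.called_with(...)` is not a
    # mock assertion: on a Mock it is an auto-created attribute whose return
    # value is always truthy, so wrapping it in assertTrue can never fail
    # and the truncation limit would go unverified.
    self.assertTrue(upload.called)
    # NOTE(review): assumes the limit reaches the uploader as the
    # `max_bytes` keyword argument -- confirm against the call site.
    _, upload_kwargs = upload.call_args
    self.assertEqual(upload_kwargs.get("max_bytes"), 42)
    self.assertTrue(results[0].HasField("uploaded_file"))
    self.assertEqual(results[0].uploaded_file, upload.return_value)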
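def testDownloadActionHash(self, upload):
    """Check that HASH_TRUNCATED hashes a bounded prefix and uploads nothing.

    The download options use ``max_size=42`` together with
    ``oversized_file_policy="HASH_TRUNCATED"``. The test expects exactly one
    result that carries ``hash_entry`` and ``stat_entry`` but no
    ``uploaded_file``, with the hash covering 42 bytes of a larger file.

    Args:
        upload: Stand-in for the uploader. It is read through ``.called``,
            so it is presumably a mock injected by a patch decorator that
            is outside this view -- confirm.
    """
    opts = rdf_file_finder.FileFinderDownloadActionOptions(
        max_size=42, oversized_file_policy="HASH_TRUNCATED")
    results = self._RunFileFinderDownloadHello(upload, opts=opts)

    # One spelling throughout: assertEqual, not the deprecated assertEquals.
    self.assertEqual(len(results), 1)
    result = results[0]

    # No file content may reach the uploader under this policy.
    self.assertFalse(upload.called)
    self.assertFalse(result.HasField("uploaded_file"))

    self.assertTrue(result.HasField("hash_entry"))
    self.assertTrue(result.HasField("stat_entry"))
    # The hash covers exactly max_size bytes, and the stat entry shows the
    # file really is larger than the limit, so the cap was exercised.
    self.assertEqual(result.hash_entry.num_bytes, 42)
    self.assertGreater(result.stat_entry.st_size, 42)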
class TestFileFinderTSKWindows(base.VFSPathContentIsPE):
    """Fetch notepad on Windows through the TSK path type."""

    platforms = ["Windows"]
    flow = "FileFinder"

    # Download options are left at whatever defaults the RDF type defines.
    download = rdf_file_finder.FileFinderDownloadActionOptions()
    action = rdf_file_finder.FileFinderAction(
        action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download,
    )
    # The path is a glob with an interpolated system-root placeholder;
    # "pathtype" selects TSK rather than the OS file API.
    args = {
        "paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
        "action": action,
        "pathtype": "TSK",
    }

    # Pattern for the VFS location where the downloaded file should appear.
    test_output_path = "/fs/tsk/.*/Windows/System32/notepad.exe"
class TestFileFinderOSLinux(base.VFSPathContentIsELF):
    """Fetch /bin/ps on Linux with FileFinder, subject to a size condition."""

    platforms = ["Linux"]
    flow = file_finder.FileFinder.__name__
    # VFS location where the downloaded file is expected to appear.
    test_output_path = "/fs/os/bin/ps"

    # Download options are left at whatever defaults the RDF type defines.
    download = rdf_file_finder.FileFinderDownloadActionOptions()
    action = rdf_file_finder.FileFinderAction(
        action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download,
    )

    # SIZE condition that bounds which files are eligible for collection.
    sizecondition = rdf_file_finder.FileFinderSizeCondition(
        max_file_size=1000000)
    filecondition = rdf_file_finder.FileFinderCondition(
        condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition,
    )

    args = {
        "paths": ["/bin/ps"],
        "conditions": filecondition,
        "action": action,
    }
class TestFileFinderOSLinuxProc(base.VFSPathContentExists):
    """Fetch a /proc/sys entry on Linux with FileFinder."""

    platforms = ["Linux"]
    flow = file_finder.FileFinder.__name__
    # VFS location where the downloaded file is expected to appear.
    test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
    # NOTE(review): presumably the lowest client version this test applies
    # to; the consumer of this attribute is outside this view -- confirm.
    client_min_version = 3007

    # Download options are left at whatever defaults the RDF type defines.
    download = rdf_file_finder.FileFinderDownloadActionOptions()
    action = rdf_file_finder.FileFinderAction(
        action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download,
    )

    # SIZE condition that bounds which files are eligible for collection.
    sizecondition = rdf_file_finder.FileFinderSizeCondition(
        max_file_size=1000000)
    filecondition = rdf_file_finder.FileFinderCondition(
        condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition,
    )

    args = {
        "paths": ["/proc/sys/net/ipv4/ip_forward"],
        "conditions": filecondition,
        "action": action,
    }
def testFileFinderDownloadMaxFileSizeCanBeOverriden(self):
    """Verify the router's file-size limit replaces the requested one.

    The router is created with ``max_file_size=42`` while the request asks
    for ``max_size=80`` with the DOWNLOAD_TRUNCATED policy. The handler's
    ``override_flow_args`` are expected to carry ``max_size == 42`` and the
    SKIP policy, i.e. the caller cannot widen the router-side cap.
    """
    router_limits = rr.RobotRouterFileFinderFlowParams(
        enabled=True, max_file_size=42)
    router = self._CreateRouter(file_finder_flow=router_limits)

    # What the API caller asks for: a larger limit and a laxer policy.
    requested = rdf_file_finder.FileFinderDownloadActionOptions()
    requested.max_size = 80
    requested.oversized_file_policy = (
        requested.OversizedFilePolicy.DOWNLOAD_TRUNCATED)

    finder_args = rdf_file_finder.FileFinderArgs(
        paths=["/foo/bar"],
        action=rdf_file_finder.FileFinderAction(
            action_type="DOWNLOAD", download=requested))
    create_args = api_flow.ApiCreateFlowArgs(
        flow=api_flow.ApiFlow(
            name=file_finder.FileFinder.__name__, args=finder_args),
        client_id=self.client_id)
    handler = router.CreateFlow(create_args, token=self.token)

    # What the router will actually run with.
    effective = handler.override_flow_args.action.download
    self.assertEqual(
        effective.oversized_file_policy, effective.OversizedFilePolicy.SKIP)
    self.assertEqual(effective.max_size, 42)
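def testClientFileFinderUploadSkip(self):
    """Check that SKIP with a 300-byte cap drops the oversized plist files.

    The flow globs ``**/*.plist`` under ``self.base_path`` with a DOWNLOAD
    action whose options are ``oversized_file_policy="SKIP"`` and
    ``max_size=300``. Only ``History.plist`` and ``test.plist`` are expected
    in the results, and the first 100 bytes stored for each must match the
    file on disk.
    """
    paths = [os.path.join(self.base_path, "**/*.plist")]
    action_type = rdf_file_finder.FileFinderAction.Action.DOWNLOAD
    download_action = rdf_file_finder.FileFinderDownloadActionOptions(
        oversized_file_policy="SKIP", max_size=300)
    action = rdf_file_finder.FileFinderAction(
        action_type=action_type, download=download_action)

    session_id = self._RunClientFileFinder(paths, action)
    collection = aff4.FACTORY.Open(session_id.Add("Results"), token=self.token)
    results = list(collection)

    # Only two instead of the usual four results.
    self.assertEqual(len(results), 2)
    relpaths = [
        os.path.relpath(p.stat_entry.pathspec.path, self.base_path)
        for p in results
    ]
    self.assertItemsEqual(relpaths, ["History.plist", "test.plist"])

    for r in results:
        aff4_obj = aff4.FACTORY.Open(
            r.stat_entry.pathspec.AFF4Path(self.client_id), token=self.token)
        stored_prefix = aff4_obj.Read(100)
        # Close the local file deterministically instead of leaving the
        # handle to the garbage collector.
        with open(r.stat_entry.pathspec.path, "rb") as local_file:
            local_prefix = local_file.read(100)
        self.assertEqual(stored_prefix, local_prefix)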
class TestFileFinderOSWindows(base.VFSPathContentIsPE):
    """Fetch notepad on Windows with FileFinder.

    Covers globbing, interpolation and filtering in a single request.
    """

    platforms = ["Windows"]
    flow = file_finder.FileFinder.__name__
    # VFS location where the downloaded file is expected to appear.
    test_output_path = "/fs/os/C:/Windows/System32/notepad.exe"

    # Download options are left at whatever defaults the RDF type defines.
    download = rdf_file_finder.FileFinderDownloadActionOptions()
    action = rdf_file_finder.FileFinderAction(
        action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download,
    )

    # SIZE condition that bounds which files are eligible for collection.
    sizecondition = rdf_file_finder.FileFinderSizeCondition(
        max_file_size=1000000)
    filecondition = rdf_file_finder.FileFinderCondition(
        condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition,
    )

    # The path is a glob with an interpolated system-root placeholder.
    args = {
        "paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
        "conditions": filecondition,
        "action": action,
    }