def setUp(self): super(ListVADBinariesTest, self).setUp() client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Windows")) client.Set(client.Schema.OS_VERSION("6.2")) client.Flush() self.os_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture) self.reg_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler) self.os_overrider.Start() self.reg_overrider.Start() # Add some user accounts to this client. fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) users = fd.Schema.USER() users.Append(rdf_client.User( username="******", domain="testing-PC", homedir=r"C:\Users\localservice", sid="S-1-5-20")) fd.Set(users) fd.Close() self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"] flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow
def testRegistryDefaultValueArtifact(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock(standard.StatFile) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. REGISTRY_VALUE, attributes={ "key_value_pairs": [{ "key": (r"HKEY_LOCAL_MACHINE/SOFTWARE/ListingTest"), "value": "" }] }) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry)) self.assertEqual(fd[0].registry_data.GetValue(), "DefaultValue")
def setUp(self): super(ListVADBinariesTest, self).setUp() self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64") self.os_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture) self.reg_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler) self.os_overrider.Start() self.reg_overrider.Start() # Add some user accounts to this client. fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) kb = fd.Get(fd.Schema.KNOWLEDGE_BASE) kb.environ_systemdrive = "C:" kb.MergeOrAddUser( rdf_client.KnowledgeBaseUser(username="******", userdomain="testing-PC", homedir=r"C:\Users\localservice", sid="S-1-5-20")) fd.Set(kb) fd.Close() self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"] flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow
def testRetrieveDependencies(self): """Test getting an artifact without a KB using retrieve_depdendencies.""" with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock(standard.StatFile) artifact_list = ["WinDirEnvironmentVariable"] for s in test_lib.TestFlowHelper( "ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, dependencies=artifact_utils.ArtifactCollectorFlowArgs. Dependency.FETCH_NOW): session_id = s output = aff4.FACTORY.Open(session_id.Add( flow_runner.RESULTS_SUFFIX), token=self.token) self.assertEqual(len(output), 1) self.assertEqual(output[0], r"C:\Windows")
def testSystemDriveArtifact(self): self._PrepareWindowsClient() class BrokenClientMock(action_mocks.ActionMock): def StatFile(self, _): raise IOError def ListDirectory(self, _): raise IOError # No registry, broken filesystem, this should just raise. with self.assertRaises(RuntimeError): for _ in test_lib.TestFlowHelper( "ArtifactCollectorFlow", BrokenClientMock(), artifact_list=["SystemDriveEnvironmentVariable"], token=self.token, client_id=self.client_id, output="testsystemdrive"): pass # No registry, so this should use the fallback flow with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture): self._CheckDriveAndRoot() # Registry is present, so this should use the regular artifact collection with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): self._CheckDriveAndRoot()
def testRetrieveDependencies(self): """Test getting an artifact without a KB using retrieve_depdendencies.""" self._PrepareWindowsClient() with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "FingerprintFile", "ListDirectory") artifact_list = ["WinDirEnvironmentVariable"] for _ in test_lib.TestFlowHelper( "ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, dependencies=artifact_utils.ArtifactCollectorFlowArgs. Dependency.FETCH_NOW, output="testRetrieveDependencies"): pass output = aff4.FACTORY.Open( self.client_id.Add("testRetrieveDependencies"), token=self.token) self.assertEqual(len(output), 1) self.assertEqual(output[0], r"C:\Windows")
def testRegistryValueArtifact(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock(standard.StatFile) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. REGISTRY_VALUE, attributes={ "key_value_pairs": [{ "key": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" r"\Control\Session Manager"), "value": "BootExecute" }] }) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s # Test the statentry got stored with the correct aff4path. fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry)) self.assertTrue(str(fd[0].aff4path).endswith("BootExecute"))
def testProcessCollectedArtifacts(self): """Test downloading files from artifacts.""" self._PrepareWindowsClient() with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): self._testProcessCollectedArtifacts()
def testProcessCollectedArtifacts(self): """Test downloading files from artifacts.""" self.SetupClients(1, system="Windows", os_version="6.2") with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): self._testProcessCollectedArtifacts()
def setUp(self): super(GrrKbWindowsTest, self).setUp() self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64") self.os_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler) self.reg_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler) self.os_overrider.Start() self.reg_overrider.Start()
def SetupWindowsMocks(self): test_lib.ClientFixture(self.client_id, token=self.token) self.SetWindowsClient() self.os_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler) self.reg_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler) self.os_overrider.Start() self.reg_overrider.Start()
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.MEMORY, test_lib.FakeTestDataVFSHandler): paths = [ os.path.join(os.path.dirname(self.base_path), "auth.log"), os.path.join(os.path.dirname(self.base_path), "dpkg.log") ] literal_condition = file_finder.FileFinderContentsLiteralMatchCondition all_hits = literal_condition.Mode.ALL_HITS literal_condition = file_finder.FileFinderCondition( condition_type=file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=literal_condition( mode=all_hits, literal="session opened for user dearjohn")) # Check this condition with all the actions. This makes sense, as we may # download memeory or send it to the socket. for action in sorted(file_finder.FileFinderAction.Action. enum_dict.values()): for _ in test_lib.TestFlowHelper( "FileFinder", self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdf_paths.PathSpec.PathType.MEMORY, conditions=[literal_condition], action=file_finder.FileFinderAction( action_type=action), token=self.token, output=self.output_path): pass self.CheckFilesInCollection(["auth.log"]) fd = aff4.FACTORY.Open(self.client_id.Add( self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(), paths[0]) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.MEMORY, test_lib.FakeTestDataVFSHandler): paths = ["/var/log/auth.log", "/etc/ssh/sshd_config"] literal_condition = file_finder.FileFinderContentsLiteralMatchCondition all_hits = literal_condition.Mode.ALL_HITS literal_condition = file_finder.FileFinderCondition( condition_type=file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=literal_condition( mode=all_hits, bytes_before=10, bytes_after=10, literal="session opened for user dearjohn")) # Check this condition with all the actions. This makes sense, as we may # download memeory or send it to the socket. for action in self.CONDITION_TESTS_ACTIONS: for s in test_lib.TestFlowHelper( "FileFinder", self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdf_paths.PathSpec.PathType.MEMORY, conditions=[literal_condition], action=file_finder.FileFinderAction( action_type=action), token=self.token): session_id = s self.CheckFilesInCollection(["auth.log"], session_id=session_id) fd = aff4.FACTORY.Open(session_id.Add( flow_runner.RESULTS_SUFFIX), aff4_type=sequential_collection. GeneralIndexedCollection, token=self.token) self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(), paths[0]) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testInterrogateWindows(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.InterrogatedClient( "TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile", "GetLibraryVersions") self.SetWindowsClient() client_mock.InitializeClient(system="Windows", version="6.1.7600", kernel="6.1.7601") # Run the flow in the simulated way for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Windows", 100 * 1000000) self._CheckClientInfo() self._CheckClientIndex(".*Host.*") self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Windows", "6.1.7600", kernel="6.1.7601") # users Bert and Ernie added by the fixture should not be present (USERS # overriden by kb) # jim parsed from registry profile keys self._CheckUsers(["jim", "kovacs"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckWindowsDiskInfo() self._CheckRegistryPathspec() self._CheckClientKwIndex(["Linux"], 0) self._CheckClientKwIndex(["Windows"], 1) self._CheckClientKwIndex(["Label2"], 1)
def testKnowledgeBaseRetrievalLinuxPasswd(self): """Check we can retrieve a Linux kb.""" self.ClearKB() with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": ["LinuxWtmp", "LinuxPasswdHomedirs", "LinuxRelease"], "Artifacts.knowledge_base_additions": [], "Artifacts.knowledge_base_skip": []}): for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", self.client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. # Bert and Ernie not present (Users fixture overriden by kb). self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2", "user3"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099) self.assertEqual(user.homedir, "/home/user1") user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552102) self.assertEqual(user.homedir, "/home/user2") self.assertFalse(kb.GetUser(username="******"))
def CreateTimelineFixture(self): """Creates a new timeline fixture we can play with.""" # Create a client for testing client_id = rdf_client.ClientURN("C.0000000000000001") token = access_control.ACLToken(username="******", reason="fixture") fd = aff4.FACTORY.Create(client_id, "VFSGRRClient", token=token) cert = self.ClientCertFromPrivateKey( config_lib.CONFIG["Client.private_key"]) client_cert = rdf_crypto.RDFX509Cert(cert.as_pem()) fd.Set(fd.Schema.CERT(client_cert)) fd.Close() with test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture): client_mock = action_mocks.ActionMock("ListDirectory") output_path = "analysis/Timeline/MAC" for _ in test_lib.TestFlowHelper( "RecursiveListDirectory", client_mock, client_id=client_id, pathspec=rdf_paths.PathSpec( path="/", pathtype=rdf_paths.PathSpec.PathType.OS), token=token): pass # Now make a timeline for _ in test_lib.TestFlowHelper( "MACTimes", client_mock, client_id=client_id, token=token, path="/", output=output_path): pass
def testIteratedDirectoryListing(self): """Test that the client iterator works.""" with test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, MockVFSHandler): path = "/" # Run the flow in the simulated way client_mock = action_mocks.ActionMock("IteratedListDirectory") for _ in test_lib.TestFlowHelper( "IteratedListDirectory", client_mock, client_id=self.client_id, pathspec=rdf_paths.PathSpec(path="/", pathtype=rdf_paths.PathSpec.PathType.OS), token=self.token): pass fd = aff4.FACTORY.Open(self.client_id.Add("fs/os").Add(path), token=self.token) directory = [ch for ch in fd.OpenChildren()] pb = rdf_paths.PathSpec(path=path, pathtype=rdf_paths.PathSpec.PathType.OS) directory2 = list(vfs.VFSOpen(pb).ListFiles()) directory.sort() result = [x.Get(x.Schema.STAT) for x in directory] # Make sure that the resulting directory is what it should be for x, y in zip(result, directory2): x.aff4path = None self.assertEqual(x.st_mode, y.st_mode) self.assertRDFValueEqual(x, y)
def testKnowledgeBaseRetrievalDarwin(self): """Check we can retrieve a Darwin kb.""" self.ClearKB() with test_lib.ConfigOverrider( {"Artifacts.knowledge_base": ["OSXUsers"]}): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture): for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", self.client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 10) self.assertEqual(kb.os_minor_version, 9) # scalzi from /Users dir listing. self.assertItemsEqual([x.username for x in kb.users], ["scalzi"]) user = kb.GetUser(username="******") self.assertEqual(user.homedir, "/Users/scalzi")
def testKnowledgeBaseRetrievalLinuxNoUsers(self): """Cause a users.username dependency failure.""" self.ClearKB() with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "NetgroupConfiguration", "NssCacheLinuxPasswdHomedirs", "LinuxRelease" ], "Artifacts.netgroup_filter_regexes": ["^doesntexist$"] }): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", self.client_mock, require_complete=False, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) self.assertItemsEqual([x.username for x in kb.users], [])
def testKnowledgeBaseRetrievalLinux(self): """Check we can retrieve a Linux kb.""" self.ClearKB() with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "LinuxWtmp", "NetgroupConfiguration", "LinuxPasswdHomedirs", "LinuxRelease" ], "Artifacts.netgroup_filter_regexes": ["^login$"], "Artifacts.netgroup_user_blacklist": ["isaac"] }): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", self.client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. yagharek from netgroup. self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2", "user3", "yagharek"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099) self.assertEqual(user.homedir, "/home/user1")
def testKnowledgeBaseRetrievalDarwin(self): """Check we can retrieve a Darwin kb.""" test_lib.ClientFixture(self.client_id, token=self.token) self.SetDarwinClient() with test_lib.ConfigOverrider( {"Artifacts.knowledge_base": ["OSXUsers"]}): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture): client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile") for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 10) self.assertEqual(kb.os_minor_version, 9) # scalzi from /Users dir listing. # Bert and Ernie not present (Users fixture overriden by kb). self.assertItemsEqual([x.username for x in kb.users], ["scalzi"]) user = kb.GetUser(username="******") self.assertEqual(user.homedir, "/Users/scalzi")
def setUp(self): super(TestMemoryCollector, self).setUp() self.output_path = "analysis/memory_scanner" self.key = rdf_crypto.AES128Key("1a5eafcc77d428863d4c2441ea26e5a5") self.iv = rdf_crypto.AES128Key("2241b14c64874b1898dad4de7173d8c0") self.memory_file = os.path.join(config_lib.CONFIG["Test.data_dir"], "searching/auth.log") with open(self.memory_file, "r") as f: self.memory_dump = f.read() self.assertTrue(self.memory_dump) self.client_mock = action_mocks.ActionMock("TransferBuffer", "HashBuffer", "StatFile", "CopyPathToFile", "SendFile", "DeleteGRRTempFiles", "GetConfiguration", "Find", "Grep") self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"] flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow self.old_diskvolume_flow = flow.GRRFlow.classes["DiskVolumeInfo"] flow.GRRFlow.classes["DiskVolumeInfo"] = DummyDiskVolumeInfo self.vfs_overrider = test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.MEMORY, test_lib.FakeTestDataVFSHandler) self.vfs_overrider.Start()
def testArtifactOutput(self): """Check we can run command based artifacts.""" self.SetLinuxClient() with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile", "FingerprintFile", "HashBuffer", "ListDirectory", "Find") # Will raise if something goes wrong. self.RunCollectorAndGetCollection(["TestFilesArtifact"], client_mock=client_mock) # Will raise if something goes wrong. self.RunCollectorAndGetCollection(["TestFilesArtifact"], client_mock=client_mock, split_output_by_artifact=True) # Test the on_no_results_error option. with self.assertRaises(RuntimeError) as context: self.RunCollectorAndGetCollection( ["NullArtifact"], client_mock=client_mock, split_output_by_artifact=True, on_no_results_error=True) if "collector returned 0 responses" not in str(context.exception): raise RuntimeError("0 responses should have been returned")
def testFlowNotification(self): FlowDoneListener.received_events = [] with test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.OS, MockVFSHandler): path = rdf_paths.PathSpec(path="/", pathtype=rdf_paths.PathSpec.PathType.OS) # Run the flow in the simulated way client_mock = action_mocks.ActionMock("IteratedListDirectory") for _ in test_lib.TestFlowHelper( "IteratedListDirectory", client_mock, client_id=self.client_id, notification_urn=rdfvalue.SessionID(queue=rdfvalue.RDFURN("EV"), flow_name="FlowDone"), pathspec=path, token=self.token): pass # The event goes to an external queue so we need another worker. worker = test_lib.MockWorker(queues=[rdfvalue.RDFURN("EV")], token=self.token) worker.Simulate() self.assertEqual(len(FlowDoneListener.received_events), 1) flow_event = FlowDoneListener.received_events[0].payload self.assertEqual(flow_event.flow_name, "IteratedListDirectory") self.assertEqual(flow_event.client_id, "aff4:/C.1000000000000000") self.assertEqual(flow_event.status, rdf_flows.FlowNotification.Status.OK)
def setUp(self): super(FindTest, self).setUp() # Install the mock self.vfs_overrider = test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, MockVFSHandlerFind) self.vfs_overrider.Start()
def testVFSVirtualRoot(self): # Let's open a file in the virtual root. os_root = "os:%s" % self.base_path with test_lib.ConfigOverrider({"Client.vfs_virtualroots": [os_root]}): # We need to reset the vfs.VFS_VIRTUALROOTS too. vfs.VFSInit().Run() fd = vfs.VFSOpen( rdf_paths.PathSpec(path="/morenumbers.txt", pathtype=rdf_paths.PathSpec.PathType.OS)) data = fd.read(10) self.assertEqual(data, "1\n2\n3\n4\n5\n") # This should also work with TSK. tsk_root = "tsk:%s" % os.path.join(self.base_path, "test_img.dd") with test_lib.ConfigOverrider({"Client.vfs_virtualroots": [tsk_root]}): vfs.VFSInit().Run() image_file_ps = rdf_paths.PathSpec( path=u"איןד ןד ש אקדא/איןד.txt", pathtype=rdf_paths.PathSpec.PathType.TSK) fd = vfs.VFSOpen(image_file_ps) data = fd.read(10) self.assertEqual(data, "1\n2\n3\n4\n5\n") # This should not influence vfs handlers other than OS and TSK. reg_type = rdf_paths.PathSpec.PathType.REGISTRY os_handler = vfs.VFS_HANDLERS[rdf_paths.PathSpec.PathType.OS] with test_lib.VFSOverrider(reg_type, os_handler): with self.assertRaises(IOError): image_file_ps.pathtype = reg_type vfs.VFSOpen(image_file_ps)
def setUp(self): super(TestSearchFileContentWithFixture, self).setUp() self.client_mock = action_mocks.ActionMock("Grep", "StatFile", "Find") self.vfs_overrider = test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture) self.vfs_overrider.Start()
def testFilesArtifact(self): """Check GetFiles artifacts.""" with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): self.RunCollectorAndGetCollection(["TestFilesArtifact"], client_mock=self.client_mock) urn = self.client_id.Add("fs/os/").Add("var/log/auth.log") aff4.FACTORY.Open(urn, aff4_type="VFSBlobImage", token=self.token)
def setUp(self): super(GrepTest, self).setUp() # Install the mock self.vfs_overrider = test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, MockVFSHandlerFind) self.vfs_overrider.Start() self.filename = "/mock2/directory1/grepfile.txt"
def testInterrogateWindows(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64") with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient(system="Windows", version="6.1.7600", kernel="6.1.7601") # Run the flow in the simulated way for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Windows", 100 * 1000000) self._CheckClientInfo() self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Windows", "6.1.7600", kernel="6.1.7601") # jim parsed from registry profile keys self._CheckUsers(["jim", "kovacs"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckWindowsDiskInfo() self._CheckRegistryPathspec() self._CheckClientKwIndex(["Linux"], 0) self._CheckClientKwIndex(["Windows"], 1) self._CheckClientKwIndex(["Label2"], 1) self._CheckMemory()