def testBuildFindSpecsWithYAMLFilterFile(self): """Tests the BuildFindSpecs function with YAML filter file.""" test_filter_file = yaml_filter_file.YAMLFilterFile() test_path_filters = test_filter_file._ReadFromFileObject( io.StringIO(self._YAML_FILTER_FILE_DATA)) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name='SystemRoot', value='C:\\Windows') test_helper = path_filters.PathCollectionFiltersHelper() test_helper.BuildFindSpecs( test_path_filters, environment_variables=[environment_variable]) self.assertEqual(len(test_helper.included_file_system_find_specs), 5) path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location='.') file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec) searcher = file_system_searcher.FileSystemSearcher( file_system, path_spec) path_spec_generator = searcher.Find( find_specs=test_helper.included_file_system_find_specs) self.assertIsNotNone(path_spec_generator) path_specs = list(path_spec_generator) file_system.Close() # Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files, # total 6 path specifications. self.assertEqual(len(path_specs), 6)
def BuildCollectionFilters(self, artifact_definitions_path, custom_artifacts_path, knowledge_base_object, artifact_filter_names=None, filter_file_path=None): """Builds collection filters from artifacts or filter file if available. Args: artifact_definitions_path (str): path to artifact definitions file. custom_artifacts_path (str): path to custom artifact definitions file. knowledge_base_object (KnowledgeBase): knowledge base. artifact_filter_names (Optional[list[str]]): names of artifact definitions that are used for filtering file system and Windows Registry key paths. filter_file_path (Optional[str]): path of filter file. Raises: InvalidFilter: if no valid file system find specifications are built. """ environment_variables = knowledge_base_object.GetEnvironmentVariables() if artifact_filter_names: logger.debug( 'building find specification based on artifacts: {0:s}'.format( ', '.join(artifact_filter_names))) artifacts_registry_object = BaseEngine.BuildArtifactsRegistry( artifact_definitions_path, custom_artifacts_path) self.collection_filters_helper = ( artifact_filters.ArtifactDefinitionsFiltersHelper( artifacts_registry_object, knowledge_base_object)) self.collection_filters_helper.BuildFindSpecs( artifact_filter_names, environment_variables=environment_variables) # If the user selected Windows Registry artifacts we have to ensure # the Windows Registry files are parsed. if self.collection_filters_helper.registry_find_specs: self.collection_filters_helper.BuildFindSpecs( self._WINDOWS_REGISTRY_FILES_ARTIFACT_NAMES, environment_variables=environment_variables) if not self.collection_filters_helper.included_file_system_find_specs: raise errors.InvalidFilter( 'No valid file system find specifications were built from ' 'artifacts.') elif filter_file_path: logger.debug( 'building find specification based on filter file: {0:s}'. format(filter_file_path)) filter_file_path_lower = filter_file_path.lower() if (filter_file_path_lower.endswith('.yaml') or filter_file_path_lower.endswith('.yml')): filter_file_object = yaml_filter_file.YAMLFilterFile() else: filter_file_object = filter_file.FilterFile() filter_file_path_filters = filter_file_object.ReadFromFile( filter_file_path) self.collection_filters_helper = ( path_filters.PathCollectionFiltersHelper()) self.collection_filters_helper.BuildFindSpecs( filter_file_path_filters, environment_variables=environment_variables) if (not self.collection_filters_helper. excluded_file_system_find_specs and not self. collection_filters_helper.included_file_system_find_specs): raise errors.InvalidFilter(( 'No valid file system find specifications were built from filter ' 'file: {0:s}.').format(filter_file_path))