def setUp(self): super(SantaModelTest, self).setUp() self.santa_blockable = santa.SantaBlockable( id='aaaabbbbccccdddd', id_type=constants.ID_TYPE.SHA256, blockable_hash='aaaabbbbccccdddd', file_name='Mac.app', publisher='Arple', product_name='New Shiny', version='2.0') self.santa_certificate = santa.SantaCertificate( id='mmmmnnnnoooopppp', id_type=constants.ID_TYPE.SHA256, blockable_hash='mmmmnnnnoooopppp', file_name='MagicCert', publisher='Total Legit CA', version='7.0', common_name='Trustee', organization='Big Lucky', organizational_unit='The Unit') quarantine = santa.QuarantineMetadata( data_url='http://notbad.com', referer_url='http://sourceforge.com', downloaded_dt=datetime.datetime.utcnow(), agent_bundle_id='123456') now = datetime.datetime.utcnow() self.santa_event = santa.SantaEvent( blockable_key=self.santa_blockable.key, event_type=constants.EVENT_TYPE.ALLOW_BINARY, file_name='Mac.app', file_path='/', executing_user='******', first_blocked_dt=now, last_blocked_dt=now, quarantine=quarantine) self.santa_blockable.put() self.santa_certificate.put() self.santa_event.put() self.PatchEnv(settings.ProdEnv, ENABLE_BIGQUERY_STREAMING=True)
def _GenerateSantaEventsFromJsonEvent(self, event): """Creates all SantaEvent associated with the JSON uploaded from a client. Args: event: A single JSON event uploaded by the client. Returns: A list of the created-but-not-persisted SantaEvent entities. """ dbevent = santa_db.SantaEvent() dbevent.host_id = self.host_key.id() dbevent.file_name = event.get(santa_const.EVENT_UPLOAD.FILE_NAME) dbevent.file_path = event.get(santa_const.EVENT_UPLOAD.FILE_PATH) dbevent.version = event.get( santa_const.EVENT_UPLOAD.FILE_BUNDLE_VERSION) dbevent.executing_user = event.get( santa_const.EVENT_UPLOAD.EXECUTING_USER) dbevent.event_type = event.get(santa_const.EVENT_UPLOAD.DECISION) dbevent.bundle_path = event.get( santa_const.EVENT_UPLOAD.FILE_BUNDLE_PATH) dbevent.bundle_key = self._GetBundleKeyFromJsonEvent(event) blockable_id = event.get(santa_const.EVENT_UPLOAD.FILE_SHA256) if blockable_id: dbevent.blockable_key = ndb.Key(santa_db.SantaBlockable, blockable_id) publisher, cert_sha256 = ( self._GetPublisherAndCertFingerprintFromJsonEvent(event)) dbevent.publisher = publisher if cert_sha256: dbevent.cert_key = ndb.Key(santa_db.SantaCertificate, cert_sha256) occurred_dt = datetime.datetime.utcfromtimestamp( event.get(santa_const.EVENT_UPLOAD.EXECUTION_TIME, 0)) dbevent.first_blocked_dt = occurred_dt dbevent.last_blocked_dt = occurred_dt quarantine_timestamp = event.get( santa_const.EVENT_UPLOAD.QUARANTINE_TIMESTAMP, 0) if quarantine_timestamp: quarantine_time = datetime.datetime.utcfromtimestamp(quarantine_timestamp) dbevent.quarantine = santa_db.QuarantineMetadata( data_url=event.get(santa_const.EVENT_UPLOAD.QUARANTINE_DATA_URL), referer_url=event.get( santa_const.EVENT_UPLOAD.QUARANTINE_REFERER_URL), agent_bundle_id=event.get( santa_const.EVENT_UPLOAD.QUARANTINE_AGENT_BUNDLE_ID), downloaded_dt=quarantine_time) usernames = event.get(santa_const.EVENT_UPLOAD.LOGGED_IN_USERS, []) bigquery.ExecutionRow.DeferCreate( sha256=blockable_id, device_id=dbevent.host_id, timestamp=occurred_dt, platform=dbevent.GetPlatformName(), client=dbevent.GetClientName(), bundle_path=dbevent.bundle_path, file_path=dbevent.file_path, file_name=dbevent.file_name, executing_user=dbevent.executing_user, associated_users=usernames, decision=dbevent.event_type) return [ utils.CopyEntity(dbevent, new_key=key) for key in dbevent.GetKeysToInsert(usernames, [self.host.primary_user])]
def _GenerateSantaEventsFromJsonEvent(cls, event, host): """Creates all SantaEvent associated with the JSON uploaded from a client. Args: event: A single JSON event uploaded by the client. host: The SantaHost entity corresponding to the syncing client. Returns: A list of the created-but-not-persisted SantaEvent entities. """ dbevent = santa_models.SantaEvent() dbevent.host_id = host.key.id() dbevent.file_name = event.get(_EVENT_UPLOAD.FILE_NAME) dbevent.file_path = event.get(_EVENT_UPLOAD.FILE_PATH) dbevent.version = event.get(_EVENT_UPLOAD.FILE_BUNDLE_VERSION) dbevent.executing_user = event.get(_EVENT_UPLOAD.EXECUTING_USER) dbevent.event_type = event.get(_EVENT_UPLOAD.DECISION) dbevent.bundle_path = event.get(_EVENT_UPLOAD.FILE_BUNDLE_PATH) dbevent.bundle_key = cls._GetBundleKeyFromJsonEvent(event) blockable_id = event.get(_EVENT_UPLOAD.FILE_SHA256) if blockable_id: dbevent.blockable_key = ndb.Key(santa_models.SantaBlockable, blockable_id) publisher, cert_sha256 = ( cls._GetPublisherAndCertFingerprintFromJsonEvent(event)) dbevent.publisher = publisher if cert_sha256: dbevent.cert_key = ndb.Key(santa_models.SantaCertificate, cert_sha256) occurred_dt = datetime.datetime.utcfromtimestamp( event.get(_EVENT_UPLOAD.EXECUTION_TIME, 0)) dbevent.first_blocked_dt = occurred_dt dbevent.last_blocked_dt = occurred_dt quarantine_timestamp = event.get(_EVENT_UPLOAD.QUARANTINE_TIMESTAMP, 0) if quarantine_timestamp: quarantine_time = datetime.datetime.utcfromtimestamp( quarantine_timestamp) dbevent.quarantine = santa_models.QuarantineMetadata( data_url=event.get(_EVENT_UPLOAD.QUARANTINE_DATA_URL), referer_url=event.get(_EVENT_UPLOAD.QUARANTINE_REFERER_URL), agent_bundle_id=event.get( _EVENT_UPLOAD.QUARANTINE_AGENT_BUNDLE_ID), downloaded_dt=quarantine_time) dbevent.parent_name = event.get(_EVENT_UPLOAD.PARENT_NAME) usernames = event.get(_EVENT_UPLOAD.LOGGED_IN_USERS, []) monitoring.event_type_uploads.Increment(dbevent.event_type) tables.EXECUTION.InsertRow(sha256=blockable_id, device_id=dbevent.host_id, timestamp=occurred_dt, platform=dbevent.GetPlatformName(), client=dbevent.GetClientName(), bundle_path=dbevent.bundle_path, file_path=dbevent.file_path, file_name=dbevent.file_name, executing_user=dbevent.executing_user or 'UNKNOWN', associated_users=usernames, decision=dbevent.event_type) event_keys = model_utils.GetEventKeysToInsert(dbevent, usernames, [host.primary_user]) events = [ datastore_utils.CopyEntity(dbevent, new_key=event_key) for event_key in event_keys ] for event in events: if event.event_type in constants.EVENT_TYPE.SET_BLOCKED_TYPES: body = '' try: evt_dict = event.to_dict() event_key_str = event.key.urlsafe( ) if event.key else 'Unknown' body = """Application {0[file_name]} by publisher {0[publisher]} was blocked for user {0[executing_user]} on this host: https://santaupvote.appspot.com/admin/events?hostId={0[host_id]} More details about the application being run can be found here: https://santaupvote.appspot.com/admin/blockables/{0[blockable_id]} The block event can be viewed here: https://santaupvote.appspot.com/admin/events/{1}""".format( evt_dict, event_key_str) mail.send_mail( sender='*****@*****.**', to="*****@*****.**", subject="New Santa Blocked event", body=body) except: logging.exception("Unable to send email: {}".format(body)) return events