def testSystemArtifactOverwrite(self):
content = """
name: WMIActiveScriptEventConsumer
doc: here's the doc
sources:
- type: COMMAND
attributes:
args: ["-L", "-v", "-n"]
cmd: /sbin/iptables
supported_os: [Linux]
"""
artifact_registry.REGISTRY.ClearRegistry()
artifact_registry.REGISTRY.ClearSources()
artifact_registry.REGISTRY._CheckDirty()
# System artifacts come from the test file.
self.LoadTestArtifacts()
# Uploaded files go to this collection.
artifact_store_urn = aff4.ROOT_URN.Add("artifact_store")
artifact_registry.REGISTRY.AddDatastoreSources([artifact_store_urn])
# WMIActiveScriptEventConsumer is a system artifact, we can't overwrite it.
with self.assertRaises(artifact_registry.ArtifactDefinitionError):
artifact.UploadArtifactYamlFile(content)
# Override the check and upload anyways. This simulates the case
# where an artifact ends up shadowing a system artifact somehow -
# for example when the system artifact was created after the
# artifact was uploaded to the data store for testing.
artifact.UploadArtifactYamlFile(content,
overwrite_system_artifacts=True)
# The shadowing artifact is at this point stored in the
# collection. On the next full reload of the registry, there will
# be an error that we can't overwrite the system artifact. The
# artifact should automatically get deleted from the collection to
# mitigate the problem.
with self.assertRaises(artifact_registry.ArtifactDefinitionError):
artifact_registry.REGISTRY._ReloadArtifacts()
# As stated above, now this should work.
artifact_registry.REGISTRY._ReloadArtifacts()
# Make sure the artifact is now loaded and it's the version from the file.
self.assertIn("WMIActiveScriptEventConsumer",
artifact_registry.REGISTRY._artifacts)
artifact_obj = artifact_registry.REGISTRY.GetArtifact(
"WMIActiveScriptEventConsumer")
self.assertTrue(artifact_obj.loaded_from.startswith("file:"))
# The artifact is gone from the collection.
coll = artifact_registry.ArtifactCollection(artifact_store_urn)
self.assertNotIn("WMIActiveScriptEventConsumer", coll)
def testArtifactDeletion(self):
with open(self.json_file, "rb") as fd:
artifact.UploadArtifactYamlFile(fd.read())
self.Open("/#main=ArtifactManagerView")
# Check that test artifact is displayed.
self.WaitUntil(self.IsTextPresent, "TestDrivers")
# Click on TestDrivers checkbox and click Delete.
self.Click("css=grr-artifact-manager-view tr:contains('TestDrivers') "
"input[type=checkbox]")
self.Click("css=grr-artifact-manager-view button[name=DeleteArtifact]")
# Check that dialog mentions TestDrivers and click on Proceed, then Close.
self.WaitUntil(self.IsTextPresent, "Delete Selected Artifacts")
self.WaitUntil(self.IsElementPresent,
"css=grr-delete-artifacts-dialog:contains('TestDrivers')")
self.Click("css=grr-delete-artifacts-dialog button[name=Proceed]")
self.WaitUntil(self.IsTextPresent, "Artifacts were deleted successfully.")
self.Click("css=grr-delete-artifacts-dialog button[name=Close]")
# Check that artifact is indeed deleted.
self.WaitUntilNot(self.IsTextPresent, "Delete Selected Artifacts")
self.WaitUntilNot(self.IsTextPresent, "Loading...")
self.WaitUntilNot(self.IsTextPresent, "TestDrivers")
def testArtifactRemovedFromFormsImmediatelyAfterDeletion(self):
with open(self.json_file, "rb") as fd:
artifact.UploadArtifactYamlFile(fd.read())
client_id = self.SetupClient(0).Basename()
self.RequestAndGrantClientApproval(client_id)
# Test that we have TestDrivers available.
self.Open("/#/clients/%s/launch-flow" % client_id)
self.Click("css=#_Collectors")
self.Click("link=ArtifactCollectorFlow")
self.WaitUntil(self.IsTextPresent, "TestDrivers")
# Upload the artifact.
self.Click("css=a[grrtarget=artifacts]")
self.Click("css=grr-artifact-manager-view tr:contains('TestDrivers') "
"input[type=checkbox]")
self.Click("css=grr-artifact-manager-view button[name=DeleteArtifact]")
self.Click("css=grr-delete-artifacts-dialog button[name=Proceed]")
self.WaitUntil(self.IsTextPresent, "Artifacts were deleted successfully.")
self.Click("css=grr-delete-artifacts-dialog button[name=Close]")
# Test now we can choose TestDrivers in the form.
self.Click("css=a[grrtarget='client.launchFlows']")
self.Click("css=#_Collectors")
self.Click("link=ArtifactCollectorFlow")
self.WaitUntil(self.IsTextPresent, "Artifact list")
self.WaitUntilNot(self.IsTextPresent, "Loading artifacts...")
self.WaitUntilNot(self.IsTextPresent, "TestDrivers")
def testUploadArtifactYamlFileAndDumpToYaml(self):
artifact_registry.REGISTRY.ClearRegistry()
artifact_registry.REGISTRY.ClearSources()
artifact_registry.REGISTRY._CheckDirty()
try:
test_artifacts_file = os.path.join(config.CONFIG["Test.data_dir"],
"artifacts",
"test_artifacts.json")
filecontent = open(test_artifacts_file, "rb").read()
artifact.UploadArtifactYamlFile(filecontent)
loaded_artifacts = artifact_registry.REGISTRY.GetArtifacts()
self.assertGreaterEqual(len(loaded_artifacts), 20)
self.assertIn("DepsWindirRegex",
[a.name for a in loaded_artifacts])
# Now dump back to YAML.
yaml_data = artifact_registry.REGISTRY.DumpArtifactsToYaml()
for snippet in [
"name: TestFilesArtifact",
"urls: ['https://msdn.microsoft.com/en-us/library/aa384749%28v=vs.85",
"returned_types: [SoftwarePackage]",
"args: [--list]",
"cmd: /usr/bin/dpkg",
]:
self.assertIn(snippet, yaml_data)
finally:
artifact.ArtifactLoader().RunOnce()
def testUploadArtifactYamlFileMissingDoc(self):
content = """name: Nodoc
sources:
- type: GREP
attributes:
paths: [/etc/blah]
content_regex_list: ["stuff"]
supported_os: [Linux]
"""
with self.assertRaises(artifact_registry.ArtifactDefinitionError):
artifact.UploadArtifactYamlFile(content)
def testUploadArtifactYamlFileBadList(self):
content = """name: BadList
doc: here's the doc
sources:
- type: GREP
attributes:
paths: /etc/blah
content_regex_list: ["stuff"]
supported_os: [Linux]
"""
with self.assertRaises(artifact_registry.ArtifactDefinitionError):
artifact.UploadArtifactYamlFile(content)
def testUploadArtifactYamlFileMissingNamesAttribute(self):
content = """name: BadGroupMissingNames
doc: broken
sources:
- type: ARTIFACT_GROUP
attributes:
- 'One'
- 'Two'
supported_os: [Linux]
"""
with self.assertRaises(artifact_registry.ArtifactDefinitionError):
artifact.UploadArtifactYamlFile(content)
def testCommandArgumentOrderIsPreserved(self):
content = """name: CommandOrder
doc: here's the doc
sources:
- type: COMMAND
attributes:
args: ["-L", "-v", "-n"]
cmd: /sbin/iptables
supported_os: [Linux]
"""
artifact.UploadArtifactYamlFile(content)
artifact_obj = artifact_registry.REGISTRY.GetArtifacts(
name_list=["CommandOrder"]).pop()
arglist = artifact_obj.sources[0].attributes.get("args")
self.assertEqual(arglist, ["-L", "-v", "-n"])
# Check serialize/deserialize doesn't change order.
serialized = artifact_obj.SerializeToString()
artifact_obj = artifacts.Artifact.FromSerializedString(serialized)
arglist = artifact_obj.sources[0].attributes.get("args")
self.assertEqual(arglist, ["-L", "-v", "-n"])
def _UploadCustomArtifacts(self):
artifact_registry.REGISTRY.ClearRegistry()
test_artifacts_file = os.path.join(config.CONFIG["Test.data_dir"],
"artifacts", "test_artifacts.json")
with open(test_artifacts_file, "rb") as fd:
artifact.UploadArtifactYamlFile(fd.read())
config.Set(flags.FLAGS.var, flags.FLAGS.val)
config.Write()
elif flags.FLAGS.subparser_name == "upload_raw":
if not flags.FLAGS.dest_path:
flags.FLAGS.dest_path = aff4.ROOT_URN.Add("config").Add("raw")
uploaded = UploadRaw(flags.FLAGS.file,
flags.FLAGS.dest_path,
token=token)
print "Uploaded to %s" % uploaded
elif flags.FLAGS.subparser_name == "upload_artifact":
yaml.load(open(flags.FLAGS.file, "rb")) # Check it will parse.
try:
artifact.UploadArtifactYamlFile(
open(flags.FLAGS.file, "rb").read(),
overwrite=flags.FLAGS.overwrite_artifact)
except rdf_artifacts.ArtifactDefinitionError as e:
print "Error %s. You may need to set --overwrite_artifact." % e
elif flags.FLAGS.subparser_name == "delete_artifacts":
artifact_list = flags.FLAGS.artifact
if not artifact_list:
raise ValueError("No artifact to delete given.")
artifact_registry.DeleteArtifactsFromDatastore(artifact_list,
token=token)
print "Artifacts %s deleted." % artifact_list
elif flags.FLAGS.subparser_name == "download_missing_rekall_profiles":
print "Downloading missing Rekall profiles."
s = rekall_profile_server.GRRRekallProfileServer()
def Handle(self, args, token=None):
artifact.UploadArtifactYamlFile(args.artifact,
overwrite=True,
overwrite_system_artifacts=False)
def UploadTestArtifacts(self):
test_artifacts_file = os.path.join(config.CONFIG["Test.data_dir"],
"artifacts", "test_artifacts.json")
with open(test_artifacts_file, "rb") as fd:
artifact.UploadArtifactYamlFile(fd.read())
def testPsCmdParserValidation(self, registry):
"""Test the PsCmdParser pass Validation() method."""
test_artifacts_file = os.path.join(config.CONFIG["Test.data_dir"],
"artifacts", "test_artifacts.json")
registry.AddFileSource(test_artifacts_file)
parser = linux_cmd_parser.PsCmdParser
# Test with no ps cmd artifact.
parser.Validate()
# Test with good ps artifacts.
content_good1 = """name: GoodPsArgs1
doc: "ps with the default/typical non-specified format."
sources:
- type: COMMAND
attributes:
cmd: "/bin/ps"
args: ["-ef"]
supported_os: [Linux]
"""
content_good2 = """name: GoodPsArgs2
doc: "ps where we specify the format."
sources:
- type: COMMAND
attributes:
cmd: "/bin/ps"
args: ["h", "-ewwo", "pid,ppid,uid,comm,cmd"]
supported_os: [Linux]
"""
artifact.UploadArtifactYamlFile(content_good1)
artifact.UploadArtifactYamlFile(content_good2)
# Add these new artifacts to the supported ones for the parser.
parser.supported_artifacts.extend(["GoodPsArgs1", "GoodPsArgs2"])
parser.Validate()
# Now add a bad ones. This should cause the validator to raise an error.
content_bad1 = """name: BadPsArgsDuplicateCmd
doc: "ps command with 'cmd' specified more than once."
sources:
- type: COMMAND
attributes:
cmd: "/bin/ps"
args: ["h", "-ewwo", "pid,ppid,uid,cmd,comm,cmd"]
supported_os: [Linux]
"""
content_bad2 = """name: BadPsArgsCmdNotAtEnd
doc: "ps command with 'cmd' specified, but not at the end."
sources:
- type: COMMAND
attributes:
cmd: "/bin/ps"
args: ["-ewwo", "pid,ppid,uid,cmd,comm"]
supported_os: [Linux]
"""
artifact.UploadArtifactYamlFile(content_bad1)
artifact.UploadArtifactYamlFile(content_bad2)
orig = parser.supported_artifacts
for bad_artifact in ["BadPsArgsDuplicateCmd", "BadPsArgsCmdNotAtEnd"]:
with self.assertRaises(lib_parser.ParserDefinitionError):
# Reset and add the new artifacts to the supported ones for the parser.
parser.supported_artifacts = list(orig)
parser.supported_artifacts.append(bad_artifact)
parser.Validate()
