def _ScheduleCollection(self):
# Schedule any new artifacts for which we have now fulfilled dependencies.
for artifact_name in self.state.awaiting_deps_artifacts:
artifact_obj = artifact_registry.REGISTRY.GetArtifact(
artifact_name)
deps = artifact_registry.GetArtifactPathDependencies(artifact_obj)
if set(deps).issubset(self.state.fulfilled_deps):
self.state.in_flight_artifacts.append(artifact_name)
self.state.awaiting_deps_artifacts.remove(artifact_name)
self.CallFlow(
# TODO(user): dependency loop with flows/general/collectors.py.
# collectors.ArtifactCollectorFlow.__name__,
"ArtifactCollectorFlow",
artifact_list=[artifact_name],
next_state="ProcessBase",
request_data={"artifact_name": artifact_name},
knowledge_base=self.state.knowledge_base)
# If we're not done but not collecting anything, start accepting the partial
# dependencies as full, and see if we can complete.
if (self.state.awaiting_deps_artifacts
and not self.state.in_flight_artifacts):
if self.state.partial_fulfilled_deps:
partial = self.state.partial_fulfilled_deps.pop()
self.Log("Accepting partially fulfilled dependency: %s",
partial)
self.state.fulfilled_deps.append(partial)
self._ScheduleCollection()
def testGetArtifactPathDependencies(self):
sources = [{
"type": rdf_artifacts.ArtifactSource.SourceType.REGISTRY_KEY,
"attributes": {
"keys": [
r"%%current_control_set%%\Control\Session "
r"Manager\Environment\Path"
]
}
}, {
"type": rdf_artifacts.ArtifactSource.SourceType.WMI,
"attributes": {
"query":
"SELECT * FROM Win32_UserProfile "
"WHERE SID='%%users.sid%%'"
}
}, {
"type": rdf_artifacts.ArtifactSource.SourceType.GREP,
"attributes": {
"content_regex_list": ["^%%users.username%%:"]
}
}]
artifact = rdf_artifacts.Artifact(name="artifact",
doc="Doco",
provides=["environ_windir"],
supported_os=["Windows"],
urls=["http://blah"],
sources=sources)
self.assertItemsEqual(
[x["type"] for x in artifact.ToPrimitiveDict()["sources"]],
["REGISTRY_KEY", "WMI", "GREP"])
class Parser1(object):
knowledgebase_dependencies = ["appdata", "sid"]
class Parser2(object):
knowledgebase_dependencies = ["sid", "desktop"]
@classmethod
def MockGetClassesByArtifact(unused_cls, _):
return [Parser1, Parser2]
with utils.Stubber(parser.Parser, "GetClassesByArtifact",
MockGetClassesByArtifact):
self.assertItemsEqual(ar.GetArtifactPathDependencies(artifact), [
"appdata", "sid", "desktop", "current_control_set",
"users.sid", "users.username"
])
def testGetArtifacts(self, registry):
registry.AddFileSource(self.test_artifacts_file)
results = registry.GetArtifacts(os_name="Windows")
for result in results:
self.assertTrue("Windows" in result.supported_os
or not result.supported_os)
results = registry.GetArtifacts(
os_name="Windows",
name_list=["TestAggregationArtifact", "TestFileArtifact"])
# TestFileArtifact doesn't match the OS criteria
self.assertItemsEqual([x.name for x in results],
["TestAggregationArtifact"])
for result in results:
self.assertTrue("Windows" in result.supported_os
or not result.supported_os)
results = registry.GetArtifacts(
os_name="Windows",
source_type=rdf_artifacts.ArtifactSource.SourceType.REGISTRY_VALUE,
name_list=["DepsProvidesMultiple"])
self.assertEqual(results.pop().name, "DepsProvidesMultiple")
# Check supported_os = [] matches any OS
results = registry.GetArtifacts(os_name="Windows",
name_list=["RekallPsList"])
self.assertEqual(len(results), 1)
self.assertEqual(results.pop().name, "RekallPsList")
results = registry.GetArtifacts(os_name="Windows",
exclude_dependents=True)
for result in results:
self.assertFalse(ar.GetArtifactPathDependencies(result))
# Check provides filtering
results = registry.GetArtifacts(os_name="Windows",
provides=["users.homedir", "domain"])
for result in results:
# provides contains at least one of the filter strings
self.assertTrue(
len(
set(result.provides).union(set(["users.homedir", "domain"
]))) >= 1)
results = registry.GetArtifacts(os_name="Windows",
provides=["nothingprovidesthis"])
self.assertEqual(len(results), 0)
def BuildArtifactDescriptors(self, artifacts_list):
result = []
for artifact_val in artifacts_list:
descriptor = artifacts.ArtifactDescriptor(
artifact=artifact_val,
dependencies=sorted(
artifact_registry.GetArtifactDependencies(artifact_val)),
path_dependencies=sorted(
artifact_registry.GetArtifactPathDependencies(
artifact_val)),
error_message=artifact_val.error_message,
is_custom=artifact_val.loaded_from.startswith("datastore:"))
for processor in parser.Parser.GetClassesByArtifact(
artifact_val.name):
descriptor.processors.append(
artifacts.ArtifactProcessorDescriptor(
name=processor.__name__,
output_types=processor.output_types,
description=processor.GetDescription()))
result.append(descriptor)
return result