def testSingleRowChunks(self): table = rdf_osquery.OsqueryTable() table.query = "SELECT foo, bar, baz FROM quux;" table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="baz")) table.rows.append(rdf_osquery.OsqueryRow(values=["ABC", "DEF", "GHI"])) table.rows.append(rdf_osquery.OsqueryRow(values=["JKL", "MNO", "PQR"])) table.rows.append(rdf_osquery.OsqueryRow(values=["RST", "UVW", "XYZ"])) chunks = list(osquery.ChunkTable(table, max_chunk_size=9)) self.assertLen(chunks, 3) self.assertEqual(chunks[0].query, table.query) self.assertEqual(chunks[0].header, table.header) self.assertEqual(chunks[0].rows, [ rdf_osquery.OsqueryRow(values=["ABC", "DEF", "GHI"]), ]) self.assertEqual(chunks[1].query, table.query) self.assertEqual(chunks[1].header, table.header) self.assertEqual(chunks[1].rows, [ rdf_osquery.OsqueryRow(values=["JKL", "MNO", "PQR"]), ]) self.assertEqual(chunks[2].query, table.query) self.assertEqual(chunks[2].header, table.header) self.assertEqual(chunks[2].rows, [ rdf_osquery.OsqueryRow(values=["RST", "UVW", "XYZ"]), ])
def testSomeRows(self): table = rdf_osquery.OsqueryTable() table.query = "SELECT foo, bar, quux FROM norf;" table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="quux")) table.rows.append(rdf_osquery.OsqueryRow(values=["thud", "🐺", "42"])) table.rows.append(rdf_osquery.OsqueryRow(values=["plugh", "🦊", "108"])) table.rows.append( rdf_osquery.OsqueryRow(values=["blargh", "🦍", "1337"])) results = self._Convert(table) self.assertLen(results, 3) self.assertEqual(results[0].metadata, self.metadata) self.assertEqual(results[0].foo, "thud") self.assertEqual(results[0].bar, "🐺") self.assertEqual(results[0].quux, "42") self.assertEqual(results[1].metadata, self.metadata) self.assertEqual(results[1].foo, "plugh") self.assertEqual(results[1].bar, "🦊") self.assertEqual(results[1].quux, "108") self.assertEqual(results[2].metadata, self.metadata) self.assertEqual(results[2].foo, "blargh") self.assertEqual(results[2].bar, "🦍") self.assertEqual(results[2].quux, "1337")
def testNoRows(self): table = rdf_osquery.OsqueryTable() table.query = "SELECT bar, baz FROM foo;" table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="baz")) self.assertEqual(self._Convert(table), [])
def testColumnIncorrect(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="B")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="C")) with self.assertRaises(KeyError): list(table.Column("D"))
def testColumnEmpty(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="B")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="C")) self.assertEmpty(list(table.Column("A"))) self.assertEmpty(list(table.Column("B"))) self.assertEmpty(list(table.Column("C")))
def testNoRows(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) table.query = "SELECT * FROM quux;" chunks = list( osquery.ChunkTable(table, max_chunk_size=1024 * 1024 * 1024)) self.assertEmpty(chunks)
def testGetTableColumns(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="B")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="C")) result = rdf_osquery.OsqueryResult() result.table = table cols = list(result.GetTableColumns()) self.assertEqual(["A", "B", "C"], cols)
def testSimple(self): header = rdf_osquery.OsqueryHeader() header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) header.columns.append(rdf_osquery.OsqueryColumn(name="baz")) row = osquery.ParseRow(header, { "foo": "quux", "bar": "norf", "baz": "thud", }) self.assertEqual(row.values, ["quux", "norf", "thud"])
def testColumnValues(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="B")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="C")) table.rows.append(rdf_osquery.OsqueryRow(values=["foo", "bar", "baz"])) table.rows.append( rdf_osquery.OsqueryRow(values=["quux", "norf", "thud"])) table.rows.append( rdf_osquery.OsqueryRow(values=["blarg", "shme", "ztesh"])) self.assertEqual(list(table.Column("A")), ["foo", "quux", "blarg"]) self.assertEqual(list(table.Column("B")), ["bar", "norf", "shme"]) self.assertEqual(list(table.Column("C")), ["baz", "thud", "ztesh"])
def ParseHeader(table: Any) -> rdf_osquery.OsqueryHeader: """Parses header of osquery output. Args: table: A table in a "parsed JSON" representation. Returns: A parsed `rdf_osquery.OsqueryHeader` instance. """ precondition.AssertIterableType(table, dict) prototype = None # type: List[Text] for row in table: columns = list(row.keys()) if prototype is None: prototype = columns elif prototype != columns: message = "Expected columns '{expected}', got '{actual}' for table {json}" message = message.format(expected=prototype, actual=columns, json=table) raise ValueError(message) result = rdf_osquery.OsqueryHeader() for name in prototype or []: result.columns.append(rdf_osquery.OsqueryColumn(name=name)) return result
def testSomeTextToCsvBytes(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="B")) table.rows.append(rdf_osquery.OsqueryRow(values=["1-A", "1-B"])) table.rows.append(rdf_osquery.OsqueryRow(values=["2-A", "2-B"])) result = rdf_osquery.OsqueryResult() result.table = table output_bytes = api_osquery._ParseToCsvBytes([result]) output_text = list(map(lambda b: b.decode("utf-8"), output_bytes)) self.assertListEqual(["A,B\r\n", "1-A,1-B\r\n", "2-A,2-B\r\n"], output_text)
def testMultiByteStrings(self): table = rdf_osquery.OsqueryTable() table.query = "SELECT foo, bar, baz FROM quux;" table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) table.rows.append(rdf_osquery.OsqueryRow(values=["🐔", "🐓"])) table.rows.append(rdf_osquery.OsqueryRow(values=["🐣", "🐤"])) table.rows.append(rdf_osquery.OsqueryRow(values=["🐥", "🦆"])) chunks = list(osquery.ChunkTable(table, max_chunk_size=10)) self.assertLen(chunks, 3) self.assertEqual(chunks[0].rows, [rdf_osquery.OsqueryRow(values=["🐔", "🐓"])]) self.assertEqual(chunks[1].rows, [rdf_osquery.OsqueryRow(values=["🐣", "🐤"])]) self.assertEqual(chunks[2].rows, [rdf_osquery.OsqueryRow(values=["🐥", "🦆"])])
def testTruncation(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.rows.append(rdf_osquery.OsqueryRow(values=["cell1"])) table.rows.append(rdf_osquery.OsqueryRow(values=["cell2"])) table.rows.append(rdf_osquery.OsqueryRow(values=["cell3"])) truncated = table.Truncated(1) column_values = list(truncated.Column("A")) self.assertLen(truncated.rows, 1) self.assertEqual(column_values, ["cell1"])
def testMetadataColumn(self): table = rdf_osquery.OsqueryTable() table.query = "SELECT metadata FROM foo;" table.header.columns.append(rdf_osquery.OsqueryColumn(name="metadata")) table.rows.append(rdf_osquery.OsqueryRow(values=["bar"])) table.rows.append(rdf_osquery.OsqueryRow(values=["baz"])) results = self._Convert(table) self.assertLen(results, 2) self.assertEqual(results[0].metadata, self.metadata) self.assertEqual(results[0].__metadata__, "bar") self.assertEqual(results[1].metadata, self.metadata) self.assertEqual(results[1].__metadata__, "baz")
def testGetTableRows(self): table = rdf_osquery.OsqueryTable() table.header.columns.append(rdf_osquery.OsqueryColumn(name="A")) table.rows.append(rdf_osquery.OsqueryRow(values=["cell1"])) table.rows.append(rdf_osquery.OsqueryRow(values=["cell2"])) table.rows.append(rdf_osquery.OsqueryRow(values=["cell3"])) result = rdf_osquery.OsqueryResult() result.table = table rows = list(result.GetTableRows()) self.assertEqual([["cell1"], ["cell2"], ["cell3"]], rows)
def testTextWithCommasToCsvBytes(self): table = rdf_osquery.OsqueryTable() table.header.columns.append( rdf_osquery.OsqueryColumn(name="c,o,l,u,m,n")) table.rows.append(rdf_osquery.OsqueryRow(values=["c,e,l,l"])) result = rdf_osquery.OsqueryResult() result.table = table output_bytes = api_osquery._ParseToCsvBytes([result]) output_text = list(map(lambda b: b.decode("utf-8"), output_bytes)) self.assertListEqual(["\"c,o,l,u,m,n\"\r\n", "\"c,e,l,l\"\r\n"], output_text)
def testMultiRowChunks(self): table = rdf_osquery.OsqueryTable() table.query = "SELECT foo, bar, baz FROM quux;" table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="bar")) table.header.columns.append(rdf_osquery.OsqueryColumn(name="baz")) table.rows.append(rdf_osquery.OsqueryRow(values=["A", "B", "C"])) table.rows.append(rdf_osquery.OsqueryRow(values=["D", "E", "F"])) table.rows.append(rdf_osquery.OsqueryRow(values=["G", "H", "I"])) table.rows.append(rdf_osquery.OsqueryRow(values=["J", "K", "L"])) table.rows.append(rdf_osquery.OsqueryRow(values=["M", "N", "O"])) table.rows.append(rdf_osquery.OsqueryRow(values=["P", "Q", "R"])) table.rows.append(rdf_osquery.OsqueryRow(values=["S", "T", "U"])) table.rows.append(rdf_osquery.OsqueryRow(values=["V", "W", "X"])) chunks = list(osquery.ChunkTable(table, max_chunk_size=10)) self.assertLen(chunks, 3) self.assertEqual(chunks[0].query, table.query) self.assertEqual(chunks[0].header, table.header) self.assertEqual(chunks[0].rows, [ rdf_osquery.OsqueryRow(values=["A", "B", "C"]), rdf_osquery.OsqueryRow(values=["D", "E", "F"]), rdf_osquery.OsqueryRow(values=["G", "H", "I"]), ]) self.assertEqual(chunks[1].query, table.query) self.assertEqual(chunks[1].header, table.header) self.assertEqual(chunks[1].rows, [ rdf_osquery.OsqueryRow(values=["J", "K", "L"]), rdf_osquery.OsqueryRow(values=["M", "N", "O"]), rdf_osquery.OsqueryRow(values=["P", "Q", "R"]), ]) self.assertEqual(chunks[2].query, table.query) self.assertEqual(chunks[2].header, table.header) self.assertEqual(chunks[2].rows, [ rdf_osquery.OsqueryRow(values=["S", "T", "U"]), rdf_osquery.OsqueryRow(values=["V", "W", "X"]), ])
def testQueryMetadata(self): table = rdf_osquery.OsqueryTable() table.query = " SELECT foo FROM quux; " table.header.columns.append(rdf_osquery.OsqueryColumn(name="foo")) table.rows.append(rdf_osquery.OsqueryRow(values=["norf"])) table.rows.append(rdf_osquery.OsqueryRow(values=["thud"])) table.rows.append(rdf_osquery.OsqueryRow(values=["blargh"])) results = self._Convert(table) self.assertLen(results, 3) self.assertEqual(results[0].__query__, "SELECT foo FROM quux;") self.assertEqual(results[0].foo, "norf") self.assertEqual(results[1].__query__, "SELECT foo FROM quux;") self.assertEqual(results[1].foo, "thud") self.assertEqual(results[2].__query__, "SELECT foo FROM quux;") self.assertEqual(results[2].foo, "blargh")