def testHasAttributeContainers(self):
"""Tests the HasAttributeContainers function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
try:
result = test_store.HasAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertFalse(result)
test_store.AddAttributeContainer(event_data_stream)
result = test_store.HasAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertTrue(result)
result = test_store.HasAttributeContainers('bogus')
self.assertFalse(result)
finally:
test_store.Close()
def testGetAttributeContainers(self):
"""Tests the _GetAttributeContainers function."""
event_data = events.EventData()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
containers = list(
storage_file._GetAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA))
self.assertEqual(len(containers), 0)
storage_file._AddAttributeContainer(
storage_file._CONTAINER_TYPE_EVENT_DATA, event_data)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT_DATA)
containers = list(
storage_file._GetAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA))
self.assertEqual(len(containers), 1)
with self.assertRaises(IOError):
list(storage_file._GetAttributeContainers('bogus'))
storage_file.Close()
def testGetAttributeContainerByIdentifier(self):
"""Tests the GetAttributeContainerByIdentifier function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
try:
test_store.AddAttributeContainer(event_data_stream)
identifier = event_data_stream.GetIdentifier()
container = test_store.GetAttributeContainerByIdentifier(
event_data_stream.CONTAINER_TYPE, identifier)
self.assertIsNotNone(container)
identifier.sequence_number = 99
container = test_store.GetAttributeContainerByIdentifier(
event_data_stream.CONTAINER_TYPE, identifier)
self.assertIsNone(container)
finally:
test_store.Close()
def testUpdateAttributeContainer(self):
"""Tests the UpdateAttributeContainer function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
number_of_containers = test_store.GetNumberOfAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 0)
with self.assertRaises(IOError):
test_store.UpdateAttributeContainer(event_data_stream)
test_store.AddAttributeContainer(event_data_stream)
number_of_containers = test_store.GetNumberOfAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 1)
test_store.UpdateAttributeContainer(event_data_stream)
number_of_containers = test_store.GetNumberOfAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 1)
test_store.Close()
def testGetAttributeContainerByIndex(self):
"""Tests the GetAttributeContainerByIndex function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
try:
container = test_store.GetAttributeContainerByIndex(
event_data_stream.CONTAINER_TYPE, 0)
self.assertIsNone(container)
test_store.AddAttributeContainer(event_data_stream)
container = test_store.GetAttributeContainerByIndex(
event_data_stream.CONTAINER_TYPE, 0)
self.assertIsNotNone(container)
with self.assertRaises(IOError):
test_store.GetAttributeContainerByIndex('bogus', 0)
finally:
test_store.Close()
def testGetNumberOfAttributeContainers(self):
"""Tests the GetNumberOfAttributeContainers function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
number_of_containers = test_store.GetNumberOfAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 0)
test_store.AddAttributeContainer(event_data_stream)
number_of_containers = test_store.GetNumberOfAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 1)
with self.assertRaises(ValueError):
test_store.GetNumberOfAttributeContainers('bogus')
# Test for a supported container type that does not have a table
# present in the storage file.
query = 'DROP TABLE {0:s}'.format(event_data_stream.CONTAINER_TYPE)
test_store._cursor.execute(query)
number_of_containers = test_store.GetNumberOfAttributeContainers(
event_data_stream.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 0)
test_store.Close()
def testCountStoredAttributeContainers(self):
"""Tests the _CountStoredAttributeContainers function."""
event_data = events.EventData()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
number_of_containers = storage_file._CountStoredAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA)
self.assertEqual(number_of_containers, 0)
storage_file._AddAttributeContainer(
storage_file._CONTAINER_TYPE_EVENT_DATA, event_data)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT_DATA)
number_of_containers = storage_file._CountStoredAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA)
self.assertEqual(number_of_containers, 1)
with self.assertRaises(ValueError):
storage_file._CountStoredAttributeContainers('bogus')
# Test for a supported container type that does not have a table
# present in the storage file.
query = 'DROP TABLE {0:s}'.format(
storage_file._CONTAINER_TYPE_EVENT_DATA)
storage_file._cursor.execute(query)
number_of_containers = storage_file._CountStoredAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA)
self.assertEqual(number_of_containers, 0)
storage_file.Close()
def testExtractEventsFromSourcesWithFilestat(self):
"""Tests the ExtractEventsFromSources function with filestat parser."""
output_writer = test_lib.TestOutputWriter(
encoding=self._OUTPUT_ENCODING)
test_tool = log2timeline_tool.Log2TimelineTool(
output_writer=output_writer)
source_path = self._GetTestFilePath(['test_pe.exe'])
options = self._CreateExtractionOptions(source_path)
options.parsers = 'filestat,pe'
with shared_test_lib.TempDirectory() as temp_directory:
options.storage_file = os.path.join(temp_directory,
'storage.plaso')
options.storage_format = definitions.STORAGE_FORMAT_SQLITE
options.task_storage_format = definitions.STORAGE_FORMAT_SQLITE
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
storage_file = sqlite_file.SQLiteStorageFile()
try:
storage_file.Open(path=options.storage_file, read_only=True)
except IOError as exception:
self.fail((
'Unable to open storage file after processing with error: '
'{0!s}.').format(exception))
# There should be 3 filestat and 3 pe parser generated events.
# Typically there are 3 filestat events, but there can be 4 on platforms
# that support os.stat_result st_birthtime.
expected_event_counters = {'fs:stat': [3, 4], 'pe': 3}
self.CheckEventCounters(storage_file, expected_event_counters)
def testGetAttributeContainers(self):
"""Tests the GetAttributeContainers function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
containers = list(
test_store.GetAttributeContainers(
event_data_stream.CONTAINER_TYPE))
self.assertEqual(len(containers), 0)
test_store.AddAttributeContainer(event_data_stream)
containers = list(
test_store.GetAttributeContainers(
event_data_stream.CONTAINER_TYPE))
self.assertEqual(len(containers), 1)
with self.assertRaises(IOError):
list(test_store.GetAttributeContainers('bogus'))
test_store.Close()
def testExtractEventsFromSourcesWithFilestat(self):
"""Tests the ExtractEventsFromSources function with filestat parser."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = log2timeline_tool.Log2TimelineTool(
output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(
['artifacts'])
options.quiet = True
options.parsers = 'filestat,pe'
options.single_process = True
options.status_view_mode = 'none'
options.source = self._GetTestFilePath(['test_pe.exe'])
with shared_test_lib.TempDirectory() as temp_directory:
options.storage_file = os.path.join(temp_directory,
'storage.plaso')
options.storage_format = definitions.STORAGE_FORMAT_SQLITE
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
storage_file = sqlite_file.SQLiteStorageFile()
try:
storage_file.Open(path=options.storage_file, read_only=True)
except IOError as exception:
self.fail((
'Unable to open storage file after processing with error: '
'{0:s}.').format(exception))
# There should be 3 filestat and 3 pe parser generated events.
events = list(storage_file.GetSortedEvents())
self.assertEqual(len(events), 6)
def _CreateTestStorageFileWithTags(self, path):
"""Creates a storage file with event tags for testing.
Args:
path (str): path of the storage file.
"""
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=path, read_only=False)
test_events = []
for event, event_data, event_data_stream in (
containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)):
storage_file.AddAttributeContainer(event_data_stream)
event_data.SetEventDataStreamIdentifier(
event_data_stream.GetIdentifier())
storage_file.AddAttributeContainer(event_data)
event.SetEventDataIdentifier(event_data.GetIdentifier())
storage_file.AddAttributeContainer(event)
test_events.append(event)
test_event_tags = self._CreateTestEventTags(test_events)
for event_tag in test_event_tags[:-1]:
storage_file.AddAttributeContainer(event_tag)
for event_tag in test_event_tags[-1:]:
storage_file.AddAttributeContainer(event_tag)
storage_file.Close()
def Open(self, path=None, **unused_kwargs):
"""Opens the storage writer.
Args:
path (Optional[str]): path to the output file.
Raises:
IOError: if the storage writer is already opened.
OSError: if the storage writer is already opened.
"""
if self._store:
raise IOError('Storage writer already opened.')
self._store = sqlite_file.SQLiteStorageFile()
if self._serializers_profiler:
self._store.SetSerializersProfiler(self._serializers_profiler)
if self._storage_profiler:
self._store.SetStorageProfiler(self._storage_profiler)
self._store.Open(path=path, read_only=False)
number_of_event_sources = self._store.GetNumberOfAttributeContainers(
self._CONTAINER_TYPE_EVENT_SOURCE)
self._first_written_event_source_index = number_of_event_sources
self._written_event_source_index = self._first_written_event_source_index
def _CreateStorageFile(self):
"""Creates a storage file.
Returns:
SQLiteStorageFile: storage file.
"""
return sqlite_file.SQLiteStorageFile(storage_type=self._storage_type)
def testAddEventTag(self):
"""Tests the AddEventTag function."""
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
test_events = []
for event, event_data, event_data_stream in (
containers_test_lib.CreateEventsFromValues(
self._TEST_EVENTS)):
storage_file.AddEventDataStream(event_data_stream)
event_data.SetEventDataStreamIdentifier(
event_data_stream.GetIdentifier())
storage_file.AddEventData(event_data)
event.SetEventDataIdentifier(event_data.GetIdentifier())
storage_file.AddEvent(event)
test_events.append(event)
test_event_tags = self._CreateTestEventTags(test_events)
for event_tag in test_event_tags:
storage_file.AddEventTag(event_tag)
storage_file.Close()
def testWriteSerializedAttributeContainerList(self):
"""Tests the _WriteSerializedAttributeContainerList function."""
event_data = events.EventData()
event = events.EventObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file._AddAttributeContainer(
storage_file._CONTAINER_TYPE_EVENT_DATA, event_data)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT_DATA)
event.timestamp = 0x7fffffffffffffff
storage_file._AddSerializedEvent(event)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT)
event.timestamp = 0x8000000000000000
storage_file._AddSerializedEvent(event)
with self.assertRaises(OverflowError):
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT)
storage_file.Close()
def testHasAttributeContainers(self):
"""Tests the _HasAttributeContainers function."""
event_data = events.EventData()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
result = storage_file._HasAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA)
self.assertFalse(result)
storage_file._AddAttributeContainer(
storage_file._CONTAINER_TYPE_EVENT_DATA, event_data)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT_DATA)
result = storage_file._HasAttributeContainers(
storage_file._CONTAINER_TYPE_EVENT_DATA)
self.assertTrue(result)
with self.assertRaises(ValueError):
storage_file._HasAttributeContainers('bogus')
storage_file.Close()
def __init__(self, path):
"""Initializes a storage reader.
Args:
path (str): path to the input file.
"""
super(SQLiteStorageFileReader, self).__init__(path)
self._storage_file = sqlite_file.SQLiteStorageFile()
self._storage_file.Open(path=path)
def testGetEventSources(self):
"""Tests the GetEventSources function."""
event_source = event_sources.EventSource()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file.AddEventSource(event_source)
storage_file.Close()
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file)
test_event_sources = list(storage_file.GetEventSources())
self.assertEqual(len(test_event_sources), 1)
storage_file.Close()
def testCacheAttributeContainerByIndex(self):
"""Tests the _CacheAttributeContainerByIndex function."""
event_data_stream = events.EventDataStream()
with shared_test_lib.TempDirectory():
test_store = sqlite_file.SQLiteStorageFile()
self.assertEqual(len(test_store._attribute_container_cache), 0)
test_store._CacheAttributeContainerByIndex(event_data_stream, 0)
self.assertEqual(len(test_store._attribute_container_cache), 1)
def CreateStorageFile(cls, storage_format):
"""Creates a storage file.
Args:
storage_format (str): storage format.
Returns:
StorageFile: a storage file or None if the storage file cannot be
opened or the storage format is not supported.
"""
if storage_format == definitions.STORAGE_FORMAT_SQLITE:
return sqlite_file.SQLiteStorageFile()
def testAddSerializedEvent(self):
"""Tests the _AddSerializedEvent function."""
event = events.EventObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file._AddSerializedEvent(event)
storage_file.Close()
def testGetSortedEvents(self):
"""Tests the GetSortedEvents function."""
test_events = self._CreateTestEvents()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
for event in test_events:
storage_file.AddEvent(event)
storage_file.Close()
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file)
test_events = list(storage_file.GetSortedEvents())
self.assertEqual(len(test_events), 4)
storage_file.Close()
def testGetWarnings(self):
"""Tests the GetWarnings function."""
extraction_warning = warnings.ExtractionWarning(
message='Test extraction warning')
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file.AddWarning(extraction_warning)
storage_file.Close()
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file)
test_warnings = list(storage_file.GetWarnings())
self.assertEqual(len(test_warnings), 1)
storage_file.Close()
def testGetAnalysisReports(self):
"""Tests the GetAnalysisReports function."""
analysis_report = reports.AnalysisReport(plugin_name='test',
text='test report')
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file.AddAnalysisReport(analysis_report)
storage_file.Close()
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file)
test_reports = list(storage_file.GetAnalysisReports())
self.assertEqual(len(test_reports), 1)
storage_file.Close()
def testAddEventSource(self):
"""Tests the AddEventSource function."""
event_source = event_sources.EventSource()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file.AddEventSource(event_source)
storage_file.Close()
def testWriteAttributeContainer(self):
"""Tests the _WriteAttributeContainer function."""
event_data = events.EventData()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file._WriteAttributeContainer(event_data)
storage_file.Close()
def testGetErrors(self):
"""Tests the GetErrors function."""
extraction_error = errors.ExtractionError(
message='Test extraction error')
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file.AddError(extraction_error)
storage_file.Close()
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file)
test_errors = list(storage_file.GetErrors())
self.assertEqual(len(test_errors), 1)
storage_file.Close()
def CreateStorageFileForFile(cls, path):
"""Creates a storage file based on the file.
Args:
path (str): path to the storage file.
Returns:
StorageFile: a storage file or None if the storage file cannot be
opened or the storage format is not supported.
"""
if sqlite_file.SQLiteStorageFile.CheckSupportedFormat(path):
return sqlite_file.SQLiteStorageFile()
def testAddWarning(self):
"""Tests the AddWarning function."""
extraction_warning = warnings.ExtractionWarning(
message='Test extraction warning')
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file.AddWarning(extraction_warning)
storage_file.Close()
def testAddEvent(self):
"""Tests the AddEvent function."""
test_events = self._CreateTestEvents()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
for event in test_events:
storage_file.AddEvent(event)
storage_file.Close()