def testDownloadActionSkip(self, upload):
opts = rdf_file_finder.FileFinderDownloadActionOptions(
max_size=0, oversized_file_policy="SKIP")
results = self._RunFileFinderDownloadHello(upload, opts=opts)
self.assertEquals(len(results), 1)
self.assertFalse(upload.called)
self.assertFalse(results[0].HasField("uploaded_file"))
class TestFileFinderOSDarwin(base.VFSPathContentIsMachO):
platforms = ["Darwin"]
flow = "FileFinder"
download = rdf_file_finder.FileFinderDownloadActionOptions()
action = rdf_file_finder.FileFinderAction(
action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["/bin/ps"], "action": action}
test_output_path = "/fs/os/bin/ps"
def testDownloadActionTruncate(self, upload):
opts = rdf_file_finder.FileFinderDownloadActionOptions(
max_size=42, oversized_file_policy="DOWNLOAD_TRUNCATED")
results = self._RunFileFinderDownloadHello(upload, opts=opts)
self.assertEquals(len(results), 1)
self.assertTrue(upload.called_with(max_bytes=42))
self.assertTrue(results[0].HasField("uploaded_file"))
self.assertEquals(results[0].uploaded_file, upload.return_value)
def testDownloadActionHash(self, upload):
opts = rdf_file_finder.FileFinderDownloadActionOptions(
max_size=42, oversized_file_policy="HASH_TRUNCATED")
results = self._RunFileFinderDownloadHello(upload, opts=opts)
self.assertEquals(len(results), 1)
self.assertFalse(upload.called)
self.assertFalse(results[0].HasField("uploaded_file"))
self.assertTrue(results[0].HasField("hash_entry"))
self.assertTrue(results[0].HasField("stat_entry"))
self.assertEqual(results[0].hash_entry.num_bytes, 42)
self.assertGreater(results[0].stat_entry.st_size, 42)
class TestFileFinderTSKWindows(base.VFSPathContentIsPE):
"""Download notepad with TSK on windows."""
platforms = ["Windows"]
flow = "FileFinder"
test_output_path = "/fs/tsk/.*/Windows/System32/notepad.exe"
download = rdf_file_finder.FileFinderDownloadActionOptions()
action = rdf_file_finder.FileFinderAction(
action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {
"paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
"action": action,
"pathtype": "TSK"
}
class TestFileFinderOSLinux(base.VFSPathContentIsELF):
"""Download a file with FileFinder."""
platforms = ["Linux"]
flow = file_finder.FileFinder.__name__
test_output_path = "/fs/os/bin/ps"
sizecondition = rdf_file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = rdf_file_finder.FileFinderDownloadActionOptions()
action = rdf_file_finder.FileFinderAction(
action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["/bin/ps"], "conditions": filecondition, "action": action}
class TestFileFinderOSLinuxProc(base.VFSPathContentExists):
"""Download a /proc/sys entry with FileFinder."""
platforms = ["Linux"]
flow = file_finder.FileFinder.__name__
test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
client_min_version = 3007
sizecondition = rdf_file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = rdf_file_finder.FileFinderDownloadActionOptions()
action = rdf_file_finder.FileFinderAction(
action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {
"paths": ["/proc/sys/net/ipv4/ip_forward"],
"conditions": filecondition,
"action": action
}
def testFileFinderDownloadMaxFileSizeCanBeOverriden(self):
router = self._CreateRouter(
file_finder_flow=rr.RobotRouterFileFinderFlowParams(
enabled=True, max_file_size=42))
da = rdf_file_finder.FileFinderDownloadActionOptions()
da.max_size = 80
da.oversized_file_policy = da.OversizedFilePolicy.DOWNLOAD_TRUNCATED
path = "/foo/bar"
handler = router.CreateFlow(api_flow.ApiCreateFlowArgs(
flow=api_flow.ApiFlow(name=file_finder.FileFinder.__name__,
args=rdf_file_finder.FileFinderArgs(
paths=[path],
action=rdf_file_finder.FileFinderAction(
action_type="DOWNLOAD",
download=da))),
client_id=self.client_id),
token=self.token)
da = handler.override_flow_args.action.download
self.assertEqual(da.oversized_file_policy, da.OversizedFilePolicy.SKIP)
self.assertEqual(da.max_size, 42)
def testClientFileFinderUploadSkip(self):
paths = [os.path.join(self.base_path, "**/*.plist")]
action_type = rdf_file_finder.FileFinderAction.Action.DOWNLOAD
download_action = rdf_file_finder.FileFinderDownloadActionOptions(
oversized_file_policy="SKIP", max_size=300)
action = rdf_file_finder.FileFinderAction(
action_type=action_type, download=download_action)
session_id = self._RunClientFileFinder(paths, action)
collection = aff4.FACTORY.Open(session_id.Add("Results"), token=self.token)
results = list(collection)
# Only two instead of the usual four results.
self.assertEqual(len(results), 2)
relpaths = [
os.path.relpath(p.stat_entry.pathspec.path, self.base_path)
for p in results
]
self.assertItemsEqual(relpaths, ["History.plist", "test.plist"])
for r in results:
aff4_obj = aff4.FACTORY.Open(
r.stat_entry.pathspec.AFF4Path(self.client_id), token=self.token)
self.assertEqual(
aff4_obj.Read(100), open(r.stat_entry.pathspec.path, "rb").read(100))
class TestFileFinderOSWindows(base.VFSPathContentIsPE):
"""Download a file with FileFinder.
Exercise globbing, interpolation and filtering.
"""
platforms = ["Windows"]
flow = file_finder.FileFinder.__name__
test_output_path = "/fs/os/C:/Windows/System32/notepad.exe"
sizecondition = rdf_file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = rdf_file_finder.FileFinderDownloadActionOptions()
action = rdf_file_finder.FileFinderAction(
action_type=rdf_file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {
"paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
"conditions": filecondition,
"action": action
}
