def _CreateHuntFromFlow(self):
self.client_id = self.SetupClient(0)
flow_args = rdf_file_finder.FileFinderArgs(
paths=["a/*", "b/*"],
action=rdf_file_finder.FileFinderAction(action_type="STAT"))
flow_runner_args = rdf_flow_runner.FlowRunnerArgs(
flow_name=file_finder.FileFinder.__name__)
flow_urn = flow.StartAFF4Flow(
client_id=self.client_id,
args=flow_args,
runner_args=flow_runner_args,
token=self.token)
ref = rdf_hunts.FlowLikeObjectReference.FromFlowIdAndClientId(
flow_urn.Basename(), self.client_id.Basename())
# Modify flow_args so that there are differences.
flow_args.paths = ["b/*", "c/*"]
flow_args.action.action_type = "DOWNLOAD"
flow_args.conditions = [
rdf_file_finder.FileFinderCondition(
condition_type="SIZE",
size=rdf_file_finder.FileFinderSizeCondition(min_file_size=42))
]
return self.CreateHunt(
flow_args=flow_args,
flow_runner_args=flow_runner_args,
original_object=ref), flow_urn
def testSizeCondition(self):
client_id = self.SetupClient(0)
# There are two values, one is 20 bytes, the other 53.
session_id = self.RunFlow(client_id, [self.runkey], [
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.SIZE,
size=rdf_file_finder.FileFinderSizeCondition(min_file_size=50))
])
results = self.GetResults(session_id)
self.assertEqual(len(results), 1)
self.assertGreater(results[0].stat_entry.st_size, 50)
def testSizeConditionWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
sizes = [
os.stat(os.path.join(self.fixture_path, f)).st_size
for f in expected_files
]
size_condition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
size=rdf_file_finder.FileFinderSizeCondition(
max_file_size=max(sizes) + 1))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(action=action,
conditions=[size_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testSizeAndRegexConditionsWithDifferentActions(self):
files_over_size_limit = ["auth.log"]
filtered_files = ["dpkg.log", "dpkg_false.log"]
expected_files = []
non_expected_files = files_over_size_limit + filtered_files
sizes = [
os.stat(os.path.join(self.fixture_path, f)).st_size
for f in files_over_size_limit
]
size_condition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE,
size=rdf_file_finder.FileFinderSizeCondition(
max_file_size=min(sizes) - 1))
regex_condition = rdf_file_finder.FileFinderCondition(
condition_type=(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=rdf_file_finder.
FileFinderContentsRegexMatchCondition(
mode=(rdf_file_finder.FileFinderContentsRegexMatchCondition.
Mode.ALL_HITS),
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john"))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(
action=action,
conditions=[size_condition, regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that order of conditions doesn't influence results
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition, size_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
def _CreateHuntFromFlow(self):
self.client_id = self.SetupClient(0)
flow_args = rdf_file_finder.FileFinderArgs(
paths=["a/*", "b/*"],
action=rdf_file_finder.FileFinderAction(action_type="STAT"))
session_id = flow_test_lib.StartFlow(file_finder.FileFinder,
client_id=self.client_id,
flow_args=flow_args)
ref = rdf_hunts.FlowLikeObjectReference.FromFlowIdAndClientId(
session_id, self.client_id)
# Modify flow_args so that there are differences.
flow_args.paths = ["b/*", "c/*"]
flow_args.action.action_type = "DOWNLOAD"
flow_args.conditions = [
rdf_file_finder.FileFinderCondition(
condition_type="SIZE",
size=rdf_file_finder.FileFinderSizeCondition(min_file_size=42))
]
return self.StartHunt(flow_args=flow_args,
flow_runner_args=rdf_flow_runner.FlowRunnerArgs(
flow_name=file_finder.FileFinder.__name__),
original_object=ref), session_id
def testPassesAllConditionsToClientFileFinderWhenAllConditionsSpecified(
self):
modification_time = rdf_file_finder.FileFinderModificationTimeCondition(
min_last_modified_time=rdfvalue.RDFDatetime.Now(), )
access_time = rdf_file_finder.FileFinderAccessTimeCondition(
min_last_access_time=rdfvalue.RDFDatetime.Now(), )
inode_change_time = rdf_file_finder.FileFinderInodeChangeTimeCondition(
min_last_inode_change_time=rdfvalue.RDFDatetime.Now(), )
size = rdf_file_finder.FileFinderSizeCondition(min_file_size=42, )
ext_flags = rdf_file_finder.FileFinderExtFlagsCondition(
linux_bits_set=42, )
contents_regex_match = (
rdf_file_finder.FileFinderContentsRegexMatchCondition(
regex=b"foo", ))
contents_literal_match = (
rdf_file_finder.FileFinderContentsLiteralMatchCondition(
literal=b"bar", ))
flow_id = flow_test_lib.StartFlow(
file.CollectMultipleFiles,
client_id=self.client_id,
path_expressions=["/some/path"],
modification_time=modification_time,
access_time=access_time,
inode_change_time=inode_change_time,
size=size,
ext_flags=ext_flags,
contents_regex_match=contents_regex_match,
contents_literal_match=contents_literal_match,
)
children = data_store.REL_DB.ReadChildFlowObjects(
self.client_id, flow_id)
self.assertLen(children, 1)
child = children[0]
self.assertEqual(child.flow_class_name,
file_finder.ClientFileFinder.__name__)
# We expect 7 condition-attributes to be converted
# to 7 FileFinderConditions.
self.assertLen(child.args.conditions, 7)
def _GetCondition(condition_type):
for c in child.args.conditions:
if c.condition_type == condition_type:
return c.UnionCast()
raise RuntimeError(
f"Condition of type {condition_type} not found.")
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.MODIFICATION_TIME),
modification_time)
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.ACCESS_TIME),
access_time)
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.INODE_CHANGE_TIME),
inode_change_time)
self.assertEqual(
_GetCondition(rdf_file_finder.FileFinderCondition.Type.SIZE), size)
self.assertEqual(
_GetCondition(rdf_file_finder.FileFinderCondition.Type.EXT_FLAGS),
ext_flags)
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match)
self.assertEqual(
_GetCondition(rdf_file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH), contents_literal_match)
