def setUp(self):
super(SantaModelTest, self).setUp()
self.santa_blockable = santa.SantaBlockable(
id='aaaabbbbccccdddd',
id_type=constants.ID_TYPE.SHA256,
blockable_hash='aaaabbbbccccdddd',
file_name='Mac.app',
publisher='Arple',
product_name='New Shiny',
version='2.0')
self.santa_certificate = santa.SantaCertificate(
id='mmmmnnnnoooopppp',
id_type=constants.ID_TYPE.SHA256,
blockable_hash='mmmmnnnnoooopppp',
file_name='MagicCert',
publisher='Total Legit CA',
version='7.0',
common_name='Trustee',
organization='Big Lucky',
organizational_unit='The Unit')
quarantine = santa.QuarantineMetadata(
data_url='http://notbad.com',
referer_url='http://sourceforge.com',
downloaded_dt=datetime.datetime.utcnow(),
agent_bundle_id='123456')
now = datetime.datetime.utcnow()
self.santa_event = santa.SantaEvent(
blockable_key=self.santa_blockable.key,
event_type=constants.EVENT_TYPE.ALLOW_BINARY,
file_name='Mac.app',
file_path='/',
executing_user='******',
first_blocked_dt=now,
last_blocked_dt=now,
quarantine=quarantine)
self.santa_blockable.put()
self.santa_certificate.put()
self.santa_event.put()
self.PatchEnv(settings.ProdEnv, ENABLE_BIGQUERY_STREAMING=True)
def _GenerateSantaEventsFromJsonEvent(self, event):
"""Creates all SantaEvent associated with the JSON uploaded from a client.
Args:
event: A single JSON event uploaded by the client.
Returns:
A list of the created-but-not-persisted SantaEvent entities.
"""
dbevent = santa_db.SantaEvent()
dbevent.host_id = self.host_key.id()
dbevent.file_name = event.get(santa_const.EVENT_UPLOAD.FILE_NAME)
dbevent.file_path = event.get(santa_const.EVENT_UPLOAD.FILE_PATH)
dbevent.version = event.get(
santa_const.EVENT_UPLOAD.FILE_BUNDLE_VERSION)
dbevent.executing_user = event.get(
santa_const.EVENT_UPLOAD.EXECUTING_USER)
dbevent.event_type = event.get(santa_const.EVENT_UPLOAD.DECISION)
dbevent.bundle_path = event.get(
santa_const.EVENT_UPLOAD.FILE_BUNDLE_PATH)
dbevent.bundle_key = self._GetBundleKeyFromJsonEvent(event)
blockable_id = event.get(santa_const.EVENT_UPLOAD.FILE_SHA256)
if blockable_id:
dbevent.blockable_key = ndb.Key(santa_db.SantaBlockable, blockable_id)
publisher, cert_sha256 = (
self._GetPublisherAndCertFingerprintFromJsonEvent(event))
dbevent.publisher = publisher
if cert_sha256:
dbevent.cert_key = ndb.Key(santa_db.SantaCertificate, cert_sha256)
occurred_dt = datetime.datetime.utcfromtimestamp(
event.get(santa_const.EVENT_UPLOAD.EXECUTION_TIME, 0))
dbevent.first_blocked_dt = occurred_dt
dbevent.last_blocked_dt = occurred_dt
quarantine_timestamp = event.get(
santa_const.EVENT_UPLOAD.QUARANTINE_TIMESTAMP, 0)
if quarantine_timestamp:
quarantine_time = datetime.datetime.utcfromtimestamp(quarantine_timestamp)
dbevent.quarantine = santa_db.QuarantineMetadata(
data_url=event.get(santa_const.EVENT_UPLOAD.QUARANTINE_DATA_URL),
referer_url=event.get(
santa_const.EVENT_UPLOAD.QUARANTINE_REFERER_URL),
agent_bundle_id=event.get(
santa_const.EVENT_UPLOAD.QUARANTINE_AGENT_BUNDLE_ID),
downloaded_dt=quarantine_time)
usernames = event.get(santa_const.EVENT_UPLOAD.LOGGED_IN_USERS, [])
bigquery.ExecutionRow.DeferCreate(
sha256=blockable_id,
device_id=dbevent.host_id,
timestamp=occurred_dt,
platform=dbevent.GetPlatformName(),
client=dbevent.GetClientName(),
bundle_path=dbevent.bundle_path,
file_path=dbevent.file_path,
file_name=dbevent.file_name,
executing_user=dbevent.executing_user,
associated_users=usernames,
decision=dbevent.event_type)
return [
utils.CopyEntity(dbevent, new_key=key)
for key in dbevent.GetKeysToInsert(usernames, [self.host.primary_user])]
def _GenerateSantaEventsFromJsonEvent(cls, event, host):
"""Creates all SantaEvent associated with the JSON uploaded from a client.
Args:
event: A single JSON event uploaded by the client.
host: The SantaHost entity corresponding to the syncing client.
Returns:
A list of the created-but-not-persisted SantaEvent entities.
"""
dbevent = santa_models.SantaEvent()
dbevent.host_id = host.key.id()
dbevent.file_name = event.get(_EVENT_UPLOAD.FILE_NAME)
dbevent.file_path = event.get(_EVENT_UPLOAD.FILE_PATH)
dbevent.version = event.get(_EVENT_UPLOAD.FILE_BUNDLE_VERSION)
dbevent.executing_user = event.get(_EVENT_UPLOAD.EXECUTING_USER)
dbevent.event_type = event.get(_EVENT_UPLOAD.DECISION)
dbevent.bundle_path = event.get(_EVENT_UPLOAD.FILE_BUNDLE_PATH)
dbevent.bundle_key = cls._GetBundleKeyFromJsonEvent(event)
blockable_id = event.get(_EVENT_UPLOAD.FILE_SHA256)
if blockable_id:
dbevent.blockable_key = ndb.Key(santa_models.SantaBlockable,
blockable_id)
publisher, cert_sha256 = (
cls._GetPublisherAndCertFingerprintFromJsonEvent(event))
dbevent.publisher = publisher
if cert_sha256:
dbevent.cert_key = ndb.Key(santa_models.SantaCertificate,
cert_sha256)
occurred_dt = datetime.datetime.utcfromtimestamp(
event.get(_EVENT_UPLOAD.EXECUTION_TIME, 0))
dbevent.first_blocked_dt = occurred_dt
dbevent.last_blocked_dt = occurred_dt
quarantine_timestamp = event.get(_EVENT_UPLOAD.QUARANTINE_TIMESTAMP, 0)
if quarantine_timestamp:
quarantine_time = datetime.datetime.utcfromtimestamp(
quarantine_timestamp)
dbevent.quarantine = santa_models.QuarantineMetadata(
data_url=event.get(_EVENT_UPLOAD.QUARANTINE_DATA_URL),
referer_url=event.get(_EVENT_UPLOAD.QUARANTINE_REFERER_URL),
agent_bundle_id=event.get(
_EVENT_UPLOAD.QUARANTINE_AGENT_BUNDLE_ID),
downloaded_dt=quarantine_time)
dbevent.parent_name = event.get(_EVENT_UPLOAD.PARENT_NAME)
usernames = event.get(_EVENT_UPLOAD.LOGGED_IN_USERS, [])
monitoring.event_type_uploads.Increment(dbevent.event_type)
tables.EXECUTION.InsertRow(sha256=blockable_id,
device_id=dbevent.host_id,
timestamp=occurred_dt,
platform=dbevent.GetPlatformName(),
client=dbevent.GetClientName(),
bundle_path=dbevent.bundle_path,
file_path=dbevent.file_path,
file_name=dbevent.file_name,
executing_user=dbevent.executing_user
or 'UNKNOWN',
associated_users=usernames,
decision=dbevent.event_type)
event_keys = model_utils.GetEventKeysToInsert(dbevent, usernames,
[host.primary_user])
events = [
datastore_utils.CopyEntity(dbevent, new_key=event_key)
for event_key in event_keys
]
for event in events:
if event.event_type in constants.EVENT_TYPE.SET_BLOCKED_TYPES:
body = ''
try:
evt_dict = event.to_dict()
event_key_str = event.key.urlsafe(
) if event.key else 'Unknown'
body = """Application {0[file_name]} by publisher {0[publisher]} was blocked for user {0[executing_user]} on this host: https://santaupvote.appspot.com/admin/events?hostId={0[host_id]}
More details about the application being run can be found here: https://santaupvote.appspot.com/admin/blockables/{0[blockable_id]}
The block event can be viewed here: https://santaupvote.appspot.com/admin/events/{1}""".format(
evt_dict, event_key_str)
mail.send_mail(
sender='*****@*****.**',
to="*****@*****.**",
subject="New Santa Blocked event",
body=body)
except:
logging.exception("Unable to send email: {}".format(body))
return events