示例#1
0
    def testExecutePythonHack(self):
        client_mock = action_mocks.ActionMock("ExecutePython")
        # This is the code we test. If this runs on the client mock we can check for
        # this attribute.
        sys.test_code_ran_here = False

        code = """
import sys
sys.test_code_ran_here = True
"""
        maintenance_utils.UploadSignedConfigBlob(
            code, aff4_path="aff4:/config/python_hacks/test", token=self.token)

        for _ in test_lib.TestFlowHelper("ExecutePythonHack",
                                         client_mock,
                                         client_id=self.client_id,
                                         hack_name="test",
                                         token=self.token):
            pass

        self.assertTrue(sys.test_code_ran_here)
示例#2
0
    def testGlobDirectory(self):
        """Test that glob expands directories."""

        # Add some usernames we can interpolate later.
        client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)

        kb = client.Get(client.Schema.KNOWLEDGE_BASE)
        kb.MergeOrAddUser(
            rdf_client.User(username="******", appdata="test_data/index.dat"))
        kb.MergeOrAddUser(
            rdf_client.User(username="******", appdata="test_data/History"))
        # This is a record which means something to the interpolation system. We
        # should not process this especially.
        kb.MergeOrAddUser(rdf_client.User(username="******",
                                          appdata="%%PATH%%"))

        client.Set(kb)
        client.Close()

        client_mock = action_mocks.ActionMock("Find", "StatFile")

        # This glob selects all files which start with the username on this system.
        path = os.path.join(os.path.dirname(self.base_path),
                            "%%users.appdata%%")

        # Run the flow.
        for _ in test_lib.TestFlowHelper("Glob",
                                         client_mock,
                                         client_id=self.client_id,
                                         paths=[path],
                                         token=self.token):
            pass

        path = self.client_id.Add("fs/os").Add(self.base_path).Add("index.dat")

        aff4.FACTORY.Open(path, aff4_type=aff4_grr.VFSFile, token=self.token)

        path = self.client_id.Add("fs/os").Add(self.base_path).Add("index.dat")

        aff4.FACTORY.Open(path, aff4_type=aff4_grr.VFSFile, token=self.token)
示例#3
0
    def testCollectRunKeyBinaries(self):
        """Read Run key from the client_fixtures to test parsing and storage."""
        test_lib.ClientFixture(self.client_id, token=self.token)

        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        client.Set(client.Schema.SYSTEM("Windows"))
        client.Set(client.Schema.OS_VERSION("6.2"))
        client.Flush()

        with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                                   test_lib.FakeFullVFSHandler):

            client_mock = action_mocks.ActionMock(
                file_fingerprint.FingerprintFile,
                searching.Find,
                standard.StatFile,
            )

            # Get KB initialized
            for _ in test_lib.TestFlowHelper("KnowledgeBaseInitializationFlow",
                                             client_mock,
                                             client_id=self.client_id,
                                             token=self.token):
                pass

            with test_lib.Instrument(transfer.MultiGetFile,
                                     "Start") as getfile_instrument:
                # Run the flow in the emulated way.
                for _ in test_lib.TestFlowHelper("CollectRunKeyBinaries",
                                                 client_mock,
                                                 client_id=self.client_id,
                                                 token=self.token):
                    pass

                # Check MultiGetFile got called for our runkey file
                download_requested = False
                for pathspec in getfile_instrument.args[0][0].args.pathspecs:
                    if pathspec.path == u"C:\\Windows\\TEMP\\A.exe":
                        download_requested = True
                self.assertTrue(download_requested)
示例#4
0
    def testEndToEndTests(self):

        self.client_ids = [
            "aff4:/C.6000000000000000", "aff4:/C.6000000000000001",
            "aff4:/C.6000000000000002"
        ]
        for clientid in self.client_ids:
            self._SetSummaries(clientid)

        self.client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")

        config_lib.CONFIG.Set("Test.end_to_end_client_ids", self.client_ids)
        with utils.MultiStubber(
            (base.AutomatedTest, "classes", {
                "MockEndToEndTest": endtoend_test.MockEndToEndTest
            }), (system.EndToEndTests, "lifetime", 0)):

            # The test harness doesn't understand the callstate at a later time that
            # this flow is doing, so we need to disable check_flow_errors.
            for _ in test_lib.TestFlowHelper("EndToEndTests",
                                             self.client_mock,
                                             client_id=self.client_id,
                                             check_flow_errors=False,
                                             token=self.token):
                pass

        test_lib.TestHuntHelperWithMultipleMocks({},
                                                 check_flow_errors=False,
                                                 token=self.token)
        hunt_ids = list(
            aff4.FACTORY.Open("aff4:/hunts", token=self.token).ListChildren())
        # We have only created one hunt, and we should have started with clean aff4
        # space.
        self.assertEqual(len(hunt_ids), 1)

        hunt_obj = aff4.FACTORY.Open(hunt_ids[0],
                                     token=self.token,
                                     age=aff4.ALL_TIMES)
        self.assertItemsEqual(sorted(hunt_obj.GetClients()),
                              sorted(self.client_ids))
示例#5
0
    def testKnowledgeBaseRetrievalLinuxPasswd(self):
        """Check we can retrieve a Linux kb."""
        test_lib.ClientFixture(self.client_id, token=self.token)
        vfs.VFS_HANDLERS[
            rdfvalue.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler
        client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
                                              "Find", "HashBuffer",
                                              "ListDirectory",
                                              "FingerprintFile", "Grep")

        self.SetLinuxClient()
        config_lib.CONFIG.Set(
            "Artifacts.knowledge_base",
            ["LinuxWtmp", "LinuxPasswdHomedirs", "LinuxRelease"])
        config_lib.CONFIG.Set("Artifacts.knowledge_base_additions", [])
        config_lib.CONFIG.Set("Artifacts.knowledge_base_skip", [])

        for _ in test_lib.TestFlowHelper("KnowledgeBaseInitializationFlow",
                                         client_mock,
                                         client_id=self.client_id,
                                         token=self.token):
            pass

        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        kb = artifact.GetArtifactKnowledgeBase(client)
        self.assertEqual(kb.os_major_version, 14)
        self.assertEqual(kb.os_minor_version, 4)
        # user 1,2,3 from wtmp.
        # Bert and Ernie not present (Users fixture overriden by kb).
        self.assertItemsEqual([x.username for x in kb.users],
                              ["user1", "user2", "user3"])
        user = kb.GetUser(username="******")
        self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099)
        self.assertEqual(user.homedir, "/home/user1")

        user = kb.GetUser(username="******")
        self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552102)
        self.assertEqual(user.homedir, "/home/user2")

        self.assertFalse(kb.GetUser(username="******"))
示例#6
0
  def testDownloadDirectory(self):
    """Test a FileFinder flow with depth=1."""
    with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                               test_lib.ClientVFSHandlerFixture):
      # Mock the client actions FileFinder uses.
      client_mock = action_mocks.ActionMock(
          "FingerprintFile", "HashBuffer", "HashFile", "StatFile", "Find",
          "TransferBuffer")

      for _ in test_lib.TestFlowHelper(
          "FileFinder", client_mock, client_id=self.client_id,
          paths=["/c/Downloads/*"],
          action=file_finder.FileFinderAction(
              action_type=file_finder.FileFinderAction.Action.DOWNLOAD),
          token=self.token):
        pass

      # Check if the base path was created
      output_path = self.client_id.Add("fs/os/c/Downloads")

      output_fd = aff4.FACTORY.Open(output_path, token=self.token)

      children = list(output_fd.OpenChildren())

      # There should be 6 children:
      expected_children = u"a.txt b.txt c.txt d.txt sub1 中国新闻网新闻中.txt"

      self.assertEqual(len(children), 6)

      self.assertEqual(expected_children.split(),
                       sorted([child.urn.Basename() for child in children]))

      # Find the child named: a.txt
      for child in children:
        if child.urn.Basename() == "a.txt":
          break

      # Check the AFF4 type of the child, it should have changed
      # from VFSFile to VFSBlobImage
      self.assertEqual(child.__class__.__name__, "VFSBlobImage")
示例#7
0
  def testGlobWithStarStarRootPath(self):
    """Test ** expressions with root_path."""

    # Add some usernames we can interpolate later.
    client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
    kb = client.Get(client.Schema.KNOWLEDGE_BASE)
    kb.MergeOrAddUser(rdf_client.User(username="******"))
    kb.MergeOrAddUser(rdf_client.User(username="******"))
    client.Set(kb)
    client.Close()

    client_mock = action_mocks.ActionMock("Find", "StatFile")

    # Glob for foo at a depth of 4.
    path = os.path.join("foo**4")
    root_path = rdf_paths.PathSpec(
        path=os.path.join(self.base_path, "test_img.dd"),
        pathtype=rdf_paths.PathSpec.PathType.OS)
    root_path.Append(path="/", pathtype=rdf_paths.PathSpec.PathType.TSK)

    # Run the flow.
    for _ in test_lib.TestFlowHelper("Glob",
                                     client_mock,
                                     client_id=self.client_id,
                                     paths=[path],
                                     root_path=root_path,
                                     pathtype=rdf_paths.PathSpec.PathType.OS,
                                     token=self.token):
      pass

    output_path = self.client_id.Add("fs/tsk").Add(self.base_path.replace(
        "\\", "/")).Add("test_img.dd/glob_test/a/b")

    children = []
    fd = aff4.FACTORY.Open(output_path, token=self.token)
    for child in fd.ListChildren():
      children.append(child.Basename())

    # We should find some files.
    self.assertEqual(children, ["foo"])
示例#8
0
    def testMACTimes(self):
        """Test that the timelining works with files."""
        with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                                   test_lib.ClientVFSHandlerFixture):

            client_mock = action_mocks.ActionMock("ListDirectory")

            pathspec = rdf_paths.PathSpec(
                path="/", pathtype=rdf_paths.PathSpec.PathType.OS)

            for _ in test_lib.TestFlowHelper("RecursiveListDirectory",
                                             client_mock,
                                             client_id=self.client_id,
                                             pathspec=pathspec,
                                             token=self.token):
                pass

            # Now make a timeline
            for s in test_lib.TestFlowHelper("MACTimes",
                                             client_mock,
                                             client_id=self.client_id,
                                             token=self.token,
                                             path="/"):
                session_id = s

            fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX),
                                   token=self.token)

            timestamp = 0
            events = list(fd.Query("event.stat.pathspec.path contains grep"))

            for event in events:
                # Check the times are monotonously increasing.
                self.assertGreaterEqual(event.event.timestamp, timestamp)
                timestamp = event.event.timestamp

                self.assertIn("grep", event.event.stat.pathspec.path)

            # 9 files, each having mac times = 27 events.
            self.assertEqual(len(events), 27)
示例#9
0
    def testCollectionOverwriting(self):
        """Test we overwrite the collection every time the flow is executed."""

        client_mock = action_mocks.ActionMock("Find")
        output_path = "analysis/FindFlowTest5"

        # Prepare a findspec.
        findspec = rdfvalue.FindSpec()
        findspec.path_regex = "bin"
        findspec.pathspec.path = "/"
        findspec.pathspec.pathtype = rdfvalue.PathSpec.PathType.OS

        for _ in test_lib.TestFlowHelper("FindFiles",
                                         client_mock,
                                         client_id=self.client_id,
                                         token=self.token,
                                         findspec=findspec,
                                         output=output_path):
            pass

        # Check the output file with the right number of results.
        fd = aff4.FACTORY.Open(self.client_id.Add(output_path),
                               token=self.token)

        self.assertEqual(len(fd), 2)

        # Now find a new result, should overwrite the collection
        findspec.path_regex = "dd"
        for _ in test_lib.TestFlowHelper("FindFiles",
                                         client_mock,
                                         client_id=self.client_id,
                                         token=self.token,
                                         findspec=findspec,
                                         output=output_path,
                                         max_results=1):
            pass

        fd = aff4.FACTORY.Open(self.client_id.Add(output_path),
                               token=self.token)
        self.assertEqual(len(fd), 1)
示例#10
0
  def testVFSFileStartsNewMultiGetFileWhenLockingFlowHasFinished(self):
    """A new MultiFileGet can be started when the locking flow has finished."""
    client_id = self.SetupClients(1)[0]
    test_lib.ClientFixture(client_id, token=self.token)
    # We need to choose a file path having a pathsepc.
    path = "fs/os/c/bin/bash"

    with aff4.FACTORY.Create(
        client_id.Add(path),
        aff4_type=aff4_grr.VFSFile,
        mode="rw",
        token=self.token) as file_fd:
      # Starts a MultiGetFile flow.
      first_update_flow_urn = file_fd.Update()

    # Check that there is exactly one flow on the client.
    flows_fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token)
    flows = list(flows_fd.ListChildren())
    self.assertEqual(len(flows), 1)

    # Finish the flow holding the lock.
    client_mock = action_mocks.ActionMock()
    for _ in test_lib.TestFlowHelper(
        flows[0], client_mock, client_id=client_id, token=self.token):
      pass

    # The flow holding the lock has finished, so Update() should start a new
    # flow.
    second_update_flow_urn = file_fd.Update()

    # There should be two flows now.
    flows_fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token)
    flows = list(flows_fd.ListChildren())
    self.assertEqual(len(flows), 2)

    # Make sure that each Update() started a new flow and that the second flow
    # is holding the lock.
    self.assertNotEqual(first_update_flow_urn, second_update_flow_urn)
    self.assertEqual(second_update_flow_urn,
                     file_fd.Get(file_fd.Schema.CONTENT_LOCK))
示例#11
0
    def testExportTabIsEnabledForStatEntryResults(self):
        client_id = rdfvalue.ClientURN("C.0000000000000001")

        with self.ACLChecksDisabled():
            for _ in test_lib.TestFlowHelper("FlowWithOneStatEntryResult",
                                             action_mocks.ActionMock(),
                                             client_id=client_id,
                                             token=self.token):
                pass

            self.GrantClientApproval(client_id)

        self.Open("/#c=C.0000000000000001")
        self.Click("css=a:contains('Manage launched flows')")
        self.Click("css=td:contains('FlowWithOneStatEntryResult')")
        self.Click("css=#Export")

        self.WaitUntil(
            self.IsTextPresent,
            "--username test --reason 'Running tests' collection_files "
            "--path aff4:/C.0000000000000001/analysis/FlowWithOneStatEntryResult"
        )
示例#12
0
    def testKnowledgeBaseMultiProvides(self):
        """Check we can handle multi-provides."""
        self.SetupWindowsMocks()
        # Replace some artifacts with test one that will run the MultiProvideParser.
        self.LoadTestArtifacts()
        config_lib.CONFIG.Set("Artifacts.knowledge_base",
                              ["DepsProvidesMultiple"])
        client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
                                              "Find", "HashBuffer",
                                              "ListDirectory",
                                              "FingerprintFile")
        for _ in test_lib.TestFlowHelper("KnowledgeBaseInitializationFlow",
                                         client_mock,
                                         client_id=self.client_id,
                                         token=self.token):
            pass

        # The client should now be populated with the data we care about.
        client = aff4.FACTORY.Open(self.client_id, token=self.token)
        kb = artifact.GetArtifactKnowledgeBase(client)
        self.assertEqual(kb.environ_temp, "tempvalue")
        self.assertEqual(kb.environ_path, "pathvalue")
示例#13
0
    def setUp(self):
        super(ApiGetHuntFilesArchiveHandlerTest, self).setUp()

        self.handler = hunt_plugin.ApiGetHuntFilesArchiveHandler()

        self.hunt = hunts.GRRHunt.StartHunt(
            hunt_name="GenericHunt",
            flow_runner_args=flow_runner.FlowRunnerArgs(
                flow_name=file_finder.FileFinder.__name__),
            flow_args=file_finder.FileFinderArgs(
                paths=[os.path.join(self.base_path, "test.plist")],
                action=file_finder.FileFinderAction(action_type="DOWNLOAD"),
            ),
            client_rate=0,
            token=self.token)
        self.hunt.Run()

        client_ids = self.SetupClients(10)
        self.AssignTasksToClients(client_ids=client_ids)
        action_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
                                              "HashFile", "HashBuffer")
        test_lib.TestHuntHelper(action_mock, client_ids, token=self.token)
示例#14
0
  def testGlob(self):
    """Test that glob works properly."""

    # Add some usernames we can interpolate later.
    client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
    users = client.Schema.USER()
    users.Append(username="******")
    users.Append(username="******")
    client.Set(users)
    client.Close()

    client_mock = action_mocks.ActionMock("Find", "StatFile")

    # This glob selects all files which start with the username on this system.
    paths = [os.path.join(self.base_path, "%%Users.username%%*"),
             os.path.join(self.base_path, "wtmp")]

    # Set iterator really low to force iteration.
    with utils.Stubber(filesystem.Glob, "FILE_MAX_PER_DIR", 2):
      for _ in test_lib.TestFlowHelper(
          "Glob", client_mock, client_id=self.client_id,
          paths=paths, pathtype=rdfvalue.PathSpec.PathType.OS,
          token=self.token, sync=False, check_flow_errors=False):
        pass

    output_path = self.client_id.Add("fs/os").Add(
        self.base_path.replace("\\", "/"))

    children = []
    fd = aff4.FACTORY.Open(output_path, token=self.token)
    for child in fd.ListChildren():
      children.append(child.Basename())

    # We should find some files.
    self.assertEqual(sorted(children),
                     sorted(["syslog", "syslog_compress.gz",
                             "syslog_false.gz", "test_artifacts.json",
                             "test_artifact.json", "test_img.dd", "test.plist",
                             "tests", "tests_long", "wtmp"]))
示例#15
0
    def testRegistryMRU(self):
        """Test that the MRU discovery flow. Flow is a work in Progress."""
        # Install the mock
        vfs.VFS_HANDLERS[rdf_paths.PathSpec.PathType.
                         REGISTRY] = test_lib.FakeRegistryVFSHandler

        # Mock out the Find client action.
        client_mock = action_mocks.ActionMock("Find")

        # Add some user accounts to this client.
        fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
        users = fd.Schema.USER()
        users.Append(
            rdf_client.User(username="******",
                            domain="testing-PC",
                            homedir=r"C:\Users\testing",
                            sid="S-1-5-21-2911950750-476812067-"
                            "1487428992-1001"))
        fd.Set(users)
        fd.Close()

        # Run the flow in the emulated way.
        for _ in test_lib.TestFlowHelper("GetMRU",
                                         client_mock,
                                         client_id=self.client_id,
                                         token=self.token):
            pass

        # Check that the key was read.
        fd = aff4.FACTORY.Open(rdfvalue.RDFURN(self.client_id).Add(
            "registry/HKEY_USERS/S-1-5-21-2911950750-476812067-1487428992-1001/"
            "Software/Microsoft/Windows/CurrentVersion/Explorer/"
            "ComDlg32/OpenSavePidlMRU/dd/0"),
                               token=self.token)

        self.assertEqual(fd.__class__.__name__, "VFSFile")
        s = fd.Get(fd.Schema.STAT)
        # TODO(user): Make this test better when the MRU flow is complete.
        self.assertTrue(s.registry_data)
示例#16
0
  def setUp(self):
    super(TestEndToEndTestFlow, self).setUp()
    install_time = rdfvalue.RDFDatetime().Now()
    user = "******"
    userobj = rdf_client.User(username=user)
    interface = rdf_client.Interface(ifname="eth0")
    self.client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient", mode="rw",
                                      token=self.token, age=aff4.ALL_TIMES)
    self.client.Set(self.client.Schema.HOSTNAME("hostname"))
    self.client.Set(self.client.Schema.SYSTEM("Linux"))
    self.client.Set(self.client.Schema.OS_RELEASE("debian"))
    self.client.Set(self.client.Schema.OS_VERSION("14.04"))
    self.client.Set(self.client.Schema.KERNEL("3.15-rc2"))
    self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
    self.client.Set(self.client.Schema.ARCH("x86_64"))
    self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
    self.client.Set(self.client.Schema.USER([userobj]))
    self.client.Set(self.client.Schema.USERNAMES([user]))
    self.client.Set(self.client.Schema.LAST_INTERFACES([interface]))
    self.client.Flush()

    self.client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")
示例#17
0
    def testKnowledgeBaseRetrievalLinux(self):
        """Check we can retrieve a Linux kb."""
        test_lib.ClientFixture(self.client_id, token=self.token)
        self.SetLinuxClient()
        with test_lib.ConfigOverrider({
                "Artifacts.knowledge_base": [
                    "LinuxWtmp", "NetgroupConfiguration",
                    "LinuxPasswdHomedirs", "LinuxRelease"
                ],
                "Artifacts.netgroup_filter_regexes": ["^login$"],
                "Artifacts.netgroup_user_blacklist": ["isaac"]
        }):
            with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                                       test_lib.FakeTestDataVFSHandler):

                client_mock = action_mocks.ActionMock(
                    "TransferBuffer", "StatFile", "Find", "HashBuffer",
                    "ListDirectory", "FingerprintFile", "Grep")

                for _ in test_lib.TestFlowHelper(
                        "KnowledgeBaseInitializationFlow",
                        client_mock,
                        client_id=self.client_id,
                        token=self.token):
                    pass
                client = aff4.FACTORY.Open(self.client_id,
                                           token=self.token,
                                           mode="rw")
                kb = artifact.GetArtifactKnowledgeBase(client)
                self.assertEqual(kb.os_major_version, 14)
                self.assertEqual(kb.os_minor_version, 4)
                # user 1,2,3 from wtmp. yagharek from netgroup.
                # Bert and Ernie not present (Users fixture overriden by kb).
                self.assertItemsEqual([x.username for x in kb.users],
                                      ["user1", "user2", "user3", "yagharek"])
                user = kb.GetUser(username="******")
                self.assertEqual(user.last_logon.AsSecondsFromEpoch(),
                                 1296552099)
                self.assertEqual(user.homedir, "/home/user1")
示例#18
0
  def testEndToEndTestsResultChecking(self):

    self.client_ids = ["aff4:/C.6000000000000000", "aff4:/C.6000000000000001",
                       "aff4:/C.6000000000000002"]
    for clientid in self.client_ids:
      self._SetSummaries(clientid)

    self.client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")

    endtoend = system.EndToEndTests(None, token=self.token)
    endtoend.state.Register("hunt_id", "aff4:/temphuntid")
    endtoend.state.Register("client_ids", set(self.client_ids))
    endtoend.state.Register("client_ids_failures", set())
    endtoend.state.Register("client_ids_result_reported", set())

    # No results at all
    self.assertRaises(flow.FlowError, endtoend._CheckForSuccess, [])

    # Not enough client results
    endtoend.state.Register("client_ids_failures", set())
    endtoend.state.Register("client_ids_result_reported", set())
    self.assertRaises(flow.FlowError, endtoend._CheckForSuccess,
                      [self._CreateResult(True, "aff4:/C.6000000000000001")])

    # All clients succeeded
    endtoend.state.Register("client_ids_failures", set())
    endtoend.state.Register("client_ids_result_reported", set())
    endtoend._CheckForSuccess([self._CreateResult(
        True, "aff4:/C.6000000000000000"), self._CreateResult(
            True, "aff4:/C.6000000000000001"), self._CreateResult(
                True, "aff4:/C.6000000000000002")])

    # All clients complete, but some failures
    endtoend.state.Register("client_ids_failures", set())
    endtoend.state.Register("client_ids_result_reported", set())
    self.assertRaises(flow.FlowError, endtoend._CheckForSuccess,
                      [self._CreateResult(True, "aff4:/C.6000000000000000"),
                       self._CreateResult(False, "aff4:/C.6000000000000001"),
                       self._CreateResult(False, "aff4:/C.6000000000000002")])
示例#19
0
  def ReadFromSparseImage(self, length, offset):

    fd = self.CreateNewSparseImage()
    urn = fd.urn

    self.client_mock = action_mocks.ActionMock("FingerprintFile", "HashBuffer",
                                               "HashFile", "StatFile", "Find",
                                               "TransferBuffer", "ReadBuffer")
    for _ in test_lib.TestFlowHelper("FetchBufferForSparseImage",
                                     self.client_mock,
                                     client_id=self.client_id,
                                     token=self.token,
                                     file_urn=urn,
                                     length=length,
                                     offset=offset):
      pass

    # Reopen the object so we can read the freshest version of the size
    # attribute.
    fd = aff4.FACTORY.Open(urn, token=self.token)

    return fd
示例#20
0
    def testMultiGetFileSizeLimit(self):
        client_mock = action_mocks.ActionMock("TransferBuffer", "HashFile",
                                              "StatFile", "HashBuffer")
        image_path = os.path.join(self.base_path, "test_img.dd")
        pathspec = rdf_paths.PathSpec(pathtype=rdf_paths.PathSpec.PathType.OS,
                                      path=image_path)

        # Read a bit more than one chunk (600 * 1024).
        expected_size = 750 * 1024
        args = transfer.MultiGetFileArgs(pathspecs=[pathspec],
                                         file_size=expected_size)
        for _ in test_lib.TestFlowHelper("MultiGetFile",
                                         client_mock,
                                         token=self.token,
                                         client_id=self.client_id,
                                         args=args):
            pass

        urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
            pathspec, self.client_id)
        blobimage = aff4.FACTORY.Open(urn, token=self.token)
        # Make sure a VFSBlobImage got written.
        self.assertTrue(isinstance(blobimage, aff4_grr.VFSBlobImage))

        self.assertEqual(len(blobimage), expected_size)
        data = blobimage.read(100 * expected_size)
        self.assertEqual(len(data), expected_size)

        expected_data = open(image_path, "rb").read(expected_size)

        self.assertEqual(data, expected_data)
        hash_obj = blobimage.Get(blobimage.Schema.HASH)

        d = hashlib.sha1()
        d.update(expected_data)
        expected_hash = d.hexdigest()

        self.assertEqual(hash_obj.sha1, expected_hash)
示例#21
0
  def testCallClientWellKnown(self):
    """Well known flows can also call the client."""
    cls = flow.GRRFlow.classes["GetClientStatsAuto"]
    flow_obj = cls(cls.well_known_session_id, mode="rw", token=self.token)

    flow_obj.CallClient(self.client_id, admin.GetClientStats)

    # Check that a message went out to the client
    manager = queue_manager.QueueManager(token=self.token)
    tasks = manager.Query(self.client_id, limit=100)

    self.assertEqual(len(tasks), 1)

    message = tasks[0]

    # If we don't specify where to send the replies, they go to the devnull flow
    devnull = flow.GRRFlow.classes["IgnoreResponses"]
    self.assertEqual(message.session_id, devnull.well_known_session_id)
    self.assertEqual(message.request_id, 0)
    self.assertEqual(message.name, admin.GetClientStats.__name__)

    messages = []

    def StoreMessage(_, msg):
      messages.append(msg)

    with utils.Stubber(devnull, "ProcessMessage", StoreMessage):
      client_mock = action_mocks.ActionMock(admin.GetClientStats)
      for _ in test_lib.TestFlowHelper(
          "ClientActionRunner",
          client_mock,
          client_id=self.client_id,
          action="GetClientStats",
          token=self.token):
        pass

    # Make sure the messages arrived.
    self.assertEqual(len(messages), 1)
示例#22
0
  def testFindWithMaxFiles(self):
    """Test that the Find flow works when specifying proto directly."""

    client_mock = action_mocks.ActionMock("Find")
    output_path = "analysis/FindFlowTest4"

    # Prepare a findspec.
    findspec = rdf_client.FindSpec(
        path_regex=".*",
        pathspec=rdf_paths.PathSpec(path="/",
                                    pathtype=rdf_paths.PathSpec.PathType.OS))

    for _ in test_lib.TestFlowHelper(
        "FindFiles", client_mock, client_id=self.client_id, token=self.token,
        findspec=findspec, iteration_count=3, output=output_path,
        max_results=7):
      pass

    # Check the output file is created
    fd = aff4.FACTORY.Open(self.client_id.Add(output_path), token=self.token)

    # Make sure we got the right number of results.
    self.assertEqual(len(fd), 7)
示例#23
0
  def testFlowLogging(self):
    """Check that flows log correctly."""
    flow_urn = None
    for session_id in test_lib.TestFlowHelper("DummyLogFlow",
                                              action_mocks.ActionMock(),
                                              token=self.token,
                                              client_id=self.client_id):
      flow_urn = session_id

    with aff4.FACTORY.Open(flow_urn.Add("Logs"), age=aff4.ALL_TIMES,
                           token=self.token) as log_collection:
      count = 0
      # Can't use len with PackedVersionCollection
      for log in log_collection:
        self.assertEqual(log.client_id, self.client_id)
        self.assertTrue(log.log_message in ["First", "Second", "Third",
                                            "Fourth", "Uno", "Dos", "Tres",
                                            "Cuatro"])
        self.assertTrue(log.flow_name in ["DummyLogFlow",
                                          "DummyLogFlowChild"])
        self.assertTrue(str(flow_urn) in str(log.urn))
        count += 1
      self.assertEqual(count, 8)
示例#24
0
  def testRunGrrClientActionArtifact(self):
    """Test we can get a GRR client artifact."""
    client_mock = action_mocks.ActionMock("ListProcesses")
    client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
    client.Set(client.Schema.SYSTEM("Linux"))
    client.Flush()

    coll1 = artifact_registry.ArtifactSource(
        type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
        attributes={"client_action": r"ListProcesses"})
    self.fakeartifact.sources.append(coll1)
    artifact_list = ["FakeArtifact"]
    for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock,
                                     artifact_list=artifact_list,
                                     token=self.token, client_id=self.client_id,
                                     output="test_artifact"):
      pass

    # Test the AFF4 file that was created.
    fd = aff4.FACTORY.Open(rdfvalue.RDFURN(self.client_id).Add("test_artifact"),
                           token=self.token)
    self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
    self.assertTrue(len(fd) > 5)
示例#25
0
    def RunFlow(self, keys_paths=None, conditions=None):
        if keys_paths is None:
            keys_paths = [
                "HKEY_USERS/S-1-5-20/Software/Microsoft/"
                "Windows/CurrentVersion/Run/*"
            ]
        if conditions is None:
            conditions = []

        client_mock = action_mocks.ActionMock(
            searching.Find,
            searching.Grep,
        )

        for s in test_lib.TestFlowHelper("RegistryFinder",
                                         client_mock,
                                         client_id=self.client_id,
                                         keys_paths=keys_paths,
                                         conditions=conditions,
                                         token=self.token):
            session_id = s

        return session_id
示例#26
0
    def ReadTestImage(self, size_threshold):
        path = os.path.join(self.base_path, "test_img.dd")

        urn = rdfvalue.RDFURN(self.client_id.Add("fs/os").Add(path))

        pathspec = rdf_paths.PathSpec(path=path,
                                      pathtype=rdf_paths.PathSpec.PathType.OS)

        client_mock = action_mocks.ActionMock("FingerprintFile", "HashBuffer",
                                              "HashFile", "StatFile", "Find",
                                              "TransferBuffer", "ReadBuffer")

        # Get everything as an AFF4SparseImage
        for _ in test_lib.TestFlowHelper("MakeNewAFF4SparseImage",
                                         client_mock,
                                         client_id=self.client_id,
                                         token=self.token,
                                         size_threshold=size_threshold,
                                         pathspec=pathspec):
            pass

        fd = aff4.FACTORY.Open(urn, token=self.token)
        return fd
示例#27
0
  def testGetFile(self):
    """Test that the GetFile flow works."""

    client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile")
    pathspec = rdf_paths.PathSpec(
        pathtype=rdf_paths.PathSpec.PathType.OS,
        path=os.path.join(self.base_path, "test_img.dd"))

    for _ in test_lib.TestFlowHelper("GetFile", client_mock, token=self.token,
                                     client_id=self.client_id,
                                     pathspec=pathspec):
      pass

    # Fix path for Windows testing.
    pathspec.path = pathspec.path.replace("\\", "/")
    # Test the AFF4 file that was created.
    urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(pathspec, self.client_id)
    fd1 = aff4.FACTORY.Open(urn, token=self.token)
    fd2 = open(pathspec.path)
    fd2.seek(0, 2)

    self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
    self.CompareFDs(fd1, fd2)
示例#28
0
  def testSearchFileContentsNoGrep(self):
    """Search files without a grep specification."""
    pattern = "searching/*.log"

    client_mock = action_mocks.ActionMock("Find", "Grep", "StatFile")
    path = os.path.join(self.base_path, pattern)

    # Do not provide a Grep expression - should match all files.
    args = grep.SearchFileContentArgs(paths=[path])

    # Run the flow.
    for s in test_lib.TestFlowHelper(
        "SearchFileContent",
        client_mock,
        client_id=self.client_id,
        args=args,
        token=self.token):
      session_id = s

    fd = aff4.FACTORY.Open(
        session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token)

    self.assertEqual(len(fd), 3)
示例#29
0
    def testArtifactSkipping(self):
        client_mock = action_mocks.ActionMock()
        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        # This does not match the Artifact so it will not be collected.
        client.Set(client.Schema.SYSTEM("Windows"))
        kb = client.Get(client.Schema.KNOWLEDGE_BASE)
        kb.os = "Windows"
        client.Set(client.Schema.KNOWLEDGE_BASE, kb)
        client.Flush()

        artifact_list = ["FakeArtifact"]
        for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                         client_mock,
                                         artifact_list=artifact_list,
                                         use_tsk=False,
                                         token=self.token,
                                         client_id=self.client_id):
            session_id = s
        flow_obj = aff4.FACTORY.Open(session_id, token=self.token)
        self.assertEqual(
            len(flow_obj.state.artifacts_skipped_due_to_condition), 1)
        self.assertEqual(flow_obj.state.artifacts_skipped_due_to_condition[0],
                         ["FakeArtifact", "os == 'Linux'"])
示例#30
0
    def testClickingOnInterrogateStartsInterrogateFlow(self):
        self.Open("/#c=" + self.client_id)

        # A click on the Interrogate button starts a flow, disables the button and
        # shows a loading icon within the button.
        self.Click("css=button:contains('Interrogate')")
        self.WaitUntil(self.IsElementPresent,
                       "css=button:contains('Interrogate')[disabled]")
        self.WaitUntil(self.IsElementPresent,
                       "css=button:contains('Interrogate') i")

        # Get the started flow and finish it, this will re-enable the button.
        with self.ACLChecksDisabled():
            client_id = rdf_client.ClientURN(self.client_id)

            fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token)
            flows = list(fd.ListChildren())

            client_mock = action_mocks.ActionMock()
            for flow_urn in flows:
                for _ in test_lib.TestFlowHelper(flow_urn,
                                                 client_mock,
                                                 client_id=client_id,
                                                 token=self.token,
                                                 check_flow_errors=False):
                    pass

        self.WaitUntilNot(self.IsElementPresent,
                          "css=button:contains('Interrogate')[disabled]")

        # Check if an Interrogate flow was started.
        self.Click("css=a[grrtarget='client.flows']")
        self.Click("css=td:contains('Interrogate')")
        self.WaitUntilContains(
            "Interrogate", self.GetText,
            "css=table td.proto_key:contains('Flow name') "
            "~ td.proto_value")