示例#1
0
 def GenerateSample(self, number=0):
     result = rdfvalue.Artifact(name="artifact%s" % number,
                                doc="Doco",
                                provides="environ_windir",
                                supported_os="Windows",
                                urls="http://blah")
     return result
示例#2
0
def ArtifactsFromYaml(yaml_content):
  """Get a list of Artifacts from json."""
  try:
    raw_list = list(yaml.safe_load_all(yaml_content))
  except ValueError as e:
    raise ArtifactDefinitionError("Invalid json for artifact: %s" % e)

  # Try to do the right thing with json/yaml formatted as a list.
  if (isinstance(raw_list, list) and len(raw_list) == 1 and
      isinstance(raw_list[0], list)):
    raw_list = raw_list[0]

  # Convert json into artifact and validate.
  valid_artifacts = []
  for artifact_dict in raw_list:
    # In this case we are feeding parameters directly from potentially
    # untrusted yaml/json to our RDFValue class. However, safe_load ensures
    # these are all primitive types as long as there is no other deserialization
    # involved, and we are passing these into protobuf primitive types.
    try:
      artifact_value = rdfvalue.Artifact(**artifact_dict)
      valid_artifacts.append(artifact_value)
    except (TypeError, AttributeError) as e:
      raise ArtifactDefinitionError("Invalid artifact definition for %s: %s" %
                                    (artifact_dict.get("name"), e))

  return valid_artifacts
示例#3
0
    def testGetArtifactPathDependencies(self):
        collectors = [{
            "collector_type": rdfvalue.Collector.CollectorType.REGISTRY_VALUE,
            "args": {
                "path":
                r"%%current_control_set%%\Control\Session "
                r"Manager\Environment\Path"
            }
        }, {
            "collector_type": rdfvalue.Collector.CollectorType.WMI,
            "args": {
                "query":
                "SELECT * FROM Win32_UserProfile "
                "WHERE SID='%%users.sid%%'"
            }
        }, {
            "collector_type": rdfvalue.Collector.CollectorType.GREP,
            "args": {
                "content_regex_list": ["^%%users.username%%:"]
            }
        }]

        artifact = rdfvalue.Artifact(name="artifact",
                                     doc="Doco",
                                     provides=["environ_windir"],
                                     supported_os=["Windows"],
                                     urls=["http://blah"],
                                     collectors=collectors)

        self.assertItemsEqual([
            x["collector_type"]
            for x in artifact.ToPrimitiveDict()["collectors"]
        ], ["REGISTRY_VALUE", "WMI", "GREP"])

        class Parser1(object):
            knowledgebase_dependencies = ["appdata", "sid"]

        class Parser2(object):
            knowledgebase_dependencies = ["sid", "desktop"]

        @classmethod
        def MockGetClassesByArtifact(unused_cls, _):
            return [Parser1, Parser2]

        with utils.Stubber(parsers.Parser, "GetClassesByArtifact",
                           MockGetClassesByArtifact):
            self.assertItemsEqual(artifact.GetArtifactPathDependencies(), [
                "appdata", "sid", "desktop", "current_control_set",
                "users.sid", "users.username"
            ])
示例#4
0
    def testValidateSyntaxBadProvides(self):
        collectors = [{
            "collector_type": rdfvalue.Collector.CollectorType.FILE,
            "args": {
                "path_list": [r"%%environ_systemdrive%%\Temp"]
            }
        }]

        artifact = rdfvalue.Artifact(name="bad",
                                     doc="Doco",
                                     provides=["windir"],
                                     supported_os=["Windows"],
                                     urls=["http://blah"],
                                     collectors=collectors)
        with self.assertRaises(artifact_lib.ArtifactDefinitionError):
            artifact.ValidateSyntax()
示例#5
0
    def testValidateSyntaxBadProvides(self):
        sources = [{
            "type": rdfvalue.ArtifactSource.SourceType.FILE,
            "attributes": {
                "paths": [r"%%environ_systemdrive%%\Temp"]
            }
        }]

        artifact = rdfvalue.Artifact(name="bad",
                                     doc="Doco",
                                     provides=["windir"],
                                     supported_os=["Windows"],
                                     urls=["http://blah"],
                                     sources=sources)
        with self.assertRaises(artifact_lib.ArtifactDefinitionError):
            artifact.ValidateSyntax()
示例#6
0
    def testValidateSyntax(self):
        collectors = [{
            "collector_type": rdfvalue.Collector.CollectorType.REGISTRY_VALUE,
            "args": {
                "path_list": [
                    r"%%current_control_set%%\Control\Session "
                    r"Manager\Environment\Path"
                ]
            }
        }, {
            "collector_type": rdfvalue.Collector.CollectorType.FILE,
            "args": {
                "path_list": [r"%%environ_systemdrive%%\Temp"]
            }
        }]

        artifact = rdfvalue.Artifact(name="good",
                                     doc="Doco",
                                     provides=["environ_windir"],
                                     supported_os=["Windows"],
                                     urls=["http://blah"],
                                     collectors=collectors)
        artifact.ValidateSyntax()
示例#7
0
    def testValidateSyntax(self):
        sources = [{
            "type": rdfvalue.ArtifactSource.SourceType.REGISTRY_KEY,
            "attributes": {
                "keys": [
                    r"%%current_control_set%%\Control\Session "
                    r"Manager\Environment\Path"
                ]
            }
        }, {
            "type": rdfvalue.ArtifactSource.SourceType.FILE,
            "attributes": {
                "paths": [r"%%environ_systemdrive%%\Temp"]
            }
        }]

        artifact = rdfvalue.Artifact(name="good",
                                     doc="Doco",
                                     provides=["environ_windir"],
                                     supported_os=["Windows"],
                                     urls=["http://blah"],
                                     sources=sources)
        artifact.ValidateSyntax()