def testRunGrrClientActionArtifact(self): """Test we can get a GRR client artifact.""" client_mock = test_lib.ActionMock("ListProcesses") client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() coll1 = rdfvalue.Collector(action="RunGrrClientAction", args={"client_action": r"ListProcesses"}) self.fakeartifact.collectors.append(coll1) artifact_list = ["FakeArtifact"] for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, output="test_artifact"): pass # Test the AFF4 file that was created. fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("test_artifact"), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdfvalue.Process)) self.assertTrue(len(fd) > 5)
def testKnowledgeBaseRetrievalLinux(self): """Check we can retrieve a Linux kb.""" test_lib.ClientFixture(self.client_id, token=self.token) config_lib.CONFIG.Set("Artifacts.knowledge_base", ["LinuxWtmp", "NetgroupConfiguration"]) config_lib.CONFIG.Set("Artifacts.netgroup_filter_regexes", ["^login$"]) config_lib.CONFIG.Set("Artifacts.netgroup_user_blacklist", ["isaac"]) vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientTestDataVFSFixture client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Set(client.Schema.OS_VERSION("12.04")) client.Close() client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "HashFile") for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 12) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. yagharek from netgroup. # Bert and Ernie not present (Users fixture overriden by kb). self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2", "user3", "yagharek"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099)
def AddFileToFileStore(pathspec=None, client_id=None, token=None): """Adds file with given pathspec to the hash file store.""" if pathspec is None: raise ValueError("pathspec can't be None") if client_id is None: raise ValueError("client_id can't be None") urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(pathspec, client_id) client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "HashBuffer") for _ in test_lib.TestFlowHelper("GetFile", client_mock, token=token, client_id=client_id, pathspec=pathspec): pass auth_state = rdfvalue.GrrMessage.AuthorizationState.AUTHENTICATED flow.Events.PublishEvent("FileStore.AddFileToStore", rdfvalue.GrrMessage(payload=urn, auth_state=auth_state), token=token) worker = test_lib.MockWorker(token=token) worker.Simulate()
def testUnicodeListDirectory(self): """Test that the ListDirectory flow works on unicode directories.""" client_mock = test_lib.ActionMock("ListDirectory", "StatFile") # Deliberately specify incorrect casing pb = rdfvalue.PathSpec(path=os.path.join(self.base_path, "test_img.dd"), pathtype=rdfvalue.PathSpec.PathType.OS) pb.Append(path=u"入乡随俗 海外春节别样过法", pathtype=rdfvalue.PathSpec.PathType.TSK) for _ in test_lib.TestFlowHelper("ListDirectory", client_mock, client_id=self.client_id, pathspec=pb, token=self.token): pass # Check the output file is created output_path = self.client_id.Add("fs/tsk").Add(pb.CollapsePath()) fd = aff4.FACTORY.Open(output_path, token=self.token) children = list(fd.OpenChildren()) self.assertEqual(len(children), 1) child = children[0] self.assertEqual(os.path.basename(utils.SmartUnicode(child.urn)), u"入乡随俗.txt")
def testFetchFilesFlow(self): pattern = "test_data/*.log" client_mock = test_lib.ActionMock("Find", "TransferBuffer", "StatFile", "HashBuffer", "HashFile") path = os.path.join(os.path.dirname(self.base_path), pattern) # Run the flow. for _ in test_lib.TestFlowHelper( "FetchFiles", client_mock, client_id=self.client_id, paths=[path], pathtype=rdfvalue.PathSpec.PathType.OS, token=self.token): pass for f in "auth.log dpkg.log dpkg_false.log".split(): fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("/fs/os").Add( os.path.join(os.path.dirname(self.base_path), "test_data", f)), token=self.token) # Make sure that some data was downloaded. self.assertTrue(fd.Get(fd.Schema.SIZE) > 100)
def testFingerprintPresence(self): path = os.path.join(self.base_path, "winexec_img.dd") pathspec = rdfvalue.PathSpec(pathtype=rdfvalue.PathSpec.PathType.OS, path=path) pathspec.Append(path="/winpmem-amd64.sys", pathtype=rdfvalue.PathSpec.PathType.TSK) client_mock = test_lib.ActionMock("FingerprintFile") for _ in test_lib.TestFlowHelper("FingerprintFile", client_mock, token=self.token, client_id=self.client_id, pathspec=pathspec): pass urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN( pathspec, self.client_id) fd = aff4.FACTORY.Open(urn, token=self.token) self.assertEqual(fd.__class__, aff4_grr.VFSFile) fingerprint = fd.Get(fd.Schema.FINGERPRINT) pecoff = fingerprint.GetFingerprint("pecoff")["sha1"].encode("hex") self.assertEqual(pecoff, "1f32fa4eedfba023653c094143d90999f6b9bc4f") hash_obj = fd.Get(fd.Schema.HASH) self.assertEqual(hash_obj.pecoff_sha1, "1f32fa4eedfba023653c094143d90999f6b9bc4f") self.assertEqual(hash_obj.signed_data[0].revision, 512)
def testGlobWithWildcardsInsideTSKFileCaseInsensitive(self): client_mock = test_lib.ActionMock("Find", "StatFile") # This glob should find this file in test data: glob_test/a/b/foo. path = os.path.join("*", "a", "b", "FOO*") root_path = rdfvalue.PathSpec(path=os.path.join( self.base_path, "test_IMG.dd"), pathtype=rdfvalue.PathSpec.PathType.OS) root_path.Append(path="/", pathtype=rdfvalue.PathSpec.PathType.TSK) # Run the flow. for _ in test_lib.TestFlowHelper( "Glob", client_mock, client_id=self.client_id, paths=[path], root_path=root_path, pathtype=rdfvalue.PathSpec.PathType.OS, token=self.token): pass output_path = self.client_id.Add("fs/tsk").Add( os.path.join(self.base_path, "test_img.dd", "glob_test", "a", "b")) fd = aff4.FACTORY.Open(output_path, token=self.token) children = list(fd.ListChildren()) self.assertEqual(len(children), 1) self.assertEqual(children[0].Basename(), "foo")
def testGetArtifact1(self): """Test we can get a basic artifact.""" client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashFile", "HashBuffer") client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() # Dynamically add a Collector specifying the base path. file_path = os.path.join(self.base_path, "test_img.dd") coll1 = rdfvalue.Collector(action="GetFile", args={"path": file_path}) self.fakeartifact.collectors.append(coll1) artifact_list = ["FakeArtifact"] for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, use_tsk=False, token=self.token, client_id=self.client_id): pass # Test the AFF4 file that was created. fd1 = aff4.FACTORY.Open("%s/fs/os/%s" % (self.client_id, file_path), token=self.token) fd2 = open(file_path) fd2.seek(0, 2) self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
def testSearchFileContentDownload(self): pattern = "test_data/*.log" client_mock = test_lib.ActionMock("Find", "Grep", "StatFile", "HashFile", "HashBuffer", "TransferBuffer") path = os.path.join(os.path.dirname(self.base_path), pattern) # Do not provide a Grep expression - should match all files. args = rdfvalue.SearchFileContentArgs(paths=[path], also_download=True) # Run the flow. for _ in test_lib.TestFlowHelper("SearchFileContent", client_mock, client_id=self.client_id, output="analysis/grep/testing", args=args, token=self.token): pass fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("/analysis/grep/testing"), token=self.token) self.assertEqual(len(fd), 3) for log in aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("/fs/os/").Add(self.base_path), token=self.token).OpenChildren(): self.assertTrue(isinstance(log, aff4.VFSBlobImage)) # Make sure there is some data. self.assertGreater(len(log), 0)
def testGlobRegistry(self): """Test that glob works on registry.""" self.SetupMocks() client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory") paths = ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT" "\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT" "\\CurrentVersion\\ProfileList\\AllUsersProfile"] for _ in test_lib.TestFlowHelper( "Glob", client_mock, paths=paths, pathtype=rdfvalue.PathSpec.PathType.REGISTRY, client_id=self.client_id, token=self.token): pass path = paths[0].replace("\\", "/") fd = aff4.FACTORY.Open(self.client_id.Add("registry").Add(path), token=self.token) self.assertEqual(fd.__class__.__name__, "VFSFile") self.assertEqual(fd.Get(fd.Schema.STAT).registry_data.GetValue(), "%SystemDrive%\\Users")
def testRegistryMRU(self): """Test that the MRU discovery flow. Flow is a work in Progress.""" # Install the mock vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.REGISTRY] = test_lib.ClientRegistryVFSFixture # Mock out the Find client action. client_mock = test_lib.ActionMock("Find") # Add some user accounts to this client. fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) users = fd.Schema.USER() users.Append(rdfvalue.User( username="******", domain="testing-PC", homedir=r"C:\Users\testing", sid="S-1-5-21-2911950750-476812067-" "1487428992-1001")) fd.Set(users) fd.Close() # Run the flow in the emulated way. for _ in test_lib.TestFlowHelper("GetMRU", client_mock, client_id=self.client_id, token=self.token): pass # Check that the key was read. fd = aff4.FACTORY.Open(rdfvalue.RDFURN(self.client_id).Add( "registry/HKEY_USERS/S-1-5-21-2911950750-476812067-1487428992-1001/" "Software/Microsoft/Windows/CurrentVersion/Explorer/" "ComDlg32/OpenSavePidlMRU/dd/0"), token=self.token) self.assertEqual(fd.__class__.__name__, "VFSFile") s = fd.Get(fd.Schema.STAT) # TODO(user): Make this test better when the MRU flow is complete. self.assertTrue(s.registry_data)
def CreateTimelineFixture(self): """Creates a new timeline fixture we can play with.""" # Create a client for testing client_id = rdfvalue.ClientURN("C.0000000000000001") token = access_control.ACLToken(username="******", reason="fixture") fd = aff4.FACTORY.Create(client_id, "VFSGRRClient", token=token) cert = self.ClientCertFromPrivateKey( config_lib.CONFIG["Client.private_key"]) client_cert = rdfvalue.RDFX509Cert(cert.as_pem()) fd.Set(fd.Schema.CERT(client_cert)) fd.Close() # Install the mock vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture client_mock = test_lib.ActionMock("ListDirectory") output_path = "analysis/Timeline/MAC" for _ in test_lib.TestFlowHelper( "RecursiveListDirectory", client_mock, client_id=client_id, pathspec=rdfvalue.PathSpec( path="/", pathtype=rdfvalue.PathSpec.PathType.OS), token=token): pass # Now make a timeline for _ in test_lib.TestFlowHelper( "MACTimes", client_mock, client_id=client_id, token=token, path="/", output=output_path): pass
def testFindWithMaxFiles(self): """Test that the Find flow works when specifying proto directly.""" client_mock = test_lib.ActionMock("Find") output_path = "analysis/FindFlowTest4" # Prepare a findspec. findspec = rdfvalue.FindSpec( path_regex=".*", pathspec=rdfvalue.PathSpec(path="/", pathtype=rdfvalue.PathSpec.PathType.OS)) for _ in test_lib.TestFlowHelper("FindFiles", client_mock, client_id=self.client_id, token=self.token, findspec=findspec, iteration_count=3, output=output_path, max_results=7): pass # Check the output file is created fd = aff4.FACTORY.Open(self.client_id.Add(output_path), token=self.token) # Make sure we got the right number of results. self.assertEqual(len(fd), 7)
def testGetFile(self): """Test that the GetFile flow works.""" client_mock = test_lib.ActionMock("TransferBuffer", "StatFile") pathspec = rdfvalue.PathSpec(pathtype=rdfvalue.PathSpec.PathType.OS, path=os.path.join(self.base_path, "test_img.dd")) for _ in test_lib.TestFlowHelper("GetFile", client_mock, token=self.token, client_id=self.client_id, pathspec=pathspec): pass # Fix path for Windows testing. pathspec.path = pathspec.path.replace("\\", "/") # Test the AFF4 file that was created. urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN( pathspec, self.client_id) fd1 = aff4.FACTORY.Open(urn, token=self.token) fd2 = open(pathspec.path) fd2.seek(0, 2) self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE))) self.CompareFDs(fd1, fd2)
def setUp(self): super(TestMemoryScanner, self).setUp() self.output_path = "analysis/memory_scanner" self.key = rdfvalue.AES128Key("1a5eafcc77d428863d4c2441ea26e5a5") self.iv = rdfvalue.AES128Key("2241b14c64874b1898dad4de7173d8c0") self.memory_file = os.path.join(config_lib.CONFIG["Test.data_dir"], "auth.log") with open(self.memory_file, "r") as f: self.memory_dump = f.read() self.assertTrue(self.memory_dump) self.client_mock = test_lib.ActionMock("TransferBuffer", "HashBuffer", "StatFile", "CopyPathToFile", "SendFile", "DeleteGRRTempFiles", "Find", "Grep") self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"] flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType. MEMORY] = test_lib.ClientTestDataVFSFixture
def testFindDirectories(self): """Test that the Find flow works with directories.""" client_mock = test_lib.ActionMock("Find") output_path = "analysis/FindFlowTest2" # Prepare a findspec. findspec = rdfvalue.FindSpec( path_regex="bin", pathspec=rdfvalue.PathSpec(path="/", pathtype=rdfvalue.PathSpec.PathType.OS)) for _ in test_lib.TestFlowHelper("FindFiles", client_mock, client_id=self.client_id, token=self.token, output=output_path, findspec=findspec): pass # Check the output file is created fd = aff4.FACTORY.Open(self.client_id.Add(output_path), token=self.token) # Make sure that bin is a directory self.assertEqual(len(fd), 2) for child in fd: path = utils.SmartStr(child.aff4path) self.assertTrue("bin" in path) self.assertEqual(child.__class__.__name__, "StatEntry")
def testMultiGetFile(self): """Test MultiGetFile.""" client_mock = test_lib.ActionMock("TransferBuffer", "HashFile", "StatFile", "HashBuffer") pathspec = rdfvalue.PathSpec(pathtype=rdfvalue.PathSpec.PathType.OS, path=os.path.join(self.base_path, "test_img.dd")) args = rdfvalue.MultiGetFileArgs(pathspecs=[pathspec, pathspec]) with test_lib.Instrument(transfer.MultiGetFile, "StoreStat") as storestat_instrument: for _ in test_lib.TestFlowHelper("MultiGetFile", client_mock, token=self.token, client_id=self.client_id, args=args): pass # We should only have called StoreStat once because the two paths # requested were identical. self.assertEqual(len(storestat_instrument.args), 1) # Fix path for Windows testing. pathspec.path = pathspec.path.replace("\\", "/") # Test the AFF4 file that was created. urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN( pathspec, self.client_id) fd1 = aff4.FACTORY.Open(urn, token=self.token) fd2 = open(pathspec.path) fd2.seek(0, 2) self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE))) self.CompareFDs(fd1, fd2)
def setUp(self): super(TestWebHistory, self).setUp() # Set up client info self.client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) self.client.Set(self.client.Schema.SYSTEM("Linux")) user_list = self.client.Schema.USER() user_list.Append( rdfvalue.User(username="******", full_name="test user", homedir="/home/test/", last_logon=250)) self.client.AddAttribute(self.client.Schema.USER, user_list) self.client.Close() self.client_mock = test_lib.ActionMock("ReadBuffer", "HashFile", "HashBuffer", "TransferBuffer", "StatFile", "Find", "ListDirectory") # Mock the client to make it look like the root partition is mounted off the # test image. This will force all flow access to come off the image. def MockGetMountpoints(): return {"/": (os.path.join(self.base_path, "test_img.dd"), "ext2")} self.orig_linux_mp = client_utils_linux.GetMountpoints self.orig_osx_mp = client_utils_osx.GetMountpoints client_utils_linux.GetMountpoints = MockGetMountpoints client_utils_osx.GetMountpoints = MockGetMountpoints # We wiped the data_store so we have to retransmit all blobs. standard.HASH_CACHE = utils.FastStore(100)
def testFindFilesWithGlob(self): """Test that the Find flow works with glob.""" client_mock = test_lib.ActionMock("Find") output_path = "analysis/FindFlowTest1" # Prepare a findspec. findspec = rdfvalue.FindSpec( path_glob="bash*", pathspec=rdfvalue.PathSpec(path="/", pathtype=rdfvalue.PathSpec.PathType.OS)) for _ in test_lib.TestFlowHelper("FindFiles", client_mock, client_id=self.client_id, token=self.token, output=output_path, findspec=findspec): pass # Check the output file is created fd = aff4.FACTORY.Open(self.client_id.Add(output_path), token=self.token) # Make sure that bash is a file. matches = set([x.aff4path.Basename() for x in fd]) self.assertEqual(sorted(matches), ["bash"]) self.assertEqual(len(fd), 2) for child in fd: path = utils.SmartStr(child.aff4path) self.assertTrue(path.endswith("bash")) self.assertEqual(child.__class__.__name__, "StatEntry")
def testBootstrapKnowledgeBaseFlow(self): client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Windows")) client.Set(client.Schema.OS_VERSION("6.2")) client.Flush() vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType. REGISTRY] = test_lib.ClientRegistryVFSFixture client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "HashFile", "ListDirectory") for _ in test_lib.TestFlowHelper("BootStrapKnowledgeBaseFlow", client_mock, token=self.token, client_id=self.client_id, output="bootstrap"): pass fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("bootstrap"), token=self.token) self.assertEqual(len(fd), 1) bootstrap = fd[0] self.assertEqual(bootstrap["environ_systemdrive"], "C:") self.assertEqual(bootstrap["environ_systemroot"], "C:\\Windows")
def testSearchFileContents(self): pattern = "test_data/*.log" client_mock = test_lib.ActionMock("Find", "Grep", "StatFile") path = os.path.join(os.path.dirname(self.base_path), pattern) args = rdfvalue.SearchFileContentArgs( paths=[path], pathtype=rdfvalue.PathSpec.PathType.OS) args.grep.literal = "session opened for user dearjohn" args.grep.mode = rdfvalue.GrepSpec.Mode.ALL_HITS # Run the flow. for _ in test_lib.TestFlowHelper("SearchFileContent", client_mock, client_id=self.client_id, output="analysis/grep/testing", args=args, token=self.token): pass fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("/analysis/grep/testing"), token=self.token) # Make sure that there is a hit. self.assertEqual(len(fd), 1) first = fd[0] self.assertEqual(first.offset, 350) self.assertEqual( first.data, "session): session opened for user dearjohn by (uid=0")
def setUp(self): super(TestSearchFileContentWithFixture, self).setUp() # Install the mock vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture self.client_mock = test_lib.ActionMock("Grep", "StatFile", "Find")
def testKnowledgeBaseRetrievalDarwin(self): """Check we can retrieve a Darwin kb.""" test_lib.ClientFixture(self.client_id, token=self.token) vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Darwin")) client.Set(client.Schema.OS_VERSION("10.9")) client.Close() client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "HashFile") for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 10) self.assertEqual(kb.os_minor_version, 9) # scalzi from /Users dir listing. # Bert and Ernie not present (Users fixture overriden by kb). self.assertItemsEqual([x.username for x in kb.users], ["scalzi"]) user = kb.GetUser(username="******") self.assertEqual(user.homedir, "/Users/scalzi")
def testKnowledgeBaseRetrievalWindows(self): """Check we can retrieve a knowledge base from a client.""" self.SetupMocks() client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "HashFile") for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", client_mock, client_id=self.client_id, token=self.token): pass # The client should now be populated with the data we care about. client = aff4.FACTORY.Open(self.client_id, token=self.token) kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.environ_systemroot, "C:\\Windows") self.assertEqual(kb.time_zone, "US/Alaska") self.assertEqual(kb.code_page, "cp_1252") self.assertEqual(kb.environ_windir, "C:\\Windows") self.assertEqual(kb.environ_allusersprofile, "C:\\Users\\All Users") self.assertEqual(kb.environ_allusersappdata, "C:\\ProgramData") self.assertEqual(kb.environ_temp, "C:\\Windows\\TEMP") self.assertEqual(kb.environ_systemdrive, "C:") self.assertItemsEqual([x.username for x in kb.users], ["jim", "kovacs"]) user = kb.GetUser(username="******") self.assertEqual(user.username, "jim") self.assertEqual(user.sid, "S-1-5-21-702227068-2140022151-3110739409-1000")
def testArtifactOutput(self): """Check we can run command based artifacts.""" self.SetLinuxClient() # Update the artifact path to point to the test directory. art_reg = artifact_lib.ArtifactRegistry.artifacts art_reg["TestFileArtifact"].collectors[0].args["path"] = ( os.path.join(self.base_path, "auth.log")) client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "HashFile", "HashBuffer", "ListDirectory", "Find") # Will raise if something goes wrong. self.RunCollectorAndGetCollection(["TestFileArtifact"], client_mock=client_mock) # Will raise if something goes wrong. self.RunCollectorAndGetCollection(["TestFileArtifact"], client_mock=client_mock, split_output_by_artifact=True) # Test the no_results_errors option. with self.assertRaises(RuntimeError) as context: self.RunCollectorAndGetCollection( ["NullArtifact"], client_mock=client_mock, split_output_by_artifact=True, no_results_errors=True) if "collector returned 0 responses" not in str(context.exception): raise RuntimeError("0 responses should have been returned")
def setUp(self): super(TestNetworkByteLimits, self).setUp() pathspec = rdfvalue.PathSpec(path="/nothing", pathtype=rdfvalue.PathSpec.PathType.OS) self.buffer_ref = rdfvalue.BufferReference(pathspec=pathspec, length=5000) self.data = "X" * 500 self.old_read = standard.vfs.ReadVFS standard.vfs.ReadVFS = lambda x, y, z: self.data self.transfer_buf = test_lib.ActionMock("TransferBuffer")
def testExecuteBinariesWithArgs(self): client_mock = test_lib.ActionMock("ExecuteBinaryCommand") code = "I am a binary file" upload_path = config_lib.CONFIG["Executables.aff4_path"].Add( "test.exe") maintenance_utils.UploadSignedConfigBlob(code, aff4_path=upload_path, token=self.token) class Popen(object): """A mock object for subprocess.Popen.""" def __init__(self, run, stdout, stderr, stdin): Popen.running_args = run Popen.stdout = stdout Popen.stderr = stderr Popen.stdin = stdin Popen.returncode = 0 # Store the content of the executable file. Popen.binary = open(run[0]).read() def communicate(self): # pylint: disable=g-bad-name return "stdout here", "stderr here" # This flow has an acl, the user needs to be admin. user = aff4.FACTORY.Create("aff4:/users/%s" % self.token.username, mode="rw", aff4_type="GRRUser", token=self.token) user.SetLabels("admin") user.Close() with test_lib.Stubber(subprocess, "Popen", Popen): for _ in test_lib.TestFlowHelper("LaunchBinary", client_mock, client_id=self.client_id, binary=upload_path, command_line="--value 356", token=self.token): pass # Check that the executable file contains the code string. self.assertEqual(Popen.binary, code) # At this point, the actual binary should have been cleaned up by the # client action so it should not exist. self.assertRaises(IOError, open, Popen.running_args[0]) # Check the binary was run with the correct command line. self.assertEqual(Popen.running_args[1], "--value") self.assertEqual(Popen.running_args[2], "356") # Check the command was in the tmp file. self.assertTrue(Popen.running_args[0].startswith( config_lib.CONFIG["Client.tempdir"]))
def testKnowledgeBaseNoOS(self): """Check unset OS dies.""" vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientVFSHandlerFixture client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "HashFile") self.assertRaises(flow.FlowError, list, test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", client_mock, client_id=self.client_id, token=self.token))
def testFetchFilesGlobFlow(self): # Very small chunks to stress test this flow. with test_lib.MultiStubber( (transfer.MultiGetFile, "CHUNK_SIZE", self.chunk_size), (transfer.MultiGetFile, "MIN_CALL_TO_FILE_STORE", 3)): with test_lib.Instrument(filestore.FileStore, "CheckHashes") as check_hashes_instrument: self.base_pathspec = rdfvalue.PathSpec( path=os.path.join(self.base_path, "winexec_img.dd"), pathtype=rdfvalue.PathSpec.PathType.OS) self.base_pathspec.Append( path="/", pathtype=rdfvalue.PathSpec.PathType.TSK) inspect_path = self.base_pathspec.Copy() inspect_path.AppendPath("Ext2IFS_1_10b.exe") urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN( inspect_path, self.client_id) fd = aff4.FACTORY.Create(urn, "AFF4MemoryStream", token=self.token) fd.Write("hello") fd.Close() # Now run the fetch all files. client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashFile", "HashBuffer") for _ in test_lib.TestFlowHelper( "FetchFiles", client_mock, token=self.token, paths=["*.exe", "*.sys"], root_path=self.base_pathspec, pathtype=rdfvalue.PathSpec.PathType.OS, client_id=self.client_id): pass self.CheckFindExeFiles() self.CheckPresenceOfSignedData() self.CheckIndexLookup() pathlist = ["pciide.sys"] self.CheckExistingFile(pathlist) # In this test we limit the maximum number of times the filestore check # hashes is called to 3. There are 7 hits in the test data, so we # expect 3 calls, of 3, 3, and 1: self.assertEqual(len(check_hashes_instrument.args), 3) self.assertEqual(len(check_hashes_instrument.args[0][1]), 3) self.assertEqual(len(check_hashes_instrument.args[1][1]), 3) self.assertEqual(len(check_hashes_instrument.args[2][1]), 1)
def testProcessCollectedArtifacts(self): """Test downloading files from artifacts.""" client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Windows")) client.Set(client.Schema.OS_VERSION("6.2")) client.Flush() vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType. REGISTRY] = test_lib.ClientRegistryVFSFixture vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientFullVFSFixture client_mock = test_lib.ActionMock("TransferBuffer", "StatFile", "Find", "HashBuffer", "HashFile", "ListDirectory") # Get KB initialized for _ in test_lib.TestFlowHelper("KnowledgeBaseInitializationFlow", client_mock, client_id=self.client_id, token=self.token): pass artifact_list = ["WindowsPersistenceMechanismFiles"] with test_lib.Instrument(transfer.MultiGetFile, "Start") as getfile_instrument: for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, output="analysis/{p}/{u}-{t}", split_output_by_artifact=True): pass # Check MultiGetFile got called for our runkey files # TODO(user): RunKeys for S-1-5-20 are not found because users.sid only # expands to users with profiles. pathspecs = getfile_instrument.args[0][0].args.pathspecs self.assertItemsEqual([x.path for x in pathspecs], [u"C:\\Windows\\TEMP\\A.exe"]) artifact_list = ["BadPathspecArtifact"] with test_lib.Instrument(transfer.MultiGetFile, "Start") as getfile_instrument: for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, output="analysis/{p}/{u}-{t}", split_output_by_artifact=True): pass self.assertFalse(getfile_instrument.args)