def testGenerateArchiveButtonGetsDisabledAfterClick(self): pathspec = rdf_paths.PathSpec(path=os.path.join( self.base_path, "test.plist"), pathtype=rdf_paths.PathSpec.PathType.OS) for _ in test_lib.TestFlowHelper(flows_transfer.GetFile.__name__, self.action_mock, client_id=self.client_id, pathspec=pathspec, token=self.token): pass self.Open("/#c=C.0000000000000001") self.Click("css=a[grrtarget='client.flows']") self.Click("css=td:contains('GetFile')") self.Click("link=Results") self.Click("css=button.DownloadButton") self.WaitUntil(self.IsElementPresent, "css=button.DownloadButton[disabled]") self.WaitUntil(self.IsTextPresent, "Generation has started")
def _RunTSKFileFinder(self, paths): image_path = os.path.join(self.base_path, "ntfs_img.dd") with utils.Stubber( vfs, "VFS_VIRTUALROOTS", { rdf_paths.PathSpec.PathType.TSK: rdf_paths.PathSpec( path=image_path, pathtype="OS", offset=63 * 512) }): action = file_finder.FileFinderAction.Action.DOWNLOAD for _ in test_lib.TestFlowHelper( "FileFinder", self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdf_paths.PathSpec.PathType.TSK, action=file_finder.FileFinderAction(action_type=action), token=self.token): pass
def testNormalGrep(self): grepspec = rdf_client.BareGrepSpec( mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="hello") for s in test_lib.TestFlowHelper( "SearchFileContent", self.client_mock, client_id=self.client_id, paths=["/proc/10/cmdline"], pathtype=rdf_paths.PathSpec.PathType.OS, token=self.token, grep=grepspec): session_id = s fd = flow.GRRFlow.ResultCollectionForFID(session_id, token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(fd[0].offset, 3) self.assertEqual(fd[0], "ls\x00hello world\'\x00-l") self.assertEqual(fd[0].length, 18)
def testShowsGenerateArchiveButtonForGetFileFlow(self): pathspec = rdf_paths.PathSpec(path=os.path.join( self.base_path, "test.plist"), pathtype=rdf_paths.PathSpec.PathType.OS) with self.ACLChecksDisabled(): for _ in test_lib.TestFlowHelper("GetFile", self.action_mock, client_id=self.client_id, pathspec=pathspec, token=self.token): pass self.Open("/#c=C.0000000000000001") self.Click("css=a:contains('Manage launched flows')") self.Click("css=td:contains('GetFile')") self.Click("link=Results") self.WaitUntil( self.IsTextPresent, "Files referenced in this collection can be downloaded")
def testLogsCanBeOpenedByClickingOnLogsTab(self): client_id = rdfvalue.ClientURN("C.0000000000000001") # RecursiveTestFlow doesn't send any results back. with self.ACLChecksDisabled(): for _ in test_lib.TestFlowHelper("RecursiveTestFlow", action_mocks.ActionMock(), client_id=client_id, token=self.token): pass self.GrantClientApproval(client_id) self.Open("/#c=C.0000000000000001") self.Click("css=a:contains('Manage launched flows')") self.Click("css=td:contains('RecursiveTestFlow')") self.Click("css=a[renderer=FlowLogView]") self.WaitUntil(self.IsTextPresent, "Subflow call 1") self.WaitUntil(self.IsTextPresent, "Subflow call 0")
def testDiskVolumeInfoOSXLinux(self): client_mock = action_mocks.UnixVolumeClientMock( "StatFile", "ListDirectory") with test_lib.Instrument(flow.GRRFlow, "SendReply") as send_reply: for _ in test_lib.TestFlowHelper("DiskVolumeInfo", client_mock, client_id=self.client_id, token=self.token, path_list=["/usr/local", "/home"]): pass results = [] for _, reply in send_reply.args: if isinstance(reply, rdfvalue.Volume): results.append(reply) self.assertItemsEqual([x.unix.mount_point for x in results], ["/", "/usr"]) self.assertEqual(len(results), 2)
def testLoadDriverWindows(self): """Tests the memory driver deployment flow.""" self.CreateSignedDriver() self.CreateClient() # Run the flow in the simulated way for _ in test_lib.TestFlowHelper("LoadMemoryDriver", action_mocks.MemoryClientMock(), token=self.token, client_id=self.client_id): pass device_urn = self.client_id.Add("devices/memory") fd = aff4.FACTORY.Open(device_urn, mode="r", token=self.token) runs = fd.Get(fd.Schema.LAYOUT).runs self.assertEqual(runs[0].offset, 0x1000) self.assertEqual(runs[0].length, 0x10000) self.assertEqual(runs[1].offset, 0x20000) self.assertEqual(runs[0].length, 0x10000)
def testListVolumeShadowCopies(self): """Test the list Volume Shadow Copies flow.""" flow_name = "ListVolumeShadowCopies" # Run the flow in the simulated way for _ in test_lib.TestFlowHelper(flow_name, TestClient(), token=self.token, client_id=self.client_id): pass fd = aff4.FACTORY.Open( self.client_id.Add("fs/tsk/\\\\.\\HarddiskVolumeShadowCopy3"), token=self.token) children = list(fd.ListChildren()) self.assertEqual(len(children), 10) self.assertEqual([x.Basename() for x in sorted(children)], ["file %s" % i for i in range(10)])
def testIllegalGlobAsync(self): # When running the flow asynchronously, we will not receive any errors from # the Start method, but the flow should still fail. paths = ["Test/%%Weird_illegal_attribute%%"] client_mock = action_mocks.ActionMock("Find", "StatFile") # Run the flow. session_id = None # This should not raise here since the flow is run asynchronously. for session_id in test_lib.TestFlowHelper( "Glob", client_mock, client_id=self.client_id, check_flow_errors=False, paths=paths, pathtype=rdf_paths.PathSpec.PathType.OS, token=self.token, sync=False): pass fd = aff4.FACTORY.Open(session_id, token=self.token) self.assertTrue( "KnowledgeBaseInterpolationError" in fd.state.context.backtrace) self.assertEqual("ERROR", str(fd.state.context.state))
def testFlowSerialization2(self): """Check that we can unpickle flows.""" class TestClientMock(object): in_rdfvalue = rdf_client.EchoRequest out_rdfvalue = rdf_protodict.DataBlob def __init__(self): # Register us as an action plugin. actions.ActionPlugin.classes["ReturnBlob"] = self def ReturnBlob(self, unused_args): return [rdf_protodict.DataBlob(integer=100)] # Run the flow in the simulated way for _ in test_lib.TestFlowHelper("FlowResponseSerialization", TestClientMock(), token=self.token, client_id=self.client_id): pass
def testCreatorPropagation(self): # Instantiate the flow using one username. session_id = flow.GRRFlow.StartFlow( client_id=self.client_id, flow_name="ParentFlow", sync=False, token=access_control.ACLToken(username="******", reason="testing")) # Run the flow using another user ("test"). for _ in test_lib.TestFlowHelper(session_id, ClientMock(), client_id=self.client_id, token=self.token): pass self.assertEqual(ParentFlow.success, True) subflows = list(aff4.FACTORY.Open( session_id, token=self.token).ListChildren()) self.assertEqual(len(subflows), 1) child_flow = aff4.FACTORY.Open(subflows[0], token=self.token) self.assertEqual(child_flow.GetRunner().context.creator, "original_user")
def Run(self): failing_descriptor = output_plugin.OutputPluginDescriptor( plugin_name=standard_test.FailingDummyHuntOutputPlugin.__name__) with test_lib.FakeTime(42): flow_urn = flow.GRRFlow.StartFlow( flow_name=DummyFlowWithSingleReply.__name__, client_id=self.client_id, output_plugins=[failing_descriptor], token=self.token) with test_lib.FakeTime(43): for _ in test_lib.TestFlowHelper(flow_urn, token=self.token): pass self.Check("GET", "/api/clients/%s/flows/%s/output-plugins/" "FailingDummyHuntOutputPlugin_0/errors" % (self.client_id.Basename(), flow_urn.Basename()), replace={flow_urn.Basename(): "W:ABCDEF"})
def testKnowledgeBaseRetrievalDarwin(self): """Check we can retrieve a Darwin kb.""" self.ClearKB() with test_lib.ConfigOverrider({"Artifacts.knowledge_base": ["OSXUsers"]}): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture): for _ in test_lib.TestFlowHelper( "KnowledgeBaseInitializationFlow", self.client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 10) self.assertEqual(kb.os_minor_version, 9) # scalzi from /Users dir listing. self.assertItemsEqual([x.username for x in kb.users], ["scalzi"]) user = kb.GetUser(username="******") self.assertEqual(user.homedir, "/Users/scalzi")
def testGlobRegistry(self): """Test that glob works on registry.""" paths = ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT" "\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT" "\\CurrentVersion\\ProfileList\\AllUsersProfile"] for _ in test_lib.TestFlowHelper( "Glob", self.client_mock, paths=paths, pathtype=rdf_paths.PathSpec.PathType.REGISTRY, client_id=self.client_id, token=self.token): pass path = paths[0].replace("\\", "/") fd = aff4.FACTORY.Open(self.client_id.Add("registry").Add(path), token=self.token) self.assertEqual(fd.__class__.__name__, "VFSFile") self.assertEqual(fd.Get(fd.Schema.STAT).registry_data.GetValue(), "%SystemDrive%\\Users")
def testSystemRootFallback(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture): client_mock = action_mocks.ActionMock("ListDirectory", "StatFile") for _ in test_lib.TestFlowHelper( "SystemRootSystemDriveFallbackFlow", client_mock, client_id=self.client_id, token=self.token, artifact_name="SystemRoot", output="systemroot"): pass output_fd = aff4.FACTORY.Open(self.client_id.Add("systemroot"), token=self.token) self.assertEqual(len(output_fd), 1) self.assertEqual(str(output_fd[0].registry_data.GetValue()), r"C:\WINDOWS")
def ReadTestImage(self, size_threshold): path = os.path.join(self.base_path, "test_img.dd") urn = rdfvalue.RDFURN(self.client_id.Add("fs/os").Add(path)) pathspec = rdf_paths.PathSpec( path=path, pathtype=rdf_paths.PathSpec.PathType.OS) client_mock = action_mocks.ActionMock("FingerprintFile", "HashBuffer", "HashFile", "StatFile", "Find", "TransferBuffer", "ReadBuffer") # Get everything as an AFF4SparseImage for _ in test_lib.TestFlowHelper( "MakeNewAFF4SparseImage", client_mock, client_id=self.client_id, token=self.token, size_threshold=size_threshold, pathspec=pathspec): pass fd = aff4.FACTORY.Open(urn, token=self.token) return fd
def testGRRVersionBreakDown(self): """Check that all client stats cron jobs are run. All machines should be in All once. Windows machines should be in Label1 and Label2. There should be no stats for UserLabel. """ for _ in test_lib.TestFlowHelper("GRRVersionBreakDown", token=self.token): pass histogram = aff4_stats.ClientFleetStats.SchemaCls.GRRVERSION_HISTOGRAM self._CheckVersionStats("All", histogram, [0, 0, 20, 20]) self._CheckVersionStats("Label1", histogram, [0, 0, 10, 10]) self._CheckVersionStats("Label2", histogram, [0, 0, 10, 10]) # This shouldn't exist since it isn't a system label aff4.FACTORY.Open("aff4:/stats/ClientFleetStats/UserLabel", aff4.AFF4Volume, token=self.token)
def testNotifiesUserWithDownloadFileNotification(self): with utils.Stubber(email_alerts.EMAIL_ALERTER, "SendEmail", self.SendEmailMock): self.email_messages = [] for _ in test_lib.TestFlowHelper("ExportHuntResultFilesAsArchive", None, hunt_urn=self.hunt_urn, token=self.token): pass self._CheckEmailMessage(self.email_messages) user_fd = aff4.FACTORY.Open(aff4.ROOT_URN.Add("users").Add("test"), token=self.token) notifications = user_fd.Get(user_fd.Schema.PENDING_NOTIFICATIONS) self.assertEqual(len(notifications), 1) self.assertEqual(notifications[0].type, "DownloadFile") self.assertTrue(notifications[0].message.startswith( "Hunt results ready for download (archived 2 out of 2 results"))
def testDoesNotFetchDuplicates(self): process = "\\WINDOWS\\bar.exe" client_mock = ListVADBinariesActionMock([process, process]) for s in test_lib.TestFlowHelper("ListVADBinaries", client_mock, client_id=self.client_id, fetch_binaries=True, token=self.token): session_id = s fd = flow.GRRFlow.ResultCollectionForFID(session_id, token=self.token) binaries = list(fd) self.assertEqual(len(binaries), 1) self.assertEqual(binaries[0].pathspec.CollapsePath(), "/C:/WINDOWS/bar.exe") fd = aff4.FACTORY.Open(binaries[0].AFF4Path(self.client_id), token=self.token) self.assertEqual(fd.Read(1024), "just bar")
def testHashesAreDisplayedCorrectly(self): with self.ACLChecksDisabled(): for _ in test_lib.TestFlowHelper( "FlowWithOneHashEntryResult", self.action_mock, client_id=self.client_id, token=self.token): pass self.Open("/#c=C.0000000000000001") self.Click("css=a[grrtarget='client.flows']") self.Click("css=td:contains('FlowWithOneHashEntryResult')") self.Click("css=li[heading=Results]") self.WaitUntil(self.IsTextPresent, "9e8dc93e150021bb4752029ebbff51394aa36f069cf19901578" "e4f06017acdb5") self.WaitUntil(self.IsTextPresent, "6dd6bee591dfcb6d75eb705405302c3eab65e21a") self.WaitUntil(self.IsTextPresent, "8b0a15eefe63fd41f8dc9dee01c5cf9a")
def RunFlow(self, artifact_list=None, use_tsk=False): if artifact_list is None: artifact_list = ["WindowsRunKeys"] urn = flow.GRRFlow.StartFlow(flow_name="ArtifactFilesDownloaderFlow", client_id=self.client_id, artifact_list=artifact_list, use_tsk=use_tsk, token=self.token) for _ in test_lib.TestFlowHelper(urn, token=self.token): pass try: results_fd = aff4.FACTORY.Open( urn.Add(flow_runner.RESULTS_SUFFIX), aff4_type=sequential_collection.GeneralIndexedCollection, token=self.token) return list(results_fd) except aff4.InstantiationError: return []
def testGlobWithStarStarRootPath(self): """Test ** expressions with root_path.""" # Add some usernames we can interpolate later. client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) kb = client.Get(client.Schema.KNOWLEDGE_BASE) kb.MergeOrAddUser(rdf_client.User(username="******")) kb.MergeOrAddUser(rdf_client.User(username="******")) client.Set(kb) client.Close() client_mock = action_mocks.ActionMock("Find", "StatFile") # Glob for foo at a depth of 4. path = os.path.join("foo**4") root_path = rdf_paths.PathSpec(path=os.path.join( self.base_path, "test_img.dd"), pathtype=rdf_paths.PathSpec.PathType.OS) root_path.Append(path="/", pathtype=rdf_paths.PathSpec.PathType.TSK) # Run the flow. for _ in test_lib.TestFlowHelper( "Glob", client_mock, client_id=self.client_id, paths=[path], root_path=root_path, pathtype=rdf_paths.PathSpec.PathType.OS, token=self.token): pass output_path = self.client_id.Add("fs/tsk").Add( self.base_path.replace("\\", "/")).Add("test_img.dd/glob_test/a/b") children = [] fd = aff4.FACTORY.Open(output_path, token=self.token) for child in fd.ListChildren(): children.append(child.Basename()) # We should find some files. self.assertEqual(children, ["foo"])
def LaunchRekallPlugin(self, request): """Launch AnalyzeClientMemory flow and return its output as a string. Args: request: A RekallRequest() proto. """ # For this test we force the client to write the profile cache in the temp # directory. This forces the profiles to always be downloaded from the # server (since each test run gets a new temp directory). with test_lib.ConfigOverrider( {"Client.rekall_profile_cache_path": self.temp_dir}): image_path = os.path.join(self.base_path, "win7_trial_64bit.raw") request.device.path = image_path self.CreateClient() # Allow the real RekallAction to run against the image. for _ in test_lib.TestFlowHelper("AnalyzeClientMemory", action_mocks.MemoryClientMock( "RekallAction", "WriteRekallProfile", "DeleteGRRTempFiles"), token=self.token, client_id=self.client_id, request=request, output="analysis/memory"): pass # Check that the profiles are also cached locally. test_profile_dir = os.path.join(config_lib.CONFIG["Test.data_dir"], "profiles") self.assertEqual( json.load(gzip.open(os.path.join(self.temp_dir, "v1.0/pe.gz"))), json.load( gzip.open(os.path.join(test_profile_dir, "v1.0/pe.gz")))) p_name = "v1.0/nt/GUID/F8E2A8B5C9B74BF4A6E4A48F180099942.gz" self.assertEqual( json.load(gzip.open(os.path.join(self.temp_dir, p_name))), json.load(gzip.open(os.path.join(test_profile_dir, p_name))))
def testVFSFileStartsNewMultiGetFileWhenLockingFlowHasFinished(self): """A new MultiFileGet can be started when the locking flow has finished.""" client_id = self.SetupClients(1)[0] test_lib.ClientFixture(client_id, token=self.token) # We need to choose a file path having a pathsepc. path = "fs/os/c/bin/bash" with aff4.FACTORY.Create(client_id.Add(path), aff4_type=aff4_grr.VFSFile, mode="rw", token=self.token) as file_fd: # Starts a MultiGetFile flow. first_update_flow_urn = file_fd.Update() # Check that there is exactly one flow on the client. flows_fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token) flows = list(flows_fd.ListChildren()) self.assertEqual(len(flows), 1) # Finish the flow holding the lock. client_mock = action_mocks.ActionMock() for _ in test_lib.TestFlowHelper(flows[0], client_mock, client_id=client_id, token=self.token): pass # The flow holding the lock has finished, so Update() should start a new # flow. second_update_flow_urn = file_fd.Update() # There should be two flows now. flows_fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token) flows = list(flows_fd.ListChildren()) self.assertEqual(len(flows), 2) # Make sure that each Update() started a new flow and that the second flow # is holding the lock. self.assertNotEqual(first_update_flow_urn, second_update_flow_urn) self.assertEqual(second_update_flow_urn, file_fd.Get(file_fd.Schema.CONTENT_LOCK))
def testLastRunStatusGetsUpdatedOnEveryRun(self): cron_manager = cronjobs.CronManager() cron_args = cronjobs.CreateCronJobFlowArgs() cron_args.flow_runner_args.flow_name = "OccasionallyFailingFakeCronJob" cron_args.periodicity = "30s" cron_job_urn = cron_manager.ScheduleFlow(cron_args=cron_args, token=self.token) for fake_time in [0, 60]: with test_lib.FakeTime(fake_time): # This call should start a new cron job flow cron_manager.RunOnce(token=self.token) cron_job = aff4.FACTORY.Open(cron_job_urn, aff4_type=cronjobs.CronJob, token=self.token) cron_flow_urn = cron_job.Get(cron_job.Schema.CURRENT_FLOW_URN) for _ in test_lib.TestFlowHelper(cron_flow_urn, check_flow_errors=False, token=self.token): pass # This RunOnce call should determine that the flow has finished cron_manager.RunOnce(token=self.token) cron_job = aff4.FACTORY.Open(cron_job_urn, age=aff4.ALL_TIMES, token=self.token) statuses = list( cron_job.GetValuesForAttribute(cron_job.Schema.LAST_RUN_STATUS)) statuses = sorted(statuses, key=lambda x: x.age) self.assertEqual(len(statuses), 2) self.assertEqual(statuses[0].age, rdfvalue.RDFDatetime().FromSecondsFromEpoch(0)) self.assertEqual(statuses[1].age, rdfvalue.RDFDatetime().FromSecondsFromEpoch(60)) self.assertEqual(statuses[0].status, grr_rdf.CronJobRunStatus.Status.OK) self.assertEqual(statuses[1].status, grr_rdf.CronJobRunStatus.Status.ERROR)
def testExecuteBinariesWithArgs(self): client_mock = action_mocks.ActionMock("ExecuteBinaryCommand") code = "I am a binary file" upload_path = config_lib.CONFIG["Executables.aff4_path"].Add("test.exe") maintenance_utils.UploadSignedConfigBlob(code, aff4_path=upload_path, token=self.token) # This flow has an acl, the user needs to be admin. user = aff4.FACTORY.Create("aff4:/users/%s" % self.token.username, mode="rw", aff4_type=users.GRRUser, token=self.token) user.SetLabels("admin", owner="GRR") user.Close() with utils.Stubber(subprocess, "Popen", test_lib.Popen): for _ in test_lib.TestFlowHelper("LaunchBinary", client_mock, client_id=self.client_id, binary=upload_path, command_line="--value 356", token=self.token): pass # Check that the executable file contains the code string. self.assertEqual(test_lib.Popen.binary, code) # At this point, the actual binary should have been cleaned up by the # client action so it should not exist. self.assertRaises(IOError, open, test_lib.Popen.running_args[0]) # Check the binary was run with the correct command line. self.assertEqual(test_lib.Popen.running_args[1], "--value") self.assertEqual(test_lib.Popen.running_args[2], "356") # Check the command was in the tmp file. self.assertTrue(test_lib.Popen.running_args[0].startswith( config_lib.CONFIG["Client.tempdir_roots"][0]))
def testInterrogateWindows(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.REGISTRY] = test_lib.FakeRegistryVFSHandler vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.FakeFullVFSHandler client_mock = action_mocks.InterrogatedClient("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile") self.SetWindowsClient() client_mock.InitializeClient(system="Windows", version="6.1.7600") # Run the flow in the simulated way for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Windows", 100 * 1000000) self._CheckClientInfo() self._CheckClientIndex(".*Host.*") self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Windows", "6.1.7600") # users Bert and Ernie added by the fixture should not be present (USERS # overriden by kb) # jim parsed from registry profile keys self._CheckUsers(["jim", "kovacs"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckWindowsDiskInfo() self._CheckRegistryPathspec()
def testProcessListingFilterConnectionState(self): p1 = rdf_client.Process(pid=2, ppid=1, cmdline=["cmd.exe"], exe="c:\\windows\\cmd.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="CLOSED")) p2 = rdf_client.Process(pid=3, ppid=1, cmdline=["cmd2.exe"], exe="c:\\windows\\cmd2.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="LISTEN")) p3 = rdf_client.Process(pid=4, ppid=1, cmdline=["missing_exe.exe"], ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="ESTABLISHED")) client_mock = ListProcessesMock([p1, p2, p3]) flow_urn = flow.GRRFlow.StartFlow( client_id=self.client_id, flow_name="ListProcesses", connection_states=["ESTABLISHED", "LISTEN"], token=self.token) for s in test_lib.TestFlowHelper(flow_urn, client_mock, client_id=self.client_id, token=self.token): session_id = s processes = flow.GRRFlow.ResultCollectionForFID(session_id, token=self.token) self.assertEqual(len(processes), 2) states = set() for process in processes: states.add(str(process.connections[0].state)) self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def testInterrogateLinuxWithWtmp(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) vfs.VFS_HANDLERS[ rdf_paths.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler config_lib.CONFIG.Set("Artifacts.knowledge_base", ["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"]) config_lib.CONFIG.Set("Artifacts.netgroup_filter_regexes", [r"^login$"]) self.SetLinuxClient() client_mock = action_mocks.InterrogatedClient( "TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile", "GetLibraryVersions") client_mock.InitializeClient() for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Linux", 100 * 1000000) self._CheckClientInfo() self._CheckClientIndex(".*test.*") self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Linux", "14.4", release="Ubuntu", kernel="3.13.0-39-generic") self._CheckRelease("Ubuntu", "14.4") # users 1,2,3 from wtmp # users yagharek, isaac from netgroup self._CheckUsers(["yagharek", "isaac", "user1", "user2", "user3"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckClientKwIndex(["Linux"], 1) self._CheckClientKwIndex(["Label2"], 1) self._CheckClientLibraries()
def RunFlowAndCheckResults(self, conditions=None, action=rdfvalue.FileFinderAction.Action.STAT, expected_files=None, non_expected_files=None): conditions = conditions or [] expected_files = expected_files or [] non_expected_files = non_expected_files or [] for fname in expected_files + non_expected_files: aff4.FACTORY.Delete(self.FileNameToURN(fname), token=self.token) with test_lib.Instrument(flow.GRRFlow, "SendReply") as send_reply: for _ in test_lib.TestFlowHelper( "FileFinder", self.client_mock, client_id=self.client_id, paths=[self.path], pathtype=rdfvalue.PathSpec.PathType.OS, action=rdfvalue.FileFinderAction(action_type=action), conditions=conditions, token=self.token, output=self.output_path): pass self.CheckReplies(send_reply.args, action, expected_files) self.CheckFilesInCollection(expected_files) if action == rdfvalue.FileFinderAction.Action.STAT: self.CheckFilesNotDownloaded(expected_files + non_expected_files) self.CheckFilesNotHashed(expected_files + non_expected_files) elif action == rdfvalue.FileFinderAction.Action.DOWNLOAD: self.CheckFilesDownloaded(expected_files) self.CheckFilesNotDownloaded(non_expected_files) # Downloaded files are hashed to allow for deduping. elif action == rdfvalue.FileFinderAction.Action.HASH: self.CheckFilesNotDownloaded(expected_files + non_expected_files) self.CheckFilesHashed(expected_files) self.CheckFilesNotHashed(non_expected_files)