def testGrep(self): class MockCallFlow(object): def CallFlow(self, *args, **kwargs): self.args = args self.kwargs = kwargs mock_call_flow = MockCallFlow() with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow", mock_call_flow.CallFlow): collect_flow = collectors.ArtifactCollectorFlow(None, token=self.token) collect_flow.args = mock.Mock() collect_flow.args.ignore_interpolation_errors = False kb = rdf_client.KnowledgeBase() kb.MergeOrAddUser(rdf_client.User(username="******")) kb.MergeOrAddUser(rdf_client.User(username="******")) collect_flow.state["knowledge_base"] = kb collect_flow.current_artifact_name = "blah" collector = rdf_artifacts.ArtifactSource( type=rdf_artifacts.ArtifactSource.SourceType.GREP, attributes={ "paths": ["/etc/passwd"], "content_regex_list": [r"^a%%users.username%%b$"] }) collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK) conditions = mock_call_flow.kwargs["conditions"] self.assertEqual(len(conditions), 1) regexes = conditions[0].contents_regex_match.regex.SerializeToString() self.assertItemsEqual(regexes.split("|"), ["(^atest1b$)", "(^atest2b$)"]) self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
def testGrepRegexCombination(self): collect_flow = collectors.ArtifactCollectorFlow(None, token=self.token) self.assertEqual(collect_flow._CombineRegex([r"simple"]), "simple") self.assertEqual(collect_flow._CombineRegex(["a", "b"]), "(a)|(b)") self.assertEqual(collect_flow._CombineRegex(["a", "b", "c"]), "(a)|(b)|(c)") self.assertEqual(collect_flow._CombineRegex(["a|b", "[^_]b", "c|d"]), "(a|b)|([^_]b)|(c|d)")
def testGrepRegexCombination(self): args = rdf_artifacts.ArtifactCollectorFlowArgs() collect_flow = collectors.ArtifactCollectorFlow( rdf_flow_objects.Flow(args=args)) self.assertEqual(collect_flow._CombineRegex([b"simple"]), b"simple") self.assertEqual(collect_flow._CombineRegex([b"a", b"b"]), b"(a)|(b)") self.assertEqual( collect_flow._CombineRegex([b"a", b"b", b"c"]), b"(a)|(b)|(c)") self.assertEqual( collect_flow._CombineRegex([b"a|b", b"[^_]b", b"c|d"]), b"(a|b)|([^_]b)|(c|d)")
def testInterpolateArgs(self): args = rdf_artifacts.ArtifactCollectorFlowArgs() collect_flow = collectors.ArtifactCollectorFlow( rdf_flow_objects.Flow(args=args)) kb = rdf_client.KnowledgeBase() kb.MergeOrAddUser(rdf_client.User(username="******")) kb.MergeOrAddUser(rdf_client.User(username="******")) collect_flow.state["knowledge_base"] = kb collect_flow.current_artifact_name = "blah" test_rdf = rdf_client.KnowledgeBase() action_args = { "usernames": ["%%users.username%%", "%%users.username%%"], "nointerp": "asdfsdf", "notastring": test_rdf } kwargs = collect_flow.InterpolateDict(action_args) self.assertCountEqual(kwargs["usernames"], ["test1", "test2", "test1", "test2"]) self.assertEqual(kwargs["nointerp"], "asdfsdf") self.assertEqual(kwargs["notastring"], test_rdf) # We should be using an array since users.username will expand to multiple # values. self.assertRaises(ValueError, collect_flow.InterpolateDict, {"bad": "%%users.username%%"}) list_args = collect_flow.InterpolateList( ["%%users.username%%", r"%%users.username%%\aa"]) self.assertCountEqual(list_args, ["test1", "test2", r"test1\aa", r"test2\aa"]) list_args = collect_flow.InterpolateList(["one"]) self.assertEqual(list_args, ["one"]) # Ignore the failure in users.desktop, report the others. collect_flow.args.ignore_interpolation_errors = True list_args = collect_flow.InterpolateList( ["%%users.desktop%%", r"%%users.username%%\aa"]) self.assertCountEqual(list_args, [r"test1\aa", r"test2\aa"]) # Both fail. list_args = collect_flow.InterpolateList( [r"%%users.desktop%%\aa", r"%%users.sid%%\aa"]) self.assertCountEqual(list_args, [])