def testReadFilterDefinition(self):
"""Tests the _ReadFilterDefinition function."""
test_filter_file = yaml_filter_file.YAMLFilterFile()
path_filter = test_filter_file._ReadFilterDefinition({
'type':
'include',
'paths': ['/usr/bin']
})
self.assertIsNotNone(path_filter)
self.assertIsNone(path_filter.description)
self.assertEqual(path_filter.filter_type, 'include')
self.assertEqual(path_filter.path_separator, '/')
self.assertEqual(path_filter.paths, ['/usr/bin'])
with self.assertRaises(errors.ParseError):
test_filter_file._ReadFilterDefinition({})
with self.assertRaises(errors.ParseError):
test_filter_file._ReadFilterDefinition({'type': 'bogus'})
with self.assertRaises(errors.ParseError):
test_filter_file._ReadFilterDefinition({'type': 'include'})
with self.assertRaises(errors.ParseError):
test_filter_file._ReadFilterDefinition({'bogus': 'error'})
def testBuildFindSpecsWithYAMLFilterFile(self):
"""Tests the BuildFindSpecs function with YAML filter file."""
test_filter_file = yaml_filter_file.YAMLFilterFile()
test_path_filters = test_filter_file._ReadFromFileObject(
io.StringIO(self._YAML_FILTER_FILE_DATA))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
test_helper = path_filters.PathCollectionFiltersHelper()
test_helper.BuildFindSpecs(
test_path_filters, environment_variables=[environment_variable])
self.assertEqual(len(test_helper.included_file_system_find_specs), 5)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(
find_specs=test_helper.included_file_system_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
file_system.Close()
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
def testReadFromFileObject(self):
"""Tests the _ReadFromFileObject function."""
test_file_path = self._GetTestFilePath(
['filter_files', 'format_test.yaml'])
self._SkipIfPathNotExists(test_file_path)
test_filter_file = yaml_filter_file.YAMLFilterFile()
with io.open(test_file_path, 'r', encoding='utf-8') as file_object:
path_filters = list(
test_filter_file._ReadFromFileObject(file_object))
self.assertEqual(len(path_filters), 3)
def testReadFromFile(self):
"""Tests the ReadFromFile function."""
test_file_path = self._GetTestFilePath(
['filter_files', 'format_test.yaml'])
self._SkipIfPathNotExists(test_file_path)
test_filter_file = yaml_filter_file.YAMLFilterFile()
path_filters = test_filter_file.ReadFromFile(test_file_path)
self.assertEqual(len(path_filters), 3)
self.assertEqual(path_filters[0].path_separator, '/')
self.assertEqual(path_filters[0].paths, ['/usr/bin'])
self.assertEqual(path_filters[1].path_separator, '\\')
self.assertEqual(path_filters[1].paths, ['\\\\Windows\\\\System32'])
def BuildCollectionFilters(self,
artifact_definitions_path,
custom_artifacts_path,
knowledge_base_object,
artifact_filter_names=None,
filter_file_path=None):
"""Builds collection filters from artifacts or filter file if available.
Args:
artifact_definitions_path (str): path to artifact definitions file.
custom_artifacts_path (str): path to custom artifact definitions file.
knowledge_base_object (KnowledgeBase): knowledge base.
artifact_filter_names (Optional[list[str]]): names of artifact
definitions that are used for filtering file system and Windows
Registry key paths.
filter_file_path (Optional[str]): path of filter file.
Raises:
InvalidFilter: if no valid file system find specifications are built.
"""
environment_variables = knowledge_base_object.GetEnvironmentVariables()
if artifact_filter_names:
logger.debug(
'building find specification based on artifacts: {0:s}'.format(
', '.join(artifact_filter_names)))
artifacts_registry_object = BaseEngine.BuildArtifactsRegistry(
artifact_definitions_path, custom_artifacts_path)
self.collection_filters_helper = (
artifact_filters.ArtifactDefinitionsFiltersHelper(
artifacts_registry_object, knowledge_base_object))
self.collection_filters_helper.BuildFindSpecs(
artifact_filter_names,
environment_variables=environment_variables)
# If the user selected Windows Registry artifacts we have to ensure
# the Windows Registry files are parsed.
if self.collection_filters_helper.registry_find_specs:
self.collection_filters_helper.BuildFindSpecs(
self._WINDOWS_REGISTRY_FILES_ARTIFACT_NAMES,
environment_variables=environment_variables)
if not self.collection_filters_helper.included_file_system_find_specs:
raise errors.InvalidFilter(
'No valid file system find specifications were built from '
'artifacts.')
elif filter_file_path:
logger.debug(
'building find specification based on filter file: {0:s}'.
format(filter_file_path))
filter_file_path_lower = filter_file_path.lower()
if (filter_file_path_lower.endswith('.yaml')
or filter_file_path_lower.endswith('.yml')):
filter_file_object = yaml_filter_file.YAMLFilterFile()
else:
filter_file_object = filter_file.FilterFile()
filter_file_path_filters = filter_file_object.ReadFromFile(
filter_file_path)
self.collection_filters_helper = (
path_filters.PathCollectionFiltersHelper())
self.collection_filters_helper.BuildFindSpecs(
filter_file_path_filters,
environment_variables=environment_variables)
if (not self.collection_filters_helper.
excluded_file_system_find_specs and not self.
collection_filters_helper.included_file_system_find_specs):
raise errors.InvalidFilter((
'No valid file system find specifications were built from filter '
'file: {0:s}.').format(filter_file_path))
