LEFT | RIGHT |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Preprocessing related functions and classes for testing.""" | 2 """Preprocessing related functions and classes for testing.""" |
3 | 3 |
4 from artifacts import reader as artifacts_reader | 4 from artifacts import reader as artifacts_reader |
5 from artifacts import registry as artifacts_registry | 5 from artifacts import registry as artifacts_registry |
6 from dfvfs.helpers import fake_file_system_builder | 6 from dfvfs.helpers import fake_file_system_builder |
7 from dfvfs.helpers import file_system_searcher | 7 from dfvfs.helpers import file_system_searcher |
8 from dfvfs.lib import definitions as dfvfs_definitions | 8 from dfvfs.lib import definitions as dfvfs_definitions |
9 from dfvfs.path import factory as path_spec_factory | 9 from dfvfs.path import factory as path_spec_factory |
10 from dfwinreg import registry as dfwinreg_registry | 10 from dfwinreg import registry as dfwinreg_registry |
11 from dfwinreg import registry_searcher | 11 from dfwinreg import registry_searcher |
12 | 12 |
13 from plaso.containers import artifacts | 13 from plaso.containers import artifacts |
14 from plaso.engine import knowledge_base | 14 from plaso.engine import knowledge_base |
15 from plaso.preprocessors import manager | 15 from plaso.preprocessors import manager |
16 | 16 |
17 from tests import test_lib as shared_test_lib | 17 from tests import test_lib as shared_test_lib |
18 | 18 |
19 | 19 |
20 @shared_test_lib.skipUnlessHasTestFile([u'artifacts']) | 20 @shared_test_lib.skipUnlessHasTestFile([u'artifacts']) |
21 class ArtifactMappingTestCase(shared_test_lib.BaseTestCase): | 21 class ArtifactPreprocessorPluginTestCase(shared_test_lib.BaseTestCase): |
22 """Artifact mapping test case.""" | 22 """Artifact preprocessor plugin test case.""" |
23 | 23 |
24 @classmethod | 24 @classmethod |
25 def setUpClass(cls): | 25 def setUpClass(cls): |
26 """Makes preparations before running any of the tests.""" | 26 """Makes preparations before running any of the tests.""" |
27 cls._artifacts_registry = artifacts_registry.ArtifactDefinitionsRegistry() | 27 cls._artifacts_registry = artifacts_registry.ArtifactDefinitionsRegistry() |
28 | 28 |
29 reader = artifacts_reader.YamlArtifactsReader() | 29 reader = artifacts_reader.YamlArtifactsReader() |
30 path = shared_test_lib.GetTestFilePath([u'artifacts']) | 30 path = shared_test_lib.GetTestFilePath([u'artifacts']) |
31 cls._artifacts_registry.ReadFromDirectory(reader, path) | 31 cls._artifacts_registry.ReadFromDirectory(reader, path) |
32 | 32 |
33 def _RunMappingOnFileSystem(self, file_system, mount_point, artifact_mapping): | 33 def _RunPreprocessorPluginOnFileSystem( |
34 """Runs an artifact mapping on a file system. | 34 self, file_system, mount_point, plugin): |
| 35 """Runs a preprocessor plugin on a file system. |
35 | 36 |
36 Args: | 37 Args: |
37 file_system (dfvfs.FileSystem): file system to be preprocessed. | 38 file_system (dfvfs.FileSystem): file system to be preprocessed. |
38 mount_point (dfvfs.PathSpec): mount point path specification that refers | 39 mount_point (dfvfs.PathSpec): mount point path specification that refers |
39 to the base location of the file system. | 40 to the base location of the file system. |
40 artifact_mapping (ArtifactMapping): artifact mapping. | 41 plugin (ArtifactPreprocessorPlugin): preprocessor plugin. |
41 | 42 |
42 Return: | 43 Return: |
43 KnowledgeBase: knowledge base filled with preprocessing information. | 44 KnowledgeBase: knowledge base filled with preprocessing information. |
44 """ | 45 """ |
45 artifact_definition = self._artifacts_registry.GetDefinitionByName( | 46 artifact_definition = self._artifacts_registry.GetDefinitionByName( |
46 artifact_mapping.ARTIFACT_DEFINTION_NAME) | 47 plugin.ARTIFACT_DEFINITION_NAME) |
47 self.assertIsNotNone(artifact_definition) | 48 self.assertIsNotNone(artifact_definition) |
48 | 49 |
49 knowledge_base_object = knowledge_base.KnowledgeBase() | 50 knowledge_base_object = knowledge_base.KnowledgeBase() |
50 | 51 |
51 searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point) | 52 searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point) |
52 | 53 |
53 artifact_mapping.Collect( | 54 plugin.Collect( |
54 knowledge_base_object, artifact_definition, searcher, file_system) | 55 knowledge_base_object, artifact_definition, searcher, file_system) |
55 | 56 |
56 return knowledge_base_object | 57 return knowledge_base_object |
57 | 58 |
58 def _RunMappingOnWindowsRegistryValue( | 59 def _RunPreprocessorPluginOnWindowsRegistryValue( |
59 self, file_system, mount_point, artifact_mapping): | 60 self, file_system, mount_point, plugin): |
60 """Runs an artifact mapping on a Windows Registry value. | 61 """Runs a preprocessor plugin on a Windows Registry value. |
61 | 62 |
62 Args: | 63 Args: |
63 file_system (dfvfs.FileSystem): file system to be preprocessed. | 64 file_system (dfvfs.FileSystem): file system to be preprocessed. |
64 mount_point (dfvfs.PathSpec): mount point path specification that refers | 65 mount_point (dfvfs.PathSpec): mount point path specification that refers |
65 to the base location of the file system. | 66 to the base location of the file system. |
66 artifact_mapping (ArtifactMapping): artifact mapping. | 67 plugin (ArtifactPreprocessorPlugin): preprocessor plugin. |
67 | 68 |
68 Return: | 69 Return: |
69 KnowledgeBase: knowledge base filled with preprocessing information. | 70 KnowledgeBase: knowledge base filled with preprocessing information. |
70 """ | 71 """ |
71 artifact_definition = self._artifacts_registry.GetDefinitionByName( | 72 artifact_definition = self._artifacts_registry.GetDefinitionByName( |
72 artifact_mapping.ARTIFACT_DEFINTION_NAME) | 73 plugin.ARTIFACT_DEFINITION_NAME) |
73 self.assertIsNotNone(artifact_definition) | 74 self.assertIsNotNone(artifact_definition) |
74 | 75 |
75 environment_variable = artifacts.EnvironmentVariableArtifact( | 76 environment_variable = artifacts.EnvironmentVariableArtifact( |
76 case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows') | 77 case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows') |
77 | 78 |
78 registry_file_reader = manager.FileSystemWinRegistryFileReader( | 79 registry_file_reader = manager.FileSystemWinRegistryFileReader( |
79 file_system, mount_point, environment_variables=[environment_variable]) | 80 file_system, mount_point, environment_variables=[environment_variable]) |
80 win_registry = dfwinreg_registry.WinRegistry( | 81 win_registry = dfwinreg_registry.WinRegistry( |
81 registry_file_reader=registry_file_reader) | 82 registry_file_reader=registry_file_reader) |
82 | 83 |
83 knowledge_base_object = knowledge_base.KnowledgeBase() | 84 knowledge_base_object = knowledge_base.KnowledgeBase() |
84 | 85 |
85 searcher = registry_searcher.WinRegistrySearcher(win_registry) | 86 searcher = registry_searcher.WinRegistrySearcher(win_registry) |
86 | 87 |
87 artifact_mapping.Collect( | 88 plugin.Collect(knowledge_base_object, artifact_definition, searcher) |
88 knowledge_base_object, artifact_definition, searcher) | |
89 | 89 |
90 return knowledge_base_object | 90 return knowledge_base_object |
91 | 91 |
92 def _RunMappingOnWindowsRegistryValueSoftware(self, artifact_mapping): | 92 def _RunPreprocessorPluginOnWindowsRegistryValueSoftware(self, plugin): |
93 """Runs an artifact mapping on a Windows Registry value in SOFTWARE. | 93 """Runs a preprocessor plugin on a Windows Registry value in SOFTWARE. |
94 | 94 |
95 Args: | 95 Args: |
96 artifact_mapping (ArtifactMapping): artifact mapping. | 96 plugin (ArtifactPreprocessorPlugin): preprocessor plugin. |
97 | 97 |
98 Return: | 98 Return: |
99 KnowledgeBase: knowledge base filled with preprocessing information. | 99 KnowledgeBase: knowledge base filled with preprocessing information. |
100 """ | 100 """ |
101 file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() | 101 file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() |
102 test_file_path = self._GetTestFilePath([u'SOFTWARE']) | 102 test_file_path = self._GetTestFilePath([u'SOFTWARE']) |
103 file_system_builder.AddFileReadData( | 103 file_system_builder.AddFileReadData( |
104 u'/Windows/System32/config/SOFTWARE', test_file_path) | 104 u'/Windows/System32/config/SOFTWARE', test_file_path) |
105 | 105 |
106 mount_point = path_spec_factory.Factory.NewPathSpec( | 106 mount_point = path_spec_factory.Factory.NewPathSpec( |
107 dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') | 107 dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') |
108 | 108 |
109 return self._RunMappingOnWindowsRegistryValue( | 109 return self._RunPreprocessorPluginOnWindowsRegistryValue( |
110 file_system_builder.file_system, mount_point, artifact_mapping) | 110 file_system_builder.file_system, mount_point, plugin) |
111 | 111 |
112 def _RunMappingOnWindowsRegistryValueSystem(self, artifact_mapping): | 112 def _RunPreprocessorPluginOnWindowsRegistryValueSystem(self, plugin): |
113 """Runs an artifact mapping on a Windows Registry value in SYSTEM. | 113 """Runs a preprocessor plugin on a Windows Registry value in SYSTEM. |
114 | 114 |
115 Args: | 115 Args: |
116 artifact_mapping (ArtifactMapping): artifact mapping. | 116 plugin (ArtifactPreprocessorPlugin): preprocessor plugin. |
117 | 117 |
118 Return: | 118 Return: |
119 KnowledgeBase: knowledge base filled with preprocessing information. | 119 KnowledgeBase: knowledge base filled with preprocessing information. |
120 """ | 120 """ |
121 file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() | 121 file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() |
122 test_file_path = self._GetTestFilePath([u'SYSTEM']) | 122 test_file_path = self._GetTestFilePath([u'SYSTEM']) |
123 file_system_builder.AddFileReadData( | 123 file_system_builder.AddFileReadData( |
124 u'/Windows/System32/config/SYSTEM', test_file_path) | 124 u'/Windows/System32/config/SYSTEM', test_file_path) |
125 | 125 |
126 mount_point = path_spec_factory.Factory.NewPathSpec( | 126 mount_point = path_spec_factory.Factory.NewPathSpec( |
127 dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') | 127 dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') |
128 | 128 |
129 return self._RunMappingOnWindowsRegistryValue( | 129 return self._RunPreprocessorPluginOnWindowsRegistryValue( |
130 file_system_builder.file_system, mount_point, artifact_mapping) | 130 file_system_builder.file_system, mount_point, plugin) |
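Review bot: The `plugin` argument is documented identically, as `plugin (ArtifactPreprocessorPlugin): preprocessor plugin.`, in `_RunPreprocessorPluginOnFileSystem` and `_RunPreprocessorPluginOnWindowsRegistryValue`, yet the two helpers call `Collect` with different argument lists: the file-system helper passes `file_system` as a fourth argument and the Registry helper does not. A test that hands the wrong kind of plugin to a helper would presumably fail inside `Collect` with a TypeError rather than with a readable assertion, so each Args entry should name the kind it expects, for example `plugin (ArtifactPreprocessorPlugin): file system preprocessor plugin; Collect() receives the searcher and the file system.` and `plugin (ArtifactPreprocessorPlugin): Windows Registry preprocessor plugin; Collect() receives a WinRegistrySearcher.` Since the helpers now read the corrected `ARTIFACT_DEFINITION_NAME`, it would also help to put that name in the failure message, `self.assertIsNotNone(artifact_definition, plugin.ARTIFACT_DEFINITION_NAME)`, so a definition missing from the test artifacts directory is identified by name.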