empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 01:15:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0ef944c0a4
fleet/server/service/service_osquery_test.go

1150 lines
29 KiB
Go
Raw Normal View History

Organizing go code (#241)
2016-09-26 18:48:55 +00:00
package service
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
import (
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
"bytes"
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411.
2017-03-15 15:55:30 +00:00
"context"
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
"encoding/json"
Fix host authentication errors in case of DB failure (#1512) Closes #1511
2017-05-25 21:10:12 +00:00
"errors"
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
"fmt"
Changed default osquery logging behavior Made log rotation for osquery results and status logs optional. This required writing the logwriter package which is a drop in replacement for lumberjack. We still use lumberjack if the log rotation flag --osquery_enable_log_rotation flag is set. Note that the performance of the default is quite a bit better than lumberjack. BenchmarkLogger-8 2000000 747 ns/op BenchmarkLumberjack-8 1000000 1965 ns/op PASS BenchmarkLogger-8 2000000 731 ns/op BenchmarkLumberjack-8 1000000 2040 ns/op PASS BenchmarkLogger-8 2000000 741 ns/op BenchmarkLumberjack-8 1000000 1970 ns/op PASS BenchmarkLogger-8 2000000 737 ns/op BenchmarkLumberjack-8 1000000 1930 ns/op PASS
2017-04-03 21:48:50 +00:00
"io"
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
"strings"
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
"sync"
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
"testing"
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
"time"
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
"github.com/WatchBeam/clock"
renaming kolide-ose to kolide (#1143)
2017-02-01 17:20:50 +00:00
"github.com/kolide/kolide/server/config"
hostctx "github.com/kolide/kolide/server/contexts/host"
"github.com/kolide/kolide/server/contexts/viewer"
"github.com/kolide/kolide/server/datastore/inmem"
"github.com/kolide/kolide/server/kolide"
Retrieve and store host checkin intervals (#1473) We now track the `config_tls_refresh`, `distributed_interval` and `logger_tls_period` flag values for each host. Each value is updated by a detail query agains the `osquery_flags` table, because they may be specified outside of Kolide. The flags that can be specified within Kolide are also updated when a config is returned to the host that changes their value. This will enable us to do a more accurate per-host online status calculation as discussed in #1419.
2017-04-06 18:55:24 +00:00
"github.com/kolide/kolide/server/mock"
renaming kolide-ose to kolide (#1143)
2017-02-01 17:20:50 +00:00
"github.com/kolide/kolide/server/pubsub"
"github.com/kolide/kolide/server/test"
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
"github.com/stretchr/testify/assert"
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
"github.com/stretchr/testify/require"
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
)
func TestEnrollAgent(t *testing.T) {
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
ds, svc, _ := setupOsqueryTests(t)
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
ctx := context.Background()
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err := ds.ListHosts(kolide.ListOptions{})
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
assert.Nil(t, err)
assert.Len(t, hosts, 0)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
nodeKey, err := svc.EnrollAgent(ctx, "", "host123")
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
require.Nil(t, err)
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
assert.NotEmpty(t, nodeKey)
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err = ds.ListHosts(kolide.ListOptions{})
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
assert.Nil(t, err)
assert.Len(t, hosts, 1)
}
func TestEnrollAgentIncorrectEnrollSecret(t *testing.T) {
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
ds, svc, _ := setupOsqueryTests(t)
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
ctx := context.Background()
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err := ds.ListHosts(kolide.ListOptions{})
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
assert.Nil(t, err)
assert.Len(t, hosts, 0)
nodeKey, err := svc.EnrollAgent(ctx, "not_correct", "host123")
assert.NotNil(t, err)
assert.Empty(t, nodeKey)
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err = ds.ListHosts(kolide.ListOptions{})
Osqueryd Service (#119) * host service stuff * working on the osquery service api * log status and results logs
2016-09-06 21:28:07 +00:00
assert.Nil(t, err)
assert.Len(t, hosts, 0)
}
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Remove extraneous calls to MarkHostSeen (#1441) The seen time should only be updated once per request from the osquery agent to the Kolide server. We now do that only in AuthenticateHost (which every request besides enrollment must go through).
2017-03-30 15:31:05 +00:00
func TestAuthenticateHost(t *testing.T) {
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
ds, svc, mockClock := setupOsqueryTests(t)
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
ctx := context.Background()
Remove extraneous calls to MarkHostSeen (#1441) The seen time should only be updated once per request from the osquery agent to the Kolide server. We now do that only in AuthenticateHost (which every request besides enrollment must go through).
2017-03-30 15:31:05 +00:00
nodeKey, err := svc.EnrollAgent(ctx, "", "host123")
require.Nil(t, err)
mockClock.AddTime(1 * time.Minute)
host, err := svc.AuthenticateHost(ctx, nodeKey)
require.Nil(t, err)
// Verify that the update time is set appropriately
checkHost, err := ds.Host(host.ID)
require.Nil(t, err)
assert.Equal(t, mockClock.Now(), checkHost.UpdatedAt)
// Advance clock time and check that seen time is updated
mockClock.AddTime(1*time.Minute + 27*time.Second)
_, err = svc.AuthenticateHost(ctx, nodeKey)
require.Nil(t, err)
checkHost, err = ds.Host(host.ID)
require.Nil(t, err)
assert.Equal(t, mockClock.Now(), checkHost.UpdatedAt)
}
Changed default osquery logging behavior Made log rotation for osquery results and status logs optional. This required writing the logwriter package which is a drop in replacement for lumberjack. We still use lumberjack if the log rotation flag --osquery_enable_log_rotation flag is set. Note that the performance of the default is quite a bit better than lumberjack. BenchmarkLogger-8 2000000 747 ns/op BenchmarkLumberjack-8 1000000 1965 ns/op PASS BenchmarkLogger-8 2000000 731 ns/op BenchmarkLumberjack-8 1000000 2040 ns/op PASS BenchmarkLogger-8 2000000 741 ns/op BenchmarkLumberjack-8 1000000 1970 ns/op PASS BenchmarkLogger-8 2000000 737 ns/op BenchmarkLumberjack-8 1000000 1930 ns/op PASS
2017-04-03 21:48:50 +00:00
type nopCloserWriter struct {
io.Writer
}
func (n *nopCloserWriter) Close() error { return nil }
Remove extraneous calls to MarkHostSeen (#1441) The seen time should only be updated once per request from the osquery agent to the Kolide server. We now do that only in AuthenticateHost (which every request besides enrollment must go through).
2017-03-30 15:31:05 +00:00
func TestSubmitStatusLogs(t *testing.T) {
ds, svc, _ := setupOsqueryTests(t)
ctx := context.Background()
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
_, err := svc.EnrollAgent(ctx, "", "host123")
require.Nil(t, err)
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err := ds.ListHosts(kolide.ListOptions{})
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
require.Nil(t, err)
require.Len(t, hosts, 1)
host := hosts[0]
Remove extraneous calls to MarkHostSeen (#1441) The seen time should only be updated once per request from the osquery agent to the Kolide server. We now do that only in AuthenticateHost (which every request besides enrollment must go through).
2017-03-30 15:31:05 +00:00
ctx = hostctx.NewContext(ctx, *host)
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
// Hack to get at the service internals and modify the writer
serv := ((svc.(validationMiddleware)).Service).(service)
var statusBuf bytes.Buffer
Changed default osquery logging behavior Made log rotation for osquery results and status logs optional. This required writing the logwriter package which is a drop in replacement for lumberjack. We still use lumberjack if the log rotation flag --osquery_enable_log_rotation flag is set. Note that the performance of the default is quite a bit better than lumberjack. BenchmarkLogger-8 2000000 747 ns/op BenchmarkLumberjack-8 1000000 1965 ns/op PASS BenchmarkLogger-8 2000000 731 ns/op BenchmarkLumberjack-8 1000000 2040 ns/op PASS BenchmarkLogger-8 2000000 741 ns/op BenchmarkLumberjack-8 1000000 1970 ns/op PASS BenchmarkLogger-8 2000000 737 ns/op BenchmarkLumberjack-8 1000000 1930 ns/op PASS
2017-04-03 21:48:50 +00:00
serv.osqueryStatusLogWriter = &nopCloserWriter{&statusBuf}
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
logs := []string{
`{"severity":"0","filename":"tls.cpp","line":"216","message":"some message","version":"1.8.2","decorations":{"host_uuid":"uuid_foobar","username":"zwass"}}`,
`{"severity":"1","filename":"buffered.cpp","line":"122","message":"warning!","version":"1.8.2","decorations":{"host_uuid":"uuid_foobar","username":"zwass"}}`,
}
logJSON := fmt.Sprintf("[%s]", strings.Join(logs, ","))
var status []kolide.OsqueryStatusLog
err = json.Unmarshal([]byte(logJSON), &status)
require.Nil(t, err)
err = serv.SubmitStatusLogs(ctx, status)
assert.Nil(t, err)
statusJSON := statusBuf.String()
statusJSON = strings.TrimRight(statusJSON, "\n")
statusLines := strings.Split(statusJSON, "\n")
if assert.Equal(t, len(logs), len(statusLines)) {
for i, line := range statusLines {
assert.JSONEq(t, logs[i], line)
}
}
}
func TestSubmitResultLogs(t *testing.T) {
Remove extraneous calls to MarkHostSeen (#1441) The seen time should only be updated once per request from the osquery agent to the Kolide server. We now do that only in AuthenticateHost (which every request besides enrollment must go through).
2017-03-30 15:31:05 +00:00
ds, svc, _ := setupOsqueryTests(t)
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
ctx := context.Background()
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
_, err := svc.EnrollAgent(ctx, "", "host123")
require.Nil(t, err)
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err := ds.ListHosts(kolide.ListOptions{})
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
require.Nil(t, err)
require.Len(t, hosts, 1)
host := hosts[0]
Remove extraneous calls to MarkHostSeen (#1441) The seen time should only be updated once per request from the osquery agent to the Kolide server. We now do that only in AuthenticateHost (which every request besides enrollment must go through).
2017-03-30 15:31:05 +00:00
ctx = hostctx.NewContext(ctx, *host)
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
// Hack to get at the service internals and modify the writer
serv := ((svc.(validationMiddleware)).Service).(service)
var resultBuf bytes.Buffer
Changed default osquery logging behavior Made log rotation for osquery results and status logs optional. This required writing the logwriter package which is a drop in replacement for lumberjack. We still use lumberjack if the log rotation flag --osquery_enable_log_rotation flag is set. Note that the performance of the default is quite a bit better than lumberjack. BenchmarkLogger-8 2000000 747 ns/op BenchmarkLumberjack-8 1000000 1965 ns/op PASS BenchmarkLogger-8 2000000 731 ns/op BenchmarkLumberjack-8 1000000 2040 ns/op PASS BenchmarkLogger-8 2000000 741 ns/op BenchmarkLumberjack-8 1000000 1970 ns/op PASS BenchmarkLogger-8 2000000 737 ns/op BenchmarkLumberjack-8 1000000 1930 ns/op PASS
2017-04-03 21:48:50 +00:00
serv.osqueryResultLogWriter = &nopCloserWriter{&resultBuf}
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
logs := []string{
`{"name":"system_info","hostIdentifier":"some_uuid","calendarTime":"Fri Sep 30 17:55:15 2016 UTC","unixTime":"1475258115","decorations":{"host_uuid":"some_uuid","username":"zwass"},"columns":{"cpu_brand":"Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz","hostname":"hostimus","physical_memory":"17179869184"},"action":"added"}`,
`{"name":"encrypted","hostIdentifier":"some_uuid","calendarTime":"Fri Sep 30 21:19:15 2016 UTC","unixTime":"1475270355","decorations":{"host_uuid":"4740D59F-699E-5B29-960B-979AAF9BBEEB","username":"zwass"},"columns":{"encrypted":"1","name":"\/dev\/disk1","type":"AES-XTS","uid":"","user_uuid":"","uuid":"some_uuid"},"action":"added"}`,
Fix result log struct to support snapshot logs (#866) Snapshot logs have a different schema, and are now (un)serialized correctly. Fixes #841
2017-01-10 20:54:35 +00:00
`{"snapshot":[{"hour":"20","minutes":"8"}],"action":"snapshot","name":"time","hostIdentifier":"1379f59d98f4","calendarTime":"Tue Jan 10 20:08:51 2017 UTC","unixTime":"1484078931","decorations":{"host_uuid":"EB714C9D-C1F8-A436-B6DA-3F853C5502EA"}}`,
Flesh out log ingestion endpoint/service methods (#258)
2016-10-01 02:18:27 +00:00
}
logJSON := fmt.Sprintf("[%s]", strings.Join(logs, ","))
var results []kolide.OsqueryResultLog
err = json.Unmarshal([]byte(logJSON), &results)
require.Nil(t, err)
err = serv.SubmitResultLogs(ctx, results)
assert.Nil(t, err)
resultJSON := resultBuf.String()
resultJSON = strings.TrimRight(resultJSON, "\n")
resultLines := strings.Split(resultJSON, "\n")
if assert.Equal(t, len(logs), len(resultLines)) {
for i, line := range resultLines {
assert.JSONEq(t, logs[i], line)
}
}
}
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
func TestHostDetailQueries(t *testing.T) {
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
mockClock := clock.NewMockClock()
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
host := kolide.Host{
Datastore refactor (#439) Removed Gorm, replaced it with Sqlx * Added SQL bundling command to Makfile * Using go-kit logger * Added soft delete capability * Changed SearchLabel to accept a variadic param for optional omit list instead of array * Gorm removed * Refactor table structures to use CURRENT_TIMESTAMP mysql function * Moved Inmem datastore into it's own package * Updated README * Implemented code review suggestions from @zwass * Removed reference to Gorm from glide.yaml
2016-11-16 13:47:49 +00:00
ID: 1,
UpdateCreateTimestamps: kolide.UpdateCreateTimestamps{
UpdateTimestamp: kolide.UpdateTimestamp{
UpdatedAt: mockClock.Now(),
},
CreateTimestamp: kolide.CreateTimestamp{
CreatedAt: mockClock.Now(),
},
},
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
DetailUpdateTime: mockClock.Now(),
NodeKey: "test_key",
HostName: "test_hostname",
UUID: "test_uuid",
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
}
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
svc := service{clock: mockClock}
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
queries := svc.hostDetailQueries(host)
assert.Empty(t, queries)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
// Advance the time
mockClock.AddTime(1*time.Hour + 1*time.Minute)
queries = svc.hostDetailQueries(host)
assert.Len(t, queries, len(detailQueries))
for name, _ := range queries {
assert.True(t,
strings.HasPrefix(name, hostDetailQueryPrefix),
fmt.Sprintf("%s not prefixed with %s", name, hostDetailQueryPrefix),
)
}
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
}
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
func TestLabelQueries(t *testing.T) {
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
ds, svc, mockClock := setupOsqueryTests(t)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
ctx := context.Background()
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
_, err := svc.EnrollAgent(ctx, "", "host123")
require.Nil(t, err)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err := ds.ListHosts(kolide.ListOptions{})
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
require.Nil(t, err)
require.Len(t, hosts, 1)
host := hosts[0]
Build endpoints for osquery service methods (#245) - Establish a pattern for host authentication - Establish a pattern for error JSON - Add transport and make endpoint functions - Fix discovered bugs + update tests
2016-09-29 04:21:39 +00:00
ctx = hostctx.NewContext(ctx, *host)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
// With a new host, we should get the detail queries (and accelerate
// should be turned on so that we can quickly fill labels)
queries, acc, err := svc.GetDistributedQueries(ctx)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
assert.Nil(t, err)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
assert.Len(t, queries, len(detailQueries))
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.NotZero(t, acc)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
// Simulate the detail queries being added
host.DetailUpdateTime = mockClock.Now().Add(-1 * time.Minute)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
host.Platform = "darwin"
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
host.HostName = "zwass.local"
Build endpoints for osquery service methods (#245) - Establish a pattern for host authentication - Establish a pattern for error JSON - Add transport and make endpoint functions - Fix discovered bugs + update tests
2016-09-29 04:21:39 +00:00
ds.SaveHost(host)
ctx = hostctx.NewContext(ctx, *host)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
assert.Nil(t, err)
assert.Len(t, queries, 0)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
labels := []kolide.Label{
kolide.Label{
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
Name: "label1",
Query: "query1",
Platform: "darwin",
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
},
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
kolide.Label{
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
Name: "label2",
Query: "query2",
Platform: "darwin",
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
},
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
kolide.Label{
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
Name: "label3",
Query: "query3",
Platform: "darwin,linux",
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
},
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
kolide.Label{
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
Name: "label4",
Query: "query4",
Platform: "linux",
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
},
}
for _, label := range labels {
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
_, err := ds.NewLabel(&label)
Implement osquery datastore methods for inmem datastore (#255) - Implement osquery datastore methods - Update tests for compatibility with inmem Closes #255
2016-09-30 01:19:51 +00:00
assert.Nil(t, err)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
}
// Now we should get the label queries
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
assert.Nil(t, err)
assert.Len(t, queries, 3)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
// Record a query execution
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
err = svc.SubmitDistributedQueryResults(
ctx,
map[string][]map[string]string{
hostLabelQueryPrefix + "1": {{"col1": "val1"}},
},
Push distributed query errors over results websocket (#878) As of recently, osquery will report when a distributed query fails. We now expose errors over the results websocket. When a query errored on the host, the `error` key in the result will be non-null. Note that osquery currently doesn't provide any details so the error string will always be "failed". I anticipate that we will fix this and the string is included for future-proofing. Successful result: ``` { "type": "result", "data": { "distributed_query_execution_id": 15, "host": { ... omitted ... }, "rows": [ { "hour": "1" } ], "error": null } } ``` Failed result: ``` { "type": "result", "data": { "distributed_query_execution_id": 14, "host": { ... omitted ... }, "rows": [ ], "error": "failed" } } ```
2017-01-11 03:34:32 +00:00
map[string]string{},
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
)
Implement osquery datastore methods for inmem datastore (#255) - Implement osquery datastore methods - Update tests for compatibility with inmem Closes #255
2016-09-30 01:19:51 +00:00
assert.Nil(t, err)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
// Verify that labels are set appropriately
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hostLabels, err := ds.ListLabelsForHost(host.ID)
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
assert.Len(t, hostLabels, 1)
assert.Equal(t, "label1", hostLabels[0].Name)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
// Now that query should not be returned
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
assert.Nil(t, err)
assert.Len(t, queries, 2)
assert.NotContains(t, queries, "kolide_label_query_1")
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
// Advance the time
mockClock.AddTime(1*time.Hour + 1*time.Minute)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
// Keep the host details fresh
host.DetailUpdateTime = mockClock.Now().Add(-1 * time.Minute)
ds.SaveHost(host)
ctx = hostctx.NewContext(ctx, *host)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
// Now we should get all the label queries again
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
assert.Nil(t, err)
assert.Len(t, queries, 3)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
// Record a query execution
err = svc.SubmitDistributedQueryResults(
ctx,
map[string][]map[string]string{
hostLabelQueryPrefix + "2": {{"col1": "val1"}},
hostLabelQueryPrefix + "3": {},
},
Push distributed query errors over results websocket (#878) As of recently, osquery will report when a distributed query fails. We now expose errors over the results websocket. When a query errored on the host, the `error` key in the result will be non-null. Note that osquery currently doesn't provide any details so the error string will always be "failed". I anticipate that we will fix this and the string is included for future-proofing. Successful result: ``` { "type": "result", "data": { "distributed_query_execution_id": 15, "host": { ... omitted ... }, "rows": [ { "hour": "1" } ], "error": null } } ``` Failed result: ``` { "type": "result", "data": { "distributed_query_execution_id": 14, "host": { ... omitted ... }, "rows": [ ], "error": "failed" } } ```
2017-01-11 03:34:32 +00:00
map[string]string{},
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
)
Implement osquery datastore methods for inmem datastore (#255) - Implement osquery datastore methods - Update tests for compatibility with inmem Closes #255
2016-09-30 01:19:51 +00:00
assert.Nil(t, err)
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
// Now these should no longer show up in the necessary to run queries
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Implement osquery datastore methods for inmem datastore (#255) - Implement osquery datastore methods - Update tests for compatibility with inmem Closes #255
2016-09-30 01:19:51 +00:00
assert.Nil(t, err)
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
assert.Len(t, queries, 1)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
// Verify that labels are set appropriately
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hostLabels, err = ds.ListLabelsForHost(host.ID)
Update host labels in distributed query ingestion (#278)
2016-10-05 15:56:29 +00:00
assert.Len(t, hostLabels, 2)
expectLabelNames := map[string]bool{"label1": true, "label2": true}
for _, label := range hostLabels {
assert.Contains(t, expectLabelNames, label.Name)
delete(expectLabelNames, label.Name)
}
Send configuration + label queries in distributed reads (#215) This PR is the beginning of distributed query work. For now we are focusing on using the distributed query subsystem to retrieve the basic configuration information (currently just platform), and run the label queries. A mockable clock interface is also added to the service struct, allowing us to inject a clock as a dependency, and write unit tests that can control the time.
2016-09-21 03:08:11 +00:00
}
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
func TestGetClientConfig(t *testing.T) {
Added built in labels (#526)
2016-11-25 18:08:22 +00:00
ds, err := inmem.New(config.TestConfig())
Separate tables from data migrations (#745) This PR separates the table migrations from the data population migrations. Table migrations run before data migrations. Now, we have the ability to create the database tables without populating them with data. This can be useful for running "unit" tests against a MySQL store that doesn't have any pre-populated data. When performing real migrations, or for more "integration" style testing, the data migrations can also be executed. Note there are some special cases that must be observed with these migrations, and the README is updated to reflect those.
2017-01-05 17:27:56 +00:00
require.Nil(t, err)
require.Nil(t, ds.MigrateData())
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
mockClock := clock.NewMockClock()
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
svc, err := newTestServiceWithClock(ds, nil, mockClock)
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
assert.Nil(t, err)
ctx := context.Background()
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err := ds.ListHosts(kolide.ListOptions{})
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
require.Nil(t, err)
require.Len(t, hosts, 0)
_, err = svc.EnrollAgent(ctx, "", "user.local")
assert.Nil(t, err)
Apply consistent naming conventions across server files (#310)
2016-10-14 15:59:27 +00:00
hosts, err = ds.ListHosts(kolide.ListOptions{})
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
require.Nil(t, err)
require.Len(t, hosts, 1)
host := hosts[0]
ctx = hostctx.NewContext(ctx, *host)
// with no queries, packs, labels, etc. verify the state of a fresh host
// asking for a config
config, err := svc.GetClientConfig(ctx)
require.Nil(t, err)
assert.NotNil(t, config)
Osquery Options - /config/osquery-options #365 (#729)
2016-12-31 17:56:54 +00:00
val, ok := config.Options["disable_distributed"]
require.True(t, ok)
disabled, ok := val.(bool)
require.True(t, ok)
assert.False(t, disabled)
val, ok = config.Options["pack_delimiter"]
require.True(t, ok)
delim, ok := val.(string)
require.True(t, ok)
assert.Equal(t, "/", delim)
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
// this will be greater than 0 if we ever start inserting an administration
// pack
assert.Len(t, config.Packs, 0)
// let's populate the database with some info
infoQuery := &kolide.Query{
Moving query attributes from the query object to the pack-query relationship (#559) * Moving query attributes from the query object to the pack-query relationship * some additional tests * http request parsing test * QueryOptions in new test_util code * initial scaffolding of new request structures * service and datastore * test outline * l2 merge conflict scrub * service tests for scheduled query service * service and datastore tests * most endpoints and transports * order of values are not deterministic with inmem * transport tests * rename PackQuery to ScheduledQuery * removing existing implementation of adding queries to packs * accounting for the new argument to NewQuery * fix alignment in sql query * removing underscore * add removed to the datastore * removed differential from the schema
2016-12-13 22:22:05 +00:00
Name: "Info",
Query: "select * from osquery_info;",
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
}
Moving query attributes from the query object to the pack-query relationship (#559) * Moving query attributes from the query object to the pack-query relationship * some additional tests * http request parsing test * QueryOptions in new test_util code * initial scaffolding of new request structures * service and datastore * test outline * l2 merge conflict scrub * service tests for scheduled query service * service and datastore tests * most endpoints and transports * order of values are not deterministic with inmem * transport tests * rename PackQuery to ScheduledQuery * removing existing implementation of adding queries to packs * accounting for the new argument to NewQuery * fix alignment in sql query * removing underscore * add removed to the datastore * removed differential from the schema
2016-12-13 22:22:05 +00:00
infoQueryInterval := uint(60)
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
infoQuery, err = ds.NewQuery(infoQuery)
assert.Nil(t, err)
monitoringPack := &kolide.Pack{
Name: "monitoring",
}
Datastore refactor (#439) Removed Gorm, replaced it with Sqlx * Added SQL bundling command to Makfile * Using go-kit logger * Added soft delete capability * Changed SearchLabel to accept a variadic param for optional omit list instead of array * Gorm removed * Refactor table structures to use CURRENT_TIMESTAMP mysql function * Moved Inmem datastore into it's own package * Updated README * Implemented code review suggestions from @zwass * Removed reference to Gorm from glide.yaml
2016-11-16 13:47:49 +00:00
_, err = ds.NewPack(monitoringPack)
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
assert.Nil(t, err)
Moving query attributes from the query object to the pack-query relationship (#559) * Moving query attributes from the query object to the pack-query relationship * some additional tests * http request parsing test * QueryOptions in new test_util code * initial scaffolding of new request structures * service and datastore * test outline * l2 merge conflict scrub * service tests for scheduled query service * service and datastore tests * most endpoints and transports * order of values are not deterministic with inmem * transport tests * rename PackQuery to ScheduledQuery * removing existing implementation of adding queries to packs * accounting for the new argument to NewQuery * fix alignment in sql query * removing underscore * add removed to the datastore * removed differential from the schema
2016-12-13 22:22:05 +00:00
test.NewScheduledQuery(t, ds, monitoringPack.ID, infoQuery.ID, infoQueryInterval, false, false)
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
mysqlLabel := &kolide.Label{
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
Name: "MySQL Monitoring",
Query: "select pid from processes where name = 'mysqld';",
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
}
mysqlLabel, err = ds.NewLabel(mysqlLabel)
assert.Nil(t, err)
err = ds.AddLabelToPack(mysqlLabel.ID, monitoringPack.ID)
assert.Nil(t, err)
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
err = ds.RecordLabelQueryExecutions(
host,
change recordlabelexecutions to use map[uint]bool instead of map[string]bool (#965) Closes #345
2017-01-17 06:03:51 +00:00
map[uint]bool{mysqlLabel.ID: true},
Label API Updates (#413) close #403 close #404 close #412
2016-11-03 01:17:23 +00:00
mockClock.Now(),
)
Osquery Configuration Control (#244) Label management APIs and an osquery config endpoint based on active pack and label state.
2016-10-03 03:14:35 +00:00
assert.Nil(t, err)
// with a minimal setup of packs, labels, and queries, will our host get the
// pack
config, err = svc.GetClientConfig(ctx)
require.Nil(t, err)
assert.Len(t, config.Packs, 1)
assert.Len(t, config.Packs["monitoring"].Queries, 1)
}
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
Fix issue where empty strings are returned as ints in log results (#1522) Fix for issue where osquery sends empty strings where we expect integers in detail queries. We handle empty strings in these cases by changing them to "0" and then letting the different conversion functions change the "0" string into the appropriate integer type. This has been tested against running osquery hosts. Closes #1521
2017-06-08 17:57:12 +00:00
func TestDetailQueriesWithEmptyStrings(t *testing.T) {
ds, svc, mockClock := setupOsqueryTests(t)
ctx := context.Background()
nodeKey, err := svc.EnrollAgent(ctx, "", "host123")
assert.Nil(t, err)
host, err := ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = hostctx.NewContext(ctx, *host)
// With a new host, we should get the detail queries (and accelerated
// queries)
queries, acc, err := svc.GetDistributedQueries(ctx)
assert.Nil(t, err)
assert.Len(t, queries, len(detailQueries))
assert.NotZero(t, acc)
resultJSON := `
{
"kolide_detail_query_network_interface": [
{
"address": "192.168.0.1",
"broadcast": "192.168.0.255",
"ibytes": "",
"ierrors": "",
"interface": "en0",
"ipackets": "25698094",
"last_change": "1474233476",
"mac": "5f:3d:4b:10:25:82",
"mask": "255.255.255.0",
"metric": "",
"mtu": "",
"obytes": "",
"oerrors": "",
"opackets": "",
"point_to_point": "",
"type": ""
}
],
"kolide_detail_query_os_version": [
{
"platform": "darwin",
"build": "15G1004",
"major": "10",
"minor": "10",
"name": "Mac OS X",
"patch": "6"
}
],
"kolide_detail_query_osquery_info": [
{
"build_distro": "10.10",
"build_platform": "darwin",
"config_hash": "3c6e4537c4d0eb71a7c6dda19d",
"config_valid": "1",
"extensions": "active",
"pid": "38113",
"start_time": "1475603155",
"version": "1.8.2",
"watcher": "38112"
}
],
"kolide_detail_query_system_info": [
{
"computer_name": "computer",
"cpu_brand": "Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz",
"cpu_logical_cores": "8",
"cpu_physical_cores": "4",
"cpu_subtype": "Intel x86-64h Haswell",
"cpu_type": "x86_64h",
"hardware_model": "MacBookPro11,4",
"hardware_serial": "ABCDEFGH",
"hardware_vendor": "Apple Inc.",
"hardware_version": "1.0",
"hostname": "computer.local",
"physical_memory": "17179869184",
"uuid": "uuid"
}
],
"kolide_detail_query_uptime": [
{
"days": "20",
"hours": "0",
"minutes": "48",
"seconds": "13",
"total_seconds": "1730893"
}
],
"kolide_detail_query_osquery_flags": [
{
"name":"config_tls_refresh",
"value":""
},
{
"name":"distributed_interval",
"value":""
},
{
"name":"logger_tls_period",
"value":""
}
]
}
`
var results kolide.OsqueryDistributedQueryResults
err = json.Unmarshal([]byte(resultJSON), &results)
require.Nil(t, err)
// Verify that results are ingested properly
svc.SubmitDistributedQueryResults(ctx, results, map[string]string{})
// Make sure the result saved to the datastore
host, err = ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
// osquery_info
assert.Equal(t, "darwin", host.Platform)
assert.Equal(t, "1.8.2", host.OsqueryVersion)
// system_info
assert.Equal(t, 17179869184, host.PhysicalMemory)
assert.Equal(t, "computer.local", host.HostName)
assert.Equal(t, "uuid", host.UUID)
// os_version
assert.Equal(t, "Mac OS X 10.10.6", host.OSVersion)
// uptime
assert.Equal(t, 1730893*time.Second, host.Uptime)
// osquery_flags
assert.Equal(t, uint(0), host.ConfigTLSRefresh)
assert.Equal(t, uint(0), host.DistributedInterval)
assert.Equal(t, uint(0), host.LoggerTLSPeriod)
mockClock.AddTime(1 * time.Minute)
// Now no detail queries should be required
host, err = ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = hostctx.NewContext(ctx, *host)
queries, acc, err = svc.GetDistributedQueries(ctx)
assert.Nil(t, err)
assert.Len(t, queries, 0)
assert.Zero(t, acc)
// Advance clock and queries should exist again
mockClock.AddTime(1*time.Hour + 1*time.Minute)
err = svc.SubmitDistributedQueryResults(ctx, kolide.OsqueryDistributedQueryResults{}, map[string]string{})
require.Nil(t, err)
host, err = ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = hostctx.NewContext(ctx, *host)
queries, acc, err = svc.GetDistributedQueries(ctx)
assert.Nil(t, err)
assert.Len(t, queries, len(detailQueries))
assert.Zero(t, acc)
}
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
func TestDetailQueries(t *testing.T) {
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
ds, svc, mockClock := setupOsqueryTests(t)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
ctx := context.Background()
nodeKey, err := svc.EnrollAgent(ctx, "", "host123")
assert.Nil(t, err)
host, err := ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = hostctx.NewContext(ctx, *host)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
// With a new host, we should get the detail queries (and accelerated
// queries)
queries, acc, err := svc.GetDistributedQueries(ctx)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
assert.Nil(t, err)
assert.Len(t, queries, len(detailQueries))
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.NotZero(t, acc)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
resultJSON := `
{
"kolide_detail_query_network_interface": [
{
"address": "192.168.0.1",
"broadcast": "192.168.0.255",
"ibytes": "1601207629",
Host details 405 (#535)
2016-12-01 17:00:00 +00:00
"ierrors": "314179",
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
"interface": "en0",
"ipackets": "25698094",
"last_change": "1474233476",
"mac": "5f:3d:4b:10:25:82",
"mask": "255.255.255.0",
Host details 405 (#535)
2016-12-01 17:00:00 +00:00
"metric": "1",
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
"mtu": "1453",
"obytes": "2607283152",
Host details 405 (#535)
2016-12-01 17:00:00 +00:00
"oerrors": "101010",
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
"opackets": "12264603",
"point_to_point": "",
"type": "6"
}
],
"kolide_detail_query_os_version": [
{
Retrieve correct platform in detail queries (#1265) Previously we were using `build_platform`, which does not always properly reflect the platform of the host running osquery. Now we should properly retrieve the platform. Fixes #1264
2017-02-22 03:22:34 +00:00
"platform": "darwin",
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
"build": "15G1004",
"major": "10",
"minor": "10",
"name": "Mac OS X",
"patch": "6"
}
],
"kolide_detail_query_osquery_info": [
{
"build_distro": "10.10",
"build_platform": "darwin",
"config_hash": "3c6e4537c4d0eb71a7c6dda19d",
"config_valid": "1",
"extensions": "active",
"pid": "38113",
"start_time": "1475603155",
"version": "1.8.2",
"watcher": "38112"
}
],
"kolide_detail_query_system_info": [
{
"computer_name": "computer",
"cpu_brand": "Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz",
"cpu_logical_cores": "8",
"cpu_physical_cores": "4",
"cpu_subtype": "Intel x86-64h Haswell",
"cpu_type": "x86_64h",
"hardware_model": "MacBookPro11,4",
"hardware_serial": "ABCDEFGH",
"hardware_vendor": "Apple Inc.",
"hardware_version": "1.0",
"hostname": "computer.local",
"physical_memory": "17179869184",
"uuid": "uuid"
}
],
"kolide_detail_query_uptime": [
{
"days": "20",
"hours": "0",
"minutes": "48",
"seconds": "13",
"total_seconds": "1730893"
}
Retrieve and store host checkin intervals (#1473) We now track the `config_tls_refresh`, `distributed_interval` and `logger_tls_period` flag values for each host. Each value is updated by a detail query agains the `osquery_flags` table, because they may be specified outside of Kolide. The flags that can be specified within Kolide are also updated when a config is returned to the host that changes their value. This will enable us to do a more accurate per-host online status calculation as discussed in #1419.
2017-04-06 18:55:24 +00:00
],
"kolide_detail_query_osquery_flags": [
{
"name":"config_tls_refresh",
"value":"10"
},
{
"name":"distributed_interval",
"value":"5"
},
{
"name":"logger_tls_period",
"value":"60"
}
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
]
}
`
var results kolide.OsqueryDistributedQueryResults
err = json.Unmarshal([]byte(resultJSON), &results)
require.Nil(t, err)
// Verify that results are ingested properly
Push distributed query errors over results websocket (#878) As of recently, osquery will report when a distributed query fails. We now expose errors over the results websocket. When a query errored on the host, the `error` key in the result will be non-null. Note that osquery currently doesn't provide any details so the error string will always be "failed". I anticipate that we will fix this and the string is included for future-proofing. Successful result: ``` { "type": "result", "data": { "distributed_query_execution_id": 15, "host": { ... omitted ... }, "rows": [ { "hour": "1" } ], "error": null } } ``` Failed result: ``` { "type": "result", "data": { "distributed_query_execution_id": 14, "host": { ... omitted ... }, "rows": [ ], "error": "failed" } } ```
2017-01-11 03:34:32 +00:00
svc.SubmitDistributedQueryResults(ctx, results, map[string]string{})
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
// Make sure the result saved to the datastore
host, err = ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
// osquery_info
assert.Equal(t, "darwin", host.Platform)
assert.Equal(t, "1.8.2", host.OsqueryVersion)
// system_info
assert.Equal(t, 17179869184, host.PhysicalMemory)
assert.Equal(t, "computer.local", host.HostName)
assert.Equal(t, "uuid", host.UUID)
// os_version
assert.Equal(t, "Mac OS X 10.10.6", host.OSVersion)
// uptime
assert.Equal(t, 1730893*time.Second, host.Uptime)
Retrieve and store host checkin intervals (#1473) We now track the `config_tls_refresh`, `distributed_interval` and `logger_tls_period` flag values for each host. Each value is updated by a detail query agains the `osquery_flags` table, because they may be specified outside of Kolide. The flags that can be specified within Kolide are also updated when a config is returned to the host that changes their value. This will enable us to do a more accurate per-host online status calculation as discussed in #1419.
2017-04-06 18:55:24 +00:00
// osquery_flags
assert.Equal(t, uint(10), host.ConfigTLSRefresh)
assert.Equal(t, uint(5), host.DistributedInterval)
assert.Equal(t, uint(60), host.LoggerTLSPeriod)
Fix bug in saving host detail update time (#888) Saving a new detail update time when the host details were not actually updated caused detail updates to be missed. This PR fixes the existing test to catch the bug, and fixes the bug.
2017-01-11 18:48:24 +00:00
mockClock.AddTime(1 * time.Minute)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
// Now no detail queries should be required
Fix bug in saving host detail update time (#888) Saving a new detail update time when the host details were not actually updated caused detail updates to be missed. This PR fixes the existing test to catch the bug, and fixes the bug.
2017-01-11 18:48:24 +00:00
host, err = ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = hostctx.NewContext(ctx, *host)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
assert.Nil(t, err)
assert.Len(t, queries, 0)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
// Advance clock and queries should exist again
mockClock.AddTime(1*time.Hour + 1*time.Minute)
Fix bug in saving host detail update time (#888) Saving a new detail update time when the host details were not actually updated caused detail updates to be missed. This PR fixes the existing test to catch the bug, and fixes the bug.
2017-01-11 18:48:24 +00:00
err = svc.SubmitDistributedQueryResults(ctx, kolide.OsqueryDistributedQueryResults{}, map[string]string{})
require.Nil(t, err)
host, err = ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = hostctx.NewContext(ctx, *host)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
assert.Nil(t, err)
assert.Len(t, queries, len(detailQueries))
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Update host details in distributed query ingestion (#274) - Introduce a new pattern for defining/ingesting detail queries - Add many relevant host details: - Platform - osquery Version - Memory - Hostname - UUID - OS Version - Uptime - Primary interface MAC - Primary interface IP - Fix parsing for inconsistent JSON schema returned from osquery - Tests
2016-10-05 00:17:55 +00:00
}
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
func TestDistributedQueries(t *testing.T) {
Added built in labels (#526)
2016-11-25 18:08:22 +00:00
ds, err := inmem.New(config.TestConfig())
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
_, err = ds.NewAppConfig(&kolide.AppConfig{EnrollSecret: ""})
require.Nil(t, err)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
mockClock := clock.NewMockClock()
rs := pubsub.NewInmemQueryResults()
svc, err := newTestServiceWithClock(ds, rs, mockClock)
require.Nil(t, err)
ctx := context.Background()
nodeKey, err := svc.EnrollAgent(ctx, "", "host123")
require.Nil(t, err)
host, err := ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
host.Platform = "centos"
host.HostName = "zwass.local"
require.Nil(t, ds.SaveHost(host))
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
// Create label
n := "foo"
q := "select * from foo;"
label, err := svc.NewLabel(ctx, kolide.LabelPayload{
Name: &n,
Query: &q,
})
require.Nil(t, err)
// Record match with label
Add attributes to packs (#524) * Adds created_by attribute to packs This PR also updated the distributed query code to use the pattern established here (service checks context) * add enable/disable state to packs * add query_count to packs API responses * add host_count to packs API responses (very, very poorly) * pack description should not be required * counting hosts in packs via mysql * removing extraneous newline in test * Switch case instead of if/if else * add description to update query for SavePack method * change AND to WHERE in query as per @zwass * add ordering and list options as per @murphybytes' suggestion
2016-11-22 21:56:05 +00:00
ctx = viewer.NewContext(ctx, viewer.Viewer{
User: &kolide.User{
ID: 0,
},
})
change recordlabelexecutions to use map[uint]bool instead of map[string]bool (#965) Closes #345
2017-01-17 06:03:51 +00:00
err = ds.RecordLabelQueryExecutions(host, map[uint]bool{label.ID: true}, mockClock.Now())
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
Host summary endpoint (#742) * Initial scaffolding of the host summary endpoint * inmem datastore implementation of GenerateHostStatusStatistics * HostSummary docstring * changing the url of the host summary endpoint * datastore tests for GenerateHostStatusStatistics * MySQL datastore implementation of GenerateHostStatusStatistics * <= and >= to catch exact time edge case * removing clock interface method * lowercase error wraps * removin superfluous whitespace * use updated_at * adding a seen_at column to the hosts table * moving the update of seen_time to the caller * using db.Get instead of db.Select
2017-01-04 21:16:17 +00:00
err = ds.MarkHostSeen(host, mockClock.Now())
require.Nil(t, err)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
ctx = hostctx.NewContext(ctx, *host)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
q = "select year, month, day, hour, minutes, seconds from time"
Add attributes to packs (#524) * Adds created_by attribute to packs This PR also updated the distributed query code to use the pattern established here (service checks context) * add enable/disable state to packs * add query_count to packs API responses * add host_count to packs API responses (very, very poorly) * pack description should not be required * counting hosts in packs via mysql * removing extraneous newline in test * Switch case instead of if/if else * add description to update query for SavePack method * change AND to WHERE in query as per @zwass * add ordering and list options as per @murphybytes' suggestion
2016-11-22 21:56:05 +00:00
campaign, err := svc.NewDistributedQueryCampaign(ctx, q, []uint{}, []uint{label.ID})
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
Add cleanup method for distributed queries and metadata (#547) - New datastore method for expiring queries and deleting metadata - Start goroutine in serve to run this method on an hourly interval Closes #392
2016-12-01 18:31:16 +00:00
// Manually set the campaign to running (so that it shows up when
// requesting queries)
campaign.Status = kolide.QueryRunning
err = ds.SaveDistributedQueryCampaign(campaign)
require.Nil(t, err)
Add service method/endpoint for creating distributed query campaign (#485)
2016-11-16 21:07:50 +00:00
queryKey := fmt.Sprintf("%s%d", hostDistributedQueryPrefix, campaign.ID)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
// Now we should get the active distributed query
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err := svc.GetDistributedQueries(ctx)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
assert.Len(t, queries, len(detailQueries)+1)
assert.Equal(t, q, queries[queryKey])
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
expectedRows := []map[string]string{
{
"year": "2016",
"month": "11",
"day": "11",
"hour": "6",
"minutes": "12",
"seconds": "10",
},
}
results := map[string][]map[string]string{
queryKey: expectedRows,
}
// TODO use service method
Add service method/endpoint for creating distributed query campaign (#485)
2016-11-16 21:07:50 +00:00
readChan, err := rs.ReadChannel(ctx, *campaign)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
// We need to listen for the result in a separate thread to prevent the
// write to the result channel from failing
var waitSetup, waitComplete sync.WaitGroup
waitSetup.Add(1)
waitComplete.Add(1)
go func() {
waitSetup.Done()
select {
case val := <-readChan:
if res, ok := val.(kolide.DistributedQueryResult); ok {
Add service method/endpoint for creating distributed query campaign (#485)
2016-11-16 21:07:50 +00:00
assert.Equal(t, campaign.ID, res.DistributedQueryCampaignID)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
assert.Equal(t, expectedRows, res.Rows)
assert.Equal(t, *host, res.Host)
} else {
t.Error("Wrong result type")
}
assert.NotNil(t, val)
case <-time.After(1 * time.Second):
t.Error("No result received")
}
waitComplete.Done()
}()
waitSetup.Wait()
// Sleep a short time to ensure that the above goroutine is blocking on
// the channel read (the waitSetup.Wait() is not necessarily sufficient
// if there is a context switch immediately after waitSetup.Done() is
// called). This should be a small price to pay to prevent flakiness in
// this test.
time.Sleep(10 * time.Millisecond)
Push distributed query errors over results websocket (#878) As of recently, osquery will report when a distributed query fails. We now expose errors over the results websocket. When a query errored on the host, the `error` key in the result will be non-null. Note that osquery currently doesn't provide any details so the error string will always be "failed". I anticipate that we will fix this and the string is included for future-proofing. Successful result: ``` { "type": "result", "data": { "distributed_query_execution_id": 15, "host": { ... omitted ... }, "rows": [ { "hour": "1" } ], "error": null } } ``` Failed result: ``` { "type": "result", "data": { "distributed_query_execution_id": 14, "host": { ... omitted ... }, "rows": [ ], "error": "failed" } } ```
2017-01-11 03:34:32 +00:00
err = svc.SubmitDistributedQueryResults(ctx, results, map[string]string{})
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
// Now the distributed query should be completed and not returned
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
queries, acc, err = svc.GetDistributedQueries(ctx)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
require.Nil(t, err)
assert.Len(t, queries, len(detailQueries))
assert.NotContains(t, queries, queryKey)
Accelerate checkins when hosts enroll (#1423) Return `accelerate: 10` with distributed queries if we do not have host details. This facilitates the host quickly joining all expected labels, as `platform` gated label queries will not be returned until the detail queries return with the platform. Fixes #1421.
2017-03-21 16:17:38 +00:00
assert.Zero(t, acc)
Update osquery service methods for distributed queries (#476)
2016-11-14 18:22:54 +00:00
waitComplete.Wait()
}
Close orphaned distributed query campaign after failed publish attempt (#707) A distributed query campaign can be "orphaned" (left in the QueryRunning state) if the Kolide server restarts while it is running, or other weirdness occurs. When this happens, no subscribers are waiting to read results written by osqueryd agents, but the agents continue to receive the query. Previously, this would cause us to error on ingestion. The new behavior will instead set the campaign to completed when it detects that it is orphaned. This should prevent sending queries for which there is no subscriber. - New NoSubscriber error interface in pubsub - Detect NoSubscriber errors and close campaigns - Tests on pubsub and service methods Fixes #695
2016-12-27 15:35:19 +00:00
func TestOrphanedQueryCampaign(t *testing.T) {
ds, err := inmem.New(config.TestConfig())
require.Nil(t, err)
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
_, err = ds.NewAppConfig(&kolide.AppConfig{EnrollSecret: ""})
require.Nil(t, err)
Close orphaned distributed query campaign after failed publish attempt (#707) A distributed query campaign can be "orphaned" (left in the QueryRunning state) if the Kolide server restarts while it is running, or other weirdness occurs. When this happens, no subscribers are waiting to read results written by osqueryd agents, but the agents continue to receive the query. Previously, this would cause us to error on ingestion. The new behavior will instead set the campaign to completed when it detects that it is orphaned. This should prevent sending queries for which there is no subscriber. - New NoSubscriber error interface in pubsub - Detect NoSubscriber errors and close campaigns - Tests on pubsub and service methods Fixes #695
2016-12-27 15:35:19 +00:00
rs := pubsub.NewInmemQueryResults()
svc, err := newTestService(ds, rs)
require.Nil(t, err)
ctx := context.Background()
nodeKey, err := svc.EnrollAgent(ctx, "", "host123")
require.Nil(t, err)
host, err := ds.AuthenticateHost(nodeKey)
require.Nil(t, err)
ctx = viewer.NewContext(context.Background(), viewer.Viewer{
User: &kolide.User{
ID: 0,
},
})
q := "select year, month, day, hour, minutes, seconds from time"
campaign, err := svc.NewDistributedQueryCampaign(ctx, q, []uint{}, []uint{})
require.Nil(t, err)
campaign.Status = kolide.QueryRunning
err = ds.SaveDistributedQueryCampaign(campaign)
require.Nil(t, err)
queryKey := fmt.Sprintf("%s%d", hostDistributedQueryPrefix, campaign.ID)
expectedRows := []map[string]string{
{
"year": "2016",
"month": "11",
"day": "11",
"hour": "6",
"minutes": "12",
"seconds": "10",
},
}
results := map[string][]map[string]string{
queryKey: expectedRows,
}
// Submit results
ctx = hostctx.NewContext(context.Background(), *host)
Push distributed query errors over results websocket (#878) As of recently, osquery will report when a distributed query fails. We now expose errors over the results websocket. When a query errored on the host, the `error` key in the result will be non-null. Note that osquery currently doesn't provide any details so the error string will always be "failed". I anticipate that we will fix this and the string is included for future-proofing. Successful result: ``` { "type": "result", "data": { "distributed_query_execution_id": 15, "host": { ... omitted ... }, "rows": [ { "hour": "1" } ], "error": null } } ``` Failed result: ``` { "type": "result", "data": { "distributed_query_execution_id": 14, "host": { ... omitted ... }, "rows": [ ], "error": "failed" } } ```
2017-01-11 03:34:32 +00:00
err = svc.SubmitDistributedQueryResults(ctx, results, map[string]string{})
Close orphaned distributed query campaign after failed publish attempt (#707) A distributed query campaign can be "orphaned" (left in the QueryRunning state) if the Kolide server restarts while it is running, or other weirdness occurs. When this happens, no subscribers are waiting to read results written by osqueryd agents, but the agents continue to receive the query. Previously, this would cause us to error on ingestion. The new behavior will instead set the campaign to completed when it detects that it is orphaned. This should prevent sending queries for which there is no subscriber. - New NoSubscriber error interface in pubsub - Detect NoSubscriber errors and close campaigns - Tests on pubsub and service methods Fixes #695
2016-12-27 15:35:19 +00:00
require.Nil(t, err)
// The campaign should be set to completed because it is orphaned
campaign, err = ds.DistributedQueryCampaign(campaign.ID)
require.Nil(t, err)
assert.Equal(t, kolide.QueryComplete, campaign.Status)
}
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
Retrieve and store host checkin intervals (#1473) We now track the `config_tls_refresh`, `distributed_interval` and `logger_tls_period` flag values for each host. Each value is updated by a detail query agains the `osquery_flags` table, because they may be specified outside of Kolide. The flags that can be specified within Kolide are also updated when a config is returned to the host that changes their value. This will enable us to do a more accurate per-host online status calculation as discussed in #1419.
2017-04-06 18:55:24 +00:00
func TestUpdateHostIntervals(t *testing.T) {
ds := new(mock.Store)
svc, err := newTestService(ds, nil)
require.Nil(t, err)
Added support for atomic imports and dry run imports (#1510) Closes issue #1475 The command line tool that uses this endpoint -> https://github.com/kolide/configimporter * Added support for atomic imports and dry run imports * Added code so that imports are idempotent
2017-05-30 19:42:00 +00:00
ds.ListDecoratorsFunc = func(opt ...kolide.OptionalArg) ([]*kolide.Decorator, error) {
Retrieve and store host checkin intervals (#1473) We now track the `config_tls_refresh`, `distributed_interval` and `logger_tls_period` flag values for each host. Each value is updated by a detail query agains the `osquery_flags` table, because they may be specified outside of Kolide. The flags that can be specified within Kolide are also updated when a config is returned to the host that changes their value. This will enable us to do a more accurate per-host online status calculation as discussed in #1419.
2017-04-06 18:55:24 +00:00
return []*kolide.Decorator{}, nil
}
ds.ListPacksFunc = func(opt kolide.ListOptions) ([]*kolide.Pack, error) {
return []*kolide.Pack{}, nil
}
ds.ListLabelsForHostFunc = func(hid uint) ([]kolide.Label, error) {
return []kolide.Label{}, nil
}
var testCases = []struct {
initHost kolide.Host
finalHost kolide.Host
configOptions map[string]interface{}
saveHostCalled bool
}{
// Both updated
{
kolide.Host{
ConfigTLSRefresh: 60,
},
kolide.Host{
DistributedInterval: 11,
LoggerTLSPeriod: 33,
ConfigTLSRefresh: 60,
},
map[string]interface{}{
"distributed_interval": 11,
"logger_tls_period": 33,
"logger_plugin": "tls",
},
true,
},
// Only logger_tls_period updated
{
kolide.Host{
DistributedInterval: 11,
ConfigTLSRefresh: 60,
},
kolide.Host{
DistributedInterval: 11,
LoggerTLSPeriod: 33,
ConfigTLSRefresh: 60,
},
map[string]interface{}{
"distributed_interval": 11,
"logger_tls_period": 33,
},
true,
},
// Only distributed_interval updated
{
kolide.Host{
ConfigTLSRefresh: 60,
LoggerTLSPeriod: 33,
},
kolide.Host{
DistributedInterval: 11,
LoggerTLSPeriod: 33,
ConfigTLSRefresh: 60,
},
map[string]interface{}{
"distributed_interval": 11,
"logger_tls_period": 33,
},
true,
},
// Kolide not managing distributed_interval
{
kolide.Host{
ConfigTLSRefresh: 60,
DistributedInterval: 11,
},
kolide.Host{
DistributedInterval: 11,
LoggerTLSPeriod: 33,
ConfigTLSRefresh: 60,
},
map[string]interface{}{
"logger_tls_period": 33,
},
true,
},
// SaveHost should not be called with no changes
{
kolide.Host{
DistributedInterval: 11,
LoggerTLSPeriod: 33,
ConfigTLSRefresh: 60,
},
kolide.Host{
DistributedInterval: 11,
LoggerTLSPeriod: 33,
ConfigTLSRefresh: 60,
},
map[string]interface{}{
"distributed_interval": 11,
"logger_tls_period": 33,
},
false,
},
}
Re-enable all tests in TestUpdateHostIntervals (#1496)
2017-04-18 18:29:04 +00:00
for _, tt := range testCases {
Retrieve and store host checkin intervals (#1473) We now track the `config_tls_refresh`, `distributed_interval` and `logger_tls_period` flag values for each host. Each value is updated by a detail query agains the `osquery_flags` table, because they may be specified outside of Kolide. The flags that can be specified within Kolide are also updated when a config is returned to the host that changes their value. This will enable us to do a more accurate per-host online status calculation as discussed in #1419.
2017-04-06 18:55:24 +00:00
t.Run("", func(t *testing.T) {
ctx := hostctx.NewContext(context.Background(), tt.initHost)
ds.GetOsqueryConfigOptionsFunc = func() (map[string]interface{}, error) {
return tt.configOptions, nil
}
saveHostCalled := false
ds.SaveHostFunc = func(host *kolide.Host) error {
saveHostCalled = true
assert.Equal(t, tt.finalHost, *host)
return nil
}
_, err = svc.GetClientConfig(ctx)
require.Nil(t, err)
assert.Equal(t, tt.saveHostCalled, saveHostCalled)
})
}
}
move osquery enroll secret to appconfig (#1004) For #995
2017-01-20 19:48:54 +00:00
func setupOsqueryTests(t *testing.T) (kolide.Datastore, kolide.Service, *clock.MockClock) {
ds, err := inmem.New(config.TestConfig())
require.Nil(t, err)
_, err = ds.NewAppConfig(&kolide.AppConfig{EnrollSecret: ""})
require.Nil(t, err)
mockClock := clock.NewMockClock()
svc, err := newTestServiceWithClock(ds, nil, mockClock)
require.Nil(t, err)
return ds, svc, mockClock
}
Fix host authentication errors in case of DB failure (#1512) Closes #1511
2017-05-25 21:10:12 +00:00
type notFoundError struct{}
func (e notFoundError) Error() string {
return "not found"
}
func (e notFoundError) IsNotFound() bool {
return true
}
func TestAuthenticationErrors(t *testing.T) {
ms := new(mock.Store)
ms.MarkHostSeenFunc = func(*kolide.Host, time.Time) error {
return nil
}
ms.AuthenticateHostFunc = func(nodeKey string) (*kolide.Host, error) {
return nil, nil
}
svc, err := newTestService(ms, nil)
require.Nil(t, err)
ctx := context.Background()
_, err = svc.AuthenticateHost(ctx, "")
require.NotNil(t, err)
require.True(t, err.(osqueryError).NodeInvalid())
_, err = svc.AuthenticateHost(ctx, "foo")
require.Nil(t, err)
// return not found error
ms.AuthenticateHostFunc = func(nodeKey string) (*kolide.Host, error) {
return nil, notFoundError{}
}
_, err = svc.AuthenticateHost(ctx, "foo")
require.NotNil(t, err)
require.True(t, err.(osqueryError).NodeInvalid())
// return other error
ms.AuthenticateHostFunc = func(nodeKey string) (*kolide.Host, error) {
return nil, errors.New("foo")
}
_, err = svc.AuthenticateHost(ctx, "foo")
require.NotNil(t, err)
require.False(t, err.(osqueryError).NodeInvalid())
}
Reference in New Issue Copy Permalink