osquery-1/osquery/core/tests/query_tests.cpp

/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under both the Apache 2.0 license (found in the
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
 */

#include <algorithm>
#include <ctime>
#include <deque>

#include <boost/filesystem/operations.hpp>

#include <gtest/gtest.h>

#include <osquery/query.h>

#include "osquery/tests/test_util.h"

namespace osquery {

class QueryTests : public testing::Test {};

TEST_F(QueryTests, test_private_members) {
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("foobar", query);
  EXPECT_EQ(cf.query_, query);
}

TEST_F(QueryTests, test_add_and_get_current_results) {
  // Test adding a "current" set of results to a scheduled query instance.
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("foobar", query);
  uint64_t counter = 128;
  auto status = cf.addNewResults(getTestDBExpectedResults(), 0, counter);
  EXPECT_TRUE(status.ok());
  EXPECT_EQ(status.toString(), "OK");
  EXPECT_EQ(counter, 0UL);

  // Simulate results from several schedule runs, calculate differentials.
  uint64_t expected_counter = counter + 1;
  for (auto result : getTestDBResultStream()) {
    // Get the results from the previous query execution (from the DB).
    QueryData previous_qd;
    status = cf.getPreviousQueryResults(previous_qd);
    EXPECT_TRUE(status.ok());
    EXPECT_EQ(status.toString(), "OK");

    // Add the "current" results and output the differentials.
    DiffResults dr;
    counter = 128;
    auto s = cf.addNewResults(result.second, 0, counter, dr, true);
    EXPECT_TRUE(s.ok());
    EXPECT_EQ(counter, expected_counter++);

    // Call the diffing utility directly.
    DiffResults expected = diff(previous_qd, result.second);
    EXPECT_EQ(dr, expected);

    // After Query::addNewResults the previous results are now current.
    QueryData qd;
    cf.getPreviousQueryResults(qd);
    EXPECT_EQ(qd, result.second);
  }
}

TEST_F(QueryTests, test_get_query_results) {
  // Grab an expected set of query data and add it as the previous result.
  auto encoded_qd = getSerializedQueryDataJSON();
  auto query = getOsqueryScheduledQuery();
  auto status = setDatabaseValue(kQueries, "foobar", encoded_qd.first);
  EXPECT_TRUE(status.ok());

  // Use the Query retrieval API to check the now "previous" result.
  QueryData previous_qd;
  auto cf = Query("foobar", query);
  status = cf.getPreviousQueryResults(previous_qd);
  EXPECT_TRUE(status.ok());
}

TEST_F(QueryTests, test_query_name_not_found_in_db) {
  // Try to retrieve results from a query that has not executed.
  QueryData previous_qd;
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("not_a_real_query", query);
  auto status = cf.getPreviousQueryResults(previous_qd);
  EXPECT_FALSE(status.ok());
  EXPECT_TRUE(previous_qd.empty());
}

TEST_F(QueryTests, test_is_query_name_in_database) {
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("foobar", query);
  auto encoded_qd = getSerializedQueryDataJSON();
  auto status = setDatabaseValue(kQueries, "foobar", encoded_qd.first);
  EXPECT_TRUE(status.ok());
  // Now test that the query name exists.
  EXPECT_TRUE(cf.isQueryNameInDatabase());
}

TEST_F(QueryTests, test_query_name_updated) {
  // Try to retrieve results from a query that has not executed.
  QueryData previous_qd;
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("will_update_query", query);
  EXPECT_TRUE(cf.isNewQuery());
  EXPECT_TRUE(cf.isNewQuery());

  DiffResults dr;
  uint64_t counter = 128;
  auto results = getTestDBExpectedResults();
  cf.addNewResults(results, 0, counter, dr);
  EXPECT_FALSE(cf.isNewQuery());
  EXPECT_EQ(counter, 0UL);

  query.query += " LIMIT 1";
  counter = 128;
  auto cf2 = Query("will_update_query", query);
  EXPECT_TRUE(cf2.isQueryNameInDatabase());
  EXPECT_TRUE(cf2.isNewQuery());
  cf2.addNewResults(results, 0, counter, dr);
  EXPECT_FALSE(cf2.isNewQuery());
  EXPECT_EQ(counter, 0UL);
}

TEST_F(QueryTests, test_get_stored_query_names) {
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("foobar", query);
  auto encoded_qd = getSerializedQueryDataJSON();
  auto status = setDatabaseValue(kQueries, "foobar", encoded_qd.first);
  EXPECT_TRUE(status.ok());

  // Stored query names is a factory method included alongside every query.
  // It will include the set of query names with existing "previous" results.
  auto names = cf.getStoredQueryNames();
  auto in_vector = std::find(names.begin(), names.end(), "foobar");
  EXPECT_NE(in_vector, names.end());
}
}
license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-19 00:04:06 +00:00			`/**`
[osquery] Update copyright headers to new format. 2016-02-11 19:48:58 +00:00			`* Copyright (c) 2014-present, Facebook, Inc.`
Updating the license comment to be the correct open source header As per t5494224, all of the license headers in osquery needed to be updated to reflect the correct open source header style. 2014-12-18 18:50:47 +00:00			`* All rights reserved.`
			`*`
license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-19 00:04:06 +00:00			`* This source code is licensed under both the Apache 2.0 license (found in the`
			`* LICENSE file in the root directory of this source tree) and the GPLv2 (found`
			`* in the COPYING file in the root directory of this source tree).`
			`* You may select, at your option, one of the above-listed licenses.`
Updating the license comment to be the correct open source header As per t5494224, all of the license headers in osquery needed to be updated to reflect the correct open source header style. 2014-12-18 18:50:47 +00:00			`*/`
Initial commit 2014-07-31 00:35:19 +00:00
			`#include <algorithm>`
			`#include <ctime>`
			`#include <deque>`

Reorganizing tests so that the public headers don't have to include gtest 2014-09-22 21:30:52 +00:00			`#include <boost/filesystem/operations.hpp>`

Initial commit 2014-07-31 00:35:19 +00:00			`#include <gtest/gtest.h>`

cleanup: Move query out of database header (#3576) 2017-08-20 09:44:38 +00:00			`#include <osquery/query.h>`

Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`#include "osquery/tests/test_util.h"`
Initial commit 2014-07-31 00:35:19 +00:00
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`namespace osquery {`
Initial commit 2014-07-31 00:35:19 +00:00
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`class QueryTests : public testing::Test {};`
Initial commit 2014-07-31 00:35:19 +00:00
			`TEST_F(QueryTests, test_private_members) {`
			`auto query = getOsqueryScheduledQuery();`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto cf = Query("foobar", query);`
Initial commit 2014-07-31 00:35:19 +00:00			`EXPECT_EQ(cf.query_, query);`
			`}`

			`TEST_F(QueryTests, test_add_and_get_current_results) {`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`// Test adding a "current" set of results to a scheduled query instance.`
Initial commit 2014-07-31 00:35:19 +00:00			`auto query = getOsqueryScheduledQuery();`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto cf = Query("foobar", query);`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`uint64_t counter = 128;`
			`auto status = cf.addNewResults(getTestDBExpectedResults(), 0, counter);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`EXPECT_TRUE(status.ok());`
			`EXPECT_EQ(status.toString(), "OK");`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`EXPECT_EQ(counter, 0UL);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00
			`// Simulate results from several schedule runs, calculate differentials.`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`uint64_t expected_counter = counter + 1;`
Initial commit 2014-07-31 00:35:19 +00:00			`for (auto result : getTestDBResultStream()) {`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`// Get the results from the previous query execution (from the DB).`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`QueryData previous_qd;`
Additional compiler checks, including shadow (#2486) 2016-11-06 09:17:04 +00:00			`status = cf.getPreviousQueryResults(previous_qd);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`EXPECT_TRUE(status.ok());`
			`EXPECT_EQ(status.toString(), "OK");`

			`// Add the "current" results and output the differentials.`
Initial commit 2014-07-31 00:35:19 +00:00			`DiffResults dr;`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`counter = 128;`
			`auto s = cf.addNewResults(result.second, 0, counter, dr, true);`
Initial commit 2014-07-31 00:35:19 +00:00			`EXPECT_TRUE(s.ok());`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`EXPECT_EQ(counter, expected_counter++);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00
			`// Call the diffing utility directly.`
			`DiffResults expected = diff(previous_qd, result.second);`
Initial commit 2014-07-31 00:35:19 +00:00			`EXPECT_EQ(dr, expected);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00
			`// After Query::addNewResults the previous results are now current.`
Initial commit 2014-07-31 00:35:19 +00:00			`QueryData qd;`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`cf.getPreviousQueryResults(qd);`
Initial commit 2014-07-31 00:35:19 +00:00			`EXPECT_EQ(qd, result.second);`
			`}`
			`}`

Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`TEST_F(QueryTests, test_get_query_results) {`
			`// Grab an expected set of query data and add it as the previous result.`
			`auto encoded_qd = getSerializedQueryDataJSON();`
Initial commit 2014-07-31 00:35:19 +00:00			`auto query = getOsqueryScheduledQuery();`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`auto status = setDatabaseValue(kQueries, "foobar", encoded_qd.first);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`EXPECT_TRUE(status.ok());`

			`// Use the Query retrieval API to check the now "previous" result.`
			`QueryData previous_qd;`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto cf = Query("foobar", query);`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`status = cf.getPreviousQueryResults(previous_qd);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`EXPECT_TRUE(status.ok());`
Initial commit 2014-07-31 00:35:19 +00:00			`}`

			`TEST_F(QueryTests, test_query_name_not_found_in_db) {`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`// Try to retrieve results from a query that has not executed.`
			`QueryData previous_qd;`
Initial commit 2014-07-31 00:35:19 +00:00			`auto query = getOsqueryScheduledQuery();`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto cf = Query("not_a_real_query", query);`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`auto status = cf.getPreviousQueryResults(previous_qd);`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`EXPECT_FALSE(status.ok());`
			`EXPECT_TRUE(previous_qd.empty());`
Initial commit 2014-07-31 00:35:19 +00:00			`}`

			`TEST_F(QueryTests, test_is_query_name_in_database) {`
			`auto query = getOsqueryScheduledQuery();`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto cf = Query("foobar", query);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`auto encoded_qd = getSerializedQueryDataJSON();`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`auto status = setDatabaseValue(kQueries, "foobar", encoded_qd.first);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`EXPECT_TRUE(status.ok());`
			`// Now test that the query name exists.`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`EXPECT_TRUE(cf.isQueryNameInDatabase());`
Initial commit 2014-07-31 00:35:19 +00:00			`}`

Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`TEST_F(QueryTests, test_query_name_updated) {`
			`// Try to retrieve results from a query that has not executed.`
			`QueryData previous_qd;`
			`auto query = getOsqueryScheduledQuery();`
			`auto cf = Query("will_update_query", query);`
			`EXPECT_TRUE(cf.isNewQuery());`
			`EXPECT_TRUE(cf.isNewQuery());`

			`DiffResults dr;`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`uint64_t counter = 128;`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`auto results = getTestDBExpectedResults();`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`cf.addNewResults(results, 0, counter, dr);`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`EXPECT_FALSE(cf.isNewQuery());`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`EXPECT_EQ(counter, 0UL);`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00
			`query.query += " LIMIT 1";`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`counter = 128;`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`auto cf2 = Query("will_update_query", query);`
			`EXPECT_TRUE(cf2.isQueryNameInDatabase());`
			`EXPECT_TRUE(cf2.isNewQuery());`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`cf2.addNewResults(results, 0, counter, dr);`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`EXPECT_FALSE(cf2.isNewQuery());`
logging: adding "counter" to differentiate initial results (#3651) When setting up alerts for differential logs data you might want to skip the initial added records. counter can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be "0". For subsequent query executions counter will be incremented by 1. When epoch changes, counter will be reset back to "0". 2017-09-07 22:01:15 +00:00			`EXPECT_EQ(counter, 0UL);`
Improve scheduled/differential query performance and logging (#2476) 2016-09-19 23:45:13 +00:00			`}`

Initial commit 2014-07-31 00:35:19 +00:00			`TEST_F(QueryTests, test_get_stored_query_names) {`
			`auto query = getOsqueryScheduledQuery();`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto cf = Query("foobar", query);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`auto encoded_qd = getSerializedQueryDataJSON();`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`auto status = setDatabaseValue(kQueries, "foobar", encoded_qd.first);`
Allow snapshot scheduled items 2015-04-27 21:57:04 +00:00			`EXPECT_TRUE(status.ok());`

			`// Stored query names is a factory method included alongside every query.`
			`// It will include the set of query names with existing "previous" results.`
1. Reorganize RocksDB database handle into a plugin 2. Introduce a SQLite-based database plugin 3. Refactor database usage to include local 'fast-calls' 4. Introduce an 'ephemeral' database plugin for testing (like a mock) 2016-03-05 17:29:51 +00:00			`auto names = cf.getStoredQueryNames();`
Change schedule to a map, splay on config update 2015-03-22 21:58:00 +00:00			`auto in_vector = std::find(names.begin(), names.end(), "foobar");`
Initial commit 2014-07-31 00:35:19 +00:00			`EXPECT_NE(in_vector, names.end());`
			`}`
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`}`