windows/logical_drives: Refactor (#5400)

Summary:
This generally refactors the `logical_drives` table on Windows to conform more closely to C++11 idioms. It also enables the integration test for `logical_drives`.

See #5367. I'll open a PR for the boot partition fixes once this is merged.

cc akindyakov guliashvili
Pull Request resolved: https://github.com/facebook/osquery/pull/5400

Differential Revision: D14131722

Pulled By: fmanco

fbshipit-source-id: c3077da48147a9880ce08925d165e5d1da363bb9

osquery/tables/system/windows/logical_drives.cpp

@@ -16,45 +16,32 @@ QueryData genLogicalDrives(QueryContext& context) {
   QueryData results;
 
   const WmiRequest wmiLogicalDiskReq(
-      "select DeviceID, DriveType, FreeSpace, Size, FileSystem from "
+      "select DeviceID, Description, FreeSpace, Size, FileSystem from "
       "Win32_LogicalDisk");
-  const std::vector<WmiResultItem>& wmiResults = wmiLogicalDiskReq.results();
-  for (unsigned int i = 0; i < wmiResults.size(); ++i) {
+  auto const& logicalDisks = wmiLogicalDiskReq.results();
+  for (const auto& logicalDisk : logicalDisks) {
     Row r;
-    unsigned int driveType = 0;
     std::string deviceId;
-    wmiResults[i].GetString("DeviceID", deviceId);
-    wmiResults[i].GetUnsignedInt32("DriveType", driveType);
-    wmiResults[i].GetString("FreeSpace", r["free_space"]);
-    wmiResults[i].GetString("Size", r["size"]);
-    wmiResults[i].GetString("FileSystem", r["file_system"]);
+    logicalDisk.GetString("DeviceID", deviceId);
+    logicalDisk.GetString("Description", r["description"]);
+    logicalDisk.GetString("FreeSpace", r["free_space"]);
+    logicalDisk.GetString("Size", r["size"]);
+    logicalDisk.GetString("FileSystem", r["file_system"]);
 
-    r["device_id"] = deviceId;
-
-    switch (driveType) {
-    default:
-      r["type"] = TEXT("Unknown");
-      break;
-    case 1:
-      r["type"] = TEXT("No Root Directory");
-      break;
-    case 2:
-      r["type"] = TEXT("Removable Disk");
-      break;
-    case 3:
-      r["type"] = TEXT("Local Disk");
-      break;
-    case 4:
-      r["type"] = TEXT("Network Drive");
-      break;
-    case 5:
-      r["type"] = TEXT("Compact Disc");
-      break;
-    case 6:
-      r["type"] = TEXT("RAM Disk");
-      break;
+    if (r["free_space"].empty()) {
+      r["free_space"] = "-1";
     }
 
+    if (r["size"].empty()) {
+      r["size"] = "-1";
+    }
+
+    // NOTE(ww): Previous versions of this table used the type
+    // column to provide a non-canonical description of the drive.
+    // However, a bug in WMI marshalling caused the type to always
+    // return "Unknown". That behavior is preserved here.
+    r["type"] = "Unknown";
+    r["device_id"] = deviceId;
     r["boot_partition"] = INTEGER(0);
 
     std::string assocQuery =
@@ -62,7 +49,7 @@ QueryData genLogicalDrives(QueryContext& context) {
         "'} where AssocClass=Win32_LogicalDiskToPartition";
 
     const WmiRequest wmiLogicalDiskToPartitionReq(assocQuery);
-    const std::vector<WmiResultItem>& wmiLogicalDiskToPartitionResults =
+    auto const& wmiLogicalDiskToPartitionResults =
         wmiLogicalDiskToPartitionReq.results();
 
     if (wmiLogicalDiskToPartitionResults.empty()) {
@@ -78,8 +65,7 @@ QueryData genLogicalDrives(QueryContext& context) {
             "SELECT BootPartition FROM Win32_DiskPartition WHERE DeviceID='") +
         partitionDeviceId + '\'';
     const WmiRequest wmiPartitionReq(partitionQuery);
-    const std::vector<WmiResultItem>& wmiPartitionResults =
-        wmiPartitionReq.results();
+    auto const& wmiPartitionResults = wmiPartitionReq.results();
 
     if (wmiPartitionResults.empty()) {
       results.push_back(r);

specs/windows/logical_drives.table

@@ -2,9 +2,10 @@ table_name("logical_drives")
 description("Details for logical drives on the system. A logical drive generally represents a single partition.")
 schema([
     Column("device_id", TEXT, "The drive id, usually the drive name, e.g., 'C:'."),
-    Column("type", TEXT, "The type of disk drive this logical drive represents."),
-    Column("free_space", BIGINT, "The amount of free space, in bytes, of the drive."),
-    Column("size", BIGINT, "The total amount of space, in bytes, of the drive."),
+    Column("type", TEXT, "Deprecated (always 'Unknown')."),
+    Column("description", TEXT, "The canonical description of the drive, e.g. 'Logical Fixed Disk', 'CD-ROM Disk'."),
+    Column("free_space", BIGINT, "The amount of free space, in bytes, of the drive (-1 on failure)."),
+    Column("size", BIGINT, "The total amount of space, in bytes, of the drive (-1 on failure)."),
     Column("file_system", TEXT, "The file system of the drive."),
     Column("boot_partition", INTEGER, "True if Windows booted from this drive."),
 ])

tests/integration/tables/logical_drives.cpp

@@ -23,25 +23,20 @@ class logicalDrives : public testing::Test {
 };
 
 TEST_F(logicalDrives, test_sanity) {
-  // 1. Query data
   auto const data = execute_query("select * from logical_drives");
-  // 2. Check size before validation
-  // ASSERT_GE(data.size(), 0ul);
-  // ASSERT_EQ(data.size(), 1ul);
-  // ASSERT_EQ(data.size(), 0ul);
-  // 3. Build validation map
-  // See helper.h for avaialbe flags
-  // Or use custom DataCheck object
-  // ValidatatioMap row_map = {
-  //      {"device_id", NormalType}
-  //      {"type", NormalType}
-  //      {"free_space", IntType}
-  //      {"size", IntType}
-  //      {"file_system", NormalType}
-  //      {"boot_partition", IntType}
-  //}
-  // 4. Perform validation
-  // validate_rows(data, row_map);
+  ASSERT_GE(data.size(), 1ul);
+
+  ValidatatioMap row_map = {
+      {"device_id", NormalType},
+      {"type", NormalType},
+      {"description", NormalType},
+      {"free_space", IntType},
+      {"size", IntType},
+      {"file_system", NormalType},
+      {"boot_partition", IntType},
+  };
+
+  validate_rows(data, row_map);
 }
 
 } // namespace table_tests