Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Santa targets counters #987

Merged
merged 1 commit into from
Jun 8, 2024
Merged

Add Santa targets counters #987

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 67 additions & 2 deletions tests/santa/test_santa_api_views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -675,7 +675,7 @@ def test_eventupload_cdhash_signing_id_team_id(self):
def test_eventupload_without_bundle(self, post_event):
event_d = {
'current_sessions': [],
'decision': 'BLOCK_UNKNOWN',
'decision': 'ALLOW_UNKNOWN',
'executing_user': 'root',
'execution_time': 2242783327.585212,
'file_bundle_id': 'servicecontroller:com.apple.stomp.transcoderx',
Expand Down Expand Up @@ -712,6 +712,14 @@ def test_eventupload_without_bundle(self, post_event):
'valid_from': 1146001236,
'valid_until': 2054670036}]
}
self.assertEqual(Target.objects.all().count(), 0)
Target.objects.create(
type=Target.CERTIFICATE,
identifier=event_d["signing_chain"][1]["sha256"],
blocked_count=3,
collected_count=2,
executed_count=1
)
response = self.post_as_json("eventupload", self.enrolled_machine.hardware_uuid, {"events": [event_d]})
self.assertEqual(response.status_code, 200)
json_response = response.json()
Expand All @@ -726,6 +734,20 @@ def test_eventupload_without_bundle(self, post_event):
for i, cert in enumerate(event_d["signing_chain"]):
self.assertEqual(event.payload[f"signing_cert_{i}"], cert)
self.assertNotIn("signing_chain", event.payload)
self.assertEqual(Target.objects.all().count(), 4)
for target_type, target_identifier, b_count, c_count, e_count in (
(Target.BINARY, event_d["file_sha256"], 0, 0, 1),
(Target.CERTIFICATE, event_d["signing_chain"][0]["sha256"], 0, 0, 1),
(Target.CERTIFICATE, event_d["signing_chain"][1]["sha256"], 3, 2, 2), # executed_count = 1 + 1
(Target.CERTIFICATE, event_d["signing_chain"][2]["sha256"], 0, 0, 1),
):
self.assertTrue(
Target.objects.filter(type=target_type,
identifier=target_identifier,
blocked_count=b_count,
collected_count=c_count,
executed_count=e_count).exists()
)

def test_deprecated_eventupload(self):
url = reverse("santa_public:deprecated_eventupload", args=(self.enrollment_secret.secret,
Expand Down Expand Up @@ -778,6 +800,14 @@ def test_eventupload_with_bundle(self, post_event):
'valid_from': 1146001236,
'valid_until': 2054670036}]
}
self.assertEqual(Target.objects.all().count(), 0)
Target.objects.create(
type=Target.BINARY,
identifier=event_d["file_sha256"],
blocked_count=3,
collected_count=2,
executed_count=1,
)
response = self.post_as_json("eventupload", self.enrolled_machine.hardware_uuid, {"events": [event_d]})
self.assertEqual(response.status_code, 200)
json_response = response.json()
Expand All @@ -790,6 +820,21 @@ def test_eventupload_with_bundle(self, post_event):
event = events[0]
self.assertIsInstance(event, SantaEventEvent)
self.assertEqual(event.payload["signing_chain"], event_d["signing_chain"])
self.assertEqual(Target.objects.all().count(), 5)
for target_type, target_identifier, b_count, c_count, e_count in (
(Target.BINARY, event_d["file_sha256"], 4, 2, 1),
(Target.BUNDLE, event_d["file_bundle_hash"], 1, 0, 0),
(Target.CERTIFICATE, event_d["signing_chain"][0]["sha256"], 1, 0, 0),
(Target.CERTIFICATE, event_d["signing_chain"][1]["sha256"], 1, 0, 0),
(Target.CERTIFICATE, event_d["signing_chain"][2]["sha256"], 1, 0, 0),
):
self.assertTrue(
Target.objects.filter(type=target_type,
identifier=target_identifier,
blocked_count=b_count,
collected_count=c_count,
executed_count=e_count).exists()
)

@patch("zentral.core.queues.backends.kombu.EventQueues.post_event")
def test_eventupload_bundle_binary(self, post_event):
Expand Down Expand Up @@ -838,7 +883,9 @@ def test_eventupload_bundle_binary(self, post_event):
'valid_from': 1146001236,
'valid_until': 2054670036}]
}
t, _ = Target.objects.get_or_create(type=Target.BUNDLE, identifier=event_d["file_bundle_hash"])
t, _ = Target.objects.get_or_create(type=Target.BUNDLE,
identifier=event_d["file_bundle_hash"],
blocked_count=1)
b, _ = Bundle.objects.update_or_create(
target=t,
defaults={"binary_count": event_d["file_bundle_binary_count"]}
Expand All @@ -860,6 +907,24 @@ def test_eventupload_bundle_binary(self, post_event):
self.assertEqual(file_qs.count(), 1)
file = file_qs.first()
self.assertEqual(file.signing_id, event_d["signing_id"])
self.assertEqual(Target.objects.all().count(), 8)
for target_type, target_identifier, b_count, c_count, e_count in (
(Target.BINARY, event_d["file_sha256"], 0, 1, 0),
(Target.BUNDLE, event_d["file_bundle_hash"], 1, 0, 0),
(Target.CDHASH, event_d["cdhash"], 0, 1, 0),
(Target.SIGNING_ID, event_d["signing_id"], 0, 1, 0),
(Target.TEAM_ID, event_d["team_id"], 0, 1, 0),
(Target.CERTIFICATE, event_d["signing_chain"][0]["sha256"], 0, 1, 0),
(Target.CERTIFICATE, event_d["signing_chain"][1]["sha256"], 0, 1, 0),
(Target.CERTIFICATE, event_d["signing_chain"][2]["sha256"], 0, 1, 0),
):
self.assertTrue(
Target.objects.filter(type=target_type,
identifier=target_identifier,
blocked_count=b_count,
collected_count=c_count,
executed_count=e_count).exists()
)

# postflight

Expand Down
97 changes: 94 additions & 3 deletions tests/santa/test_santa_events.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,18 @@
import datetime
from django.test import SimpleTestCase
from zentral.contrib.santa.events import (_build_file_tree_from_santa_event, EventMetadata,
from unittest.mock import patch
from django.test import TestCase
from zentral.contrib.santa.events import (_build_file_tree_from_santa_event,
_create_bundle_binaries,
_create_missing_bundles,
_update_targets,
EventMetadata,
SantaEnrollmentEvent, SantaEventEvent,
SantaRuleSetUpdateEvent, SantaRuleUpdateEvent)
from zentral.contrib.santa.models import Bundle, Target
from .test_rule_engine import new_sha256


class SantaEventTestCase(SimpleTestCase):
class SantaEventTestCase(TestCase):
maxDiff = None

def test_event_with_signed_bundle(self):
Expand Down Expand Up @@ -608,3 +615,87 @@ def test_enrollment_linked_objects(self):
event.get_linked_objects_keys(),
{"santa_configuration": [(13,)]}
)

# _update_targets

@patch("zentral.contrib.santa.events.logger.warning")
def test_update_targets_unknown_decisiton(self, logger_warning):
event_d = {"decision": "UNKNOWN!!!"}
self.assertEqual(_update_targets([event_d]), {})
logger_warning.assert_called_once_with("Unknown decision: %s", "UNKNOWN!!!")

# _create_missing_bundles

@patch("zentral.contrib.santa.events.logger.error")
def test_create_missing_bundles_missing_target(self, logger_error):
event_d = {"decision": "BLOCK_UNKNOWN",
"file_bundle_hash": new_sha256()}
_create_missing_bundles([event_d], {})
logger_error.assert_called_once_with("Missing BUNDLE target %s", event_d["file_bundle_hash"])

# _create_bundle_binaries

@patch("zentral.contrib.santa.events.logger.error")
def test_create_bundle_binaries_missing_bundle(self, logger_error):
event_d = {"decision": "BUNDLE_BINARY",
"file_bundle_hash": new_sha256()}
_create_bundle_binaries([event_d])
self.assertEqual(Bundle.objects.count(), 0)
logger_error.assert_called_once_with("Unknown bundle: %s", event_d["file_bundle_hash"])

@patch("zentral.contrib.santa.events.logger.error")
def test_create_bundle_binaries_bundle_already_uploaded(self, logger_error):
event_d = {"decision": "BUNDLE_BINARY",
"file_bundle_hash": new_sha256(),
"file_bundle_binary_count": 42}
t = Target.objects.create(type=Target.BUNDLE,
identifier=event_d["file_bundle_hash"],
blocked_count=1)
Bundle.objects.create(
target=t,
binary_count=event_d["file_bundle_binary_count"],
uploaded_at=datetime.datetime.utcnow()
)
_create_bundle_binaries([event_d])
logger_error.assert_called_once_with("Bundle %s already uploaded", event_d["file_bundle_hash"])

def test_create_bundle_binaries_bundle_without_binary_count(self):
binary_target = Target.objects.create(type=Target.BINARY, identifier=new_sha256())
event_d = {"decision": "BUNDLE_BINARY",
"file_bundle_hash": new_sha256(),
"file_bundle_binary_count": 1,
"file_sha256": binary_target.identifier}
bundle_target = Target.objects.create(type=Target.BUNDLE,
identifier=event_d["file_bundle_hash"],
blocked_count=1)
b = Bundle.objects.create(
target=bundle_target,
binary_count=0,
)
self.assertEqual(b.binary_targets.count(), 0)
_create_bundle_binaries([event_d])
self.assertEqual(set(b.binary_targets.all()), set([binary_target]))
b.refresh_from_db()
self.assertIsNotNone(b.uploaded_at)

@patch("zentral.contrib.santa.events.logger.error")
def test_create_bundle_wrong_binary_target_number(self, logger_error):
binary_target = Target.objects.create(type=Target.BINARY, identifier=new_sha256())
event_d = {"decision": "BUNDLE_BINARY",
"file_bundle_hash": new_sha256(),
"file_bundle_binary_count": 1,
"file_sha256": binary_target.identifier}
bundle_target = Target.objects.create(type=Target.BUNDLE,
identifier=event_d["file_bundle_hash"],
blocked_count=1)
b = Bundle.objects.create(
target=bundle_target,
binary_count=event_d["file_bundle_binary_count"],
)
extra_target = Target.objects.create(type=Target.BINARY, identifier=new_sha256())
b.binary_targets.add(extra_target)
self.assertEqual(b.binary_targets.count(), 1)
_create_bundle_binaries([event_d])
self.assertEqual(b.binary_targets.count(), 2)
logger_error.assert_called_once_with("Bundle %s as wrong number of binary targets",
event_d["file_bundle_hash"])
84 changes: 75 additions & 9 deletions zentral/contrib/santa/events/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
from zentral.conf import settings
from zentral.contrib.inventory.models import File
from zentral.contrib.santa.models import Bundle, EnrolledMachine, Target
from zentral.contrib.santa.utils import add_bundle_binary_targets, update_or_create_targets
from zentral.core.events.base import BaseEvent, EventMetadata, EventRequest, register_event_type
from zentral.utils.certificates import APPLE_DEV_ID_ISSUER_CN, parse_apple_dev_id
from zentral.utils.text import shard
Expand Down Expand Up @@ -263,6 +264,16 @@ def _build_file_tree_from_santa_event(event_d):
return app_d


def _is_allow_event(event_d):
decision = event_d.get('decision')
return decision and decision.startswith("ALLOW_")


def _is_block_event(event_d):
decision = event_d.get('decision')
return decision and decision.startswith("BLOCK_")


def _is_allow_unknown_event(event_d):
return event_d.get('decision') == "ALLOW_UNKNOWN"

Expand All @@ -271,7 +282,59 @@ def _is_bundle_binary_pseudo_event(event_d):
return event_d.get('decision') == "BUNDLE_BINARY"


def _create_missing_bundles(events):
def _update_targets(events):
targets = {}
for event_d in events:
# target keys
target_keys = []
file_sha256 = event_d.get("file_sha256")
if file_sha256:
target_keys.append((Target.BINARY, file_sha256))
cdhash = event_d.get("cdhash")
if cdhash:
target_keys.append((Target.CDHASH, cdhash))
team_id = event_d.get("team_id")
if team_id:
target_keys.append((Target.TEAM_ID, team_id))
signing_id = event_d.get("signing_id")
if signing_id:
target_keys.append((Target.SIGNING_ID, signing_id))
signing_chain = event_d.get("signing_chain")
if signing_chain:
for cert_d in signing_chain:
sha256 = cert_d.get("sha256")
if sha256:
target_keys.append((Target.CERTIFICATE, sha256))
if not _is_bundle_binary_pseudo_event(event_d):
bundle_hash = event_d.get("file_bundle_hash")
if bundle_hash:
target_keys.append((Target.BUNDLE, bundle_hash))
# increments
blocked_incr = collected_incr = executed_incr = 0
if _is_block_event(event_d):
blocked_incr = 1
elif _is_bundle_binary_pseudo_event(event_d):
collected_incr = 1
elif _is_allow_event(event_d):
executed_incr = 1
else:
logger.warning("Unknown decision: %s", event_d.get("decision", "-"))
# aggregations
for target_key in target_keys:
target_increments = targets.setdefault(
target_key,
{"blocked_incr": 0, "collected_incr": 0, "executed_incr": 0}
)
target_increments["blocked_incr"] += blocked_incr
target_increments["collected_incr"] += collected_incr
target_increments["executed_incr"] += executed_incr
if targets:
return update_or_create_targets(targets)
else:
return {}


def _create_missing_bundles(events, targets):
bundle_events = {
sha256: event_d
for sha256, event_d in (
Expand All @@ -292,7 +355,10 @@ def _create_missing_bundles(events):
)
unknown_file_bundle_hashes = list(set(bundle_events.keys()) - existing_sha256_set)
for sha256 in unknown_file_bundle_hashes:
target, _ = Target.objects.get_or_create(type=Target.BUNDLE, identifier=sha256)
target, _ = targets.get((Target.BUNDLE, sha256), (None, None))
if not target:
logger.error("Missing BUNDLE target %s", sha256)
continue
defaults = {}
event_d = bundle_events[sha256]
for event_attr, bundle_attr in (("file_bundle_path", "path"),
Expand Down Expand Up @@ -327,19 +393,18 @@ def _create_bundle_binaries(events):
logger.error("Unknown bundle: %s", bundle_sha256)
continue
if bundle.uploaded_at:
logger.info("Bundle %s already uploaded", bundle_sha256)
logger.error("Bundle %s already uploaded", bundle_sha256)
continue
binary_targets = []
binary_target_identifiers = []
binary_count = bundle.binary_count
for event_d in events:
if not binary_count:
event_binary_count = event_d.get("file_bundle_binary_count")
if event_binary_count:
binary_count = event_binary_count
binary_sha256 = event_d.get("file_sha256")
binary_target, _ = Target.objects.get_or_create(type=Target.BINARY, identifier=binary_sha256)
binary_targets.append(binary_target)
bundle.binary_targets.add(*binary_targets)
binary_target_identifiers.append(event_d["file_sha256"])
if binary_target_identifiers:
add_bundle_binary_targets(bundle, binary_target_identifiers)
save_bundle = False
if not bundle.binary_count and binary_count:
bundle.binary_count = binary_count
Expand Down Expand Up @@ -411,7 +476,8 @@ def process_events(enrolled_machine, user_agent, ip, data):
events = data.get("events", [])
if not events:
return []
unknown_file_bundle_hashes = _create_missing_bundles(events)
targets = _update_targets(events)
unknown_file_bundle_hashes = _create_missing_bundles(events, targets)
_create_bundle_binaries(events)
_commit_files(events)
_post_santa_events(enrolled_machine, user_agent, ip, events)
Expand Down
Loading
Loading