TEST_F(QueryTests, test_add_and_get_current_results) {
// Test adding a "current" set of results to a scheduled query instance.
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
auto status = cf.addNewResults(getTestDBExpectedResults(), db_);
EXPECT_TRUE(status.ok());
EXPECT_EQ(status.toString(), "OK");
// Simulate results from several schedule runs, calculate differentials.
for (auto result : getTestDBResultStream()) {
// Get the results from the previous query execution (from RocksDB).
QueryData previous_qd;
auto status = cf.getPreviousQueryResults(previous_qd, db_);
EXPECT_TRUE(status.ok());
EXPECT_EQ(status.toString(), "OK");
// Add the "current" results and output the differentials.
DiffResults dr;
auto s = cf.addNewResults(result.second, dr, true, db_);
EXPECT_TRUE(s.ok());
// Call the diffing utility directly.
DiffResults expected = diff(previous_qd, result.second);
EXPECT_EQ(dr, expected);
// After Query::addNewResults the previous results are now current.
QueryData qd;
cf.getPreviousQueryResults(qd, db_);
EXPECT_EQ(qd, result.second);
}
}
void launchQuery(const std::string& name, const ScheduledQuery& query) {
// Execute the scheduled query and create a named query object.
VLOG(1) << "Executing query: " << query.query;
auto sql = (FLAGS_enable_monitor) ? monitor(name, query) : SQL(query.query);
if (!sql.ok()) {
LOG(ERROR) << "Error executing query (" << query.query
<< "): " << sql.getMessageString();
return;
}
// Fill in a host identifier fields based on configuration or availability.
std::string ident;
auto status = getHostIdentifier(ident);
if (!status.ok() || ident.empty()) {
ident = "<unknown>";
}
// A query log item contains an optional set of differential results or
// a copy of the most-recent execution alongside some query metadata.
QueryLogItem item;
item.name = name;
item.identifier = ident;
item.time = osquery::getUnixTime();
item.calendar_time = osquery::getAsciiTime();
if (query.options.count("snapshot") && query.options.at("snapshot")) {
// This is a snapshot query, emit results with a differential or state.
item.snapshot_results = std::move(sql.rows());
logSnapshotQuery(item);
return;
}
// Create a database-backed set of query results.
auto dbQuery = Query(name, query);
DiffResults diff_results;
// Add this execution's set of results to the database-tracked named query.
// We can then ask for a differential from the last time this named query
// was executed by exact matching each row.
status = dbQuery.addNewResults(sql.rows(), diff_results);
if (!status.ok()) {
LOG(ERROR) << "Error adding new results to database: " << status.what();
return;
}
if (diff_results.added.size() == 0 && diff_results.removed.size() == 0) {
// No diff results or events to emit.
return;
}
VLOG(1) << "Found results for query (" << name << ") for host: " << ident;
item.results = diff_results;
status = logQueryLogItem(item);
if (!status.ok()) {
LOG(ERROR) << "Error logging the results of query (" << query.query
<< "): " << status.toString();
}
}
static void DATABASE_query_results(benchmark::State& state) {
auto qd = getExampleQueryData(state.range_x(), state.range_y());
auto query = getOsqueryScheduledQuery();
while (state.KeepRunning()) {
DiffResults diff_results;
auto dbq = Query("default", query);
dbq.addNewResults(qd, diff_results);
}
}
static void DATABASE_query_results(benchmark::State& state) {
auto qd = getExampleQueryData(state.range(0), state.range(1));
auto query = getOsqueryScheduledQuery();
while (state.KeepRunning()) {
DiffResults diff_results;
uint64_t counter;
auto dbq = Query("default", query);
dbq.addNewResults(std::move(qd), 0, counter, diff_results);
}
}
TEST_F(QueryTests, test_add_and_get_current_results) {
auto query = getOsqueryScheduledQuery();
auto cf = Query(query);
auto s = cf.addNewResults(getTestDBExpectedResults(), std::time(0), db);
EXPECT_TRUE(s.ok());
EXPECT_EQ(s.toString(), "OK");
for (auto result : getTestDBResultStream()) {
DiffResults dr;
HistoricalQueryResults hQR;
auto hqr_status = cf.getHistoricalQueryResults(hQR, db);
EXPECT_TRUE(hqr_status.ok());
EXPECT_EQ(hqr_status.toString(), "OK");
auto s = cf.addNewResults(result.second, dr, true, std::time(0), db);
EXPECT_TRUE(s.ok());
DiffResults expected = diff(hQR.mostRecentResults.second, result.second);
EXPECT_EQ(dr, expected);
QueryData qd;
cf.getCurrentResults(qd, db);
EXPECT_EQ(qd, result.second);
}
}
inline void launchQuery(const std::string& name, const ScheduledQuery& query) {
// Execute the scheduled query and create a named query object.
LOG(INFO) << "Executing scheduled query " << name << ": " << query.query;
runDecorators(DECORATE_ALWAYS);
auto sql = monitor(name, query);
if (!sql.ok()) {
LOG(ERROR) << "Error executing scheduled query " << name << ": "
<< sql.getMessageString();
return;
}
// Fill in a host identifier fields based on configuration or availability.
std::string ident = getHostIdentifier();
// A query log item contains an optional set of differential results or
// a copy of the most-recent execution alongside some query metadata.
QueryLogItem item;
item.name = name;
item.identifier = ident;
item.time = osquery::getUnixTime();
item.epoch = FLAGS_schedule_epoch;
item.calendar_time = osquery::getAsciiTime();
getDecorations(item.decorations);
if (query.options.count("snapshot") && query.options.at("snapshot")) {
// This is a snapshot query, emit results with a differential or state.
item.snapshot_results = std::move(sql.rows());
logSnapshotQuery(item);
return;
}
// Create a database-backed set of query results.
auto dbQuery = Query(name, query);
// Comparisons and stores must include escaped data.
sql.escapeResults();
Status status;
DiffResults diff_results;
// Add this execution's set of results to the database-tracked named query.
// We can then ask for a differential from the last time this named query
// was executed by exact matching each row.
if (!FLAGS_events_optimize || !sql.eventBased()) {
status = dbQuery.addNewResults(
sql.rows(), item.epoch, item.counter, diff_results);
if (!status.ok()) {
std::string line =
"Error adding new results to database: " + status.what();
LOG(ERROR) << line;
// If the database is not available then the daemon cannot continue.
Initializer::requestShutdown(EXIT_CATASTROPHIC, line);
}
} else {
diff_results.added = std::move(sql.rows());
}
if (diff_results.added.empty() && diff_results.removed.empty()) {
// No diff results or events to emit.
return;
}
VLOG(1) << "Found results for query: " << name;
item.results = diff_results;
if (query.options.count("removed") && !query.options.at("removed")) {
item.results.removed.clear();
}
status = logQueryLogItem(item);
if (!status.ok()) {
// If log directory is not available, then the daemon shouldn't continue.
std::string error = "Error logging the results of query: " + name + ": " +
status.toString();
LOG(ERROR) << error;
Initializer::requestShutdown(EXIT_CATASTROPHIC, error);
}
}
Status Query::addNewResults(const QueryData& qd, DiffResults& dr) {
return addNewResults(qd, dr, true, DBHandle::getInstance());
}
Status Query::addNewResults(const QueryData& qd, DBHandleRef db) {
DiffResults dr;
return addNewResults(qd, dr, false, db);
}
Status Query::addNewResults(const osquery::QueryData& qd) {
return addNewResults(qd, DBHandle::getInstance());
}
Status Query::addNewResults(QueryData qd,
const uint64_t epoch,
uint64_t& counter) const {
DiffResults dr;
return addNewResults(std::move(qd), epoch, counter, dr, false);
}
osquery::Status Query::addNewResults(const osquery::QueryData& qd,
osquery::DiffResults& dr,
int unix_time) {
return addNewResults(qd, dr, true, unix_time, DBHandle::getInstance());
}
Status Query::addNewResults(const QueryData& qd,
int unix_time,
std::shared_ptr<DBHandle> db) {
DiffResults dr;
return addNewResults(qd, dr, false, unix_time, db);
}
Status Query::addNewResults(const osquery::QueryData& qd, int unix_time) {
return addNewResults(qd, unix_time, DBHandle::getInstance());
}
