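TEST_F(QueryTests, test_add_and_get_current_results) {
  // Test adding a "current" set of results to a scheduled query instance.
  auto query = getOsqueryScheduledQuery();
  auto cf = Query("foobar", query);
  auto status = cf.addNewResults(getTestDBExpectedResults(), db_);
  EXPECT_TRUE(status.ok());
  EXPECT_EQ(status.toString(), "OK");

  // Simulate results from several schedule runs, calculate differentials.
  // Bind by const reference: each stream entry carries a full result set and
  // the loop body only reads it, so a per-iteration copy is wasted work.
  for (const auto& result : getTestDBResultStream()) {
    // Get the results from the previous query execution (from RocksDB).
    // Distinct name so the outer `status` is not shadowed inside the loop.
    QueryData previous_qd;
    auto previous_status = cf.getPreviousQueryResults(previous_qd, db_);
    EXPECT_TRUE(previous_status.ok());
    EXPECT_EQ(previous_status.toString(), "OK");

    // Add the "current" results and output the differentials.
    DiffResults dr;
    auto add_status = cf.addNewResults(result.second, dr, true, db_);
    EXPECT_TRUE(add_status.ok());

    // Call the diffing utility directly.
    DiffResults expected = diff(previous_qd, result.second);
    EXPECT_EQ(dr, expected);

    // After Query::addNewResults the previous results are now current.
    // The read status used to be ignored; a failed read would leave `qd`
    // empty and could mask a mismatch, so it is checked explicitly.
    QueryData qd;
    auto current_status = cf.getPreviousQueryResults(qd, db_);
    EXPECT_TRUE(current_status.ok());
    EXPECT_EQ(qd, result.second);
  }
}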
TEST_F(QueryTests, test_query_name_not_found_in_db) {
  // Try to retrieve results from a query that has not executed.
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("not_a_real_query", scheduled);

  QueryData previous_qd;
  auto lookup = cf.getPreviousQueryResults(previous_qd, db_);
  // A name with no stored results must be reported as a failure rather than
  // as an empty success.
  EXPECT_FALSE(lookup.ok());
}
static void DATABASE_query_results(benchmark::State& state) {
  // Build the synthetic result set once, outside the timed loop; the two
  // benchmark ranges size it.
  auto example_qd = getExampleQueryData(state.range_x(), state.range_y());
  auto scheduled = getOsqueryScheduledQuery();
  while (state.KeepRunning()) {
    // A fresh Query instance per iteration; the add path is what is measured.
    Query dbq("default", scheduled);
    DiffResults diff_results;
    dbq.addNewResults(example_qd, diff_results);
  }
}
TEST_F(QueryTests, test_is_query_name_in_database) {
  auto scheduled = getOsqueryScheduledQuery();
  Query cf(scheduled);

  // Seed the queries column family with a serialized historical result set
  // stored under the scheduled query's own name.
  auto serialized = getSerializedHistoricalQueryResultsJSON();
  auto put_status = db->Put(kQueries, scheduled.name, serialized.first);
  EXPECT_TRUE(put_status.ok());
  EXPECT_EQ(put_status.toString(), "OK");

  // The name must now be discoverable through the Query API.
  EXPECT_TRUE(cf.isQueryNameInDatabase(db));
}
TEST_F(QueryTests, test_is_query_name_in_database) {
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("foobar", scheduled);

  // Write serialized query data under the name the Query was built with.
  auto encoded = getSerializedQueryDataJSON();
  auto put_status = db_->Put(kQueries, "foobar", encoded.first);
  EXPECT_TRUE(put_status.ok());

  // Now test that the query name exists.
  EXPECT_TRUE(cf.isQueryNameInDatabase(db_));
}
TEST_F(QueryTests, test_query_name_not_found_in_db) {
  auto scheduled = getOsqueryScheduledQuery();
  // Point the scheduled query at a name that was never written to the DB.
  scheduled.name = "not_a_real_query";
  Query cf(scheduled);

  HistoricalQueryResults from_db;
  auto lookup = cf.getHistoricalQueryResults(from_db, db);
  EXPECT_FALSE(lookup.ok());
  // The failure must carry the specific not-found message.
  EXPECT_EQ(lookup.toString(), "query name not found in database");
}
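static void DATABASE_query_results(benchmark::State& state) {
  // Build the synthetic result set once; the two benchmark ranges size it.
  auto qd = getExampleQueryData(state.range(0), state.range(1));
  auto query = getOsqueryScheduledQuery();
  while (state.KeepRunning()) {
    DiffResults diff_results;
    // Out-parameter of addNewResults; zero-initialized so any read before the
    // callee assigns it is defined.
    uint64_t counter{0};
    auto dbq = Query("default", query);
    // The previous version moved `qd` itself into addNewResults, so every
    // iteration after the first operated on a moved-from (valid but
    // unspecified, typically empty) result set and measured almost nothing.
    // Move a per-iteration copy instead; the copy is counted in the timing,
    // which is preferable to benchmarking an empty input.
    QueryData input = qd;
    dbq.addNewResults(std::move(input), 0, counter, diff_results);
  }
}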
TEST_F(QueryTests, test_get_stored_query_names) {
  auto scheduled = getOsqueryScheduledQuery();
  Query cf(scheduled);

  // Persist a serialized historical result set under the scheduled name.
  auto serialized = getSerializedHistoricalQueryResultsJSON();
  auto put_status = db->Put(kQueries, scheduled.name, serialized.first);
  EXPECT_TRUE(put_status.ok());
  EXPECT_EQ(put_status.toString(), "OK");

  // The list of stored names must include the one just written.
  auto names = cf.getStoredQueryNames(db);
  auto first = names.begin();
  auto last = names.end();
  EXPECT_NE(std::find(first, last, scheduled.name), last);
}
TEST_F(QueryTests, test_get_stored_query_names) {
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("foobar", scheduled);

  // Persist serialized query data under the name the Query was built with.
  auto encoded = getSerializedQueryDataJSON();
  auto put_status = db_->Put(kQueries, "foobar", encoded.first);
  EXPECT_TRUE(put_status.ok());

  // Stored query names is a factory method included alongside every query.
  // It will include the set of query names with existing "previous" results.
  auto names = cf.getStoredQueryNames(db_);
  auto first = names.begin();
  auto last = names.end();
  EXPECT_NE(std::find(first, last, "foobar"), last);
}
TEST_F(QueryTests, test_get_query_results) {
  // Grab an expected set of query data and add it as the previous result.
  auto scheduled = getOsqueryScheduledQuery();
  auto encoded = getSerializedQueryDataJSON();
  auto put_status = db_->Put(kQueries, "foobar", encoded.first);
  EXPECT_TRUE(put_status.ok());

  // Use the Query retrieval API to check the now "previous" result.
  Query cf("foobar", scheduled);
  QueryData previous_qd;
  auto get_status = cf.getPreviousQueryResults(previous_qd, db_);
  EXPECT_TRUE(get_status.ok());
}
TEST_F(QueryTests, test_get_current_results) {
  auto scheduled = getOsqueryScheduledQuery();
  Query cf(scheduled);

  // Persist a serialized historical result set under the scheduled name.
  auto serialized = getSerializedHistoricalQueryResultsJSON();
  auto put_status = db->Put(kQueries, scheduled.name, serialized.first);
  EXPECT_TRUE(put_status.ok());
  EXPECT_EQ(put_status.toString(), "OK");

  // The "current" results read back must be the most recent entry of the
  // deserialized fixture.
  QueryData qd;
  auto read_status = cf.getCurrentResults(qd, db);
  EXPECT_TRUE(read_status.ok());
  EXPECT_EQ(read_status.toString(), "OK");
  EXPECT_EQ(qd, serialized.second.mostRecentResults.second);
}
TEST_F(QueryTests, test_get_historical_query_results) {
  auto scheduled = getOsqueryScheduledQuery();
  Query cf(scheduled);

  // Persist a serialized historical result set under the scheduled name.
  auto serialized = getSerializedHistoricalQueryResultsJSON();
  auto put_status = db->Put(kQueries, scheduled.name, serialized.first);
  EXPECT_TRUE(put_status.ok());
  EXPECT_EQ(put_status.toString(), "OK");

  // Reading it back through the Query API must round-trip the fixture.
  HistoricalQueryResults from_db;
  auto read_status = cf.getHistoricalQueryResults(from_db, db);
  EXPECT_TRUE(read_status.ok());
  EXPECT_EQ(read_status.toString(), "OK");
  EXPECT_EQ(from_db, serialized.second);
}
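TEST_F(QueryTests, test_add_and_get_current_results) {
  // Seed the query with an initial "current" result set stamped with now.
  auto query = getOsqueryScheduledQuery();
  auto cf = Query(query);
  auto s = cf.addNewResults(getTestDBExpectedResults(), std::time(nullptr), db);
  EXPECT_TRUE(s.ok());
  EXPECT_EQ(s.toString(), "OK");

  // Replay a stream of result sets and verify each differential against the
  // stored history. Bind by const reference: the loop body only reads each
  // entry, so a per-iteration copy is wasted work.
  for (const auto& result : getTestDBResultStream()) {
    HistoricalQueryResults hQR;
    auto hqr_status = cf.getHistoricalQueryResults(hQR, db);
    EXPECT_TRUE(hqr_status.ok());
    EXPECT_EQ(hqr_status.toString(), "OK");

    // Distinct name so the outer `s` is not shadowed inside the loop.
    DiffResults dr;
    auto add_status =
        cf.addNewResults(result.second, dr, true, std::time(nullptr), db);
    EXPECT_TRUE(add_status.ok());

    DiffResults expected = diff(hQR.mostRecentResults.second, result.second);
    EXPECT_EQ(dr, expected);

    // The just-added results must now be the "current" ones. The read status
    // used to be ignored; a failed read would leave `qd` empty and could mask
    // a mismatch, so it is checked explicitly.
    QueryData qd;
    auto current_status = cf.getCurrentResults(qd, db);
    EXPECT_TRUE(current_status.ok());
    EXPECT_EQ(qd, result.second);
  }
}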
TEST_F(QueryTests, test_private_members) {
  // The constructor must store the scheduled query unchanged.
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("foobar", scheduled);
  EXPECT_EQ(cf.query_, scheduled);
}
TEST_F(QueryTests, test_get_interval) {
  // getInterval() is a pass-through of the scheduled query's interval.
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("foobar", scheduled);
  EXPECT_EQ(cf.getInterval(), scheduled.interval);
}
TEST_F(QueryTests, test_get_query) {
  // getQuery() is a pass-through of the scheduled query's SQL text.
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("foobar", scheduled);
  EXPECT_EQ(cf.getQuery(), scheduled.query);
}
TEST_F(QueryTests, test_get_column_family_name) {
  // The name handed to the constructor is what getQueryName() reports.
  auto scheduled = getOsqueryScheduledQuery();
  Query cf("foobar", scheduled);
  EXPECT_EQ(cf.getQueryName(), "foobar");
}