TEST_F(QueryTests, test_add_and_get_current_results) {
// Test adding a "current" set of results to a scheduled query instance.
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
auto status = cf.addNewResults(getTestDBExpectedResults(), db_);
EXPECT_TRUE(status.ok());
EXPECT_EQ(status.toString(), "OK");
// Simulate results from several schedule runs, calculate differentials.
for (auto result : getTestDBResultStream()) {
// Get the results from the previous query execution (from RocksDB).
QueryData previous_qd;
auto status = cf.getPreviousQueryResults(previous_qd, db_);
EXPECT_TRUE(status.ok());
EXPECT_EQ(status.toString(), "OK");
// Add the "current" results and output the differentials.
DiffResults dr;
auto s = cf.addNewResults(result.second, dr, true, db_);
EXPECT_TRUE(s.ok());
// Call the diffing utility directly.
DiffResults expected = diff(previous_qd, result.second);
EXPECT_EQ(dr, expected);
// After Query::addNewResults the previous results are now current.
QueryData qd;
cf.getPreviousQueryResults(qd, db_);
EXPECT_EQ(qd, result.second);
}
}
TEST_F(QueryTests, test_query_name_not_found_in_db) {
// Try to retrieve results from a query that has not executed.
QueryData previous_qd;
auto query = getOsqueryScheduledQuery();
auto cf = Query("not_a_real_query", query);
auto status = cf.getPreviousQueryResults(previous_qd, db_);
EXPECT_FALSE(status.ok());
}
static void DATABASE_query_results(benchmark::State& state) {
auto qd = getExampleQueryData(state.range_x(), state.range_y());
auto query = getOsqueryScheduledQuery();
while (state.KeepRunning()) {
DiffResults diff_results;
auto dbq = Query("default", query);
dbq.addNewResults(qd, diff_results);
}
}
TEST_F(QueryTests, test_is_query_name_in_database) {
auto query = getOsqueryScheduledQuery();
auto cf = Query(query);
auto hQR = getSerializedHistoricalQueryResultsJSON();
auto put_status = db->Put(kQueries, query.name, hQR.first);
EXPECT_TRUE(put_status.ok());
EXPECT_EQ(put_status.toString(), "OK");
EXPECT_TRUE(cf.isQueryNameInDatabase(db));
}
TEST_F(QueryTests, test_is_query_name_in_database) {
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
auto encoded_qd = getSerializedQueryDataJSON();
auto status = db_->Put(kQueries, "foobar", encoded_qd.first);
EXPECT_TRUE(status.ok());
// Now test that the query name exists.
EXPECT_TRUE(cf.isQueryNameInDatabase(db_));
}
TEST_F(QueryTests, test_query_name_not_found_in_db) {
HistoricalQueryResults from_db;
auto query = getOsqueryScheduledQuery();
query.name = "not_a_real_query";
auto cf = Query(query);
auto query_status = cf.getHistoricalQueryResults(from_db, db);
EXPECT_FALSE(query_status.ok());
EXPECT_EQ(query_status.toString(), "query name not found in database");
}
static void DATABASE_query_results(benchmark::State& state) {
auto qd = getExampleQueryData(state.range(0), state.range(1));
auto query = getOsqueryScheduledQuery();
while (state.KeepRunning()) {
DiffResults diff_results;
uint64_t counter;
auto dbq = Query("default", query);
dbq.addNewResults(std::move(qd), 0, counter, diff_results);
}
}
TEST_F(QueryTests, test_get_stored_query_names) {
auto query = getOsqueryScheduledQuery();
auto cf = Query(query);
auto hQR = getSerializedHistoricalQueryResultsJSON();
auto put_status = db->Put(kQueries, query.name, hQR.first);
EXPECT_TRUE(put_status.ok());
EXPECT_EQ(put_status.toString(), "OK");
auto names = cf.getStoredQueryNames(db);
auto in_vector = std::find(names.begin(), names.end(), query.name);
EXPECT_NE(in_vector, names.end());
}
TEST_F(QueryTests, test_get_stored_query_names) {
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
auto encoded_qd = getSerializedQueryDataJSON();
auto status = db_->Put(kQueries, "foobar", encoded_qd.first);
EXPECT_TRUE(status.ok());
// Stored query names is a factory method included alongside every query.
// It will include the set of query names with existing "previous" results.
auto names = cf.getStoredQueryNames(db_);
auto in_vector = std::find(names.begin(), names.end(), "foobar");
EXPECT_NE(in_vector, names.end());
}
TEST_F(QueryTests, test_get_query_results) {
// Grab an expected set of query data and add it as the previous result.
auto encoded_qd = getSerializedQueryDataJSON();
auto query = getOsqueryScheduledQuery();
auto status = db_->Put(kQueries, "foobar", encoded_qd.first);
EXPECT_TRUE(status.ok());
// Use the Query retrieval API to check the now "previous" result.
QueryData previous_qd;
auto cf = Query("foobar", query);
status = cf.getPreviousQueryResults(previous_qd, db_);
EXPECT_TRUE(status.ok());
}
TEST_F(QueryTests, test_get_current_results) {
auto hQR = getSerializedHistoricalQueryResultsJSON();
auto query = getOsqueryScheduledQuery();
auto put_status = db->Put(kQueries, query.name, hQR.first);
EXPECT_TRUE(put_status.ok());
EXPECT_EQ(put_status.toString(), "OK");
auto cf = Query(query);
QueryData qd;
auto query_status = cf.getCurrentResults(qd, db);
EXPECT_TRUE(query_status.ok());
EXPECT_EQ(query_status.toString(), "OK");
EXPECT_EQ(qd, hQR.second.mostRecentResults.second);
}
TEST_F(QueryTests, test_get_historical_query_results) {
auto hQR = getSerializedHistoricalQueryResultsJSON();
auto query = getOsqueryScheduledQuery();
auto put_status = db->Put(kQueries, query.name, hQR.first);
EXPECT_TRUE(put_status.ok());
EXPECT_EQ(put_status.toString(), "OK");
auto cf = Query(query);
HistoricalQueryResults from_db;
auto query_status = cf.getHistoricalQueryResults(from_db, db);
EXPECT_TRUE(query_status.ok());
EXPECT_EQ(query_status.toString(), "OK");
EXPECT_EQ(from_db, hQR.second);
}
TEST_F(QueryTests, test_add_and_get_current_results) {
auto query = getOsqueryScheduledQuery();
auto cf = Query(query);
auto s = cf.addNewResults(getTestDBExpectedResults(), std::time(0), db);
EXPECT_TRUE(s.ok());
EXPECT_EQ(s.toString(), "OK");
for (auto result : getTestDBResultStream()) {
DiffResults dr;
HistoricalQueryResults hQR;
auto hqr_status = cf.getHistoricalQueryResults(hQR, db);
EXPECT_TRUE(hqr_status.ok());
EXPECT_EQ(hqr_status.toString(), "OK");
auto s = cf.addNewResults(result.second, dr, true, std::time(0), db);
EXPECT_TRUE(s.ok());
DiffResults expected = diff(hQR.mostRecentResults.second, result.second);
EXPECT_EQ(dr, expected);
QueryData qd;
cf.getCurrentResults(qd, db);
EXPECT_EQ(qd, result.second);
}
}
TEST_F(QueryTests, test_private_members) {
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
EXPECT_EQ(cf.query_, query);
}
TEST_F(QueryTests, test_get_interval) {
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
EXPECT_EQ(cf.getInterval(), query.interval);
}
TEST_F(QueryTests, test_get_query) {
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
EXPECT_EQ(cf.getQuery(), query.query);
}
TEST_F(QueryTests, test_get_column_family_name) {
auto query = getOsqueryScheduledQuery();
auto cf = Query("foobar", query);
EXPECT_EQ(cf.getQueryName(), "foobar");
}
