osquery::Status Query::addNewResults(const osquery::QueryData& qd,
osquery::DiffResults& dr,
bool calculate_diff,
int unix_time,
std::shared_ptr<DBHandle> db) {
HistoricalQueryResults hQR;
auto hqr_status = getHistoricalQueryResults(hQR, db);
if (!hqr_status.ok() && hqr_status.toString() != kQueryNameNotFoundError) {
return hqr_status;
}
if (calculate_diff) {
dr = diff(hQR.mostRecentResults.second, qd);
}
hQR.mostRecentResults.first = unix_time;
hQR.mostRecentResults.second = qd;
std::string json;
auto serialize_status = serializeHistoricalQueryResultsJSON(hQR, json);
if (!serialize_status.ok()) {
return serialize_status;
}
auto put_status = db->Put(kQueries, query_.name, json);
if (!put_status.ok()) {
return put_status;
}
return Status(0, "OK");
}
Status Query::getCurrentResults(QueryData& qd, std::shared_ptr<DBHandle> db) {
HistoricalQueryResults hQR;
auto s = getHistoricalQueryResults(hQR, db);
if (s.ok()) {
qd = hQR.mostRecentResults.second;
}
return s;
}
TEST_F(QueryTests, test_query_name_not_found_in_db) {
HistoricalQueryResults from_db;
auto query = getOsqueryScheduledQuery();
query.name = "not_a_real_query";
auto cf = Query(query);
auto query_status = cf.getHistoricalQueryResults(from_db, db);
EXPECT_FALSE(query_status.ok());
EXPECT_EQ(query_status.toString(), "query name not found in database");
}
TEST_F(QueryTests, test_get_historical_query_results) {
auto hQR = getSerializedHistoricalQueryResultsJSON();
auto query = getOsqueryScheduledQuery();
auto put_status = db->Put(kQueries, query.name, hQR.first);
EXPECT_TRUE(put_status.ok());
EXPECT_EQ(put_status.toString(), "OK");
auto cf = Query(query);
HistoricalQueryResults from_db;
auto query_status = cf.getHistoricalQueryResults(from_db, db);
EXPECT_TRUE(query_status.ok());
EXPECT_EQ(query_status.toString(), "OK");
EXPECT_EQ(from_db, hQR.second);
}
TEST_F(QueryTests, test_add_and_get_current_results) {
auto query = getOsqueryScheduledQuery();
auto cf = Query(query);
auto s = cf.addNewResults(getTestDBExpectedResults(), std::time(0), db);
EXPECT_TRUE(s.ok());
EXPECT_EQ(s.toString(), "OK");
for (auto result : getTestDBResultStream()) {
DiffResults dr;
HistoricalQueryResults hQR;
auto hqr_status = cf.getHistoricalQueryResults(hQR, db);
EXPECT_TRUE(hqr_status.ok());
EXPECT_EQ(hqr_status.toString(), "OK");
auto s = cf.addNewResults(result.second, dr, true, std::time(0), db);
EXPECT_TRUE(s.ok());
DiffResults expected = diff(hQR.mostRecentResults.second, result.second);
EXPECT_EQ(dr, expected);
QueryData qd;
cf.getCurrentResults(qd, db);
EXPECT_EQ(qd, result.second);
}
}
Status Query::getHistoricalQueryResults(HistoricalQueryResults& hQR) {
return getHistoricalQueryResults(hQR, DBHandle::getInstance());
}
