[Kolide ATC] Construct KATC tables and add support for Firefox extension data #1763

Merged
Jul 3, 2024
dda79df
Construct KATC tables
RebeccaMahany Jun 26, 2024
5530c17
Add support for deserializing structured_clone javascript objects
RebeccaMahany Jun 26, 2024
80b380b
Reorder function args
RebeccaMahany Jun 27, 2024
38c9e46
Rename type => source
RebeccaMahany Jun 27, 2024
90a930b
Fetch columns from query results
RebeccaMahany Jun 27, 2024
42ae269
Ensure path is included in results; reorder func args
RebeccaMahany Jun 27, 2024
4782383
Merge remote-tracking branch 'upstream/main' into becca/katc-construct
RebeccaMahany Jun 27, 2024
376714f
Merge remote-tracking branch 'upstream/main' into becca/katc-construct
RebeccaMahany Jun 28, 2024
15f7ea5
Read-only
RebeccaMahany Jun 28, 2024
f52843e
Transform entire row instead of individual data to properly unwrap in…
RebeccaMahany Jun 28, 2024
9868c16
Add source path constraint filtering so we don't run queries against …
RebeccaMahany Jun 28, 2024
9159366
Add test for constraint checks
RebeccaMahany Jun 28, 2024
1e32327
Rename function for brevity
RebeccaMahany Jun 28, 2024
af341ae
Add documentation
RebeccaMahany Jun 28, 2024
3d0c135
Add a table test
RebeccaMahany Jun 28, 2024
212b047
discard column log is way too noisy, remove it
RebeccaMahany Jun 28, 2024
f7c7eb8
Remove source type until implemented
RebeccaMahany Jun 28, 2024
3efe890
Rename to disambiguate source (type of table) and source (specific lo…
RebeccaMahany Jul 1, 2024
7fbdcb8
Rename structured clone to something more intuitive
RebeccaMahany Jul 1, 2024
97d8647
Fix dsn for sqlite
RebeccaMahany Jul 1, 2024
62e4061
Remove unneeded check
RebeccaMahany Jul 1, 2024
eda263e
Don't need unnecessary variable, return early if constraint not met
RebeccaMahany Jul 1, 2024
3019cf0
Support LIKE syntax for source rather than glob
RebeccaMahany Jul 1, 2024
0c00c9e
Merge remote-tracking branch 'upstream/main' into becca/katc-construct
RebeccaMahany Jul 2, 2024
125 changes: 125 additions & 0 deletions ee/katc/config.go
@@ -0,0 +1,125 @@
package katc

import (
"context"
"encoding/json"
"errors"
"fmt"
"log/slog"
"runtime"

"github.com/osquery/osquery-go"
"github.com/osquery/osquery-go/plugin/table"
)

// katcSourceType defines a source of data for a KATC table. The `name` is the
// identifier parsed from the JSON KATC config, and the `dataFunc` is the function
// that performs the query against the source.
type katcSourceType struct {
name string
dataFunc func(ctx context.Context, slogger *slog.Logger, path string, query string, sourceConstraints *table.ConstraintList) ([]sourceData, error)
}

// sourceData holds the result of calling `katcSourceType.dataFunc`. It maps the
// source's path to the query results. (A config may have wildcards in the path,
// allowing for querying against multiple source paths.)
type sourceData struct {
path string
rows []map[string][]byte
}

const (
sqliteSourceType = "sqlite"
indexedDBSourceType = "indexeddb"
)

func (kst *katcSourceType) UnmarshalJSON(data []byte) error {
var s string
err := json.Unmarshal(data, &s)
if err != nil {
return fmt.Errorf("unmarshalling string: %w", err)
}

switch s {
case sqliteSourceType:
kst.name = sqliteSourceType
kst.dataFunc = sqliteData
return nil
case indexedDBSourceType:
kst.name = indexedDBSourceType
return errors.New("indexeddb is not yet implemented")
default:
return fmt.Errorf("unknown table type %s", s)
}
}

// rowTransformStep defines an operation performed against a row of data
// returned from a source. The `name` is the identifier parsed from the
// JSON KATC config.
type rowTransformStep struct {
name string
transformFunc func(ctx context.Context, slogger *slog.Logger, row map[string][]byte) (map[string][]byte, error)
}

const (
snappyDecodeTransformStep = "snappy"
structuredCloneDeserializeTransformStep = "structured_clone"
)

func (r *rowTransformStep) UnmarshalJSON(data []byte) error {
var s string
err := json.Unmarshal(data, &s)
if err != nil {
return fmt.Errorf("unmarshalling string: %w", err)
}

switch s {
case snappyDecodeTransformStep:
r.name = snappyDecodeTransformStep
r.transformFunc = snappyDecode
return nil
case structuredCloneDeserializeTransformStep:
r.name = structuredCloneDeserializeTransformStep
r.transformFunc = structuredCloneDeserialize
return nil
default:
return fmt.Errorf("unknown data processing step %s", s)
}
}

// katcTableConfig is the configuration for a specific KATC table. The control server
// sends down these configurations.
type katcTableConfig struct {
Source katcSourceType `json:"source"`
Platform string `json:"platform"`
Columns []string `json:"columns"`
Path string `json:"path"` // Path to file holding data (e.g. sqlite file) -- wildcards supported
Query string `json:"query"` // Query to run against `path`
RowTransformSteps []rowTransformStep `json:"row_transform_steps"`
}

// ConstructKATCTables takes stored configuration of KATC tables, parses the configuration,
// and returns the constructed tables.
func ConstructKATCTables(config map[string]string, slogger *slog.Logger) []osquery.OsqueryPlugin {
plugins := make([]osquery.OsqueryPlugin, 0)
for tableName, tableConfigStr := range config {
var cfg katcTableConfig
if err := json.Unmarshal([]byte(tableConfigStr), &cfg); err != nil {
slogger.Log(context.TODO(), slog.LevelWarn,
"unable to unmarshal config for Kolide ATC table, skipping",
"table_name", tableName,
"err", err,
)
continue
}

if cfg.Platform != runtime.GOOS {
continue
}

t, columns := newKatcTable(tableName, cfg, slogger)
plugins = append(plugins, table.NewPlugin(tableName, columns, t.generate))
}

return plugins
}
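Review bot: `katcSourceType.UnmarshalJSON` assigns `kst.name` in the indexeddb case and then returns an error, so a failed decode leaves the receiver partially populated; returning the error without touching the receiver keeps a rejected config side-effect free. Both switch defaults would be clearer with `%q`, e.g. `fmt.Errorf("unknown table type %q", s)` and `fmt.Errorf("unknown data processing step %q", s)`, since `s` is control-server input and may be empty or contain whitespace. `katcTableConfig` would benefit from a comment making the trust boundary explicit, such as `// Query is executed as given against every file matching Path; the sqlite source opens those files read-only (mode=ro).` `ConstructKATCTables` also ranges over a map, so the plugin order differs between runs; iterating over sorted keys makes registration order and logs deterministic.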
78 changes: 78 additions & 0 deletions ee/katc/config_test.go
@@ -0,0 +1,78 @@
package katc

import (
_ "embed"
"fmt"
"runtime"
"testing"

"github.com/kolide/launcher/pkg/log/multislogger"
"github.com/stretchr/testify/require"
)

func TestConstructKATCTables(t *testing.T) {
t.Parallel()

for _, tt := range []struct {
testCaseName string
katcConfig map[string]string
expectedPluginCount int
}{
{
testCaseName: "snappy_sqlite",
katcConfig: map[string]string{
"kolide_snappy_sqlite_test": fmt.Sprintf(`{
"source": "sqlite",
"platform": "%s",
"columns": ["data"],
"path": "/some/path/to/db.sqlite",
"query": "SELECT data FROM object_data JOIN object_store ON (object_data.object_store_id = object_store.id) WHERE object_store.name=\"testtable\";",
"row_transform_steps": ["snappy"]
}`, runtime.GOOS),
},
expectedPluginCount: 1,
},
{
testCaseName: "malformed config",
katcConfig: map[string]string{
"malformed_test": "this is not a config",
},
expectedPluginCount: 0,
},
{
testCaseName: "invalid table source",
katcConfig: map[string]string{
"kolide_snappy_test": fmt.Sprintf(`{
"source": "unknown_source",
"platform": "%s",
"columns": ["data"],
"path": "/some/path/to/db.sqlite",
"query": "SELECT data FROM object_data;"
}`, runtime.GOOS),
},
expectedPluginCount: 0,
},
{
testCaseName: "invalid data processing step type",
katcConfig: map[string]string{
"kolide_snappy_test": fmt.Sprintf(`{
"source": "sqlite",
"platform": "%s",
"columns": ["data"],
"path": "/some/path/to/db.sqlite",
"query": "SELECT data FROM object_data;",
"row_transform_steps": ["unknown_step"]
}`, runtime.GOOS),
},
expectedPluginCount: 0,
},
} {
tt := tt
t.Run(tt.testCaseName, func(t *testing.T) {
t.Parallel()

plugins := ConstructKATCTables(tt.katcConfig, multislogger.NewNopLogger())
require.Equal(t, tt.expectedPluginCount, len(plugins), "unexpected number of plugins")
})
}
}
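Review bot: The table cases cover malformed JSON and unknown source/step names but never exercise the `cfg.Platform != runtime.GOOS` branch in `ConstructKATCTables`, so a regression that drops the platform filter would still pass; a case with `"platform": "not-this-os"` and `expectedPluginCount: 0` would pin it. The `tt := tt` copy on the loop variable is only required for Go versions before 1.22 — fine to keep if the module targets an older version, otherwise it can be removed.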
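--- a/ee/katc/snappy.go
+++ b/ee/katc/snappy.go
@@ -0,0 +1,26 @@
+package katc
+
+import (
+"context"
+"fmt"
+"log/slog"
+
+"github.com/golang/snappy"
+)
+
+// snappyDecode is a dataProcessingStep that decodes data compressed with snappy.
+// We use this to decode data retrieved from Firefox IndexedDB sqlite-backed databases.
+func snappyDecode(ctx context.Context, _ *slog.Logger, row map[string][]byte) (map[string][]byte, error) {
+decodedRow := make(map[string][]byte)
+
+for k, v := range row {
+decodedResultBytes, err := snappy.Decode(nil, v)
+if err != nil {
+return nil, fmt.Errorf("decoding data for key %s: %w", k, err)
+}
+
+decodedRow[k] = decodedResultBytes
+}
+
+return decodedRow, nil
+}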
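Review bot: The doc comment on `snappyDecode` still calls it a `dataProcessingStep`, but the type it is wired into from config.go is `rowTransformStep`; update it to `// snappyDecode is a rowTransformStep that snappy-decodes every column value in a row.` The loop decodes every key unconditionally, so a column selected alongside `data` that is not snappy-compressed (an id or key column) fails the whole row instead of passing through; whether that holds depends on the configured query, so the assumption is worth stating in the comment or the decode limited to the configured data column. The bytes come from browser profile storage that web content writes to, so the decoder runs on data the device owner does not control; `snappy.Decode` allocates a buffer of the length declared in the stream header, and this per-row error path is the natural place to cap the accepted decoded size if that ever needs bounding.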
104 changes: 104 additions & 0 deletions ee/katc/sqlite.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
package katc

import (
"context"
"database/sql"
"fmt"
"log/slog"
"path/filepath"

"github.com/osquery/osquery-go/plugin/table"
_ "modernc.org/sqlite"
)

// sqliteData is the dataFunc for sqlite KATC tables
func sqliteData(ctx context.Context, slogger *slog.Logger, pathPattern string, query string, sourceConstraints *table.ConstraintList) ([]sourceData, error) {
sqliteDbs, err := filepath.Glob(pathPattern)
if err != nil {
return nil, fmt.Errorf("globbing for files with pattern %s: %w", pathPattern, err)
}

results := make([]sourceData, 0)
for _, sqliteDb := range sqliteDbs {
// Check to make sure `sqliteDb` adheres to sourceConstraints
valid, err := checkSourcePathConstraints(sqliteDb, sourceConstraints)
if err != nil {
return nil, fmt.Errorf("checking source path constraints: %w", err)
}
if !valid {
continue
}

rowsFromDb, err := querySqliteDb(ctx, slogger, sqliteDb, query)
if err != nil {
return nil, fmt.Errorf("querying %s: %w", sqliteDb, err)
}
results = append(results, sourceData{
path: sqliteDb,
rows: rowsFromDb,
})
}

return results, nil
}

// querySqliteDb queries the database at the given path, returning rows of results
func querySqliteDb(ctx context.Context, slogger *slog.Logger, path string, query string) ([]map[string][]byte, error) {
dsn := fmt.Sprintf("file://%s?mode=ro", path)
conn, err := sql.Open("sqlite", dsn)
if err != nil {
return nil, fmt.Errorf("opening sqlite db: %w", err)
}
defer func() {
if err := conn.Close(); err != nil {
slogger.Log(ctx, slog.LevelWarn,
"closing sqlite db after query",
"err", err,
)
}
}()

rows, err := conn.QueryContext(ctx, query)
if err != nil {
return nil, fmt.Errorf("running query: %w", err)
}
defer func() {
if err := rows.Close(); err != nil {
slogger.Log(ctx, slog.LevelWarn,
"closing rows after scanning results",
"err", err,
)
}
}()

results := make([]map[string][]byte, 0)

// Fetch columns so we know how many values per row we will scan
columns, err := rows.Columns()
if err != nil {
return nil, fmt.Errorf("getting columns from query result: %w", err)
}

// Prepare scan destination
rawResult := make([][]byte, len(columns))
scanDest := make([]any, len(columns))
for i := 0; i < len(columns); i += 1 {
scanDest[i] = &rawResult[i]
}

// Scan all rows
for rows.Next() {
if err := rows.Scan(scanDest...); err != nil {
return nil, fmt.Errorf("scanning query results: %w", err)
}

row := make(map[string][]byte)
for i := 0; i < len(columns); i += 1 {
row[columns[i]] = rawResult[i]
}

results = append(results, row)
}

return results, nil
}
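Review bot: `querySqliteDb` never checks `rows.Err()` after the `for rows.Next()` loop, so an error that interrupts iteration (I/O failure, a locked or corrupt database mid-scan) is indistinguishable from end-of-results and a truncated row set is returned as success; add `if err := rows.Err(); err != nil { return nil, fmt.Errorf("iterating query results: %w", err) }` before `return results, nil`. The DSN is built with `fmt.Sprintf("file://%s?mode=ro", path)` with the path interpolated unescaped, so a matched path containing `?` or `#` is parsed as query/fragment; escaping the path component, and confirming the driver's handling of Windows drive-letter paths in this URI form, is worth a look. In `sqliteData` the control-server-supplied `pathPattern` is passed straight to `filepath.Glob`, which appears to be by design but deserves a one-line comment, e.g. `// pathPattern comes from the control-server config; only matches satisfying sourceConstraints are queried.` Minor style: the two `for i := 0; i < len(columns); i += 1` loops are more idiomatically `for i := range columns`.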