Write client info database to a snapshot (Velocidex#2776)

This allows client records to be read much more efficiently than one
record per file.

accessors/zip/zip.go

@@ -18,24 +18,7 @@
 
 // A Zip accessor.
 
-// This accessor provides access to compressed archives. The filename
-// is encoded in such a way that this accessor can delegate to another
-// accessor to actually open the underlying zip file. This makes it
-// possible to open zip files read through e.g. raw ntfs.
-
-// For example a filename is URL encoded as:
-// ntfs:/c:\\Windows\\File.zip#/foo/bar
-
-// Refers to the file opened by the accessor "ntfs" (The URL Scheme)
-// with a path (URL Path) of c:\\Windows\File.zip. We then open this
-// file and return a member called /foo/bar (The URL Fragment) within
-// the archive.
-
-// This scheme allows us to nest zip files if we need to:
-// zip://fs:%2Fc:%5Cfoo%5Cbar%23nested.zip#foo/bar
-
-// Refers to the file /foo/bar stored within a zip file nested.zip
-// which is itself stored on the filesystem at c:\foo\bar\nested.zip
+// This accessor provides access to compressed archives.
 
 package zip
 

actions/proto/vql.proto

@@ -194,6 +194,10 @@ message ClientInfo {
     repeated string labels = 15;
     repeated string mac_addresses = 22;
 
+    // A hint if tasks are available. This does not have to be date -
+    // checking the task queue will yield the correct tasks.
+    bool has_tasks = 27;
+
     string last_interrogate_flow_id = 16;
 
     // This can be a customized artifact that is compatible with

artifacts/definitions/Server/Internal/ClientInfoSnapshot.yaml

@@ -0,0 +1,6 @@
+name: Server.Internal.ClientInfoSnapshot
+type: INTERNAL
+description: |
+  An internal artifact that fires when the master node writes a new
+  snapshot. Minion use this to trigger a refresh of their client info
+  snapshots.

docs/references/vql.yaml

@@ -998,11 +998,14 @@
   description: Delete all the files that make up a flow.
   type: Plugin
   args:
-  - name: client_id
+  - name: flow_id
     type: string
     required: true
-  - name: flow_id
+  - name: client_id
     type: string
+    required: true
+  - name: really_do_it
+    type: bool
   metadata:
     permissions: DELETE_RESULTS
 - name: dict
@@ -2859,6 +2862,18 @@
     description: A list of items to filter
     required: true
   category: basic
+- name: leveldb
+  description: Enumerate all items in a level db database
+  type: Plugin
+  args:
+  - name: file
+    type: accessors.OSPath
+    description: The path to the leveldb file.
+  - name: accessor
+    type: string
+    description: The accessor to use.
+  metadata:
+    permissions: FILESYSTEM_READ
 - name: log
   description: |
     Log the message and return TRUE.
@@ -5084,6 +5099,8 @@
     type: string
     required: true
   category: server
+  metadata:
+    permissions: SERVER_ADMIN
 - name: server_set_metadata
   description: |
     Sets server metadata. Server metadata is a set of free form
@@ -5945,6 +5962,12 @@
   - name: serversideencryption
     type: string
     description: The server side encryption method to use
+  - name: kmsencryptionkey
+    type: string
+    description: The server side KMS key to use
+  - name: s3uploadroot
+    type: string
+    description: Prefix for the S3 object
   - name: noverifycert
     type: bool
     description: Skip TLS Verification (deprecated in favor of SkipVerify)
@@ -6106,6 +6129,9 @@
   - name: fragment
     type: string
     description: The fragment
+  - name: query
+    type: Any
+    description: A dict representing a query string
   - name: parse
     type: string
     description: A url to parse