artifacts collect command can support multiple artifacts again. (Velo…

…cidex#1131)
tlinman67 · Jul 1, 2021 · 0b76066 · 0b76066
1 parent 562c181
commit 0b76066
Showing 1 changed file with 31 additions and 14 deletions.
diff --git a/bin/artifacts.go b/bin/artifacts.go
@@ -30,6 +30,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/config"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	flows_proto "www.velocidex.com/golang/velociraptor/flows/proto"
+	"www.velocidex.com/golang/velociraptor/json"
 	logging "www.velocidex.com/golang/velociraptor/logging"
 	"www.velocidex.com/golang/velociraptor/services"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
@@ -79,9 +80,9 @@ var (
 		"format", "Output format to use  (text,json,csv,jsonl).").
 		Default("json").Enum("text", "json", "csv", "jsonl")
 
-	artifact_command_collect_name = artifact_command_collect.Arg(
+	artifact_command_collect_names = artifact_command_collect.Arg(
 		"artifact_name", "The artifact name to collect.").
-		Required().HintAction(listArtifactsHint).String()
+		Required().HintAction(listArtifactsHint).Strings()
 
 	artifact_command_collect_args = artifact_command_collect.Flag(
 		"args", "Artifact args.").Strings()
@@ -131,19 +132,35 @@ func doArtifactCollect() {
 	kingpin.FatalIfError(err, "Load Config ")
 	defer sm.Close()
 
-	collect_args := ordereddict.NewDict()
-	for _, item := range *artifact_command_collect_args {
-		parts := strings.SplitN(item, "=", 2)
-		arg_name := parts[0]
-
-		if len(parts) < 2 {
-			collect_args.Set(arg_name, "Y")
-		} else {
-			collect_args.Set(arg_name, parts[1])
+	spec := ordereddict.NewDict()
+	for _, name := range *artifact_command_collect_names {
+		collect_args := ordereddict.NewDict()
+		for _, item := range *artifact_command_collect_args {
+			// If an arg has to apply only to a single
+			// artifact then the user may prepend the name
+			// of the artifact with a :: separator.
+			namespaces := strings.SplitN(item, "::", 2)
+			if len(namespaces) == 2 {
+				if namespaces[0] != name {
+					continue
+				}
+				item = namespaces[1]
+			}
+
+			parts := strings.SplitN(item, "=", 2)
+			arg_name := parts[0]
+
+			if len(parts) < 2 {
+				collect_args.Set(arg_name, "Y")
+			} else {
+				collect_args.Set(arg_name, parts[1])
+			}
 		}
+
+		spec.Set(name, collect_args)
 	}
 
-	collect_args = ordereddict.NewDict().Set(*artifact_command_collect_name, collect_args)
+	json.Dump(spec)
 
 	manager, err := services.GetRepositoryManager()
 	kingpin.FatalIfError(err, "GetRepositoryManager")
@@ -153,11 +170,11 @@ func doArtifactCollect() {
 		ACLManager: vql_subsystem.NullACLManager{},
 		Logger:     log.New(&LogWriter{config_obj}, " ", 0),
 		Env: ordereddict.NewDict().
-			Set("Artifacts", []string{*artifact_command_collect_name}).
+			Set("Artifacts", *artifact_command_collect_names).
 			Set("Output", *artifact_command_collect_output).
 			Set("Password", *artifact_command_collect_output_password).
 			Set("Report", *artifact_command_collect_report).
-			Set("Args", collect_args).
+			Set("Args", spec).
 			Set("Format", *artifact_command_collect_format),
 	})
 	defer scope.Close()