Initial implementation of timelines (Velocidex#1134)

tlinman67 · Jul 5, 2021 · 0f3742f · 0f3742f
1 parent cc6d9a2
commit 0f3742f
Show file tree

Hide file tree

Showing 42 changed files with 2,902 additions and 1,717 deletions.
diff --git a/api/api.go b/api/api.go
@@ -582,7 +582,10 @@ func (self *ApiServer) GetTable(
 	var result *api_proto.GetTableResponse
 
 	// We want an event table.
-	if in.Type == "CLIENT_EVENT_LOGS" || in.Type == "SERVER_EVENT_LOGS" {
+	if in.Type == "TIMELINE" {
+		result, err = getTimeline(ctx, self.config, in)
+
+	} else if in.Type == "CLIENT_EVENT_LOGS" || in.Type == "SERVER_EVENT_LOGS" {
 		result, err = getEventTableLogs(ctx, self.config, in)
 
 	} else if in.Type == "CLIENT_EVENT" || in.Type == "SERVER_EVENT" {

diff --git a/api/csv.go b/api/csv.go
@@ -18,6 +18,8 @@
 package api
 
 import (
+	"time"
+
 	errors "github.com/pkg/errors"
 	context "golang.org/x/net/context"
 	file_store "www.velocidex.com/golang/velociraptor/file_store"
@@ -27,6 +29,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/paths"
 	"www.velocidex.com/golang/velociraptor/paths/artifacts"
 	"www.velocidex.com/golang/velociraptor/reporting"
+	"www.velocidex.com/golang/velociraptor/timelines"
 
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
@@ -222,3 +225,49 @@ func getEventTableWithPathManager(
 
 	return result, nil
 }
+
+func getTimeline(
+	ctx context.Context,
+	config_obj *config_proto.Config,
+	in *api_proto.GetTableRequest) (*api_proto.GetTableResponse, error) {
+
+	if in.NotebookId == "" {
+		return nil, errors.New("NotebookId must be specified")
+	}
+
+	path_manager := reporting.NewNotebookPathManager(in.NotebookId).Timeline(in.Timeline)
+	reader, err := timelines.NewSuperTimelineReader(config_obj, path_manager, in.SkipComponents)
+	if err != nil {
+		return nil, err
+	}
+	defer reader.Close()
+
+	if in.StartTime != 0 {
+		ts := time.Unix(0, int64(in.StartTime))
+		reader.SeekToTime(ts)
+	}
+
+	rows := uint64(0)
+	result := &api_proto.GetTableResponse{
+		Columns: []string{"_Source", "Time", "Data"},
+	}
+	for item := range reader.Read(ctx) {
+		if result.StartTime == 0 {
+			result.StartTime = item.Time
+		}
+		result.EndTime = item.Time
+		result.Rows = append(result.Rows, &api_proto.Row{
+			Cell: []string{
+				item.Source,
+				csv.AnyToString(item.Time),
+				csv.AnyToString(item.Row)},
+		})
+
+		rows += 1
+		if rows > in.Rows {
+			break
+		}
+	}
+
+	return result, nil
+}
diff --git a/api/notebooks.go b/api/notebooks.go
@@ -687,6 +687,8 @@ func (self *ApiServer) updateNotebookCell(
 		return nil, err
 	}
 
+	tmpl.SetEnv("NotebookId", in.NotebookId)
+
 	// Register a progress reporter so we can monitor how the
 	// template rendering is going.
 	tmpl.Progress = &progressReporter{

diff --git a/api/proto/api.pb.gw.go b/api/proto/api.pb.gw.go
diff --git a/api/proto/csv.pb.go b/api/proto/csv.pb.go
diff --git a/api/proto/csv.proto b/api/proto/csv.proto
@@ -38,10 +38,16 @@ message GetTableRequest {
     string cell_id = 10;
     int64 table_id = 11;
 
+    // For timelines
+    string timeline = 16;
+    // Skip these timeline components.
+    repeated string skip_components = 17;
+
     // For download handler when creating an export file - control
     // output format. Can be "csv", "jsonl"
     string download_format = 12;
 
+
     // If specified only emit these columns.
     repeated string columns = 15;
 }
@@ -60,4 +66,7 @@ message GetTableResponse {
     int64 total_rows = 3;
 
     repeated ColumnType column_types = 4;
+
+    int64 start_time = 5;
+    int64 end_time = 6;
 }