synapse 2.170.0__py311-none-any.whl → 2.172.0__py311-none-any.whl

synapse/tests/test_model_inet.py

@@ -1,4 +1,3 @@
-import copy
 import logging
 
 import synapse.exc as s_exc
@@ -12,10 +11,16 @@ class InetModelTest(s_t_utils.SynTest):
     async def test_model_inet_basics(self):
         async with self.getTestCore() as core:
             self.len(1, await core.nodes('[ inet:web:hashtag="#hehe" ]'))
+            self.len(1, await core.nodes('[ inet:web:hashtag="#foo·bar"]'))  # note the interpunct
+            self.len(1, await core.nodes('[ inet:web:hashtag="#fo·o·······b·ar"]'))
             with self.raises(s_exc.BadTypeValu):
                 await core.nodes('[ inet:web:hashtag="foo" ]')
             with self.raises(s_exc.BadTypeValu):
                 await core.nodes('[ inet:web:hashtag="#foo bar" ]')
+            with self.raises(s_exc.BadTypeValu):
+                self.len(1, await core.nodes('[ inet:web:hashtag="#·bar"]'))
+            with self.raises(s_exc.BadTypeValu):
+                self.len(1, await core.nodes('[ inet:web:hashtag="#foo·"]'))
 
             nodes = await core.nodes('''
                 [ inet:web:instance=(foo,)
@@ -2896,3 +2901,402 @@ class InetModelTest(s_t_utils.SynTest):
             self.len(1, nodes)
             self.eq(nodes[0].get('client'), 'tcp://5.6.7.8:5678')
             self.eq(nodes[0].get('cert'), client)
+
+    async def test_model_inet_service(self):
+
+        async with self.getTestCore() as core:
+
+            provname = 'Slack Corp'
+            opts = {'vars': {'provname': provname}}
+            nodes = await core.nodes(f'gen.ou.org $provname', opts=opts)
+            self.len(1, nodes)
+            provider = nodes[0]
+
+            q = '''
+            [ inet:service:platform=(slack,)
+                :url="https://slack.com"
+                :name=Slack
+                :provider={ ou:org:name=$provname }
+                :provider:name=$provname
+            ]
+            '''
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef, ('inet:service:platform', s_common.guid(('slack',))))
+            self.eq(nodes[0].get('url'), 'https://slack.com')
+            self.eq(nodes[0].get('name'), 'slack')
+            self.eq(nodes[0].get('provider'), provider.ndef[1])
+            self.eq(nodes[0].get('provider:name'), provname.lower())
+            platform = nodes[0]
+
+            q = '''
+            [ inet:service:instance=(vertex, slack)
+                :id='T2XK1223Y'
+                :platform={ inet:service:platform=(slack,) }
+                :url="https://v.vtx.lk/slack"
+                :name="Synapse users slack"
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef, ('inet:service:instance', s_common.guid(('vertex', 'slack'))))
+            self.eq(nodes[0].get('id'), 'T2XK1223Y')
+            self.eq(nodes[0].get('platform'), platform.ndef[1])
+            self.eq(nodes[0].get('url'), 'https://v.vtx.lk/slack')
+            self.eq(nodes[0].get('name'), 'synapse users slack')
+            platinst = nodes[0]
+
+            q = '''
+            [
+                (inet:service:account=(blackout, account, vertex, slack)
+                    :id=U7RN51U1J
+                    :user=blackout
+                    :email=blackout@vertex.link
+                    :profile={ gen.ps.contact.email vertex.employee blackout@vertex.link }
+                )
+
+                (inet:service:account=(visi, account, vertex, slack)
+                    :id=U2XK7PUVB
+                    :user=visi
+                    :email=visi@vertex.link
+                    :profile={ gen.ps.contact.email vertex.employee visi@vertex.link }
+                )
+            ]
+            '''
+            accounts = await core.nodes(q)
+            self.len(2, accounts)
+
+            profiles = await core.nodes('ps:contact')
+            self.len(2, profiles)
+            self.eq(profiles[0].get('email'), 'blackout@vertex.link')
+            self.eq(profiles[1].get('email'), 'visi@vertex.link')
+            blckprof, visiprof = profiles
+
+            self.eq(accounts[0].ndef, ('inet:service:account', s_common.guid(('blackout', 'account', 'vertex', 'slack'))))
+            self.eq(accounts[0].get('id'), 'U7RN51U1J')
+            self.eq(accounts[0].get('user'), 'blackout')
+            self.eq(accounts[0].get('email'), 'blackout@vertex.link')
+            self.eq(accounts[0].get('profile'), blckprof.ndef[1])
+
+            self.eq(accounts[1].ndef, ('inet:service:account', s_common.guid(('visi', 'account', 'vertex', 'slack'))))
+            self.eq(accounts[1].get('id'), 'U2XK7PUVB')
+            self.eq(accounts[1].get('user'), 'visi')
+            self.eq(accounts[1].get('email'), 'visi@vertex.link')
+            self.eq(accounts[1].get('profile'), visiprof.ndef[1])
+            blckacct, visiacct = accounts
+
+            q = '''
+            [ inet:service:group=(developers, group, vertex, slack)
+                :id=X1234
+                :name="developers, developers, developers"
+                :profile={ gen.ps.contact.email vertex.slack.group developers@vertex.slack.com }
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+
+            profiles = await core.nodes('ps:contact:email=developers@vertex.slack.com')
+            self.len(1, profiles)
+            devsprof = profiles[0]
+
+            self.eq(nodes[0].get('id'), 'X1234')
+            self.eq(nodes[0].get('name'), 'developers, developers, developers')
+            self.eq(nodes[0].get('profile'), devsprof.ndef[1])
+            devsgrp = nodes[0]
+
+            q = '''
+            [
+                (inet:service:group:member=(blackout, developers, group, vertex, slack)
+                    :account=$blckiden
+                    :group=$devsiden
+                    :period=(20230601, ?)
+                    :creator=$visiiden
+                    :remover=$visiiden
+                )
+
+                (inet:service:group:member=(visi, developers, group, vertex, slack)
+                    :account=$visiiden
+                    :group=$devsiden
+                    :period=(20150101, ?)
+                )
+            ]
+            '''
+            opts = {'vars': {
+                'blckiden': blckacct.ndef[1],
+                'visiiden': visiacct.ndef[1],
+                'devsiden': devsgrp.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(2, nodes)
+
+            self.eq(nodes[0].get('account'), blckacct.ndef[1])
+            self.eq(nodes[0].get('group'), devsgrp.ndef[1])
+            self.eq(nodes[0].get('period'), (1685577600000, 9223372036854775807))
+            self.eq(nodes[0].get('creator'), visiacct.ndef[1])
+            self.eq(nodes[0].get('remover'), visiacct.ndef[1])
+
+            self.eq(nodes[1].get('account'), visiacct.ndef[1])
+            self.eq(nodes[1].get('group'), devsgrp.ndef[1])
+            self.eq(nodes[1].get('period'), (1420070400000, 9223372036854775807))
+            self.none(nodes[1].get('creator'))
+            self.none(nodes[1].get('remover'))
+
+            q = '''
+            [ inet:service:session=*
+                :creator=$blckiden
+                :period=(202405160900, 202405161055)
+            ]
+            '''
+            opts = {'vars': {'blckiden': blckacct.ndef[1]}}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].get('creator'), blckacct.ndef[1])
+            self.eq(nodes[0].get('period'), (1715850000000, 1715856900000))
+            blcksess = nodes[0]
+
+            q = '''
+            [ inet:service:login=*
+                :method=password
+                :session=$blcksess
+                :server=tcp://10.10.10.4:443
+                :client=tcp://192.168.0.10:12345
+            ]
+            '''
+            opts = {'vars': {'blcksess': blcksess.ndef[1]}}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].get('method'), 'password.')
+
+            server = await core.nodes('inet:server=tcp://10.10.10.4:443')
+            self.len(1, server)
+            server = server[0]
+
+            client = await core.nodes('inet:client=tcp://192.168.0.10:12345')
+            self.len(1, client)
+            client = client[0]
+
+            self.eq(nodes[0].get('server'), server.ndef[1])
+            self.eq(nodes[0].get('client'), client.ndef[1])
+
+            q = '''
+            [ inet:service:message:link=(blackout, developers, 1715856900000, https://www.youtube.com/watch?v=dQw4w9WgXcQ, vertex, slack)
+                :title="Deadpool & Wolverine | Official Teaser | In Theaters July 26"
+                :url="https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].get('title'), 'Deadpool & Wolverine | Official Teaser | In Theaters July 26')
+            self.eq(nodes[0].get('url'), 'https://www.youtube.com/watch?v=dQw4w9WgXcQ')
+            msglink = nodes[0]
+
+            q = '''
+            [ inet:service:channel=(general, channel, vertex, slack)
+                :id=C1234
+                :name=general
+                :period=(20150101, ?)
+                :creator=$visiiden
+                :platform=$platiden
+                :instance=$instiden
+            ]
+            '''
+            opts = {'vars': {
+                'visiiden': visiacct.ndef[1],
+                'platiden': platform.ndef[1],
+                'instiden': platinst.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef, ('inet:service:channel', s_common.guid(('general', 'channel', 'vertex', 'slack'))))
+            self.eq(nodes[0].get('name'), 'general')
+            self.eq(nodes[0].get('period'), (1420070400000, 9223372036854775807))
+            self.eq(nodes[0].get('creator'), visiacct.ndef[1])
+            self.eq(nodes[0].get('platform'), platform.ndef[1])
+            self.eq(nodes[0].get('instance'), platinst.ndef[1])
+            gnrlchan = nodes[0]
+
+            q = '''
+            [
+                (inet:service:channel:member=(visi, general, channel, vertex, slack)
+                    :account=$visiiden
+                    :period=(20150101, ?)
+                )
+
+                (inet:service:channel:member=(blackout, general, channel, vertex, slack)
+                    :account=$blckiden
+                    :period=(20230601, ?)
+                )
+
+                :platform=$platiden
+                :instance=$instiden
+                :channel=$chnliden
+            ]
+            '''
+            opts = {'vars': {
+                'blckiden': blckacct.ndef[1],
+                'visiiden': visiacct.ndef[1],
+                'chnliden': gnrlchan.ndef[1],
+                'platiden': platform.ndef[1],
+                'instiden': platinst.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(2, nodes)
+            self.eq(nodes[0].ndef, ('inet:service:channel:member', s_common.guid(('visi', 'general', 'channel', 'vertex', 'slack'))))
+            self.eq(nodes[0].get('account'), visiacct.ndef[1])
+            self.eq(nodes[0].get('period'), (1420070400000, 9223372036854775807))
+            self.eq(nodes[0].get('channel'), gnrlchan.ndef[1])
+
+            self.eq(nodes[1].ndef, ('inet:service:channel:member', s_common.guid(('blackout', 'general', 'channel', 'vertex', 'slack'))))
+            self.eq(nodes[1].get('account'), blckacct.ndef[1])
+            self.eq(nodes[1].get('period'), (1685577600000, 9223372036854775807))
+            self.eq(nodes[1].get('channel'), gnrlchan.ndef[1])
+
+            for node in nodes:
+                self.eq(node.get('platform'), platform.ndef[1])
+                self.eq(node.get('instance'), platinst.ndef[1])
+                self.eq(node.get('channel'), gnrlchan.ndef[1])
+
+            q = '''
+            [ inet:service:message:attachment=(pbjtime.gif, blackout, developers, 1715856900000, vertex, slack)
+                :file={[ file:bytes=sha256:028241d9116a02059e99cb239c66d966e1b550926575ad7dcf0a8f076a352bcd ]}
+                :name=pbjtime.gif
+                :text="peanut butter jelly time"
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].get('file'), 'sha256:028241d9116a02059e99cb239c66d966e1b550926575ad7dcf0a8f076a352bcd')
+            self.eq(nodes[0].get('name'), 'pbjtime.gif')
+            self.eq(nodes[0].get('text'), 'peanut butter jelly time')
+            attachment = nodes[0]
+
+            q = '''
+            [
+                (inet:service:message=(blackout, developers, 1715856900000, vertex, slack)
+                    :group=$devsiden
+                    :public=$lib.false
+                )
+
+                (inet:service:message=(blackout, visi, 1715856900000, vertex, slack)
+                    :to=$visiiden
+                    :public=$lib.false
+                )
+
+                (inet:service:message=(blackout, general, 1715856900000, vertex, slack)
+                    :channel=$gnrliden
+                    :public=$lib.true
+                )
+
+                :account=$blckiden
+                :text="omg, can't wait for the new deadpool: https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+                :links+=$linkiden
+                :attachments+=$atchiden
+
+                :place:name=nyc
+                :place = { gen.geo.place nyc }
+                :file=*
+
+                :client:software = {[ it:prod:softver=* :name=woot ]}
+                :client:software:name = woot
+            ]
+            '''
+            opts = {'vars': {
+                'blckiden': blckacct.ndef[1],
+                'visiiden': visiacct.ndef[1],
+                'devsiden': devsgrp.ndef[1],
+                'gnrliden': gnrlchan.ndef[1],
+                'linkiden': msglink.ndef[1],
+                'atchiden': attachment.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(3, nodes)
+            for node in nodes:
+
+                self.eq(node.get('account'), blckacct.ndef[1])
+                self.eq(node.get('text'), "omg, can't wait for the new deadpool: https://www.youtube.com/watch?v=dQw4w9WgXcQ")
+                self.eq(node.get('links'), [msglink.ndef[1]])
+
+                self.nn(node.get('client:software'))
+                self.eq(node.get('client:software:name'), 'woot')
+
+                self.nn(node.get('place'))
+                self.eq(node.get('place:name'), 'nyc')
+
+            self.eq(nodes[0].get('group'), devsgrp.ndef[1])
+            self.false(nodes[0].get('public'))
+
+            self.eq(nodes[1].get('to'), visiacct.ndef[1])
+            self.false(nodes[1].get('public'))
+
+            self.eq(nodes[2].get('channel'), gnrlchan.ndef[1])
+            self.true(nodes[2].get('public'))
+
+            q = '''
+            [ inet:service:resource=(web, api, vertex, slack)
+                :desc="The Web API supplies a collection of HTTP methods that underpin the majority of Slack app functionality."
+                :instance=$instiden
+                :name="Slack Web APIs"
+                :platform=$platiden
+                :type=slack.web.api
+                :url="https://slack.com/api"
+            ]
+            '''
+            opts = {'vars': {
+                'platiden': platform.ndef[1],
+                'instiden': platinst.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].get('desc'), 'The Web API supplies a collection of HTTP methods that underpin the majority of Slack app functionality.')
+            self.eq(nodes[0].get('instance'), platinst.ndef[1])
+            self.eq(nodes[0].get('name'), 'slack web apis')
+            self.eq(nodes[0].get('platform'), platform.ndef[1])
+            self.eq(nodes[0].get('type'), 'slack.web.api.')
+            self.eq(nodes[0].get('url'), 'https://slack.com/api')
+            resource = nodes[0]
+
+            nodes = await core.nodes('''
+                [ inet:service:bucket:item=*
+                    :creator={ inet:service:account:user=visi }
+                    :bucket={[ inet:service:bucket=* :name=foobar
+                        :creator={ inet:service:account:user=visi }
+                    ]}
+                    :file=*
+                    :file:name=woot.exe
+                ]
+            ''')
+            self.len(1, nodes)
+            self.nn(nodes[0].get('file'))
+            self.nn(nodes[0].get('bucket'))
+            self.nn(nodes[0].get('creator'))
+            self.eq('woot.exe', nodes[0].get('file:name'))
+            self.len(1, await core.nodes('inet:service:bucket -> inet:service:bucket:item -> file:bytes'))
+            self.len(1, await core.nodes('inet:service:bucket -> inet:service:bucket:item -> inet:service:account'))
+            self.len(1, await core.nodes('inet:service:bucket -> inet:service:account'))
+            self.len(1, await core.nodes('inet:service:bucket:name=foobar'))
+
+            q = '''
+            [ inet:service:access=(api, blackout, 1715856900000, vertex, slack)
+                :account=$blckiden
+                :instance=$instiden
+                :platform=$platiden
+                :resource=$rsrciden
+                :success=$lib.true
+                :time=(1715856900000)
+            ]
+            '''
+            opts = {'vars': {
+                'blckiden': blckacct.ndef[1],
+                'instiden': platinst.ndef[1],
+                'visiiden': visiacct.ndef[1],
+                'platiden': platform.ndef[1],
+                'rsrciden': resource.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].get('account'), blckacct.ndef[1])
+            self.eq(nodes[0].get('instance'), platinst.ndef[1])
+            self.eq(nodes[0].get('platform'), platform.ndef[1])
+            self.eq(nodes[0].get('resource'), resource.ndef[1])
+            self.true(nodes[0].get('success'))
+            self.eq(nodes[0].get('time'), 1715856900000)

synapse/tests/test_model_infotech.py

@@ -4,6 +4,7 @@ import hashlib
 import synapse.exc as s_exc
 import synapse.common as s_common
 
+import synapse.lib.const as s_const
 import synapse.lib.scrape as s_scrape
 
 import synapse.models.crypto as s_m_crypto
@@ -387,6 +388,25 @@ class InfotechModelTest(s_t_utils.SynTest):
 
             self.len(1, await core.nodes('it:av:scan:result:scanner:name="visi total" -> it:av:scan:result +:scanner:name="visi scan"'))
 
+            q = '''
+            [ it:network=(vertex, ops, lan)
+                :desc="Vertex Project Operations LAN"
+                :name="opslan.lax.vertex.link"
+                :net4="10.1.0.0/16"
+                :net6="fe80::0/64"
+                :org={ gen.ou.org "Vertex Project" }
+                :type=virtual.sdn
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef, ('it:network', s_common.guid(('vertex', 'ops', 'lan'))))
+            self.eq(nodes[0].get('desc'), 'Vertex Project Operations LAN')
+            self.eq(nodes[0].get('name'), 'opslan.lax.vertex.link')
+            self.eq(nodes[0].get('net4'), (167837696, 167903231))
+            self.eq(nodes[0].get('net6'), ('fe80::', 'fe80::ffff:ffff:ffff:ffff'))
+            self.eq(nodes[0].get('type'), 'virtual.sdn.')
+
     async def test_infotech_ios(self):
 
         async with self.getTestCore() as core:
@@ -447,6 +467,24 @@ class InfotechModelTest(s_t_utils.SynTest):
             node = nodes[0]
             self.eq(node.ndef, ('it:hostname', 'bobs computer'))
 
+            q = '''
+            [ it:software:image=(ubuntu, 24.10, amd64, vhdx)
+                :name="ubuntu-24.10-amd64.vhdx"
+                :published=202405170940
+                :publisher={[ ps:contact=(blackout,) :name=blackout ]}
+                :creator={[ inet:service:account=* :user=visi ]}
+                :parents={[ it:software:image=* :name=zoom ]}
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.len(1, nodes[0].get('parents'))
+            self.eq(nodes[0].ndef, ('it:software:image', s_common.guid(('ubuntu', '24.10', 'amd64', 'vhdx'))))
+            self.eq(nodes[0].get('name'), 'ubuntu-24.10-amd64.vhdx')
+            self.eq(nodes[0].get('published'), 1715938800000)
+            self.eq(nodes[0].get('publisher'), s_common.guid(('blackout',)))
+            image = nodes[0]
+
             org0 = s_common.guid()
             host0 = s_common.guid()
             sver0 = s_common.guid()
@@ -464,11 +502,12 @@ class InfotechModelTest(s_t_utils.SynTest):
                 'loc': 'us.hehe.haha',
                 'operator': cont0,
                 'org': org0,
-                'ext:id': 'foo123'
+                'ext:id': 'foo123',
+                'image': image.ndef[1],
             }
             q = '''[(it:host=$valu :name=$p.name :desc=$p.desc :ipv4=$p.ipv4 :place=$p.place :latlong=$p.latlong
                 :os=$p.os :manu=$p.manu :model=$p.model :serial=$p.serial :loc=$p.loc :operator=$p.operator
-                :org=$p.org :ext:id=$p."ext:id")]'''
+                :org=$p.org :ext:id=$p."ext:id" :image=$p.image)]'''
             nodes = await core.nodes(q, opts={'vars': {'valu': host0, 'p': props}})
             self.len(1, nodes)
             node = nodes[0]
@@ -483,6 +522,40 @@ class InfotechModelTest(s_t_utils.SynTest):
             self.eq(node.get('org'), org0)
             self.eq(node.get('operator'), cont0)
             self.eq(node.get('ext:id'), 'foo123')
+            host = node
+
+            q = r'''
+            [ it:storage:volume=(smb, 192.168.0.10, c$, temp)
+                :name="\\\\192.168.0.10\\c$\\temp"
+                :size=(10485760)
+                :type=windows.smb.share
+            ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef, ('it:storage:volume', s_common.guid(('smb', '192.168.0.10', 'c$', 'temp'))))
+            self.eq(nodes[0].get('name'), '\\\\192.168.0.10\\c$\\temp')
+            self.eq(nodes[0].get('size'), s_const.mebibyte * 10)
+            self.eq(nodes[0].get('type'), 'windows.smb.share.')
+            volume = nodes[0]
+
+            q = r'''
+            [ it:storage:mount=($hostiden, $voluiden, z:\\)
+                :host=$hostiden
+                :path="z:\\"
+                :volume=$voluiden
+            ]
+            '''
+            opts = {'vars': {
+                'voluiden': volume.ndef[1],
+                'hostiden': host.ndef[1],
+            }}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef, ('it:storage:mount', s_common.guid((host.ndef[1], volume.ndef[1], r'z:\\'))))
+            self.eq(nodes[0].get('host'), host.ndef[1])
+            self.eq(nodes[0].get('path'), 'z:')
+            self.eq(nodes[0].get('volume'), volume.ndef[1])
 
             valu = (host0, 'http://vertex.ninja/cool.php')
             nodes = await core.nodes('[it:hosturl=$valu]', opts={'vars': {'valu': valu}})
@@ -1112,6 +1185,62 @@ class InfotechModelTest(s_t_utils.SynTest):
             self.len(1, nodes)
             self.eq(nodes[0].ndef, ('it:cmd', 'rar a -r yourfiles.rar *.txt'))
 
+            q = '''
+            [ it:host=(VTX001, 192.168.0.10) :name=VTX001 :ipv4=192.168.0.10 ]
+            $host = $node
+
+            [( it:cmd:session=(202405170900, 202405171000, bash, $host)
+                :host=$host
+                :period=(202405170900, 202405171000)
+            )]
+            '''
+            nodes = await core.nodes(q)
+            self.len(2, nodes)
+            hostguid = s_common.guid(('VTX001', '192.168.0.10'))
+            self.eq(nodes[0].ndef, ('it:host', hostguid))
+            self.eq(nodes[1].ndef, ('it:cmd:session', s_common.guid(('202405170900', '202405171000', 'bash', hostguid))))
+            self.eq(nodes[1].get('host'), hostguid)
+            self.eq(nodes[1].get('period'), (1715936400000, 1715940000000))
+            cmdsess = nodes[1]
+
+            q = '''
+            [
+                (it:cmd:history=(1715936400001, $sessiden)
+                    :cmd="ls -la"
+                    :time=(1715936400001)
+                )
+
+                (it:cmd:history=(1715936400002, $sessiden)
+                    :cmd="cd /"
+                    :time=(1715936400002)
+                )
+
+                (it:cmd:history=(1715936400003, $sessiden)
+                    :cmd="ls -laR"
+                    :time=(1715936400003)
+                )
+
+                :session=$sessiden
+            ]
+            '''
+            opts = {'vars': {'sessiden': cmdsess.ndef[1]}}
+            nodes = await core.nodes(q, opts=opts)
+            self.len(3, nodes)
+            self.eq(nodes[0].ndef, ('it:cmd:history', s_common.guid(('1715936400001', cmdsess.ndef[1]))))
+            self.eq(nodes[0].get('cmd'), 'ls -la')
+            self.eq(nodes[0].get('time'), 1715936400001)
+            self.eq(nodes[0].get('session'), cmdsess.ndef[1])
+
+            self.eq(nodes[1].ndef, ('it:cmd:history', s_common.guid(('1715936400002', cmdsess.ndef[1]))))
+            self.eq(nodes[1].get('cmd'), 'cd /')
+            self.eq(nodes[1].get('time'), 1715936400002)
+            self.eq(nodes[1].get('session'), cmdsess.ndef[1])
+
+            self.eq(nodes[2].ndef, ('it:cmd:history', s_common.guid(('1715936400003', cmdsess.ndef[1]))))
+            self.eq(nodes[2].get('cmd'), 'ls -laR')
+            self.eq(nodes[2].get('time'), 1715936400003)
+            self.eq(nodes[2].get('session'), cmdsess.ndef[1])
+
             m0 = s_common.guid()
             mprops = {
                 'exe': exe,
@@ -1747,6 +1876,7 @@ class InfotechModelTest(s_t_utils.SynTest):
 
         async with self.getTestCore() as core:
 
+            opts = {'vars': {'root': core.auth.rootuser.iden}}
             nodes = await core.nodes('''
                 [ it:exec:query=*
                     :text="SELECT * FROM threats"
@@ -1755,14 +1885,16 @@ class InfotechModelTest(s_t_utils.SynTest):
                     :api:url=https://vertex.link/api/v1.
                     :time=20220720
                     :offset=99
+                    :synuser=$root
                     // we can assume the rest of the interface props work
                 ]
-            ''')
+            ''', opts=opts)
             self.eq(1658275200000, nodes[0].get('time'))
             self.eq(99, nodes[0].get('offset'))
             self.eq('sql', nodes[0].get('language'))
             self.eq({"foo": "bar"}, nodes[0].get('opts'))
             self.eq('SELECT * FROM threats', nodes[0].get('text'))
+            self.eq(core.auth.rootuser.iden, nodes[0].get('synuser'))
             self.len(1, await core.nodes('it:exec:query -> it:query +it:query="SELECT * FROM threats"'))
 
     async def test_infotech_softid(self):

synapse/tests/test_model_orgs.py

@@ -24,6 +24,7 @@ class OuModelTest(s_t_utils.SynTest):
                     :sophistication=high
                     :reporter=$lib.gen.orgByName(vertex)
                     :reporter:name=vertex
+                    :ext:id=Foo
                 ]
             ''')
             self.len(1, nodes)
@@ -32,6 +33,7 @@ class OuModelTest(s_t_utils.SynTest):
             self.eq('Hehe', nodes[0].get('desc'))
             self.eq('lol.woot.', nodes[0].get('type'))
             self.eq('woot.woot', nodes[0].get('tag'))
+            self.eq('Foo', nodes[0].get('ext:id'))
             self.eq('T0001', nodes[0].get('mitre:attack:technique'))
             self.eq(40, nodes[0].get('sophistication'))
             self.eq('vertex', nodes[0].get('reporter:name'))
@@ -93,6 +95,7 @@ class OuModelTest(s_t_utils.SynTest):
             :techniques=$p.techniques :sophistication=$p.sophistication :tag=$p.tag
             :reporter=$p.reporter :reporter:name=$p."reporter:name" :timeline=$p.timeline
             :mitre:attack:campaign=$p."mitre:attack:campaign"
+            :ext:id=Foo
             )]'''
             nodes = await core.nodes(q, opts={'vars': {'valu': camp, 'p': props}})
             self.len(1, nodes)
@@ -106,6 +109,7 @@ class OuModelTest(s_t_utils.SynTest):
             self.eq(node.get('names'), ('bar', 'foo'))
             self.eq(node.get('type'), 'MyType')
             self.eq(node.get('desc'), 'MyDesc')
+            self.eq(node.get('ext:id'), 'Foo')
             self.eq(node.get('success'), 1)
             self.eq(node.get('sophistication'), 40)
             self.eq(node.get('camptype'), 'get.pizza.')
@@ -234,6 +238,7 @@ class OuModelTest(s_t_utils.SynTest):
                 :logo=$p.logo :alias=$p.alias :phone=$p.phone :sic=$p.sic :naics=$p.naics :url=$p.url
                 :us:cage=$p."us:cage" :founded=$p.founded :dissolved=$p.dissolved
                 :techniques=$p.techniques :goals=$p.goals
+                :ext:id=Foo
             )]'''
             nodes = await core.nodes(q, opts={'vars': {'valu': guid0, 'p': props}})
             self.len(1, nodes)
@@ -254,6 +259,7 @@ class OuModelTest(s_t_utils.SynTest):
             self.eq(node.get('dissolved'), 1546300800000)
             self.eq(node.get('techniques'), tuple(sorted(teqs)))
             self.eq(node.get('goals'), (goal,))
+            self.eq(node.get('ext:id'), 'Foo')
             self.nn(node.get('logo'))
 
             await core.nodes('ou:org:us:cage=7qe71 [ :country={ gen.pol.country ua } :country:code=ua ]')