feat: introduce osQuery ATC generator

Author: shah

lib/osquery/atc.ts

@@ -0,0 +1,64 @@
+export type OsQueryAutoTableConstrRecord = {
+  readonly query: string;
+  readonly path: string;
+  readonly columns: string[];
+  readonly platform?: string;
+};
+
+export type OsQueryAutoTableConstrConfig = {
+  readonly auto_table_construction: Record<
+    string,
+    OsQueryAutoTableConstrRecord
+  >;
+};
+
+/**
+ * Create an osQuery Automatic Table Construction (ATC) configuration file
+ * content from a series of tables.
+ * See: https://osquery.readthedocs.io/en/stable/deployment/configuration/#automatic-table-construction
+ * and: https://www.kolide.com/blog/how-to-build-custom-osquery-tables-using-atc
+ * @param tables the list of tables that should be included in the ATC configuration
+ * @returns a function which, when called, will produce an ATC configuratin object
+ */
+export function osQueryATCConfigSupplier(
+  tables: Generator<{
+    readonly tableName: string;
+    readonly columns: Array<{ readonly columnName: string }>;
+    readonly query?: string;
+  }>,
+) {
+  const osQueryATCPartials: Record<
+    string,
+    Omit<OsQueryAutoTableConstrRecord, "path">
+  > = {};
+
+  for (const table of tables) {
+    const columns = table.columns.map((c) => c.columnName);
+    const query = table.query ??
+      `select ${columns.join(", ")} from ${table.tableName}`;
+    osQueryATCPartials[table.tableName] = { query, columns };
+  }
+
+  return (
+    atcRecConfig: (
+      suggested: string,
+      atcPartial: Omit<OsQueryAutoTableConstrRecord, "path">,
+    ) => {
+      readonly osQueryTableName: string;
+      readonly atcRec: OsQueryAutoTableConstrRecord;
+    },
+  ): OsQueryAutoTableConstrConfig => {
+    const ATC: Record<string, OsQueryAutoTableConstrRecord> = {};
+    for (const atcPartialEntry of Object.entries(osQueryATCPartials)) {
+      const [suggestedTableName, atcPartialRec] = atcPartialEntry;
+      const { osQueryTableName, atcRec } = atcRecConfig(
+        suggestedTableName,
+        atcPartialRec,
+      );
+      ATC[osQueryTableName] = atcRec;
+    }
+    return {
+      auto_table_construction: ATC,
+    };
+  };
+}

lib/osquery/atc_test.ts

@@ -0,0 +1,75 @@
+import { testingAsserts as ta } from "../../deps-test.ts";
+import * as mod from "./atc.ts";
+
+Deno.test("osQueryATCConfigSupplier with auto-generated queries", () => {
+  function* tables() {
+    yield {
+      tableName: "test_table",
+      columns: [{ columnName: "column1" }, { columnName: "column2" }],
+    };
+    yield {
+      tableName: "test_table2",
+      columns: [{ columnName: "column2_1" }, { columnName: "column2_2" }],
+    };
+  }
+  const configSupplier = mod.osQueryATCConfigSupplier(tables());
+
+  ta.assertEquals(
+    configSupplier((
+      suggested: string,
+      atcPartial: Omit<mod.OsQueryAutoTableConstrRecord, "path">,
+    ) => ({
+      osQueryTableName: suggested,
+      atcRec: { ...atcPartial, path: "./sqlite-src.db" },
+    })),
+    {
+      auto_table_construction: {
+        test_table: {
+          query: "select column1, column2 from test_table",
+          columns: ["column1", "column2"],
+          path: "./sqlite-src.db",
+        },
+        test_table2: {
+          query: "select column2_1, column2_2 from test_table2",
+          columns: ["column2_1", "column2_2"],
+          path: "./sqlite-src.db",
+        },
+      },
+    },
+  );
+});
+
+Deno.test("osQueryATCConfigSupplier with custom query", () => {
+  function* tables() {
+    yield {
+      tableName: "test_table",
+      columns: [{ columnName: "column1" }, { columnName: "column2" }],
+      query:
+        "select column1 as 'special1', column2 as 'special2' from test_table",
+    };
+  }
+
+  const atcRecConfig = (
+    suggested: string,
+    atcPartial: Omit<mod.OsQueryAutoTableConstrRecord, "path">,
+  ) => ({
+    osQueryTableName: suggested,
+    atcRec: { ...atcPartial, path: "./sqlite-src.db" },
+  });
+
+  const configSupplier = mod.osQueryATCConfigSupplier(tables());
+  const config: mod.OsQueryAutoTableConstrConfig = configSupplier(atcRecConfig);
+
+  const expected: mod.OsQueryAutoTableConstrConfig = {
+    auto_table_construction: {
+      test_table: {
+        query:
+          "select column1 as 'special1', column2 as 'special2' from test_table",
+        columns: ["column1", "column2"],
+        path: "./sqlite-src.db",
+      },
+    },
+  };
+
+  ta.assertEquals(config, expected);
+});

lib/osquery/mod.ts

@@ -0,0 +1 @@
+export * from "./atc.ts";