Issues with the Timesketch init prompt

[wajihyassine]

Expecting a prompt to enter in my Timesketch info when first running a dfTimewolf recipe using Timesketch.

Behavior with the default dfTimewolf UI:

wyassine@47c20a8a4c5e:~/dftimewolf$ dftimewolf gcp_turbinia_ts <project_name>  <zone> --disk_names test-disk-20gb-1 --incident_id test123
 gcp_turbinia_ts
   Preflights:
     GCPTokenCheck: Completed
   Modules:
     TimesketchExporter: Setting Up
     TurbiniaGCPProcessor: Pending

 Messages:
  [ dftimewolf ] Debug log: /tmp/dftimewolf-run-20230719_212057__t5zynqd.log

The recipe will just get stuck there even though in the background its looking for Timesketch credentials.

When using DFTIMEWOLF_NO_CURSES=1, the prompt asking for Timesketch info pops up so seems like some UI issue:

wyassine@47c20a8a4c5e:~/dftimewolf$ dftimewolf gcp_turbinia_ts <project_name>  <zone> --disk_names test-disk-20gb-1 --incident_id test123
[2023-07-19 21:22:00,680] [dftimewolf          ] DEBUG    Logging to stdout and /tmp/dftimewolf-run-20230719_212200_jdtfa630.log
[2023-07-19 21:22:00,680] [dftimewolf          ] DEBUG    Recipe data path: /home/wyassine/dftimewolf/data
[2023-07-19 21:22:00,680] [dftimewolf          ] DEBUG    Configuration loaded from: /home/wyassine/dftimewolf/data/config.json
[2023-07-19 21:22:00,705] [dftimewolf          ] INFO     Loading recipe gcp_turbinia_ts...
[2023-07-19 21:22:00,705] [dftimewolf.state    ] DEBUG    Loading module TurbiniaGCPProcessor from dftimewolf.lib.processors.turbinia_gcp
[2023-07-19 21:22:00,890] [dftimewolf.state    ] DEBUG    Loading module TimesketchExporter from dftimewolf.lib.exporters.timesketch
[2023-07-19 21:22:01,640] [dftimewolf.state    ] DEBUG    Loading module GCPTokenCheck from dftimewolf.lib.preflights.cloud_token
[2023-07-19 21:22:01,697] [dftimewolf          ] INFO     Running preflights...
[2023-07-19 21:22:03,891] [dftimewolf          ] INFO     Setting up modules...
[2023-07-19 21:22:03,892] [dftimewolf.state    ] INFO     Setting up module: TurbiniaGCPProcessor
[2023-07-19 21:22:03,894] [dftimewolf.state    ] INFO     Setting up module: TimesketchExporter
What is the value for <host_uri> (URL of the Timesketch server): [2023-07-19 21:22:03,893] [TurbiniaGCPProcessor] DEBUG    TurbiniaGCPProcessor is storing a turbiniarequest container: test-disk-20gb-1

Also it's hard to tell it's asking for input at first because of the log line coming after the What is the value for <host_uri> (URL of the Timesketch server):. If possible, the other request would be to add a new line between the log line and the Timesketch prompt to make it more clear you have to enter something in.

Another great option would be if we can instead already provide the Timesketch config file for it to use. From my tests, using the config.json does not work. Also can file this as a separate issue if it'll require a whole other body of work.

[ramo-j]

There was a similar issue with Timesketch when providing an auth token, not just the URL as seen here. The fix is for TS to check if stdin/out is a TTY before asking, and exiting with a useful error message if appropriate.

[ramo-j]

Upstream: google/timesketch#2850