def testParseDirtyFile(self):
"""Tests the Parse function on a dirty file."""
parser = asl.ASLParser()
storage_writer = self._ParseFile(['2019.09.26.asl'], parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 319)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 1)
events = list(storage_writer.GetSortedEvents())
expected_event_values = {
'data_type': 'mac:asl:file',
'format_version': 2,
'is_dirty': True,
'timestamp': '2019-09-25 22:50:16.000000'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParse(self):
"""Tests the Parse function."""
parser = asl.ASLParser()
storage_writer = self._ParseFile(['applesystemlog.asl'], parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 2)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2013-11-25 09:45:35.705481')
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.record_position, 442)
self.assertEqual(event_data.message_id, 101406)
self.assertEqual(event_data.computer_name, 'DarkTemplar-2.local')
self.assertEqual(event_data.sender, 'locationd')
self.assertEqual(event_data.facility, 'com.apple.locationd')
self.assertEqual(event_data.pid, 69)
self.assertEqual(event_data.user_sid, '205')
self.assertEqual(event_data.group_id, 205)
self.assertEqual(event_data.read_uid, 205)
self.assertEqual(event_data.read_gid, -1)
self.assertEqual(event_data.level, 4)
# Note that "compatiblity" is spelt incorrectly in the actual message being
# tested here.
expected_message = (
'Incorrect NSStringEncoding value 0x8000100 detected. '
'Assuming NSASCIIStringEncoding. Will stop this compatiblity '
'mapping behavior in the near future.')
self.assertEqual(event_data.message, expected_message)
expected_extra = (
'CFLog Local Time: 2013-11-25 09:45:35.701, '
'CFLog Thread: 1007, '
'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51')
self.assertEqual(event_data.extra_information, expected_extra)
expected_message = ('MessageID: 101406 '
'Level: WARNING (4) '
'User ID: 205 '
'Group ID: 205 '
'Read User: 205 '
'Read Group: ALL '
'Host: DarkTemplar-2.local '
'Sender: locationd '
'Facility: com.apple.locationd '
'Message: {0:s} {1:s}').format(
expected_message, expected_extra)
expected_short_message = ('Sender: locationd '
'Facility: com.apple.locationd')
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testParseRecordString(self):
"""Tests the _ParseRecordString function."""
parser = asl.ASLParser()
string_map = parser._GetDataTypeMap('asl_record_string')
string = string_map.CreateStructureValues(unknown1=0,
string_size=4,
string='test')
string_data = string_map.FoldByteStream(string)
# Prefix the string data with 4 bytes since string offset cannot be 0.
string_data = b''.join([b'\x00\x00\x00\x00', string_data])
string_value = parser._ParseRecordString(string_data, 0, 0)
self.assertIsNone(string_value)
string_value = parser._ParseRecordString(string_data, 0, 4)
self.assertEqual(string_value, 'test')
# Test with string data too small.
with self.assertRaises(errors.ParseError):
parser._ParseRecordString(string_data[:-1], 0, 4)
# Test with inline string data.
string_value = parser._ParseRecordString(b'', 0, 0x8474657374000000)
self.assertEqual(string_value, 'test')
with self.assertRaises(errors.ParseError):
parser._ParseRecordString(b'', 0, 0xf474657374000000)
with self.assertRaises(errors.ParseError):
parser._ParseRecordString(b'', 0, 0x8f74657374000000)
with self.assertRaises(errors.ParseError):
parser._ParseRecordString(b'', 0, 0x84ffffffff000000)
def testParseFileObject(self):
"""Tests the ParseFileObject function."""
parser = asl.ASLParser()
file_header_data = self._CreateFileHeaderData(parser)
storage_writer = self._CreateStorageWriter()
parser_mediator = self._CreateParserMediator(storage_writer)
file_object = self._CreateFileObject('asl', file_header_data)
parser.ParseFileObject(parser_mediator, file_object)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
# Test with file header data too small.
file_object = self._CreateFileObject('asl', file_header_data[:-1])
with self.assertRaises(errors.UnableToParseFile):
parser.ParseFileObject(parser_mediator, file_object)
# Test with invalid signature.
file_object = self._CreateFileObject(
'asl', b''.join([b'\xff\xff\xff\xff', file_header_data[4:]]))
storage_writer = self._CreateStorageWriter()
parser_mediator = self._CreateParserMediator(storage_writer)
with self.assertRaises(errors.UnableToParseFile):
parser.ParseFileObject(parser_mediator, file_object)
# Test with first record data too small.
file_object = self._CreateFileObject(
'asl', b''.join([file_header_data, self._TEST_RECORD[:452]]))
parser.ParseFileObject(parser_mediator, file_object)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
def testParse(self):
"""Tests the Parse function."""
parser = asl.ASLParser()
storage_writer = self._ParseFile(['applesystemlog.asl'], parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 2)
events = list(storage_writer.GetEvents())
# Note that "compatiblity" is spelt incorrectly in the actual message being
# tested here.
expected_event_values = {
'computer_name':
'DarkTemplar-2.local',
'data_type':
'mac:asl:event',
'extra_information':
('CFLog Local Time: 2013-11-25 09:45:35.701, '
'CFLog Thread: 1007, '
'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51'),
'facility':
'com.apple.locationd',
'group_id':
205,
'level':
4,
'message':
('Incorrect NSStringEncoding value 0x8000100 detected. '
'Assuming NSASCIIStringEncoding. Will stop this compatiblity '
'mapping behavior in the near future.'),
'message_id':
101406,
'pid':
69,
'read_gid':
-1,
'read_uid':
205,
'record_position':
442,
'sender':
'locationd',
'timestamp':
'2013-11-25 09:45:35.705481',
'user_sid':
'205'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseRecordExtraField(self):
"""Tests the _ParseRecordExtraField function."""
parser = asl.ASLParser()
extra_field_map = parser._GetDataTypeMap('asl_record_extra_field')
extra_field = extra_field_map.CreateStructureValues(
name_string_offset=10, value_string_offset=20)
extra_field_data = extra_field_map.FoldByteStream(extra_field)
extra_field_value = parser._ParseRecordExtraField(extra_field_data, 0)
self.assertEqual(extra_field_value.name_string_offset, 10)
self.assertEqual(extra_field_value.value_string_offset, 20)
# Test with extra field data too small.
with self.assertRaises(errors.ParseError):
parser._ParseRecordExtraField(extra_field_data[:-1], 0)
def testParseRecord(self):
"""Tests the _ParseRecord function."""
parser = asl.ASLParser()
storage_writer = self._CreateStorageWriter()
parser_mediator = self._CreateParserMediator(storage_writer)
file_object = self._CreateFileObject('asl', self._TEST_RECORD)
next_record_offset = parser._ParseRecord(parser_mediator, file_object, 362)
self.assertEqual(next_record_offset, 974)
# Test with log entry descriptor data too small.
file_object = self._CreateFileObject('asl', self._TEST_RECORD[:452])
with self.assertRaises(errors.ParseError):
parser._ParseRecord(parser_mediator, file_object, 362)
def testParse(self):
"""Tests the Parse function."""
parser = asl.ASLParser()
storage_writer = self._ParseFile(['applesystemlog.asl'], parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 3)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetSortedEvents())
expected_event_values = {
'data_type': 'mac:asl:file',
'format_version': 2,
'is_dirty': False,
'timestamp': '2013-11-25 09:45:35.000000'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
# Note that "compatiblity" is spelt incorrectly in the actual message being
# tested here.
expected_event_values = {
'computer_name':
'DarkTemplar-2.local',
'data_type':
'mac:asl:event',
'extra_information':
('CFLog Local Time: 2013-11-25 09:45:35.701, '
'CFLog Thread: 1007, '
'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51'),
'facility':
'com.apple.locationd',
'group_id':
205,
'level':
4,
'message':
('Incorrect NSStringEncoding value 0x8000100 detected. '
'Assuming NSASCIIStringEncoding. Will stop this compatiblity '
'mapping behavior in the near future.'),
'message_id':
101406,
'pid':
69,
'read_gid':
-1,
'read_uid':
205,
'record_position':
442,
'sender':
'locationd',
'timestamp':
'2013-11-25 09:45:35.705481',
'user_sid':
'205'
}
self.CheckEventValues(storage_writer, events[1], expected_event_values)
# Check a second event to ensure record strings are parsed correctly.
expected_event_values = {
'computer_name':
'DarkTemplar-2.local',
'data_type':
'mac:asl:event',
'extra_information':
('CFLog Local Time: 2013-11-25 17:12:43.537, '
'CFLog Thread: 1007, '
'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51'),
'facility':
'com.apple.locationd',
'group_id':
205,
'level':
4,
'message':
('Incorrect NSStringEncoding value 0x8000100 detected. '
'Assuming NSASCIIStringEncoding. Will stop this compatiblity '
'mapping behavior in the near future.'),
'message_id':
102643,
'pid':
69,
'read_gid':
-1,
'read_uid':
205,
'record_position':
974,
'sender':
'locationd',
'timestamp':
'2013-11-25 17:12:43.571140',
'user_sid':
'205'
}
self.CheckEventValues(storage_writer, events[2], expected_event_values)
def testParse(self):
"""Tests the Parse function."""
parser_object = asl.ASLParser()
test_file = self._GetTestFilePath([u'applesystemlog.asl'])
event_queue_consumer = self._ParseFile(parser_object, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 2)
event_object = event_objects[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-11-25 09:45:35.705481')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.record_position, 442)
self.assertEqual(event_object.message_id, 101406)
self.assertEqual(event_object.computer_name, u'DarkTemplar-2.local')
self.assertEqual(event_object.sender, u'locationd')
self.assertEqual(event_object.facility, u'com.apple.locationd')
self.assertEqual(event_object.pid, 69)
self.assertEqual(event_object.user_sid, u'205')
self.assertEqual(event_object.group_id, 205)
self.assertEqual(event_object.read_uid, 205)
self.assertEqual(event_object.read_gid, 0xffffffff)
self.assertEqual(event_object.level, 4)
# Note that "compatiblity" is spelt incorrectly in the actual message being
# tested here.
expected_message = (
u'Incorrect NSStringEncoding value 0x8000100 detected. '
u'Assuming NSASCIIStringEncoding. Will stop this compatiblity '
u'mapping behavior in the near future.')
self.assertEqual(event_object.message, expected_message)
expected_extra = (
u'CFLog Local Time: 2013-11-25 09:45:35.701, '
u'CFLog Thread: 1007, '
u'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51')
self.assertEqual(event_object.extra_information, expected_extra)
expected_msg = (
u'MessageID: 101406 '
u'Level: WARNING (4) '
u'User ID: 205 '
u'Group ID: 205 '
u'Read User: 205 '
u'Read Group: ALL '
u'Host: DarkTemplar-2.local '
u'Sender: locationd '
u'Facility: com.apple.locationd '
u'Message: {0:s} {1:s}').format(expected_message, expected_extra)
expected_msg_short = (
u'Sender: locationd '
u'Facility: com.apple.locationd')
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def setUp(self):
"""Makes preparations before running an individual test."""
self._parser = asl.ASLParser()
