def _GetPlistRootKey(self, file_entry):
"""Open a plist file entry.
Args:
file_entry: The plist file entry (instance of dfvfs.FileEntry).
Returns:
The plist root key (instance of plistlib._InternalDict).
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
file_object = file_entry.GetFileObject()
plist_file = plist.PlistFile()
try:
plist_file.Read(file_object)
except IOError as exception:
location = getattr(file_entry.path_spec, u'location', u'')
raise errors.PreProcessFail(
u'Unable to read plist file: {0:s} with error: {1:s}'.format(
location, exception))
finally:
file_object.close()
return plist_file.root_key
def _GetPlistRootKey(self, file_entry):
"""Retrieves the root key of a plist file.
Args:
file_entry (dfvfs.FileEntry): file entry of the plist.
Returns:
dict[str, object]: plist root key.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
file_object = file_entry.GetFileObject()
try:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
except IOError as exception:
location = getattr(file_entry.path_spec, 'location', '')
raise errors.PreProcessFail(
'Unable to read plist file: {0:s} with error: {1!s}'.format(
location, exception))
finally:
file_object.close()
return plist_file.root_key
def testReadXML(self):
"""Tests the Read function on a XML plist file."""
path = os.path.join(u'test_data', u'com.apple.iPod.plist')
with open(path, 'rb') as file_object:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
self.assertIsNotNone(plist_file.root_key)
def testReadBinary(self):
"""Tests the Read function on a binary plist file."""
path = os.path.join(u'test_data', u'com.apple.HIToolbox.plist')
with open(path, 'rb') as file_object:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
self.assertNotEqual(plist_file.root_key, None)
def testReadXML(self):
"""Tests the Read function on a XML plist file."""
test_file_path = self._GetTestFilePath(['com.apple.iPod.plist'])
with open(test_file_path, 'rb') as file_object:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
self.assertIsNotNone(plist_file.root_key)
def testReadBinary(self):
"""Tests the Read function on a binary plist file."""
test_file_path = self._GetTestFilePath([u'com.apple.HIToolbox.plist'])
with open(test_file_path, 'rb') as file_object:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
self.assertIsNotNone(plist_file.root_key)
def testGetValueByPath(self):
"""Tests the GetValueByPath function."""
path = os.path.join(u'test_data', u'com.apple.HIToolbox.plist')
with open(path, 'rb') as file_object:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
path_segments = [
u'AppleEnabledInputSources', u'0', u'KeyboardLayout Name']
plist_value = plist_file.GetValueByPath(path_segments)
self.assertEqual(plist_value, u'U.S.')
def _ParseFileData(self, knowledge_base, file_object):
"""Parses file content (data) for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
file_object (dfvfs.FileIO): file-like object that contains the artifact
value data.
Returns:
bool: True if all the preprocessing attributes were found and
the preprocessor plugin is done.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
plist_file = plist.PlistFile()
try:
plist_file.Read(file_object)
except IOError as exception:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: {1!s}'.format(
self.ARTIFACT_DEFINITION_NAME, exception))
if not plist_file.root_key:
raise errors.PreProcessFail(
('Unable to read: {0:s} with error: missing root key').format(
self.ARTIFACT_DEFINITION_NAME))
matches = []
self._FindKeys(plist_file.root_key, self._PLIST_KEYS, matches)
if not matches:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: no such keys: {1:s}.'.
format(self.ARTIFACT_DEFINITION_NAME,
', '.join(self._PLIST_KEYS)))
name = None
value = None
for name, value in matches:
if value:
break
if value is None:
raise errors.PreProcessFail(
('Unable to read: {0:s} with error: no values found for keys: '
'{1:s}.').format(self.ARTIFACT_DEFINITION_NAME,
', '.join(self._PLIST_KEYS)))
return self._ParsePlistKeyValue(knowledge_base, name, value)
def testGetValueByPath(self):
"""Tests the GetValueByPath function."""
test_file_path = self._GetTestFilePath(['com.apple.HIToolbox.plist'])
with open(test_file_path, 'rb') as file_object:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
path_segments = [
'AppleEnabledInputSources', '0', 'KeyboardLayout Name'
]
plist_value = plist_file.GetValueByPath(path_segments)
self.assertEqual(plist_value, 'U.S.')
def _ParseFileData(self, mediator, file_object):
"""Parses file content (data) for a preprocessing attribute.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
file_object (dfvfs.FileIO): file-like object that contains the artifact
value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
plist_file = plist.PlistFile()
try:
plist_file.Read(file_object)
except IOError as exception:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: {1!s}'.format(
self.ARTIFACT_DEFINITION_NAME, exception))
if not plist_file.root_key:
raise errors.PreProcessFail(
('Unable to read: {0:s} with error: missing root key').format(
self.ARTIFACT_DEFINITION_NAME))
matches = []
self._FindKeys(plist_file.root_key, self._PLIST_KEYS, matches)
if not matches:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: no such keys: {1:s}.'.
format(self.ARTIFACT_DEFINITION_NAME,
', '.join(self._PLIST_KEYS)))
name = None
value = None
for name, value in matches:
if value:
break
if value is None:
raise errors.PreProcessFail(
('Unable to read: {0:s} with error: no values found for keys: '
'{1:s}.').format(self.ARTIFACT_DEFINITION_NAME,
', '.join(self._PLIST_KEYS)))
self._ParsePlistKeyValue(mediator, name, value)
def _ParseFileEntry(self, mediator, file_entry):
"""Parses artifact file system data for a preprocessing attribute.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
file_entry (dfvfs.FileEntry): file entry that contains the artifact
value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
file_object = file_entry.GetFileObject()
try:
plist_file = plist.PlistFile()
plist_file.Read(file_object)
match = self._GetTopLevelKeys(plist_file.root_key, self._KEYS)
except (IOError, plistlib.InvalidFileException) as exception:
mediator.ProducePreprocessingWarning(
self.ARTIFACT_DEFINITION_NAME,
'Unable to read plist with error: {0!s}.'.format(exception))
return
name = match.get('name', [None])[0]
uid = match.get('uid', [None])[0]
if not name or not uid:
mediator.ProducePreprocessingWarning(
self.ARTIFACT_DEFINITION_NAME,
'Missing name or user identifier')
return
user_account = artifacts.UserAccountArtifact(identifier=uid,
username=name)
user_account.group_identifier = match.get('gid', [None])[0]
user_account.full_name = match.get('realname', [None])[0]
user_account.shell = match.get('shell', [None])[0]
user_account.user_directory = match.get('home', [None])[0]
try:
mediator.AddUserAccount(user_account)
except KeyError:
mediator.ProducePreprocessingWarning(
self.ARTIFACT_DEFINITION_NAME,
'Unable to add user account: {0:s} to knowledge base.'.format(
name))
