def testParseDirtyFile(self): """Tests the Parse function on a dirty file.""" parser = asl.ASLParser() storage_writer = self._ParseFile(['2019.09.26.asl'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 319) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 1) events = list(storage_writer.GetSortedEvents()) expected_event_values = { 'data_type': 'mac:asl:file', 'format_version': 2, 'is_dirty': True, 'timestamp': '2019-09-25 22:50:16.000000' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParse(self): """Tests the Parse function.""" parser = asl.ASLParser() storage_writer = self._ParseFile(['applesystemlog.asl'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 2) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2013-11-25 09:45:35.705481') event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.record_position, 442) self.assertEqual(event_data.message_id, 101406) self.assertEqual(event_data.computer_name, 'DarkTemplar-2.local') self.assertEqual(event_data.sender, 'locationd') self.assertEqual(event_data.facility, 'com.apple.locationd') self.assertEqual(event_data.pid, 69) self.assertEqual(event_data.user_sid, '205') self.assertEqual(event_data.group_id, 205) self.assertEqual(event_data.read_uid, 205) self.assertEqual(event_data.read_gid, -1) self.assertEqual(event_data.level, 4) # Note that "compatiblity" is spelt incorrectly in the actual message being # tested here. expected_message = ( 'Incorrect NSStringEncoding value 0x8000100 detected. ' 'Assuming NSASCIIStringEncoding. Will stop this compatiblity ' 'mapping behavior in the near future.') self.assertEqual(event_data.message, expected_message) expected_extra = ( 'CFLog Local Time: 2013-11-25 09:45:35.701, ' 'CFLog Thread: 1007, ' 'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51') self.assertEqual(event_data.extra_information, expected_extra) expected_message = ('MessageID: 101406 ' 'Level: WARNING (4) ' 'User ID: 205 ' 'Group ID: 205 ' 'Read User: 205 ' 'Read Group: ALL ' 'Host: DarkTemplar-2.local ' 'Sender: locationd ' 'Facility: com.apple.locationd ' 'Message: {0:s} {1:s}').format( expected_message, expected_extra) expected_short_message = ('Sender: locationd ' 'Facility: com.apple.locationd') self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testParseRecordString(self): """Tests the _ParseRecordString function.""" parser = asl.ASLParser() string_map = parser._GetDataTypeMap('asl_record_string') string = string_map.CreateStructureValues(unknown1=0, string_size=4, string='test') string_data = string_map.FoldByteStream(string) # Prefix the string data with 4 bytes since string offset cannot be 0. string_data = b''.join([b'\x00\x00\x00\x00', string_data]) string_value = parser._ParseRecordString(string_data, 0, 0) self.assertIsNone(string_value) string_value = parser._ParseRecordString(string_data, 0, 4) self.assertEqual(string_value, 'test') # Test with string data too small. with self.assertRaises(errors.ParseError): parser._ParseRecordString(string_data[:-1], 0, 4) # Test with inline string data. string_value = parser._ParseRecordString(b'', 0, 0x8474657374000000) self.assertEqual(string_value, 'test') with self.assertRaises(errors.ParseError): parser._ParseRecordString(b'', 0, 0xf474657374000000) with self.assertRaises(errors.ParseError): parser._ParseRecordString(b'', 0, 0x8f74657374000000) with self.assertRaises(errors.ParseError): parser._ParseRecordString(b'', 0, 0x84ffffffff000000)
def testParseFileObject(self): """Tests the ParseFileObject function.""" parser = asl.ASLParser() file_header_data = self._CreateFileHeaderData(parser) storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) file_object = self._CreateFileObject('asl', file_header_data) parser.ParseFileObject(parser_mediator, file_object) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) # Test with file header data too small. file_object = self._CreateFileObject('asl', file_header_data[:-1]) with self.assertRaises(errors.UnableToParseFile): parser.ParseFileObject(parser_mediator, file_object) # Test with invalid signature. file_object = self._CreateFileObject( 'asl', b''.join([b'\xff\xff\xff\xff', file_header_data[4:]])) storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) with self.assertRaises(errors.UnableToParseFile): parser.ParseFileObject(parser_mediator, file_object) # Test with first record data too small. file_object = self._CreateFileObject( 'asl', b''.join([file_header_data, self._TEST_RECORD[:452]])) parser.ParseFileObject(parser_mediator, file_object) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0)
def testParse(self): """Tests the Parse function.""" parser = asl.ASLParser() storage_writer = self._ParseFile(['applesystemlog.asl'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 2) events = list(storage_writer.GetEvents()) # Note that "compatiblity" is spelt incorrectly in the actual message being # tested here. expected_event_values = { 'computer_name': 'DarkTemplar-2.local', 'data_type': 'mac:asl:event', 'extra_information': ('CFLog Local Time: 2013-11-25 09:45:35.701, ' 'CFLog Thread: 1007, ' 'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51'), 'facility': 'com.apple.locationd', 'group_id': 205, 'level': 4, 'message': ('Incorrect NSStringEncoding value 0x8000100 detected. ' 'Assuming NSASCIIStringEncoding. Will stop this compatiblity ' 'mapping behavior in the near future.'), 'message_id': 101406, 'pid': 69, 'read_gid': -1, 'read_uid': 205, 'record_position': 442, 'sender': 'locationd', 'timestamp': '2013-11-25 09:45:35.705481', 'user_sid': '205' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseRecordExtraField(self): """Tests the _ParseRecordExtraField function.""" parser = asl.ASLParser() extra_field_map = parser._GetDataTypeMap('asl_record_extra_field') extra_field = extra_field_map.CreateStructureValues( name_string_offset=10, value_string_offset=20) extra_field_data = extra_field_map.FoldByteStream(extra_field) extra_field_value = parser._ParseRecordExtraField(extra_field_data, 0) self.assertEqual(extra_field_value.name_string_offset, 10) self.assertEqual(extra_field_value.value_string_offset, 20) # Test with extra field data too small. with self.assertRaises(errors.ParseError): parser._ParseRecordExtraField(extra_field_data[:-1], 0)
def testParseRecord(self): """Tests the _ParseRecord function.""" parser = asl.ASLParser() storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) file_object = self._CreateFileObject('asl', self._TEST_RECORD) next_record_offset = parser._ParseRecord(parser_mediator, file_object, 362) self.assertEqual(next_record_offset, 974) # Test with log entry descriptor data too small. file_object = self._CreateFileObject('asl', self._TEST_RECORD[:452]) with self.assertRaises(errors.ParseError): parser._ParseRecord(parser_mediator, file_object, 362)
def testParse(self): """Tests the Parse function.""" parser = asl.ASLParser() storage_writer = self._ParseFile(['applesystemlog.asl'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 3) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetSortedEvents()) expected_event_values = { 'data_type': 'mac:asl:file', 'format_version': 2, 'is_dirty': False, 'timestamp': '2013-11-25 09:45:35.000000' } self.CheckEventValues(storage_writer, events[0], expected_event_values) # Note that "compatiblity" is spelt incorrectly in the actual message being # tested here. expected_event_values = { 'computer_name': 'DarkTemplar-2.local', 'data_type': 'mac:asl:event', 'extra_information': ('CFLog Local Time: 2013-11-25 09:45:35.701, ' 'CFLog Thread: 1007, ' 'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51'), 'facility': 'com.apple.locationd', 'group_id': 205, 'level': 4, 'message': ('Incorrect NSStringEncoding value 0x8000100 detected. ' 'Assuming NSASCIIStringEncoding. Will stop this compatiblity ' 'mapping behavior in the near future.'), 'message_id': 101406, 'pid': 69, 'read_gid': -1, 'read_uid': 205, 'record_position': 442, 'sender': 'locationd', 'timestamp': '2013-11-25 09:45:35.705481', 'user_sid': '205' } self.CheckEventValues(storage_writer, events[1], expected_event_values) # Check a second event to ensure record strings are parsed correctly. expected_event_values = { 'computer_name': 'DarkTemplar-2.local', 'data_type': 'mac:asl:event', 'extra_information': ('CFLog Local Time: 2013-11-25 17:12:43.537, ' 'CFLog Thread: 1007, ' 'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51'), 'facility': 'com.apple.locationd', 'group_id': 205, 'level': 4, 'message': ('Incorrect NSStringEncoding value 0x8000100 detected. ' 'Assuming NSASCIIStringEncoding. Will stop this compatiblity ' 'mapping behavior in the near future.'), 'message_id': 102643, 'pid': 69, 'read_gid': -1, 'read_uid': 205, 'record_position': 974, 'sender': 'locationd', 'timestamp': '2013-11-25 17:12:43.571140', 'user_sid': '205' } self.CheckEventValues(storage_writer, events[2], expected_event_values)
def testParse(self): """Tests the Parse function.""" parser_object = asl.ASLParser() test_file = self._GetTestFilePath([u'applesystemlog.asl']) event_queue_consumer = self._ParseFile(parser_object, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 2) event_object = event_objects[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2013-11-25 09:45:35.705481') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.record_position, 442) self.assertEqual(event_object.message_id, 101406) self.assertEqual(event_object.computer_name, u'DarkTemplar-2.local') self.assertEqual(event_object.sender, u'locationd') self.assertEqual(event_object.facility, u'com.apple.locationd') self.assertEqual(event_object.pid, 69) self.assertEqual(event_object.user_sid, u'205') self.assertEqual(event_object.group_id, 205) self.assertEqual(event_object.read_uid, 205) self.assertEqual(event_object.read_gid, 0xffffffff) self.assertEqual(event_object.level, 4) # Note that "compatiblity" is spelt incorrectly in the actual message being # tested here. expected_message = ( u'Incorrect NSStringEncoding value 0x8000100 detected. ' u'Assuming NSASCIIStringEncoding. Will stop this compatiblity ' u'mapping behavior in the near future.') self.assertEqual(event_object.message, expected_message) expected_extra = ( u'CFLog Local Time: 2013-11-25 09:45:35.701, ' u'CFLog Thread: 1007, ' u'Sender_Mach_UUID: 50E1F76A-60FF-368C-B74E-EB48F6D98C51') self.assertEqual(event_object.extra_information, expected_extra) expected_msg = ( u'MessageID: 101406 ' u'Level: WARNING (4) ' u'User ID: 205 ' u'Group ID: 205 ' u'Read User: 205 ' u'Read Group: ALL ' u'Host: DarkTemplar-2.local ' u'Sender: locationd ' u'Facility: com.apple.locationd ' u'Message: {0:s} {1:s}').format(expected_message, expected_extra) expected_msg_short = ( u'Sender: locationd ' u'Facility: com.apple.locationd') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def setUp(self): """Makes preparations before running an individual test.""" self._parser = asl.ASLParser()