  def _ParsePlistWithPlugin(
      self, plugin_object, plist_name, top_level_object,
      knowledge_base_values=None):
    """Runs a plist plugin over an already-decoded plist and collects its events.

    The plugin is handed a parser mediator that writes into a fresh event
    queue; the events it produces can then be read back through the returned
    TestItemQueueConsumer. A second queue is created and passed to
    _GetParserMediator as the parse error queue, but it is not exposed.

    Args:
      plugin_object: the plist plugin whose Process method is exercised.
      plist_name: the name of the plist, forwarded to Process as plist_name.
      top_level_object: the decoded top-level plist object, forwarded to
                        Process as top_level.
      knowledge_base_values: optional dict of knowledge base values forwarded
                             to _GetParserMediator.

    Returns:
      A TestItemQueueConsumer attached to the queue the plugin wrote into.
    """
    events_queue = single_process.SingleProcessQueue()
    errors_queue = single_process.SingleProcessQueue()
    consumer = test_lib.TestItemQueueConsumer(events_queue)

    mediator = self._GetParserMediator(
        events_queue, errors_queue,
        knowledge_base_values=knowledge_base_values)

    # The plugin receives the already-decoded object; no file is opened here,
    # so there is nothing to close afterwards.
    plugin_object.Process(
        mediator, plist_name=plist_name, top_level=top_level_object)

    return consumer
    def _ParseEseDbFileWithPlugin(self,
                                  path_segments,
                                  plugin_object,
                                  knowledge_base_values=None):
        """Runs an ESE database plugin over a test file and collects its events.

        Args:
          path_segments: path segments of the ESE database test file, handed
                         to _OpenEseDbFile.
          plugin_object: the ESE database plugin whose Process method is
                         exercised.
          knowledge_base_values: optional dict of knowledge base values
                                 forwarded to _GetParserMediator. Defaults to
                                 None.

        Returns:
          A TestItemQueueConsumer attached to the queue the plugin wrote into.
        """
        events_queue = single_process.SingleProcessQueue()
        errors_queue = single_process.SingleProcessQueue()
        consumer = test_lib.TestItemQueueConsumer(events_queue)

        mediator = self._GetParserMediator(
            events_queue, errors_queue,
            knowledge_base_values=knowledge_base_values)

        # No file entry is set on the mediator here, unlike the SQLite and
        # Registry helpers; the plugin only receives the opened database.
        # NOTE(review): the handle returned by _OpenEseDbFile is not closed in
        # this helper; confirm the caller or the fixture takes care of it.
        database = self._OpenEseDbFile(path_segments)

        # A fresh cache per call keeps state from leaking between tests.
        plugin_object.Process(
            mediator, database=database, cache=esedb.EseDbCache())

        return consumer
    def _ParseDatabaseFileWithPlugin(self,
                                     plugin_object,
                                     path,
                                     cache=None,
                                     knowledge_base_values=None):
        """Opens a SQLite database from disk and runs one plugin over it.

        The file is resolved through an OS path specification, set as the
        mediator's current file entry, and the plugin is appended to the
        parser chain. The database is opened from the entry's file object,
        which is closed right after Open returns; the database itself is
        closed once Process has finished, whether or not it raised.

        Args:
          plugin_object: the SQLite plugin whose Process method is exercised.
          path: the OS path of the SQLite database file.
          cache: optional SQLiteCache instance forwarded to Process.
          knowledge_base_values: optional dict of knowledge base values
                                 forwarded to _GetParserMediator. Defaults to
                                 None.

        Returns:
          A TestItemQueueConsumer attached to the queue the plugin wrote into.
        """
        events_queue = single_process.SingleProcessQueue()
        errors_queue = single_process.SingleProcessQueue()
        consumer = test_lib.TestItemQueueConsumer(events_queue)

        mediator = self._GetParserMediator(
            events_queue, errors_queue,
            knowledge_base_values=knowledge_base_values)

        os_path_spec = path_spec_factory.Factory.NewPathSpec(
            definitions.TYPE_INDICATOR_OS, location=path)
        entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)

        # Order matters: the file entry must be set before the plugin is
        # appended to the parser chain.
        mediator.SetFileEntry(entry)
        mediator.AppendToParserChain(plugin_object)

        sqlite_database = sqlite.SQLiteDatabase(entry.name)
        source = entry.GetFileObject()
        try:
            sqlite_database.Open(source)
        finally:
            # The file object is only needed for Open; release it even if
            # Open failed.
            source.close()

        try:
            plugin_object.Process(
                mediator, cache=cache, database=sqlite_database)
        finally:
            sqlite_database.Close()

        return consumer
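    def _ParseKeyWithPlugin(self,
                            plugin_object,
                            registry_key,
                            file_entry=None,
                            knowledge_base_values=None,
                            parser_chain=None):
        """Runs a Windows Registry plugin over one key and collects its events.

        The key is checked to be present before anything else is built; the
        check uses an identity test against None (assertIsNotNone) rather than
        the equality form assertNotEqual(key, None), which would route through
        the key object's __eq__.

        Args:
          plugin_object: the Registry plugin whose Process method is exercised.
          registry_key: the Windows Registry key to parse; must not be None.
          file_entry: optional dfvfs.FileEntry set on the mediator; may be
                      None, in which case SetFileEntry is still called with
                      None.
          knowledge_base_values: optional dict of knowledge base values
                                 forwarded to _GetParserMediator.
          parser_chain: optional '/'-separated string describing the parser
                        chain up to this point. When None the plugin itself is
                        appended to the chain instead.

        Returns:
          A TestItemQueueConsumer attached to the queue the plugin wrote into.

        Raises:
          AssertionError: if registry_key is None.
        """
        self.assertIsNotNone(registry_key)

        event_queue = single_process.SingleProcessQueue()
        event_queue_consumer = test_lib.TestItemQueueConsumer(event_queue)

        parse_error_queue = single_process.SingleProcessQueue()

        parser_mediator = self._GetParserMediator(
            event_queue,
            parse_error_queue,
            knowledge_base_values=knowledge_base_values)

        parser_mediator.SetFileEntry(file_entry)

        # Most tests aren't explicitly checking for parser chain values,
        # or setting them, so we'll just append the plugin name if no explicit
        # parser chain argument is supplied.
        # pylint: disable=protected-access
        if parser_chain is None:
            # AppendToParserChain needs to be run after SetFileEntry.
            parser_mediator.AppendToParserChain(plugin_object)
        else:
            # In the rare case that a test is checking for a particular chain, we
            # provide a way set it directly. There's no public API for this,
            # as access to the parser chain should be very infrequent. This
            # writes a private attribute of the mediator, so it is coupled to
            # the mediator's internal representation of the chain.
            parser_mediator._parser_chain_components = parser_chain.split(u'/')

        plugin_object.Process(parser_mediator, registry_key)

        return event_queue_consumer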
    def _ParseOleCfFileWithPlugin(self,
                                  path,
                                  plugin_object,
                                  knowledge_base_values=None):
        """Runs an OLE compound file plugin over a test file and collects events.

        Args:
          path: the path of the OLE CF test file; it is opened with
                _OpenOleCfFile and also resolved to a file entry via
                _GetTestFileEntryFromPath([path]).
          plugin_object: the OLE CF plugin whose Process method is exercised.
          knowledge_base_values: optional dict of knowledge base values
                                 forwarded to _GetParserMediator.

        Returns:
          A TestItemQueueConsumer attached to the queue the plugin wrote into.
        """
        events_queue = single_process.SingleProcessQueue()
        errors_queue = single_process.SingleProcessQueue()
        consumer = test_lib.TestItemQueueConsumer(events_queue)

        mediator = self._GetParserMediator(
            events_queue, errors_queue,
            knowledge_base_values=knowledge_base_values)

        # NOTE(review): the handle from _OpenOleCfFile is not closed in this
        # helper; confirm the caller or the fixture takes care of it.
        compound_file = self._OpenOleCfFile(path)
        mediator.SetFileEntry(self._GetTestFileEntryFromPath([path]))

        # The plugin is given the root item plus the names of its direct
        # sub-items, which is what it uses to decide what to parse.
        root = compound_file.root_item
        names = [sub_item.name for sub_item in root.sub_items]

        plugin_object.Process(mediator, root_item=root, item_names=names)

        return consumer
  def _ParseFileWithPlugin(
      self, plugin_name, path, knowledge_base_values=None):
    """Parses a syslog file with only the named plugin enabled.

    A SyslogParser is built with a single plugin enabled, the file at `path`
    is resolved through an OS path specification and set as the mediator's
    file entry, and the parser is run over the entry's file object. The file
    object is closed once Parse returns, whether or not it raised.

    Args:
      plugin_name: the name of the syslog plugin to enable.
      path: the OS path of the syslog file.
      knowledge_base_values: optional dict of knowledge base values forwarded
                             to _GetParserMediator.

    Returns:
      A TestItemQueueConsumer attached to the queue the parser wrote into.
    """
    events_queue = single_process.SingleProcessQueue()
    errors_queue = single_process.SingleProcessQueue()
    consumer = test_lib.TestItemQueueConsumer(events_queue)

    mediator = self._GetParserMediator(
        events_queue, errors_queue,
        knowledge_base_values=knowledge_base_values)

    os_path_spec = path_spec_factory.Factory.NewPathSpec(
        definitions.TYPE_INDICATOR_OS, location=path)
    entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)
    mediator.SetFileEntry(entry)

    # Only the requested plugin is enabled, so events come from it alone.
    syslog_parser = syslog.SyslogParser()
    syslog_parser.EnablePlugins([plugin_name])

    source = entry.GetFileObject()
    try:
      syslog_parser.Parse(mediator, source)
    finally:
      source.close()

    return consumer