Decoders improvments #35

Merged
merged 16 commits into from
Dec 5, 2024
10 changes: 5 additions & 5 deletions src/chunks/firehose/activity.rs
Expand Up @@ -265,11 +265,11 @@ mod tests {
assert_eq!(results.unknown_activity_id_3, 64435);
assert_eq!(results.unknown_sentinal_3, 2147483648);
assert_eq!(results.unknown_message_string_ref, 0);
assert_eq!(results.firehose_formatters.main_exe, false);
assert_eq!(results.firehose_formatters.absolute, false);
assert_eq!(results.firehose_formatters.shared_cache, false);
assert_eq!(results.firehose_formatters.main_plugin, false);
assert_eq!(results.firehose_formatters.pc_style, false);
assert!(!results.firehose_formatters.main_exe);
assert!(!results.firehose_formatters.absolute);
assert!(!results.firehose_formatters.shared_cache);
assert!(!results.firehose_formatters.main_plugin);
assert!(!results.firehose_formatters.pc_style);
assert_eq!(results.firehose_formatters.main_exe_alt_index, 0);
assert_eq!(results.firehose_formatters.uuid_relative, "");
assert_eq!(results.unknown_pc_id, 303578944);
10 changes: 5 additions & 5 deletions src/decoders/bool.rs
Expand Up @@ -22,17 +22,17 @@ pub(crate) fn lowercase_bool(bool_data: &str) -> String {
}

/// Return int value to bool
pub(crate) fn lowercase_int_bool(bool_data: &u8) -> String {
let false_bool = 0;
if bool_data == &false_bool {
pub(crate) fn lowercase_int_bool(bool_data: u8) -> String {
const FALSE_BOOL: u8 = 0;
if bool_data == FALSE_BOOL {
return String::from("false");
}
String::from("true")
}

#[cfg(test)]
mod tests {
use crate::decoders::bool::{lowercase_bool, lowercase_int_bool, uppercase_bool};
use super::*;

#[test]
fn test_uppercase_bool() {
Expand All @@ -59,7 +59,7 @@ mod tests {
#[test]
fn test_lowercase_int_bool() {
let test_data = 0;
let results = lowercase_int_bool(&test_data);
let results = lowercase_int_bool(test_data);
assert_eq!(results, "false");
}
}
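Review bot: The doc comment above `lowercase_int_bool` still reads `/// Return int value to bool`, which does not say what the mapping is; now that the parameter is a plain `u8` and the sentinel is a named const, state it: `/// Map a raw integer flag to a lowercase bool string: 0 → "false", any other value → "true".` The body could also be a single expression rather than an early return, `if bool_data == FALSE_BOOL { "false" } else { "true" }.to_string()`, which reads more naturally with the const comparison the hunk introduces. The second hunk only updates the test call site for the by-value parameter and needs nothing further.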
114 changes: 65 additions & 49 deletions src/decoders/decoder.rs
Expand Up @@ -23,108 +23,124 @@ use crate::{
opendirectory::{errors, member_details, member_id_type, sid_details},
time::parse_time,
uuid::parse_uuid,
DecoderError,
},
};

/// Check if we support one of Apple's custom logging objects
pub(crate) fn check_objects(
format_string: &str,
message_values: &[FirehoseItemInfo],
item_type: &u8,
item_type: u8,
item_index: usize,
) -> String {
let mut message_value = String::new();
let mut index = item_index;
let precision_item = 0x12;
const PRECISION_ITEM: u8 = 0x12;

// Increment index get the actual firehose item data
if item_type == &precision_item {
if item_type == PRECISION_ITEM {
index += 1;
if index > message_values.len() {
return format!("Index out of bounds for FirehoseItemInfo Vec. Got adjusted index {}, Vec size is {}. This should not have happened", index, message_values.len());
}
}

let masked_hash_type = 0xf2;
const MASKED_HASH_TYPE: u8 = 0xf2;
// Check if the log value is hashed or marked private
if (format_string.contains("mask.hash") && message_values[index].item_type == masked_hash_type)
if (format_string.contains("mask.hash") && message_values[index].item_type == MASKED_HASH_TYPE)
|| message_values[index].message_strings == "<private>"
{
return message_values[index].message_strings.to_owned();
}

// Check if log value contains one the supported decoders
if format_string.contains("BOOL") {
message_value = uppercase_bool(&message_values[index].message_strings);
let message_value: Result<String, DecoderError<'_>> = if format_string.contains("BOOL") {
Ok(uppercase_bool(&message_values[index].message_strings))
} else if format_string.contains("bool") {
message_value = lowercase_bool(&message_values[index].message_strings);
Ok(lowercase_bool(&message_values[index].message_strings))
} else if format_string.contains("uuid_t") {
message_value = parse_uuid(&message_values[index].message_strings);
Ok(parse_uuid(&message_values[index].message_strings))
} else if format_string.contains("darwin.errno") {
message_value = errno_codes(&message_values[index].message_strings);
Ok(errno_codes(&message_values[index].message_strings))
} else if format_string.contains("darwin.mode") {
message_value = permission(&message_values[index].message_strings);
Ok(permission(&message_values[index].message_strings))
} else if format_string.contains("odtypes:ODError") {
message_value = errors(&message_values[index].message_strings);
Ok(errors(&message_values[index].message_strings))
} else if format_string.contains("odtypes:mbridtype") {
message_value = member_id_type(&message_values[index].message_strings);
Ok(member_id_type(&message_values[index].message_strings))
} else if format_string.contains("odtypes:mbr_details") {
message_value = member_details(&message_values[index].message_strings);
Ok(member_details(&message_values[index].message_strings))
} else if format_string.contains("odtypes:nt_sid_t") {
message_value = sid_details(&message_values[index].message_strings);
Ok(sid_details(&message_values[index].message_strings))
} else if format_string.contains("location:CLClientAuthorizationStatus") {
message_value = client_authorization_status(&message_values[index].message_strings)
Ok(client_authorization_status(
&message_values[index].message_strings,
))
} else if format_string.contains("location:CLDaemonStatus_Type::Reachability") {
message_value = daemon_status_type(&message_values[index].message_strings);
Ok(daemon_status_type(&message_values[index].message_strings))
} else if format_string.contains("location:CLSubHarvesterIdentifier") {
message_value = subharvester_identifier(&message_values[index].message_strings);
Ok(subharvester_identifier(
&message_values[index].message_strings,
))
} else if format_string.contains("location:SqliteResult") {
message_value = sqlite(&message_values[index].message_strings);
Ok(sqlite(&message_values[index].message_strings))
} else if format_string.contains("location:_CLClientManagerStateTrackerState") {
message_value = client_manager_state_tracker_state(&message_values[index].message_strings);
Ok(client_manager_state_tracker_state(
&message_values[index].message_strings,
))
} else if format_string.contains("location:_CLLocationManagerStateTrackerState") {
message_value =
location_manager_state_tracker_state(&message_values[index].message_strings);
Ok(location_manager_state_tracker_state(
&message_values[index].message_strings,
))
} else if format_string.contains("network:in6_addr") {
message_value = ipv_six(&message_values[index].message_strings);
Ok(ipv_six(&message_values[index].message_strings))
} else if format_string.contains("network:in_addr") {
message_value = ipv_four(&message_values[index].message_strings);
Ok(ipv_four(&message_values[index].message_strings))
} else if format_string.contains("network:sockaddr") {
message_value = sockaddr(&message_values[index].message_strings);
Ok(sockaddr(&message_values[index].message_strings))
} else if format_string.contains("time_t") {
message_value = parse_time(&message_values[index].message_strings);
Ok(parse_time(&message_values[index].message_strings))
} else if format_string.contains("mdns:dnshdr") {
message_value = parse_dns_header(&message_values[index].message_strings);
parse_dns_header(&message_values[index].message_strings)
} else if format_string.contains("mdns:rd.svcb") {
message_value = get_service_binding(&message_values[index].message_strings);
get_service_binding(&message_values[index].message_strings)
} else if format_string.contains("location:IOMessage") {
message_value = io_message(&message_values[index].message_strings);
Ok(io_message(&message_values[index].message_strings))
} else if format_string.contains("mdnsresponder:domain_name") {
message_value = get_domain_name(&message_values[index].message_strings);
get_domain_name(&message_values[index].message_strings)
} else if format_string.contains("mdnsresponder:mac_addr") {
message_value = get_dns_mac_addr(&message_values[index].message_strings);
get_dns_mac_addr(&message_values[index].message_strings)
} else if format_string.contains("mdnsresponder:ip_addr") {
message_value = dns_ip_addr(&message_values[index].message_strings);
dns_ip_addr(&message_values[index].message_strings)
} else if format_string.contains("mdns:addrmv") {
message_value = dns_addrmv(&message_values[index].message_strings);
Ok(dns_addrmv(&message_values[index].message_strings))
} else if format_string.contains("mdns:rrtype") {
message_value = dns_records(&message_values[index].message_strings);
Ok(dns_records(&message_values[index].message_strings))
} else if format_string.contains("mdns:nreason") {
message_value = dns_reason(&message_values[index].message_strings);
Ok(dns_reason(&message_values[index].message_strings))
} else if format_string.contains("mdns:protocol") {
message_value = dns_protocol(&message_values[index].message_strings);
Ok(dns_protocol(&message_values[index].message_strings))
} else if format_string.contains("mdns:dns.idflags") {
message_value = dns_idflags(&message_values[index].message_strings);
Ok(dns_idflags(&message_values[index].message_strings))
} else if format_string.contains("mdns:dns.counts") {
message_value = dns_counts(&message_values[index].message_strings);
Ok(dns_counts(&message_values[index].message_strings))
} else if format_string.contains("mdns:yesno") {
message_value = dns_yes_no(&message_values[index].message_strings);
Ok(dns_yes_no(&message_values[index].message_strings))
} else if format_string.contains("mdns:acceptable") {
message_value = dns_acceptable(&message_values[index].message_strings);
Ok(dns_acceptable(&message_values[index].message_strings))
} else if format_string.contains("mdns:gaiopts") {
message_value = dns_getaddrinfo_opts(&message_values[index].message_strings);
Ok(dns_getaddrinfo_opts(&message_values[index].message_strings))
} else {
Ok(String::new())
};

match message_value {
Ok(value) => value,
Err(e) => {
log::error!("[macos-unifiedlogs] Failed to decode log object. Error: {e:?}");
e.to_string()
}
}
message_value
}

#[cfg(test)]
Expand All @@ -143,7 +159,7 @@ mod tests {
let test_type = 0;
let test_index = 0;

let results = check_objects(test_format, &vec![test_item_info], &test_type, test_index);
let results = check_objects(test_format, &[test_item_info], test_type, test_index);
assert_eq!(results, "true")
}

Expand All @@ -158,7 +174,7 @@ mod tests {
let test_type = 0;
let test_index = 0;

let results = check_objects(test_format, &vec![test_item_info], &test_type, test_index);
let results = check_objects(test_format, &[test_item_info], test_type, test_index);
assert_eq!(results, "YES")
}

Expand All @@ -173,7 +189,7 @@ mod tests {
let test_type = 50; // 0x32
let test_index = 0;

let results = check_objects(test_format, &vec![test_item_info], &test_type, test_index);
let results = check_objects(test_format, &[test_item_info], test_type, test_index);
assert_eq!(results, "user: -2@/Local/Default");
}

Expand All @@ -188,7 +204,7 @@ mod tests {
let test_type = 50; // 0x32
let test_index = 0;

let results = check_objects(test_format, &vec![test_item_info], &test_type, test_index);
let results = check_objects(test_format, &[test_item_info], test_type, test_index);
assert_eq!(results, "85957E1D36C44ED286A80657BCDDE293")
}

Expand All @@ -203,7 +219,7 @@ mod tests {
let test_type = 50; // 0x32
let test_index = 0;

let results = check_objects(test_format, &vec![test_item_info], &test_type, test_index);
let results = check_objects(test_format, &[test_item_info], test_type, test_index);
assert_eq!(results, "<private>")
}

Expand All @@ -218,7 +234,7 @@ mod tests {
let test_type = 242; // 0x32
let test_index = 0;

let results = check_objects(test_format, &vec![test_item_info], &test_type, test_index);
let results = check_objects(test_format, &[test_item_info], test_type, test_index);
assert_eq!(results, "hash")
}
}
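Review bot: The bounds guard `if index > message_values.len()` in `check_objects` is off by one and only runs on the precision branch, so the `message_values[index]` access a few lines below still panics when `index == message_values.len()` or when a non-precision `item_index` is already out of range; the commit leaves these lines as context. The slice appears to come from parsed firehose items, so a truncated or malformed entry would abort the parser instead of producing the error string this function already tries to return. Hoisting the guard out of the precision block and comparing with `>=` closes both cases without changing the function's interface; the rest of the body, including the new `Result`-based dispatch and the `match` at the end, stays as the hunk has it.
```rust
    if item_type == PRECISION_ITEM {
        index += 1;
    }
    // Guard every item type, not only precision items, and reject index == len as well.
    if index >= message_values.len() {
        return format!("Index out of bounds for FirehoseItemInfo Vec. Got adjusted index {}, Vec size is {}. This should not have happened", index, message_values.len());
    }
    // … unchanged: mask.hash / <private> check and decoder dispatch …
```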