# -*- coding: utf-8 -*-
"""The preprocess mediator."""
from plaso.containers import warnings
from plaso.preprocessors import logger
class PreprocessMediator(object):
  """Mediates between preprocess plugins, the knowledge base and storage.

  Plugins report what they found on the examined system (host name,
  environment variables, time zone, user accounts, Windows EventLog
  providers, ...) through this object. The mediator forwards the information
  to the knowledge base and, when a storage writer is available, also writes
  the relevant attribute containers to storage.
  """

  def __init__(self, session, storage_writer, knowledge_base):
    """Initializes a preprocess mediator.

    Args:
      session (Session): session the preprocessing is part of.
      storage_writer (StorageWriter): storage writer, to store preprocessing
          information in. May be None, in which case nothing is written to
          storage and only the knowledge base is updated.
      knowledge_base (KnowledgeBase): knowledge base, to fill with
          preprocessing information.
    """
    super(PreprocessMediator, self).__init__()
    self._file_entry = None
    self._knowledge_base = knowledge_base
    # Kept for reference; the session is not read by any method of this class.
    self._session = session
    self._storage_writer = storage_writer
    # Providers that were stored by this mediator, keyed by provider
    # identifier, so that a provider reported again under a different log
    # source can be matched with the one already stored.
    self._windows_eventlog_providers_by_identifier = {}

  @property
  def knowledge_base(self):
    """KnowledgeBase: knowledge base the preprocessing results are kept in."""
    return self._knowledge_base

  def AddEnvironmentVariable(self, environment_variable_artifact):
    """Adds an environment variable.

    Args:
      environment_variable_artifact (EnvironmentVariableArtifact): environment
          variable artifact.

    Raises:
      KeyError: if the environment variable already exists.
    """
    variable_name = environment_variable_artifact.name
    variable_value = environment_variable_artifact.value
    # Note that the value recovered from the examined system is written to
    # the debug log verbatim.
    logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
        variable_name, variable_value))

    self._knowledge_base.AddEnvironmentVariable(environment_variable_artifact)

  def AddHostname(self, hostname_artifact):
    """Adds a hostname.

    Only the first hostname reported is kept; later ones are ignored.

    Args:
      hostname_artifact (HostnameArtifact): hostname artifact.
    """
    # TODO: change storage and knowledge base to handle more than 1 hostname.
    if self._knowledge_base.GetHostname():
      return

    self._knowledge_base.SetHostname(hostname_artifact)

  def AddTimeZoneInformation(self, time_zone_artifact):
    """Adds a time zone defined by the operating system.

    Args:
      time_zone_artifact (TimeZoneArtifact): time zone artifact.

    Raises:
      KeyError: if the time zone already exists.
    """
    self._knowledge_base.AddAvailableTimeZone(time_zone_artifact)

  def AddUserAccount(self, user_account):
    """Adds a user account.

    Args:
      user_account (UserAccountArtifact): user account artifact.

    Raises:
      KeyError: if the user account already exists.
    """
    self._knowledge_base.AddUserAccount(user_account)

  def AddWindowsEventLogProvider(self, windows_eventlog_provider):
    """Adds a Windows EventLog provider.

    A provider that is already known, either by log source or, failing that,
    by identifier, is merged into the existing provider: attributes that are
    still unset on the existing provider are taken from the new one and the
    existing provider is updated in storage. An unknown provider is added to
    storage and to the knowledge base.

    Args:
      windows_eventlog_provider (WindowsEventLogProviderArtifact): Windows
          EventLog provider.

    Raises:
      KeyError: if the Windows EventLog provider already exists.
    """
    identifier = windows_eventlog_provider.identifier
    log_source = windows_eventlog_provider.log_source

    known_provider = self._knowledge_base.GetWindowsEventLogProvider(
        log_source)

    if identifier and not known_provider:
      known_provider = self._windows_eventlog_providers_by_identifier.get(
          identifier)
      if known_provider:
        # The same provider was stored earlier under another log source:
        # retain that name as the alias and adopt the newly reported one.
        known_provider.log_source_alias = known_provider.log_source
        known_provider.log_source = log_source

    if not known_provider:
      if self._storage_writer:
        system_configuration_identifier = (
            self._storage_writer.GetSystemConfigurationIdentifier())
        windows_eventlog_provider.SetSystemConfigurationIdentifier(
            system_configuration_identifier)
        self._storage_writer.AddAttributeContainer(windows_eventlog_provider)

      self._knowledge_base.AddWindowsEventLogProvider(
          windows_eventlog_provider)

      if identifier:
        self._windows_eventlog_providers_by_identifier[identifier] = (
            windows_eventlog_provider)
      return

    # Fill in only what the stored provider lacks; values already present
    # are never overwritten by a later report.
    mergeable_attribute_names = (
        'category_message_files', 'event_message_files', 'identifier',
        'log_type', 'parameter_message_files')
    for attribute_name in mergeable_attribute_names:
      if not getattr(known_provider, attribute_name):
        setattr(known_provider, attribute_name,
                getattr(windows_eventlog_provider, attribute_name))

    if self._storage_writer:
      self._storage_writer.UpdateAttributeContainer(known_provider)

  def GetEnvironmentVariable(self, name):
    """Retrieves an environment variable.

    Args:
      name (str): name of the environment variable.

    Returns:
      EnvironmentVariableArtifact: environment variable artifact or None
          if there was no value set for the given name.
    """
    return self._knowledge_base.GetEnvironmentVariable(name)

  def ProducePreprocessingWarning(self, plugin_name, message):
    """Produces a preprocessing warning.

    The warning is written to storage when a storage writer is available and
    is tagged with the path specification of the active file entry, if any.
    The warning is always written to the debug log.

    Args:
      plugin_name (str): name of the preprocess plugin.
      message (str): message of the warning.
    """
    if self._storage_writer:
      path_spec = self._file_entry.path_spec if self._file_entry else None
      preprocessing_warning = warnings.PreprocessingWarning(
          message=message, path_spec=path_spec, plugin_name=plugin_name)
      self._storage_writer.AddAttributeContainer(preprocessing_warning)

    logger.debug('[{0:s}] {1:s}'.format(plugin_name, message))

  def SetCodepage(self, codepage):
    """Sets the codepage.

    The codepage is only set when the knowledge base has none yet.

    Args:
      codepage (str): codepage.

    Raises:
      ValueError: if the codepage is not supported.
    """
    if self._knowledge_base.codepage:
      return

    self._knowledge_base.SetCodepage(codepage)

  def SetFileEntry(self, file_entry):
    """Sets the active file entry.

    The active file entry is used to attach a path specification to
    preprocessing warnings.

    Args:
      file_entry (dfvfs.FileEntry): file entry.
    """
    self._file_entry = file_entry

  def SetLanguage(self, language):
    """Sets the language.

    Args:
      language (str): language.

    Raises:
      ValueError: if the language is not supported.
    """
    self._knowledge_base.SetLanguage(language)

  def SetTimeZone(self, time_zone):
    """Sets the time zone.

    Args:
      time_zone (str): time zone.

    Raises:
      ValueError: if the time zone is not supported.
    """
    # TODO: check if time zone is set in knowledge base.
    self._knowledge_base.SetTimeZone(time_zone)

  def SetValue(self, identifier, value):
    """Sets a value by identifier.

    The first value set for an identifier wins; a later call for the same
    identifier is ignored. Note that a stored value that evaluates to false
    counts as unset here.

    Args:
      identifier (str): case insensitive unique identifier for the value.
      value (object): value.

    Raises:
      TypeError: if the identifier is not a string type.
    """
    if self._knowledge_base.GetValue(identifier):
      return

    self._knowledge_base.SetValue(identifier, value)