Changes to address failing artifact filters tests #4708 (#4709)

log2timeline · Jul 17, 2023 · 8b9bff7 · 8b9bff7
1 parent a43f3ce
commit 8b9bff7
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 12 deletions.
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-plaso (20230630-1) unstable; urgency=low
+plaso (20230717-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Log2Timeline maintainers <log2timeline-maintainers@googlegroups.com>  Fri, 30 Jun 2023 13:07:21 +0200
+ -- Log2Timeline maintainers <log2timeline-maintainers@googlegroups.com>  Mon, 17 Jul 2023 06:23:50 +0200
diff --git a/plaso/__init__.py b/plaso/__init__.py
@@ -6,4 +6,4 @@
 of log2timeline.
 """
 
-__version__ = '20230630'
+__version__ = '20230717'
diff --git a/plaso/cli/extraction_tool.py b/plaso/cli/extraction_tool.py
@@ -502,10 +502,12 @@ def _ProcessSource(self, session, storage_writer):
 
     environment_variables = (
         extraction_engine.knowledge_base.GetEnvironmentVariables())
+    user_accounts = list(storage_writer.GetAttributeContainers('user_account'))
 
     try:
       extraction_engine.BuildCollectionFilters(
-          environment_variables, artifact_filter_names=self._artifact_filters,
+          environment_variables, user_accounts,
+          artifact_filter_names=self._artifact_filters,
           filter_file_path=self._filter_file)
     except errors.InvalidFilter as exception:
       raise errors.BadConfigOption(

diff --git a/plaso/cli/image_export_tool.py b/plaso/cli/image_export_tool.py
@@ -340,10 +340,12 @@ def _Extract(
 
     environment_variables = (
         extraction_engine.knowledge_base.GetEnvironmentVariables())
+    user_accounts = []
 
     try:
       extraction_engine.BuildCollectionFilters(
-          environment_variables, artifact_filter_names=artifact_filters,
+          environment_variables, user_accounts,
+          artifact_filter_names=artifact_filters,
           filter_file_path=filter_file)
     except errors.InvalidFilter as exception:
       raise errors.BadConfigOption(

diff --git a/plaso/engine/engine.py b/plaso/engine/engine.py
@@ -170,13 +170,14 @@ def BuildArtifactsRegistry(
     self._artifacts_registry = registry
 
   def BuildCollectionFilters(
-      self, environment_variables, artifact_filter_names=None,
+      self, environment_variables, user_accounts, artifact_filter_names=None,
       filter_file_path=None):
     """Builds collection filters from artifacts or filter file if available.
 
     Args:
       environment_variables (list[EnvironmentVariableArtifact]):
           environment variables.
+      user_accounts (list[UserAccountArtifact]): user accounts.
       artifact_filter_names (Optional[list[str]]): names of artifact
           definitions that are used for filtering file system and Windows
           Registry key paths.
@@ -195,14 +196,16 @@ def BuildCollectionFilters(
       filters_helper = artifact_filters.ArtifactDefinitionsFiltersHelper(
           self._artifacts_registry)
       filters_helper.BuildFindSpecs(
-          artifact_filter_names, environment_variables=environment_variables)
+          artifact_filter_names, environment_variables=environment_variables,
+          user_accounts=user_accounts)
 
       # If the user selected Windows Registry artifacts we have to ensure
       # the Windows Registry files are parsed.
       if filters_helper.registry_find_specs:
         filters_helper.BuildFindSpecs(
             self._WINDOWS_REGISTRY_FILES_ARTIFACT_NAMES,
-            environment_variables=environment_variables)
+            environment_variables=environment_variables,
+            user_accounts=user_accounts)
 
       if not filters_helper.file_system_find_specs:
         raise errors.InvalidFilter(
@@ -386,6 +389,8 @@ def PreprocessSource(
       # TODO: kept for backwards compatibility.
       self.knowledge_base.ReadSystemConfigurationArtifact(
           system_configurations[0])
+      for environment_variable in system_configuration.environment_variables:
+        self.knowledge_base.AddEnvironmentVariable(environment_variable)
 
     return system_configurations
 

diff --git a/plaso/multi_process/extraction_engine.py b/plaso/multi_process/extraction_engine.py
@@ -1089,10 +1089,11 @@ def ProcessSourceMulti(
 
     # TODO: get environment_variables per system_configuration
     environment_variables = self.knowledge_base.GetEnvironmentVariables()
+    user_accounts = list(storage_writer.GetAttributeContainers('user_account'))
 
     try:
       self.BuildCollectionFilters(
-          environment_variables,
+          environment_variables, user_accounts,
           artifact_filter_names=processing_configuration.artifact_filters,
           filter_file_path=processing_configuration.filter_file)
     except errors.InvalidFilter as exception:

diff --git a/plaso/preprocessors/mediator.py b/plaso/preprocessors/mediator.py
@@ -112,6 +112,8 @@ def AddUserAccount(self, user_account):
     Raises:
       KeyError: if the user account already exists.
     """
+    logger.debug('adding user account: {0:s}'.format(user_account.username))
+
     if self._storage_writer:
       self._storage_writer.AddAttributeContainer(user_account)
 

diff --git a/plaso/single_process/extraction_engine.py b/plaso/single_process/extraction_engine.py
@@ -361,10 +361,12 @@ def _UpdateStatus(self):
       self._status_update_callback(self._processing_status)
 
   def _CreateParserMediator(
-      self, resolver_context, processing_configuration, system_configurations):
+      self, storage_writer, resolver_context, processing_configuration,
+      system_configurations):
     """Creates a parser mediator.
 
     Args:
+      storage_writer (StorageWriter): storage writer for a session storage.
       resolver_context (dfvfs.Context): resolver context.
       processing_configuration (ProcessingConfiguration): processing
           configuration.
@@ -382,9 +384,11 @@ def _CreateParserMediator(
     if self.knowledge_base:
       environment_variables = self.knowledge_base.GetEnvironmentVariables()
 
+    user_accounts = list(storage_writer.GetAttributeContainers('user_account'))
+
     try:
       self.BuildCollectionFilters(
-          environment_variables,
+          environment_variables, user_accounts,
           artifact_filter_names=processing_configuration.artifact_filters,
           filter_file_path=processing_configuration.filter_file)
     except errors.InvalidFilter as exception:
@@ -437,7 +441,8 @@ def ProcessSource(
           processing_configuration.custom_artifacts_path)
 
     parser_mediator = self._CreateParserMediator(
-        resolver_context, processing_configuration, system_configurations)
+        storage_writer, resolver_context, processing_configuration,
+        system_configurations)
     parser_mediator.SetStorageWriter(storage_writer)
 
     self._extraction_worker = worker.EventExtractionWorker(