Source code for plaso.parsers.plist_plugins.install_history

"""Plist parser plugin for MacOS install history plist files."""

from plaso.containers import events
from plaso.parsers import plist
from plaso.parsers.plist_plugins import interface




[docs]
class MacOSInstallHistoryEventData(events.EventData):
    """MacOS install history event data.

    Attributes:
      identifiers (list[str]): identifiers of the installed package.
      name (str): display name of the installed package.
      process_name (str): name of the process that installed the package.
      version (str): display version of the installed package.
      written_time (dfdatetime.DateTimeValues): entry written date and time.
    """

    DATA_TYPE = "macos:install_history:entry"



[docs]
    def __init__(self):
        """Initializes event data."""
        super().__init__(data_type=self.DATA_TYPE)
        self.identifiers = None
        self.name = None
        self.process_name = None
        self.version = None
        self.written_time = None








[docs]
class MacOSInstallHistoryPlistPlugin(interface.PlistPlugin):
    """Plist parser plugin for MacOS install history plist files."""

    NAME = "macos_install_history"
    DATA_FORMAT = "MacOS installation history plist file"

    PLIST_PATH_FILTERS = frozenset([interface.PlistPathFilter("InstallHistory.plist")])

    PLIST_KEYS = frozenset(
        ["date", "displayName", "displayVersion", "processName", "packageIdentifiers"]
    )

    # pylint: disable=arguments-differ
    def _ParsePlist(self, parser_mediator, top_level=None, **unused_kwargs):
        """Extracts relevant install history entries.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfVFS.
          top_level (Optional[dict[str, object]]): plist top-level item.
        """
        for plist_key in top_level:
            event_data = MacOSInstallHistoryEventData()
            event_data.identifiers = plist_key.get("packageIdentifiers")
            event_data.name = plist_key.get("displayName")
            event_data.process_name = plist_key.get("processName")
            event_data.version = plist_key.get("displayVersion")
            event_data.written_time = self._GetDateTimeValueFromPlistKey(
                plist_key, "date"
            )

            parser_mediator.ProduceEventData(event_data)




plist.PlistParser.RegisterPlugin(MacOSInstallHistoryPlistPlugin)