Source code for plaso.parsers.plist_plugins.macos_login_window

"""Plist parser plugin for Mac OS login window plist files."""

from plaso.containers import events
from plaso.parsers import plist
from plaso.parsers.plist_plugins import interface




[docs]
class MacOSLoginWindowEventData(events.EventData):
    """Mac OS login window event data.

    Also see:
    * https://developer.apple.com/documentation/devicemanagement/loginwindow
    * https://developer.apple.com/documentation/devicemanagement/
      loginwindowscripts

    Attributes:
      login_hook (str): path of the script to run during login.
      logout_hook (str): path of the script to run during logout.
    """

    DATA_TYPE = "macos:login_window:entry"



[docs]
    def __init__(self):
        """Initializes event data."""
        super().__init__(data_type=self.DATA_TYPE)
        self.login_hook = None
        self.logout_hook = None








[docs]
class MacOSLoginWindowManagedLoginItemEventData(events.EventData):
    """Mac OS login window managed login item event data.

    Also see:
    * https://developer.apple.com/documentation/devicemanagement/
      loginitemsmanageditems/loginitem

    Attributes:
      is_hidden (bool): True if the item should is not shown in the "Users &
          Groups" items list.
      path (str): URL or path of the location of the item.
    """

    DATA_TYPE = "macos:login_window:managed_login_item"



[docs]
    def __init__(self):
        """Initializes event data."""
        super().__init__(data_type=self.DATA_TYPE)
        self.is_hidden = None
        self.path = None








[docs]
class MacOSLoginWindowPlugin(interface.PlistPlugin):
    """Plist parser plugin for Mac OS login window plist files."""

    NAME = "macos_login_window_plist"
    DATA_FORMAT = "Mac OS login window plist file"

    PLIST_PATH_FILTERS = frozenset(
        [
            interface.PlistPathFilter("loginwindow.plist"),
            interface.PlistPathFilter("com.apple.loginwindow.plist"),
        ]
    )

    PLIST_KEYS = frozenset([])

    # pylint: disable=arguments-differ
    def _ParsePlist(self, parser_mediator, top_level=None, **unused_kwargs):
        """Extracts login window information from the plist.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfVFS.
          top_level (Optional[dict[str, object]]): plist top-level item.
        """
        for item in top_level.get("AutoLaunchedApplicationDictionary", []):
            event_data = MacOSLoginWindowManagedLoginItemEventData()
            event_data.is_hidden = item.get("Hide")
            event_data.path = item.get("Path")
            parser_mediator.ProduceEventData(event_data)

        event_data = MacOSLoginWindowEventData()
        event_data.login_hook = top_level.get("LoginHook")
        event_data.logout_hook = top_level.get("LogoutHook")
        parser_mediator.ProduceEventData(event_data)




plist.PlistParser.RegisterPlugin(MacOSLoginWindowPlugin)