reformat.go
package functions
import (
"context"
"strings"
"github.com/Velocidex/ordereddict"
"www.velocidex.com/golang/velociraptor/services"
vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
"www.velocidex.com/golang/vfilter"
"www.velocidex.com/golang/vfilter/arg_parser"
)
type (
	// ReformatFunctionArgs holds the arguments accepted by the reformat()
	// VQL function. The struct tag marks the single "artifact" argument as
	// required; its value is supplied by whoever writes the VQL query.
	ReformatFunctionArgs struct {
		Artifact string `vfilter:"required,field=artifact,doc=The artifact VQL to reformat."`
	}

	// ReformatFunction is the stateless receiver for the reformat() VQL
	// function.
	ReformatFunction struct{}

	// ReformatFunctionResult is the row returned by reformat(). Artifact
	// carries either the reformatted text or, on failure, the input as it
	// was parsed; Error carries the error message and is empty on success.
	ReformatFunctionResult struct {
		Artifact string
		Error    string
	}
)
// ToDict converts the result into an ordered dict with the keys
// "Artifact" and "Error", in that order.
func (self *ReformatFunctionResult) ToDict() *ordereddict.Dict {
	row := ordereddict.NewDict()
	row.Set("Artifact", self.Artifact)
	row.Set("Error", self.Error)
	return row
}
// Call implements the reformat() VQL function. It parses the "artifact"
// argument, obtains the repository manager for the server config found in
// the scope, and asks it to reformat the supplied artifact text.
//
// Every failure after the monitor is registered, except a missing server
// config, is reported as a row whose Error field holds err.Error() verbatim
// and whose Artifact field holds the input as parsed. A missing server
// config is logged to the scope and yields vfilter.Null{}.
//
// NOTE(review): the only gate visible in this function is that a server
// config must be present in the scope; no permission check on the caller
// is made here. The artifact text is caller-supplied, so confirm that any
// access control that is wanted is enforced elsewhere.
func (self *ReformatFunction) Call(ctx context.Context, scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any {
	defer vql_subsystem.RegisterMonitor(ctx, "reformat", args)()

	arg := &ReformatFunctionArgs{}

	// report builds the result row returned to the query for both the
	// success and the error paths.
	report := func(artifact, errMsg string) vfilter.Any {
		out := &ReformatFunctionResult{Artifact: artifact, Error: errMsg}
		return out.ToDict()
	}

	if err := arg_parser.ExtractArgsWithContext(ctx, scope, args, arg); err != nil {
		return report(arg.Artifact, err.Error())
	}

	// Without a server config there is no repository manager to call.
	config_obj, ok := vql_subsystem.GetServerConfig(scope)
	if !ok {
		scope.Log("reformat: Must be run on the server")
		return vfilter.Null{}
	}

	manager, err := services.GetRepositoryManager(config_obj)
	if err != nil {
		return report(arg.Artifact, err.Error())
	}

	reformatted, err := manager.ReformatVQL(ctx, arg.Artifact)
	if err != nil {
		return report(arg.Artifact, err.Error())
	}

	// Leading and trailing newlines are stripped from the reformatted text.
	return report(strings.Trim(reformatted, "\n"), "")
}
// Info describes the reformat() function to the VQL engine: its name, its
// help text, and the argument type registered from ReformatFunctionArgs.
//
// Only Name, Doc and ArgType are populated here.
// NOTE(review): if this function is expected to advertise the permissions
// it requires, that is not declared in this descriptor; confirm.
func (self ReformatFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
	info := &vfilter.FunctionInfo{}
	info.Name = "reformat"
	info.Doc = `Reformat VQL
This function will reformat the artifact provided and return the reformatted content.`
	info.ArgType = type_map.AddType(scope, &ReformatFunctionArgs{})
	return info
}
// init registers the reformat() function with the VQL subsystem when the
// package is loaded.
func init() {
	fn := new(ReformatFunction)
	vql_subsystem.RegisterFunction(fn)
}