feat(processing): add multi-file directory handler

There are certain formats where the content is split between
multiple files. Currently unblob operates under the assumption
that all content resides in a single file.

A few examples where this might be relevant:
- multi-volume archives, such as 7zip, rar etc.
- VM snapshots
- content + index type formats

This change introduces a DirectoryHandler which can operate
on multiple files residing in one directory or at least under
one subtree. Most formats there is a "main" file which can
be identified by a directory file name pattern. Using this
first file the handler can identify the other files and
return a MultiFile object, similar to ValidChunks.

We do not support cases where a single file is part of
multiple MultiFile, also a file processed & extracted in
the context of a MultiFile is not processed by traditional
handlers. Also there is no carving step rather the files
are extracted directly into an extraction directory. The
original files are kept and never deleted, as these are normal
files, unlike carved out temporary chunks.

Files extracted from a MultiFile have a MultiFile as their
parent. This required extending the current File -> Chunk
reporting concept by introducing an abstract Blob
type which is the parent of Chunk and MultiFile as well.

MultiFileReports are reported under the directory Task,
but contains all included file paths as well.

Author: martonilles

tests/conftest.py

@@ -11,5 +11,5 @@
 
 @pytest.fixture
 def task_result():
-    task = Task(path=Path("/nonexistent"), depth=0, chunk_id="")
+    task = Task(path=Path("/nonexistent"), depth=0, blob_id="")
     return TaskResult(task)

tests/test_cli.py

@@ -1,14 +1,15 @@
 from pathlib import Path
-from typing import List
+from typing import List, Optional
 from unittest import mock
 
 import pytest
 from click.testing import CliRunner
 
 import unblob.cli
 from unblob.extractors import Command
+from unblob.extractors.command import MultiFileCommand
 from unblob.handlers import BUILTIN_HANDLERS
-from unblob.models import Handler, HexString
+from unblob.models import DirectoryHandler, Glob, Handler, HexString, MultiFile
 from unblob.processing import DEFAULT_DEPTH, DEFAULT_PROCESS_NUM, ExtractionConfig
 
 
@@ -25,33 +26,54 @@ class ExistingCommandHandler(TestHandler):
     EXTRACTOR = Command("sh", "something")
 
 
-def test_show_external_dependencies_exists():
+class TestDirHandler(DirectoryHandler):
+    NAME = "test_dir_handler"
+    PATTERN = Glob("*.test")
+    EXTRACTOR = MultiFileCommand("test-multi", "for", "test", "handler")
+
+    def calculate_multifile(self, file: Path) -> Optional[MultiFile]:
+        pass
+
+
+class ExistingCommandDirHandler(TestDirHandler):
+    EXTRACTOR = MultiFileCommand("true")
+
+
+def test_show_external_dependencies_missing():
     handlers = (ExistingCommandHandler, TestHandler)
     runner = CliRunner()
     result = runner.invoke(
-        unblob.cli.cli, ["--show-external-dependencies"], handlers=handlers
+        unblob.cli.cli,
+        ["--show-external-dependencies"],
+        handlers=handlers,
+        dir_handlers=(TestDirHandler,),
     )
     assert result.exit_code == 1
     assert (
         result.output
         == """The following executables found installed, which are needed by unblob:
     sh             ✓
+    test-multi     ✗
     testcommand    ✗
 """
     )
 
 
-def test_show_external_dependencies_not_exists():
+def test_show_external_dependencies_exists():
     handlers = (ExistingCommandHandler, ExistingCommandHandler)
     runner = CliRunner()
     result = runner.invoke(
-        unblob.cli.cli, ["--show-external-dependencies"], handlers=handlers
+        unblob.cli.cli,
+        ["--show-external-dependencies"],
+        handlers=handlers,
+        dir_handlers=(ExistingCommandDirHandler,),
     )
     assert result.exit_code == 0
     assert (
         result.output
         == """The following executables found installed, which are needed by unblob:
-    sh    ✓
+    sh      ✓
+    true    ✓
 """
     )
 

tests/test_extractor.py

@@ -14,7 +14,7 @@
 def test_carve_unknown_chunk(tmp_path: Path):
     content = b"test file"
     test_file = File.from_bytes(content)
-    chunk = UnknownChunk(1, 8)
+    chunk = UnknownChunk(start_offset=1, end_offset=8)
     carve_unknown_chunk(tmp_path, test_file, chunk)
     written_path = tmp_path / "1-8.unknown"
     assert list(tmp_path.iterdir()) == [written_path]

tests/test_finder.py

@@ -112,64 +112,105 @@ def calculate_chunk(self, file, start_offset: int):
 @pytest.mark.parametrize(
     "content, expected_chunks",
     [
-        pytest.param(b"00A23450", [ValidChunk(2, 7)], id="single-chunk"),
         pytest.param(
-            b"0BB34A678900", [ValidChunk(0, 10)], id="chunk-with-relative-match-offset"
+            b"00A23450", [ValidChunk(start_offset=2, end_offset=7)], id="single-chunk"
+        ),
+        pytest.param(
+            b"0BB34A678900",
+            [ValidChunk(start_offset=0, end_offset=10)],
+            id="chunk-with-relative-match-offset",
         ),
         pytest.param(
             b"A23450BB3456789",
-            [ValidChunk(0, 5), ValidChunk(5, 15)],
+            [
+                ValidChunk(start_offset=0, end_offset=5),
+                ValidChunk(start_offset=5, end_offset=15),
+            ],
             id="multiple-chunk",
         ),
-        pytest.param(b"0BC34A67890", [ValidChunk(0, 10)], id="inner-chunk-ignored"),
+        pytest.param(
+            b"0BC34A67890",
+            [ValidChunk(start_offset=0, end_offset=10)],
+            id="inner-chunk-ignored",
+        ),
         pytest.param(
             b"0BC34A67890A2345",
-            [ValidChunk(0, 10), ValidChunk(11, 16)],
+            [
+                ValidChunk(start_offset=0, end_offset=10),
+                ValidChunk(start_offset=11, end_offset=16),
+            ],
             id="inner-chunk-ignored-scan-continues",
         ),
-        pytest.param(b"A23450BB34", [ValidChunk(0, 5)], id="overflowing-chunk-ignored"),
+        pytest.param(
+            b"A23450BB34",
+            [ValidChunk(start_offset=0, end_offset=5)],
+            id="overflowing-chunk-ignored",
+        ),
         pytest.param(
             b"0BBA2345",
-            [ValidChunk(3, 8)],
+            [ValidChunk(start_offset=3, end_offset=8)],
             id="overflowing-chunk-ignored-scan-continues",
         ),
-        pytest.param(b"A2345", [ValidChunk(0, 5)], id="whole-file-chunk"),
-        pytest.param(b"00000A2345", [ValidChunk(5, 10)], id="chunk-till-end-of-file"),
+        pytest.param(
+            b"A2345", [ValidChunk(start_offset=0, end_offset=5)], id="whole-file-chunk"
+        ),
+        pytest.param(
+            b"00000A2345",
+            [ValidChunk(start_offset=5, end_offset=10)],
+            id="chunk-till-end-of-file",
+        ),
         pytest.param(
             b"BB34A678900",
-            [ValidChunk(4, 9)],
+            [ValidChunk(start_offset=4, end_offset=9)],
             id="chunk-with-invalid-relative-match-offset-ignored",
         ),
-        pytest.param(b"00D00A2345", [ValidChunk(5, 10)], id="invalid-chunk-ignored"),
-        pytest.param(b"EOFA2345", [ValidChunk(3, 8)], id="eof-ignored-scan-continues"),
         pytest.param(
-            b"IA2345", [ValidChunk(1, 6)], id="invalid-chunk-ignored-scan-continues"
+            b"00D00A2345",
+            [ValidChunk(start_offset=5, end_offset=10)],
+            id="invalid-chunk-ignored",
+        ),
+        pytest.param(
+            b"EOFA2345",
+            [ValidChunk(start_offset=3, end_offset=8)],
+            id="eof-ignored-scan-continues",
         ),
         pytest.param(
-            b"EXCA2345", [ValidChunk(3, 8)], id="exception-ignored-scan-continues"
+            b"IA2345",
+            [ValidChunk(start_offset=1, end_offset=6)],
+            id="invalid-chunk-ignored-scan-continues",
+        ),
+        pytest.param(
+            b"EXCA2345",
+            [ValidChunk(start_offset=3, end_offset=8)],
+            id="exception-ignored-scan-continues",
         ),
         pytest.param(b"0", [], id="1-byte"),
         pytest.param(b"1234567890", [], id="no-chunk"),
         pytest.param(
             b"A2345L1" + b"1" * DEFAULT_BUFSIZE * 2,
-            [ValidChunk(0, 5), ValidChunk(5, 5 + DEFAULT_BUFSIZE * 2)],
+            [
+                ValidChunk(start_offset=0, end_offset=5),
+                ValidChunk(start_offset=5, end_offset=5 + DEFAULT_BUFSIZE * 2),
+            ],
             id="multi-large-chunk",
         ),
         pytest.param(
             b"L" + b"1" * DEFAULT_BUFSIZE + b"A2345" + b"1" * DEFAULT_BUFSIZE,
-            [ValidChunk(0, DEFAULT_BUFSIZE * 2)],
+            [ValidChunk(start_offset=0, end_offset=DEFAULT_BUFSIZE * 2)],
             id="large-small-inside-ignored",
         ),
         pytest.param(
             b"0123456789L" + b"1" * DEFAULT_BUFSIZE + b"A2345" + b"1" * DEFAULT_BUFSIZE,
-            [ValidChunk(10, 10 + DEFAULT_BUFSIZE * 2)],
+            [ValidChunk(start_offset=10, end_offset=10 + DEFAULT_BUFSIZE * 2)],
             id="padding-large-small-inside-ignored",
         ),
         pytest.param(
             b"L" + b"1" * (DEFAULT_BUFSIZE * 2 - 1) + b"A2345" + b"1" * DEFAULT_BUFSIZE,
             [
-                ValidChunk(0, DEFAULT_BUFSIZE * 2),
-                ValidChunk(DEFAULT_BUFSIZE * 2, DEFAULT_BUFSIZE * 2 + 5),
+                ValidChunk(start_offset=0, end_offset=DEFAULT_BUFSIZE * 2),
+                ValidChunk(
+                    start_offset=DEFAULT_BUFSIZE * 2, end_offset=DEFAULT_BUFSIZE * 2 + 5
+                ),
             ],
             id="large-small",
         ),
@@ -192,6 +233,4 @@ def test_search_chunks(content, expected_chunks, task_result):
 
     assert len(chunks) == len(expected_chunks)
     for expected_chunk, chunk in zip(expected_chunks, chunks):
-        assert attr.evolve(chunk, chunk_id="") == attr.evolve(
-            expected_chunk, chunk_id=""
-        )
+        assert attr.evolve(chunk, id="") == attr.evolve(expected_chunk, id="")

tests/test_models.py

@@ -18,11 +18,31 @@ class TestChunk:
     @pytest.mark.parametrize(
         "chunk1, chunk2, result",
         [
-            (Chunk(0, 10), Chunk(1, 2), True),
-            (Chunk(0, 10), Chunk(11, 12), False),
-            (Chunk(0, 10), Chunk(15, 20), False),
-            (Chunk(1, 2), Chunk(3, 5), False),
-            (Chunk(0, 10), Chunk(1, 10), True),
+            (
+                Chunk(start_offset=0, end_offset=10),
+                Chunk(start_offset=1, end_offset=2),
+                True,
+            ),
+            (
+                Chunk(start_offset=0, end_offset=10),
+                Chunk(start_offset=11, end_offset=12),
+                False,
+            ),
+            (
+                Chunk(start_offset=0, end_offset=10),
+                Chunk(start_offset=15, end_offset=20),
+                False,
+            ),
+            (
+                Chunk(start_offset=1, end_offset=2),
+                Chunk(start_offset=3, end_offset=5),
+                False,
+            ),
+            (
+                Chunk(start_offset=0, end_offset=10),
+                Chunk(start_offset=1, end_offset=10),
+                True,
+            ),
         ],
     )
     def test_contains(self, chunk1, chunk2, result):
@@ -35,10 +55,27 @@ def test_range_hex(self):
     @pytest.mark.parametrize(
         "chunk, offset, expected",
         [
-            pytest.param(Chunk(0x1, 0x2), 0x0, False, id="offset_before_chunk"),
-            pytest.param(Chunk(0x0, 0x2), 0x0, True, id="offset_start_of_chunk"),
-            pytest.param(Chunk(0x0, 0x2), 0x1, True, id="offset_inside_chunk"),
-            pytest.param(Chunk(0x0, 0x2), 0x2, False, id="offset_after"),
+            pytest.param(
+                Chunk(start_offset=0x1, end_offset=0x2),
+                0x0,
+                False,
+                id="offset_before_chunk",
+            ),
+            pytest.param(
+                Chunk(start_offset=0x0, end_offset=0x2),
+                0x0,
+                True,
+                id="offset_start_of_chunk",
+            ),
+            pytest.param(
+                Chunk(start_offset=0x0, end_offset=0x2),
+                0x1,
+                True,
+                id="offset_inside_chunk",
+            ),
+            pytest.param(
+                Chunk(start_offset=0x0, end_offset=0x2), 0x2, False, id="offset_after"
+            ),
         ],
     )
     def test_contains_offset(self, chunk, offset, expected):
@@ -56,12 +93,12 @@ def test_contains_offset(self, chunk, offset, expected):
     )
     def test_validation(self, start_offset, end_offset):
         with pytest.raises(InvalidInputFormat):
-            Chunk(start_offset, end_offset)
+            Chunk(start_offset=start_offset, end_offset=end_offset)
 
 
 class Test_to_json:  # noqa: N801
     def test_process_result_conversion(self):
-        task = Task(path=Path("/nonexistent"), depth=0, chunk_id="")
+        task = Task(path=Path("/nonexistent"), depth=0, blob_id="")
         task_result = TaskResult(task)
         chunk_id = "test_basic_conversion:id"
 
@@ -90,7 +127,7 @@ def test_process_result_conversion(self):
         )
         task_result.add_report(
             ChunkReport(
-                chunk_id=chunk_id,
+                id=chunk_id,
                 handler_name="zip",
                 start_offset=0,
                 end_offset=384,
@@ -103,7 +140,7 @@ def test_process_result_conversion(self):
             Task(
                 path=Path("/extractions/nonexistent_extract"),
                 depth=314,
-                chunk_id=chunk_id,
+                blob_id=chunk_id,
             )
         )
 
@@ -143,7 +180,7 @@ def test_process_result_conversion(self):
                         "end_offset": 384,
                         "extraction_reports": [],
                         "handler_name": "zip",
-                        "chunk_id": "test_basic_conversion:id",
+                        "id": "test_basic_conversion:id",
                         "is_encrypted": False,
                         "size": 384,
                         "start_offset": 0,
@@ -152,15 +189,17 @@ def test_process_result_conversion(self):
                 "subtasks": [
                     {
                         "__typename__": "Task",
-                        "chunk_id": "test_basic_conversion:id",
+                        "blob_id": "test_basic_conversion:id",
                         "depth": 314,
+                        "is_multi_file": False,
                         "path": "/extractions/nonexistent_extract",
                     }
                 ],
                 "task": {
                     "__typename__": "Task",
-                    "chunk_id": "",
+                    "blob_id": "",
                     "depth": 0,
+                    "is_multi_file": False,
                     "path": "/nonexistent",
                 },
             },