
1use std::io::stdout;
2
3use bodyfile::Bodyfile3Line;
4use chrono::{DateTime, Utc};
5use flow_record::artifacts::posix::FileMode;
6use flow_record::artifacts::posix::FileType;
7use flow_record::prelude::*;
8use flow_record::derive::*;
9use types::Filesize;
10use types::Path;
11use types::PathType;
12
/// Example driver: parse one hard-coded bodyfile (v3) line, convert it into a
/// `FileRecord` and stream that record to stdout.
///
/// The `unwrap()` calls are acceptable only because the input is a fixed
/// sample; real bodyfile input is forensic data of unknown quality and should
/// be handled with proper error reporting instead of a panic.
fn main() {
    // '|'-separated bodyfile fields; the trailing -1 is a crtime that is not
    // available and is mapped to `None` by the timestamp conversion.
    let sample_line = "0|/Users/Administrator ($FILE_NAME)|93552-48-2|d/drwxr-xr-x|0|0|92|1577092511|1577092511|1577092511|-1";
    let parsed = Bodyfile3Line::try_from(sample_line).unwrap();
    let record = FileRecord::try_from(&parsed).unwrap();

    let mut serializer = Serializer::new(stdout());
    serializer.serialize(record).unwrap();
}
21
/// One file-system entry from a bodyfile, in flow-record form.
///
/// Instances are built by the `TryFrom<&Bodyfile3Line>` impl in this file.
/// The derive attaches the record schema (`version = 1`, `source = "Posix"`,
/// `classification = "file"`). NOTE(review): the derive presumably emits
/// fields in declaration order — confirm before reordering any of them.
#[derive(FlowRecord)]
#[flow_record(version = 1, source = "Posix", classification = "file")]
pub struct FileRecord {
    /// Path taken verbatim from the bodyfile name column, tagged `PathType::Posix`.
    file_name: Path,
    /// Owner uid / gid as signed 64-bit values; the conversion fails rather
    /// than wraps when the bodyfile value does not fit an `i64`.
    user_id: i64,
    group_id: i64,
    /// Both derived from the bodyfile mode column (e.g. `d/drwxr-xr-x`).
    file_type: FileType,
    mode: FileMode,
    size: Filesize,

    /// Bodyfile mtime / atime / ctime / crtime respectively. `None` when the
    /// bodyfile stores `-1` (timestamp not available) or when chrono cannot
    /// represent the seconds value — consumers cannot distinguish the two.
    modified: Option<DateTime<Utc>>,
    accessed: Option<DateTime<Utc>>,
    changed: Option<DateTime<Utc>>,
    birth: Option<DateTime<Utc>>,
}
37
/// Epoch-seconds value copied verbatim from a bodyfile timestamp column.
///
/// Nothing is validated on construction; the `-1` "not available" marker is
/// only interpreted when converting to `Option<DateTime<Utc>>`.
struct UnixTimestamp(i64);

impl From<i64> for UnixTimestamp {
    /// Wrap the raw seconds value unchanged.
    fn from(value: i64) -> Self {
        UnixTimestamp(value)
    }
}
45
impl From<UnixTimestamp> for Option<DateTime<Utc>> {
    /// Decode a bodyfile epoch-seconds value into a UTC timestamp.
    ///
    /// `-1` is the bodyfile marker for "no timestamp" and maps to `None`.
    /// Every other value goes through `DateTime::from_timestamp`, which also
    /// returns `None` when the seconds value lies outside chrono's range, so a
    /// downstream analyst cannot tell "absent" from "unrepresentable" here.
    fn from(value: UnixTimestamp) -> Self {
        match value.0 {
            -1 => None,
            secs => DateTime::from_timestamp(secs, 0),
        }
    }
}
55
impl TryFrom<&Bodyfile3Line> for FileRecord {
    type Error = flow_record_common::Error;

    /// Build a [`FileRecord`] from one parsed bodyfile line.
    ///
    /// Fails when the uid or gid does not fit an `i64`, or when the mode
    /// column cannot be interpreted as a `FileMode` / `FileType`; `?` converts
    /// those errors into `flow_record_common::Error`. The name column is
    /// copied as-is (including any annotation such as `($FILE_NAME)`), and
    /// timestamps of `-1` become `None`.
    fn try_from(line: &Bodyfile3Line) -> Result<Self, Self::Error> {
        // Shared decoding for the four timestamp columns.
        fn timestamp(secs: i64) -> Option<DateTime<Utc>> {
            UnixTimestamp::from(secs).into()
        }

        let file_name = Path::new(line.get_name().to_string().into(), PathType::Posix);
        // Checked widening: an out-of-range id is an error, never a silent wrap.
        let user_id = i64::try_from(line.get_uid())?;
        let group_id = i64::try_from(line.get_gid())?;
        let mode: FileMode = line.get_mode().try_into()?;
        let file_type: FileType = line.get_mode().try_into()?;

        Ok(FileRecord {
            file_name,
            user_id,
            group_id,
            file_type,
            mode,
            size: line.get_size().into(),
            modified: timestamp(line.get_mtime()),
            accessed: timestamp(line.get_atime()),
            changed: timestamp(line.get_ctime()),
            birth: timestamp(line.get_crtime()),
        })
    }
}
72}