wmi: adding utility function to convert datetime to FILETIME #5901
Conversation
|
How difficult would it be to add a unit test for this conversion function? |
|
@zwass probably not very! I'll get cracking on that :) |
|
@theopolis do you have a specific example in mind? Are you referring to the variant type for the WMI class lookup? I added the CIM Datetime to Unixtime here because it seems to fall into the same category as the others -- take a native windows string and port it to something more unix standard. @zwass for the tests, I'm gunna throw up an additional PR to just turn on tests for Darwin and Windows for the conversions string libraries, as there are none for Windows and it looks like Darwins aren't hooked up at all. Once that's up, I'll rebase this on top and add in a test for this logic I'm adding explicitly. I've nearly got the testing logic sorted, should have a PR here soon and I'll tag this one in it. |
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
18918f6 to
dad4b6b
Compare
|
Note, this is waiting for #5908 to land, after which I'll add in a test case for the new utility function and we can ship this. |
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
dad4b6b to
35e6ed3
Compare
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
2 times, most recently
from
c5ad532 to
b47b365
Compare
|
One thing to debug |
| @@ -41,6 +41,7 @@ function(generateOsqueryUtilsConversions) | |||
|
|
|||
| target_link_libraries(osquery_utils_conversions PUBLIC | |||
| osquery_cxx_settings | |||
| osquery_filesystem | |||
There was a problem hiding this comment.
We might have to look into filesystem and see if its dependencies are overly-broad (this could be a rabbit hole).
There was a problem hiding this comment.
You'll need to remove this to fix the Linux build errors, don't link osquery_filesystem.
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
b47b365 to
08ccec2
Compare
|
Still having some issues on this one. We had spoken in office hours about just removing the tests out of buck, but it's not quite that simple as the entirety of the buck build wont go through due to the new reliance on the FS libraries in the string utility conversions class. I might need to open up a new PR entirely to restructure the FS libraries before this can ship :\ |
|
What's going on with this PR? |
|
@directionless thanks for the ping, I think this was waiting for some re-arch on the filesystem libraries for the tests, but given that we've moved away from buck we might be able to ship his now. I'll get it rebased tonight and see where it's at, my apologies for the stale PRs! |
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
08ccec2 to
6a41801
Compare
|
Rebased and deconflicted, this should be g2g for review/landing now as we're no longer worried about getting tests working for Buck, which is what was holding this up previously. Lemme know if there's anything else needed to land! |
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
6a41801 to
0eddce0
Compare
| timeStore.dwHighDateTime = intStore.HighPart; | ||
|
|
||
| // And finally convert this to a Unix epoch timestamp | ||
| return filetimeToUnixtime(timeStore); |
There was a problem hiding this comment.
I recommend removing this function from fileops.cpp and bringing it into the ./utils/conversation (where ever is most appropriate) since it is simple and innocuous. We should not make a conversions library like this one depend on the filesystem library.
This will allow you to remove the CMake dependency above, which will fix the linking error.
There was a problem hiding this comment.
Done. I took a stab at this, I created a new header/implementation combo for windows_time under util/conversions. Happy to go with something else if folks feel strongly, but this seemed appropriate to me, as the only other conversions we seem to have look to largely be string based.
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
0eddce0 to
fcf88e2
Compare
|
|
||
| class ConversionsTests : public testing::Test {}; | ||
|
|
||
| TEST_F(ConversionsTests, test_filetime_to_unixtime) {} |
There was a problem hiding this comment.
Ah, my b, still need to add some good tests here :) Will update shortly.
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
3 times, most recently
from
6c4d0cf to
f8414c0
Compare
| @@ -41,6 +41,7 @@ function(generateOsqueryUtilsConversions) | |||
|
|
|||
| target_link_libraries(osquery_utils_conversions PUBLIC | |||
| osquery_cxx_settings | |||
| osquery_filesystem | |||
There was a problem hiding this comment.
You'll need to remove this to fix the Linux build errors, don't link osquery_filesystem.
Summary: See osquery#5746 for more details. This PR adds a helper function to convert datetime BSTRs passed back from WMI queries into FILETIME structs, which we can convert using our existing utility into a Unix Epoch time. Test Plan: Sampled querying the `os_version` and `video_info` tables to ensure that we're getting back Unix epoch times as opposed to the long datetime strings.
muffins
force-pushed
the
fix5746-datetime-to-filetime
branch
from
f8414c0 to
c0ffb56
Compare
Summary:
See #5746 for more details. This PR adds a helper function to
convert datetime BSTRs passed back from WMI queries into FILETIME
structs, which we can convert using our existing utility into a Unix
Epoch time.
Test Plan:
Sample queries against
video_info:Checking that time:
And
os_version:And that time in a datetime:
Both look pretty accurate.