Add plugin to parse recentlyused.xbel files from Linux desktops

dissect/target/plugins/os/unix/linux/recentlyused.py

@@ -0,0 +1,141 @@
+from datetime import datetime
+from typing import Iterator, Union
+
+from defusedxml import ElementTree
+from flow.record import GroupedRecord
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+
+RecentlyUsedRecord = TargetRecordDescriptor(
+    "unix/linux/recentlyused",
+    [
+        ("datetime", "ts"),
+        ("string", "user"),
+        ("string", "source"),
+        ("string", "href"),
+        ("datetime", "added"),
+        ("datetime", "modified"),
+        ("datetime", "visited"),
+        ("string", "mimetype"),
+        ("string", "groups"),
+        ("boolean", "private"),
+    ],
+)
+
+RecentlyUsedIconRecord = TargetRecordDescriptor(
+    "unix/linux/recentlyusedicon",
+    [
+        ("string", "type"),
+        ("string", "href"),
+        ("string", "name"),
+    ],
+)
+
+RecentlyUsedApplicationRecord = TargetRecordDescriptor(
+    "unix/linux/recentlyusedapplication",
+    [
+        ("datetime", "ts"),
+        ("string", "name"),
+        ("string", "exec"),
+        ("varint", "count"),
+    ],
+)
+ns = {
+    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
+    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
+}
+
+
+def parse_ts(ts):
+    """Parse timestamp format from xbel file"""
+    # datetime.fromisoformat() doesn´t support the trailing Z in python <= 3.10
+    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
+
+
+def parse_recentlyused_xbel(username, xbel_file):
+    with xbel_file.open() as fh:
+        et = ElementTree.fromstring(fh.read(), forbid_dtd=True)
+        for b in et.iter("bookmark"):
+            # The spec says there should always be exactly one.
+            # Ignore if there are fewer or more.
+            mimetypes = b.findall("./info/metadata/mime:mime-type", ns)
+            if mimetypes and len(mimetypes) == 1:
+                mimetype = mimetypes[0].get("type")
+            else:
+                mimetype = None
+
+            # This is just a list of names, GroupedRecords seem overkill
+            groups = b.findall("./info/metadata/bookmark:groups/bookmark:group", ns)
+            group_list = ", ".join(group.text for group in groups)
+
+            # There should be at most one "private" tag, but accept multiple
+            private_entries = b.findall("./info/metadata/bookmark:private", ns)
+            private = private_entries is not None and len(private_entries) > 0
+
+            cur = RecentlyUsedRecord(
+                ts=parse_ts(b.get("visited")),
+                user=username,
+                source=xbel_file,
+                href=b.get("href"),
+                added=parse_ts(b.get("added")),
+                modified=parse_ts(b.get("modified")),
+                visited=parse_ts(b.get("visited")),
+                mimetype=mimetype,
+                groups=group_list,
+                private=private,
+            )
+            yield cur
+
+            # Icon is optional, spec says at most one.
+            icons = b.findall("./info/metadata/bookmark:icon", ns)
+            if icons and len(icons) >= 1:
+                icon = icons[0]
+                iconrecord = RecentlyUsedIconRecord(
+                    type=icon.get("type"),
+                    href=icon.get("href"),
+                    name=icon.get("name"),
+                )
+                yield GroupedRecord("unix/linux/recentlyused/grouped", [cur, iconrecord])
+
+            # Spec says there should be at least one application
+            apps = b.findall("./info/metadata/bookmark:applications/bookmark:application", ns)
+            for app in apps:
+                apprecord = RecentlyUsedApplicationRecord(
+                    ts=parse_ts(app.get("modified")),
+                    name=app.get("name"),
+                    exec=app.get("exec"),
+                    count=app.get("count"),
+                )
+                yield GroupedRecord("unix/linux/recentlyused/grouped", [cur, apprecord])
+
+
+class RecentlyUsedPlugin(Plugin):
+    """Parse recently-used.xbel files on Gnome-based Linux Desktops.
+
+    Based on the spec on https://www.freedesktop.org/wiki/Specifications/desktop-bookmark-spec/
+    """
+
+    FILEPATH = ".local/share/recently-used.xbel"
+
+    def __init__(self, target):
+        super().__init__(target)
+        self.users_files = []
+        for user_details in self.target.user_details.all_with_home():
+            xbel_file = user_details.home_path.joinpath(self.FILEPATH)
+            if not xbel_file.exists():
+                continue
+            self.users_files.append((user_details.user, xbel_file))
+
+    def check_compatible(self) -> None:
+        if not len(self.users_files):
+            raise UnsupportedPluginError("No recently-used.xbel files found")
+
+    @export(record=RecentlyUsedRecord)
+    def recentlyused(self) -> Iterator[Union[RecentlyUsedRecord, GroupedRecord]]:
+        """Parse recently-used.xbel files on Linux Desktops."""
+
+        for user, xbel_file in self.users_files:
+            for record in parse_recentlyused_xbel(user.name, xbel_file):
+                yield record

tests/plugins/os/unix/linux/test_recentlyused.py

@@ -0,0 +1,22 @@
+from flow.record.fieldtypes import datetime as dt
+
+from dissect.target.filesystem import VirtualFilesystem
+from dissect.target.plugins.os.unix.linux.recentlyused import RecentlyUsedPlugin
+from dissect.target.target import Target
+from tests._utils import absolute_path
+
+
+def test_recentlyused(target_unix_users: Target, fs_unix: VirtualFilesystem) -> None:
+    data_file = absolute_path("_data/plugins/os/unix/linux/recently-used.xbel")
+    fs_unix.map_file("/home/user/.local/share/recently-used.xbel", data_file)
+    target_unix_users.add_plugin(RecentlyUsedPlugin)
+
+    results = list(target_unix_users.recentlyused())
+    assert len(results) == 15
+    assert results[0].user == "user"
+    assert results[0].href == "file:///home/sjaak/.profile"
+    assert results[0].ts == dt("2023-10-18 13:12:41.905277Z")
+    assert results[0].added == dt("2023-10-18 13:12:41.905276Z")
+    assert results[0].modified == dt("2023-10-18 13:14:09.483576Z")
+    assert results[0].visited == dt("2023-10-18 13:12:41.905277Z")
+    assert results[0].mimetype == "text/plain"