query: subscribe: utils: Provide an option to turn on/off for expanding SID

cosmo0920 · cosmo0920 · commit 004c57ee0645 · 2024-07-25T18:30:30.000+09:00
Signed-off-by: Hiroshi Hatake &lt;hiroshi@chronosphere.io&gt;
diff --git a/ext/winevt/winevt_c.h b/ext/winevt/winevt_c.h
@@ -46,7 +46,7 @@ EVT_HANDLE connect_to_remote(LPWSTR computerName, LPWSTR domain,
                              DWORD *error_code);
 WCHAR* get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote);
 VALUE get_values(EVT_HANDLE handle);
-VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers);
+VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers, BOOL expandSID);
 LocaleInfo* get_locale_info_from_rb_str(VALUE rb_locale_str);
 
 #ifdef __cplusplus
@@ -101,6 +101,7 @@ struct WinevtQuery
   LONG timeout;
   BOOL renderAsXML;
   BOOL preserveQualifiers;
+  BOOL expandSID;
   LocaleInfo *localeInfo;
   EVT_HANDLE remoteHandle;
 };
@@ -122,6 +123,7 @@ struct WinevtSubscribe
   DWORD currentRate;
   BOOL renderAsXML;
   BOOL preserveQualifiers;
+  BOOL expandSID;
   LocaleInfo* localeInfo;
   EVT_HANDLE remoteHandle;
 };
diff --git a/ext/winevt/winevt_query.c b/ext/winevt/winevt_query.c
@@ -153,6 +153,7 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
   winevtQuery->preserveQualifiers = FALSE;
   winevtQuery->localeInfo = &default_locale;
   winevtQuery->remoteHandle = hRemoteHandle;
+  winevtQuery->expandSID = TRUE;
 
   ALLOCV_END(wchannelBuf);
   ALLOCV_END(wpathBuf);
@@ -274,7 +275,8 @@ rb_winevt_query_render(VALUE self, EVT_HANDLE event)
   if (winevtQuery->renderAsXML) {
     return render_to_rb_str(event, EvtRenderEventXml);
   } else {
-    return render_system_event(event, winevtQuery->preserveQualifiers);
+    return render_system_event(event, winevtQuery->preserveQualifiers,
+                               winevtQuery->expandSID);
   }
 }
 
@@ -535,6 +537,40 @@ rb_winevt_query_get_locale(VALUE self)
   }
 }
 
+/*
+ * This method specifies whether expanding SID or not.
+ *
+ * @param rb_expand_sid_p [Boolean]
+ */
+static VALUE
+rb_winevt_query_set_expand_sid(VALUE self, VALUE rb_expand_sid_p)
+{
+  struct WinevtQuery* winevtQuery;
+
+  TypedData_Get_Struct(
+    self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+
+  winevtQuery->expandSID = RTEST(rb_expand_sid_p);
+
+  return Qnil;
+}
+
+/*
+ * This method returns whether expanding SID or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_query_expand_sid_p(VALUE self)
+{
+  struct WinevtQuery* winevtQuery;
+
+  TypedData_Get_Struct(
+    self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+
+  return winevtQuery->expandSID ? Qtrue : Qfalse;
+}
+
 /*
  * This method cancels channel query.
  *
@@ -683,6 +719,14 @@ Init_winevt_query(VALUE rb_cEventLog)
    * @since 0.8.0
    */
   rb_define_method(rb_cQuery, "locale=", rb_winevt_query_set_locale, 1);
+  /*
+   * @since 0.10.3
+   */
+  rb_define_method(rb_cQuery, "expand_sid?", rb_winevt_query_expand_sid_p, 0);
+  /*
+   * @since 0.10.3
+   */
+  rb_define_method(rb_cQuery, "expand_sid=", rb_winevt_query_set_expand_sid, 1);
   /*
    * @since 0.9.1
    */
diff --git a/ext/winevt/winevt_subscribe.c b/ext/winevt/winevt_subscribe.c
@@ -110,6 +110,7 @@ rb_winevt_subscribe_initialize(VALUE self)
   winevtSubscribe->readExistingEvents = TRUE;
   winevtSubscribe->preserveQualifiers = FALSE;
   winevtSubscribe->localeInfo = &default_locale;
+  winevtSubscribe->expandSID = TRUE;
 
   return Qnil;
 }
@@ -417,7 +418,8 @@ rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
   if (winevtSubscribe->renderAsXML) {
     return render_to_rb_str(event, EvtRenderEventXml);
   } else {
-    return render_system_event(event, winevtSubscribe->preserveQualifiers);
+    return render_system_event(event, winevtSubscribe->preserveQualifiers,
+                               winevtSubscribe->expandSID);
   }
 }
 
@@ -674,6 +676,40 @@ rb_winevt_subscribe_get_locale(VALUE self)
   }
 }
 
+/*
+ * This method specifies whether expanding SID or not.
+ *
+ * @param rb_expand_sid_p [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_expand_sid(VALUE self, VALUE rb_expand_sid_p)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+
+  winevtSubscribe->expandSID = RTEST(rb_expand_sid_p);
+
+  return Qnil;
+}
+
+/*
+ * This method returns whether expanding SID or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_expand_sid_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+
+  return winevtSubscribe->expandSID ? Qtrue : Qfalse;
+}
+
 /*
  * This method cancels channel subscription.
  *
@@ -771,6 +807,14 @@ Init_winevt_subscribe(VALUE rb_cEventLog)
    */
   rb_define_method(
     rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
+  /*
+   * @since 0.10.3
+   */
+  rb_define_method(rb_cSubscribe, "expand_sid?", rb_winevt_subscribe_expand_sid_p, 0);
+  /*
+   * @since 0.10.3
+   */
+  rb_define_method(rb_cSubscribe, "expand_sid=", rb_winevt_subscribe_set_expand_sid, 1);
   /*
    * @since 0.9.1
    */
diff --git a/ext/winevt/winevt_utils.cpp b/ext/winevt/winevt_utils.cpp
@@ -646,7 +646,7 @@ static int ExpandSIDWString(PSID sid, CHAR **out_expanded)
 }
 
 VALUE
-render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
+render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers, BOOL expandSID_p)
 {
   DWORD status = ERROR_SUCCESS;
   EVT_HANDLE hContext = NULL;
@@ -837,7 +837,8 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
   if (EvtVarTypeNull != pRenderedValues[EvtSystemUserID].Type) {
     if (ConvertSidToStringSid(pRenderedValues[EvtSystemUserID].SidVal, &pwsSid)) {
       CHAR *expandSID;
-      if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
+      if (expandSID_p &&
+          ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
                            &expandSID) == 0) {
         rbstr = rb_utf8_str_new_cstr(expandSID);
       } else {
