From 3dc6d25e6c46670bbfc15f8e2378f655ae9abc78 Mon Sep 17 00:00:00 2001
From: JSCU-CNI <121175071+JSCU-CNI@users.noreply.github.com>
Date: Thu, 16 Jan 2025 11:22:11 +0100
Subject: [PATCH] add tests
---
 dissect/target/plugins/os/unix/log/journal.py | 6 ++--
 .../os/unix/log/journal/system.journal | 3 ++
 .../os/unix/log/journal/unused.journal | 3 ++
 .../os/unix/log/journal/user-1000.journal | 3 ++
 tests/plugins/os/unix/log/test_journal.py | 35 +++++++++++++++++++
 5 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 tests/_data/plugins/os/unix/log/journal/system.journal
 create mode 100644 tests/_data/plugins/os/unix/log/journal/unused.journal
 create mode 100644 tests/_data/plugins/os/unix/log/journal/user-1000.journal
diff --git a/dissect/target/plugins/os/unix/log/journal.py b/dissect/target/plugins/os/unix/log/journal.py
index fa0dbc886..bf8ec6e17 100644
--- a/dissect/target/plugins/os/unix/log/journal.py
+++ b/dissect/target/plugins/os/unix/log/journal.py
@@ -319,10 +319,12 @@ def __iter__(self) -> Iterator[dict[str, int | str]]:
 if object_type == c_journal.ObjectType.OBJECT_UNUSED:
 self.target.log.warning(
- "ObjectType OBJECT_UNUSED encountered for next OBJECT_ENTRY_ARRAY offset. ",
- "This indicates allocated space in file which is not used yet.",
+ "ObjectType OBJECT_UNUSED encountered for next OBJECT_ENTRY_ARRAY offset at 0x%X. "
+ "This indicates allocated space in the journal file which is not used yet.",
+ offset,
 )
 break
+
 elif object_type != c_journal.ObjectType.OBJECT_ENTRY_ARRAY:
 raise ValueError(f"Expected OBJECT_ENTRY_ARRAY or OBJECT_UNUSED at offset {offset}")
diff --git a/tests/_data/plugins/os/unix/log/journal/system.journal b/tests/_data/plugins/os/unix/log/journal/system.journal
new file mode 100644
index 000000000..62f8a136d
--- /dev/null
+++ b/tests/_data/plugins/os/unix/log/journal/system.journal
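Review bot: The new warning prints the offset as hex (`0x%X`) while the `ValueError` in the `elif` branch just below still formats the same `offset` in decimal, so the two diagnostics for one entry-array chain cannot be compared at a glance; `raise ValueError(f"Expected OBJECT_ENTRY_ARRAY or OBJECT_UNUSED at offset 0x{offset:X}")` would align them. The warning also does not say which journal file it concerns. When several journals are parsed in one run, an analyst deciding whether a chain that ends in unused space belongs to a live, preallocated file or to a damaged or altered one needs the source path, so consider passing it as a further `%s` argument if `__iter__` has it available (not visible here). `__iter__` starts and ends outside the hunk.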
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd34a41863a93619bff6389d760dd3417652dc42083776bd8a13fa6a0725178e
+size 8388608
diff --git a/tests/_data/plugins/os/unix/log/journal/unused.journal b/tests/_data/plugins/os/unix/log/journal/unused.journal
new file mode 100644
index 000000000..285d52440
--- /dev/null
+++ b/tests/_data/plugins/os/unix/log/journal/unused.journal
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb19305d131360a8b6ea15f8db3c906cb0bb10c92e2b29a3155cbbcf67cc53c2
+size 8388608
diff --git a/tests/_data/plugins/os/unix/log/journal/user-1000.journal b/tests/_data/plugins/os/unix/log/journal/user-1000.journal
new file mode 100644
index 000000000..0c8573973
--- /dev/null
+++ b/tests/_data/plugins/os/unix/log/journal/user-1000.journal
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5dfb012b37018e9c39826ab0f44cd583045964c417e19bbaacbaefa74122da0
+size 16777216
diff --git a/tests/plugins/os/unix/log/test_journal.py b/tests/plugins/os/unix/log/test_journal.py
index 82675bb2f..500252cce 100644
--- a/tests/plugins/os/unix/log/test_journal.py
+++ b/tests/plugins/os/unix/log/test_journal.py
@@ -1,3 +1,6 @@
+import logging
+
+import pytest
 from flow.record.fieldtypes import datetime as dt
 from dissect.target.filesystem import VirtualFilesystem
@@ -28,3 +31,35 @@ def test_journal_plugin(target_unix: Target, fs_unix: VirtualFilesystem) -> None
 assert record.pid == 2096
 assert record.transport == "stdout"
 assert record.source == "/var/log/journal/1337/user-1000.journal"
+
+
+def test_journal_plugin_benchmark(target_unix: Target, fs_unix: VirtualFilesystem) -> None:
+ """test if we can parse some large journal files. this demonstrates how slow the journal plugin is."""
+
+ system_journal = absolute_path("_data/plugins/os/unix/log/journal/system.journal")
+ user_journal = absolute_path("_data/plugins/os/unix/log/journal/user-1000.journal")
+
+ fs_unix.map_file("/var/log/journal/deadbeef/system.journal", system_journal)
+ fs_unix.map_file("/var/log/journal/deadbeef/user-1000.journal", user_journal)
+ target_unix.add_plugin(JournalPlugin)
+
+ results = list(target_unix.journal())
+ assert len(results) == 252 + 17986
+
+
+def test_journal_plugin_unused_object(
+ caplog: pytest.LogCaptureFixture, target_unix: Target, fs_unix: VirtualFilesystem
+) -> None:
+ """test if we can handle OBJECT_UNUSED in journal files correctly."""
+
+ # unused.journal is a modified copy of system.journal at offset 0x393260.
+ # the next_entry_array_offset was set from 0x00 to 0x3C1337.
+ data_file = absolute_path("_data/plugins/os/unix/log/journal/unused.journal")
+ fs_unix.map_file("/var/log/journal/deadbeef/system.journal", data_file)
+ target_unix.add_plugin(JournalPlugin)
+
+ with caplog.at_level(logging.WARNING):
+ results = list(target_unix.journal())
+
+ assert "ObjectType OBJECT_UNUSED encountered for next OBJECT_ENTRY_ARRAY offset at 0x3C1337" in caplog.text
+ assert len(results) == 252
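Review bot: In `test_journal_plugin_unused_object` the expected count `252` is a bare literal, so the property under test is only implicit: stopping at OBJECT_UNUSED should drop no records relative to the unmodified `system.journal`. A comment on that assertion such as `# same record count as the unmodified system.journal (presumably the 252 in the benchmark sum)` would pin it. `test_journal_plugin_benchmark` measures no time and, as far as the hunk shows, runs with the normal suite while parsing two large fixtures; its docstring could describe what it actually checks, e.g. `"""Parse two large journal files and check the total record count."""`. The hunk adds no case for the `ValueError` branch (a next offset that lands on some other object type), which is the other way a damaged journal ends iteration, so that path appears to remain untested.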