Convert santa::santad::event_providers::endpoint_security (#1386)

Source/santad/EventProviders/AuthResultCache.h

@@ -52,13 +52,12 @@ class AuthResultCache {
   // previously denied binary is allowed, it can be re-executed by the user in a
   // timely manner. But the value should be high enough to allow the cache to be
   // effective in the event the binary is executed in rapid succession.
-  static std::unique_ptr<AuthResultCache> Create(
-    std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI> esapi,
-    SNTMetricSet *metric_set, uint64_t cache_deny_time_ms = 1500);
+  static std::unique_ptr<AuthResultCache> Create(std::shared_ptr<santa::EndpointSecurityAPI> esapi,
+                                                 SNTMetricSet *metric_set,
+                                                 uint64_t cache_deny_time_ms = 1500);
 
-  AuthResultCache(
-    std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI> esapi,
-    SNTMetricCounter *flush_count, uint64_t cache_deny_time_ms = 1500);
+  AuthResultCache(std::shared_ptr<santa::EndpointSecurityAPI> esapi, SNTMetricCounter *flush_count,
+                  uint64_t cache_deny_time_ms = 1500);
   virtual ~AuthResultCache();
 
   AuthResultCache(AuthResultCache &&other) = delete;
@@ -81,7 +80,7 @@ class AuthResultCache {
   SantaCache<SantaVnode, uint64_t> *root_cache_;
   SantaCache<SantaVnode, uint64_t> *nonroot_cache_;
 
-  std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI> esapi_;
+  std::shared_ptr<santa::EndpointSecurityAPI> esapi_;
   SNTMetricCounter *flush_count_;
   uint64_t root_devno_;
   uint64_t cache_deny_time_ns_;

Source/santad/EventProviders/AuthResultCache.mm

@@ -22,8 +22,8 @@
 #import "Source/common/SantaVnodeHash.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Client.h"
 
-using santa::santad::event_providers::endpoint_security::Client;
-using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
+using santa::Client;
+using santa::EndpointSecurityAPI;
 
 static NSString *const kFlushCacheReasonClientModeChanged = @"ClientModeChanged";
 static NSString *const kFlushCacheReasonPathRegexChanged = @"PathRegexChanged";

Source/santad/EventProviders/EndpointSecurity/Client.h

@@ -19,7 +19,7 @@
 
 #include <cstddef>
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 class Client {
  public:
@@ -64,6 +64,6 @@ class Client {
   es_new_client_result_t result_;
 };
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa
 
 #endif

Source/santad/EventProviders/EndpointSecurity/ClientTest.mm

@@ -20,7 +20,7 @@
 
 #include "Source/santad/EventProviders/EndpointSecurity/Client.h"
 
-using santa::santad::event_providers::endpoint_security::Client;
+using santa::Client;
 
 // Global semaphore used for custom `es_delete_client` function
 dispatch_semaphore_t gSema;

Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h

@@ -25,7 +25,7 @@
 #include "Source/santad/EventProviders/EndpointSecurity/Client.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 class EndpointSecurityAPI : public std::enable_shared_from_this<EndpointSecurityAPI> {
  public:
@@ -69,6 +69,6 @@ class EndpointSecurityAPI : public std::enable_shared_from_this<EndpointSecurity
   virtual const es_fd_t *ExecFD(const es_event_exec_t *event, uint32_t index);
 };
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa
 
 #endif

Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.mm

@@ -21,7 +21,7 @@
 
 using santa::WatchItemPathType;
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 Client EndpointSecurityAPI::NewClient(void (^message_handler)(es_client_t *, Message)) {
   es_client_t *client = NULL;
@@ -163,4 +163,4 @@
   return es_exec_fd(event, index);
 }
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa

Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h

@@ -28,7 +28,7 @@
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/ProcessTree/process_tree.pb.h"
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 class EnrichedFile {
  public:
@@ -454,6 +454,6 @@ class EnrichedMessage {
   EnrichedType msg_;
 };
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa
 
 #endif

Source/santad/EventProviders/EndpointSecurity/Enricher.h

@@ -21,7 +21,7 @@
 #include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
 #include "Source/santad/ProcessTree/process_tree.h"
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 enum class EnrichOptions {
   // Specifies default enricher operation.
@@ -34,7 +34,8 @@ enum class EnrichOptions {
 
 class Enricher {
  public:
-  Enricher(std::shared_ptr<process_tree::ProcessTree> pt = nullptr);
+  Enricher(
+      std::shared_ptr<santa::santad::process_tree::ProcessTree> pt = nullptr);
   virtual ~Enricher() = default;
   virtual std::unique_ptr<EnrichedMessage> Enrich(Message &&msg);
   virtual EnrichedProcess Enrich(
@@ -58,9 +59,9 @@ class Enricher {
       username_cache_;
   SantaCache<gid_t, std::optional<std::shared_ptr<std::string>>>
       groupname_cache_;
-  std::shared_ptr<process_tree::ProcessTree> process_tree_;
+  std::shared_ptr<santa::santad::process_tree::ProcessTree> process_tree_;
 };
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa
 
 #endif

Source/santad/EventProviders/EndpointSecurity/Enricher.mm

@@ -33,7 +33,7 @@
 
 using santa::StringTokenToStringView;
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 Enricher::Enricher(std::shared_ptr<::santa::santad::process_tree::ProcessTree> pt)
     : username_cache_(256), groupname_cache_(256), process_tree_(std::move(pt)) {}
@@ -134,9 +134,10 @@
                          UsernameForUID(audit_token_to_ruid(es_proc.audit_token), options),
                          UsernameForGID(audit_token_to_rgid(es_proc.audit_token), options),
                          Enrich(*es_proc.executable, options),
-                         process_tree_ ? process_tree_->ExportAnnotations(
-                                           process_tree::PidFromAuditToken(es_proc.audit_token))
-                                       : std::nullopt);
+                         process_tree_
+                           ? process_tree_->ExportAnnotations(
+                               santa::santad::process_tree::PidFromAuditToken(es_proc.audit_token))
+                           : std::nullopt);
 }
 
 EnrichedFile Enricher::Enrich(const es_file_t &es_file, EnrichOptions options) {
@@ -202,4 +203,4 @@
   return pw ? std::make_optional(pw->pw_uid) : std::nullopt;
 }
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa

Source/santad/EventProviders/EndpointSecurity/EnricherTest.mm

@@ -18,7 +18,7 @@
 #include "Source/common/TestUtils.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Enricher.h"
 
-using santa::santad::event_providers::endpoint_security::Enricher;
+using santa::Enricher;
 
 @interface EnricherTest : XCTestCase
 @end

Source/santad/EventProviders/EndpointSecurity/Message.h

@@ -23,7 +23,7 @@
 #import "Source/common/SNTCommonEnums.h"
 #include "Source/santad/ProcessTree/process_tree.h"
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 class EndpointSecurityAPI;
 class MessagePeer;
@@ -41,7 +41,7 @@ class Message {
   Message(const Message& other);
   Message& operator=(const Message& other) = delete;
 
-  void SetProcessToken(process_tree::ProcessToken tok);
+  void SetProcessToken(santa::santad::process_tree::ProcessToken tok);
 
   // Operators to access underlying es_message_t
   inline const es_message_t* operator->() const { return es_msg_; }
@@ -60,19 +60,19 @@ class Message {
   inline StatChangeStep StatChangeStep() const { return stat_change_step_; }
   inline StatResult StatResult() const { return stat_result_; }
 
-  friend class santa::santad::event_providers::endpoint_security::MessagePeer;
+  friend class santa::MessagePeer;
 
  private:
   std::shared_ptr<EndpointSecurityAPI> esapi_;
   const es_message_t* es_msg_;
-  std::optional<process_tree::ProcessToken> process_token_;
+  std::optional<santa::santad::process_tree::ProcessToken> process_token_;
 
   std::string GetProcessName(pid_t pid) const;
 
   mutable enum StatChangeStep stat_change_step_ = StatChangeStep::kNoChange;
   mutable enum StatResult stat_result_ = StatResult::kOK;
 };
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa
 
 #endif

Source/santad/EventProviders/EndpointSecurity/Message.mm

@@ -20,7 +20,7 @@
 
 #include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
 
-namespace santa::santad::event_providers::endpoint_security {
+namespace santa {
 
 Message::Message(std::shared_ptr<EndpointSecurityAPI> esapi, const es_message_t *es_msg)
     : esapi_(std::move(esapi)), es_msg_(es_msg), process_token_(std::nullopt) {
@@ -72,7 +72,7 @@
   }
 }
 
-void Message::SetProcessToken(process_tree::ProcessToken tok) {
+void Message::SetProcessToken(santa::santad::process_tree::ProcessToken tok) {
   process_token_ = std::move(tok);
 }
 
@@ -91,4 +91,4 @@
   }
 }
 
-}  // namespace santa::santad::event_providers::endpoint_security
+}  // namespace santa

Source/santad/EventProviders/EndpointSecurity/MessageTest.mm

@@ -23,7 +23,7 @@
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h"
 
-using santa::santad::event_providers::endpoint_security::Message;
+using santa::Message;
 
 bool IsPidInUse(pid_t pid) {
   char pname[MAXCOMLEN * 2 + 1] = {};

Source/santad/EventProviders/EndpointSecurity/MockEndpointSecurityAPI.h

@@ -27,18 +27,13 @@
 #include "Source/santad/EventProviders/EndpointSecurity/EndpointSecurityAPI.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 
-using santa::santad::event_providers::endpoint_security::Client;
+using santa::Client;
 
-class MockEndpointSecurityAPI
-    : public santa::santad::event_providers::endpoint_security::EndpointSecurityAPI {
+class MockEndpointSecurityAPI : public santa::EndpointSecurityAPI {
  public:
-  MOCK_METHOD(santa::santad::event_providers::endpoint_security::Client, NewClient,
-              (void (^message_handler)(
-                es_client_t *, santa::santad::event_providers::endpoint_security::Message)));
+  MOCK_METHOD(santa::Client, NewClient, (void (^message_handler)(es_client_t *, santa::Message)));
 
-  MOCK_METHOD(bool, Subscribe,
-              (const santa::santad::event_providers::endpoint_security::Client &,
-               const std::set<es_event_type_t> &));
+  MOCK_METHOD(bool, Subscribe, (const santa::Client &, const std::set<es_event_type_t> &));
   MOCK_METHOD(bool, UnsubscribeAll, (const Client &client));
 
   MOCK_METHOD(bool, UnmuteAllPaths, (const Client &client));
@@ -56,20 +51,15 @@ class MockEndpointSecurityAPI
   MOCK_METHOD(void, ReleaseMessage, (const es_message_t *msg));
 
   MOCK_METHOD(bool, RespondAuthResult,
-              (const santa::santad::event_providers::endpoint_security::Client &,
-               const santa::santad::event_providers::endpoint_security::Message &msg,
-               es_auth_result_t result, bool cache));
+              (const santa::Client &, const santa::Message &msg, es_auth_result_t result,
+               bool cache));
   MOCK_METHOD(bool, RespondFlagsResult,
-              (const santa::santad::event_providers::endpoint_security::Client &client,
-               const santa::santad::event_providers::endpoint_security::Message &msg,
-               uint32_t allowed_flags, bool cache));
+              (const santa::Client &client, const santa::Message &msg, uint32_t allowed_flags,
+               bool cache));
 
-  MOCK_METHOD(bool, MuteProcess,
-              (const santa::santad::event_providers::endpoint_security::Client &,
-               const audit_token_t *tok));
+  MOCK_METHOD(bool, MuteProcess, (const santa::Client &, const audit_token_t *tok));
 
-  MOCK_METHOD(bool, ClearCache,
-              (const santa::santad::event_providers::endpoint_security::Client &));
+  MOCK_METHOD(bool, ClearCache, (const santa::Client &));
 
   MOCK_METHOD(uint32_t, ExecArgCount, (const es_event_exec_t *event));
   MOCK_METHOD(es_string_token_t, ExecArg, (const es_event_exec_t *event, uint32_t index));
@@ -82,8 +72,7 @@ class MockEndpointSecurityAPI
 
   void SetExpectationsESNewClient() {
     EXPECT_CALL(*this, NewClient)
-      .WillOnce(testing::Return(santa::santad::event_providers::endpoint_security::Client(
-        nullptr, ES_NEW_CLIENT_RESULT_SUCCESS)));
+      .WillOnce(testing::Return(santa::Client(nullptr, ES_NEW_CLIENT_RESULT_SUCCESS)));
     EXPECT_CALL(*this, MuteProcess).WillOnce(testing::Return(true));
     EXPECT_CALL(*this, ClearCache).WillRepeatedly(testing::Return(true));
     EXPECT_CALL(*this, Subscribe).WillRepeatedly(testing::Return(true));

Source/santad/EventProviders/SNTEndpointSecurityAuthorizer.h

@@ -27,14 +27,11 @@
 @interface SNTEndpointSecurityAuthorizer
     : SNTEndpointSecurityClient <SNTEndpointSecurityEventHandler>
 
-- (instancetype)
-       initWithESAPI:
-         (std::shared_ptr<santa::santad::event_providers::endpoint_security::EndpointSecurityAPI>)
-           esApi
-             metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
-      execController:(SNTExecutionController *)execController
-  compilerController:(SNTCompilerController *)compilerController
-     authResultCache:
-       (std::shared_ptr<santa::santad::event_providers::AuthResultCache>)authResultCache;
+- (instancetype)initWithESAPI:(std::shared_ptr<santa::EndpointSecurityAPI>)esApi
+                      metrics:(std::shared_ptr<santa::santad::Metrics>)metrics
+               execController:(SNTExecutionController *)execController
+           compilerController:(SNTCompilerController *)compilerController
+              authResultCache:
+                (std::shared_ptr<santa::santad::event_providers::AuthResultCache>)authResultCache;
 
 @end

Source/santad/EventProviders/SNTEndpointSecurityAuthorizer.mm

@@ -26,10 +26,10 @@
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/Metrics.h"
 
+using santa::EndpointSecurityAPI;
+using santa::Message;
 using santa::santad::EventDisposition;
 using santa::santad::event_providers::AuthResultCache;
-using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
-using santa::santad::event_providers::endpoint_security::Message;
 
 @interface SNTEndpointSecurityAuthorizer ()
 @property SNTCompilerController *compilerController;

Source/santad/EventProviders/SNTEndpointSecurityAuthorizerTest.mm

@@ -33,9 +33,9 @@
 #import "Source/santad/SNTCompilerController.h"
 #import "Source/santad/SNTExecutionController.h"
 
+using santa::Message;
 using santa::santad::EventDisposition;
 using santa::santad::event_providers::AuthResultCache;
-using santa::santad::event_providers::endpoint_security::Message;
 
 class MockAuthResultCache : public AuthResultCache {
  public:

Source/santad/EventProviders/SNTEndpointSecurityClient.mm

@@ -37,14 +37,14 @@
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/Metrics.h"
 
+using santa::Client;
+using santa::EndpointSecurityAPI;
+using santa::EnrichedMessage;
+using santa::Message;
 using santa::WatchItemPathType;
 using santa::santad::EventDisposition;
 using santa::santad::Metrics;
 using santa::santad::Processor;
-using santa::santad::event_providers::endpoint_security::Client;
-using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
-using santa::santad::event_providers::endpoint_security::EnrichedMessage;
-using santa::santad::event_providers::endpoint_security::Message;
 
 constexpr std::string_view kProtectedFiles[] = {"/private/var/db/santa/rules.db",
                                                 "/private/var/db/santa/events.db"};