⭐️ add macos.systemExtensions as new resource

providers/os/resources/macos.go

@@ -210,7 +210,9 @@ func (m *mqlMacosSystemsetup) disableKeyboardWhenEnclosureLockIsEngaged() (strin
 	return macos.SystemSetupCmdOutput{}.ParseDisableKeyboardWhenEnclosureLockIsEngaged(data), err
 }
 
-func Decode(r io.ReadSeeker) (map[string]interface{}, error) {
+type plistData map[string]interface{}
+
+func Decode(r io.ReadSeeker) (plistData, error) {
 	var data map[string]interface{}
 	decoder := plist.NewDecoder(r)
 	err := decoder.Decode(&data)
@@ -227,11 +229,54 @@ func Decode(r io.ReadSeeker) (map[string]interface{}, error) {
 		return nil, err
 	}
 
-	var dataJson map[string]interface{}
+	var dataJson plistData
 	err = json.Unmarshal(jsondata, &dataJson)
 	if err != nil {
 		return nil, err
 	}
 
 	return dataJson, nil
 }
+
+func (d plistData) GetPlistData(path ...string) plistData {
+	val := d
+	ok := false
+	for i := range path {
+		if val == nil {
+			return nil
+		}
+		val, ok = val[path[i]].(map[string]interface{})
+		if !ok {
+			return nil
+		}
+	}
+	return val
+}
+
+func (d plistData) GetString(path ...string) string {
+	val := d
+	ok := false
+	for i := 0; i < len(path)-1; i++ {
+		if val == nil {
+			return ""
+		}
+		val, ok = val[path[i]].(map[string]interface{})
+		if !ok {
+			return ""
+		}
+	}
+	key := path[len(path)-1]
+	return val[key].(string)
+}
+
+func (d plistData) GetList(path ...string) []interface{} {
+	val := d
+	for i := 0; i < len(path)-1; i++ {
+		if val == nil {
+			return nil
+		}
+		val = val[path[i]].(map[string]interface{})
+	}
+	key := path[len(path)-1]
+	return val[key].([]interface{})
+}

providers/os/resources/macos_systemextension.go

@@ -0,0 +1,108 @@
+package resources
+
+import (
+	"strings"
+
+	"go.mondoo.com/cnquery/v11/llx"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/util/convert"
+	"go.mondoo.com/cnquery/v11/providers/os/connection/shared"
+	"go.mondoo.com/cnquery/v11/types"
+)
+
+func (m *mqlMacos) systemExtensions() ([]interface{}, error) {
+	conn := m.MqlRuntime.Connection.(shared.Connection)
+
+	f, err := conn.FileSystem().Open("/Library/SystemExtensions/db.plist")
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	systemExtensionDb, err := Decode(f)
+	if err != nil {
+		return nil, err
+	}
+
+	extensions := systemExtensionDb["extensions"].([]interface{})
+	extensionPolicies := systemExtensionDb["extensionPolicies"].([]interface{})
+
+	list := []interface{}{}
+	for i := range extensions {
+		ex, err := newMacosSystemExtension(m.MqlRuntime, extensions[i].(map[string]interface{}), extensionPolicies)
+		if err != nil {
+			return nil, err
+		}
+		list = append(list, ex)
+	}
+
+	return list, nil
+}
+
+func newMacosSystemExtension(runtime *plugin.Runtime, extension plistData, extensionPolicies []interface{}) (*mqlMacosSystemExtension, error) {
+	uuid := extension.GetString("uniqueID")
+	identifier := extension.GetString("identifier")
+	teamID := extension.GetString("teamID")
+	isMdmManaged := false
+	if extensionPolicies != nil {
+		for i := range extensionPolicies {
+			policy, ok := extensionPolicies[i].(map[string]interface{})
+			if !ok {
+				continue
+			}
+			plistPolicy := plistData(policy)
+
+			// check if the team id is in allowedTeamIDs list
+			allowedTeams := plistPolicy.GetPlistData("allowedTeamIDs")
+			for k := range allowedTeams {
+				list := allowedTeams[k].([]interface{})
+				for j := range list {
+					if list[j].(string) == teamID {
+						isMdmManaged = true
+						break
+					}
+				}
+			}
+
+			// if it is not in the team id list, check allowedExtensions list
+			allowedExtensions := plistPolicy.GetPlistData("allowedExtensions")
+			for k := range allowedExtensions {
+				list := allowedExtensions[k].([]interface{})
+				for j := range list {
+					if list[j].(string) == identifier {
+						isMdmManaged = true
+						break
+					}
+				}
+			}
+		}
+	}
+
+	pkg, err := CreateResource(runtime, "macos.systemExtension", map[string]*llx.RawData{
+		"__id":       llx.StringData(uuid),
+		"identifier": llx.StringData(identifier),
+		"uuid":       llx.StringData(uuid),
+		"version":    llx.StringData(extension.GetString("bundleVersion", "CFBundleShortVersionString")),
+		"categories": llx.ArrayData(convert.SliceAnyToInterface(extension.GetList("categories")), types.String),
+		"state":      llx.StringData(extension.GetString("state")),
+		"teamID":     llx.StringData(teamID),
+		"bundlePath": llx.StringData(extension.GetString("container", "bundlePath")),
+		"mdmManaged": llx.BoolData(isMdmManaged),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	s := pkg.(*mqlMacosSystemExtension)
+	return s, nil
+}
+
+func (m *mqlMacosSystemExtension) enabled() (bool, error) {
+	state := m.GetState()
+	return strings.Contains(state.Data, "enabled"), nil
+}
+
+func (m *mqlMacosSystemExtension) active() (bool, error) {
+	state := m.GetState()
+	return strings.Contains(state.Data, "activated"), nil
+}

providers/os/resources/os.lr

@@ -1302,6 +1302,8 @@ macos {
   userHostPreferences() map[string]dict
   // macOS global account policies
   globalAccountPolicies() dict
+  // System extensions
+  systemExtensions() []macos.systemExtension
 }
 
 // macOS application layer firewall (ALF) service
@@ -1400,6 +1402,30 @@ windows {
   optionalFeatures() []windows.optionalFeature
 }
 
+// macOS system extension
+private macos.systemExtension @defaults("teamID identifier version state"){
+  // Identifier of the system extension
+  identifier string
+  // System extension unique identifier
+  uuid string
+  // Version of the system extension
+  version string
+  // Categories of the system extension
+  categories []string
+  // State of the system extension
+  state string
+  // Indicates whether the system extension is enabled
+  enabled() bool
+  // Indicates whether the system extension is active
+  active() bool
+  // Team identifier of the system extension
+  teamID string
+  // Path to the system extension
+  bundlePath string
+  // Indicates whether the system extension is MDM managed
+  mdmManaged bool
+}
+
 // Windows hotfix resource
 windows.hotfix {
   init(hotfixId string)