Changes after review

plaso/data/formatters/ios.yaml

@@ -1,12 +1,12 @@
 # Plaso iOS related event formatters.
 ---
 type: 'conditional'
-data_type: 'ios:accounts:account'
+data_type: 'ios:accounts:entry'
 message:
 - 'Account Type: {account_type}'
 - 'Username: {username}'
 - 'Identifier: {identifier}'
-- 'Owning Bundle Identifier: {owning_bundle_id}'
+- 'Owning Bundle Identifier: {owning_bundle_identifier}'
 short_message:
 - 'Account Type: {account_type}'
 - 'Username: {username}'

plaso/data/timeliner.yaml

@@ -487,9 +487,9 @@ attribute_mappings:
   description: 'Creation Time'
 place_holder_event: false
 ---
-data_type: 'ios:accounts:account'
+data_type: 'ios:accounts:entry'
 attribute_mappings:
-- name: 'date'
+- name: 'creation_time'
   description: 'Creation Time'
 place_holder_event: true
 ---

plaso/parsers/sqlite_plugins/ios_accounts.py

@@ -12,25 +12,26 @@ class IOSAccounts(events.EventData):
   """iOS accounts event data.
 
   Attributes:
-      date (dfdatetime.DateTimeValues): date and time the account
-          was created.
       account_type (str): account type.
-      username (str): user name.
+      creation_time (dfdatetime.DateTimeValues): date and time the account
+          was created.
       identifier (str): identifier.
-      owning_bundle_id (str): owning bundle identifier of the app
-          managing the account.
+      owning_bundle_identifier (str): owning bundle identifier of the
+          application managing the account.
+      username (str): user name.
   """
 
-  DATA_TYPE = 'ios:accounts:account'
+  DATA_TYPE = 'ios:accounts:entry'
 
   def __init__(self):
     """Initializes event data."""
     super(IOSAccounts, self).__init__(data_type=self.DATA_TYPE)
-    self.date = None
     self.account_type = None
-    self.username = None
+    self.creation_time = None
     self.identifier = None
-    self.owning_bundle_id = None
+    self.owning_bundle_identifier = None
+    self.username = None
+
 
 class IOSAccountsPlugin(interface.SQLitePlugin):
   """SQLite parser plugin for iOS accounts (Accounts3.db) database files."""
@@ -43,8 +44,7 @@ class IOSAccountsPlugin(interface.SQLitePlugin):
           'ZACCOUNTTYPE', 'ZDATE', 'ZUSERNAME', 'ZIDENTIFIER', 
           'ZOWNINGBUNDLEID']),
       'ZACCOUNTTYPE': frozenset([
-          'Z_PK', 'ZACCOUNTTYPEDESCRIPTION'])
-  }
+          'Z_PK', 'ZACCOUNTTYPEDESCRIPTION'])}
 
   QUERIES = [((
       'SELECT ZACCOUNT.ZDATE, ZACCOUNTTYPE.ZACCOUNTTYPEDESCRIPTION, '
@@ -77,13 +77,13 @@ def _GetTimeRowValue(self, query_hash, row, value_name):
     """Retrieves a date and time value from the row.
 
     Args:
-        query_hash (int): hash of the query, that uniquely
+      query_hash (int): hash of the query, that uniquely
           identifies the query that produced the row.
-        row (sqlite3.Row): row.
-        value_name (str): name of the value.
+      row (sqlite3.Row): row.
+      value_name (str): name of the value.
 
     Returns:
-        dfdatetime.CocoaTime: date and time value or None if not available.
+      dfdatetime.CocoaTime: date and time value or None if not available.
     """
     timestamp = self._GetRowValue(query_hash, row, value_name)
     if timestamp is None:
@@ -92,27 +92,26 @@ def _GetTimeRowValue(self, query_hash, row, value_name):
     return dfdatetime_cocoa_time.CocoaTime(timestamp=timestamp)
 
   # pylint: disable=unused-argument
-  def ParseAccountRow(
-    self, parser_mediator, query, row, **unused_kwargs):
+  def ParseAccountRow(self, parser_mediator, query, row, **unused_kwargs):
     """Parses an account row.
 
     Args:
-        parser_mediator (ParserMediator): mediates interactions between
+      parser_mediator (ParserMediator): mediates interactions between
           parsers and other components, such as storage and dfVFS.
-        query (str): query that created the row.
-        row (sqlite3.Row): row.
+      query (str): query that created the row.
+      row (sqlite3.Row): row.
     """
     query_hash = hash(query)
 
     event_data = IOSAccounts()
-    event_data.date = self._GetTimeRowValue(query_hash, row, 'ZDATE')
-    event_data.account_type = self._GetRowValue(query_hash,
-        row, 'ZACCOUNTTYPEDESCRIPTION')
+    event_data.account_type = self._GetRowValue(
+        query_hash, row, 'ZACCOUNTTYPEDESCRIPTION')
+    event_data.creation_time = self._GetTimeRowValue(query_hash, row, 'ZDATE')
+    event_data.identifier = self._GetRowValue(
+        query_hash, row, 'ZIDENTIFIER')
+    event_data.owning_bundle_identifier = self._GetRowValue(
+        query_hash, row, 'ZOWNINGBUNDLEID')
     event_data.username = self._GetRowValue(query_hash, row, 'ZUSERNAME')
-    event_data.identifier = self._GetRowValue(query_hash, row,
-        'ZIDENTIFIER')
-    event_data.owning_bundle_id = self._GetRowValue(query_hash, row,
-        'ZOWNINGBUNDLEID')
 
     parser_mediator.ProduceEventData(event_data)
 

tests/parsers/sqlite_plugins/ios_accounts.py

@@ -26,12 +26,11 @@ def testParse(self):
     self.assertEqual(number_of_warnings, 0)
 
     expected_event_values = {
-        'date': '2020-03-21T21:47:57.068197+00:00', 
         'account_type': 'iCloud',
+        'creation_time': '2020-03-21T21:47:57.068197+00:00',
         'identifier': '1589F4EC-8F6C-4F37-929F-C6F121B36A59',
-        'owning_bundle_id': 'com.apple.purplebuddy',
-        'username': '[email protected]'
-    }
+        'owning_bundle_identifier': 'com.apple.purplebuddy',
+        'username': '[email protected]'}
 
     event_data = storage_writer.GetAttributeContainerByIndex(
         'event_data', 3)