From 2bb1abe9c4e0544e15f519a1bcacbae066048a18 Mon Sep 17 00:00:00 2001 From: Georgia Garcia Date: Tue, 28 Jan 2025 12:45:46 +0000 Subject: [PATCH] Merge utils: test: account for last cmd format change in test-aa-notify The "last" command, which was supplied by util-linux in older Ubuntu versions, is now supplied by wtmpdb in Oracular and Plucky. Unfortunately, this changed the output format and broke our column based parsing. While the wtmpdb upstream has added json support at https://github.com/thkukuk/wtmpdb/issues/20, we cannot use it because we need to support systems that do not have this new feature added. Signed-off-by: Ryan Lee MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1508 Approved-by: Georgia Garcia Merged-by: John Johansen (cherry picked from commit 3b7ee81f040fb9bcaeae2d2d46f97cdfa4572c88) afd6aa05 utils: test: account for last cmd format change in test-aa-notify Co-authored-by: John Johansen
---
 utils/test/test-aa-notify.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py
index 2dd8ff9a5..962e3cb16 100644
--- a/utils/test/test-aa-notify.py
+++ b/utils/test/test-aa-notify.py
@@ -144,11 +144,21 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoc return_code, output = cmd(['last', username, '--time-format', 'iso']) output = output.split('\n')[0] # the first line is enough - # example of output: + # example of output (util-linux last command): # ubuntu tty7 :0 2024-01-05T14:29:11-03:00 gone - no logout + # example of output (wtmpdb last command, local login): + # ubuntu tty7 2025-01-15T09:32:49-0800 - still logged in + # example of output (wtmpdb last command, remote login) + # ubuntu tty7 192.168.122.1 2024-01-05T14:29:11-03:00 gone - no logout if output.startswith(username): - last_login = output.split()[3] - last_login_epoch = datetime.fromisoformat(last_login).timestamp() + # Check both possible columns for the date + try: + last_login = output.split()[3] + last_login_epoch = datetime.fromisoformat(last_login).timestamp() + except (IndexError, ValueError): + last_login = output.split()[2] + last_login_epoch = datetime.fromisoformat(last_login).timestamp() + # add 60 seconds to the epoch so that the time in the logs are AFTER login time last_login_contents = self.create_logfile_contents(last_login_epoch + 60) file_last_login.write(last_login_contents)
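Review bot: The fallback to `output.split()[2]` inside the `except (IndexError, ValueError)` branch is itself unguarded, so when neither column 3 nor column 2 holds an ISO timestamp the test aborts with a chained exception that never shows what `last` printed. Trying the candidate columns in a loop and raising with the offending line would make the next format change diagnosable from the failure alone. Separately, the wtmpdb local-login example uses a `-0800` offset without a colon, which `datetime.fromisoformat` only accepts from Python 3.11 on; that is probably fine on Oracular and Plucky, but worth confirming if this cherry-pick is tested on a branch with an older interpreter. The enclosing method starts and ends outside the hunk.

```python
# … unchanged: example-output comments …
if output.startswith(username):
    # The date sits in column 3 (util-linux, wtmpdb remote login) or column 2 (wtmpdb local login)
    last_login_epoch = None
    columns = output.split()
    for index in (3, 2):
        try:
            last_login_epoch = datetime.fromisoformat(columns[index]).timestamp()
            break
        except (IndexError, ValueError):
            continue
    if last_login_epoch is None:
        raise AssertionError('no ISO timestamp found in "last" output: {!r}'.format(output))
    # … unchanged: add 60 seconds, write last_login_contents …
```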