Add APFS implementation

Author: Schamper

.gitattributes

@@ -0,0 +1 @@
+tests/_data/** filter=lfs diff=lfs merge=lfs -text

.github/pull_request_template.md

@@ -0,0 +1,24 @@
+<!--
+Thank you for submitting a Pull Request. Please:
+* Read our commit style guide:
+    Commit messages should adhere to the following points:
+    * Separate subject from body with a blank line
+    * Limit the subject line to 50 characters as much as possible
+    * Capitalize the subject line
+    * Do not end the subject line with a period
+    * Use the imperative mood in the subject line
+    * The verb should represent what was accomplished (Create, Add, Fix etc)
+    * Wrap the body at 72 characters
+    * Use the body to explain the what and why vs. the how
+  For an example, look at the following link:
+  https://docs.dissect.tools/en/latest/contributing/style-guide.html#example-commit-message
+
+* Include a description of the proposed changes and how to test them.
+
+* After creation, associate the PR with an issue, under the development section.
+  Or use closing keywords in the body during creation:
+  E.G:
+  * close(|s|d) #<nr>
+  * fix(|es|ed) #<nr>
+  * resolve(|s|d) #<nr>
+-->

.github/workflows/dissect-ci.yml

@@ -0,0 +1,37 @@
+name: Dissect CI
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '*'
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  ci:
+    uses: fox-it/dissect-workflow-templates/.github/workflows/dissect-ci-template.yml@main
+    secrets: inherit
+
+  publish:
+    if: ${{ github.ref_name == 'main' || github.ref_type == 'tag' }}
+    needs: [ci]
+    runs-on: ubuntu-latest
+    environment: dissect_publish
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: packages
+          path: dist/
+      # According to the documentation, it automatically looks inside the `dist/` folder for packages.
+      - name: Publish package distributions to Pypi
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  trigger-tests:
+    needs: [publish]
+    uses: fox-it/dissect-workflow-templates/.github/workflows/dissect-ci-demand-test-template.yml@main
+    secrets: inherit
+    with:
+      on-demand-test: 'dissect.target'

.gitignore

@@ -0,0 +1,11 @@
+coverage.xml
+.coverage
+dist/
+.eggs/
+*.egg-info/
+*.pyc
+__pycache__/
+.pytest_cache/
+tests/_docs/api
+tests/_docs/build
+.tox/

COPYRIGHT

@@ -0,0 +1,5 @@
+Dissect is released as open source by Fox-IT (https://www.fox-it.com) part of NCC Group Plc (https://www.nccgroup.com)
+
+Developed by the Dissect Team (dissect@fox-it.com) and made available at https://github.com/fox-it/dissect.apfs
+
+License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html)

LICENSE

@@ -0,0 +1,2 @@
+exclude .git*
+recursive-exclude .github/ *

MANIFEST.in

@@ -0,0 +1,55 @@
+# dissect.apfs
+
+A Dissect module implementing a parser for the APFS file system, a commonly used Apple filesystem. For more
+information, please see [the documentation](https://docs.dissect.tools/en/latest/projects/dissect.apfs/index.html).
+
+## Requirements
+
+This project is part of the Dissect framework and requires Python.
+
+Information on the supported Python versions can be found in the Getting Started section of [the documentation](https://docs.dissect.tools/en/latest/index.html#getting-started).
+
+## Installation
+
+`dissect.apfs` is available on [PyPI](https://pypi.org/project/dissect.apfs/).
+
+```bash
+pip install dissect.apfs
+```
+
+This module is also automatically installed if you install the `dissect` package.
+
+## Build and test instructions
+
+This project uses `tox` to build source and wheel distributions. Run the following command from the root folder to build
+these:
+
+```bash
+tox -e build
+```
+
+The build artifacts can be found in the `dist/` directory.
+
+`tox` is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests
+using the default installed Python version, run:
+
+```bash
+tox
+```
+
+For a more elaborate explanation on how to build and test the project, please see [the
+documentation](https://docs.dissect.tools/en/latest/contributing/tooling.html).
+
+## Contributing
+
+The Dissect project encourages any contribution to the codebase. To make your contribution fit into the project, please
+refer to [the development guide](https://docs.dissect.tools/en/latest/contributing/developing.html).
+
+## Copyright and license
+
+Dissect is released as open source by Fox-IT (<https://www.fox-it.com>) part of NCC Group Plc
+(<https://www.nccgroup.com>).
+
+Developed by the Dissect Team (<dissect@fox-it.com>) and made available at <https://github.com/fox-it/dissect>.
+
+License terms: AGPL3 (<https://www.gnu.org/licenses/agpl-3.0.html>). For more information, see the LICENSE file.

README.md

@@ -0,0 +1,15 @@
+from dissect.apfs.apfs import APFS
+from dissect.apfs.exception import (
+    Error,
+    FileNotFoundError,
+    NotADirectoryError,
+    NotASymlinkError,
+)
+
+__all__ = [
+    "APFS",
+    "Error",
+    "FileNotFoundError",
+    "NotADirectoryError",
+    "NotASymlinkError",
+]

dissect/apfs/__init__.py

@@ -0,0 +1,70 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, BinaryIO
+
+from dissect.apfs.c_apfs import c_apfs
+from dissect.apfs.objects import NxSuperblock
+
+if TYPE_CHECKING:
+    from uuid import UUID
+
+    from dissect.apfs.objects.fs import FS
+    from dissect.apfs.objects.keybag import ContainerKeybag
+
+
+class APFS:
+    """Container class for APFS operations.
+
+    Args:
+        fh: File-like object to read the APFS container from.
+    """
+
+    def __init__(self, fh: BinaryIO):
+        self.fh = fh
+        self.fh.seek(0)
+
+        self.sb = NxSuperblock.from_block(self, 0, self.fh.read(c_apfs.NX_DEFAULT_BLOCK_SIZE))
+        self.sb = sorted(
+            [self.sb] + [obj for obj in self.sb.checkpoint_objects if isinstance(obj, NxSuperblock)],
+            key=lambda obj: obj.xid,
+        )[-1]
+
+    @property
+    def block_size(self) -> int:
+        """The block size of the container."""
+        return self.sb.block_size
+
+    @property
+    def sectors_per_block(self) -> int:
+        """The number of 512-byte sectors per block."""
+        return self.block_size // 512
+
+    @property
+    def block_count(self) -> int:
+        """The total number of blocks in the container."""
+        return self.sb.block_count
+
+    @property
+    def uuid(self) -> UUID:
+        """The UUID of the container."""
+        return self.sb.uuid
+
+    @property
+    def keybag(self) -> ContainerKeybag | None:
+        """The container keybag, if present."""
+        return self.sb.keylocker
+
+    @property
+    def volumes(self) -> list[FS]:
+        """All the filesystems in the container."""
+        return self.sb.filesystems
+
+    def _read_block(self, address: int, count: int = 1) -> bytes:
+        """Read a block from the container.
+
+        Args:
+            address: The block address to read.
+        """
+        # TODO: Fusion tier2
+        self.fh.seek(address * self.block_size)
+        return self.fh.read(count * self.block_size)