Use re.VERBOSE for long regular expressions

dissect/target/plugins/os/unix/log/auth.py

@@ -12,7 +12,7 @@
 
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.fsutil import TargetPath, open_decompress
+from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
 from dissect.target.plugin import Plugin, alias, export
@@ -22,13 +22,18 @@
 RE_TS = re.compile(r"^[A-Za-z]{3}\s*\d{1,2}\s\d{1,2}:\d{2}:\d{2}")
 RE_TS_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")
 RE_LINE = re.compile(
-    r"\d{2}:\d{2}\s(?P<hostname>\S+)\s(?P<service>\S+?)(\[(?P<pid>\d+)\])?:\s*?(?P<message>.+)\s*?$"
+    r"""\d{2}:\d{2}\s                           # First match on the similar ending of the different timestamps
+        (?P<hostname>\S+)\s                     # The hostname
+        (?P<service>\S+?)(\[(?P<pid>\d+)\])?:   # The service with optionally the PID between brackets
+        \s*?(?P<message>.+)\s*?$                # The log message stripped from spaces left and right""",
+    re.X,
 )
 
 # Generic regular expressions
 RE_IPV4_ADDRESS = re.compile(
-    r"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"  # First three octets
-    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"  # Last octet
+    r"""((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}   # First three octets
+        (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)          # Last octet""",
+    re.X,
 )
 RE_USER = re.compile(r"for ([^\s]+)")
 
@@ -44,10 +49,11 @@ class SudoService(BaseService):
     """Parsing of sudo service messages in the auth log."""
 
     RE_SUDO_COMMAND = re.compile(
-        r"TTY=(?P<tty>\w+\/\w+)\s;\s"  # The TTY -> TTY=pts/0 ;
-        r"PWD=(?P<pwd>[\/\w]+)\s;\s"  # The current working directory -> PWD="/home/user" ;
-        r"USER=(?P<effective_user>\w+)\s;\s"  # The effective user -> USER=root ;
-        r"COMMAND=(?P<command>.+)$"  # The command -> COMMAND=/usr/bin/whoami
+        r"""TTY=(?P<tty>\w+\/\w+)\s;\s          # The TTY -> TTY=pts/0 ;
+            PWD=(?P<pwd>[\/\w]+)\s;\s           # The current working directory -> PWD="/home/user" ;
+            USER=(?P<effective_user>\w+)\s;\s   # The effective user -> USER=root ;
+            COMMAND=(?P<command>.+)$            # The command -> COMMAND=/usr/bin/whoami""",
+        re.X,
     )
 
     @classmethod
@@ -100,9 +106,10 @@ class SystemdLogindService(BaseService):
     """Class for parsing systemd-logind messages in the auth log."""
 
     RE_SYSTEMD_LOGIND_WATCHING = re.compile(
-        r"(?P<action>Watching\ssystem\sbuttons)\s"  # Action is "Watching system buttons"
-        r"on\s(?P<device>[^\s]+)\s"  # The device the button is related to -> /dev/input/event0
-        r"\((?P<device_name>.*?)\)"  # The device (button) name -> "(Power button)"
+        r"""(?P<action>Watching\ssystem\sbuttons)\s # Action is "Watching system buttons"
+            on\s(?P<device>[^\s]+)\s                # The device the button is related to -> /dev/input/event0
+            \((?P<device_name>.*?)\)                # The device (button) name -> (Power button)""",
+        re.X,
     )
 
     @classmethod
@@ -164,11 +171,12 @@ class PkexecService(BaseService):
     """Class for parsing pkexec messages in the auth log."""
 
     RE_PKEXEC_COMMAND = re.compile(
-        r"(?P<user>\S+?):\sExecuting\scommand\s"  # Starts with actual user -> user:
-        r"\[USER=(?P<effective_user>[^\]]+)\]\s"  # The impersonated user -> [USER=root]
-        r"\[TTY=(?P<tty>[^\]]+)\]\s"  # The tty -> [TTY=unknown]
-        r"\[CWD=(?P<cwd>[^\]]+)\]\s"  # Current working directory -> [CWD=/home/user]
-        r"\[COMMAND=(?P<command>[^\]]+)\]"  # Command performed -> [COMMAND=/usr/lib/example]
+        r"""(?P<user>\S+?):\sExecuting\scommand\s   # Starts with actual user -> user:
+        \[USER=(?P<effective_user>[^\]]+)\]\s       # The impersonated user -> [USER=root]
+        \[TTY=(?P<tty>[^\]]+)\]\s                   # The tty -> [TTY=unknown]
+        \[CWD=(?P<cwd>[^\]]+)\]\s                   # Current working directory -> [CWD=/home/user]
+        \[COMMAND=(?P<command>[^\]]+)\]             # Command -> [COMMAND=/usr/lib/example]""",
+        re.X,
     )
 
     @classmethod
@@ -187,9 +195,10 @@ def parse(cls, message: str) -> dict[str, str]:
 
 class PamUnixService(BaseService):
     RE_PAM_UNIX = re.compile(
-        r"pam_unix\([^\s]+:session\):\s(?P<action>session\s\w+) "  # Session action, usually opened or closed
-        r"for\suser\s(?P<user>[^\s\(]+)(?:\(uid=(?P<user_uid>\d+)\))?"  # User may contain uid like: root(uid=0)
-        r"(?:\sby\s\(uid=(?P<by_uid>\d+)\))?$"  # Opened action also contains this "by" addition
+        r"""pam_unix\([^\s]+:session\):\s(?P<action>session\s\w+)\s     # Session action, usually opened or closed
+            for\suser\s(?P<user>[^\s\(]+)(?:\(uid=(?P<user_uid>\d+)\))? # User may contain uid like: root(uid=0)
+            (?:\sby\s\(uid=(?P<by_uid>\d+)\))?$                         # Opened action also contains by""",
+        re.X,
     )
 
     @classmethod
@@ -337,7 +346,7 @@ def iso_readlines(file: Path) -> Iterator[tuple[datetime, str]]:
                 log.warning("No timestamp found in one of the lines in %s!", file)
                 log.debug("Skipping line: %s", line)
                 continue
-            
+
             try:
                 ts = datetime.strptime(match[0], "%Y-%m-%dT%H:%M:%S.%f%z")
             except ValueError as e: