From eced6fc858e659281d80749661340ba42e8e099e Mon Sep 17 00:00:00 2001
From: Mike Cohen <scudette@users.noreply.github.com>
Date: Wed, 3 Nov 2021 14:15:11 +1000
Subject: [PATCH] Display all subauthorities for GUID in SRUM (#1365)

---
 constants/constants.go             |  2 +-
 vql/parsers/ese/ese.go             |  4 ++--
 vql/parsers/ese/profile_gen.go     |  4 ++--
 vql/parsers/ese/sid.go             | 11 +++++++----
 vql/parsers/ese/vtype_profile.json |  2 +-
 5 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/constants/constants.go b/constants/constants.go
index e416462c813..94913dc00b0 100644
--- a/constants/constants.go
+++ b/constants/constants.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION                    = "0.6.2-rc2"
+	VERSION                    = "0.6.3-dev"
 	ENROLLMENT_WELL_KNOWN_FLOW = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW = FLOW_PREFIX + "Monitoring"
 
diff --git a/vql/parsers/ese/ese.go b/vql/parsers/ese/ese.go
index 178641d27ae..51afbe0b8b4 100644
--- a/vql/parsers/ese/ese.go
+++ b/vql/parsers/ese/ese.go
@@ -129,7 +129,7 @@ func (self _SRUMLookupId) Call(
 
 			// Its a GUID
 			if id_details.IdType == 3 {
-				id_details.IdBlob = formatGUI(id_details.IdBlob)
+				id_details.IdBlob = formatGUID(id_details.IdBlob)
 			} else {
 				id_details.IdBlob = formatString(id_details.IdBlob)
 			}
@@ -163,7 +163,7 @@ func formatString(hexencoded string) string {
 	return ParseTerminatedUTF16String(&utils.BufferReaderAt{Buffer: buffer}, 0)
 }
 
-func formatGUI(hexencoded string) string {
+func formatGUID(hexencoded string) string {
 	if len(hexencoded) == 0 {
 		return hexencoded
 	}
diff --git a/vql/parsers/ese/profile_gen.go b/vql/parsers/ese/profile_gen.go
index 377264d6602..a967869e07a 100644
--- a/vql/parsers/ese/profile_gen.go
+++ b/vql/parsers/ese/profile_gen.go
@@ -103,11 +103,11 @@ func (self *SID) Authority2() uint32 {
 }
 
 func (self *SID) Subauthority() []uint32 {
-   return ParseArray_uint32(self.Profile, self.Reader, self.Profile.Off_SID_Subauthority + self.Offset, 2)
+   return ParseArray_uint32(self.Profile, self.Reader, self.Profile.Off_SID_Subauthority + self.Offset, 100)
 }
 
 func ParseArray_uint32(profile *MiscProfile, reader io.ReaderAt, offset int64, count int) []uint32 {
-    result := []uint32{}
+    result := make([]uint32, 0, count)
     for i:=0; i<count; i++ {
       value := ParseUint32(reader, offset)
       result = append(result, value)
diff --git a/vql/parsers/ese/sid.go b/vql/parsers/ese/sid.go
index cae9a5d8b90..949488aff22 100644
--- a/vql/parsers/ese/sid.go
+++ b/vql/parsers/ese/sid.go
@@ -11,11 +11,14 @@ func (self *SID) String() string {
 	result := fmt.Sprintf("S-%d", uint64(bits.ReverseBytes16(self.Authority()))<<32+
 		uint64(bits.ReverseBytes32(self.Authority2())))
 
-	for _, sub := range self.Subauthority() {
-		if sub != 0 {
-			result += fmt.Sprintf("-%d", sub)
+	sub_authorities := self.Subauthority()
+	for i := 0; i < int(self.SubAuthCount()); i++ {
+		if i > len(sub_authorities) {
+			break
 		}
-	}
 
+		sub := sub_authorities[i]
+		result += fmt.Sprintf("-%d", sub)
+	}
 	return result
 }
diff --git a/vql/parsers/ese/vtype_profile.json b/vql/parsers/ese/vtype_profile.json
index 86bfb7138c0..6def93eb19e 100644
--- a/vql/parsers/ese/vtype_profile.json
+++ b/vql/parsers/ese/vtype_profile.json
@@ -6,7 +6,7 @@
         "Authority2": [4, ["unsigned long"]],
         "Subauthority": [8, ["Array", {
             "target": "unsigned long",
-            "count": 2
+            "count": 100
         }]]
     }],