Compute Aggregation Id Field - #170

Author: VincentD06

src/main/java/com/airbus_cyber_security/graylog/wizard/fields/AggregationFieldValueProvider.java

@@ -28,9 +28,17 @@
 import org.graylog.events.fields.FieldValueType;
 import org.graylog.events.fields.providers.AbstractFieldValueProvider;
 import org.graylog.events.fields.providers.FieldValueProvider;
+import org.graylog.events.search.EventsSearchFilter;
+import org.graylog.events.search.EventsSearchParameters;
+import org.graylog.events.search.EventsSearchResult;
+import org.graylog.events.search.EventsSearchService;
+import org.graylog2.plugin.Message;
+import org.graylog2.plugin.indexer.searches.timeranges.RelativeRange;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.Collections;
+import java.util.Optional;
 import java.util.UUID;
 
 public class AggregationFieldValueProvider extends AbstractFieldValueProvider {
@@ -42,18 +50,64 @@ public interface Factory extends AbstractFieldValueProvider.Factory<AggregationF
     private static final Logger LOG = LoggerFactory.getLogger(AggregationFieldValueProvider.class);
 
     private final AggregationFieldValueProvider.Config config;
+    private final EventsSearchService searchService;
 
     @Inject
-    public AggregationFieldValueProvider(@Assisted FieldValueProvider.Config config) {
+    public AggregationFieldValueProvider(@Assisted FieldValueProvider.Config config, EventsSearchService searchService) {
         super(config);
         this.config = (AggregationFieldValueProvider.Config) config;
+        this.searchService = searchService;
     }
 
     @Override
     protected FieldValue doGet(String fieldName, EventWithContext eventWithContext) {
-        return FieldValue.create(FieldValueType.STRING, UUID.randomUUID().toString());
+        LOG.debug("Start Compute field {}", fieldName);
+
+        // Check if alert already exist in time range
+        if (this.config.aggregationTimeRange() > 0) {
+            LOG.debug("Aggregation Time Range is defined");
+
+            String eventDefinitionId = eventWithContext.event().getEventDefinitionId();
+            int timeRange = this.config.aggregationTimeRange() * 60;
+
+            EventsSearchFilter searchFilter = EventsSearchFilter.builder()
+                    .alerts(EventsSearchFilter.Alerts.ONLY)
+                    .eventDefinitions(Collections.singleton(eventDefinitionId))
+                    .build();
+
+            EventsSearchParameters request = EventsSearchParameters.builder()
+                    .filter(searchFilter)
+                    .timerange(RelativeRange.create(timeRange))
+                    .page(1)
+                    // Do not use higher perPage value cause request failed
+                    .perPage(5000)
+                    .query("")
+                    .sortBy(Message.FIELD_TIMESTAMP)
+                    .sortDirection(EventsSearchParameters.SortDirection.DESC)
+                    .build();
+
+            EventsSearchResult result = this.searchService.search(request, new EmptySubject());
+
+            if (result.totalEvents() > 0) {
+                LOG.debug("Found {} events for aggregation", result.totalEvents());
+
+                Optional<EventsSearchResult.Event> existingEvent = result.events().stream().filter(x -> x.event().groupByFields().equals(eventWithContext.event().getGroupByFields())).findFirst();
+
+                if (existingEvent.isPresent()) {
+                    String existingId = existingEvent.get().event().fields().getOrDefault(fieldName, UUID.randomUUID().toString());
+                    LOG.debug("Find existing Event with aggregation Id {}", existingId);
+
+                    return FieldValue.create(FieldValueType.STRING, existingId);
+                }
+            }
+        }
+
+        return getRandomFieldValue();
     }
 
+    public FieldValue getRandomFieldValue() {
+        return FieldValue.create(FieldValueType.STRING, UUID.randomUUID().toString());
+    }
 
     @AutoValue
     @JsonTypeName(AggregationFieldValueProvider.Config.TYPE_NAME)
@@ -64,7 +118,7 @@ public static abstract class Config implements AbstractFieldValueProvider.Config
         private static final String FIELD_AGGREGATION_TIME_RANGE = "aggregation_time_range";
 
         @JsonProperty(FIELD_AGGREGATION_TIME_RANGE)
-        public abstract Long aggregationTimeRange();
+        public abstract Integer aggregationTimeRange();
 
         public static AggregationFieldValueProvider.Config.Builder builder() {
             return AggregationFieldValueProvider.Config.Builder.create();
@@ -80,7 +134,7 @@ public static AggregationFieldValueProvider.Config.Builder create() {
             }
 
             @JsonProperty(FIELD_AGGREGATION_TIME_RANGE)
-            public abstract AggregationFieldValueProvider.Config.Builder aggregationTimeRange(Long aggregationTimeRange);
+            public abstract AggregationFieldValueProvider.Config.Builder aggregationTimeRange(Integer aggregationTimeRange);
 
             public abstract AggregationFieldValueProvider.Config build();
         }

src/main/java/com/airbus_cyber_security/graylog/wizard/fields/EmptySubject.java

@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2018 Airbus CyberSecurity (SAS)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package com.airbus_cyber_security.graylog.wizard.fields;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.authz.Permission;
+import org.apache.shiro.session.Session;
+import org.apache.shiro.subject.ExecutionException;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.Subject;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.concurrent.Callable;
+
+/**
+ * Empty implementation of Subject
+ */
+// TODO: Remove this when Graylog will allow search without Subject
+public class EmptySubject implements Subject {
+    @Override
+    public Object getPrincipal() {
+        return null;
+    }
+
+    @Override
+    public PrincipalCollection getPrincipals() {
+        return null;
+    }
+
+    @Override
+    public boolean isPermitted(String permission) {
+        return true;
+    }
+
+    @Override
+    public boolean isPermitted(Permission permission) {
+        return true;
+    }
+
+    @Override
+    public boolean[] isPermitted(String... permissions) {
+        return new boolean[0];
+    }
+
+    @Override
+    public boolean[] isPermitted(List<Permission> permissions) {
+        return new boolean[0];
+    }
+
+    @Override
+    public boolean isPermittedAll(String... permissions) {
+        return false;
+    }
+
+    @Override
+    public boolean isPermittedAll(Collection<Permission> permissions) {
+        return false;
+    }
+
+    @Override
+    public void checkPermission(String permission) throws AuthorizationException {
+
+    }
+
+    @Override
+    public void checkPermission(Permission permission) throws AuthorizationException {
+
+    }
+
+    @Override
+    public void checkPermissions(String... permissions) throws AuthorizationException {
+
+    }
+
+    @Override
+    public void checkPermissions(Collection<Permission> permissions) throws AuthorizationException {
+
+    }
+
+    @Override
+    public boolean hasRole(String roleIdentifier) {
+        return false;
+    }
+
+    @Override
+    public boolean[] hasRoles(List<String> roleIdentifiers) {
+        return new boolean[0];
+    }
+
+    @Override
+    public boolean hasAllRoles(Collection<String> roleIdentifiers) {
+        return false;
+    }
+
+    @Override
+    public void checkRole(String roleIdentifier) throws AuthorizationException {
+
+    }
+
+    @Override
+    public void checkRoles(Collection<String> roleIdentifiers) throws AuthorizationException {
+
+    }
+
+    @Override
+    public void checkRoles(String... roleIdentifiers) throws AuthorizationException {
+
+    }
+
+    @Override
+    public void login(AuthenticationToken token) throws AuthenticationException {
+
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return false;
+    }
+
+    @Override
+    public boolean isRemembered() {
+        return false;
+    }
+
+    @Override
+    public Session getSession() {
+        return null;
+    }
+
+    @Override
+    public Session getSession(boolean create) {
+        return null;
+    }
+
+    @Override
+    public void logout() {
+
+    }
+
+    @Override
+    public <V> V execute(Callable<V> callable) throws ExecutionException {
+        return null;
+    }
+
+    @Override
+    public void execute(Runnable runnable) {
+
+    }
+
+    @Override
+    public <V> Callable<V> associateWith(Callable<V> callable) {
+        return null;
+    }
+
+    @Override
+    public Runnable associateWith(Runnable runnable) {
+        return null;
+    }
+
+    @Override
+    public void runAs(PrincipalCollection principals) throws NullPointerException, IllegalStateException {
+
+    }
+
+    @Override
+    public boolean isRunAs() {
+        return false;
+    }
+
+    @Override
+    public PrincipalCollection getPreviousPrincipals() {
+        return null;
+    }
+
+    @Override
+    public PrincipalCollection releaseRunAs() {
+        return null;
+    }
+}

src/web/wizard/aggregationField/AggregationFieldValueProviderSummary.tsx

@@ -31,7 +31,6 @@ const AggregationFieldValueProviderSummary = ({ fieldName, config, keys }: Props
 
     const toggleDisplayDetails = () => {
         setDisplayDetails(!displayDetails);
-        console.log(config);
     };
 
     return (