Add search_query in messages_url - #56

Author: VincentD06

src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/MessagesURLBuilder.java

@@ -18,16 +18,21 @@
 
 import org.graylog.events.event.EventDto;
 import org.graylog.events.notifications.EventNotificationContext;
+import org.graylog.events.processor.EventDefinitionDto;
+import org.graylog.events.processor.EventProcessorConfig;
+import org.graylog.events.processor.aggregation.AggregationEventProcessorConfig;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 
+import java.util.Optional;
 import java.util.Set;
 
 public class MessagesURLBuilder {
 
     private static final String MSGS_URL_BEGIN = "/search?rangetype=absolute&from=";
     private static final String MSGS_URL_TO = "&to=";
+    private static final String MSGS_URL_QUERY = "&q=";
     private static final String MSGS_URL_STREAM = "&streams=";
     private static final String COMMA_SEPARATOR = "%2C";
     private static final DateTimeFormatter TIME_FORMATTER = DateTimeFormat.forPattern("yyy-MM-dd'T'HH'%3A'mm'%3A'ss.SSS'Z'");
@@ -47,6 +52,24 @@ private String buildSourceStreams(EventDto event) {
         return MSGS_URL_STREAM + result.toString();
     }
 
+    private String buildSearchQuery(Optional<EventDefinitionDto> eventDefinitionOpt) {
+        if (eventDefinitionOpt.isPresent()) {
+            EventDefinitionDto eventDefinition = eventDefinitionOpt.get();
+            EventProcessorConfig config = eventDefinition.config();
+
+            if (config instanceof AggregationEventProcessorConfig) {
+                AggregationEventProcessorConfig aggregationConfig = (AggregationEventProcessorConfig) config;
+                if (aggregationConfig.query() == null || aggregationConfig.query().isEmpty() || aggregationConfig.query().equals("*")) {
+                    return "";
+                }
+
+                return MSGS_URL_QUERY + aggregationConfig.query();
+            }
+        }
+
+        return "";
+    }
+
     private DateTime evaluateEndTime(EventDto event, DateTime beginTime) {
         if (event.timerangeEnd().isEmpty()) {
             return beginTime.plusMinutes(1);
@@ -64,6 +87,7 @@ public String buildMessagesUrl(EventNotificationContext context, DateTime beginT
         // TODO review how beginTime/endTime are computed: they do not seem to correspond to the aggregation time range shown when viewing the alert!!
         return MSGS_URL_BEGIN + beginTime.toString(TIME_FORMATTER)
                 + MSGS_URL_TO + endTime.toString(TIME_FORMATTER)
+                + this.buildSearchQuery(context.eventDefinition())
                 + this.buildSourceStreams(event);
     }
 }

src/test/java/com/airbus_cyber_security/graylog/events/notifications/types/MessagesURLBuilderTest.java

@@ -28,22 +28,27 @@
 import org.graylog.events.notifications.EventNotificationSettings;
 import org.graylog.events.processor.EventDefinitionDto;
 import org.graylog.events.processor.EventProcessorConfig;
+import org.graylog.events.processor.aggregation.AggregationEventProcessorConfig;
 import org.graylog.scheduler.JobSchedule;
 import org.graylog.scheduler.JobTriggerDto;
 import org.graylog2.plugin.Tools;
 import org.joda.time.DateTime;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.graylog2.plugin.streams.Stream;
 import org.graylog.events.event.EventOriginContext;
 
+import java.util.Collections;
+
 public class MessagesURLBuilderTest {
 
     private MessagesURLBuilder subject;
 
     private DateTime dummyTime;
 
     private static final String TEST_NOTIFICATION_ID = "NotificationTestId";
+    private static final String TEST_SEARCH_QUERY = "src: x";
 
     @Before
     public void setup() {
@@ -69,13 +74,13 @@ private EventDto.Builder dummyEventBuilder() {
                 .fields(ImmutableMap.of("field1", "value1", "field2", "value2"));
     }
 
-    EventDefinitionDto buildDummyEventDefinition() {
+    EventDefinitionDto buildDummyEventDefinition(boolean isFallback) {
         return EventDefinitionDto.builder()
                 .alert(true)
                 .id(TEST_NOTIFICATION_ID)
                 .title("Event Definition Test Title")
                 .description("Event Definition Test Description")
-                .config(new EventProcessorConfig.FallbackConfig())
+                .config(dummyEventProcessorConfig(isFallback))
                 .fieldSpec(ImmutableMap.of())
                 .priority(2)
                 .keySpec(ImmutableList.of())
@@ -98,9 +103,9 @@ public Builder toBuilder() {
                 ).build();
     }
 
-    private EventNotificationContext.Builder dummyContextBuilder() {
+    private EventNotificationContext.Builder dummyContextBuilder(boolean isFallback) {
         EventNotificationConfig notificationConfig = new EventNotificationConfig.FallbackNotificationConfig();
-        EventDefinitionDto eventDefinitionDto = buildDummyEventDefinition();
+        EventDefinitionDto eventDefinitionDto = buildDummyEventDefinition(isFallback);
         EventDto event = dummyEventBuilder()
                 .timerangeStart(this.dummyTime)
                 .timerangeEnd(this.dummyTime.plusMinutes(1))
@@ -112,6 +117,23 @@ private EventNotificationContext.Builder dummyContextBuilder() {
                 .event(event);
     }
 
+    private EventProcessorConfig dummyEventProcessorConfig(boolean isFallback) {
+        if  (isFallback) {
+            return new EventProcessorConfig.FallbackConfig();
+        } else {
+            EventProcessorConfig eventProcessorConfig = AggregationEventProcessorConfig.builder()
+                    .query(TEST_SEARCH_QUERY)
+                    .streams(Collections.emptySet())
+                    .groupBy(Collections.emptyList())
+                    .series(Collections.emptyList())
+                    .searchWithinMs(60000)
+                    .executeEveryMs(60000)
+                    .build();
+
+            return eventProcessorConfig;
+        }
+    }
+
     private JobTriggerDto buildJobTrigger(DateTime jobTriggerTime) {
         return JobTriggerDto.builder()
                 .jobDefinitionId("jobDefinitionId")
@@ -123,7 +145,7 @@ private JobTriggerDto buildJobTrigger(DateTime jobTriggerTime) {
 
     private EventNotificationContext buildDummyContext(DateTime jobTriggerTime) {
         JobTriggerDto jobTrigger = buildJobTrigger(jobTriggerTime);
-        return dummyContextBuilder()
+        return dummyContextBuilder(true)
                 .jobTrigger(jobTrigger)
                 .build();
     }
@@ -136,21 +158,29 @@ public void buildMessagesUrlShouldNotFailWhenSplitFieldIsNotPresent() {
 
     @Test
     public void getStreamSearchUrlShouldNotFailWhenThereIsNoJobTrigger() {
-        EventNotificationContext context = dummyContextBuilder().build();
+        EventNotificationContext context = dummyContextBuilder(true).build();
         this.subject.buildMessagesUrl(context, this.dummyTime);
     }
 
     @Test
     public void getStreamSearchUrlShouldNotFailWhenThereIsNoTimerangeStart() {
         EventDto event = dummyEventBuilder().timerangeEnd(this.dummyTime.plusMinutes(1)).build();
-        EventNotificationContext context = dummyContextBuilder().event(event).build();
+        EventNotificationContext context = dummyContextBuilder(true).event(event).build();
         this.subject.buildMessagesUrl(context, this.dummyTime);
     }
 
     @Test
     public void getStreamSearchUrlShouldNotFailWhenThereIsNoTimerangeEnd() {
         EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build();
-        EventNotificationContext context = dummyContextBuilder().event(event).build();
+        EventNotificationContext context = dummyContextBuilder(true).event(event).build();
         this.subject.buildMessagesUrl(context, this.dummyTime);
     }
+
+    @Test
+    public void getStreamSearchUrlShouldContainsSearchQuery() {
+        EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build();
+        EventNotificationContext context = dummyContextBuilder(false).event(event).build();
+        String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime);
+        Assert.assertTrue(messageUrl.contains(TEST_SEARCH_QUERY));
+    }
 }