Add groupByFields in message url - #56

Author: VincentD06

src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/MessagesURLBuilder.java

@@ -25,6 +25,9 @@
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 
@@ -52,18 +55,28 @@ private String buildSourceStreams(EventDto event) {
         return MSGS_URL_STREAM + result.toString();
     }
 
-    private String buildSearchQuery(Optional<EventDefinitionDto> eventDefinitionOpt) {
+    private String buildSearchQuery(Optional<EventDefinitionDto> eventDefinitionOpt, Map<String, String> groupByFields) {
         if (eventDefinitionOpt.isPresent()) {
             EventDefinitionDto eventDefinition = eventDefinitionOpt.get();
             EventProcessorConfig config = eventDefinition.config();
 
             if (config instanceof AggregationEventProcessorConfig) {
                 AggregationEventProcessorConfig aggregationConfig = (AggregationEventProcessorConfig) config;
-                if (aggregationConfig.query() == null || aggregationConfig.query().isEmpty() || aggregationConfig.query().equals("*")) {
-                    return "";
+                List<String> filters = new ArrayList<>();
+
+                String searchQuery = aggregationConfig.query();
+                if (searchQuery != null && !searchQuery.isEmpty() && !searchQuery.equals("*")) {
+                    filters.add(searchQuery);
                 }
 
-                return MSGS_URL_QUERY + aggregationConfig.query();
+                // Add groupByFields in filters
+                groupByFields.entrySet().stream().map( entry -> entry.getKey() + ": " + entry.getValue()).forEach(filters::add);
+
+                Optional<String> filterResult = filters.stream().reduce((x, y) -> "(" + x + ") AND (" + y + ")");
+
+                if (filterResult.isPresent()) {
+                    return MSGS_URL_QUERY + filterResult.get();
+                }
             }
         }
 
@@ -87,7 +100,7 @@ public String buildMessagesUrl(EventNotificationContext context, DateTime beginT
         // TODO review how beginTime/endTime are computed: they do not seem to correspond to the aggregation time range shown when viewing the alert!!
         return MSGS_URL_BEGIN + beginTime.toString(TIME_FORMATTER)
                 + MSGS_URL_TO + endTime.toString(TIME_FORMATTER)
-                + this.buildSearchQuery(context.eventDefinition())
+                + this.buildSearchQuery(context.eventDefinition(), event.groupByFields())
                 + this.buildSourceStreams(event);
     }
 }

src/test/java/com/airbus_cyber_security/graylog/events/notifications/types/MessagesURLBuilderTest.java

@@ -56,8 +56,8 @@ public void setup() {
         this.dummyTime = DateTime.parse("2023-06-21T14:43:25Z");
     }
 
-    private EventDto.Builder dummyEventBuilder() {
-        return EventDto.builder()
+    private EventDto.Builder dummyEventBuilder(boolean withGroupByField) {
+        EventDto.Builder builder = EventDto.builder()
                 .alert(true)
                 .eventDefinitionId("EventDefinitionTestId")
                 .eventDefinitionType("notification-test-v1")
@@ -72,6 +72,12 @@ private EventDto.Builder dummyEventBuilder() {
                 .originContext(EventOriginContext.elasticsearchMessage("testIndex_42", "b5e53442-12bb-4374-90ed-0deadbeefbaz"))
                 .priority(2)
                 .fields(ImmutableMap.of("field1", "value1", "field2", "value2"));
+
+        if (withGroupByField) {
+           builder.groupByFields(ImmutableMap.of("user", "x"));
+        }
+
+        return builder;
     }
 
     EventDefinitionDto buildDummyEventDefinition(boolean isFallback) {
@@ -106,7 +112,7 @@ public Builder toBuilder() {
     private EventNotificationContext.Builder dummyContextBuilder(boolean isFallback) {
         EventNotificationConfig notificationConfig = new EventNotificationConfig.FallbackNotificationConfig();
         EventDefinitionDto eventDefinitionDto = buildDummyEventDefinition(isFallback);
-        EventDto event = dummyEventBuilder()
+        EventDto event = dummyEventBuilder(false)
                 .timerangeStart(this.dummyTime)
                 .timerangeEnd(this.dummyTime.plusMinutes(1))
                 .build();
@@ -164,23 +170,42 @@ public void getStreamSearchUrlShouldNotFailWhenThereIsNoJobTrigger() {
 
     @Test
     public void getStreamSearchUrlShouldNotFailWhenThereIsNoTimerangeStart() {
-        EventDto event = dummyEventBuilder().timerangeEnd(this.dummyTime.plusMinutes(1)).build();
+        EventDto event = dummyEventBuilder(false).timerangeEnd(this.dummyTime.plusMinutes(1)).build();
         EventNotificationContext context = dummyContextBuilder(true).event(event).build();
         this.subject.buildMessagesUrl(context, this.dummyTime);
     }
 
     @Test
     public void getStreamSearchUrlShouldNotFailWhenThereIsNoTimerangeEnd() {
-        EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build();
+        EventDto event = dummyEventBuilder(false).timerangeStart(this.dummyTime).build();
         EventNotificationContext context = dummyContextBuilder(true).event(event).build();
         this.subject.buildMessagesUrl(context, this.dummyTime);
     }
 
+    @Test
+    public void getStreamSearchUrlShouldNotContainsSearchQuery() {
+        EventDto event = dummyEventBuilder(false).timerangeStart(this.dummyTime).build();
+        EventNotificationContext context = dummyContextBuilder(true).event(event).build();
+        String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime);
+
+        Assert.assertFalse(messageUrl.contains("&q="));
+    }
+
     @Test
     public void getStreamSearchUrlShouldContainsSearchQuery() {
-        EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build();
+        EventDto event = dummyEventBuilder(false).timerangeStart(this.dummyTime).build();
         EventNotificationContext context = dummyContextBuilder(false).event(event).build();
         String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime);
         Assert.assertTrue(messageUrl.contains(TEST_SEARCH_QUERY));
     }
+
+    @Test
+    public void getStreamSearchUrlShouldContainsSearchQueryAndGroupByFields() {
+        String expectedValue = "(" + TEST_SEARCH_QUERY + ") AND (user: x)";
+
+        EventDto event = dummyEventBuilder(true).timerangeStart(this.dummyTime).build();
+        EventNotificationContext context = dummyContextBuilder(false).event(event).build();
+        String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime);
+        Assert.assertTrue(messageUrl.contains(expectedValue));
+    }
 }