feat(cli): add filter for fixable alerts (#1073)

ANEP-1395

Author: hazedav

cli/cmd/alert.go

@@ -29,18 +29,31 @@ import (
 	"github.com/spf13/cobra"
 )
 
+type alertCmdStateType struct {
+	Comment  string
+	End      string
+	Fixable  bool
+	Range    string
+	Reason   int
+	Scope    string
+	Severity string
+	Status   string
+	Start    string
+	Type     string
+}
+
+// hasFilters returns true if certain filters are present
+// in the command state.  excludes time filters (start, end, range).
+func (s alertCmdStateType) hasFilters() bool {
+	// severity / status / type filters
+	if s.Severity != "" || s.Status != "" || s.Type != "" {
+		return true
+	}
+	return s.Fixable
+}
+
 var (
-	alertCmdState = struct {
-		Comment  string
-		End      string
-		Range    string
-		Reason   int
-		Scope    string
-		Severity string
-		Status   string
-		Start    string
-		Type     string
-	}{}
+	alertCmdState = alertCmdStateType{}
 
 	// alertCmd represents the alert parent command
 	alertCmd = &cobra.Command{

cli/cmd/alert_list.go

@@ -134,18 +134,22 @@ func init() {
 		"type", "",
 		"filter alerts by type",
 	)
+
+	// fixable
+	if cli.isRemediateInstalled() {
+		alertListCmd.Flags().BoolVar(
+			&alertCmdState.Fixable,
+			"fixable", false,
+			"filter alerts by fixability",
+		)
+	}
 }
 
 func alertListTable(alerts api.Alerts) (out [][]string) {
 	alerts.SortByID()
 	alerts.SortBySeverity()
 
 	for _, alert := range alerts {
-		// filter severity if desired
-		if lwseverity.ShouldFilter(alert.Severity, alertCmdState.Severity) {
-			continue
-		}
-
 		out = append(out, []string{
 			strconv.Itoa(alert.ID),
 			alert.Type,
@@ -242,17 +246,46 @@ func listAlert(_ *cobra.Command, _ []string) error {
 		return errors.Wrap(err, msg)
 	}
 
+	// filter severity
+	alerts := api.Alerts{}
+	for _, alert := range listResponse.Data {
+		// filter severity if desired
+		if lwseverity.ShouldFilter(alert.Severity, alertCmdState.Severity) {
+			continue
+		}
+		alerts = append(alerts, alert)
+	}
+
+	// filter fixable
+	if alertCmdState.Fixable {
+		templateIDs, err := getRemediationTemplateIDs()
+		if err != nil {
+			return errors.Wrap(err, "unable to filter by alert fixability")
+		}
+		alerts = filterFixableAlerts(alerts, templateIDs)
+	}
+
 	if cli.JSONOutput() {
-		return cli.OutputJSON(listResponse.Data)
+		return cli.OutputJSON(alerts)
 	}
 
-	if len(listResponse.Data) == 0 {
-		cli.OutputHuman("There are no alerts in your account in the specified time range.\n")
+	if len(alerts) == 0 {
+		if alertCmdState.hasFilters() {
+			cli.OutputHuman(fmt.Sprintf("%s %s\n",
+				"No alerts match the specified filters within the given time range.",
+				"Try removing filters or expanding the time range.",
+			))
+			return nil
+		}
+		cli.OutputHuman("There are no alerts in the specified time range.\n")
 		return nil
 	}
-	renderAlertListTable(listResponse.Data)
+	renderAlertListTable(alerts)
 
 	// breadcrumb
 	cli.OutputHuman("\nUse 'lacework alert show <alert_id>' to see details for a specific alert.\n")
+	if alertCmdState.Fixable {
+		cli.OutputHuman("Use 'lacework remediate alert <alert_id>' to fix a specific alert.\n")
+	}
 	return nil
 }

cli/cmd/alert_list_fixable.go

@@ -0,0 +1,108 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/lacework/go-sdk/api"
+	"github.com/pkg/errors"
+)
+
+const remediateComponentName string = "remediate"
+
+// isRemediateInstalled returns true if the remediate component is installed
+func (c *cliState) isRemediateInstalled() bool {
+	return c.IsComponentInstalled(remediateComponentName)
+}
+
+// getTemplateIdentifiers runs the remediate component to retrieve a list
+// of remediation template identifiers
+func getRemediationTemplateIDs() ([]string, error) {
+	remediate, found := cli.LwComponents.GetComponent(remediateComponentName)
+	if !found {
+		return []string{}, errors.New("remediate component not found")
+	}
+
+	// set up environment variables
+	envs := []string{
+		fmt.Sprintf("LW_COMPONENT_NAME=%s", remediateComponentName),
+		"LW_JSON=true",
+		"LW_NONINTERACTIVE=true",
+	}
+	for _, e := range cli.envs() {
+		// don't let LW_JSON / LW_NONINTERACTIVE through here
+		if strings.HasPrefix(e, "LW_JSON=") || strings.HasPrefix(e, "LW_NONINTERACTIVE=") {
+			continue
+		}
+		envs = append(envs, e)
+	}
+	stdout, stderr, err := remediate.RunAndReturn([]string{"ls", "templates"}, nil, envs...)
+	if err != nil {
+		cli.Log.Debugw("remediate error details", "stderr", stderr)
+		return []string{}, err
+	}
+
+	var templates []map[string]interface{}
+	err = json.Unmarshal([]byte(stdout), &templates)
+	if err != nil {
+		return []string{}, err
+	}
+
+	templateIDs := []string{}
+	for _, template := range templates {
+		v, ok := template["id"]
+		if !ok {
+			continue
+		}
+		s, ok := v.(string)
+		if !ok {
+			continue
+		}
+		templateIDs = append(templateIDs, s)
+	}
+	return templateIDs, nil
+}
+
+// filterFixableAlerts identifies which alerts have corresponding remediation template IDs
+// and returns those which don't
+func filterFixableAlerts(alerts api.Alerts, templateIDs []string) api.Alerts {
+	fixableAlerts := api.Alerts{}
+	for _, alert := range alerts {
+		if alert.PolicyID == "" {
+			continue
+		}
+		found := false
+		// Historically alerts did not consistently populate policyID and
+		// templates were named arbitrarily.
+		// If and when policies explicitly reference templates we will no longer need
+		// any inference logic.
+		for _, id := range templateIDs {
+			if id == alert.PolicyID {
+				fixableAlerts = append(fixableAlerts, alert)
+				found = true
+				break
+			}
+		}
+		if found {
+			continue
+		}
+		// Another interesting problem that we have is that policyIDs are dynamic
+		// For instance, on dev7 policy lwcustom-11 is dev7-lwcustom-11
+		// On some other environment it might be someother-lwcustom-11
+		dynamicIDRE := regexp.MustCompile(`^\w+-\d+$`)
+		// Iterate through the templates looking for those with dynamic policy IDs
+		for _, id := range templateIDs {
+			if dynamicIDRE.MatchString(id) {
+				// if the policyID of the alert ends with -<id>
+				// i.e. if dev7-lwcustom-11 endswith -lwcustom-11
+				if strings.HasSuffix(alert.PolicyID, fmt.Sprintf("-%s", id)) {
+					fixableAlerts = append(fixableAlerts, alert)
+					break
+				}
+			}
+		}
+	}
+	return fixableAlerts
+}

cli/cmd/alert_list_fixable_internal_test.go

@@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/lacework/go-sdk/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFilterFixableAlerts(t *testing.T) {
+	alertsIn := api.Alerts{
+		{
+			PolicyID: "not-fixable",
+		},
+		{
+			PolicyID: "lacework-global-40",
+		},
+		{
+			PolicyID: "dev7-lwcustom-11",
+		},
+	}
+	alertsExpected := api.Alerts{
+		{
+			PolicyID: "lacework-global-40",
+		},
+		{
+			PolicyID: "dev7-lwcustom-11",
+		},
+	}
+	alertsActual := filterFixableAlerts(
+		alertsIn, []string{"LW_foo", "lacework-global-40", "lwcustom-11"})
+	assert.Equal(t, alertsExpected, alertsActual)
+
+	alertsActual = filterFixableAlerts(alertsIn, []string{})
+	assert.Equal(t, api.Alerts{}, alertsActual)
+}

cli/cmd/component.go

@@ -144,6 +144,22 @@ func isComponent(annotations map[string]string) bool {
 	return false
 }
 
+// IsComponentInstalled returns true if component is
+// valid and installed
+func (c *cliState) IsComponentInstalled(name string) bool {
+	var err error
+	c.LwComponents, err = lwcomponent.LocalState()
+	if err != nil || c.LwComponents == nil {
+		return false
+	}
+
+	component, found := c.LwComponents.GetComponent(name)
+	if found && component.IsInstalled() {
+		return true
+	}
+	return false
+}
+
 // LoadComponents reads the local components state and loads all installed components
 // of type `CLI_COMMAND` dynamically into the root command of the CLI (`rootCmd`)
 func (c *cliState) LoadComponents() {

cli/cmd/content_library.go

@@ -74,18 +74,8 @@ type LaceworkContentLibrary struct {
 	PolicyTags map[string][]string  `json:"policy_tags"`
 }
 
-func (c *cliState) IsLCLInstalled() bool {
-	var err error
-	c.LwComponents, err = lwcomponent.LocalState()
-	if err != nil || c.LwComponents == nil {
-		return false
-	}
-
-	component, found := c.LwComponents.GetComponent(lclComponentName)
-	if found && component.IsInstalled() {
-		return true
-	}
-	return false
+func (c *cliState) isLCLInstalled() bool {
+	return c.IsComponentInstalled(lclComponentName)
 }
 
 func (c *cliState) LoadLCL() (*LaceworkContentLibrary, error) {

cli/cmd/content_library_internal_test.go

@@ -306,7 +306,7 @@ func TestLoadLCLNotFound(t *testing.T) {
 	cli := cliState{LwComponents: new(lwcomponent.State)}
 
 	// IsLCLInstalled
-	assert.Equal(t, false, cli.IsLCLInstalled())
+	assert.Equal(t, false, cli.isLCLInstalled())
 
 	_, err := cli.LoadLCL()
 	assert.Equal(
@@ -368,7 +368,7 @@ func _TestLoadLCLOK(t *testing.T) {
 	}
 
 	// IsLCLInstalled
-	assert.Equal(t, true, cli.IsLCLInstalled())
+	assert.Equal(t, true, cli.isLCLInstalled())
 
 	lcl, err := cli.LoadLCL()
 	assert.Nil(t, err)

cli/cmd/lql.go

@@ -143,7 +143,7 @@ func init() {
 	// add sub-commands to the lql command
 	queryCmd.AddCommand(queryRunCmd)
 
-	if cli.IsLCLInstalled() {
+	if cli.isLCLInstalled() {
 		queryRunCmd.Flags().StringVarP(
 			&queryCmdState.CURVFromLibrary,
 			"library", "l", "",

cli/cmd/lql_create.go

@@ -114,7 +114,7 @@ func init() {
 
 	setQuerySourceFlags(queryCreateCmd)
 
-	if cli.IsLCLInstalled() {
+	if cli.isLCLInstalled() {
 		queryCreateCmd.Flags().StringVarP(
 			&queryCmdState.CURVFromLibrary,
 			"library", "l", "",

cli/cmd/lql_library.go

@@ -44,7 +44,7 @@ var (
 )
 
 func init() {
-	if cli.IsLCLInstalled() {
+	if cli.isLCLInstalled() {
 		queryCmd.AddCommand(queryListLibraryCmd)
 		queryCmd.AddCommand(queryShowLibraryCmd)
 	}