crowdsec/pkg/leakybucket/uniq.go

package leakybucket

import (
	"github.com/antonmedv/expr"
	"github.com/antonmedv/expr/vm"

	"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
	"github.com/crowdsecurity/crowdsec/pkg/types"
)

// Uniq creates three new functions that share the same initialisation and the same scope.
// They are triggered respectively:
// on pour
// on overflow
// on leak

type Uniq struct {
	DistinctCompiled *vm.Program
}

func (u *Uniq) OnBucketPour(bucketFactory *BucketFactory) func(types.Event, *Leaky) *types.Event {
	return func(msg types.Event, leaky *Leaky) *types.Event {
		element, err := getElement(msg, u.DistinctCompiled)
		if err != nil {
			leaky.logger.Errorf("Uniq filter exec failed : %v", err)
			return &msg
		}
		leaky.logger.Tracef("Uniq '%s' -> '%s'", bucketFactory.Distinct, element)
		for _, evt := range leaky.Queue.GetQueue() {
			if val, err := getElement(evt, u.DistinctCompiled); err == nil && val == element {
				leaky.logger.Debugf("Uniq(%s) : ko, discard event", element)
				return nil
			}
			if err != nil {
				leaky.logger.Errorf("Uniq filter exec failed : %v", err)
			}
		}
		leaky.logger.Debugf("Uniq(%s) : ok", element)
		return &msg
	}
}

func (u *Uniq) OnBucketOverflow(bucketFactory *BucketFactory) func(*Leaky, types.RuntimeAlert, *Queue) (types.RuntimeAlert, *Queue) {
	return func(leaky *Leaky, alert types.RuntimeAlert, queue *Queue) (types.RuntimeAlert, *Queue) {
		return alert, queue
	}
}

func (u *Uniq) OnBucketInit(bucketFactory *BucketFactory) error {
	var err error

	u.DistinctCompiled, err = expr.Compile(bucketFactory.Distinct, expr.Env(exprhelpers.GetExprEnv(map[string]interface{}{"evt": &types.Event{}})))
	return err
}

// getElement computes a string from an event and a filter
func getElement(msg types.Event, cFilter *vm.Program) (string, error) {
	el, err := expr.Run(cFilter, exprhelpers.GetExprEnv(map[string]interface{}{"evt": &msg}))
	if err != nil {
		return "", err
	}
	element, ok := el.(string)
	if !ok {
		return "", err
	}
	return element, nil
}
initial import 2020-05-15 09:39:16 +00:00			`package leakybucket`

			`import (`
			`"github.com/antonmedv/expr"`
			`"github.com/antonmedv/expr/vm"`

			`"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"`
			`"github.com/crowdsecurity/crowdsec/pkg/types"`
			`)`

			`// Uniq creates three new functions that share the same initialisation and the same scope.`
			`// They are triggered respectively:`
			`// on pour`
			`// on overflow`
			`// on leak`

			`type Uniq struct {`
			`DistinctCompiled *vm.Program`
			`}`

local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`func (u Uniq) OnBucketPour(bucketFactory BucketFactory) func(types.Event, Leaky) types.Event {`
			`return func(msg types.Event, leaky Leaky) types.Event {`
initial import 2020-05-15 09:39:16 +00:00			`element, err := getElement(msg, u.DistinctCompiled)`
			`if err != nil {`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`leaky.logger.Errorf("Uniq filter exec failed : %v", err)`
initial import 2020-05-15 09:39:16 +00:00			`return &msg`
			`}`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`leaky.logger.Tracef("Uniq '%s' -> '%s'", bucketFactory.Distinct, element)`
			`for _, evt := range leaky.Queue.GetQueue() {`
initial import 2020-05-15 09:39:16 +00:00			`if val, err := getElement(evt, u.DistinctCompiled); err == nil && val == element {`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`leaky.logger.Debugf("Uniq(%s) : ko, discard event", element)`
initial import 2020-05-15 09:39:16 +00:00			`return nil`
			`}`
			`if err != nil {`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`leaky.logger.Errorf("Uniq filter exec failed : %v", err)`
initial import 2020-05-15 09:39:16 +00:00			`}`
			`}`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`leaky.logger.Debugf("Uniq(%s) : ok", element)`
initial import 2020-05-15 09:39:16 +00:00			`return &msg`
			`}`
			`}`

local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`func (u Uniq) OnBucketOverflow(bucketFactory BucketFactory) func(Leaky, types.RuntimeAlert, Queue) (types.RuntimeAlert, *Queue) {`
			`return func(leaky Leaky, alert types.RuntimeAlert, queue Queue) (types.RuntimeAlert, *Queue) {`
			`return alert, queue`
initial import 2020-05-15 09:39:16 +00:00			`}`
			`}`

local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`func (u Uniq) OnBucketInit(bucketFactory BucketFactory) error {`
initial import 2020-05-15 09:39:16 +00:00			`var err error`

local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`u.DistinctCompiled, err = expr.Compile(bucketFactory.Distinct, expr.Env(exprhelpers.GetExprEnv(map[string]interface{}{"evt": &types.Event{}})))`
initial import 2020-05-15 09:39:16 +00:00			`return err`
			`}`

			`// getElement computes a string from an event and a filter`
			`func getElement(msg types.Event, cFilter *vm.Program) (string, error) {`
			`el, err := expr.Run(cFilter, exprhelpers.GetExprEnv(map[string]interface{}{"evt": &msg}))`
			`if err != nil {`
			`return "", err`
			`}`
			`element, ok := el.(string)`
			`if !ok {`
			`return "", err`
			`}`
			`return element, nil`
			`}`