From 17d6a6489c490e92d9b0ec2a676e03e5082a18c2 Mon Sep 17 00:00:00 2001 From: Aleksei Nikiforov Date: Wed, 29 Jan 2020 14:47:27 +0300 Subject: [PATCH] Don't store record names in the record itself --- auditd-datatypes.cpp | 4 +- auditd-datatypes.hpp | 2 +- auditd-plugin-clickhouse.cpp | 18 ++++---- auditd-record.cpp | 90 ++++++++++-------------------------- auditd-record.hpp | 32 ++++++------- test_audit_record.cpp | 14 +++--- 6 files changed, 56 insertions(+), 104 deletions(-) diff --git a/auditd-datatypes.cpp b/auditd-datatypes.cpp index 3f493c9..26357fa 100644 --- a/auditd-datatypes.cpp +++ b/auditd-datatypes.cpp @@ -31,7 +31,7 @@ static std::map s_datatypes_map; static std::list > s_datatype_regexps_map; -static std::map(const std::string &name)> > s_type_creation_map; +static std::map()> > s_type_creation_map; void read_datatypes_map(const std::string &config_filename) { @@ -85,7 +85,7 @@ std::list > get_datatype_regex return s_datatype_regexps_map; } -std::map(const std::string &name)> > get_type_creation_map() +std::map()> > get_type_creation_map() { return s_type_creation_map; } diff --git a/auditd-datatypes.hpp b/auditd-datatypes.hpp index d95e253..2f5efc5 100644 --- a/auditd-datatypes.hpp +++ b/auditd-datatypes.hpp @@ -32,6 +32,6 @@ void read_datatypes_map(const std::string &config_filename); std::map get_datatypes_map(); std::list > get_datatype_regexps_map(); -std::map(const std::string &name)> > get_type_creation_map(); +std::map()> > get_type_creation_map(); #endif /* AUDITD_PLUGIN_CLICKHOUSE_DATATYPES_HPP */ diff --git a/auditd-plugin-clickhouse.cpp b/auditd-plugin-clickhouse.cpp index c224db9..b766984 100644 --- a/auditd-plugin-clickhouse.cpp +++ b/auditd-plugin-clickhouse.cpp @@ -77,7 +77,7 @@ struct CallbackData { std::map datatypes_map; std::list > datatype_regexps_map; - std::map(const std::string &name)> > type_creation_map; + std::map()> > type_creation_map; std::set all_fields_set; clickhouse::Client *clickhouse_client; 
@@ -115,7 +115,7 @@ void initialize_data_block( std::map &data, const std::map &datatypes_map, const std::list > &datatype_regexps_map, - const std::map(const std::string &name)> > &generators) + const std::map()> > &generators) { data["record_time"] = std::make_shared(); data["record_milli"] = std::make_shared(); @@ -127,7 +127,7 @@ void initialize_data_block( auto factory_iter = generators.find(iter->second); if (factory_iter != generators.end()) { - auto columns = factory_iter->second(sanitize_column_name(iter->first))->generateColumnsAndNames(); + auto columns = factory_iter->second()->generateColumnsAndNames(sanitize_column_name(iter->first)); for (auto column_iter = columns.begin(); column_iter != columns.end(); ++column_iter) { @@ -145,7 +145,7 @@ void initialize_data_block( auto factory_iter = generators.find(std::get<1>(*iter)); if (factory_iter != generators.end()) { - auto columns = factory_iter->second(sanitize_column_name(std::get<2>(*iter)))->generateColumnsAndNames(); + auto columns = factory_iter->second()->generateColumnsAndNames(sanitize_column_name(std::get<2>(*iter))); for (auto column_iter = columns.begin(); column_iter != columns.end(); ++column_iter) { @@ -160,7 +160,7 @@ void initialize_data_block( // also add "unknown_field" { - auto columns = InterpretedStringArrayRecordField::createRecord(sanitize_column_name("unknown_field"))->generateColumnsAndNames(); + auto columns = InterpretedStringArrayRecordField::createRecord()->generateColumnsAndNames(sanitize_column_name("unknown_field")); for (auto column_iter = columns.begin(); column_iter != columns.end(); ++column_iter) { 
@@ -180,7 +180,7 @@ void generate_clickhouse_columns_from_audit_records( for (auto iter = record.fields.begin(); iter != record.fields.end(); ++iter) { - auto columns = iter->second->generateColumnsAndNames(); + auto columns = iter->second->generateColumnsAndNames(iter->first); iter->second->addToColumn(columns); for (auto column_iter = columns.begin(); column_iter != columns.end(); ++column_iter) @@ -307,12 +307,12 @@ void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, voi auto iter = callback_data->type_creation_map.find(database_type); if (iter != callback_data->type_creation_map.end()) { - data_ptr = iter->second(database_name); + data_ptr = iter->second(); } else { Logger::write("Warning: no creator function found for data type \"%s\", using \"string\" as fallback", database_type.c_str()); - data_ptr = InterpretedStringRecordField::createRecord(database_name); + data_ptr = InterpretedStringRecordField::createRecord(); } audit_record->fields[database_name] = data_ptr; @@ -364,7 +364,7 @@ void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, voi auto factory_iter = callback_data->type_creation_map.find(type_name); if (factory_iter != callback_data->type_creation_map.end()) { - audit_record->fields[*iter] = factory_iter->second(*iter); + audit_record->fields[*iter] = factory_iter->second(); } } else diff --git a/auditd-record.cpp b/auditd-record.cpp index 4c35bcb..91967ae 100644 --- a/auditd-record.cpp +++ b/auditd-record.cpp 
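Review bot: In the `@@ -180` hunk the column name is now the raw map key, `generateColumnsAndNames(iter->first)`, while every call in `initialize_data_block` (hunks `@@ -127`, `@@ -145`, `@@ -160`) passes the name through `sanitize_column_name` first. The keys of `record.fields` are set from `database_name` and `*iter` in `auparse_callback` and from property-tree keys in `AuditRecord::fromPtree` (hunks `@@ -685` to `@@ -739`), and this diff does not show any of them being sanitized, so the names generated here may not match the columns created for the data block. If `sanitize_column_name` is idempotent, `auto columns = iter->second->generateColumnsAndNames(sanitize_column_name(iter->first));` would make both paths agree. If the keys are guaranteed clean upstream, a comment such as `// keys of record.fields are already sanitized column names` would record that. The enclosing function starts and ends outside the hunk.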
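Review bot: In the `@@ -364` hunk a `type_name` with no entry in `type_creation_map` adds no field and logs nothing, because the visible `if (factory_iter != callback_data->type_creation_map.end())` has no `else`. The `@@ -307` hunk handles the same lookup failure with a warning and an `InterpretedStringRecordField::createRecord()` fallback. In an audit pipeline a silently absent field is hard to spot afterwards, so I would at least log it, e.g. `else { Logger::write("Warning: no creator function found for data type \"%s\"", type_name.c_str()); }`, assuming `type_name` is a `std::string` as its use as a map key suggests. This branch predates the commit and the rest of the block lies outside the hunk, so the author should confirm whether the omission is intentional.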
@@ -215,20 +215,10 @@ std::string generate_name_for_audit_record(const AuditRecord &record) + ".json"; } -AbstractRecordField::AbstractRecordField(const std::string &name) - : m_name(name) -{ -} - -CommonStringRecordField::CommonStringRecordField(const std::string &name) - : AbstractRecordField(name) -{ -} - -std::vector CommonStringRecordField::generateColumnsAndNames() const +std::vector CommonStringRecordField::generateColumnsAndNames(const std::string &name) const { return std::vector { - Column { m_name, std::make_shared(std::make_shared(), std::make_shared()) } + Column { name, std::make_shared(std::make_shared(), std::make_shared()) } }; } @@ -278,18 +268,15 @@ void CommonStringRecordField::setStringValue(const boost::optional m_value = value; } -std::shared_ptr StringRecordField::createRecord(const std::string &name) +std::shared_ptr StringRecordField::createRecord() { class StringRecordFieldPublic: public StringRecordField { public: - explicit StringRecordFieldPublic(const std::string &l_name) - : StringRecordField(l_name) - { - } + StringRecordFieldPublic() = default; }; - return std::make_shared(name); + return std::make_shared(); } void StringRecordField::addOrUpdateValue(auparse_state_t *record) 
@@ -304,33 +291,20 @@ void StringRecordField::addOrUpdateValue(auparse_state_t *record) } } -StringRecordField::StringRecordField(const std::string &name) - : CommonStringRecordField(name) -{ -} - AbstractRecordField::Type StringRecordField::getType() const { return AbstractRecordField::Type::String; } -std::shared_ptr InterpretedStringRecordField::createRecord(const std::string &name) +std::shared_ptr InterpretedStringRecordField::createRecord() { class InterpretedStringRecordFieldPublic: public InterpretedStringRecordField { public: - explicit InterpretedStringRecordFieldPublic(const std::string &l_name) - : InterpretedStringRecordField(l_name) - { - } + InterpretedStringRecordFieldPublic() = default; }; - return std::make_shared(name); -} - -InterpretedStringRecordField::InterpretedStringRecordField(const std::string &name) - : CommonStringRecordField(name) -{ + return std::make_shared(); } void InterpretedStringRecordField::addOrUpdateValue(auparse_state_t *record) @@ -350,23 +324,15 @@ AbstractRecordField::Type InterpretedStringRecordField::getType() const return AbstractRecordField::Type::InterpretedString; } -std::shared_ptr IntegerRecordField::createRecord(const std::string &name) +std::shared_ptr IntegerRecordField::createRecord() { class IntegerRecordFieldPublic: public IntegerRecordField { public: - explicit IntegerRecordFieldPublic(const std::string &l_name) - : IntegerRecordField(l_name) - { - } + IntegerRecordFieldPublic() = default; }; - return std::make_shared(name); -} - -IntegerRecordField::IntegerRecordField(const std::string &name) - : InterpretedStringRecordField(name) -{ + return std::make_shared(); } void IntegerRecordField::addOrUpdateValue(auparse_state_t *record) 
@@ -383,11 +349,11 @@ void IntegerRecordField::addOrUpdateValue(auparse_state_t *record) } } -std::vector IntegerRecordField::generateColumnsAndNames() const +std::vector IntegerRecordField::generateColumnsAndNames(const std::string &name) const { return std::vector { - Column { m_name + "_IntValue", std::make_shared(std::make_shared(), std::make_shared()) }, - Column { m_name + "_InterpretedValue", std::make_shared(std::make_shared(), std::make_shared()) } + Column { name + "_IntValue", std::make_shared(std::make_shared(), std::make_shared()) }, + Column { name + "_InterpretedValue", std::make_shared(std::make_shared(), std::make_shared()) } }; } @@ -448,18 +414,15 @@ void IntegerRecordField::setIntValue(const boost::optional &value) m_int_value = value; } -std::shared_ptr InterpretedStringArrayRecordField::createRecord(const std::string &name) +std::shared_ptr InterpretedStringArrayRecordField::createRecord() { class InterpretedStringArrayRecordFieldPublic: public InterpretedStringArrayRecordField { public: - explicit InterpretedStringArrayRecordFieldPublic(const std::string &l_name) - : InterpretedStringArrayRecordField(l_name) - { - } + InterpretedStringArrayRecordFieldPublic() = default; }; - return std::make_shared(name); + return std::make_shared(); } void InterpretedStringArrayRecordField::addOrUpdateValue(auparse_state_t *record) @@ -471,11 +434,11 @@ void InterpretedStringArrayRecordField::addOrUpdateValue(auparse_state_t *record } } -std::vector InterpretedStringArrayRecordField::generateColumnsAndNames() const +std::vector InterpretedStringArrayRecordField::generateColumnsAndNames(const std::string &name) const { return std::vector { - Column { m_name + "_Name", std::make_shared(std::make_shared()) }, - Column { m_name + "_Value", std::make_shared(std::make_shared()) } + Column { name + "_Name", std::make_shared(std::make_shared()) }, + Column { name + "_Value", std::make_shared(std::make_shared()) } }; } 
@@ -514,11 +477,6 @@ void InterpretedStringArrayRecordField::addToColumn(const std::vector &c array_values->AppendAsColumn(value_column); } -InterpretedStringArrayRecordField::InterpretedStringArrayRecordField(const std::string &name) - : AbstractRecordField(name) -{ -} - AbstractRecordField::Type InterpretedStringArrayRecordField::getType() const { return AbstractRecordField::Type::InterpretedStringArray; @@ -685,7 +643,7 @@ std::shared_ptr AuditRecord::fromPtree(const boost::property_tree:: { case AbstractRecordField::Type::Int: { - auto record_field = IntegerRecordField::createRecord(iter->first); + auto record_field = IntegerRecordField::createRecord(); if (record_field) { auto int_value = iter->second.get_child_optional("value_int"); @@ -707,7 +665,7 @@ std::shared_ptr AuditRecord::fromPtree(const boost::property_tree:: case AbstractRecordField::Type::String: { - auto record_field = StringRecordField::createRecord(iter->first); + auto record_field = StringRecordField::createRecord(); if (record_field) { auto str_value = iter->second.get_child_optional("value_str"); @@ -723,7 +681,7 @@ std::shared_ptr AuditRecord::fromPtree(const boost::property_tree:: case AbstractRecordField::Type::InterpretedString: { - auto record_field = InterpretedStringRecordField::createRecord(iter->first); + auto record_field = InterpretedStringRecordField::createRecord(); if (record_field) { auto str_value = iter->second.get_child_optional("value_str"); @@ -739,7 +697,7 @@ std::shared_ptr AuditRecord::fromPtree(const boost::property_tree:: case AbstractRecordField::Type::InterpretedStringArray: { - auto record_field = InterpretedStringArrayRecordField::createRecord(iter->first); + auto record_field = InterpretedStringArrayRecordField::createRecord(); if (record_field) { std::list names, values; diff --git a/auditd-record.hpp b/auditd-record.hpp index b71eecb..73f9130 100644 --- a/auditd-record.hpp +++ b/auditd-record.hpp 
@@ -69,18 +69,14 @@ public: virtual ~AbstractRecordField() = default; virtual void addOrUpdateValue(auparse_state_t *record) = 0; - virtual std::vector generateColumnsAndNames() const = 0; + virtual std::vector generateColumnsAndNames(const std::string &name) const = 0; virtual void addToColumn(const std::vector &columns) const = 0; virtual Type getType() const = 0; - std::string getName() const { return m_name; } - protected: - explicit AbstractRecordField(const std::string &name); + AbstractRecordField() = default; AbstractRecordField(const AbstractRecordField &other) = default; AbstractRecordField& operator=(const AbstractRecordField &other) = default; - - std::string m_name; }; struct AuditRecord @@ -103,14 +99,14 @@ struct AuditRecord class CommonStringRecordField: public AbstractRecordField { public: - virtual std::vector generateColumnsAndNames() const override; + virtual std::vector generateColumnsAndNames(const std::string &name) const override; virtual void addToColumn(const std::vector &columns) const override; const boost::optional& getStringValue() const; void setStringValue(const boost::optional &value); protected: - explicit CommonStringRecordField(const std::string &name); + CommonStringRecordField() = default; boost::optional m_value; }; 
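Review bot: The new `name` parameter of `generateColumnsAndNames` in the `@@ -69` hunk has no documented contract. With `m_name` and `getName()` removed, a field no longer knows its column, so every caller must supply the same name each time. I would add a comment above the pure virtual, for example `// name: column-name prefix supplied by the caller (the key in AuditRecord::fields); overrides may append suffixes such as "_IntValue" or "_Name".`, plus a sentence on whether `name` must already be sanitized. The same applies to the overrides in the `@@ -103`, `@@ -118` and `@@ -161` hunks, and to the expectation that `addToColumn` receives the vector this call returned.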
@@ -118,34 +114,34 @@ protected: class StringRecordField: public CommonStringRecordField { public: - static std::shared_ptr createRecord(const std::string &name); + static std::shared_ptr createRecord(); virtual void addOrUpdateValue(auparse_state_t *record) override; virtual Type getType() const override; protected: - explicit StringRecordField(const std::string &name); + StringRecordField() = default; }; class InterpretedStringRecordField: public CommonStringRecordField { public: - static std::shared_ptr createRecord(const std::string &name); + static std::shared_ptr createRecord(); virtual void addOrUpdateValue(auparse_state_t *record) override; virtual Type getType() const override; protected: - explicit InterpretedStringRecordField(const std::string &name); + InterpretedStringRecordField() = default; }; class IntegerRecordField: public InterpretedStringRecordField { public: - static std::shared_ptr createRecord(const std::string &name); + static std::shared_ptr createRecord(); virtual void addOrUpdateValue(auparse_state_t *record) override; - virtual std::vector generateColumnsAndNames() const override; + virtual std::vector generateColumnsAndNames(const std::string &name) const override; virtual void addToColumn(const std::vector &columns) const override; virtual Type getType() const override; @@ -153,7 +149,7 @@ public: void setIntValue(const boost::optional &value); protected: - explicit IntegerRecordField(const std::string &name); + IntegerRecordField() = default; boost::optional m_int_value; }; 
@@ -161,10 +157,10 @@ protected: class InterpretedStringArrayRecordField: public AbstractRecordField { public: - static std::shared_ptr createRecord(const std::string &name); + static std::shared_ptr createRecord(); virtual void addOrUpdateValue(auparse_state_t *record) override; - virtual std::vector generateColumnsAndNames() const override; + virtual std::vector generateColumnsAndNames(const std::string &name) const override; virtual void addToColumn(const std::vector &columns) const override; virtual Type getType() const override; @@ -173,7 +169,7 @@ public: void setArrays(std::list names_array, std::list values_array); protected: - explicit InterpretedStringArrayRecordField(const std::string &name); + InterpretedStringArrayRecordField() = default; std::list m_names_array; std::list m_values_array; diff --git a/test_audit_record.cpp b/test_audit_record.cpp index 66808fa..bc2d8b6 100644 --- a/test_audit_record.cpp +++ b/test_audit_record.cpp 
@@ -42,18 +42,18 @@ static AuditRecord generateTestRecord() original_record.filename = "some random file name"; - auto string_field = InterpretedStringRecordField::createRecord("string_record"); + auto string_field = InterpretedStringRecordField::createRecord(); string_field->setStringValue(std::string("string_record_value")); - original_record.fields[string_field->getName()] = string_field; + original_record.fields["string_record"] = string_field; - auto integer_field = IntegerRecordField::createRecord("integer_record"); + auto integer_field = IntegerRecordField::createRecord(); integer_field->setIntValue(500); integer_field->setStringValue(std::string("five hundred")); - original_record.fields[integer_field->getName()] = integer_field; + original_record.fields["integer_record"] = integer_field; - auto array_field = InterpretedStringArrayRecordField::createRecord("array_record"); + auto array_field = InterpretedStringArrayRecordField::createRecord(); array_field->setArrays({"first name", "second name"}, {"first value", "second value"}); - original_record.fields[array_field->getName()] = array_field; + original_record.fields["array_record"] = array_field; return original_record; } @@ -102,8 +102,6 @@ TEST(AuditRecord, Serialization) continue; } - EXPECT_EQ(iter->second->getName(), second_iter->second->getName()); - switch (iter->second->getType()) { case AbstractRecordField::Type::Int: