/* * auditd-plugin-clickhouse is an auditd plugin for sending auditd data * to clickhouse DB. * Copyright (C) 2019-2020 Aleksei Nikiforov * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #ifndef AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP #define AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP #include #include #include #include #include #include #include #include #include #include #include struct AuditRecord; bool check_field_type(auparse_type_t field_type, const std::string &database_type, const std::string &database_field_name); std::string field_type_to_string(auparse_type_t field_type); std::string generate_name_for_audit_record(const AuditRecord &record); class AbstractRecordField { public: enum class Type { Int, String, InterpretedString, InterpretedStringArray }; struct Column { std::string name; clickhouse::ColumnRef value; Column(const std::string &l_name, const clickhouse::ColumnRef &l_value) : name(l_name), value(l_value) { } }; virtual ~AbstractRecordField() = default; virtual void addOrUpdateValue(auparse_state_t *record) = 0; virtual std::vector generateColumnsAndNames() const = 0; virtual void addToColumn(const std::vector &columns) const = 0; virtual Type getType() const = 0; std::string getName() const { return m_name; } protected: explicit AbstractRecordField(const std::string &name); AbstractRecordField(const AbstractRecordField &other) = default; AbstractRecordField& operator=(const AbstractRecordField &other) = default; std::string m_name; }; struct AuditRecord { time_t time; uint64_t milliseconds; uint64_t serial; std::string node; // skip processing node from record fields std::map > fields; std::string filename; // filename of file where data is stored; empty if no such file exists boost::property_tree::ptree toPtree() const; static std::shared_ptr fromPtree(const boost::property_tree::ptree &data); bool operator<(const AuditRecord &other) const; }; class CommonStringRecordField: public AbstractRecordField { public: virtual std::vector generateColumnsAndNames() const override; virtual void addToColumn(const std::vector &columns) const override; const boost::optional& getStringValue() const; void setStringValue(const boost::optional &value); protected: explicit CommonStringRecordField(const std::string &name); boost::optional m_value; }; class StringRecordField: public CommonStringRecordField { public: static std::shared_ptr createRecord(const std::string &name); virtual void addOrUpdateValue(auparse_state_t *record) override; virtual Type getType() const override; protected: explicit StringRecordField(const std::string &name); }; class InterpretedStringRecordField: public CommonStringRecordField { public: static std::shared_ptr createRecord(const std::string &name); virtual void addOrUpdateValue(auparse_state_t *record) override; virtual Type getType() const override; protected: explicit InterpretedStringRecordField(const std::string &name); }; class IntegerRecordField: public InterpretedStringRecordField { public: static std::shared_ptr createRecord(const std::string &name); virtual void addOrUpdateValue(auparse_state_t *record) override; virtual std::vector generateColumnsAndNames() const override; virtual void addToColumn(const std::vector &columns) const override; virtual Type getType() const override; const boost::optional& getIntValue() const; void setIntValue(const boost::optional &value); protected: explicit IntegerRecordField(const std::string &name); boost::optional m_int_value; }; class InterpretedStringArrayRecordField: public AbstractRecordField { public: static std::shared_ptr createRecord(const std::string &name); virtual void addOrUpdateValue(auparse_state_t *record) override; virtual std::vector generateColumnsAndNames() const override; virtual void addToColumn(const std::vector &columns) const override; virtual Type getType() const override; const std::list& getNamesArray() const; const std::list& getValuesArray() const; void setArrays(std::list names_array, std::list values_array); protected: explicit InterpretedStringArrayRecordField(const std::string &name); std::list m_names_array; std::list m_values_array; }; #endif /* AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP */