auditd-plugin-clickhouse/auditd-record.hpp

183 lines
5.3 KiB
C++

/*
* auditd-plugin-clickhouse is an auditd plugin for sending auditd data
* to clickhouse DB.
* Copyright (C) 2019-2020 Aleksei Nikiforov <darktemplar@basealt.ru>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
#ifndef AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP
#define AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP
#include <memory>
#include <map>
#include <functional>
#include <string>
#include <list>
#include <stdint.h>
#include <boost/optional.hpp>
#include <boost/property_tree/ptree.hpp>
#include <auparse.h>
#include <libaudit.h>
#include <clickhouse-cpp/columns/column.h>
struct AuditRecord;
bool check_field_type(auparse_type_t field_type, const std::string &database_type, const std::string &database_field_name);
std::string field_type_to_string(auparse_type_t field_type);
std::string generate_name_for_audit_record(const AuditRecord &record);
class AbstractRecordField
{
public:
enum class Type
{
Int,
String,
InterpretedString,
InterpretedStringArray
};
struct Column
{
std::string name;
clickhouse::ColumnRef value;
Column(const std::string &l_name, const clickhouse::ColumnRef &l_value)
: name(l_name),
value(l_value)
{
}
};
virtual ~AbstractRecordField() = default;
virtual void addOrUpdateValue(auparse_state_t *record) = 0;
virtual std::vector<Column> generateColumnsAndNames() const = 0;
virtual void addToColumn(const std::vector<Column> &columns) const = 0;
virtual Type getType() const = 0;
std::string getName() const { return m_name; }
protected:
explicit AbstractRecordField(const std::string &name);
AbstractRecordField(const AbstractRecordField &other) = default;
AbstractRecordField& operator=(const AbstractRecordField &other) = default;
std::string m_name;
};
struct AuditRecord
{
time_t time;
uint64_t milliseconds;
uint64_t serial;
std::string node; // skip processing node from record fields
std::map<std::string, std::shared_ptr<AbstractRecordField> > fields;
std::string filename; // filename of file where data is stored; empty if no such file exists
boost::property_tree::ptree toPtree() const;
static AuditRecord fromPtree(const boost::property_tree::ptree &data);
bool operator<(const AuditRecord &other) const;
};
class CommonStringRecordField: public AbstractRecordField
{
public:
virtual std::vector<Column> generateColumnsAndNames() const override;
virtual void addToColumn(const std::vector<Column> &columns) const override;
const boost::optional<std::string>& getStringValue() const;
void setStringValue(const boost::optional<std::string> &value);
protected:
explicit CommonStringRecordField(const std::string &name);
boost::optional<std::string> m_value;
};
class StringRecordField: public CommonStringRecordField
{
public:
static std::shared_ptr<StringRecordField> createRecord(const std::string &name);
virtual void addOrUpdateValue(auparse_state_t *record) override;
virtual Type getType() const override;
protected:
explicit StringRecordField(const std::string &name);
};
class InterpretedStringRecordField: public CommonStringRecordField
{
public:
static std::shared_ptr<InterpretedStringRecordField> createRecord(const std::string &name);
virtual void addOrUpdateValue(auparse_state_t *record) override;
virtual Type getType() const override;
protected:
explicit InterpretedStringRecordField(const std::string &name);
};
class IntegerRecordField: public InterpretedStringRecordField
{
public:
static std::shared_ptr<IntegerRecordField> createRecord(const std::string &name);
virtual void addOrUpdateValue(auparse_state_t *record) override;
virtual std::vector<Column> generateColumnsAndNames() const override;
virtual void addToColumn(const std::vector<Column> &columns) const override;
virtual Type getType() const override;
const boost::optional<int>& getIntValue() const;
void setIntValue(const boost::optional<int> &value);
protected:
explicit IntegerRecordField(const std::string &name);
boost::optional<int> m_int_value;
};
class InterpretedStringArrayRecordField: public AbstractRecordField
{
public:
static std::shared_ptr<InterpretedStringArrayRecordField> createRecord(const std::string &name);
virtual void addOrUpdateValue(auparse_state_t *record) override;
virtual std::vector<Column> generateColumnsAndNames() const override;
virtual void addToColumn(const std::vector<Column> &columns) const override;
virtual Type getType() const override;
const std::list<std::string>& getNamesArray() const;
const std::list<std::string>& getValuesArray() const;
void setArrays(std::list<std::string> names_array, std::list<std::string> values_array);
protected:
explicit InterpretedStringArrayRecordField(const std::string &name);
std::list<std::string> m_names_array;
std::list<std::string> m_values_array;
};
#endif /* AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP */