added audit-logs command (#160)

* added audit-logs command

* remove format option

* Added send-to command

* added changelog

* fix test

* changed argument naming convention to singular

* refactor search intervals

* added format options

* refactor

* make begin date required

* fix tests

* added message when no results found and default header for table output

* fix send-to when no results found

* toggle py42 version

* Fix integration test, removed output validation as made input dates dynamic

* Add integration test for auditlogs

* Fix style

* added docs string and renamed variable

* refactor: _send_to function

* Rectify doc

* Changed output fields for table format

Author: kiran-chaudhary

CHANGELOG.md

@@ -10,6 +10,12 @@ how a consumer would use the library (e.g. adding unit tests, updating documenta
 
 ## Unreleased
 
+### Added
+
+- `code42 audit-logs` commands:
+    - `search` to search for audit-logs.
+    - `send-to` to send audit-logs to server.
+
 ### Changed
 
 - The `--advanced-query` option on `alerts search` and `security-data (search|send-to)` commands has been updated:

integration/test_alerts.py

@@ -1,89 +1,31 @@
-import json
+from datetime import datetime
+from datetime import timedelta
 
 import pytest
 from integration import run_command
-from integration.util import cleanup_after_validation
 
-ALERT_COMMAND = "code42 alerts print -b 2020-05-18 -e 2020-05-20"
 
+begin_date = datetime.utcnow() - timedelta(days=20)
+end_date = datetime.utcnow() - timedelta(days=10)
+begin_date_str = begin_date.strftime("%Y-%m-%d")
+end_date_str = end_date.strftime("%Y-%m-%d")
 
-def _parse_response(response):
-    return [json.loads(line) for line in response if len(line)]
-
-
-def _validate_field_value(field, value, response):
-    parsed_response = _parse_response(response)
-    assert len(parsed_response) > 0
-    for record in parsed_response:
-        assert record[field] == value
+ALERT_COMMAND = "code42 alerts search -b {} -e {}".format(begin_date_str, end_date_str)
 
 
 @pytest.mark.parametrize(
-    "command, field, value",
+    "command",
     [
-        ("{} --state OPEN".format(ALERT_COMMAND), "state", "OPEN"),
-        ("{} --state RESOLVED".format(ALERT_COMMAND), "state", "RESOLVED"),
-        (
-            "{} --actor user@code42.com".format(ALERT_COMMAND),
-            "actor",
-            "user@code42.com",
-        ),
-        (
-            "{} --rule-name 'File Upload Alert'".format(ALERT_COMMAND),
-            "name",
-            "File Upload Alert",
-        ),
-        (
-            "{} --rule-id 962a6a1c-54f6-4477-90bd-a08cc74cbf71".format(ALERT_COMMAND),
-            "ruleId",
-            "962a6a1c-54f6-4477-90bd-a08cc74cbf71",
-        ),
-        (
-            "{} --rule-type FedEndpointExfiltration".format(ALERT_COMMAND),
-            "type",
-            "FED_ENDPOINT_EXFILTRATION",
-        ),
-        (
-            "{} --description 'Alert on any file upload'".format(ALERT_COMMAND),
-            "description",
-            "Alert on any file upload events",
-        ),
+        ("{}".format(ALERT_COMMAND)),
+        ("{} --state OPEN".format(ALERT_COMMAND)),
+        ("{} --state RESOLVED".format(ALERT_COMMAND)),
+        ("{} --actor user@code42.com".format(ALERT_COMMAND)),
+        ("{} --rule-name 'File Upload Alert'".format(ALERT_COMMAND)),
+        ("{} --rule-id 962a6a1c-54f6-4477-90bd-a08cc74cbf71".format(ALERT_COMMAND)),
+        ("{} --rule-type FedEndpointExfiltration".format(ALERT_COMMAND)),
+        ("{} --description 'Alert on any file upload'".format(ALERT_COMMAND)),
     ],
 )
-def test_alert_prints_to_stdout_and_filters_result_by_given_value(
-    command, field, value
-):
+def test_alert_returns_success_return_code(command):
     return_code, response = run_command(command)
     assert return_code == 0
-    _validate_field_value(field, value, response)
-
-
-def _validate_begin_date(response):
-    parsed_response = _parse_response(response)
-    assert len(parsed_response) > 0
-    for record in parsed_response:
-        assert record["createdAt"].startswith("2020-05-18")
-
-
-@pytest.mark.parametrize("command, validate", [(ALERT_COMMAND, _validate_begin_date)])
-def test_alert_prints_to_stdout_and_filters_result_between_given_date(
-    command, validate
-):
-    return_code, response = run_command(command)
-    assert return_code == 0
-    validate(response)
-
-
-def _validate_severity(response):
-    record = json.loads(response)
-    assert record["severity"] == "MEDIUM"
-
-
-@cleanup_after_validation("./integration/alerts")
-def test_alert_writes_to_file_and_filters_result_by_severity():
-    command = (
-        "code42 alerts write-to ./integration/alerts -b 2020-05-18 -e 2020-05-20 "
-        "--severity MEDIUM"
-    )
-    return_code, response = run_command(command)
-    return _validate_severity

integration/test_auditlogs.py

@@ -0,0 +1,13 @@
+from datetime import datetime
+from datetime import timedelta
+
+from integration import run_command
+
+BASE_COMMAND = "code42 auditlogs search -b"
+
+
+def test_auditlogs_search():
+    begin_date = datetime.utcnow() - timedelta(days=-10)
+    begin_date_str = begin_date.strftime("%Y-%m-%d %H:%M:%S")
+    return_code, response = run_command(BASE_COMMAND + begin_date_str)
+    assert return_code == 0

setup.py

@@ -36,7 +36,7 @@
         "c42eventextractor==0.4.0",
         "keyring==18.0.1",
         "keyrings.alt==3.2.0",
-        "py42>=1.8.1",
+        "py42>=1.9",
     ],
     extras_require={
         "dev": [

src/code42cli/cmds/auditlogs.py

@@ -0,0 +1,195 @@
+import json
+from _collections import OrderedDict
+
+import click
+
+from code42cli.click_ext.groups import OrderedGroup
+from code42cli.date_helper import parse_max_timestamp
+from code42cli.date_helper import parse_min_timestamp
+from code42cli.logger import get_logger_for_server
+from code42cli.options import begin_option
+from code42cli.options import end_option
+from code42cli.options import format_option
+from code42cli.options import sdk_options
+from code42cli.options import send_to_format_options
+from code42cli.options import server_options
+from code42cli.output_formats import OutputFormatter
+from code42cli.util import warn_interrupt
+
+EVENT_KEY = "events"
+AUDIT_LOGS_KEYWORD = "audit-logs"
+
+AUDIT_LOGS_DEFAULT_HEADER = OrderedDict()
+AUDIT_LOGS_DEFAULT_HEADER["timestamp"] = "Timestamp"
+AUDIT_LOGS_DEFAULT_HEADER["type$"] = "Type"
+AUDIT_LOGS_DEFAULT_HEADER["actorName"] = "ActorName"
+AUDIT_LOGS_DEFAULT_HEADER["actorIpAddress"] = "ActorIpAddress"
+AUDIT_LOGS_DEFAULT_HEADER["userName"] = "AffectedUser"
+AUDIT_LOGS_DEFAULT_HEADER["userId"] = "AffectedUserUID"
+# AUDIT_LOGS_DEFAULT_HEADER["success"] = "Success"
+# AUDIT_LOGS_DEFAULT_HEADER["resultCount"] = "ResultCount"
+
+filter_option_usernames = click.option(
+    "--username", required=False, help="Filter results by usernames.", multiple=True,
+)
+filter_option_user_ids = click.option(
+    "--user-id", required=False, help="Filter results by user ids.", multiple=True,
+)
+
+filter_option_user_ip_addresses = click.option(
+    "--user-ip",
+    required=False,
+    help="Filter results by user ip addresses.",
+    multiple=True,
+)
+filter_option_affected_user_ids = click.option(
+    "--affected-user-id",
+    required=False,
+    help="Filter results by affected user ids.",
+    multiple=True,
+)
+filter_option_affected_usernames = click.option(
+    "--affected-username",
+    required=False,
+    help="Filter results by affected usernames.",
+    multiple=True,
+)
+filter_option_event_types = click.option(
+    "--event-type",
+    required=False,
+    help="Filter results by event types.",
+    multiple=True,
+)
+
+
+def filter_options(f):
+    f = begin_option(
+        f,
+        AUDIT_LOGS_KEYWORD,
+        callback=lambda ctx, param, arg: parse_min_timestamp(arg),
+        required=True,
+    )
+    f = end_option(
+        f, AUDIT_LOGS_KEYWORD, callback=lambda ctx, param, arg: parse_max_timestamp(arg)
+    )
+    f = filter_option_event_types(f)
+    f = filter_option_usernames(f)
+    f = filter_option_user_ids(f)
+    f = filter_option_user_ip_addresses(f)
+    f = filter_option_affected_user_ids(f)
+    f = filter_option_affected_usernames(f)
+    return f
+
+
+@click.group(cls=OrderedGroup)
+@sdk_options(hidden=True)
+def audit_logs(state):
+    """Retrieve audit logs."""
+    pass
+
+
+@audit_logs.command()
+@filter_options
+@format_option
+@sdk_options()
+def search(
+    state,
+    begin,
+    end,
+    event_type,
+    username,
+    user_id,
+    user_ip,
+    affected_user_id,
+    affected_username,
+    format,
+):
+    """Search audit logs."""
+    _search(
+        state.sdk,
+        format,
+        begin_time=begin,
+        end_time=end,
+        event_types=event_type,
+        usernames=username,
+        user_ids=user_id,
+        user_ip_addresses=user_ip,
+        affected_user_ids=affected_user_id,
+        affected_usernames=affected_username,
+    )
+
+
+@audit_logs.command()
+@filter_options
+@server_options
+@send_to_format_options
+@sdk_options()
+def send_to(
+    state,
+    hostname,
+    protocol,
+    format,
+    begin,
+    end,
+    event_type,
+    username,
+    user_id,
+    user_ip,
+    affected_user_id,
+    affected_username,
+):
+    """Send audit logs to the given server address."""
+    _send_to(
+        state.sdk,
+        hostname,
+        protocol,
+        format,
+        begin_time=begin,
+        end_time=end,
+        event_types=event_type,
+        usernames=username,
+        user_ids=user_id,
+        user_ip_addresses=user_ip,
+        affected_user_ids=affected_user_id,
+        affected_usernames=affected_username,
+    )
+
+
+def _search(sdk, format, **filter_args):
+
+    formatter = OutputFormatter(format, AUDIT_LOGS_DEFAULT_HEADER)
+    response_gen = sdk.auditlogs.get_all(**filter_args)
+
+    events = []
+    try:
+        for response in response_gen:
+            response_dict = json.loads(response.text)
+            if EVENT_KEY in response_dict:
+                events.extend(response_dict.get(EVENT_KEY))
+    except KeyError:
+        # API endpoint (get_page) returns a response without events key when no records are found
+        # e.g {"paginationRangeStartIndex": 10000, "paginationRangeEndIndex": 10000, "totalResultCount": 1593}
+        pass
+
+    event_count = len(events)
+    if not event_count:
+        click.echo("No results found.")
+    elif event_count > 10:
+        click.echo_via_pager(formatter.get_formatted_output(events))
+    else:
+        formatter.echo_formatted_list(events)
+
+
+def _send_to(sdk, hostname, protocol, format, **filter_args):
+    logger = get_logger_for_server(hostname, protocol, format)
+    with warn_interrupt():
+        response_gen = sdk.auditlogs.get_all(**filter_args)
+        try:
+            for response in response_gen:
+                if EVENT_KEY in response:
+                    for event in response[EVENT_KEY]:
+                        logger.info(event)
+                else:
+                    logger.info("No results found.")
+        except KeyError:
+            pass