Feature/integ 1064 multi checkpoint (#106)

Author: alanag13

CHANGELOG.md

@@ -8,6 +8,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 The intended audience of this file is for py42 consumers -- as such, changes that don't affect
 how a consumer would use the library (e.g. adding unit tests, updating documentation, etc) are not captured here.
 
+## Unreleased
+
+### Changed
+
+- `-i` (`--incremental`) has been removed, use `-c` (`--use-checkpoint`) with a string name for the checkpoint instead.
+
+### Added
+
+- Profile can now save multiple alert and file event checkpoints. The name of the checkpoint to be used for a given query should be passed to `-c` (`--use-checkpoint`).
+
 ## 0.7.3 - 2020-06-23
 
 ### Fixed

README.md

@@ -61,10 +61,6 @@ To see all your profiles, do:
 code42 profile list
 ```
 
-A separate profile would be needed in order to keep the incremental checkpoints separate for different queries.
-i.e User needs to maintain separate profiles for file event queries and saved search queries as only one checkpoint
-is supported per profile.
-
 ## Security Data and Alerts
 
 Using the CLI, you can query for security events and alerts and send them to three possible destination types:

docs/commands/alerts.md

@@ -30,7 +30,7 @@ Search args are shared between `print`, `write-to`, and `send-to` commands.
     Available choices=['FedEndpointExfiltration', 'FedCloudSharePermissions', 'FedFileTypeMismatch'].
 * `--description`: Filter alerts by description. Does fuzzy search by default.
 * `-f`, `--format` (optional): The format used for outputting file events. Available choices= [CEF,JSON,RAW-JSON]. 
-* `-i`, `--incremental` (optional): Only get file events that were not previously retrieved.
+* `-c`, `--use-checkpoint` (optional): Get only file events that were not previously retrieved by writing the timestamp of the last event retrieved to a named checkpoint.
 
 ## print
 
@@ -73,9 +73,12 @@ code42 alerts send-to <server> <optional-args> <args>
 
 ## clear-checkpoint
 
-Remove the saved file event checkpoint from 'incremental' (-i) mode.
+Arguments:
+* `name`: The name to save this checkpoint as for later reuse.
+
+Remove the saved file event checkpoint from 'use-checkpoint' (-c) mode.
 
 Usage:
 ```bash
-code42 alerts clear-checkpoint
+code42 alerts clear-checkpoint <name>
 ```

docs/commands/securitydata.md

@@ -6,7 +6,7 @@ Search args are shared between `print`, `write-to`, and `send-to` commands.
 
 * `--advanced-query` (optional): A raw JSON file events query. Useful for when the provided query parameters do not 
     satisfy your requirements. WARNING: Using advanced queries is incompatible with other query-building args.
-* `-b`, `--begin` (required except for non-first runs in incremental mode): The beginning of the date range in which to 
+* `-b`, `--begin` (required except for non-first runs in checkpoint mode): The beginning of the date range in which to 
     look for file events, can be a date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC+24-hr time) format where 
     the 'time' portion of the string can be partial (e.g. '2020-01-01 12' or '2020-01-01 01:15') or a short value 
     representing days (30d), hours (24h) or minutes (15m) from current time.
@@ -26,7 +26,7 @@ Search args are shared between `print`, `write-to`, and `send-to` commands.
 * `--tab-url` (optional): Limits events to be exposure events with one of these destination tab URLs.
 * `--include-non-exposure` (optional): Get all events including non-exposure events.
 * `-f`, `--format` (optional): The format used for outputting file events. Available choices= [CEF,JSON,RAW-JSON]. 
-* `-i`, `--incremental` (optional): Only get file events that were not previously retrieved.
+* `-c`, `--use-checkpoint` (optional): Get only file events that were not previously retrieved by writing the timestamp of the last event retrieved to a named checkpoint.
 
 
 ## print
@@ -70,9 +70,12 @@ code42 security-data send-to <server> <optional-server-args> <args>
 
 ## clear-checkpoint
 
-Remove the saved file event checkpoint from 'incremental' (-i) mode.
+Arguments:
+* `name`: The name to save this checkpoint as for later reuse.
+
+Remove the saved file event checkpoint from 'use-checkpoint' (-c) mode.
 
 Usage:
 ```bash
-code42 security-data clear-checkpoint
+code42 security-data clear-checkpoint <name>
 ```

docs/userguides/siemexample.md

@@ -32,7 +32,7 @@ code42 security-data send-to "https://syslog.example.com:514" -p TCP --profile p
 ```
 
 Note that it is best practice to use a separate profile when executing a scheduled task. This way, it is harder to 
-accidentally mess up your stored checkpoints by running `--incremental` adhoc queries.
+accidentally mess up your stored checkpoints by running `--use-checkpoint` adhoc queries.
 
 This query will send to the syslog server only the new security event data since the previous request.
 

src/code42cli/cmds/alerts/extraction.py

@@ -35,8 +35,8 @@ def extract(sdk, profile, output_logger, args):
                 send-to: uses a logger that sends logs to a server.
             args: Command line args used to build up alert query filters.
     """
-    store = AlertCursorStore(profile.name) if args.incremental else None
-    handlers = create_handlers(sdk, AlertExtractor, output_logger, store)
+    store = AlertCursorStore(profile.name) if args.use_checkpoint else None
+    handlers = create_handlers(sdk, AlertExtractor, output_logger, store, args.use_checkpoint)
     extractor = AlertExtractor(sdk, handlers)
     if args.advanced_query:
         extractor.extract_advanced(args.advanced_query)

src/code42cli/cmds/alerts/main.py

@@ -11,9 +11,7 @@
     RuleType,
 )
 from code42cli.cmds.search_shared.cursor_store import AlertCursorStore
-from code42cli.cmds.search_shared.args import (
-    create_incompatible_search_args, SEARCH_FOR_ALERTS
-)
+from code42cli.cmds.search_shared.args import create_incompatible_search_args, SEARCH_FOR_ALERTS
 
 
 class MainAlertsSubcommandLoader(SubcommandLoader):
@@ -55,20 +53,20 @@ def load_commands(self):
 
         clear = Command(
             self.CLEAR_CHECKPOINT,
-            u"Remove the saved alert checkpoint from 'incremental' (-i) mode.",
+            u"Remove the saved alert checkpoint from 'use-checkpoint' (-c) mode.",
             u"{} {}".format(usage_prefix, u"clear-checkpoint <optional-args>"),
             handler=clear_checkpoint,
         )
 
         return [print_func, write, send, clear]
 
 
-def clear_checkpoint(sdk, profile):
+def clear_checkpoint(sdk, profile, cursor_name):
     """Removes the stored checkpoint that keeps track of the last alert retrieved for the given profile..
         To use, run `code42 alerts clear-checkpoint`.
-        This affects `incremental` mode by causing it to behave like it has never been run before.
+        This affects `use-checkpoint` mode by resetting the checkpoint, causing it to behave like it has never been run before.
     """
-    AlertCursorStore(profile.name).replace_stored_cursor_timestamp(None)
+    AlertCursorStore(profile.name).delete(cursor_name)
 
 
 def _validate_args(args):

src/code42cli/cmds/search_shared/args.py

@@ -39,8 +39,9 @@ def _saved_search_args():
     saved_search = ArgConfig(
         u"--saved-search",
         help=u"Limits events to those discoverable with the saved search "
-             u"filters for the saved search with the given ID.\n"
-             u"WARNING: Using saved search is incompatible with other query-building args.")
+        u"filters for the saved search with the given ID.\n"
+        u"WARNING: Using saved search is incompatible with other query-building args.",
+    )
     return {u"saved_search": saved_search}
 
 
@@ -65,10 +66,9 @@ def create_incompatible_search_args(search_for=None):
             help=u"The end of the date range in which to look for {0}, "
             u"argument format options are the same as --begin.".format(search_for),
         ),
-        u"incremental": ArgConfig(
-            u"-i",
-            u"--incremental",
-            action=u"store_true",
+        u"use_checkpoint": ArgConfig(
+            u"-c",
+            u"--use-checkpoint",
             help=u"Only get {0} that were not previously retrieved.".format(search_for),
         ),
     }

src/code42cli/cmds/search_shared/cursor_store.py

@@ -1,126 +1,80 @@
 from __future__ import with_statement
 
-import sqlite3
 import os
+from os import path
 
+from code42cli.errors import Code42CLIError
 from code42cli.util import get_user_project_path
 
 
+class Cursor(object):
+    def __init__(self, location):
+        self._location = location
+        self._name = path.basename(location)
+
+    @property
+    def name(self):
+        return self._name
+
+    @property
+    def value(self):
+        with open(self._location) as checkpoint:
+            return checkpoint.read()
+
+
 class BaseCursorStore(object):
-    _PRIMARY_KEY_COLUMN_NAME = u"cursor_id"
-    _timestamp_column_name = u"OVERRIDE"
-    _primary_key = u"OVERRIDE"
-
-    def __init__(self, db_table_name, db_file_path=None):
-        self._table_name = db_table_name
-        if db_file_path is None:
-            db_path = get_user_project_path(u"db")
-            db_file = u"file_event_checkpoints.db"
-            db_file_path = os.path.join(db_path, db_file)
-
-        self._connection = sqlite3.connect(db_file_path)
-        if self._is_empty():
-            self._init_table()
-
-    def _get(self, columns, primary_key):
-        query = u"SELECT {0} FROM {1} WHERE {2}=?"
-        query = query.format(columns, self._table_name, self._PRIMARY_KEY_COLUMN_NAME)
-        with self._connection as conn:
-            cursor = conn.cursor()
-            cursor.execute(query, (primary_key,))
-            return cursor.fetchall()
-
-    def _set(self, column_name, new_value, primary_key):
-        query = u"UPDATE {0} SET {1}=? WHERE {2}=?".format(
-            self._table_name, column_name, self._PRIMARY_KEY_COLUMN_NAME
-        )
-        with self._connection as conn:
-            conn.execute(query, (new_value, primary_key))
-
-    def _delete(self, primary_key):
-        query = u"DELETE FROM {0} WHERE {1}=?".format(
-            self._table_name, self._PRIMARY_KEY_COLUMN_NAME
-        )
-        with self._connection as conn:
-            conn.execute(query, (primary_key,))
-
-    def _row_exists(self, primary_key):
-        query = u"SELECT * FROM {0} WHERE {1}=?"
-        query = query.format(self._table_name, self._PRIMARY_KEY_COLUMN_NAME)
-        with self._connection as conn:
-            cursor = conn.cursor()
-            cursor.execute(query, (primary_key,))
-            query_result = cursor.fetchone()
-            if not query_result:
-                return False
-            return True
-
-    def _drop_table(self):
-        drop_query = u"DROP TABLE {0}".format(self._table_name)
-        with self._connection as conn:
-            conn.execute(drop_query)
-
-    def _is_empty(self):
-        table_count_query = u"""
-            SELECT COUNT(name)
-            FROM sqlite_master
-            WHERE type='table' AND name=?
-        """
-        with self._connection as conn:
-            cursor = conn.cursor()
-            cursor.execute(table_count_query, (self._table_name,))
-            query_result = cursor.fetchone()
-            if query_result:
-                return int(query_result[0]) <= 0
-
-    def _init_table(self):
-        columns = u"{0}, {1}".format(self._PRIMARY_KEY_COLUMN_NAME, self._timestamp_column_name)
-        create_table_query = u"CREATE TABLE {0} ({1})".format(self._table_name, columns)
-        with self._connection as conn:
-            conn.execute(create_table_query)
-
-    def _insert_new_row(self):
-        insert_query = u"INSERT INTO {0} VALUES(?, null)".format(self._table_name)
-        with self._connection as conn:
-            conn.execute(insert_query, (self._primary_key,))
-
-    def get_stored_cursor_timestamp(self):
-        """Gets the last stored date observed timestamp."""
-        rows = self._get(self._timestamp_column_name, self._primary_key)
-        if rows and rows[0]:
-            return rows[0][0]
+    def __init__(self, dir_path):
+        self._dir_path = dir_path
 
-    def replace_stored_cursor_timestamp(self, new_date_observed_timestamp):
+    def get(self, cursor_name):
+        """Gets the last stored date observed timestamp."""
+        try:
+            location = path.join(self._dir_path, cursor_name)
+            with open(location) as checkpoint:
+                return float(checkpoint.read())
+        except FileNotFoundError:
+            return None
+
+    def replace(self, cursor_name, new_timestamp):
         """Replaces the last stored date observed timestamp with the given one."""
-        self._set(
-            column_name=self._timestamp_column_name,
-            new_value=new_date_observed_timestamp,
-            primary_key=self._primary_key,
-        )
+        location = path.join(self._dir_path, cursor_name)
+        with open(location, "w") as checkpoint:
+            return checkpoint.write(str(new_timestamp))
+
+    def delete(self, cursor_name):
+        """Removes a single cursor from the store."""
+        try:
+            location = path.join(self._dir_path, cursor_name)
+            os.remove(location)
+        except FileNotFoundError:
+            msg = "No checkpoint named {0} exists for this profile.".format(cursor_name)
+            raise Code42CLIError(msg)
 
     def clean(self):
-        """Removes profile cursor data from store."""
-        self._delete(self._primary_key)
+        """Removes all cursors from this store."""
+        cursors = self.get_all_cursors()
+        for cursor in cursors:
+            self.delete(cursor.name)
 
+    def get_all_cursors(self):
+        """Returns a list of all cursors stored in this directory (which istypically scoped to a profile)."""
+        dir_contents = os.listdir(self._dir_path)
+        return [Cursor(f) for f in dir_contents if self._is_file(f)]
 
-class FileEventCursorStore(BaseCursorStore):
-    _timestamp_column_name = u"insertionTimestamp"
+    def _is_file(self, node_name):
+        return path.isfile(path.join(self._dir_path, node_name))
 
-    def __init__(self, profile_name, db_file_path=None):
-        self._primary_key = profile_name
-        super(FileEventCursorStore, self).__init__(u"file_event_checkpoints", db_file_path)
-        if not self._row_exists(self._primary_key):
-            self._insert_new_row()
 
+class FileEventCursorStore(BaseCursorStore):
+    def __init__(self, profile_name):
+        dir_path = get_user_project_path(u"file_event_checkpoints", profile_name)
+        super(FileEventCursorStore, self).__init__(dir_path)
 
-class AlertCursorStore(BaseCursorStore):
-    _timestamp_column_name = u"createdAt"
 
-    def __init__(self, profile_name, db_file_path=None):
-        self._primary_key = profile_name
-        super(AlertCursorStore, self).__init__(u"alert_checkpoints", db_file_path)
-        if not self._row_exists(self._primary_key):
-            self._insert_new_row()
+class AlertCursorStore(BaseCursorStore):
+    def __init__(self, profile_name):
+        dir_path = get_user_project_path(u"alert_checkpoints", profile_name)
+        super(AlertCursorStore, self).__init__(dir_path)
 
 
 def get_file_event_cursor_store(profile_name):

src/code42cli/cmds/search_shared/enums.py

@@ -1,4 +1,4 @@
-IS_INCREMENTAL_KEY = u"incremental"
+IS_CHECKPOINT_KEY = u"use_checkpoint"
 
 
 class OutputFormat(object):