Skip to content

GitLab

Switch branch/tag
Find file Normal viewHistoryPermalink
log_consumer.go 8.32 KB
Newer Older
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
1 2 3 4 
package service

import (
	"context"
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
5 
	"encoding/json"
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
6 
	"errors"
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
7 8 
	"fmt"
	"time"
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
9 10 11 

	"github.com/rs/zerolog/log"
	"github.com/segmentio/kafka-go"
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
12 
	"github.com/segmentio/kafka-go/sasl/scram"
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
13 
	"gitlab.com/tensorsecurity-rd/waf-console/internal/config"
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
14 15 16 17 18 
	"gitlab.com/tensorsecurity-rd/waf-console/internal/model"
	"gitlab.com/tensorsecurity-rd/waf-console/internal/utils/id"

	es "github.com/olivere/elastic/v7"
	esStore "gitlab.com/tensorsecurity-rd/waf-console/internal/store"
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
19 20 21 
	"gorm.io/gorm"
)
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
22 23 24 25 26 27 
const (
	KafkaTopicIvanWafDetections       = "ivan_waf_detections"
	KafkaGroupIvanWafDetectionsPalace = "ivan_waf_detections_palace"

	EsIndexWafDetections      = "waf-detections*"
	EsIndexWafDetectionsAlias = "waf-detections"
qiuqunfeng's avatar
Refactor WAF detection handling in LogConsumerService to improve event generation and error logging  
qiuqunfeng committed
28 
	ESIndexEvents             = "events"
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
29 30 
)
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 
var scramAlgo = map[string]scram.Algorithm{
	"SHA512": scram.SHA512,
	"SHA256": scram.SHA256,
}

var ErrMissingBrokers = errors.New("no KAFKA_BROKERS env variable set")
var ErrMissingAuthInfo = errors.New("no username or passwrod set when auth is enabled")
var ErrUnsupportedAuthMethod = errors.New("unsupported auth method")

const (
	EnvKafkaAuthMethod   = "KAFKA_AUTH_METHOD"
	EnvKafkaAuthUsername = "KAFKA_AUTH_USERNAME"
	EnvKafkaAuthPassword = "KAFKA_AUTH_PASSWORD"
	EnvKafkaScramAlgo    = "KAFKA_SCRAM_ALGO"
	EnvKafkaBrokers      = "KAFKA_BROKERS"
	KafkaAuthPlain       = "plain"
	KafkaAuthScram       = "scram"
)
qiuqunfeng's avatar
Implement dynamic log level configuration and refactor Elasticsearch client creation  
qiuqunfeng committed
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 
// func getSASLMechanismByEnv() (sasl.Mechanism, bool, error) {
// 	authMethod := os.Getenv(EnvKafkaAuthMethod)
// 	username := os.Getenv(EnvKafkaAuthUsername)
// 	password := os.Getenv(EnvKafkaAuthPassword)
// 	var mechanism sasl.Mechanism
// 	switch authMethod {
// 	case KafkaAuthPlain:
// 		if username == "" || password == "" {
// 			return nil, true, ErrMissingAuthInfo
// 		}
// 		mechanism = &plain.Mechanism{
// 			Username: username,
// 			Password: password,
// 		}
// 	case KafkaAuthScram:
// 		if username == "" || password == "" {
// 			return nil, true, ErrMissingAuthInfo
// 		}
// 		algoKey := os.Getenv(EnvKafkaScramAlgo)
// 		algo := scram.SHA512
// 		algoTmp, exist := scramAlgo[algoKey]
// 		if exist {
// 			algo = algoTmp
// 		}
// 		var err error
// 		mechanism, err = scram.Mechanism(algo, username, password)
// 		if err != nil {
// 			return nil, true, err
// 		}
// 	}
// 	return mechanism, mechanism != nil, nil
// }
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
82
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
83 84 85 
type LogConsumerService struct {
	consumer *kafka.Reader
	db       *gorm.DB
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
86 
	esStore  *esStore.ESStore
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
87 88 
}
qiuqunfeng's avatar
Implement dynamic log level configuration and refactor Elasticsearch client creation  
qiuqunfeng committed
89 90 91 92 93 94 95 96 97 
func NewLogConsumerService(db *gorm.DB, esStore *esStore.ESStore, config *config.KafkaConfig) *LogConsumerService {
	// mechanism, _, err := getSASLMechanismByEnv()
	// if err != nil {
	// 	log.Fatal().Err(err).Msg("failed to get SASL mechanism")
	// }
	// brokers := strings.Split(os.Getenv(EnvKafkaBrokers), ",")
	// if len(brokers) == 0 {
	// 	log.Fatal().Msg("no KAFKA_BROKERS env variable set")
	// }
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
98
qiuqunfeng's avatar
Implement dynamic log level configuration and refactor Elasticsearch client creation  
qiuqunfeng committed
99 100 101 102 103 104 105 106 107 108 109 
	// consumer := kafka.NewReader(kafka.ReaderConfig{
	// 	Brokers: brokers,
	// 	GroupID: KafkaGroupIvanWafDetectionsPalace,
	// 	Topic:   KafkaTopicIvanWafDetections,
	// 	Dialer: &kafka.Dialer{
	// 		SASLMechanism: mechanism,
	// 		Timeout:       10 * time.Second,
	// 		DualStack:     true,
	// 	},
	// })
	consumer := NewKafkaReader(config)
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
110
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
111 112 113 
	return &LogConsumerService{
		consumer: consumer,
		db:       db,
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
114 
		esStore:  esStore,
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
115 116 117 118 
	}
}

func (s *LogConsumerService) Consume() {
qiuqunfeng's avatar
Add logging for Kafka message consumption  
qiuqunfeng committed
119 
	log.Info().Msg("start consume kafka message")
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
120 121 122 123 124 125 126 127 128 129 130 131 132 
	for {
		m, err := s.consumer.ReadMessage(context.Background())
		if err != nil {
			log.Error().Err(err).Msg("failed to read message")
			continue
		}
		log.Info().Msgf("message: %s", string(m.Value))
		go s.processMessage(m)
	}
}

func (s *LogConsumerService) processMessage(m kafka.Message) {
	log.Info().Msgf("processing message: %s", string(m.Value))
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
133 134 135 
	s.Handle(context.Background(), m.Value)
}
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 
func (s *LogConsumerService) genWafDetection(wafDetectionMessage model.WafDetectionMessage, attackedLog model.WafDetectionAttackedLog) (model.WafDetection, error) {
	if attackedLog.AttackIP == "" {
		return model.WafDetection{}, errors.New("attack_ip is empty")
	}
	if attackedLog.Action != "pass" {
		return model.WafDetection{}, errors.New("action is not pass")
	}
	wafDetection := model.WafDetection{
		WafDetectionMessageBasic: wafDetectionMessage.WafDetectionMessageBasic,
		WafDetectionAttackedLog:  attackedLog,
		CreatedAt:                wafDetectionMessage.CreatedAt,
	}
	wafDetection.WafDetectionAttackedLog.ID = id.Str()
	return wafDetection, nil
}

func (s *LogConsumerService) genWafDetectionEvent(wafDetectionMessage model.WafDetectionMessage) (model.Event, error) {
	event := model.Event{
		ID:          id.Str(),
		Type:        "waf_detection",
		Description: "waf detection",
		RuleKeys:    []model.RuleKey{},
		Scopes: map[string][]model.Scope{
			"cluster": {
				{
					Kind: "cluster",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
					Name: wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
				},
			},
			"namespace": {
				{
					Kind: "namespace",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.Namespace,
					Name: wafDetectionMessage.WafDetectionMessageBasic.Namespace,
				},
			},
			"resource": {
				{
					Kind: "resource",
					ID:   "",
					Name: fmt.Sprintf("%s(%s)", wafDetectionMessage.WafDetectionMessageBasic.ResName, wafDetectionMessage.WafDetectionMessageBasic.ResKind),
				},
			},
		},
		Resources: []map[string]model.Scope{
			{
				"cluster": {
					Kind: "cluster",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
					Name: wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
				},
				"namespace": {
					Kind: "namespace",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.Namespace,
					Name: wafDetectionMessage.WafDetectionMessageBasic.Namespace,
				},
				"resource": {
					Kind: "resource",
					ID:   "",
					Name: fmt.Sprintf("%s(%s)", wafDetectionMessage.WafDetectionMessageBasic.ResName, wafDetectionMessage.WafDetectionMessageBasic.ResKind),
				},
			},
		},
		Relation: model.Relation{
			Type: "timeline",
		},
		CreatedAt: wafDetectionMessage.CreatedAt,
		UpdatedAt: wafDetectionMessage.CreatedAt,
		Timestamp: time.Now(),
		Context: map[string]interface{}{
			"waf_detection_message": wafDetectionMessage,
		},
	}
	return event, nil
}
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 
func (s *LogConsumerService) Handle(ctx context.Context, message []byte) error {
	WafDetectionMessage := model.WafDetectionMessage{}
	err := json.Unmarshal(message, &WafDetectionMessage)
	if err != nil {
		log.Err(err).Str("message.Value", string(message)).Msg("unmarshal kafka message fails")
		return err
	}

	bulkableRequests := make([]es.BulkableRequest, 0)
	WafDetections := make([]model.WafDetection, len(WafDetectionMessage.AttackedLog))

	unPassCount := 0
	for i := range WafDetectionMessage.AttackedLog {
		if WafDetectionMessage.AttackedLog[i].AttackIP == "" {
			log.Err(err).Str("message.Value", string(message)).Msg("WafDetectionMessage.AttackedLog[i].AttackIP empty")
			continue
		}
		if WafDetectionMessage.AttackedLog[i].Action != "pass" {
			unPassCount++
		}
qiuqunfeng's avatar
Refactor WAF detection handling in LogConsumerService to improve event generation and error logging  
qiuqunfeng committed
233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 
		// WafDetections[i].WafDetectionMessageBasic = WafDetectionMessage.WafDetectionMessageBasic
		// WafDetections[i].WafDetectionAttackedLog = WafDetectionMessage.AttackedLog[i]
		// WafDetections[i].WafDetectionAttackedLog.ID = id.Str()
		// WafDetections[i].CreatedAt = WafDetectionMessage.CreatedAt
		wafDetection, err := s.genWafDetection(WafDetectionMessage, WafDetectionMessage.AttackedLog[i])
		if err != nil {
			log.Err(err).Str("message.Value", string(message)).Msg("gen waf detection fails")
			continue
		}
		WafDetections[i] = wafDetection
		event, err := s.genWafDetectionEvent(WafDetectionMessage)
		if err != nil {
			log.Err(err).Str("message.Value", string(message)).Msg("gen waf detection event fails")
			continue
		}
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
248 
		bulkIndexSignal := es.NewBulkIndexRequest().Index(EsIndexWafDetectionsAlias)
qiuqunfeng's avatar
Refactor WAF detection handling in LogConsumerService to improve event generation and error logging  
qiuqunfeng committed
249 250 251 
		bulkableRequests = append(bulkableRequests, bulkIndexSignal.Id(wafDetection.WafDetectionAttackedLog.ID).Doc(wafDetection))
		bulkIndexEvent := es.NewBulkIndexRequest().Index(ESIndexEvents)
		bulkableRequests = append(bulkableRequests, bulkIndexEvent.Id(event.ID).Doc(event))
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
252 253 254 255 
	}

	s.esStore.Save(ctx, bulkableRequests)
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
256 257 258 259 260 
	// err = s.db.WithContext(ctx).Model(&model.WafService{}).Where("id = ?", WafDetectionMessage.ServiceID).Update("attack_num", gorm.Expr("attack_num + ?", 1)).Error
	// if err != nil {
	// 	log.Err(err).Int64("WafDetectionMessage.ServiceID", WafDetectionMessage.ServiceID).Msg("update waf_service attack_number fails")
	// 	return err
	// }
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
261 262 

	return nil
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
263 
}