[RORDEV-1567] ECS serializer and improved configurable serializer (#1165)

Author: mgoworko

audit/src/main/scala/tech/beshu/ror/audit/utils/AuditSerializationHelper.scala

@@ -45,23 +45,23 @@ private[ror] object AuditSerializationHelper {
   }
 
   def serialize(responseContext: AuditResponseContext,
-                fields: Map[AuditFieldName, AuditFieldValueDescriptor],
+                fields: Map[AuditFieldPath, AuditFieldValueDescriptor],
                 allowedEventMode: AllowedEventMode): Option[JSONObject] = {
     responseContext match {
       case Allowed(requestContext, verbosity, reason) =>
         allowedEvent(
           allowedEventMode,
           verbosity,
-          createEntry(fields, EventData(matched = true, "ALLOWED", reason, responseContext.duration, requestContext, None))
+          createEntry(fields, EventData(matched = true, FinalState.Allowed, reason, responseContext.duration, requestContext, None))
         )
       case ForbiddenBy(requestContext, _, reason) =>
-        Some(createEntry(fields, EventData(matched = true, "FORBIDDEN", reason, responseContext.duration, requestContext, None)))
+        Some(createEntry(fields, EventData(matched = true, FinalState.Forbidden, reason, responseContext.duration, requestContext, None)))
       case Forbidden(requestContext) =>
-        Some(createEntry(fields, EventData(matched = false, "FORBIDDEN", "default", responseContext.duration, requestContext, None)))
+        Some(createEntry(fields, EventData(matched = false, FinalState.Forbidden, "default", responseContext.duration, requestContext, None)))
       case RequestedIndexNotExist(requestContext) =>
-        Some(createEntry(fields, EventData(matched = false, "INDEX NOT EXIST", "Requested index doesn't exist", responseContext.duration, requestContext, None)))
+        Some(createEntry(fields, EventData(matched = false, FinalState.IndexNotExist, "Requested index doesn't exist", responseContext.duration, requestContext, None)))
       case Errored(requestContext, cause) =>
-        Some(createEntry(fields, EventData(matched = false, "ERRORED", "error", responseContext.duration, requestContext, Some(cause))))
+        Some(createEntry(fields, EventData(matched = false, FinalState.Errored, "error", responseContext.duration, requestContext, Some(cause))))
     }
   }
 
@@ -76,23 +76,48 @@ private[ror] object AuditSerializationHelper {
     }
   }
 
-  private def createEntry(fields: Map[AuditFieldName, AuditFieldValueDescriptor],
+  private def createEntry(fields: Map[AuditFieldPath, AuditFieldValueDescriptor],
                           eventData: EventData) = {
     val resolveAuditFieldValue = resolver(eventData)
-    val resolvedFields: Map[String, Any] =
-      Map("@timestamp" -> timestampFormatter.format(eventData.requestContext.timestamp)) ++
-        fields.map { case (name, valueDescriptor) => name.value -> resolveAuditFieldValue(valueDescriptor) }
+    val resolvedFields: Map[AuditFieldPath, Any] =
+      Map(AuditFieldPath("@timestamp") -> timestampFormatter.format(eventData.requestContext.timestamp)) ++
+        fields.map { case (name, valueDescriptor) => name -> resolveAuditFieldValue(valueDescriptor) }
 
-    resolvedFields
-      .foldLeft(new JSONObject()) { case (soFar, (key, value)) => soFar.put(key, value) }
-      .mergeWith(eventData.requestContext.generalAuditEvents)
+    resolvedFields.foldLeft(new JSONObject()) { case (soFar, (path, value)) =>
+      putNested(soFar, path.path.toList, value)
+    }.mergeWith(eventData.requestContext.generalAuditEvents)
+  }
+
+  private def putNested(json: JSONObject, path: List[String], value: Any): JSONObject = {
+    path match {
+      case Nil =>
+        json
+      case key :: Nil =>
+        json.put(key, value)
+        json
+      case key :: tail =>
+        val child = Option(json.optJSONObject(key)).getOrElse(new JSONObject())
+        json.put(key, putNested(child, tail, value))
+        json
+    }
   }
 
   private def resolver(eventData: EventData): AuditFieldValueDescriptor => Any = auditValue => {
     val requestContext = eventData.requestContext
     auditValue match {
       case AuditFieldValueDescriptor.IsMatched => eventData.matched
-      case AuditFieldValueDescriptor.FinalState => eventData.finalState
+      case AuditFieldValueDescriptor.FinalState => eventData.finalState match {
+        case FinalState.Allowed => "ALLOWED"
+        case FinalState.Forbidden => "FORBIDDEN"
+        case FinalState.Errored => "ERRORED"
+        case FinalState.IndexNotExist => "INDEX NOT EXIST"
+      }
+      case AuditFieldValueDescriptor.EcsEventOutcome => eventData.finalState match {
+        case FinalState.Allowed => "success"
+        case FinalState.Forbidden => "failure"
+        case FinalState.Errored => "unknown"
+        case FinalState.IndexNotExist => "unknown"
+      }
       case AuditFieldValueDescriptor.Reason => eventData.reason
       case AuditFieldValueDescriptor.User => SerializeUser.serialize(requestContext).orNull
       case AuditFieldValueDescriptor.LoggedUser => requestContext.loggedInUserName.orNull
@@ -102,6 +127,7 @@ private[ror] object AuditSerializationHelper {
       case AuditFieldValueDescriptor.InvolvedIndices => if (requestContext.involvesIndices) requestContext.indices.toList.asJava else List.empty.asJava
       case AuditFieldValueDescriptor.AclHistory => requestContext.history
       case AuditFieldValueDescriptor.ProcessingDurationMillis => eventData.duration.toMillis
+      case AuditFieldValueDescriptor.ProcessingDurationNanos => eventData.duration.toNanos
       case AuditFieldValueDescriptor.Timestamp => timestampFormatter.format(requestContext.timestamp)
       case AuditFieldValueDescriptor.Id => requestContext.id
       case AuditFieldValueDescriptor.CorrelationId => requestContext.correlationId
@@ -121,6 +147,8 @@ private[ror] object AuditSerializationHelper {
       case AuditFieldValueDescriptor.EsNodeName => eventData.requestContext.auditEnvironmentContext.esNodeName
       case AuditFieldValueDescriptor.EsClusterName => eventData.requestContext.auditEnvironmentContext.esClusterName
       case AuditFieldValueDescriptor.StaticText(text) => text
+      case AuditFieldValueDescriptor.NumericValue(value) => value.bigDecimal
+      case AuditFieldValueDescriptor.BooleanValue(value) => value
       case AuditFieldValueDescriptor.Combined(values) => values.map(resolver(eventData)).mkString
     }
   }
@@ -141,12 +169,24 @@ private[ror] object AuditSerializationHelper {
   }
 
   private final case class EventData(matched: Boolean,
-                                     finalState: String,
+                                     finalState: FinalState,
                                      reason: String,
                                      duration: FiniteDuration,
                                      requestContext: AuditRequestContext,
                                      error: Option[Throwable])
 
+  private sealed trait FinalState
+
+  private object FinalState {
+    case object Allowed extends FinalState
+
+    case object Forbidden extends FinalState
+
+    case object Errored extends FinalState
+
+    case object IndexNotExist extends FinalState
+  }
+
   sealed trait AllowedEventMode
 
   object AllowedEventMode {
@@ -155,7 +195,15 @@ private[ror] object AuditSerializationHelper {
     final case class Include(types: Set[Verbosity]) extends AllowedEventMode
   }
 
-  final case class AuditFieldName(value: String)
+  final case class AuditFieldPath private(path: List[String])
+
+  object AuditFieldPath {
+    def apply(name: String): AuditFieldPath =
+      AuditFieldPath(List(name))
+
+    def apply(head: String, tail: List[String]): AuditFieldPath =
+      AuditFieldPath(head :: tail)
+  }
 
   sealed trait AuditFieldValueDescriptor
 
@@ -166,6 +214,8 @@ private[ror] object AuditSerializationHelper {
 
     case object FinalState extends AuditFieldValueDescriptor
 
+    case object EcsEventOutcome extends AuditFieldValueDescriptor
+
     case object Reason extends AuditFieldValueDescriptor
 
     @deprecated("[ROR] The User audit field value descriptor should not be used. Use LoggedUser or PresentedIdentity instead", "1.68.0")
@@ -185,6 +235,8 @@ private[ror] object AuditSerializationHelper {
 
     case object ProcessingDurationMillis extends AuditFieldValueDescriptor
 
+    case object ProcessingDurationNanos extends AuditFieldValueDescriptor
+
     // Identifiers
     case object Timestamp extends AuditFieldValueDescriptor
 
@@ -230,6 +282,10 @@ private[ror] object AuditSerializationHelper {
 
     final case class StaticText(value: String) extends AuditFieldValueDescriptor
 
+    final case class BooleanValue(value: Boolean) extends AuditFieldValueDescriptor
+
+    final case class NumericValue(value: BigDecimal) extends AuditFieldValueDescriptor
+
     final case class Combined(values: List[AuditFieldValueDescriptor]) extends AuditFieldValueDescriptor
 
   }
@@ -244,42 +300,42 @@ private[ror] object AuditSerializationHelper {
     case object FullRequestContentFields extends AuditFieldGroup
   }
 
-  private val commonFields: Map[AuditFieldName, AuditFieldValueDescriptor] = Map(
-    AuditFieldName("match") -> AuditFieldValueDescriptor.IsMatched,
-    AuditFieldName("block") -> AuditFieldValueDescriptor.Reason,
-    AuditFieldName("id") -> AuditFieldValueDescriptor.Id,
-    AuditFieldName("final_state") -> AuditFieldValueDescriptor.FinalState,
-    AuditFieldName("@timestamp") -> AuditFieldValueDescriptor.Timestamp,
-    AuditFieldName("correlation_id") -> AuditFieldValueDescriptor.CorrelationId,
-    AuditFieldName("processingMillis") -> AuditFieldValueDescriptor.ProcessingDurationMillis,
-    AuditFieldName("error_type") -> AuditFieldValueDescriptor.ErrorType,
-    AuditFieldName("error_message") -> AuditFieldValueDescriptor.ErrorMessage,
-    AuditFieldName("content_len") -> AuditFieldValueDescriptor.ContentLengthInBytes,
-    AuditFieldName("content_len_kb") -> AuditFieldValueDescriptor.ContentLengthInKb,
-    AuditFieldName("type") -> AuditFieldValueDescriptor.Type,
-    AuditFieldName("origin") -> AuditFieldValueDescriptor.RemoteAddress,
-    AuditFieldName("destination") -> AuditFieldValueDescriptor.LocalAddress,
-    AuditFieldName("xff") -> AuditFieldValueDescriptor.XForwardedForHttpHeader,
-    AuditFieldName("task_id") -> AuditFieldValueDescriptor.TaskId,
-    AuditFieldName("req_method") -> AuditFieldValueDescriptor.HttpMethod,
-    AuditFieldName("headers") -> AuditFieldValueDescriptor.HttpHeaderNames,
-    AuditFieldName("path") -> AuditFieldValueDescriptor.HttpPath,
-    AuditFieldName("user") -> AuditFieldValueDescriptor.User,
-    AuditFieldName("logged_user") -> AuditFieldValueDescriptor.LoggedUser,
-    AuditFieldName("presented_identity") -> AuditFieldValueDescriptor.PresentedIdentity,
-    AuditFieldName("impersonated_by") -> AuditFieldValueDescriptor.ImpersonatedByUser,
-    AuditFieldName("action") -> AuditFieldValueDescriptor.Action,
-    AuditFieldName("indices") -> AuditFieldValueDescriptor.InvolvedIndices,
-    AuditFieldName("acl_history") -> AuditFieldValueDescriptor.AclHistory
+  private val commonFields: Map[AuditFieldPath, AuditFieldValueDescriptor] = Map(
+    AuditFieldPath("match") -> AuditFieldValueDescriptor.IsMatched,
+    AuditFieldPath("block") -> AuditFieldValueDescriptor.Reason,
+    AuditFieldPath("id") -> AuditFieldValueDescriptor.Id,
+    AuditFieldPath("final_state") -> AuditFieldValueDescriptor.FinalState,
+    AuditFieldPath("@timestamp") -> AuditFieldValueDescriptor.Timestamp,
+    AuditFieldPath("correlation_id") -> AuditFieldValueDescriptor.CorrelationId,
+    AuditFieldPath("processingMillis") -> AuditFieldValueDescriptor.ProcessingDurationMillis,
+    AuditFieldPath("error_type") -> AuditFieldValueDescriptor.ErrorType,
+    AuditFieldPath("error_message") -> AuditFieldValueDescriptor.ErrorMessage,
+    AuditFieldPath("content_len") -> AuditFieldValueDescriptor.ContentLengthInBytes,
+    AuditFieldPath("content_len_kb") -> AuditFieldValueDescriptor.ContentLengthInKb,
+    AuditFieldPath("type") -> AuditFieldValueDescriptor.Type,
+    AuditFieldPath("origin") -> AuditFieldValueDescriptor.RemoteAddress,
+    AuditFieldPath("destination") -> AuditFieldValueDescriptor.LocalAddress,
+    AuditFieldPath("xff") -> AuditFieldValueDescriptor.XForwardedForHttpHeader,
+    AuditFieldPath("task_id") -> AuditFieldValueDescriptor.TaskId,
+    AuditFieldPath("req_method") -> AuditFieldValueDescriptor.HttpMethod,
+    AuditFieldPath("headers") -> AuditFieldValueDescriptor.HttpHeaderNames,
+    AuditFieldPath("path") -> AuditFieldValueDescriptor.HttpPath,
+    AuditFieldPath("user") -> AuditFieldValueDescriptor.User,
+    AuditFieldPath("logged_user") -> AuditFieldValueDescriptor.LoggedUser,
+    AuditFieldPath("presented_identity") -> AuditFieldValueDescriptor.PresentedIdentity,
+    AuditFieldPath("impersonated_by") -> AuditFieldValueDescriptor.ImpersonatedByUser,
+    AuditFieldPath("action") -> AuditFieldValueDescriptor.Action,
+    AuditFieldPath("indices") -> AuditFieldValueDescriptor.InvolvedIndices,
+    AuditFieldPath("acl_history") -> AuditFieldValueDescriptor.AclHistory
   )
 
-  private val esEnvironmentFields: Map[AuditFieldName, AuditFieldValueDescriptor] = Map(
-    AuditFieldName("es_node_name") -> AuditFieldValueDescriptor.EsNodeName,
-    AuditFieldName("es_cluster_name") -> AuditFieldValueDescriptor.EsClusterName
+  private val esEnvironmentFields: Map[AuditFieldPath, AuditFieldValueDescriptor] = Map(
+    AuditFieldPath("es_node_name") -> AuditFieldValueDescriptor.EsNodeName,
+    AuditFieldPath("es_cluster_name") -> AuditFieldValueDescriptor.EsClusterName
   )
 
-  private val requestContentFields: Map[AuditFieldName, AuditFieldValueDescriptor] = Map(
-    AuditFieldName("content") -> AuditFieldValueDescriptor.Content
+  private val requestContentFields: Map[AuditFieldPath, AuditFieldValueDescriptor] = Map(
+    AuditFieldPath("content") -> AuditFieldValueDescriptor.Content
   )
 
 }

core/src/main/scala/tech/beshu/ror/accesscontrol/audit/AuditFieldUtils.scala

@@ -0,0 +1,46 @@
+/*
+ *    This file is part of ReadonlyREST.
+ *
+ *    ReadonlyREST is free software: you can redistribute it and/or modify
+ *    it under the terms of the GNU General Public License as published by
+ *    the Free Software Foundation, either version 3 of the License, or
+ *    (at your option) any later version.
+ *
+ *    ReadonlyREST is distributed in the hope that it will be useful,
+ *    but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *    GNU General Public License for more details.
+ *
+ *    You should have received a copy of the GNU General Public License
+ *    along with ReadonlyREST.  If not, see http://www.gnu.org/licenses/
+ */
+package tech.beshu.ror.accesscontrol.audit
+
+import tech.beshu.ror.audit.utils.AuditSerializationHelper.{AuditFieldPath, AuditFieldValueDescriptor}
+
+object AuditFieldUtils {
+  def fields(values: ((AuditFieldPath, AuditFieldValueDescriptor) | Map[AuditFieldPath, AuditFieldValueDescriptor])*): Map[AuditFieldPath, AuditFieldValueDescriptor] =
+    values.flatMap(toMap).toMap
+
+  def withPrefix(prefix: String)(
+    values: ((AuditFieldPath, AuditFieldValueDescriptor) | Map[AuditFieldPath, AuditFieldValueDescriptor])*
+  ): Map[AuditFieldPath, AuditFieldValueDescriptor] =
+    withPrefix(prefix, values.flatMap(toMap).toMap)
+
+  private def withPrefix(prefix: String,
+                         values: Map[AuditFieldPath, AuditFieldValueDescriptor]): Map[AuditFieldPath, AuditFieldValueDescriptor] = {
+    values.map { case (path, desc) =>
+      val newPath = AuditFieldPath(prefix, path.path)
+      newPath -> desc
+    }
+  }
+
+  private def toMap(value: (AuditFieldPath, AuditFieldValueDescriptor) | Map[AuditFieldPath, AuditFieldValueDescriptor]): Map[AuditFieldPath, AuditFieldValueDescriptor] = {
+    value match {
+      case (path: AuditFieldPath, value: AuditFieldValueDescriptor) =>
+        Map(path -> value)
+      case values: Map[AuditFieldPath, AuditFieldValueDescriptor] =>
+        values
+    }
+  }
+}

core/src/main/scala/tech/beshu/ror/accesscontrol/audit/configurable/AuditFieldValueDescriptorParser.scala

@@ -28,7 +28,7 @@ object AuditFieldValueDescriptorParser extends Logging {
   private val key = P.charsWhile(c => c != '{' && c != '}')
 
   private val placeholder: P[Either[String, AuditFieldValueDescriptor]] =
-    (lbrace *> key <* rbrace).map(k => deserializerAuditFieldValueDescriptor(k.trim.toUpperCase).toRight(k))
+    (lbrace *> key <* rbrace).map(k => deserializerAuditFieldValueDescriptor(k.trim).toRight(k))
 
   private val text: P[AuditFieldValueDescriptor] =
     P.charsWhile(_ != '{').map(AuditFieldValueDescriptor.StaticText.apply)
@@ -59,6 +59,7 @@ object AuditFieldValueDescriptorParser extends Logging {
     str.toUpperCase match {
       case "IS_MATCHED" => Some(AuditFieldValueDescriptor.IsMatched)
       case "FINAL_STATE" => Some(AuditFieldValueDescriptor.FinalState)
+      case "ECS_EVENT_OUTCOME" => Some(AuditFieldValueDescriptor.EcsEventOutcome)
       case "REASON" => Some(AuditFieldValueDescriptor.Reason)
       case "USER" =>
         logger.warn(
@@ -75,6 +76,7 @@ object AuditFieldValueDescriptorParser extends Logging {
       case "INVOLVED_INDICES" => Some(AuditFieldValueDescriptor.InvolvedIndices)
       case "ACL_HISTORY" => Some(AuditFieldValueDescriptor.AclHistory)
       case "PROCESSING_DURATION_MILLIS" => Some(AuditFieldValueDescriptor.ProcessingDurationMillis)
+      case "PROCESSING_DURATION_NANOS" => Some(AuditFieldValueDescriptor.ProcessingDurationNanos)
       case "TIMESTAMP" => Some(AuditFieldValueDescriptor.Timestamp)
       case "ID" => Some(AuditFieldValueDescriptor.Id)
       case "CORRELATION_ID" => Some(AuditFieldValueDescriptor.CorrelationId)

core/src/main/scala/tech/beshu/ror/accesscontrol/audit/configurable/ConfigurableAuditLogSerializer.scala

@@ -18,11 +18,11 @@ package tech.beshu.ror.accesscontrol.audit.configurable
 
 import org.json.JSONObject
 import tech.beshu.ror.audit.utils.AuditSerializationHelper
-import tech.beshu.ror.audit.utils.AuditSerializationHelper.{AllowedEventMode, AuditFieldName, AuditFieldValueDescriptor}
+import tech.beshu.ror.audit.utils.AuditSerializationHelper.{AllowedEventMode, AuditFieldPath, AuditFieldValueDescriptor}
 import tech.beshu.ror.audit.{AuditLogSerializer, AuditResponseContext}
 
 class ConfigurableAuditLogSerializer(val allowedEventMode: AllowedEventMode,
-                                     val fields: Map[AuditFieldName, AuditFieldValueDescriptor]) extends AuditLogSerializer {
+                                     val fields: Map[AuditFieldPath, AuditFieldValueDescriptor]) extends AuditLogSerializer {
 
   override def onResponse(responseContext: AuditResponseContext): Option[JSONObject] =
     AuditSerializationHelper.serialize(responseContext, fields, allowedEventMode)