Add opaque Payload property to AuditMessage (#153)

aleksmaus · web-flow · commit bebb5c63d0fc · 2024-05-29T08:48:02.000-04:00
* Add opaque Payload property to AuditMessage

* Add opaque Payload property to AuditMessage
* Replace deprecated ioutil
* Get rid of go.uber.org/multierr dependency
* Update go to 1.21

* Rollback the golden file check, apparently it creates the different file on Mac vs Linux, so the test on Mac fails while works on Linux

* Address code review feedback
diff --git a/aucoalesce/coalesce_test.go b/aucoalesce/coalesce_test.go
@@ -21,7 +21,6 @@ import (
 	"bufio"
 	"encoding/json"
 	"flag"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sort"
@@ -110,7 +109,7 @@ func testCoalesceEvent(t *testing.T, file string) {
 }
 
 func readEventsFromYAML(t testing.TB, name string) []testEvent {
-	file, err := ioutil.ReadFile(name)
+	file, err := os.ReadFile(name)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -184,7 +183,7 @@ func writeGoldenFile(name string, events []testEventOutput) error {
 func readGoldenFile(name string) ([]map[string]interface{}, error) {
 	name = strings.TrimSuffix(name, ".yaml")
 
-	data, err := ioutil.ReadFile(name + ".json.golden")
+	data, err := os.ReadFile(name + ".json.golden")
 	if err != nil {
 		return nil, err
 	}
diff --git a/aucoalesce/normalize_test.go b/aucoalesce/normalize_test.go
@@ -18,7 +18,7 @@
 package aucoalesce
 
 import (
-	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -31,7 +31,7 @@ func TestNormInit(t *testing.T) {
 }
 
 func TestLoadNormalizationConfig(t *testing.T) {
-	b, err := ioutil.ReadFile("normalizations.yaml")
+	b, err := os.ReadFile("normalizations.yaml")
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/audit.go b/audit.go
@@ -30,8 +30,6 @@ import (
 	"time"
 	"unsafe"
 
-	"go.uber.org/multierr"
-
 	"github.com/elastic/go-libaudit/v2/auparse"
 )
 
@@ -441,7 +439,7 @@ func (c *AuditClient) Close() error {
 			err = c.set(status, NoWait)
 		}
 
-		err = multierr.Append(err, c.Netlink.Close())
+		err = errors.Join(err, c.Netlink.Close())
 	})
 
 	return err
diff --git a/auparse/auparse.go b/auparse/auparse.go
@@ -56,6 +56,8 @@ type AuditMessage struct {
 	Sequence   uint32           // Sequence parsed from payload.
 	RawData    string           // Raw message as a string.
 
+	Payload interface{} // Opaque payload. This can be anything that is needed to be preserved along with the message and returned back after aggregation.
+
 	offset int               // offset is the index into RawData where the header ends and message begins.
 	data   map[string]string // The key value pairs parsed from the message.
 	tags   []string          // The keys associated with the event (e.g. the values set in rules with -F key=exec).
diff --git a/auparse/auparse_test.go b/auparse/auparse_test.go
@@ -22,7 +22,6 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -436,7 +435,7 @@ func writeGoldenFile(sourceName string, events []*AuditMessage) error {
 }
 
 func readGoldenFile(name string) ([]*StoredAuditMessage, error) {
-	data, err := ioutil.ReadFile(name)
+	data, err := os.ReadFile(name)
 	if err != nil {
 		return nil, err
 	}
@@ -480,7 +479,7 @@ func BenchmarkParseLogLine(b *testing.B) {
 	require.NoError(b, err)
 	var msgs []string
 	for _, f := range files {
-		data, err := ioutil.ReadFile(f)
+		data, err := os.ReadFile(f)
 		require.NoError(b, err)
 		for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
 			if _, err = ParseLogLine(line); err == nil {
diff --git a/auparse/mk_audit_exit_codes.go b/auparse/mk_audit_exit_codes.go
@@ -25,7 +25,6 @@ import (
 	"bytes"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -144,7 +143,7 @@ func readErrorNumbers() ([]ErrorNumber, error) {
 }
 
 func run() error {
-	tmp, err := ioutil.TempDir("", "mk_audit_exit_codes")
+	tmp, err := os.MkdirTemp("", "mk_audit_exit_codes")
 	if err != nil {
 		return err
 	}
@@ -202,7 +201,7 @@ func run() error {
 		}
 	}
 
-	if err = ioutil.WriteFile(flagOut, buf.Bytes(), 0o644); err != nil {
+	if err = os.WriteFile(flagOut, buf.Bytes(), 0o644); err != nil {
 		return err
 	}
 
diff --git a/auparse/mk_audit_msg_types.go b/auparse/mk_audit_msg_types.go
@@ -26,7 +26,6 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"os/exec"
@@ -246,7 +245,7 @@ func readRecordTypes() (map[string]int, error) {
 }
 
 func run() error {
-	tmp, err := ioutil.TempDir("", "mk_audit_msg_types")
+	tmp, err := os.MkdirTemp("", "mk_audit_msg_types")
 	if err != nil {
 		return err
 	}
diff --git a/go.mod b/go.mod
@@ -1,12 +1,17 @@
 module github.com/elastic/go-libaudit/v2
 
-go 1.16
+go 1.21
 
 require (
 	github.com/elastic/go-licenser v0.4.1
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/stretchr/testify v1.7.0
-	go.uber.org/multierr v1.7.0
 	golang.org/x/sys v0.11.0
 	gopkg.in/yaml.v2 v2.4.0
 )
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+)
diff --git a/go.sum b/go.sum
@@ -8,14 +8,9 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
-go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
diff --git a/reassembler_test.go b/reassembler_test.go
@@ -128,6 +128,9 @@ func testReassembler(t testing.TB, file string, expected *results) {
 			continue
 		}
 
+		// Attach some predictable Payload
+		msg.Payload = createTestPayload(msg)
+
 		reassmbler.PushMessage(msg)
 	}
 
@@ -144,11 +147,21 @@ func testReassembler(t testing.TB, file string, expected *results) {
 
 		for _, msg := range stream.events[i] {
 			assert.EqualValues(t, expectedEvent.seq, msg.Sequence, "sequence number")
+
+			// Verify that custom payload is preserved
+			assert.Equal(t, createTestPayload(msg), msg.Payload)
 		}
 		assert.Equal(t, expectedEvent.count, len(stream.events[i]), "message count")
 	}
 }
 
+func createTestPayload(msg *auparse.AuditMessage) map[string]interface{} {
+	return map[string]interface{}{
+		"seq": msg.Sequence,
+		"typ": msg.RecordType,
+	}
+}
+
 func TestSequenceNumSliceSort(t *testing.T) {
 	expected := sequenceNumSlice{maxSeq - 5, maxSeq - 4, maxSeq - 3, maxSeq - 2, maxSeq, 0, 1, 2, 3, 4}
 	seqs := sequenceNumSlice{maxSeq - 5, maxSeq - 4, 0, 1, 2, maxSeq - 3, maxSeq - 2, maxSeq, 3, 4}
diff --git a/rule/flags/flags.go b/rule/flags/flags.go
@@ -24,7 +24,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"regexp"
 	"strings"
 
@@ -115,7 +115,7 @@ func newRuleFlagSet() *ruleFlagSet {
 	rule := &ruleFlagSet{
 		flagSet: flag.NewFlagSet("rule", flag.ContinueOnError),
 	}
-	rule.flagSet.SetOutput(ioutil.Discard)
+	rule.flagSet.SetOutput(io.Discard)
 
 	rule.flagSet.BoolVar(&rule.DeleteAll, "D", false, "delete all")
 	rule.flagSet.Var(&rule.Append, "a", "append rule")
@@ -134,7 +134,7 @@ func (r *ruleFlagSet) Usage() string {
 	buf := new(bytes.Buffer)
 	r.flagSet.SetOutput(buf)
 	r.flagSet.Usage()
-	r.flagSet.SetOutput(ioutil.Discard)
+	r.flagSet.SetOutput(io.Discard)
 	return buf.String()
 }
 
diff --git a/rule/gen_testdata_test.go b/rule/gen_testdata_test.go
@@ -26,7 +26,6 @@ import (
 	"encoding/binary"
 	"errors"
 	"flag"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -70,7 +69,7 @@ func TestUpdateGoldenData(t *testing.T) {
 }
 
 func makeGoldenFile(t testing.TB, rulesFile string) {
-	rules, err := ioutil.ReadFile(rulesFile)
+	rules, err := os.ReadFile(rulesFile)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -206,7 +205,7 @@ func makePaths(t testing.TB, tmpDir, rule string) []string {
 			if err := os.MkdirAll(dir, 0o700); err != nil {
 				t.Fatal(err)
 			}
-			if err := ioutil.WriteFile(testPath, nil, 0o600); err != nil {
+			if err := os.WriteFile(testPath, nil, 0o600); err != nil {
 				t.Fatal(err)
 			}
 		}
diff --git a/rule/rule_integ_test.go b/rule/rule_integ_test.go
@@ -23,7 +23,6 @@ package rule_test
 import (
 	"encoding/binary"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -67,7 +66,7 @@ func TestBuildGolden(t *testing.T) {
 
 func testRulesFromGoldenFile(t *testing.T, goldenFile string) {
 	t.Run(filepath.Base(goldenFile), func(t *testing.T) {
-		testdata, err := ioutil.ReadFile(goldenFile)
+		testdata, err := os.ReadFile(goldenFile)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -123,7 +122,7 @@ func mkdirTempPaths(t testing.TB, path string) {
 		if err := os.MkdirAll(dir, 0o700); err != nil {
 			t.Fatal(err)
 		}
-		if err := ioutil.WriteFile(path, nil, 0o600); err != nil {
+		if err := os.WriteFile(path, nil, 0o600); err != nil {
 			t.Fatal(err)
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`	`package aucoalesce`
`19`	`19`
`20`	`20`	`import (`
`21`		`- "io/ioutil"`
	`21`	`+ "os"`
`22`	`22`	`"testing"`
`23`	`23`
`24`	`24`	`"github.com/stretchr/testify/assert"`
`@@ -31,7 +31,7 @@ func TestNormInit(t *testing.T) {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`func TestLoadNormalizationConfig(t *testing.T) {`
`34`		`- b, err := ioutil.ReadFile("normalizations.yaml")`
	`34`	`+ b, err := os.ReadFile("normalizations.yaml")`
`35`	`35`	`if err != nil {`
`36`	`36`	`t.Fatal(err)`
`37`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,6 @@ import (`
`30`	`30`	`"time"`
`31`	`31`	`"unsafe"`
`32`	`32`
`33`		`- "go.uber.org/multierr"`
`34`		`-`
`35`	`33`	`"github.com/elastic/go-libaudit/v2/auparse"`
`36`	`34`	`)`
`37`	`35`
`@@ -441,7 +439,7 @@ func (c *AuditClient) Close() error {`
`441`	`439`	`err = c.set(status, NoWait)`
`442`	`440`	`}`
`443`	`441`
`444`		`- err = multierr.Append(err, c.Netlink.Close())`
	`442`	`+ err = errors.Join(err, c.Netlink.Close())`
`445`	`443`	`})`
`446`	`444`
`447`	`445`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,6 @@ import (`
`25`	`25`	`"bytes"`
`26`	`26`	`"flag"`
`27`	`27`	`"fmt"`
`28`		`- "io/ioutil"`
`29`	`28`	`"os"`
`30`	`29`	`"os/exec"`
`31`	`30`	`"path/filepath"`
`@@ -144,7 +143,7 @@ func readErrorNumbers() ([]ErrorNumber, error) {`
`144`	`143`	`}`
`145`	`144`
`146`	`145`	`func run() error {`
`147`		`- tmp, err := ioutil.TempDir("", "mk_audit_exit_codes")`
	`146`	`+ tmp, err := os.MkdirTemp("", "mk_audit_exit_codes")`
`148`	`147`	`if err != nil {`
`149`	`148`	`return err`
`150`	`149`	`}`
`@@ -202,7 +201,7 @@ func run() error {`
`202`	`201`	`}`
`203`	`202`	`}`
`204`	`203`
`205`		`- if err = ioutil.WriteFile(flagOut, buf.Bytes(), 0o644); err != nil {`
	`204`	`+ if err = os.WriteFile(flagOut, buf.Bytes(), 0o644); err != nil {`
`206`	`205`	`return err`
`207`	`206`	`}`
`208`	`207`
Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,9 @@ func testReassembler(t testing.TB, file string, expected *results) {`
`128`	`128`	`continue`
`129`	`129`	`}`
`130`	`130`
	`131`	`+ // Attach some predictable Payload`
	`132`	`+ msg.Payload = createTestPayload(msg)`
	`133`	`+`
`131`	`134`	`reassmbler.PushMessage(msg)`
`132`	`135`	`}`
`133`	`136`
`@@ -144,11 +147,21 @@ func testReassembler(t testing.TB, file string, expected *results) {`
`144`	`147`
`145`	`148`	`for _, msg := range stream.events[i] {`
`146`	`149`	`assert.EqualValues(t, expectedEvent.seq, msg.Sequence, "sequence number")`
	`150`	`+`
	`151`	`+ // Verify that custom payload is preserved`
	`152`	`+ assert.Equal(t, createTestPayload(msg), msg.Payload)`
`147`	`153`	`}`
`148`	`154`	`assert.Equal(t, expectedEvent.count, len(stream.events[i]), "message count")`
`149`	`155`	`}`
`150`	`156`	`}`
`151`	`157`
	`158`	`+func createTestPayload(msg *auparse.AuditMessage) map[string]interface{} {`
	`159`	`+ return map[string]interface{}{`
	`160`	`+ "seq": msg.Sequence,`
	`161`	`+ "typ": msg.RecordType,`
	`162`	`+ }`
	`163`	`+}`
	`164`	`+`
`152`	`165`	`func TestSequenceNumSliceSort(t *testing.T) {`
`153`	`166`	`expected := sequenceNumSlice{maxSeq - 5, maxSeq - 4, maxSeq - 3, maxSeq - 2, maxSeq, 0, 1, 2, 3, 4}`
`154`	`167`	`seqs := sequenceNumSlice{maxSeq - 5, maxSeq - 4, 0, 1, 2, maxSeq - 3, maxSeq - 2, maxSeq, 3, 4}`