Port OneLogin.Events to pantherlog and add username tag (#2123)

* Port OneLogin.Events to pantherlog and add username tag * mage gen fmt * fix test * Remove timestamp Co-authored-by: panther-bot <[email protected]> Co-authored-by: Kostas Papageorgiou <[email protected]>
glerb · Dec 1, 2020 · 9d162b3 · 9d162b3
1 parent b1e1f74
commit 9d162b3
Show file tree

Hide file tree

Showing 4 changed files with 333 additions and 230 deletions.
diff --git a/internal/log_analysis/log_processor/parsers/oneloginlogs/onelogin.go b/internal/log_analysis/log_processor/parsers/oneloginlogs/onelogin.go
@@ -19,11 +19,8 @@ package oneloginlogs
  */
 
 import (
-	jsoniter "github.com/json-iterator/go"
-
 	"github.com/panther-labs/panther/internal/log_analysis/log_processor/logtypes"
-	"github.com/panther-labs/panther/internal/log_analysis/log_processor/parsers"
-	"github.com/panther-labs/panther/internal/log_analysis/log_processor/parsers/timestamp"
+	"github.com/panther-labs/panther/internal/log_analysis/log_processor/pantherlog"
 )
 
 const TypeOneLogin = "OneLogin.Events"
@@ -32,113 +29,78 @@ func LogTypes() logtypes.Group {
 	return logTypes
 }
 
-var logTypes = logtypes.Must("OneLogin", logtypes.Config{
+var logTypes = logtypes.Must("OneLogin", logtypes.ConfigJSON{
 	Name: TypeOneLogin,
 	Description: `OneLogin provides single sign-on and identity management for organizations
 Panther Enterprise Only
 `,
 	ReferenceURL: `https://developers.onelogin.com/api-docs/1/events/event-resource`,
-	Schema:       OneLogin{},
-	NewParser:    parsers.AdapterFactory(&OneLoginParser{}),
+	NewEvent: func() interface{} {
+		return &OneLogin{}
+	},
 })
 
 // nolint:lll
 type OneLogin struct {
-	UUID                            *string                      `json:"uuid" validate:"required,uuid" description:"The Universal Unique Identifier for this message generated by OneLogin."`
-	AccountID                       *int                         `json:"account_id" validate:"required" description:"Account that triggered the event."`
-	EventTimestamp                  *timestamp.OneLoginTimestamp `json:"event_timestamp" validate:"required" description:"Time and date at which the event was created. This value is autogenerated by OneLogin."`
-	ErrorDescription                *string                      `json:"error_description,omitempty" description:"Provisioning error details, if applicable."`
-	LoginName                       *string                      `json:"login_name,omitempty" description:"The name of the login user"`
-	AppName                         *string                      `json:"app_name,omitempty" description:"Name of the app involved in the event, if applicable."`
-	AuthenticationFactorDescription *string                      `json:"authentication_factor_description,omitempty" description:"More details about the authentication factor used."`
-	CertificateName                 *string                      `json:"certificate_name,omitempty" description:"The name of the certificate that was included in the request."`
-	CertificateID                   *string                      `json:"certificate_id,omitempty" description:"The ID of the certificate that was included in the request."`
-	AssumedBySuperadminOrReseller   *bool                        `json:"assumed_by_superadmin_or_reseller,omitempty" description:"Indicates that the operation was performed by superadmin or reseller."`
-	DirectoryName                   *string                      `json:"directory_name,omitempty" description:"The directory name."`
-	ActorUserID                     *int                         `json:"actor_user_id,omitempty" description:"ID of the user whose action triggered the event."`
-	UserName                        *string                      `json:"user_name,omitempty" description:"Name of the user that was acted upon to trigger the event."`
-	MappingID                       *int                         `json:"mapping_id,omitempty" description:"The ID of the mapping included in the operation."`
-	RadiusConfigID                  *int                         `json:"radius_config_id,omitempty" description:"The ID of the Radius configuration included in the operation."`
-	RiskScore                       *int                         `json:"risk_score,omitempty" description:"The higher thiss number, the higher the risk."`
-	OtpDeviceID                     *int                         `json:"otp_device_id,omitempty" description:"ID of a device involved in the event."`
-	ImportedUserID                  *int                         `json:"imported_user_id,omitempty" description:"The ID of the imported user."`
-	Resolution                      *int                         `json:"resolution,omitempty" description:"The resolution."`
-	DirectoryID                     *int                         `json:"directory_id,omitempty" description:"The directory ID."`
-	AuthenticationFactorID          *int                         `json:"authentication_factor_id,omitempty" description:"The ID of the authentication factor used."`
-	RiskCookieID                    *string                      `json:"risk_cookie_id,omitempty" description:"The ID of the risk cookie."`
-	AppID                           *int                         `json:"app_id,omitempty" description:"ID of the app involved in the event, if applicable."`
-	CustomMessage                   *string                      `json:"custom_message,omitempty" description:"More details about the event."`
-	BrowserFingerprint              *string                      `json:"browser_fingerprint,omitempty" description:"The fingerprint of the browser."`
-	OtpDeviceName                   *string                      `json:"otp_device_name,omitempty" description:"Name of a device involved in the event."`
-	ActorUserName                   *string                      `json:"actor_user_name,omitempty" description:"First and last name of the user whose action triggered the event."`
-	ActorSystem                     *string                      `json:"actor_system,omitempty" description:"Acting system that triggered the event when the actor is not a user."`
-	UserFieldName                   *string                      `json:"user_field_name,omitempty" description:"The name of the custom user field."`
-	UserFieldID                     *string                      `json:"user_field_id,omitempty" description:"The ID of the custom user field."`
-	AssumingActingUserID            *int                         `json:"assuming_acting_user_id,omitempty" description:"ID of the user who assumed the role of the acting user to trigger the event, if applicable."`
-	APICredentialName               *string                      `json:"api_credential_name,omitempty" description:"The name of the API credential used."`
-	ImportedUserName                *string                      `json:"imported_user_name,omitempty" description:"The name of the imported user."`
-	NoteTitle                       *string                      `json:"note_title,omitempty" description:"The title of the note."`
-	TrustedIdpName                  *string                      `json:"trusted_idp_name,omitempty" description:"The name of the trusted IDP."`
-	PolicyID                        *int                         `json:"policy_id,omitempty" description:"ID of the policy involved in the event."`
-	RoleName                        *string                      `json:"role_name,omitempty" description:"Name of a role involved in the event."`
-	ResolvedByUserID                *int                         `json:"resolved_by_user_id,omitempty" description:"The ID of the user that resolved the issue."`
-	GroupID                         *int                         `json:"group_id,omitempty" description:"ID of a group involved in the event."`
-	ClientID                        *string                      `json:"client_id,omitempty" description:"Client ID used to generate the access token that made the API call that generated the event."`
-	IPAddr                          *string                      `json:"ipaddr,omitempty" description:"IP address of the machine used to trigger the event."`
-	Notes                           *string                      `json:"notes,omitempty" description:"More details about the event."`
-	EventTypeID                     *int                         `json:"event_type_id" validate:"required" description:"Type of event triggered."`
-	UserID                          *int                         `json:"user_id,omitempty" description:"ID of the user that was acted upon to trigger the event."`
-	RiskReasons                     *string                      `json:"risk_reasons,omitempty" description:"This is not an exhaustive list of the reasons for the risk score and should only be used as a guide"`
-	ProxyAgentName                  *string                      `json:"proxy_agent_name,omitempty" description:"The name of the proxy agent."`
-	PolicyType                      *string                      `json:"policy_type,omitempty" description:"The type of the policy."`
-	RoleID                          *int                         `json:"role_id,omitempty" description:"ID of a role involved in the event."`
-	UserAgent                       *string                      `json:"user_agent,omitempty" description:"The user agent from which the request was invoke"`
-	PrivilegeName                   *string                      `json:"privilege_name,omitempty" description:"The name of the privilege."`
-	GroupName                       *string                      `json:"group_name,omitempty" description:"Name of a group involved in the event."`
-	Entity                          *string                      `json:"entity,omitempty" description:"The entity involved in this request."`
-	ResourceTypeID                  *int                         `json:"resource_type_id,omitempty" description:"ID of the resource (user, role, group, and so forth) associated with the event."`
-	MappingName                     *string                      `json:"mapping_name,omitempty" description:"The name of the mapping."`
-	TaskName                        *string                      `json:"task_name,omitempty" description:"The name of the task."`
-	AuthenticationFactorType        *int                         `json:"authentication_factor_type,omitempty" description:"The type of the authentication type."`
-	RadiusConfigName                *string                      `json:"radius_config_name,omitempty" description:"The name of the Radius configuration used."`
-	PolicyName                      *string                      `json:"policy_name,omitempty" description:"Name of the policy involved in the event."`
-	PrivilegeID                     *int                         `json:"privilege_id,omitempty" description:"The id of the privilege."`
-	DirectorySyncRunID              *int                         `json:"directory_sync_run_id,omitempty" description:"Directory sync run ID."`
-	OperationName                   *string                      `json:"operation_name,omitempty" description:"The name of the operation"`
-
-	// NOTE: added to end of struct to allow expansion later
-	parsers.PantherLog
-}
-
-// OneLogin parser parses OneLogin logs
-type OneLoginParser struct{}
-
-func (p *OneLoginParser) New() parsers.LogParser {
-	return &OneLoginParser{}
-}
-
-// Parse returns the parsed events or nil if parsing failed
-func (p *OneLoginParser) Parse(log string) ([]*parsers.PantherLog, error) {
-	var event OneLogin
-	err := jsoniter.UnmarshalFromString(log, &event)
-	if err != nil {
-		return nil, err
-	}
-
-	event.updatePantherFields(p)
-
-	if err := parsers.Validator.Struct(event); err != nil {
-		return nil, err
-	}
-	return event.Logs(), nil
-}
-
-// LogType returns the log type supported by this parser
-func (p *OneLoginParser) LogType() string {
-	return TypeOneLogin
-}
-
-func (event *OneLogin) updatePantherFields(p *OneLoginParser) {
-	event.SetCoreFields(p.LogType(), (*timestamp.RFC3339)(event.EventTimestamp), event)
-	event.AppendAnyIPAddressPtr(event.IPAddr)
+	UUID                            pantherlog.String `json:"uuid" validate:"required,uuid" description:"The Universal Unique Identifier for this message generated by OneLogin."`
+	AccountID                       pantherlog.Int64  `json:"account_id" validate:"required" description:"Account that triggered the event."`
+	EventTimestamp                  pantherlog.Time   `json:"event_timestamp" event_time:"true" tcodec:"layout=2006-01-02 15:04:05 MST" validate:"required" description:"Time and date at which the event was created. This value is autogenerated by OneLogin."`
+	ErrorDescription                pantherlog.String `json:"error_description" description:"Provisioning error details, if applicable."`
+	LoginName                       pantherlog.String `json:"login_name" description:"The name of the login user"`
+	AppName                         pantherlog.String `json:"app_name" description:"Name of the app involved in the event, if applicable."`
+	AuthenticationFactorDescription pantherlog.String `json:"authentication_factor_description" description:"More details about the authentication factor used."`
+	CertificateName                 pantherlog.String `json:"certificate_name" description:"The name of the certificate that was included in the request."`
+	CertificateID                   pantherlog.String `json:"certificate_id" description:"The ID of the certificate that was included in the request."`
+	AssumedBySuperadminOrReseller   pantherlog.Bool   `json:"assumed_by_superadmin_or_reseller" description:"Indicates that the operation was performed by superadmin or reseller."`
+	DirectoryName                   pantherlog.String `json:"directory_name" description:"The directory name."`
+	ActorUserID                     pantherlog.Int64  `json:"actor_user_id" description:"ID of the user whose action triggered the event."`
+	UserName                        pantherlog.String `json:"user_name" panther:"username" description:"Name of the user that was acted upon to trigger the event."`
+	MappingID                       pantherlog.Int64  `json:"mapping_id" description:"The ID of the mapping included in the operation."`
+	RadiusConfigID                  pantherlog.Int64  `json:"radius_config_id" description:"The ID of the Radius configuration included in the operation."`
+	RiskScore                       pantherlog.Int64  `json:"risk_score" description:"The higher thiss number, the higher the risk."`
+	OtpDeviceID                     pantherlog.Int64  `json:"otp_device_id" description:"ID of a device involved in the event."`
+	ImportedUserID                  pantherlog.Int64  `json:"imported_user_id" description:"The ID of the imported user."`
+	Resolution                      pantherlog.Int64  `json:"resolution" description:"The resolution."`
+	DirectoryID                     pantherlog.Int64  `json:"directory_id" description:"The directory ID."`
+	AuthenticationFactorID          pantherlog.Int64  `json:"authentication_factor_id" description:"The ID of the authentication factor used."`
+	RiskCookieID                    pantherlog.String `json:"risk_cookie_id" description:"The ID of the risk cookie."`
+	AppID                           pantherlog.Int64  `json:"app_id" description:"ID of the app involved in the event, if applicable."`
+	CustomMessage                   pantherlog.String `json:"custom_message" description:"More details about the event."`
+	BrowserFingerprint              pantherlog.String `json:"browser_fingerprint" description:"The fingerprint of the browser."`
+	OtpDeviceName                   pantherlog.String `json:"otp_device_name" description:"Name of a device involved in the event."`
+	ActorUserName                   pantherlog.String `json:"actor_user_name" description:"First and last name of the user whose action triggered the event."`
+	ActorSystem                     pantherlog.String `json:"actor_system" description:"Acting system that triggered the event when the actor is not a user."`
+	UserFieldName                   pantherlog.String `json:"user_field_name" description:"The name of the custom user field."`
+	UserFieldID                     pantherlog.String `json:"user_field_id" description:"The ID of the custom user field."`
+	AssumingActingUserID            pantherlog.Int64  `json:"assuming_acting_user_id" description:"ID of the user who assumed the role of the acting user to trigger the event, if applicable."`
+	APICredentialName               pantherlog.String `json:"api_credential_name" description:"The name of the API credential used."`
+	ImportedUserName                pantherlog.String `json:"imported_user_name" description:"The name of the imported user."`
+	NoteTitle                       pantherlog.String `json:"note_title" description:"The title of the note."`
+	TrustedIdpName                  pantherlog.String `json:"trusted_idp_name" description:"The name of the trusted IDP."`
+	PolicyID                        pantherlog.Int64  `json:"policy_id" description:"ID of the policy involved in the event."`
+	RoleName                        pantherlog.String `json:"role_name" description:"Name of a role involved in the event."`
+	ResolvedByUserID                pantherlog.Int64  `json:"resolved_by_user_id" description:"The ID of the user that resolved the issue."`
+	GroupID                         pantherlog.Int64  `json:"group_id" description:"ID of a group involved in the event."`
+	ClientID                        pantherlog.String `json:"client_id" description:"Client ID used to generate the access token that made the API call that generated the event."`
+	IPAddr                          pantherlog.String `json:"ipaddr" panther:"ip" description:"IP address of the machine used to trigger the event."`
+	Notes                           pantherlog.String `json:"notes" description:"More details about the event."`
+	EventTypeID                     pantherlog.Int64  `json:"event_type_id" validate:"required" description:"Type of event triggered."`
+	UserID                          pantherlog.Int64  `json:"user_id" description:"ID of the user that was acted upon to trigger the event."`
+	RiskReasons                     pantherlog.String `json:"risk_reasons" description:"This is not an exhaustive list of the reasons for the risk score and should only be used as a guide"`
+	ProxyAgentName                  pantherlog.String `json:"proxy_agent_name" description:"The name of the proxy agent."`
+	PolicyType                      pantherlog.String `json:"policy_type" description:"The type of the policy."`
+	RoleID                          pantherlog.Int64  `json:"role_id" description:"ID of a role involved in the event."`
+	UserAgent                       pantherlog.String `json:"user_agent" description:"The user agent from which the request was invoke"`
+	PrivilegeName                   pantherlog.String `json:"privilege_name" description:"The name of the privilege."`
+	GroupName                       pantherlog.String `json:"group_name" description:"Name of a group involved in the event."`
+	Entity                          pantherlog.String `json:"entity" description:"The entity involved in this request."`
+	ResourceTypeID                  pantherlog.Int64  `json:"resource_type_id" description:"ID of the resource (user, role, group, and so forth) associated with the event."`
+	MappingName                     pantherlog.String `json:"mapping_name" description:"The name of the mapping."`
+	TaskName                        pantherlog.String `json:"task_name" description:"The name of the task."`
+	AuthenticationFactorType        pantherlog.Int64  `json:"authentication_factor_type" description:"The type of the authentication type."`
+	RadiusConfigName                pantherlog.String `json:"radius_config_name" description:"The name of the Radius configuration used."`
+	PolicyName                      pantherlog.String `json:"policy_name" description:"Name of the policy involved in the event."`
+	PrivilegeID                     pantherlog.Int64  `json:"privilege_id" description:"The id of the privilege."`
+	DirectorySyncRunID              pantherlog.Int64  `json:"directory_sync_run_id" description:"Directory sync run ID."`
+	OperationName                   pantherlog.String `json:"operation_name" description:"The name of the operation"`
 }