WIP: More work on ProcessEvent() func, handling of IgnoreLookupErrors…

… per GH-62
atc0005 · Jun 24, 2020 · 94c2d2c · 94c2d2c
1 parent abf3c1a
commit 94c2d2c
Showing 1 changed file with 122 additions and 77 deletions.
diff --git a/files/process.go b/files/process.go
@@ -67,99 +67,67 @@ func ProcessEvent(
 		return err
 	}
 
-	ignoredUserEntryFound, ignoredUserLookupErr := fileutils.HasLine(
-		alert.Username,
-		"#",
-		ignoredSources.IgnoredUsersFile,
-	)
-
-	if ignoredUserLookupErr != nil {
-
-		errMsg := fmt.Errorf(
-			"error while checking ignored status for user %q from IP %q: %w",
-			alert.Username,
-			alert.UserIP,
-			ignoredUserLookupErr,
-		)
-
-		// If there are issues checking ignored status, return the error. This
-		// results in no real action against the reported user account; the
-		// user account is not disabled.
-		if !ignoredSources.IgnoreLookupErrors {
-			return errMsg
-		}
-
-		// console, local logs, syslog via systemd, etc.
-		log.Warn(errMsg.Error())
-
-	}
-
-	if ignoredUserEntryFound {
-		logEventIgnoredUsernameErr := logEventIgnoredUsername(
-			alert,
-			reportedUserEventsLog,
-			ignoredSources.IgnoredUsersFile,
-			notifyWorkQueue,
-		)
-
-		return logEventIgnoredUsernameErr
-
-	}
-
-	// check to see if IP Address has been ignored
-	ipAddressIgnoreEntryFound, ipAddressIgnoreLookupErr := fileutils.HasLine(
-		alert.UserIP, "#", ignoredSources.IgnoredIPAddressesFile)
-	if ipAddressIgnoreLookupErr != nil {
-
-		errMsg := fmt.Errorf(
-			"error while checking ignored status for IP %q associated with user %q: %w",
-			alert.UserIP,
-			alert.Username,
-			ipAddressIgnoreLookupErr,
-		)
-
-		if !ignoredSources.IgnoreLookupErrors {
-			return errMsg
+	// check whether username or IP Address is ignored, return early if true
+	// or if there is an error looking up the status which the sysadmin did
+	// not opt to disregard
+	ignoredEntryFound, ignoredEntryLookupErr := isIgnored(alert, reportedUserEventsLog, ignoredSources, notifyWorkQueue)
+	switch {
+	case ignoredEntryLookupErr != nil:
+
+		if ignoredSources.IgnoreLookupErrors {
+			// If sysadmin opted to ignore lookup errors then honor the
+			// request; emit complaint )to console, local logs, syslog via
+			// systemd, etc) and ignore the lookup error by proceeding.
+			//
+			// WARNING: See GH-62; this "feature" may be removed in a future
+			// release in order to avoid potentially unexpected logic bugs.
+			log.Warn(ignoredEntryLookupErr.Error())
+			break
 		}
 
-		// console, local logs, syslog via systemd, etc.
-		log.Warn(errMsg.Error())
-	}
-
-	if ipAddressIgnoreEntryFound {
-
-		logEventIgnoredUsernameErr := logEventIgnoredUsername(
-			alert,
-			reportedUserEventsLog,
-			ignoredSources.IgnoredIPAddressesFile,
-			notifyWorkQueue,
-		)
-
-		return logEventIgnoredUsernameErr
+		return ignoredEntryLookupErr
 
+	// early exit to force desired ignore behavior
+	case ignoredEntryFound:
+		return nil
 	}
 
 	// check to see if username has already been disabled
 	disabledUserEntry := alert.Username + disabledUsers.EntrySuffix
 	disableEntryFound, disableEntryLookupErr := fileutils.HasLine(
-		disabledUserEntry, "#", disabledUsers.FilePath)
-	if disableEntryLookupErr != nil {
+		disabledUserEntry,
+		"#",
+		disabledUsers.FilePath,
+	)
+
+	// Handle logic for disabling user account
+	switch {
+
+	case disableEntryLookupErr != nil:
+
 		errMsg := fmt.Errorf(
 			"error while checking disabled status for user %q from IP %q: %w",
 			alert.Username,
 			alert.UserIP,
 			disableEntryLookupErr,
 		)
 
-		if !ignoredSources.IgnoreLookupErrors {
-			return errMsg
+		if ignoredSources.IgnoreLookupErrors {
+			// If sysadmin opted to ignore lookup errors then honor the
+			// request; emit complaint )to console, local logs, syslog via
+			// systemd, etc) and ignore the lookup error by proceeding.
+			//
+			// WARNING: See GH-62; this "feature" may be removed in a future
+			// release in order to avoid potentially unexpected logic bugs.
+			log.Warn(disableEntryLookupErr.Error())
+
+			// NOTE: If the lookup error is being ignored, we skip all
+			// attempts to disable the user account.
+			break
 		}
 
-		// console, local logs, syslog via systemd, etc.
-		log.Warn(errMsg.Error())
-	}
+		return errMsg
 
-	switch {
 	case !disableEntryFound:
 
 		// if username has not been disabled yet, proceed with additional checks
@@ -228,10 +196,87 @@ func ProcessEvent(
 
 }
 
-func isDisabledUser(alert events.SplunkAlertEvent, disabledUsers *DisabledUsers) (bool, error) {
+// isIgnored is a wrapper function to help concentrate common ignored status
+// checks in one place. If there are issues checking ignored status,
+// explicitly state that the username or IP Address is ignored and return the
+// error. The caller can then apply other logic to determine how the error
+// condition should be treated.
+func isIgnored(
+	alert events.SplunkAlertEvent,
+	reportedUserEventsLog *ReportedUserEventsLog,
+	ignoredSources IgnoredSources,
+	notifyWorkQueue chan<- events.Record,
+) (bool, error) {
+
+	ignoredUserEntryFound, ignoredUserLookupErr := fileutils.HasLine(
+		alert.Username,
+		"#",
+		ignoredSources.IgnoredUsersFile,
+	)
+
+	if ignoredUserLookupErr != nil {
+
+		errMsg := fmt.Errorf(
+			"error while checking ignored status for user %q from IP %q: %w",
+			alert.Username,
+			alert.UserIP,
+			ignoredUserLookupErr,
+		)
+
+		// on error, assume username or IP should be ignored
+		return true, errMsg
+
+	}
+
+	if ignoredUserEntryFound {
+		logEventIgnoredUsernameErr := logEventIgnoredUsername(
+			alert,
+			reportedUserEventsLog,
+			ignoredSources.IgnoredUsersFile,
+			notifyWorkQueue,
+		)
+
+		return true, logEventIgnoredUsernameErr
+
+	}
+
+	// check to see if IP Address has been ignored
+	ipAddressIgnoreEntryFound, ipAddressIgnoreLookupErr := fileutils.HasLine(
+		alert.UserIP,
+		"#",
+		ignoredSources.IgnoredIPAddressesFile,
+	)
+
+	if ipAddressIgnoreLookupErr != nil {
 
-	// TODO: Start back here, pull from line 92 on ...
+		errMsg := fmt.Errorf(
+			"error while checking ignored status for IP %q associated with user %q: %w",
+			alert.UserIP,
+			alert.Username,
+			ipAddressIgnoreLookupErr,
+		)
 
+		// on error, assume username or IP should be ignored
+		return true, errMsg
+	}
+
+	if ipAddressIgnoreEntryFound {
+
+		logEventIgnoredUsernameErr := logEventIgnoredUsername(
+			alert,
+			reportedUserEventsLog,
+			ignoredSources.IgnoredIPAddressesFile,
+			notifyWorkQueue,
+		)
+
+		return true, logEventIgnoredUsernameErr
+
+	}
+
+	// indicate that the username and associated IP Addr is *not* ignored if:
+	//
+	// - no error occurs looking up the ignored status
+	// - no match is found
 	return false, nil
 
 }