[apps][onelogin] Adding new integration app for OneLogin Events

[javuto]

to @ryandeivert
cc @mime-frame
resolves: #347

Change

Adding a new integration application for OneLogin. It will allow the collection of OneLogin events and process them using StreamAlert. Also the schema for the OneLogin events format is added here.
It handles the generation of tokens, using API client_secret/client_id pair and pagination of requests to the API, when the number of events returned (using since) is over the limit (50). More information here: https://developers.onelogin.com/api-docs/1/events/get-events

Also added new rule to alert whenever a user is assuming a different role within OneLogin.

Testing

Unit tests are added for the class:

$ ./tests/scripts/unit_tests.sh
...
OneLoginApp - Gather Events Entry Point ... ok
OneLoginApp - Generate Headers, ... ok
OneLoginApp - Get OneLogin Events, Bad Response ... ok
OneLoginApp - Get OneLogin Events, No Headers ... ok
OneLoginApp - Get Paginated Events ... ok
OneLoginApp - Get OneLogin Paginated Events, Bad Response ... ok
OneLoginApp - Required Auth Info ... ok
OneLoginApp - Sleep Seconds ... ok
OneLoginApp - Verify Events Endpoint ... ok
OneLoginApp - Verify Token Endpoint ... ok
OneLoginApp - Verify Events Type ... ok
...

[ghost]

42.56s$ ./tests/scripts/pylint.sh
************* Module app_integrations.apps.onelogin
W: 22, 0: Unused app imported from app_integrations.apps.app_base (unused-import)

[ghost]

Just to confirm: 5000/hour = ~83/min = ~1.3/sec - there's no way we'll accidentally exceed this?

[ghost]

Spoke offline, Javier will intentionally hit the limit locally so he can appropriately catch the exception and throw a useful error if it occurs

[javuto]

I need to do some testing in the actual API to see if we can just generate a new token once we exceed the maximum number of requests per hour (5000) per token. Although I doubt they would allow such a simple workaround to their rate limit. In any case I can add the code to have a safe sleep of 2 seconds per request.

[ryandeivert]

Agreed that additional testing should be done to best determine how this should be handled.

[ghost]

should

[ghost]

OneLoginApp

[ghost]

Since @ryandeivert is out, @austinbyers and @jacknagz can you take a look?

[coveralls]

Coverage decreased (-0.7%) to 94.038% when pulling f78b963 on javuto-streamalert-onelogin-app into 82fd1a4 on master.

[javuto]

Just added a new rule, onelogin_events_assumed_role and tested it:

$ python manage.py lambda test --processor rule --rules onelogin_events_assumed_role
StreamAlertCLI [INFO]: Issues? Report here: https://github.com/airbnb/streamalert/issues

onelogin_events_assumed_role
       [Pass]  [trigger=1]                   rule      (stream_alert_app): OneLogin generated event when a user assumed a different role, it should alert
       [Pass]  [trigger=0]                   rule      (stream_alert_app): OneLogin generated event when a user do any other action, it should not alert



StreamAlertCLI [INFO]: (2/2) Successful Tests
StreamAlertCLI [INFO]: Completed

Schemas also validated:

$ python manage.py validate-schemas
...
onelogin_events_assumed_role
       [Pass]  [log='onelogin:events']       validation  (stream_alert_app): OneLogin generated event when a user assumed a different role, it should alert
       [Pass]  [log='onelogin:events']       validation  (stream_alert_app): OneLogin generated event when a user do any other action, it should not alert
...
StreamAlertCLI [INFO]: (27/27) Successful Tests
StreamAlertCLI [INFO]: Completed

[coveralls]

Coverage decreased (-0.6%) to 94.188% when pulling 623154e on javuto-streamalert-onelogin-app into 82fd1a4 on master.

[ryandeivert]

First round of comments - if you want to chat about any of these in more detail let me know! Also, great start! This will be great to have 💯

[ryandeivert]

We tend to use str.format(...) instead of the older percent formatting. I'd suggest changing this to:

'client_id: {}, client_secret: {}'.format(client_id, client_secret)

Same for the bearer... formatting below.

[ryandeivert]

I anticipate potentially needing post abilities in other future apps as well. Could we move this functionality to the AppIntegration base class in app_base.py with a method name of something like _make_post_request and change the _make_request method to _make_get_request? By doing this, the new method could just return False or the JSON from the response (similar to how _make_request works now).

If this is too much right now, this can happen at a later date - just a thought!

[javuto]

Should I also refactor the duo application to use the new _make_get_requests in this PR?

[ryandeivert]

Yes please! :)

[ryandeivert]

++ nice!

[ryandeivert]

So this is going to actually only get events since the current time. This will likely result in events for only a few seconds or less (the time between setting this date and actually querying their API for the events).

You'll want to use the self._last_timestamp for this param, but we'll have to reason about this more since you need a formatted time and not a unix/integer timestamp

[ryandeivert]

I actually think we should avoid doing the pagination directly within the subclass and just let the while within the base classes gather handle this. We can talk more about the requirements for this.

The main thought process here is that this while loop could loop for a good amount of time, and the subclassed apps don't have a concept of when the lambda function is getting close to timing out. By letting the looping happen on the base class, where there is some checks in place to look for nearing the time out, we can operate with a little more safety.

[ryandeivert]

As we spoke about offline, please add the localization (us/eu) to these so they can be user-provided.

[ryandeivert]

Nice work with these!

[ryandeivert]

Agreed that additional testing should be done to best determine how this should be handled.

[ryandeivert]

Can the base class' _make_request be used in this instance, since it will do the response check and automatically return the json response value.

[ryandeivert]

As we spoke about offline, switch to using a url that can be formatted with a region/localization (us/eu) for this link and the token link.

[coveralls]

Coverage decreased (-0.6%) to 94.191% when pulling 52cf350 on javuto-streamalert-onelogin-app into 82fd1a4 on master.

[coveralls]

Coverage decreased (-0.6%) to 94.097% when pulling 167b59e on javuto-streamalert-onelogin-app into 82fd1a4 on master.

[ryandeivert]

Hey Javier - overall great revisions! Some additional comments

[ryandeivert]

Can you add post to this logger message somewhere, ie: Making post request for...

[ryandeivert]

Can we choose a different name from json for the variable, since that conflicts with the json package?

[ryandeivert]

Thanks for this!

[ryandeivert]

can we restrict this to eu or us since those are the only regions OneLogin supports?

[ryandeivert]

can we just return False here instead? the line below (151) could result in a KeyError

[coveralls]

Coverage increased (+0.1%) to 94.845% when pulling c02c975 on javuto-streamalert-onelogin-app into 82fd1a4 on master.

[ghost]

From CI:

StreamAlertCLI [ERROR]: (2/27) Failures
StreamAlertCLI [ERROR]: (1/2) Detected old format for test event in file 'onelogin_events_assumed_role.json'. Please visit https://streamalert.io/rule-testing.html for information on the new format and update your test events accordingly.
StreamAlertCLI [ERROR]: (2/2) Detected old format for test event in file 'onelogin_events_assumed_role.json'. Please visit https://streamalert.io/rule-testing.html for information on the new format and update your test events accordingly.

^ You need to update your tests as @ryandeivert merged his changes. You'll need to specify logs and trigger_rules, here's an example: https://github.com/airbnb/streamalert/pull/372/files#diff-0e3d1b3c864f17c2c1e876b811c33590

Full details are here: https://streamalert.io/rule-testing.html

[javuto]

@ryandeivert I have added a significant update to the PR, that It will probably require another round of code review. It does include the update to the tests format that @mime-frame pointed out above, the refactoring of get/post requests to return a tuple and handling the API rate limit sleep, more info here.

Thanks guys!

[coveralls]

Coverage decreased (-0.05%) to 94.62% when pulling f5e866d on javuto-streamalert-onelogin-app into 3a22d5c on master.

[ryandeivert]

hey @javuto - I added a similar logging message to this in loop within the base class:

streamalert/app_integrations/apps/app_base.py

Line 310 in f5e866d

LOGGER.debug('More logs to poll for \'%s\': %s', self.type(), self._more_to_poll)

You can probably safely remove this, or change it to add more context on what's happening at this point in the code.

[javuto]

Per our offline chat, having this logging message here it is redundant with the added one in the base class. I will remove it.

[ryandeivert]

You'll may want to make sure response is valid here as well, since it could be None? Below you may also want to change your lookups to reponse.get('status'), etc in case the response is not in a format we expect (just for safety).

[ryandeivert]

Maybe do this:

if not (result or response):
   return False
elif not result and response:
   <do your logic here>

[ryandeivert]

^^ This might be unnecessary - I'll let you decide :)

[javuto]

I think this approach can add some unnecessary complexity to the code. I like checking first result, then checking response. It makes the code easy to read and to follow the flow.

[ryandeivert]

Let's add a safety check here to make sure the data list actually has logs:

logs = response['data']
if not logs:
    return False

self._last_timestamp = logs[-1]['created_at']

# Return the list of logs to the caller so they can be send to the batcher
return logs

[ryandeivert]

Tip (not a necessary change): you can use bool() to perform this logic:

self._more_to_poll = bool(self._next_page_url)

[ryandeivert]

++ Nice work on this logic!

[ryandeivert]

@javuto I added a few comments that might need addressed, but I'm giving you the 🚀

[ryandeivert]

Let's make the params arg be an optional that defaults to None:

def _make_get_request(self, full_url, headers, params=None): ...

And then update your call here so it doesn't have to pass None explicitly

[coveralls]

Coverage increased (+0.04%) to 94.711% when pulling d7585ad on javuto-streamalert-onelogin-app into 3a22d5c on master.

[ryandeivert]

Good changes here, except you aren't checking to see if the events list is empty (and events[-1] could cause an index out of range error if no events are returned). You can also probably drop the get( above and just use events['data'] since they key will exist even if it is an empty list.

[ryandeivert]

What I'm worried about is this case:

{
    "status": {
        "error": false,
        "code": 200,
        "type": "success",
        "message": "Success"
    },
    "pagination": {
        "before_cursor": null,
        "after_cursor": "xWNjb3VudF9pZDo6OjUzNDEzLS0jI2lkOjo6OTA0MjU3NTQ2",
        "previous_link": null,
        "next_link": null
    },
    "data": []
}

[javuto]

I see, I will handle this case so it will be safe if it appears

[ryandeivert]

Thanks for this fix

[ryandeivert]

++

[ryandeivert]

👏 👏 for simplification

[coveralls]

Coverage increased (+0.04%) to 94.714% when pulling 7bfe013 on javuto-streamalert-onelogin-app into 3a22d5c on master.

[coveralls]

Coverage decreased (-0.06%) to 94.616% when pulling ba14c63 on javuto-streamalert-onelogin-app into 80a974b on master.