event.go
/*******************************************************************************
*
* Copyright 2022 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You should have received a copy of the License along with this
* program. If not, you may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*******************************************************************************/
// Package cadf provides data structures for working with CADF events as per the CADF spec.
//
// SAP CCloud developers wishing to publish audit events to Hermes are advised
// to use the github.com/sapcc/go-bits/audittools package.
package cadf
// Event contains the CADF event according to CADF spec, section 6.6.1 Event (data)
// Extensions: requestPath (OpenStack, IBM), initiator.project_id/domain_id
// Omissions: everything that we do not use or do not expose to API users
//
// The JSON annotations are used both for parsing the result from ElasticSearch
// and for generating the Hermes API response, so a tag change affects both directions.
//
// This type is a plain data carrier: it has no methods and performs no
// validation. Code that decodes an Event from storage or from a producer
// should check the fields it relies on (ID, EventTime, Initiator, Outcome)
// before using the record for attribution or alerting.
type Event struct {
	// CADF Event Schema
	TypeURI string `json:"typeURI"`
	// CADF generated event id
	ID string `json:"id"`
	// CADF generated timestamp.
	// Held as a string: the format is not enforced by this type, so parse it
	// before ordering or correlating events by time.
	EventTime string `json:"eventTime"`
	// Characterizes events: eg. activity
	EventType string `json:"eventType"`
	// CADF action that the event records. The Action type is declared outside
	// this file.
	// NOTE(review): the previous comment described this as the mapping for a
	// GET call on an OpenStack REST API; presumably other calls are mapped
	// too - confirm against the Action declaration.
	Action Action `json:"action"`
	// Outcome of REST API call, eg. success/failure. The Outcome type is
	// declared outside this file.
	Outcome Outcome `json:"outcome"`
	// Reason carries the reason type and code for the outcome (see Reason).
	// Reason is a struct value, not a pointer, so encoding/json's omitempty
	// has no effect here: the "reason" key is always emitted, as {} when both
	// of its fields are empty.
	Reason Reason `json:"reason,omitempty"`
	// CADF component that contains the RESOURCE
	// that initiated, originated, or instigated the event's
	// ACTION, according to the OBSERVER
	Initiator Resource `json:"initiator"`
	// CADF component that contains the RESOURCE
	// against which the ACTION of a CADF Event
	// Record was performed, was attempted, or is
	// pending, according to the OBSERVER.
	Target Resource `json:"target"`
	// CADF component that contains the RESOURCE
	// that generates the CADF Event Record based on
	// its observation (directly or indirectly) of the Actual Event
	Observer Resource `json:"observer"`
	// Attachment contains self-describing extensions to the event
	Attachments []Attachment `json:"attachments,omitempty"`
	// Request path on the OpenStack service REST API call
	// NOTE(review): presumably copied from the observed request; if so, treat
	// it as caller-controlled text when displaying or matching on it - confirm
	// with the producer.
	RequestPath string `json:"requestPath,omitempty"`
}
// Resource contains attributes describing a (OpenStack-) Resource.
// Event uses this one type for its initiator, target and observer.
type Resource struct {
	TypeURI string `json:"typeURI"`
	Name    string `json:"name,omitempty"`
	// Domain describes the initiating user's original domain (see the note on
	// the Hermes extensions below); it is distinct from DomainID/DomainName.
	Domain string `json:"domain,omitempty"`
	ID     string `json:"id"`
	// Addresses is a list of {url, name} entries. The element type is
	// anonymous, so callers building a Resource have to spell out the struct
	// literal.
	Addresses []struct {
		URL  string `json:"url"`
		Name string `json:"name,omitempty"`
	} `json:"addresses,omitempty"`
	// A nil Host is omitted from the JSON output.
	Host        *Host        `json:"host,omitempty"`
	Attachments []Attachment `json:"attachments,omitempty"`
	// project_id and domain_id are OpenStack extensions (introduced by Keystone and keystone(audit)middleware)
	ProjectID string `json:"project_id,omitempty"`
	DomainID  string `json:"domain_id,omitempty"`
	// project_name, project_domain_name, domain_name, application_credential_id are Hermes extensions for
	// initiator resources only (they all refer to the token scope; the initiating user's original domain
	// is described by "domain").
	// When attributing an action, keep the two apart: these fields say which
	// scope the token was issued for, "domain" says where the user comes from.
	ProjectName       string `json:"project_name,omitempty"`
	ProjectDomainName string `json:"project_domain_name,omitempty"`
	DomainName        string `json:"domain_name,omitempty"`
	AppCredentialID   string `json:"application_credential_id,omitempty"`
}
// Reason contains HTTP Code and Type, and is optional in the CADF spec.
//
// Both fields are strings and both are dropped from the JSON output when
// empty, so a zero Reason encodes as {}.
type Reason struct {
	ReasonType string `json:"reasonType,omitempty"`
	// ReasonCode is a string, not a number: parse it before comparing it
	// numerically (for example against HTTP status ranges).
	ReasonCode string `json:"reasonCode,omitempty"`
}
// Host contains optional information about the host.
// Every field is optional and is omitted from the JSON output when empty.
//
// NOTE(review): Address and Agent look like request metadata reported by the
// client or by a proxy in front of the service (source address, user agent) -
// confirm with the producer. If so, they are useful for investigation but
// should not be relied on as proof of origin.
type Host struct {
	ID       string `json:"id,omitempty"`
	Address  string `json:"address,omitempty"`
	Agent    string `json:"agent,omitempty"`
	Platform string `json:"platform,omitempty"`
}
// Attachment contains self-describing extensions to the event
type Attachment struct {
	// Note: name is optional in the CADF spec, to permit unnamed attachments
	Name string `json:"name,omitempty"`
	// The spec is inconsistent here: the schema and examples say contentType, but the text often refers to typeURI.
	// Using typeURI would surely be more consistent. OpenStack uses typeURI, IBM supports both
	// (but forgot the name property)
	TypeURI string `json:"typeURI"`
	// Content contains the payload of the attachment. In theory this means any type.
	// In practice a type has to be chosen, because otherwise ES presumably infers
	// the field type from the first value it sees.
	// An interface allows arrays of JSON content. The content should be JSON.
	//
	// Because the static type is any, encoding/json decodes it into whatever
	// the document holds (map[string]any, []any, string, float64, bool or nil).
	// Type-check the value before use, and treat it as producer-supplied data:
	// nothing in this type restricts what a producer places in an attachment.
	Content any `json:"content"`
}