org.graylog.events.search.EventsSearchService Maven / Gradle / Ivy
/**
* This file is part of Graylog.
*
* Graylog is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Graylog is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Graylog. If not, see filterBuilder = ImmutableSet.builder();
if (!parameters.filter().eventDefinitions().isEmpty()) {
final String eventDefinitionFilter = parameters.filter().eventDefinitions().stream()
.map(this::eventDefinitionFilter)
.collect(Collectors.joining(" OR "));
filterBuilder.addAll(Collections.singleton("(" + eventDefinitionFilter + ")"));
}
switch (parameters.filter().alerts()) {
case INCLUDE:
// Nothing to do
break;
case EXCLUDE:
filterBuilder.add("NOT alert:true");
break;
case ONLY:
filterBuilder.add("alert:true");
break;
}
final String filter = String.join(" AND ", filterBuilder.build());
final ImmutableSet eventStreams = ImmutableSet.of(DEFAULT_EVENTS_STREAM_ID, DEFAULT_SYSTEM_EVENTS_STREAM_ID);
final MoreSearch.Result result = moreSearch.eventSearch(parameters, filter, eventStreams, forbiddenSourceStreams(subject));
final ImmutableSet.Builder eventDefinitionIdsBuilder = ImmutableSet.builder();
final ImmutableSet.Builder streamIdsBuilder = ImmutableSet.builder();
final List events = result.results().stream()
.map(resultMsg -> {
final EventDto eventDto = objectMapper.convertValue(resultMsg.getMessage().getFields(), EventDto.class);
eventDefinitionIdsBuilder.add((String) resultMsg.getMessage().getField(EventDto.FIELD_EVENT_DEFINITION_ID));
streamIdsBuilder.addAll(resultMsg.getMessage().getStreamIds());
return EventsSearchResult.Event.create(eventDto, resultMsg.getIndex(), IndexMapping.TYPE_MESSAGE);
}).collect(Collectors.toList());
final EventsSearchResult.Context context = EventsSearchResult.Context.create(
lookupEventDefinitions(eventDefinitionIdsBuilder.build()),
lookupStreams(streamIdsBuilder.build())
);
return EventsSearchResult.builder()
.parameters(parameters)
.totalEvents(result.resultsCount())
.duration(result.duration())
.events(events)
.usedIndices(result.usedIndexNames())
.context(context)
.build();
}
// TODO: Loading all streams for a user is not very efficient. Not sure if we can find an alternative that is
// more efficient. Doing a separate ES query to get all source streams that would be in the result is
// most probably not more efficient.
private Set forbiddenSourceStreams(Subject subject) {
// Users with the generic streams:read permission can read all streams so we don't need to check every single
// stream here and can take a short cut.
if (subject.isPermitted(RestPermissions.STREAMS_READ)) {
return Collections.emptySet();
}
return streamService.loadAll().stream()
.map(Persisted::getId)
// Select all streams the user is NOT permitted to access
.filter(streamId -> !subject.isPermitted(String.join(":", RestPermissions.STREAMS_READ, streamId)))
.collect(Collectors.toSet());
}
private Map lookupStreams(Set streams) {
return streams.stream()
.map(streamId -> {
try {
return streamService.load(streamId);
} catch (NotFoundException e) {
return null;
}
})
.filter(Objects::nonNull)
.collect(Collectors.toMap(Persisted::getId, s -> EventsSearchResult.ContextEntity.create(s.getId(), s.getTitle(), s.getDescription())));
}
private Map lookupEventDefinitions(Set eventDefinitions) {
return eventDefinitions.stream()
.map(eventDefinitionService::get)
.filter(Optional::isPresent)
.map(Optional::get)
.collect(Collectors.toMap(EventDefinitionDto::id, d -> EventsSearchResult.ContextEntity.create(d.id(), d.title(), d.description())));
}
}