Merge pull request #3364 from JakubOnderka/json-logging

Simplify code for JSON audit log

Author: airween

headers/modsecurity/rules_set_properties.h

@@ -331,7 +331,7 @@ class RulesSetProperties {
     };
 
 
-    static const char *ruleEngineStateString(RuleEngine i) {
+    static std::string ruleEngineStateString(RuleEngine i) {
         switch (i) {
         case DisabledRuleEngine:
             return "Disabled";
@@ -342,7 +342,7 @@ class RulesSetProperties {
         case PropertyNotSetRuleEngine:
             return "PropertyNotSet/DetectionOnly";
         }
-        return NULL;
+        return std::string{};
     }
 
 

headers/modsecurity/transaction.h

@@ -80,15 +80,14 @@ typedef struct Rules_t RulesSet;
 
 #define LOGFY_ADD(a, b) \
     yajl_gen_string(g, reinterpret_cast<const unsigned char*>(a), strlen(a)); \
-    if (b == NULL) { \
+    if (b.data() == NULL) { \
       yajl_gen_string(g, reinterpret_cast<const unsigned char*>(""), \
           strlen("")); \
     } else { \
-      yajl_gen_string(g, reinterpret_cast<const unsigned char*>(b), \
-          strlen(b)); \
+      yajl_gen_string(g, reinterpret_cast<const unsigned char*>(b.data()), \
+          b.length()); \
     }
 
-
 #define LOGFY_ADD_INT(a, b) \
     yajl_gen_string(g, reinterpret_cast<const unsigned char*>(a), strlen(a)); \
     yajl_gen_number(g, reinterpret_cast<const char*>(b), strlen(b));

src/transaction.cc

@@ -1565,7 +1565,7 @@ std::string Transaction::toJSON(int parts) {
     size_t len;
     yajl_gen g;
     std::string log;
-    std::string ts = utils::string::ascTime(&m_timeStamp).c_str();
+    std::string ts = utils::string::ascTime(&m_timeStamp);
     std::string uniqueId = UniqueId::uniqueId();
 
     g = yajl_gen_alloc(NULL);
@@ -1583,13 +1583,13 @@ std::string Transaction::toJSON(int parts) {
 
     yajl_gen_map_open(g);
     /* Part: A (header mandatory) */
-    LOGFY_ADD("client_ip", m_clientIpAddress.c_str());
-    LOGFY_ADD("time_stamp", ts.c_str());
-    LOGFY_ADD("server_id", uniqueId.c_str());
+    LOGFY_ADD("client_ip", m_clientIpAddress);
+    LOGFY_ADD("time_stamp", ts);
+    LOGFY_ADD("server_id", uniqueId);
     LOGFY_ADD_NUM("client_port", m_clientPort);
-    LOGFY_ADD("host_ip", m_serverIpAddress.c_str());
+    LOGFY_ADD("host_ip", m_serverIpAddress);
     LOGFY_ADD_NUM("host_port", m_serverPort);
-    LOGFY_ADD("unique_id", m_id.c_str());
+    LOGFY_ADD("unique_id", m_id);
 
     /* request */
     yajl_gen_string(g, reinterpret_cast<const unsigned char*>("request"),
@@ -1598,14 +1598,14 @@ std::string Transaction::toJSON(int parts) {
 
     LOGFY_ADD("method",
         utils::string::dash_if_empty(
-            m_variableRequestMethod.evaluate()).c_str());
+            m_variableRequestMethod.evaluate()));
 
-    LOGFY_ADD_INT("http_version", m_httpVersion.c_str());
-    LOGFY_ADD("uri", this->m_uri.c_str());
+    LOGFY_ADD("http_version", m_httpVersion);
+    LOGFY_ADD("uri", this->m_uri);
 
     if (parts & audit_log::AuditLog::CAuditLogPart) {
         // FIXME: check for the binary content size.
-        LOGFY_ADD("body", this->m_requestBody.str().c_str());
+        LOGFY_ADD("body", this->m_requestBody.str());
     }
 
     /* request headers */
@@ -1617,7 +1617,7 @@ std::string Transaction::toJSON(int parts) {
 
         m_variableRequestHeaders.resolve(&l);
         for (auto &h : l) {
-            LOGFY_ADD(h->getKey().c_str(), h->getValue().c_str());
+            LOGFY_ADD(h->getKey().c_str(), h->getValue());
             delete h;
         }
 
@@ -1634,7 +1634,7 @@ std::string Transaction::toJSON(int parts) {
     yajl_gen_map_open(g);
 
     if (parts & audit_log::AuditLog::EAuditLogPart) {
-        LOGFY_ADD("body", this->m_responseBody.str().c_str());
+        LOGFY_ADD("body", this->m_responseBody.str());
     }
     LOGFY_ADD_NUM("http_code", m_httpCodeReturned);
 
@@ -1647,7 +1647,7 @@ std::string Transaction::toJSON(int parts) {
 
         m_variableResponseHeaders.resolve(&l);
         for (auto &h : l) {
-            LOGFY_ADD(h->getKey().c_str(), h->getValue().c_str());
+            LOGFY_ADD(h->getKey().c_str(), h->getValue());
             delete h;
         }
 
@@ -1664,10 +1664,10 @@ std::string Transaction::toJSON(int parts) {
         yajl_gen_map_open(g);
 
         /* producer > libmodsecurity */
-        LOGFY_ADD("modsecurity", m_ms->whoAmI().c_str());
+        LOGFY_ADD("modsecurity", m_ms->whoAmI());
 
         /* producer > connector */
-        LOGFY_ADD("connector", m_ms->getConnectorInformation().c_str());
+        LOGFY_ADD("connector", m_ms->getConnectorInformation());
 
         /* producer > engine state */
         LOGFY_ADD("secrules_engine",
@@ -1683,7 +1683,7 @@ std::string Transaction::toJSON(int parts) {
         for (const auto &a : m_rules->m_components) {
             yajl_gen_string(g,
                 reinterpret_cast<const unsigned char*>
-                    (a.c_str()), a.length());
+                    (a.data()), a.length());
         }
         yajl_gen_array_close(g);
 
@@ -1697,34 +1697,34 @@ std::string Transaction::toJSON(int parts) {
         yajl_gen_array_open(g);
         for (auto a : m_rulesMessages) {
             yajl_gen_map_open(g);
-            LOGFY_ADD("message", a.m_message.c_str());
+            LOGFY_ADD("message", a.m_message);
             yajl_gen_string(g,
                 reinterpret_cast<const unsigned char*>("details"),
                 strlen("details"));
             yajl_gen_map_open(g);
-            LOGFY_ADD("match", a.m_match.c_str());
-            LOGFY_ADD("reference", a.m_reference.c_str());
-            LOGFY_ADD("ruleId", std::to_string(a.m_rule.m_ruleId).c_str());
-            LOGFY_ADD("file", a.m_rule.getFileName().c_str());
-            LOGFY_ADD("lineNumber", std::to_string(a.m_rule.getLineNumber()).c_str());
-            LOGFY_ADD("data", a.m_data.c_str());
-            LOGFY_ADD("severity", std::to_string(a.m_severity).c_str());
-            LOGFY_ADD("ver", a.m_rule.m_ver.c_str());
-            LOGFY_ADD("rev", a.m_rule.m_rev.c_str());
+            LOGFY_ADD("match", a.m_match);
+            LOGFY_ADD("reference", a.m_reference);
+            LOGFY_ADD("ruleId", std::to_string(a.m_rule.m_ruleId));
+            LOGFY_ADD("file", a.m_rule.getFileName());
+            LOGFY_ADD("lineNumber", std::to_string(a.m_rule.getLineNumber()));
+            LOGFY_ADD("data", a.m_data);
+            LOGFY_ADD("severity", std::to_string(a.m_severity));
+            LOGFY_ADD("ver", a.m_rule.m_ver);
+            LOGFY_ADD("rev", a.m_rule.m_rev);
 
             yajl_gen_string(g,
                 reinterpret_cast<const unsigned char*>("tags"),
                 strlen("tags"));
             yajl_gen_array_open(g);
             for (auto b : a.m_tags) {
                 yajl_gen_string(g,
-                    reinterpret_cast<const unsigned char*>(b.c_str()),
-                    strlen(b.c_str()));
+                    reinterpret_cast<const unsigned char*>(b.data()),
+                    b.length());
             }
             yajl_gen_array_close(g);
 
-            LOGFY_ADD("maturity", std::to_string(a.m_rule.m_maturity).c_str());
-            LOGFY_ADD("accuracy", std::to_string(a.m_rule.m_accuracy).c_str());
+            LOGFY_ADD("maturity", std::to_string(a.m_rule.m_maturity));
+            LOGFY_ADD("accuracy", std::to_string(a.m_rule.m_accuracy));
             yajl_gen_map_close(g);
             yajl_gen_map_close(g);
         }

test/test-cases/regression/auditlog.json

@@ -172,6 +172,65 @@
       "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
     ]
   },
+  {
+    "enabled": 1,
+    "version_min": 300000,
+    "version_max": 0,
+    "title": "auditlog : basic parser test - JSON",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 2313
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "www.modsecurity.org",
+        "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+        "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language": "en-us,en;q=0.5",
+        "Accept-Encoding": "gzip,deflate",
+        "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive": "300",
+        "Connection": "keep-alive",
+        "Pragma": "no-cache",
+        "Cache-Control": "no-cache"
+      },
+      "uri": "\/test.pl?param1=   test   &param2=test2",
+      "method": "GET",
+      "http_version": 1.1,
+      "body": ""
+    },
+    "response": {
+      "headers": {
+        "Content-Type": "plain\/text\n\r"
+      },
+      "body": [
+        "test"
+      ]
+    },
+    "expected": {
+      "audit_log": "{\"transaction\":{\"client_ip\":\"200.249.12.31\",\"time_stamp\":\"\\S{3} \\S{3} \\d{2} \\d{2}:\\d{2}:\\d{2} \\d{4}\"",
+      "debug_log": "",
+      "error_log": "",
+      "http_code": 403
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule ARGS \"@contains test\" \"id:1,t:trim,deny,auditlog\"",
+      "SecAuditEngine RelevantOnly",
+      "SecAuditLogFormat JSON",
+      "SecAuditLogParts ABCFHZ",
+      "SecAuditLogStorageDir /tmp/test",
+      "SecAuditLog /tmp/audit_test_parallel.log",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0600",
+      "SecAuditLogType Serial",
+      "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
+    ]
+  },
   {
     "enabled": 1,
     "version_min": 300000,