Merge pull request #189 from mozilla-services/dev

Sprint Nov 13

Author: Mike Trinkala

hyperloglog/CMakeLists.txt

@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 cmake_minimum_required(VERSION 3.0)
-project(hyperloglog VERSION 1.0.0 LANGUAGES C)
+project(hyperloglog VERSION 1.0.1 LANGUAGES C)
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Lua hyperloglog module (distinct count)")
 set(MODULE_SRCS hyperloglog.c redis_hyperloglog.c hyperloglog.def)
 include(sandbox_module)

hyperloglog/hyperloglog.c

@@ -45,6 +45,7 @@ static int hll_new(lua_State *lua)
   hyperloglog *hll = lua_newuserdata(lua, nbytes);
   memcpy(hll->magic, hll_magic, sizeof(hll->magic));
   hll->encoding = HLL_DENSE;
+  memset(hll->card, 0, sizeof(hll->card));
   HLL_INVALIDATE_CACHE(hll);
   memset(hll->notused, 0, sizeof(hll->notused));
   memset(hll->registers, 0, HLL_REGISTERS_SIZE);

hyperloglog/tests/test.lua

@@ -4,7 +4,7 @@
 
 require "hyperloglog"
 require "string"
-assert(hyperloglog.version() == "1.0.0", hyperloglog.version())
+assert(hyperloglog.version() == "1.0.1", hyperloglog.version())
 
 local hll = hyperloglog.new()
 local hll1 = hyperloglog.new()

kafka/index.md

@@ -61,7 +61,7 @@ local consumer   = kafka.consumer(brokerlist, topics, consumer_conf, topic_conf)
 *Arguments*
 * brokerlist (string) - [librdkafka broker string](https://github.com/edenhill/librdkafka/blob/master/src/rdkafka.h#L2205)
 * topics (array of 'topic[:partition]' strings) - Balanced consumer group mode a
-  consumer can only subscribe on topics, not topics:partitions. The partition 
+  consumer can only subscribe on topics, not topics:partitions. The partition
   syntax is only used for manual assignments (without balanced consumer groups).
 * consumer_conf (table) - must contain 'group.id' see: [librdkafka consumer configuration](https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md#global-configuration-properties)
 * topic_conf (table, optional) - [librdkafka topic configuration](https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md#topic-configuration-properties)
@@ -91,12 +91,13 @@ Returns a string with the running version of Kafka module.
 Creates a topic to be used by a producer, no-op if the topic already exists.
 
 ```lua
-producer:create_topic(topic) -- creates the topic if it does not exist
+producer:create_topic(topic, topic_conf) -- creates the topic if it does not exist
 
 ```
 
 *Arguments*
 * topic (string) - Name of the topic
+* topic_conf (table, optional) - [librdkafka topic configuration](https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md#topic-configuration-properties)
 
 *Return*
 * none
@@ -146,14 +147,14 @@ local ret = producer:send(topic, -1, sequence_id, message)
 *Arguments*
 * topic (string) - Name of the topic
 * partition (number) - Topic partition number (-1 for automatic assignment)
-* sequence_id 
+* sequence_id
     * lua_sandbox (lightuserdata/nil/none) - Opaque pointer for checkpointing
     * Lua 5.1 (number/nil/none) - range: zero to UINTPTR_MAX
 * message
     * heka_sandbox (string/table)
         * string - message to send
         * table - zero copy specifier (table of read_message arguments)
-    * Lua 5.1 (string) - Message to send 
+    * Lua 5.1 (string) - Message to send
 
 
 *Return*

moz_ingest/CMakeLists.txt

@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 cmake_minimum_required(VERSION 3.0)
-project(moz-ingest VERSION 0.0.2 LANGUAGES C)
+project(moz-ingest VERSION 0.0.3 LANGUAGES C)
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Mozilla Nginx Ingestion Data Processing")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "${PACKAGE_PREFIX}-rjson (>= 1.1.1), ${PACKAGE_PREFIX}-lpeg (>= 1.0.0), ${PACKAGE_PREFIX}-lfs (>= 1.6.4), ${PACKAGE_PREFIX}-zlib (>= 0.3.1)")
 string(REGEX REPLACE "[()]" "" CPACK_RPM_PACKAGE_REQUIRES ${CPACK_DEBIAN_PACKAGE_DEPENDS})

moz_ingest/io_modules/decoders/moz_ingest/json.lua

@@ -3,7 +3,7 @@
 -- file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 --[[
-# Mozilla Telemetry Decoder Module
+# Mozilla Telemetry JSON Decoder Module
 
 ## Decoder Configuration Table
 ```lua
@@ -17,6 +17,16 @@ decoders_moz_ingest_json = {
 
     -- array of namespace directories to ignore
     -- namespace_ignore = {"heka", "metadata", "pioneer-study", "telemetry"},
+
+    -- Transform the User-Agent header into user_agent_browser, user_agent_version, user_agent_os.
+    -- user_agent_transform = false, -- default
+
+    -- Always preserve the User-Agent header if transform is enabled.
+    -- user_agent_keep = false, -- default
+
+    -- Only preserve the User-Agent header if transform is enabled and fails.
+    -- user_agent_conditional = false, -- default
+
 }
 ```
 
@@ -52,6 +62,7 @@ local module_cfg    = string.gsub(module_name, "%.", "_")
 local rjson  = require "rjson"
 local miu    = require "moz_ingest.util"
 local lfs    = require "lfs"
+local clf    = require "lpeg.common_log_format"
 
 local read_config          = read_config
 local assert               = assert
@@ -87,8 +98,8 @@ end
 local namespaces = load_namespaces(cfg.namespace_path)
 
 
-local submissionField = {value = nil, representation = "json"}
 local doc = rjson.parse("{}") -- reuse this object to avoid creating a lot of GC
+local submissionField = {value = doc, representation = "json"}
 local function process_json(hsr, msg)
     local ok, err = pcall(doc.parse_message, doc, hsr, "Fields[content]", nil, nil, true)
     if not ok then
@@ -108,6 +119,7 @@ local function process_json(hsr, msg)
         error(string.format("json\tnamespace: %s schema: %s version: %d error: %s",
                             msg.Logger, msg.Fields.docType, msg.Fields.docVersion, err), 0)
     end
+    msg.Fields.submission = submissionField
 end
 
 
@@ -119,8 +131,18 @@ function transform_message(hsr, msg)
     process_json(hsr, msg)
 
     -- Migrate the original message data after the validation (avoids Field duplication in the error message)
-    msg.Hostname    = hsr:read_message("Hostname")
-    msg.Fields.Host = hsr:read_message("Fields[Host]")
+    msg.Hostname                = hsr:read_message("Hostname")
+    msg.Fields.Host             = hsr:read_message("Fields[Host]")
+    msg.Fields["User-Agent"]    = hsr:read_message("Fields[User-Agent]")
+
+    if msg.Fields["User-Agent"] and cfg.user_agent_transform then
+        msg.Fields.user_agent_browser,
+        msg.Fields.user_agent_version,
+        msg.Fields.user_agent_os = clf.normalize_user_agent(msg.Fields["User-Agent"])
+        if not ((cfg.user_agent_conditional and not msg.Fields.user_agent_browser) or cfg.user_agent_keep) then
+            msg.Fields["User-Agent"] = nil
+        end
+    end
 
     local ok, err = pcall(inject_message, msg)
     if not ok then

moz_ingest/tests/hindsight/input.hpb

@@ -1,32 +1,32 @@
 `
-:�E�ӛIߣs�S>u�����۽��
+�GG���E�-���R��撝���
 common.raw"
 moz_ingestJexample.comR
 remote_addr"192.30.255.112p
-6�.��mCu�pN�~������۽��
+�?d��B��{m#�H`�ɩ璝���
 common.raw"
 moz_ingestJexample.comR
 uri"/foobarR
 remote_addr"192.30.255.112�

-�틩��I,���V�-j4����۽��
+��*0(C�3�&��xL�璝���
 common.raw"
 moz_ingestJexample.comRC
 uri"</submit/common/foobar/1/0055FAC4-8A1A-4FCA-B380-EBFDC8571A01R
 remote_addr"192.30.255.112�

-ӘӥKߧi��X�[����۽��
+�`��"C���x	���璝���
 common.raw"
 moz_ingestJexample.comRC
 uri"</submit/common/foobar/1/0055FAC4-8A1A-4FCA-B380-EBFDC8571A01R
 remote_addr"192.30.255.112�

-FJ��K�{]��I|���۽��
+&3�NB�D�������璝���
 common.raw"
 moz_ingestJexample.comR
 geoCity"HalifaxR
 remote_addr"192.30.255.112RD
 uri"=/submit/common/widget/99/0055FAC4-8A1A-4FCA-B380-EBFDC8571A02R
 
 geoCountry"CA�

-_!e3<D����+L~������۽��
+�����C?�·�A�6g��璝���
 common.raw"
 moz_ingestJexample.comR
 remote_addr"192.30.255.112RD

moz_ingest/tests/hindsight/json.hpb

@@ -14,7 +14,11 @@ local messages = {
         docType = "bar",
         geoCity = "New York",
         geoCountry = "US",
-        documentId = "0055FAC4-8A1A-4FCA-B380-EBFDC8571A01"
+        documentId = "0055FAC4-8A1A-4FCA-B380-EBFDC8571A01",
+        submission = [[{"exampleString":"string one"}]],
+        user_agent_browser = "Firefox",
+        user_agent_version = 59,
+        user_agent_os      = "Linux"
         }
     },
     {Logger = "foo", Type = "error", Hostname = "example.com", Fields = {

moz_ingest/tests/hindsight/run/analysis/verify_json_decoder.lua

@@ -48,6 +48,7 @@ function process_message()
     msg.Type = "json.raw"
     msg.Fields.uri = "/submit/foo/bar/1/0055FAC4-8A1A-4FCA-B380-EBFDC8571A01"
     msg.Fields.content = [[{"exampleString":"string one"}]]
+    msg.Fields["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
     inject_message(msg)
 
     -- fails parsing

moz_ingest/tests/hindsight/run/input/generate_data.lua

@@ -18,4 +18,5 @@ decoders_moz_ingest_common = {
 
 decoders_moz_ingest_json = {
     namespace_path = "namespaces",
+    user_agent_transform = true,
 }

moz_ingest/tests/hindsight/run/input/test_json_decoder.cfg

@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 cmake_minimum_required(VERSION 3.0)
-project(moz-security VERSION 0.0.3 LANGUAGES C)
+project(moz-security VERSION 0.0.4 LANGUAGES C)
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Mozilla Infrastructure Security Analysis")
 include(sandbox_module)
 

moz_security/CMakeLists.txt

@@ -15,12 +15,12 @@ message_matcher = "Type == 'logging.shared.bastion.systemd.sshd' && Fields[sshd_
 ticker_interval = 0
 process_message_inject_limit = 1
 
--- default_email = "foxsec-alerts@mozilla.com"
+-- default_email = "foxsec-dump+OutOfHours@mozilla.com"
 ```
 --]]
 require "string"
 
-local default_email = read_config("default_email") or "foxsec-alerts@mozilla.com"
+local default_email = read_config("default_email") or "foxsec-dump+OutOfHours@mozilla.com"
 local msg = {
     Type = "alert",
     Payload = "",
@@ -35,10 +35,8 @@ local msg = {
 function process_message()
     local user  = read_message("Fields[remote_user]")
     local ip    = read_message("Fields[remote_addr]")
-    local id    = string.format("%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X",
-                                string.byte(read_message("Uuid"), 1, 16))
 
-    msg.Fields[2].value    = string.format("%s logged into bastion from %s id:%s", user, ip, id)
+    msg.Fields[2].value    = string.format("%s logged into bastion from %s", user, ip)
     msg.Fields[3].value[2] = string.format("<manatee-%[email protected]>", user)
     inject_message(msg)
     return 0

moz_security/sandboxes/heka/analysis/moz_security_sshd_login_monitor.lua

@@ -1,7 +1,6 @@
-filename = "moz_security_heavy_hitters_monitor.lua"
+filename = "moz_security_heavy_hitters.lua"
 message_matcher = "Logger == 'input.hh'"
 ticker_interval = 0
 
 id_field = "Fields[id]"
-cf_items = 2000
 hh_items = 10

moz_security/tests/hindsight/run/analysis/hh_monitor.cfg

@@ -2,32 +2,3 @@ filename = "moz_security_sshd_login_monitor.lua"
 message_matcher = "Logger == 'input.syslog' && Fields[programname] == 'sshd' && Fields[sshd_authmsg] == 'Accepted'"
 ticker_interval = 0
 process_message_inject_limit = 1
-
-closed = {
-    tz      = "America/Los_Angeles",
-    days    = {"Sat", "Sun"},
-    holidays = {
-        "2017-09-04", -- Labor Day
-        "2017-11-23", -- Thanksgiving Holiday
-        "2017-11-24", -- Thanksgiving Holiday + 1
-        "2017-12-25", -- Christmas Day
-        "2017-12-26", -- Christmas + 1
-        "2017-01-01", -- New Year's Day
-        "2017-01-15", -- Martin Luther King, Jr. Day
-        "2017-02-19", -- Presidents' Day
-        "2017-05-28", -- Memorial Day
-    },
-    hours   = {open = "09:00", close = "17:00"},
-}
-
-alert = {
-    prefix = false,
-    throttle = 1,
-    modules = {
-        email = {recipients = {"[email protected]"}}
-    }
-}
-
-user_map = {
-    trink = "mtrinkala"
-}

moz_security/tests/hindsight/run/analysis/sshd_login_monitor.cfg

@@ -6,17 +6,9 @@
 # Generates test data for moz_security_sshd_login_monitor
 --]]
 
-require "date"
 
-local fmt = "%Y-%m-%d %H:%M:%S"
 local tests = {
-    {"2017-07-24 09:20:01", "trink" , "192.168.1.1"}, -- ok
-    {"2017-07-22 02:33:44", "sat"   , "192.168.1.2"}, -- Saturday
-    {"2017-07-23 01:11:12", "sun"   , "192.168.1.3"}, -- Sunday
-    {"2017-07-23 17:00:00", "abh"   , "192.168.1.4"}, -- after business hours
-    {"2017-07-23 08:59:59", "bbh"   , "192.168.1.5"}, -- before business hours
-    {"2017-09-04 10:11:12", "trink" , "192.168.1.6"}, -- Labor Day with user_map
-    {"2017-05-28 10:11:12", "root"  , "192.168.1.7"}, -- Memorial Day
+    {"11111111-1111-1111-1111-111111111111", "trink" , "192.168.1.1"},
 }
 
 local msg = {
@@ -32,7 +24,7 @@ local msg = {
 
 function process_message()
     for i,v in ipairs(tests) do
-        msg.Timestamp = date.time(v[1], fmt, "America/Los_Angeles")
+        msg.Uuid = v[1]
         msg.Fields.remote_user = v[2]
         msg.Fields.remote_addr = v[3]
         inject_message(msg)

moz_security/tests/hindsight/run/input/generate_sshd.lua

@@ -3,7 +3,7 @@
 -- file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 --[[
-# Validates the moz_telemetry_heavy_hitters_monitor output
+# Validates the moz_security_heavy_hitters output
 --]]
 
 require "string"

moz_security/tests/hindsight/run/output/hh_verification.lua

@@ -3,31 +3,39 @@
 -- file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 --[[
-# Validates the moz_telemetry_doctype_monitor alerts
+# Validates the moz_security_sshd_login alerts
 --]]
 
 require "string"
 
 local results = {
-    "user: sat\nip: 192.168.1.2\n",
-    "user: sun\nip: 192.168.1.3\n",
-    "user: abh\nip: 192.168.1.4\n",
-    "user: bbh\nip: 192.168.1.5\n",
-    "user: mtrinkala\nip: 192.168.1.6\n",
-    "user: root\nip: 192.168.1.7\n",
+    { summary    = "trink logged into bastion from 192.168.1.1",
+      recipients = {"<[email protected]>", "<[email protected]>"}
+    }
 }
 
 local cnt = 0
 function process_message()
-    local payload = read_message("Payload")
-    if results[cnt + 1] ~= payload then
-        error(string.format("test:%d result:%s", cnt + 1, payload))
-    end
+    local summary = read_message("Fields[summary]") or "nil"
+    local dflt_recip = read_message("Fields[email.recipients]") or "nil"
+    local user_recip = read_message("Fields[email.recipients]", 0, 1) or "nil"
     cnt = cnt + 1
+    local er = results[cnt]
+    assert(er, "too many messages")
+
+    if er.summary ~= summary then
+        error(string.format("test:%d result:%s", cnt, summary))
+    end
+    if er.recipients[1] ~= dflt_recip then
+        error(string.format("test:%d result:%s", cnt, dflt_recip))
+    end
+    if er.recipients[2] ~= user_recip then
+        error(string.format("test:%d result:%s", cnt, user_recip))
+    end
     return 0
 end
 
 
 function timer_event()
-    assert(cnt == 6, string.format("%d out of 6 tests ran", cnt))
+    assert(cnt == 1, string.format("%d out of 1 tests ran", cnt))
 end

moz_security/tests/hindsight/run/output/sshd_login_verification.lua

@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 cmake_minimum_required(VERSION 3.0)
-project(moz-telemetry VERSION 1.2.15 LANGUAGES C)
+project(moz-telemetry VERSION 1.2.16 LANGUAGES C)
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Mozilla Firefox Telemetry Data Processing")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "${PACKAGE_PREFIX}-moz-ingest (>= 0.0.1), ${PACKAGE_PREFIX}-lsb (>= 1.1.0), ${PACKAGE_PREFIX}-circular-buffer (>= 1.0.2), ${PACKAGE_PREFIX}-heka (>= 1.1.9), ${PACKAGE_PREFIX}-elasticsearch (>= 1.0.3), ${PACKAGE_PREFIX}-rjson (>= 1.1.0), ${PACKAGE_PREFIX}-lfs (>= 1.6.4)")
 string(REGEX REPLACE "[()]" "" CPACK_RPM_PACKAGE_REQUIRES ${CPACK_DEBIAN_PACKAGE_DEPENDS})

moz_telemetry/CMakeLists.txt

@@ -224,6 +224,7 @@ local function process_json(hsr, msg)
         msg.Fields.appUpdateChannel     = doc:value(doc:find(app, "channel"))
         msg.Fields.appVendor            = doc:value(doc:find(app, "vendor"))
         msg.Fields.normalizedChannel    = mtn.channel(msg.Fields.appUpdateChannel)
+        msg.Fields.normalizedOSVersion  = mtn.os_version(doc:value(doc:find("environment", "system", "os", "version")))
 
         remove_objects(msg, doc, "environment", environment_objects)
         remove_objects(msg, doc, "payload", extract_payload_objects[msg.Fields.docType])