Delete s3Record type and simplify cloudtrail logic

Author: ndakkoune

aws/logs_monitoring_go/internal/handling/cloudtrail.go

@@ -14,6 +14,7 @@ import (
 	"iter"
 	"log/slog"
 	"regexp"
+	"strings"
 	"sync"
 )
 
@@ -30,77 +31,93 @@ var ec2InstanceRegexp = sync.OnceValue(func() *regexp.Regexp {
 	return regexp.MustCompile(`^arn:aws:sts::.*?:assumed-role/(?P<role>.*?)/(?P<host>i-([0-9a-f]{8}|[0-9a-f]{17}))$`)
 })
 
-func decodeCloudTrail(r io.Reader) iter.Seq2[s3Record, error] {
-	return func(yield func(s3Record, error) bool) {
+func decodeCloudTrail(r io.Reader) iter.Seq2[string, error] {
+	return func(yield func(string, error) bool) {
 		gz, err := gzip.NewReader(r)
 		if err != nil {
-			yield(s3Record{}, fmt.Errorf("decode cloudtrail gzip: %w", err))
+			yield("", fmt.Errorf("decode cloudtrail gzip: %w", err))
 			return
 		}
 		defer gz.Close() //nolint:errcheck
 
 		dec := json.NewDecoder(gz)
 
 		if t, err := dec.Token(); err != nil || t != json.Delim('{') {
-			yield(s3Record{}, errors.New("decode cloudtrail: expected '{' at start of JSON"))
+			yield("", errors.New("decode cloudtrail: expected '{' at start of JSON"))
 			return
 		}
 		if t, err := dec.Token(); err != nil || t != "Records" {
-			yield(s3Record{}, errors.New("decode cloudtrail: expected 'Records' key"))
+			yield("", errors.New("decode cloudtrail: expected 'Records' key"))
 			return
 		}
 		if t, err := dec.Token(); err != nil || t != json.Delim('[') {
-			yield(s3Record{}, errors.New("decode cloudtrail: expected '[' at start of Records array"))
+			yield("", errors.New("decode cloudtrail: expected '[' at start of Records array"))
 			return
 		}
 
 		for dec.More() {
-			var record map[string]any
-			if err := dec.Decode(&record); err != nil {
-				yield(s3Record{}, fmt.Errorf("decode cloudtrail record: %w", err))
+			var raw json.RawMessage
+			if err := dec.Decode(&raw); err != nil {
+				yield("", fmt.Errorf("decode cloudtrail record: %w", err))
 				return
 			}
-
-			msg, err := json.Marshal(record)
-			if err != nil {
-				yield(s3Record{}, fmt.Errorf("marshal cloudtrail record: %w", err))
-				return
-			}
-
-			host := cloudtrailHost(record)
-			if !yield(s3Record{Message: string(msg), Host: host}, nil) {
+			if !yield(string(raw), nil) {
 				return
 			}
 		}
 	}
 }
 
-func cloudtrailHostFromMessage(message string) string {
-	var record map[string]any
-	if err := json.Unmarshal([]byte(message), &record); err != nil {
+func cloudtrailHost(message string) string {
+	dec := json.NewDecoder(strings.NewReader(message))
+	if t, err := dec.Token(); err != nil || t != json.Delim('{') {
 		return ""
 	}
-	return cloudtrailHost(record)
-}
 
-func cloudtrailHost(record map[string]any) string {
-	ui, ok := record[cloudTrailUserIdentityKey].(map[string]any)
-	if !ok {
-		slog.Debug(cloudTrailUserIdentityKey + " key not found, cloudtrail host extraction skipped")
-		return ""
-	}
-	arn, ok := ui[cloudTrailARNKey].(string)
-	if !ok {
-		slog.Debug(cloudTrailARNKey + " key not found, cloudtrail host extraction skipped")
-		return ""
-	}
+	for dec.More() {
+		key, err := dec.Token()
+		if err != nil {
+			return ""
+		}
+		if key != cloudTrailUserIdentityKey {
+			var skip json.RawMessage
+			if err := dec.Decode(&skip); err != nil {
+				return ""
+			}
+			continue
+		}
 
-	re := ec2InstanceRegexp()
-	matches := re.FindStringSubmatch(arn)
-	if matches == nil {
-		slog.Debug(arn + " arn did not match an EC2 host instance, cloudtrail host extraction skipped")
+		if t, err := dec.Token(); err != nil || t != json.Delim('{') {
+			return ""
+		}
+
+		for dec.More() {
+			innerKey, err := dec.Token()
+			if err != nil {
+				return ""
+			}
+			if innerKey != cloudTrailARNKey {
+				var skip json.RawMessage
+				if err := dec.Decode(&skip); err != nil {
+					return ""
+				}
+				continue
+			}
+
+			var arn string
+			if err := dec.Decode(&arn); err != nil {
+				return ""
+			}
+
+			re := ec2InstanceRegexp()
+			matches := re.FindStringSubmatch(arn)
+			if matches == nil {
+				slog.Debug(arn + " arn did not match an EC2 host instance, cloudtrail host extraction skipped")
+				return ""
+			}
+			return matches[re.SubexpIndex("host")]
+		}
 		return ""
 	}
-
-	return matches[re.SubexpIndex("host")]
+	return ""
 }

aws/logs_monitoring_go/internal/handling/cloudtrail_test.go

@@ -69,53 +69,44 @@ func TestCloudtrailHost(t *testing.T) {
 	t.Parallel()
 
 	tests := map[string]struct {
-		record map[string]any
-		want   string
+		message string
+		want    string
 	}{
 		"ec2 instance (17)": {
-			record: map[string]any{
-				"userIdentity": map[string]any{
-					"arn": "arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d",
-				},
-			},
-			want: "i-08014e4f62ccf762d",
+			message: `{"userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
+			want:    "i-08014e4f62ccf762d",
 		},
 		"ec2 instance (8)": {
-			record: map[string]any{
-				"userIdentity": map[string]any{
-					"arn": "arn:aws:sts::601427279990:assumed-role/MyRole/i-abcd1234",
-				},
-			},
-			want: "i-abcd1234",
+			message: `{"userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-abcd1234"}}`,
+			want:    "i-abcd1234",
 		},
 		"non ec2 arn": {
-			record: map[string]any{
-				"userIdentity": map[string]any{
-					"arn": "arn:aws:sts::601427279990:assumed-role/MyRole/my-session",
-				},
-			},
-			want: "",
+			message: `{"userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/my-session"}}`,
+			want:    "",
 		},
 		"missing userIdentity": {
-			record: map[string]any{"eventName": "DescribeTable"},
-			want:   "",
+			message: `{"eventName":"DescribeTable"}`,
+			want:    "",
 		},
 		"missing arn": {
-			record: map[string]any{
-				"userIdentity": map[string]any{
-					"type": "AssumedRole",
-				},
-			},
-			want: "",
+			message: `{"userIdentity":{"type":"AssumedRole"}}`,
+			want:    "",
+		},
+		"invalid json": {
+			message: "not json",
+			want:    "",
+		},
+		"empty message": {
+			message: "",
+			want:    "",
 		},
 	}
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			host := cloudtrailHost(tc.record)
-			if host != tc.want {
-				t.Errorf("want %q, got %q", tc.want, host)
+			if got := cloudtrailHost(tc.message); got != tc.want {
+				t.Errorf("want %q, got %q", tc.want, got)
 			}
 		})
 	}
@@ -126,10 +117,10 @@ func TestDecodeCloudTrail(t *testing.T) {
 
 	tests := map[string]struct {
 		input   []byte
-		want    []s3Record
+		want    []string
 		wantErr bool
 	}{
-		"single record with ec2 host": {
+		"single record": {
 			input: testutil.MustGzipJSON(t, map[string]any{
 				"Records": []any{
 					map[string]any{
@@ -140,29 +131,8 @@ func TestDecodeCloudTrail(t *testing.T) {
 					},
 				},
 			}),
-			want: []s3Record{
-				{
-					Message: `{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
-					Host:    "i-08014e4f62ccf762d",
-				},
-			},
-		},
-		"single record without ec2 host": {
-			input: testutil.MustGzipJSON(t, map[string]any{
-				"Records": []any{
-					map[string]any{
-						"eventName": "DescribeTable",
-						"userIdentity": map[string]any{
-							"arn": "arn:aws:iam::601427279990:user/admin",
-						},
-					},
-				},
-			}),
-			want: []s3Record{
-				{
-					Message: `{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:iam::601427279990:user/admin"}}`,
-					Host:    "",
-				},
+			want: []string{
+				`{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
 			},
 		},
 		"multiple records": {
@@ -172,9 +142,9 @@ func TestDecodeCloudTrail(t *testing.T) {
 					map[string]any{"eventName": "event2"},
 				},
 			}),
-			want: []s3Record{
-				{Message: `{"eventName":"event1"}`},
-				{Message: `{"eventName":"event2"}`},
+			want: []string{
+				`{"eventName":"event1"}`,
+				`{"eventName":"event2"}`,
 			},
 		},
 		"empty records array": {
@@ -197,15 +167,15 @@ func TestDecodeCloudTrail(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			var got []s3Record
-			for rec, err := range decodeCloudTrail(bytes.NewReader(tc.input)) {
+			var got []string
+			for msg, err := range decodeCloudTrail(bytes.NewReader(tc.input)) {
 				if err != nil {
 					if !tc.wantErr {
 						t.Fatalf("unexpected error: %v", err)
 					}
 					return
 				}
-				got = append(got, rec)
+				got = append(got, msg)
 			}
 
 			if tc.wantErr {

aws/logs_monitoring_go/internal/handling/cloudwatch.go

@@ -135,8 +135,8 @@ func (h CloudwatchHandler) newCloudwatchLogEntry(event events.CloudwatchLogsLogE
 	entry.ID = event.ID
 	entry.Timestamp = event.Timestamp
 
-	if entry.Source == sourceCloudtrail {
-		if host := cloudtrailHostFromMessage(event.Message); host != "" {
+	if h.cfg.Host == "" && entry.Source == sourceCloudtrail {
+		if host := cloudtrailHost(event.Message); host != "" {
 			entry.Host = host
 		}
 	}

aws/logs_monitoring_go/internal/handling/s3.go

@@ -28,11 +28,6 @@ const (
 	s3KeyCloudtrail = "_CloudTrail_"
 )
 
-type s3Record struct {
-	Message string
-	Host    string
-}
-
 type S3Handler struct {
 	cfg *config.Config
 }
@@ -81,23 +76,27 @@ func (h S3Handler) processRecord(ctx context.Context, client S3APIClient, out ch
 		}
 	}()
 
-	var records iter.Seq2[s3Record, error]
-	if cloudTrailRegex().MatchString(key) {
+	var records iter.Seq2[string, error]
+	isCloudTrail := cloudTrailRegex().MatchString(key)
+	if isCloudTrail {
 		records = decodeCloudTrail(body)
 	} else {
 		records = scan(body, h.cfg.S3MultilineLogRegex)
 	}
 
-	for rec, err := range records {
+	for message, err := range records {
 		if err != nil {
 			return err
 		}
-		entry := h.newS3LogEntry(eventRecord, rec.Message, lambdaOrigin)
+		entry := h.newS3LogEntry(eventRecord, message, lambdaOrigin)
 		if h.cfg.Filter.ShouldExclude(entry.Message) {
 			continue
 		}
 
-		entry.Host = cmp.Or(h.cfg.Host, rec.Host)
+		if isCloudTrail {
+			entry.Host = cloudtrailHost(message)
+		}
+		entry.Host = cmp.Or(h.cfg.Host, entry.Host)
 		entry.Message = h.cfg.Scrubber.Scrub(entry.Message)
 		if err := concurrent.SafeSender(ctx, out, entry); err != nil {
 			return err

aws/logs_monitoring_go/internal/handling/scanner.go

@@ -80,17 +80,17 @@ func (s *Scanner) splitOnLines(data []byte, atEOF bool) (advance int, token []by
 	return 0, nil, nil
 }
 
-func scan(r io.Reader, re *regexp.Regexp) iter.Seq2[s3Record, error] {
-	return func(yield func(s3Record, error) bool) {
+func scan(r io.Reader, re *regexp.Regexp) iter.Seq2[string, error] {
+	return func(yield func(string, error) bool) {
 		scanner := NewScanner(r, re)
 		for scanner.Scan() {
 			message := strings.ToValidUTF8(scanner.Text(), "")
-			if !yield(s3Record{Message: message}, nil) {
+			if !yield(message, nil) {
 				return
 			}
 		}
 		if err := scanner.Err(); err != nil {
-			yield(s3Record{}, err)
+			yield("", err)
 		}
 	}
 }