CLOUDP-97443: add access tracking to the atlas go client (#241)

Author: andreaangiolillo

mongodbatlas/access_tracking.go

@@ -0,0 +1,131 @@
+// Copyright 2021 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mongodbatlas
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+)
+
+const accessTrackingBasePath = "api/atlas/v1.0/groups/%s/dbAccessHistory"
+
+// AccessTrackingService is an interface for interfacing with the Access Tracking endpoints of the MongoDB Atlas API.
+//
+// See more: https://docs.atlas.mongodb.com/reference/api/access-tracking/
+type AccessTrackingService interface {
+	ListByCluster(context.Context, string, string, *AccessLogOptions) (*AccessLogSettings, *Response, error)
+	ListByHostname(context.Context, string, string, *AccessLogOptions) (*AccessLogSettings, *Response, error)
+}
+
+// AccessTrackingServiceOp handles communication with the AccessTrackingService related methods of the
+// MongoDB Atlas API.
+type AccessTrackingServiceOp service
+
+var _ AccessTrackingService = &AccessTrackingServiceOp{}
+
+// AccessLogOptions represents the query options of AccessTrackingService.List.
+type AccessLogOptions struct {
+	Start      string `url:"start,omitempty"`      // Start is the timestamp in the number of milliseconds that have elapsed since the UNIX epoch for the first entry that Atlas returns from the database access logs.
+	End        string `url:"end,omitempty"`        // End is the timestamp in the number of milliseconds that have elapsed since the UNIX epoch for the last entry that Atlas returns from the database access logs.
+	NLogs      int    `url:"nLogs,omitempty"`      // NLogs is the maximum number of log entries to return. Atlas accepts values between 0 and 20000, inclusive.
+	IPAddress  string `url:"ipAddress,omitempty"`  // IPAddress is the single IP address that attempted to authenticate with the database. Atlas filters the returned logs to include documents with only this IP address.
+	AuthResult *bool  `url:"authResult,omitempty"` // AuthResult indicates whether to return either successful or failed authentication attempts. When set to true, Atlas filters the log to return only successful authentication attempts. When set to false, Atlas filters the log to return only failed authentication attempts.
+}
+
+// AccessLogs represents authentication attempts made against the cluster.
+type AccessLogs struct {
+	GroupID       string `json:"groupId,omitempty"`       // GroupID is the unique identifier for the project.
+	Hostname      string `json:"hostname,omitempty"`      // Hostname is the hostname of the target node that received the authentication attempt.
+	ClusterName   string `json:"clusterName,omitempty"`   // ClusterName is the name associated with the cluster.
+	IPAddress     string `json:"ipAddress,omitempty"`     // IPAddress is the IP address that the authentication attempt originated from.
+	AuthResult    *bool  `json:"authResult,omitempty"`    // AuthResult is the result of the authentication attempt. Returns true if the authentication request was successful. Returns false if the authentication request resulted in failure.
+	LogLine       string `json:"logLine,omitempty"`       // LogLine is the text of the server log concerning the authentication attempt.
+	Timestamp     string `json:"timestamp,omitempty"`     // Timestamp is the UTC timestamp of the authentication attempt.
+	Username      string `json:"username,omitempty"`      // Username is the username that attempted to authenticate.
+	FailureReason string `json:"failureReason,omitempty"` // FailureReason is the reason that the request failed to authenticate. Returns null if the authentication request was successful.
+	AuthSource    string `json:"authSource,omitempty"`    // AuthSource is the database that the request attempted to authenticate against. Returns admin if the authentication source for the user is SCRAM-SHA. Returns $external if the authentication source for the user is LDAP.
+}
+
+// AccessLogSettings represents database access history settings.
+type AccessLogSettings struct {
+	AccessLogs []*AccessLogs `json:"accessLogs,omitempty"` // AccessLogs contains the authentication attempts made against the cluster.
+}
+
+// ListByCluster retrieves the access logs of a cluster by hostname.
+//
+// See more: https://docs.atlas.mongodb.com/reference/api/access-tracking-get-database-history-hostname/
+func (s *AccessTrackingServiceOp) ListByCluster(ctx context.Context, groupID, clusterName string, opts *AccessLogOptions) (*AccessLogSettings, *Response, error) {
+	if groupID == "" {
+		return nil, nil, NewArgError("groupID", "must be set")
+	}
+
+	if clusterName == "" {
+		return nil, nil, NewArgError("clusterName", "must be set")
+	}
+
+	basePath := fmt.Sprintf(accessTrackingBasePath, groupID)
+	path := fmt.Sprintf("%s/clusters/%s", basePath, clusterName)
+	path, err := setListOptions(path, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	req, err := s.Client.NewRequest(ctx, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var root *AccessLogSettings
+	resp, err := s.Client.Do(ctx, req, &root)
+	if err != nil {
+		return nil, resp, err
+	}
+
+	return root, resp, nil
+}
+
+// ListByHostname retrieves the access logs of a cluster by hostname.
+//
+// See more: https://docs.atlas.mongodb.com/reference/api/access-tracking-get-database-history-hostname/
+func (s *AccessTrackingServiceOp) ListByHostname(ctx context.Context, groupID, hostname string, opts *AccessLogOptions) (*AccessLogSettings, *Response, error) {
+	if groupID == "" {
+		return nil, nil, NewArgError("groupID", "must be set")
+	}
+
+	if hostname == "" {
+		return nil, nil, NewArgError("hostname", "must be set")
+	}
+
+	basePath := fmt.Sprintf(accessTrackingBasePath, groupID)
+	path := fmt.Sprintf("%s/processes/%s", basePath, hostname)
+	path, err := setListOptions(path, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	req, err := s.Client.NewRequest(ctx, http.MethodGet, path, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var root *AccessLogSettings
+	resp, err := s.Client.Do(ctx, req, &root)
+	if err != nil {
+		return nil, resp, err
+	}
+
+	return root, resp, nil
+}

mongodbatlas/access_tracking_test.go

@@ -0,0 +1,185 @@
+// Copyright 2021 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mongodbatlas
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/go-test/deep"
+)
+
+func TestAccessTracking_ListByCluster(t *testing.T) {
+	client, mux, teardown := setup()
+	defer teardown()
+
+	mux.HandleFunc(fmt.Sprintf("/api/atlas/v1.0/groups/%s/dbAccessHistory/clusters/%s", groupID, clusterName), func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, http.MethodGet)
+		fmt.Fprint(w, `{
+			  "accessLogs": [
+					{
+					  "authResult": true,
+					  "authSource": "admin",
+					  "groupId": "1",
+					  "hostname": "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+					  "clusterName": "globalCluster",
+					  "ipAddress": "123.45.0.1",
+					  "logLine": "2019-07-25T19:14:42.484+0000 I  ACCESS   [conn2167] Successfully authenticated as principal jon-snow on admin from client 123.45.0.1:8080",
+					  "timestamp": "Sun Jul 25 9:14:42 EDT 2019",
+					  "username": "jon-snow"
+					},
+					{
+					  "authResult": true,
+					  "authSource": "admin",
+					  "failureReason": "UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+					  "groupId": "1",
+					  "hostname": "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+					  "clusterName": "globalCluster",
+					  "ipAddress": "123.45.2.2",
+					  "logLine": "2019-07-25T19:13:39.316+0000 I  ACCESS   [conn1893] SASL SCRAM-SHA-1 authentication failed for jane-doe on admin from client 123.45.2.2:51842 ; UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+					  "timestamp": "Sun Jul 25 9:14:42 EDT 2019",
+					  "username": "jane-doe"
+					}]
+		}`)
+	})
+	authResult := true
+	opts := &AccessLogOptions{
+		Start:      "1564064082000",
+		End:        "1564064082000",
+		NLogs:      1,
+		IPAddress:  "123.45.2.2",
+		AuthResult: &authResult,
+	}
+
+	results, _, err := client.AccessTracking.ListByCluster(ctx, groupID, clusterName, opts)
+	if err != nil {
+		t.Fatalf("AccessTracking.ListByCluster returned error: %v", err)
+	}
+
+	expected := &AccessLogSettings{
+		AccessLogs: []*AccessLogs{
+			{
+				GroupID:     "1",
+				Hostname:    "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+				ClusterName: "globalCluster",
+				IPAddress:   "123.45.0.1",
+				LogLine:     "2019-07-25T19:14:42.484+0000 I  ACCESS   [conn2167] Successfully authenticated as principal jon-snow on admin from client 123.45.0.1:8080",
+				Timestamp:   "Sun Jul 25 9:14:42 EDT 2019",
+				Username:    "jon-snow",
+				AuthSource:  "admin",
+				AuthResult:  &authResult,
+			},
+			{
+				GroupID:       "1",
+				Hostname:      "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+				ClusterName:   "globalCluster",
+				IPAddress:     "123.45.2.2",
+				LogLine:       "2019-07-25T19:13:39.316+0000 I  ACCESS   [conn1893] SASL SCRAM-SHA-1 authentication failed for jane-doe on admin from client 123.45.2.2:51842 ; UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+				Timestamp:     "Sun Jul 25 9:14:42 EDT 2019",
+				Username:      "jane-doe",
+				AuthSource:    "admin",
+				AuthResult:    &authResult,
+				FailureReason: "UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+			},
+		},
+	}
+
+	if diff := deep.Equal(results, expected); diff != nil {
+		t.Error(diff)
+	}
+}
+
+func TestAccessTracking_ListByHostname(t *testing.T) {
+	client, mux, teardown := setup()
+	defer teardown()
+
+	hostname := "cluster0-shard-00-00-c01ab.mongodb.net:27017"
+	mux.HandleFunc(fmt.Sprintf("/api/atlas/v1.0/groups/%s/dbAccessHistory/processes/%s", groupID, hostname), func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, http.MethodGet)
+		fmt.Fprint(w, `{
+			  "accessLogs": [
+					{
+					  "authResult": true,
+					  "authSource": "admin",
+					  "groupId": "1",
+					  "hostname": "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+					  "clusterName": "globalCluster",
+					  "ipAddress": "123.45.0.1",
+					  "logLine": "2019-07-25T19:14:42.484+0000 I  ACCESS   [conn2167] Successfully authenticated as principal jon-snow on admin from client 123.45.0.1:8080",
+					  "timestamp": "Sun Jul 25 9:14:42 EDT 2019",
+					  "username": "jon-snow"
+					},
+					{
+					  "authResult": true,
+					  "authSource": "admin",
+					  "failureReason": "UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+					  "groupId": "1",
+					  "hostname": "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+					  "clusterName": "globalCluster",
+					  "ipAddress": "123.45.2.2",
+					  "logLine": "2019-07-25T19:13:39.316+0000 I  ACCESS   [conn1893] SASL SCRAM-SHA-1 authentication failed for jane-doe on admin from client 123.45.2.2:51842 ; UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+					  "timestamp": "Sun Jul 25 9:14:42 EDT 2019",
+					  "username": "jane-doe"
+					}]
+		}`)
+	})
+
+	authResult := true
+	opts := &AccessLogOptions{
+		Start:      "1564064082000",
+		End:        "1564064082000",
+		NLogs:      1,
+		IPAddress:  "123.45.2.2",
+		AuthResult: &authResult,
+	}
+
+	results, _, err := client.AccessTracking.ListByHostname(ctx, groupID, hostname, opts)
+	if err != nil {
+		t.Fatalf("AccessTracking.ListByHostname returned error: %v", err)
+	}
+
+	expected := &AccessLogSettings{
+		AccessLogs: []*AccessLogs{
+			{
+				GroupID:     "1",
+				Hostname:    "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+				ClusterName: "globalCluster",
+				IPAddress:   "123.45.0.1",
+				LogLine:     "2019-07-25T19:14:42.484+0000 I  ACCESS   [conn2167] Successfully authenticated as principal jon-snow on admin from client 123.45.0.1:8080",
+				Timestamp:   "Sun Jul 25 9:14:42 EDT 2019",
+				Username:    "jon-snow",
+				AuthSource:  "admin",
+				AuthResult:  &authResult,
+			},
+			{
+				GroupID:       "1",
+				Hostname:      "cluster0-shard-00-00-c01ab.mongodb.net:27017",
+				ClusterName:   "globalCluster",
+				IPAddress:     "123.45.2.2",
+				LogLine:       "2019-07-25T19:13:39.316+0000 I  ACCESS   [conn1893] SASL SCRAM-SHA-1 authentication failed for jane-doe on admin from client 123.45.2.2:51842 ; UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+				Timestamp:     "Sun Jul 25 9:14:42 EDT 2019",
+				Username:      "jane-doe",
+				AuthSource:    "admin",
+				AuthResult:    &authResult,
+				FailureReason: "UserNotFound: Could not find user \"jane-doe\" for db \"admin\"",
+			},
+		},
+	}
+
+	if diff := deep.Equal(results, expected); diff != nil {
+		t.Error(diff)
+	}
+}

mongodbatlas/mongodbatlas.go

@@ -139,6 +139,7 @@ type Client struct {
 	AdvancedClusters                    AdvancedClustersService
 	ServerlessInstances                 ServerlessInstancesService
 	LiveMigration                       LiveMigrationService
+	AccessTracking                      AccessTrackingService
 
 	onRequestCompleted RequestCompletionCallback
 }
@@ -277,6 +278,7 @@ func NewClient(httpClient *http.Client) *Client {
 	c.AdvancedClusters = &AdvancedClustersServiceOp{Client: c}
 	c.ServerlessInstances = &ServerlessInstancesServiceOp{Client: c}
 	c.LiveMigration = &LiveMigrationServiceOp{Client: c}
+	c.AccessTracking = &AccessTrackingServiceOp{Client: c}
 
 	return c
 }