def test_send_to_without_existing_checkpoint_writes_both_event_hashes_with_same_timestamp(
    cli_state,
    runner,
    test_audit_log_response_with_only_same_timestamps,
    audit_log_cursor_with_checkpoint,
    send_to_logger,
):
    """Two events sharing one timestamp must both end up in the checkpoint.

    The cursor fixture configures no stored event hashes, so neither event is
    filtered as already processed; after the run the second ``replace_events``
    call must carry the hashes of both events.
    """
    sdk = cli_state.sdk
    sdk.auditlogs.get_all.return_value = test_audit_log_response_with_only_same_timestamps
    command = [
        "audit-logs",
        "send-to",
        "localhost",
        "--begin",
        "1d",
        "--use-checkpoint",
        "test",
    ]
    runner.invoke(cli, command, obj=cli_state)

    replace_events = audit_log_cursor_with_checkpoint.replace_events
    assert replace_events.call_count == 2
    expected_hashes = [hash_event(TEST_EVENTS_WITH_SAME_TIMESTAMP[i]) for i in (0, 1)]
    second_call_positional_args = replace_events.call_args_list[1][0]
    assert second_call_positional_args[1] == expected_hashes
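def _dedupe_checkpointed_events_and_store_updated_checkpoint(
    cursor, checkpoint_name, events
):
    """De-duplicate events across checkpointed runs and advance the checkpoint.

    Using the timestamp of the last processed event as the ``--begin`` time of
    the next run makes that event (and any other event sharing its timestamp)
    show up again in the next result set. To filter them out, the hashes of
    every event that shares the most recent timestamp are stored in the cursor
    under ``checkpoint_name`` and checked against on the next run.

    Args:
        cursor: Cursor store exposing ``get_events``, ``replace`` and
            ``replace_events``.
        checkpoint_name: Name of the checkpoint to read from and write to.
        events: Iterable of audit-log event dicts, each carrying a
            ``"timestamp"`` key. Assumed to arrive ordered by timestamp —
            TODO confirm; the dedupe window only tracks the latest timestamp
            seen, so an out-of-order older event would reset it.

    Yields:
        Each event whose hash is not already recorded in the checkpoint.

    Notes:
        The checkpoint is written after each ``yield`` returns, i.e. only once
        the consumer has resumed, so an event interrupted mid-processing is
        re-delivered on the next run rather than silently skipped
        (at-least-once delivery).
    """
    already_processed = cursor.get_events(checkpoint_name)
    latest_timestamp = None
    latest_hashes = []
    for event in events:
        event_hash = hash_event(event)
        if event_hash in already_processed:
            continue
        if event["timestamp"] != latest_timestamp:
            # A newer timestamp starts a fresh dedupe window.
            latest_timestamp = event["timestamp"]
            latest_hashes = []
        latest_hashes.append(event_hash)
        yield event
        ts = _parse_audit_log_timestamp_string_to_timestamp(latest_timestamp)
        cursor.replace(checkpoint_name, ts)
        # Hand the store its own copy: latest_hashes keeps being appended to
        # after this call, so a store that retained the reference would see
        # the list it persisted change underneath it.
        cursor.replace_events(checkpoint_name, list(latest_hashes))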
# NOTE(review): shown here without the @pytest.fixture decorator that the
# sibling fixtures in this file carry — likely lost in extraction; confirm.
def audit_log_cursor_with_checkpoint_and_events(mocker):
    """Mocked ``AuditLogCursorStore`` holding a checkpoint and one event hash.

    ``get`` returns ``CURSOR_TIMESTAMP`` and ``get_events`` returns the hash of
    the first event in ``TEST_EVENTS_WITH_SAME_TIMESTAMP``, so a run over that
    data should treat the first event as already processed. The store factory
    in ``code42cli.cmds.auditlogs`` is patched to hand out this mock.
    """
    store = mocker.MagicMock(spec=AuditLogCursorStore)
    store.get.return_value = CURSOR_TIMESTAMP
    first_event_hash = hash_event(TEST_EVENTS_WITH_SAME_TIMESTAMP[0])
    store.get_events.return_value = [first_event_hash]
    mocker.patch(
        "code42cli.cmds.auditlogs._get_audit_log_cursor_store",
        return_value=store,
    )
    return store
        "actorName": "*****@*****.**",
        "actorAgent": "py42 python code42cli",
        "actorIpAddress": "200.100.300.42",
        "timestamp": TEST_AUDIT_LOG_TIMESTAMP_2,
    },
    {
        "type$": "audit_log::logged_in/1",
        "actorId": "45",
        "actorName": "*****@*****.**",
        "actorAgent": "py42 python code42cli",
        "actorIpAddress": "200.100.300.42",
        "timestamp": TEST_AUDIT_LOG_TIMESTAMP_3,
    },
]
# Hashes of every event in TEST_EVENTS_WITH_SAME_TIMESTAMP, i.e. what a checkpoint
# would hold once that whole batch has been processed.
TEST_CHECKPOINT_EVENT_HASHLIST = list(map(hash_event, TEST_EVENTS_WITH_SAME_TIMESTAMP))


@pytest.fixture
def audit_log_cursor_with_checkpoint(mocker):
    """Mocked ``AuditLogCursorStore`` with a stored timestamp and no event hashes.

    ``get`` returns ``CURSOR_TIMESTAMP``; ``get_events`` is left unconfigured.
    The store factory in ``code42cli.cmds.auditlogs`` is patched to return this
    mock so the command under test reads and writes its checkpoint here.
    """
    store = mocker.MagicMock(spec=AuditLogCursorStore)
    store.get.return_value = CURSOR_TIMESTAMP
    patch_target = "code42cli.cmds.auditlogs._get_audit_log_cursor_store"
    mocker.patch(patch_target, return_value=store)
    return store


@pytest.fixture
def audit_log_cursor_with_checkpoint_and_events(mocker):