Add tag to alarm and policy

Author: canyara

alarm/Alarm.js

@@ -242,7 +242,7 @@ class NewDeviceAlarm extends Alarm {
   }
 
   keysToCompareForDedup() {
-    return ["p.device.mac", "p.intf.id", "p.tags"];
+    return ["p.device.mac", "p.intf.id", "p.tag.ids"];
   }
 
   localizedNotificationContentArray() {
@@ -256,7 +256,7 @@ class DeviceBackOnlineAlarm extends Alarm {
   }
 
   keysToCompareForDedup() {
-    return ["p.device.mac", "p.intf.id", "p.tags"];
+    return ["p.device.mac", "p.intf.id", "p.tag.ids"];
   }
 
   localizedNotificationContentArray() {
@@ -273,7 +273,7 @@ class DeviceOfflineAlarm extends Alarm {
   }
 
   keysToCompareForDedup() {
-    return ["p.device.mac", "p.intf.id", "p.tags"];
+    return ["p.device.mac", "p.intf.id", "p.tag.ids"];
   }
 
   localizedNotificationContentArray() {
@@ -287,7 +287,7 @@ class SpoofingDeviceAlarm extends Alarm {
   }
 
   keysToCompareForDedup() {
-    return ["p.device.mac", "p.device.name", "p.device.ip", "p.intf.id", "p.tags"];
+    return ["p.device.mac", "p.device.name", "p.device.ip", "p.intf.id", "p.tag.ids"];
   }
 
   localizedNotificationContentArray() {
@@ -570,9 +570,9 @@ class IntelAlarm extends Alarm {
   keysToCompareForDedup() {
     const url = this["p.dest.url"];
     if (url) {
-      return ["p.device.mac", "p.dest.name", "p.dest.url", "p.dest.port", "p.intf.id", "p.tags"];
+      return ["p.device.mac", "p.dest.name", "p.dest.url", "p.dest.port", "p.intf.id", "p.tag.ids"];
     }
-    return ["p.device.mac", "p.dest.name", "p.dest.port", "p.intf.id", "p.tags"];
+    return ["p.device.mac", "p.dest.name", "p.dest.port", "p.intf.id", "p.tag.ids"];
   }
 
   localizedNotificationContentKey() {
@@ -647,7 +647,7 @@ class OutboundAlarm extends Alarm {
   }
 
   keysToCompareForDedup() {
-    return ["p.device.mac", "p.dest.id", "p.intf.id", "p.tags"];
+    return ["p.device.mac", "p.dest.id", "p.intf.id", "p.tag.ids"];
   }
 
   isDup(alarm) {

alarm/AlarmManager2.js

@@ -1149,8 +1149,14 @@ module.exports = class {
             p.scope = [info.device];
           }
 
+          p.tag = [];
           if (info.intf) {
-            p.tag = [Policy.INTF_PREFIX + info.intf]; // or use tag array
+            p.tag.push(Policy.INTF_PREFIX + info.intf); // or use tag array
+          }
+
+          //@TODO need support array?
+          if (info.tag) {
+            p.tag.push(Policy.TAG_PREFIX + info.tag);
           }
 
           if (info.category) {
@@ -1624,7 +1630,14 @@ module.exports = class {
       e["p.device.mac"] = userInput.device; // limit exception to a single device
     }
     if (userInput && userInput.intf) {
-      e["intf.id"] = userInput.intf;
+      e["p.intf.id"] = userInput.intf;
+    }
+    if (userInput && userInput.tag) {
+      if (_.isArray(userInput.tag)) {
+        e["p.tag.ids"] = userInput.tag;
+      } else if (_.isString(userInput.tag)) {
+        e["p.tag.ids"] = [userInput.tag];
+      }
     }
     log.info("Exception object:", e);
     return e;

alarm/Exception.js

@@ -146,6 +146,14 @@ module.exports = class {
         }
       }
 
+      if (key === "p.tag.ids") {
+        const intersect = _.intersection(val, val2);
+        if (_.difference(intersect, val2).length == 0) {
+          matched = true;
+          continue;
+        }
+      }
+
       if(val.startsWith("*.")) {
         // use glob matching
         if(!minimatch(val2, val) && // NOT glob match

alarm/Policy.js

@@ -194,6 +194,22 @@ class Policy {
       return false; // tag not match
     }
 
+    if (
+      this.tag &&
+      _.isArray(this.tag) &&
+      !_.isEmpty(this.tag) &&
+      _.has(alarm, 'p.tag.ids') &&
+      !_.isEmpty(alarm['p.tag.ids'])
+      )
+    ) {
+      for (let index = 0; index < alarm['p.tag.ids'].length; index++) {
+        const tag = alarm['p.tag.ids'][index];
+        if (this.tag.includes(Policy.TAG_PREFIX + tag)) {
+          return false;
+        }
+      }
+    }
+
     // for each policy type
     switch (this.type) {
       case "ip":
@@ -295,5 +311,6 @@ class Policy {
 }
 
 Policy.INTF_PREFIX = "intf:";
+Policy.TAG_PREFIX = "tag:";
 
 module.exports = Policy

hook/DeviceHook.js

@@ -633,7 +633,7 @@ class DeviceHook extends Hook {
             "p.device.mac": host.mac,
             "p.device.vendor": host.macVendor,
             "p.intf.id": host.intf ? host.intf : "",
-            "p.tags": _.isEmpty(host.tags) ? [] : host.tags
+            "p.tag.ids": _.isEmpty(host.tags) ? [] : host.tags
           });
         am2.enqueueAlarm(alarm);
         break;
@@ -647,7 +647,7 @@ class DeviceHook extends Hook {
             "p.device.mac": host.mac,
             "p.device.vendor": host.macVendor,
             "p.intf.id": host.intf ? host.intf : "",
-            "p.tags": _.isEmpty(host.tags) ? [] : host.tags
+            "p.tag.ids": _.isEmpty(host.tags) ? [] : host.tags
           });
         am2.enqueueAlarm(alarm);
         break;
@@ -662,7 +662,7 @@ class DeviceHook extends Hook {
             "p.device.vendor": host.macVendor,
             "p.device.lastSeen": host.lastActiveTimestamp,
             "p.intf.id": host.intf ? host.intf : "",
-            "p.tags": _.isEmpty(host.tags) ? [] : host.tags
+            "p.tag.ids": _.isEmpty(host.tags) ? [] : host.tags
           });
         am2.enqueueAlarm(alarm);
         break;
@@ -676,7 +676,7 @@ class DeviceHook extends Hook {
             "p.device.mac": host.mac,
             "p.device.vendor": host.macVendor,
             "p.intf.id": host.intf ? host.intf : "",
-            "p.tags": _.isEmpty(host.tags) ? [] : host.tags
+            "p.tag.ids": _.isEmpty(host.tags) ? [] : host.tags
           });
         am2.enqueueAlarm(alarm);
         break;

intel/TagsInfoIntel.js

@@ -22,22 +22,23 @@ const tagManager = require('../net2/TagManager.js');
 
 class TagsInfoIntel extends Intel {
     async enrichAlarm(alarm) {
-        if (_.has(alarm, 'p.tags')) {
-            let tags = [];
-            for (let index = 0; index < alarm['p.tags'].length; index++) {
-                const tagUid = alarm['p.tags'][index];
+        if (_.has(alarm, 'p.tag.ids')) {
+            let names = [];
+            for (let index = 0; index < alarm['p.tag.ids'].length; index++) {
+                const tagUid = alarm['p.tag.ids'][index];
                 const tagInfo = tagManager.getTagByUid(tagUid);
-                if (condition) {
-                    tags.push({ uid: tagUid, name: tagInfo.getTagName() });
+                if (tagInfo) {
+                    names.push({ uid: tagUid, name: tagInfo.getTagName() });
                 }
             }
 
-            alarm['p.tags'] = tags;
+            Object.assign(alarm, {
+                'p.tag.names': names
+            });
         }
 
         return alarm;
     }
-
 }
 
 module.exports = IntfInfoIntel

monitor/FlowMonitor.js

@@ -74,7 +74,7 @@ function alarmBootstrap(flow) {
     "p.dest.ip": flow.dh,
     "p.dest.port": flow.dp,
     "p.intf.id": flow.intf,
-    "p.tags": flow.tags
+    "p.tag.ids": flow.tags
   }
 }
 
@@ -749,7 +749,7 @@ module.exports = class FlowMonitor {
         "p.local_is_client": direction == 'in' ? "1" : "0", // connection is initiated from local
         "p.flow": JSON.stringify(flow),
         "p.intf.id": flow.intf,
-        "p.tags": flow.tags
+        "p.tag.ids": flow.tags
       });
 
       // ideally each destination should have a unique ID, now just use hostname as a workaround
@@ -965,7 +965,7 @@ module.exports = class FlowMonitor {
       "e.dest.ports": this.getRemotePorts(flowObj),
       "p.from": intelObj.from,
       "p.intf.id": flowObj.intf,
-      "p.tags": flowObj.tags
+      "p.tag.ids": flowObj.tags
     };
 
     this.updateURLPart(alarmPayload, flowObj);
@@ -1046,7 +1046,7 @@ module.exports = class FlowMonitor {
       "e.device.ports": this.getDevicePorts(flowObj),
       "e.dest.ports": this.getRemotePorts(flowObj),
       "p.intf.id": flowObj.intf,
-      "p.tags": flowObj.tags
+      "p.tag.ids": flowObj.tags
     };
 
     this.updateURLPart(alarmPayload, flowObj);