#!/usr/bin/env bash
#  vim:ts=4:sts=4:sw=4:et
#
#  Author: Hari Sekhon
#  Date: 2020-01-02 16:19:20 +0000 (Thu, 02 Jan 2020)
#
#  https://github.com/HariSekhon/DevOps-Bash-tools
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
#  https://www.linkedin.com/in/HariSekhon
#

# Script to fetch Cloudera Navigator Audit logs via API
#
# See cloudera_navigator_api.sh for base options like Navigator Host, SSL etc
#
# I've managed to crash Navigator several times both via the API and the UI trying to get access to > 1 years of historical logs
# even after increasing the heap by several GB, so I don't recommend you run more than one of these scripts at a time, and
# try to time bound it to a 1 year interval each time so it is more likely to succeed and less range to restart. I've written an
# adjacent script called cloudera_navigator_audit_download_logs.sh to manage iterating years and retrying where needed
#
# Tested on Cloudera Enterprise 5.10


# See the inline documentation for Cloudera Navigator Query filters
#
# https://$CLOUDERA_NAVIGATOR_HOST:7187/api-console/index.html#!/audits/getAudits
#
# https://$CLOUDERA_NAVIGATOR_HOST:7187/api-console/tutorial.html

# Usage:
#
#   ./cloudera_navigator_audit_logs.sh <start_date> <end_date> <query_filter> <curl_options> ...

# Examples:
#
# All logs up to now:
#
#   ./cloudera_navigator_audit_logs.sh <query> ... > navigator_audit_log.csv
#
#
# Last year of Impala queries (literally today minus 1 year right down to the second):
#
#   ./cloudera_navigator_audit_logs.sh "1 year ago" service==impala ... > navigator_audit_log_year.csv
#
#
# All Privilege Grants up to now:
#
#   ./cloudera_navigator_audit_logs.sh command==GRANT_PRIVILEGE > navigator_audit_log_grants.csv
#
#   ./cloudera_navigator_audit_logs.sh command==REVOKE_PRIVILEGE > navigator_audit_log_revokes.csv
#
#
# From Start to End Dates, all hive queries in 2019:
#
#   ./cloudera_navigator_audit_logs.sh "2019-01-01T00:00:00" "2020-01-01T00:00:00" service==hive ... > navigator_audit_log_hive_2019.csv
#
#
# All logs up to now for the Impala service, ignoring the self-signed certificate:
#
#   ./cloudera_navigator_audit_logs.sh service==impala -k > navigator_audit_log_impala.csv
#
#
# Since this can easily take an hour or two per year of logs to download, you may want to add progress dots like so:
#
#   ./cloudera_navigator_audit_logs.sh service==impala -k | ./progress_dots.sh > navigator_audit_log_impala.csv
#
#
# or if you want full curl interactive progress on stderr:
#
#   PROGRESS=1 ./cloudera_navigator_audit_logs.sh service==impala -k > navigator_audit_log_impala.csv
#
#
# XXX: looks like there is a bug in the Navigator API returning only admin commands, not data access, for when start date set to 1970-01-01T00:00:00 - workaround is to use 1970-01-01T00:00:01

set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# shellcheck source=lib/cloudera_navigator.sh
. "$srcdir/lib/utils.sh"

# shellcheck source=lib/cloudera_navigator.sh
. "$srcdir/lib/cloudera_navigator.sh"

# to use Linux's date -d switch
if is_mac; then
    date="gdate"
else
    date="date"
fi

start=""
end=""

if [[ "${1:-}" =~ ^[[:digit:]] ]]; then
    start="$1"
    shift
fi

if [[ "${1:-}" =~ ^[[:digit:]] ]]; then
    end="$1"
    shift
fi

if [ -z "$start" ]; then
    #start="1 year ago"
    # XXX: this causes Navigator API to return only admin commands and not SQL queries... weird
    #start="1970-01-01T00:00:00"
    # looks like a bug, workaround:
    start="1970-01-01T00:00:01"
fi
start_epoch_ms="$("$date" --utc -d "$start" +%s000)"

if [ -z "$end" ]; then
    end_epoch_ms="$now_timestamp"
else
    end_epoch_ms="$("$date" --utc -d "$end" +%s000)"
fi

start_date="$($date --utc -d "@${start_epoch_ms%000}")"
end_date="$($date --utc -d "@${end_epoch_ms%000}")"

# defined in lib
# shellcheck disable=SC2154
echo "fetching audit logs from  '$start_date'  to  '$end_date'" >&2

query=""
if ! [[ "${1:-}" =~ ^- ]]; then
    query="${1:-}"
    shift
fi

# don't page through this, dump as whole attachment
limit="${limit:-10000}" # max limit
offset="${offset:-0}"

# CSV format seems to default to attachment=true, ignoring limits and offsets, even when attachment=false

# default in API is JSON
#format="${format:-JSON}"  # or CSV
format=CSV  # only way to get all the records

# attachment will ignore default 10,000 limit and return all results which is what we want - seems to not work on JSON, use CSV format instead, which also seems to ignore limit & offset even with attachment=false
#"$srcdir/cloudera_navigator_api.sh" "/audits/?query=${query}&startTime=${start_epoch_ms}&endTime=${end_epoch_ms}&format=${format}&limit=$limit&offset=$offset&attachment=false" "$@"
"$srcdir/cloudera_navigator_api.sh" "/audits/?query=${query}&startTime=${start_epoch_ms}&endTime=${end_epoch_ms}&format=${format}&attachment=true" "$@"