Add forwarder plugin for federated Alerta (alerta#1161)

* Add alerts and action forwarder plugin for federated setups

* Add tests for forwarder plugin

Author: satterly

.isort.cfg

@@ -1,2 +1,2 @@
 [settings]
-known_third_party = blinker,bson,click,flask,flask_compress,flask_cors,itsdangerous,jwt,ldap,mohawk,pkg_resources,psycopg2,pymongo,pyparsing,pytz,requests,requests_mock,saml2,sentry_sdk,setuptools,werkzeug,yaml
+known_third_party = blinker,bson,click,flask,flask_compress,flask_cors,itsdangerous,jwt,ldap,mohawk,pkg_resources,psycopg2,pymongo,pyparsing,pytz,requests,requests_hawk,requests_mock,saml2,sentry_sdk,setuptools,werkzeug,yaml

.pre-commit-config.yaml

@@ -17,7 +17,6 @@ repos:
     -   id: debug-statements
     -   id: double-quote-string-fixer
     -   id: end-of-file-fixer
-    -   id: flake8
     -   id: fix-encoding-pragma
         args: ['--remove']
     -   id: pretty-format-json
@@ -26,6 +25,10 @@ repos:
         args: ['--django']
     -   id: requirements-txt-fixer
     -   id: trailing-whitespace
+-   repo: https://gitlab.com/pycqa/flake8
+    rev: 3.7.7
+    hooks:
+    -   id: flake8
 -   repo: https://github.com/asottile/pyupgrade
     rev: v1.27.0
     hooks:

alerta/auth/hmac.py

@@ -3,7 +3,13 @@
 
 
 def get_credentials(key_id: str):
-    credentials_map = {creds['id']: creds for creds in current_app.config['HMAC_AUTH_CREDENTIALS']}
+    credentials_map = {
+        creds['key']: dict(
+            id=creds['key'],  # access_key
+            key=creds['secret'],  # secret_key
+            algorithm=creds.get('algorithm', 'sha256')
+        ) for creds in current_app.config['HMAC_AUTH_CREDENTIALS']}
+
     if key_id in credentials_map:
         return credentials_map[key_id]
     else:

alerta/exceptions.py

@@ -33,6 +33,11 @@ class BlackoutPeriod(AlertaException):
     pass
 
 
+class ForwardingLoop(AlertaException):
+    """Forwarding loop detected."""
+    pass
+
+
 class InvalidAction(AlertaException):
     """Invalid or redundant action for the current alert status."""
     pass

alerta/plugins/forwarder.py

@@ -0,0 +1,124 @@
+import logging
+from typing import TYPE_CHECKING, Any, Optional
+
+from flask import request
+
+from alerta.exceptions import ForwardingLoop
+from alerta.plugins import PluginBase
+from alerta.utils.client import Client
+from alerta.utils.response import base_url
+
+if TYPE_CHECKING:
+    from alerta.models.alert import Alert  # noqa
+
+
+LOG = logging.getLogger('alerta.plugins.forwarder')
+
+X_LOOP_HEADER = 'X-Alerta-Loop'
+
+
+def append_to_header(origin):
+    x_loop = request.headers.get(X_LOOP_HEADER)
+    return origin if not x_loop else '{},{}'.format(x_loop, origin)
+
+
+def is_in_xloop(server):
+    x_loop = request.headers.get(X_LOOP_HEADER)
+    return server in x_loop if server and x_loop else False
+
+
+class Forwarder(PluginBase):
+    """
+    Alert and action forwarder for federated Alerta deployments
+    See https://docs.alerta.io/en/latest/federated.html
+    """
+
+    def pre_receive(self, alert: 'Alert', **kwargs) -> 'Alert':
+
+        if is_in_xloop(base_url()):
+            http_origin = request.origin or '(unknown)'
+            raise ForwardingLoop('Alert forwarded by {} already processed by {}'.format(http_origin, base_url()))
+        return alert
+
+    def post_receive(self, alert: 'Alert', **kwargs) -> Optional['Alert']:
+
+        for remote, auth, actions in self.get_config('FWD_DESTINATIONS', default=[], type=list, **kwargs):
+            if is_in_xloop(remote):
+                LOG.debug('Forward [action=alerts]: {} ; Remote {} already processed alert. Skip.'.format(alert.id, remote))
+                continue
+            if not ('*' in actions or 'alerts' in actions):
+                LOG.debug('Forward [action=alerts]: {} ; Remote {} not configured for alerts. Skip.'.format(alert.id, remote))
+                continue
+
+            headers = {X_LOOP_HEADER: append_to_header(base_url())}
+            client = Client(endpoint=remote, headers=headers, **auth)
+
+            LOG.info('Forward [action=alerts]: {} ; {} -> {}'.format(alert.id, base_url(), remote))
+            try:
+                r = client.send_alert(**alert.get_body())
+            except Exception as e:
+                LOG.warning('Forward [action=alerts]: {} ; Failed to forward alert to {} - {}'.format(alert.id, remote, str(e)))
+                continue
+            LOG.debug('Forward [action=alerts]: {} ; [{}] {}'.format(alert.id, r.status_code, r.text))
+
+        return alert
+
+    def status_change(self, alert: 'Alert', status: str, text: str, **kwargs) -> Any:
+        return
+
+    def take_action(self, alert: 'Alert', action: str, text: str, **kwargs) -> Any:
+
+        if is_in_xloop(base_url()):
+            http_origin = request.origin or '(unknown)'
+            raise ForwardingLoop('Action {} forwarded by {} already processed by {}'.format(
+                action, http_origin, base_url())
+            )
+
+        for remote, auth, actions in self.get_config('FWD_DESTINATIONS', default=[], type=list, **kwargs):
+            if is_in_xloop(remote):
+                LOG.debug('Forward [action={}]: {} ; Remote {} already processed action. Skip.'.format(action, alert.id, remote))
+                continue
+            if not ('*' in actions or 'actions' in actions or action in actions):
+                LOG.debug('Forward [action={}]: {} ; Remote {} not configured for action. Skip.'.format(action, alert.id, remote))
+                continue
+
+            headers = {X_LOOP_HEADER: append_to_header(base_url())}
+            client = Client(endpoint=remote, headers=headers, **auth)
+
+            LOG.info('Forward [action={}]: {} ; {} -> {}'.format(action, alert.id, base_url(), remote))
+            try:
+                r = client.action(alert.id, action, text)
+            except Exception as e:
+                LOG.warning('Forward [action={}]: {} ; Failed to action alert on {} - {}'.format(action, alert.id, remote, str(e)))
+                continue
+            LOG.debug('Forward [action={}]: {} ; [{}] {}'.format(action, alert.id, r.status_code, r.text))
+
+        return alert
+
+    def delete(self, alert: 'Alert', **kwargs) -> bool:
+
+        if is_in_xloop(base_url()):
+            http_origin = request.origin or '(unknown)'
+            raise ForwardingLoop('Delete forwarded by {} already processed by {}'.format(http_origin, base_url()))
+
+        for remote, auth, actions in self.get_config('FWD_DESTINATIONS', default=[], type=list, **kwargs):
+            print('{} actions={}'.format(remote, actions))
+            if is_in_xloop(remote):
+                LOG.debug('Forward [action=delete]: {} ; Remote {} already processed delete. Skip.'.format(alert.id, remote))
+                continue
+            if not ('*' in actions or 'delete' in actions):
+                LOG.debug('Forward [action=delete]: {} ; Remote {} not configured for deletes. Skip.'.format(alert.id, remote))
+                continue
+
+            headers = {X_LOOP_HEADER: append_to_header(base_url())}
+            client = Client(endpoint=remote, headers=headers, **auth)
+
+            LOG.info('Forward [action=delete]: {} ; {} -> {}'.format(alert.id, base_url(), remote))
+            try:
+                r = client.delete_alert(alert.id)
+            except Exception as e:
+                LOG.warning('Forward [action=delete]: {} ; Failed to delete alert on {} - {}'.format(alert.id, remote, str(e)))
+                continue
+            LOG.debug('Forward [action=delete]: {} ; [{}] {}'.format(alert.id, r.status_code, r.text))
+
+        return True  # always continue with local delete even if remote delete(s) fail

alerta/settings.py

@@ -6,7 +6,7 @@
 #
 # Further information on settings can be found at https://docs.alerta.io
 
-from typing import Any, Dict, List  # noqa
+from typing import Any, Dict, List, Tuple  # noqa
 
 DEBUG = False
 
@@ -71,8 +71,8 @@
 
 HMAC_AUTH_CREDENTIALS = [
     # {
-    #     'id': 'AKID001',  # access key id
-    #     'key': 'supersecret',  # secret key
+    #     'id': '',  # access key id  => $ uuidgen | tr '[:upper:]' '[:lower:]'
+    #     'key': '',  # secret key => $ date | md5 | base64
     #     'algorithm': 'sha256'  # valid hmac algorithm eg. sha256, sha384, sha512
     # }
 ]  # type: List[Dict[str, Any]]
@@ -206,7 +206,7 @@
 AUTO_REFRESH_INTERVAL = 5000  # ms
 
 # Plugins
-PLUGINS = ['remote_ip', 'reject', 'heartbeat', 'blackout']
+PLUGINS = ['remote_ip', 'reject', 'heartbeat', 'blackout', 'forwarder']
 PLUGINS_RAISE_ON_ERROR = True  # raise RuntimeError exception on first failure
 
 # reject plugin settings
@@ -219,3 +219,14 @@
 NOTIFICATION_BLACKOUT = False  # True - set alert status=blackout, False - do not process alert (default)
 BLACKOUT_ACCEPT = []  # type: List[str]
 # BLACKOUT_ACCEPT = ['normal', 'ok', 'cleared']  # list of severities accepted during blackout period
+
+# northbound interface
+FWD_DESTINATIONS = [
+    # ('http://localhost:9000', {'username': 'user', 'password': 'pa55w0rd', 'timeout': 10}, ['alerts', 'actions']),  # BasicAuth
+    # ('https://httpbin.org/anything', dict(username='foo', password='bar', ssl_verify=False), ['alerts', 'actions']),
+    # ('http://localhost:9000', {'key': 'access-key', 'secret': 'secret-key'}, ['alerts', 'actions']),  # Hawk HMAC
+    # ('http://localhost:9000', {'key': 'my-api-key'}, ['alerts', 'actions']),  # API key
+    # ('http://localhost:9000', {'token': 'bearer-token'}, ['alerts', 'actions']),  # Bearer token
+]  # type: List[Tuple]
+
+# valid actions=['*', 'alerts', 'actions', 'open', 'assign', 'ack', 'unack', 'shelve', 'unshelve', 'close', 'delete']

alerta/utils/api.py

@@ -4,8 +4,8 @@
 from flask import current_app, g
 
 from alerta.app import plugins
-from alerta.exceptions import (ApiError, BlackoutPeriod, HeartbeatReceived,
-                               RateLimit, RejectException)
+from alerta.exceptions import (ApiError, BlackoutPeriod, ForwardingLoop,
+                               HeartbeatReceived, RateLimit, RejectException)
 from alerta.models.alert import Alert
 from alerta.models.enums import Scope
 
@@ -40,7 +40,7 @@ def process_alert(alert: Alert) -> Alert:
             alert = plugin.pre_receive(alert, config=wanted_config)
         except TypeError:
             alert = plugin.pre_receive(alert)  # for backward compatibility
-        except (RejectException, HeartbeatReceived, BlackoutPeriod, RateLimit):
+        except (RejectException, HeartbeatReceived, BlackoutPeriod, RateLimit, ForwardingLoop):
             raise
         except Exception as e:
             if current_app.config['PLUGINS_RAISE_ON_ERROR']:
@@ -97,23 +97,21 @@ def process_action(alert: Alert, action: str, text: str, timeout: int) -> Tuple[
             updated = plugin.take_action(alert, action, text, timeout=timeout, config=wanted_config)
         except NotImplementedError:
             pass  # plugin does not support action() method
-        except RejectException:
+        except (RejectException, ForwardingLoop):
             raise
         except Exception as e:
             if current_app.config['PLUGINS_RAISE_ON_ERROR']:
                 raise ApiError("Error while running action plugin '{}': {}".format(plugin.name, str(e)))
             else:
                 logging.error("Error while running action plugin '{}': {}".format(plugin.name, str(e)))
-        if updated:
-            try:
-                if len(updated) == 3:
-                    alert, action, text = updated
-                elif len(updated) == 4:
-                    alert, action, text, timeout = updated
-                else:
-                    alert = updated
-            except Exception as e:
-                logging.error("Error while running action plugin '{}': {}".format(plugin.name, str(e)))
+
+        if isinstance(updated, Alert):
+            updated = updated, action, text, timeout
+        if isinstance(updated, tuple):
+            if len(updated) == 4:
+                alert, action, text, timeout = updated
+            elif len(updated) == 3:
+                alert, action, text = updated
 
     # remove keys from attributes with None values
     new_attrs = {k: v for k, v in alert.attributes.items() if v is not None}