AuthMonitor/src/auth_message_parser.rs at 384880497648e6acfe7f9462ad80e49876f26746 · FastAlien/AuthMonitor · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
use chrono::DateTime;

pub const DATE_FORMAT_ISO_8601: &str = "%Y-%m-%dT%H:%M:%S.%6f%:z";

pub struct AuthMessageParser {
    patterns: Vec<AuthFailedMessagePattern>,
}

struct AuthFailedMessagePattern {
    prefix: String,
    message: String,
}

impl AuthMessageParser {
    pub fn new() -> AuthMessageParser {
        let pam_message = AuthFailedMessagePattern {
            prefix: String::from("pam_unix"),
            message: String::from("authentication failure"),
        };
        let unix_chkpwd_message = AuthFailedMessagePattern {
            prefix: String::from("unix_chkpwd"),
            message: String::from("password check failed"),
        };
        return AuthMessageParser {
            patterns: vec![pam_message, unix_chkpwd_message],
        };
    }

    pub fn is_auth_failed_message(&self, message: &str) -> bool {
        for pattern in &self.patterns {
            match message.find(&pattern.prefix) {
                None => {}
                Some(prefix_position) => {
                    let message_after_prefix = &message[prefix_position + pattern.prefix.len()..];
                    if message_after_prefix.contains(&pattern.message) {
                        return true;
                    }
                }
            };
        }
        return false;
    }

    pub fn get_message_timestamp_millis(&self, message: &str) -> i64 {
        let date_time_str = message.get(0..32).unwrap_or("");
        return match DateTime::parse_from_str(date_time_str, DATE_FORMAT_ISO_8601) {
            Ok(date_time) => date_time.timestamp_millis(),
            Err(_) => 0,
        };
    }
}

#[cfg(test)]
#[path = "./auth_message_parser_tests.rs"]
mod tests;