Merge pull request #2378 from alphagov/remove-splunk

Remove code related to sending EventLog to Splunk

Gemfile

@@ -14,7 +14,6 @@ gem "devise-encryptable"
 gem "devise_invitable"
 gem "devise_zxcvbn", "~> 1.1"
 gem "doorkeeper"
-gem "faraday"
 gem "json"
 gem "kaminari"
 gem "kubeclient"

Gemfile.lock

@@ -77,7 +77,6 @@ GEM
     ast (2.4.2)
     autoprefixer-rails (10.4.7.0)
       execjs (~> 2)
-    base64 (0.1.1)
     bcrypt (3.1.18)
     better_errors (2.10.1)
       erubi (>= 1.0.0)
@@ -147,11 +146,6 @@ GEM
     factory_bot_rails (6.2.0)
       factory_bot (~> 6.2.0)
       railties (>= 5.0.0)
-    faraday (2.7.11)
-      base64
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
     ffi (1.15.5)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
@@ -731,7 +725,6 @@ DEPENDENCIES
   devise_zxcvbn (~> 1.1)
   doorkeeper
   factory_bot_rails
-  faraday
   gds-api-adapters
   govuk_admin_template
   govuk_app_config

app/models/event_log.rb

@@ -85,29 +85,6 @@ def ip_address_string
     self.class.convert_integer_to_ip_address(ip_address)
   end
 
-  def send_to_splunk(*)
-    return unless self.class.splunk_endpoint_enabled?
-
-    event = {
-      timestamp: created_at.utc,
-      app: application&.name,
-      object_id: id,
-      user: initiator&.name || user_email_string,
-      user_uid: uid,
-      src_ip: (ip_address_string if ip_address.present?),
-      action: self.event,
-      result: trailing_message,
-      http_user_agent: user_agent_as_string,
-    }
-
-    conn = Faraday.new(ENV["SPLUNK_EVENT_LOG_ENDPOINT_URL"])
-    conn.post do |request|
-      request.headers["Content-Type"] = "application/json"
-      request.headers["Authorization"] = "Splunk #{ENV['SPLUNK_EVENT_LOG_ENDPOINT_HEC_TOKEN']}"
-      request.body = { event: }.to_json
-    end
-  end
-
   def self.record_event(user, event, options = {})
     if options[:ip_address]
       options[:ip_address] = convert_ip_address_to_integer(options[:ip_address])
@@ -117,13 +94,7 @@ def self.record_event(user, event, options = {})
       event_id: event.id,
     }.merge!(options.slice(*VALID_OPTIONS))
 
-    event_log_entry = EventLog.create!(attributes)
-
-    if splunk_endpoint_enabled?
-      SplunkLogStreamingJob.perform_later(event_log_entry.id)
-    end
-
-    event_log_entry
+    EventLog.create!(attributes)
   end
 
   def self.record_email_change(user, email_was, email_is, initiator = user)
@@ -157,10 +128,6 @@ def self.convert_integer_to_ip_address(integer)
     end
   end
 
-  def self.splunk_endpoint_enabled?
-    ENV["SPLUNK_EVENT_LOG_ENDPOINT_URL"] && ENV["SPLUNK_EVENT_LOG_ENDPOINT_HEC_TOKEN"]
-  end
-
 private
 
   def validate_event_mappable

docs/environment-variables.md

@@ -39,10 +39,3 @@ Used to configure Google Analytics in the new `app/views/layouts/admin_layout.ht
 Used to configure `GovukAdminTemplate` and in `Healthcheck::ApiTokens#expiring_tokens`.
 
 * `GOVUK_ENVIRONMENT_NAME`
-
-## Splunk
-
-Used to stream event logs to Splunk for analysis of Signon usage patterns and anomalies.
-
-* `SPLUNK_EVENT_LOG_ENDPOINT_HEC_TOKEN`
-* `SPLUNK_EVENT_LOG_ENDPOINT_URL`

test/models/event_log_test.rb

@@ -130,79 +130,4 @@ class EventLogTest < ActiveSupport::TestCase
     assert_equal admin, event_log.initiator
     assert_equal EventLog::ACCOUNT_INVITED, event_log.entry
   end
-
-  context "when Splunk endpoint enabled" do
-    setup do
-      EventLog.stubs(:splunk_endpoint_enabled?).returns(true)
-    end
-
-    should "queue job to send event to Splunk endpoint" do
-      SplunkLogStreamingJob.expects(:perform_later)
-      EventLog.record_event(build(:user), EventLog::SUCCESSFUL_LOGIN)
-    end
-  end
-
-  context "when Splunk endpoint disabled" do
-    setup do
-      EventLog.stubs(:splunk_endpoint_enabled?).returns(false)
-    end
-
-    should "not queue job to send event to Splunk endpoint" do
-      SplunkLogStreamingJob.expects(:perform_later).never
-      EventLog.record_event(build(:user), EventLog::SUCCESSFUL_LOGIN)
-    end
-  end
-
-  context "when Splunk endpoint enabled" do
-    setup do
-      EventLog.stubs(:splunk_endpoint_enabled?).returns(true)
-    end
-
-    should "send event to Splunk endpoint" do
-      ClimateControl.modify(
-        SPLUNK_EVENT_LOG_ENDPOINT_URL: "http://example.com/splunk",
-        SPLUNK_EVENT_LOG_ENDPOINT_HEC_TOKEN: "hec-token",
-      ) do
-        request = stub_request(:post, "http://example.com/splunk")
-        event_log = create(:event_log)
-        event_log.send_to_splunk
-        assert_requested request
-      end
-    end
-  end
-
-  context "when Splunk endpoint disabled" do
-    setup do
-      EventLog.stubs(:splunk_endpoint_enabled?).returns(false)
-    end
-
-    should "not send event to Splunk endpoint" do
-      request = stub_request(:post, "http://example.com/splunk")
-      event_log = create(:event_log)
-      event_log.send_to_splunk
-      assert_not_requested request
-    end
-  end
-
-  context "when Splunk-related env vars are defined" do
-    should "return true for splunk_endpoint_enabled?" do
-      ClimateControl.modify(
-        SPLUNK_EVENT_LOG_ENDPOINT_URL: "url",
-        SPLUNK_EVENT_LOG_ENDPOINT_HEC_TOKEN: "hec-token",
-      ) do
-        assert EventLog.splunk_endpoint_enabled?
-      end
-    end
-  end
-
-  context "when Splunk-related env vars are not defined" do
-    should "return false for splunk_endpoint_enabled?" do
-      ClimateControl.modify(
-        SPLUNK_EVENT_LOG_ENDPOINT_URL: nil,
-        SPLUNK_EVENT_LOG_ENDPOINT_HEC_TOKEN: nil,
-      ) do
-        assert_not EventLog.splunk_endpoint_enabled?
-      end
-    end
-  end
 end