Merge pull request #1542 from mozilla/fixup_ssh_access_pid

Fixup ssh access alert to consider pid beginning of summary

alerts/ssh_access_signreleng.py

@@ -57,11 +57,9 @@ class AlertAuthSignRelengSSH(AlertTask):
                 sourceipaddress = x['details']['sourceipaddress']
 
         targetuser = 'unknown'
-        expr = re.compile(r'Accepted publickey for ([A-Za-z0-9]+) from')
-        m = expr.match(event['_source']['summary'])
-        groups = m.groups()
-        if len(groups) > 0:
-            targetuser = groups[0]
+        found_usernames = re.findall(r'Accepted publickey for ([A-Za-z0-9]+) from', event['_source']['summary'])
+        if len(found_usernames) > 0:
+            targetuser = found_usernames[0]
 
         summary = 'SSH login from {0} on {1} as user {2}'.format(sourceipaddress, targethost, targetuser)
         return self.createAlertDict(summary, category, tags, [event], severity, ircchannel=self.config['ircchannel'])

tests/alerts/test_ssh_access_signreleng.py

@@ -142,3 +142,13 @@ class TestAlertSSHAccessSignReleng(AlertTestSuite):
             events=[event],
         )
     )
+
+    event = AlertTestSuite.create_event(default_event)
+    event['_source']['summary'] = '[12345] Accepted publickey for ttesterson from 1.2.3.4 port 39190 ssh2'
+    test_cases.append(
+        PositiveAlertTestCase(
+            description="Positive test case with processid at beginning of summary",
+            events=[event],
+            expected_alert=default_alert
+        )
+    )