#!/usr/bin/env python3

####################################################################
#
# anonymize a metricbeat dump
#
####################################################################
#
# This is a strange balance of openness and paranoia. And all hacky.
# When we see a field or log pattern we don't recognize we fail the
# processing entirely and raise an error. So that a human can look at
# the new thing and decide if it should be changed. We're fairly
# willing to leave things, though we consume the bodies of many log
# messages and replace uuids and host names and ips and application
# names. But we let metric values pass right through. We need to let
# them through because TSDB is optimized for real world data.
#
####################################################################


import ipaddress
import json
import sys
import uuid


def passthrough(v):
    return v


def numbered(prefix):
    numbers = {}

    def number_it(v):
        if v not in numbers:
            numbers[v] = len(numbers)
        return f"{prefix}{numbers[v]}"

    return number_it


def uids():
    uids = {}

    def replace_uid(v):
        if v not in uids:
            uids[v] = uuid.uuid4()
        return str(uids[v])

    return replace_uid


def ips():
    ips = {}

    def replace_ip(v):
        if v not in ips:
            ips[v] = ipaddress.IPv4Address(len(ips))
        return str(ips[v])

    return replace_ip


def container_runtime(v):
    if v == "docker":
        return v
    raise ValueError(f"unexpected service address [{v}]")


def service_type(v):
    if v == "kubernetes":
        return v
    raise ValueError(f"unexepected service type [{v}]")


container_ids = {}


def container_id(id):
    if id not in container_ids:
        container_ids[id] = uuid.uuid4()
    return str(container_ids[id])


def k8s_container_id(id):
    if id.startswith("docker://"):
        return "docker://" + container_id(id[len("docker://") :])
    raise ValueError(f"unexepected k8s container prefix [{id}]")


K8S_IMAGE_PASSTHROUGH = {
    "centos:7",
    "gcr.io/cloud-builders/gsutil:latest",
    "nginx:stable",
}
k8s_images_docker_es_co = numbered("docker.elastic.co/image-name-")
k8s_images_elastic = numbered("elastic/image-name-")
k8s_images_gradle = numbered("registry.replicated.com/gradleenterprise/image-name-")
k8s_images_other = numbered("anon/image-")


def k8s_container_image(img):
    if img in K8S_IMAGE_PASSTHROUGH:
        return img
    if img.startswith("sha256:"):
        return img
    if img.startswith("docker.elastic.co/"):
        return k8s_images_docker_es_co(img[len("docker.elastic.co/") :])
    if img.startswith("elastic/"):
        return k8s_images_docker_es_co(img[len("elastic/") :])
    if img.startswith("registry.replicated.com/gradleenterprise/"):
        return k8s_images_gradle(img[len("registry.replicated.com/gradleenterprise/") :])
    if "elastic" in img:
        raise ValueError(f"unexpected k8s container image [{img}]")
    return k8s_images_other(img)


K8S_MESSAGE_PASSTHROUGH = {
    "Back-off restarting failed container",
    'Container image "centos:7" already present on machine',
    "Created container check",
    "deleting pod for node scale down",
    "Error: ImagePullBackOff",
    "Job has reached the specified backoff limit",
    "Job was active longer than specified deadline",
    "marked the node as toBeDeleted/unschedulable",
    "No matching pods found",
    "node removed by cluster autoscaler",
    "Pod sandbox changed, it will be killed and re-created.",
    "Pod was evicted by VPA Updater to apply resource recommendation.",
    "Started container check",
    "Starting kubelet.",
    "Starting kube-proxy.",
    "Too many active pods running after completion count reached",
    "Updated load balancer with new hosts",
    "Updated Node Allocatable limit across pods",
}
K8S_MESSAGE_SNIP = {
    "event: Deleting": "Deleting node <snip>",
    "event: Removing Node": "Removing node <snip>",
    "event: Registered Node": "registered node <snip>",
    "Created pod: ": "Create pod <snip>",
    "Successfully assigned": "Successfully assigned <snip>",
    "Created job": "Created job <snip>",
    "Scaled up replica set": "Scaled up replica set",
    "Pulling image": "Pulling image <snip>",
    "Started container": "Started container <snip>",
    "Successfully pulled image": "Successfully pulled image <snip>",
    "Created container": "Created container <snip>",
    "Cannot determine if job needs to be started": "Cannot determine if job needs to be started <snip>",
    "Saw completed job": "Saw completed job <snip>",
    "Deleted job": "Deleted job <snip>",
    "AttachVolume.Attach succeeded for volume": "AttachVolume.Attach succeeded for volume <snip>",
    "Scaled down replica set": "Scaled down replica set <snip>",
    "Stopping container": "Stopping container <snip>",
    "Deleted pod": "Deleted pod <snip>",
    "Back-off pulling image": "Back-off pulling image <snip>",
    "Liveness probe failed": "Liveness probe failed <snip>",
    "delete Pod": "Delete pod <snip>",
    "create Pod": "Create pod <snip>",
    "status is now: NodeNotReady": "Node not ready <snip>",
    "Readiness probe failed": "Readiness probe failed <snip>",
    "Readiness probe errored": "Readiness probe errored <snip>",
    "nodes are available:": "Bad nodes <snip>",
    "Saw a job that the controller did not create or forgot": "Saw a job that the controller did not create or forgot <snip>",
    "or sacrifice child": "Brutal murder by oomkiller",
    "Scale-up": "Scale-up <snip>",
    "Scale-down": "Scale-down <snip>",
    "status is now": "<snip> status change <snip>",
    "failed for volume": "<snip> failed for volume <snip>",
    "pod triggered scale-up": "pod triggered scale-up <snip>",
    "Unable to mount volumes for pod": "Unable to mount volumes for pod <snip>",
    "Volume is already exclusively attached to one node": "Volume is already exclusively attached to one node <snip>",
    "failed liveness probe, will be restarted": "<snip> failed liveness probe, will be restarted",
    "Failed create pod sandbox": "Failed create pod sandbox <snip>",
    "Error: cannot find volume": "Error: cannot find volume <snip>",
    "Couldn't find key user in": "Couldn't find key user in <snip>",
}


def k8s_message(message):
    if message in K8S_MESSAGE_PASSTHROUGH:
        return message
    if "Error: secret" in message and "not found" in message:
        return "Error: secret <snip> not found"
    if "Container image " in message and "already present on machine" in message:
        return "Container image <snip> already present on machine"
    if '"unmanaged"' in message:
        return str(uuid.uuid4())
    for trigger, replacement in K8S_MESSAGE_SNIP.items():
        if trigger in message:
            return replacement
    raise ValueError(f"unsupported k8s.event.message [{message}]")


def k8s_event_generate_name(v):
    if v == "":
        return v
    raise ValueError(f"unsupported k8s.event.generate_name [{v}]")


PASSTHROUGH_REASONS = {
    "BackOff",
    "BackoffLimitExceeded",
    "CIDRAssignmentFailed",
    "Created",
    "DeadlineExceeded",
    "EvictedByVPA",
    "Failed",
    "FailedAttachVolume",
    "FailedCreatePodSandBox",
    "FailedMount",
    "FailedNeedsStart",
    "FailedScheduling",
    "Killing",
    "NodeAllocatableEnforced",
    "NodeHasNoDiskPressure",
    "NodeHasSufficientMemory",
    "NodeHasSufficientPID",
    "NodeNotReady",
    "NodeReady",
    "NodeSysctlChange",
    "NoPods",
    None,
    "OOMKilling",
    "Pulled",
    "Pulling",
    "RegisteredNode",
    "RemovingNode",
    "SandboxChanged",
    "SawCompletedJob",
    "ScaleDown",
    "ScaleDownEmpty",
    "ScaledUpGroup",
    "ScalingReplicaSet",
    "Scheduled",
    "Started",
    "Starting",
    "SuccessfulAttachVolume",
    "SuccessfulCreate",
    "SuccessfulDelete",
    "TooManyActivePods",
    "TriggeredScaleUp",
    "UnexpectedJob",
    "Unhealthy",
    "UpdatedLoadBalancer",
}


def k8s_event_reason(v):
    if v in PASSTHROUGH_REASONS:
        return v
    if "because it does not exist in the cloud provider" in v:
        return "Deleting <snip> because it does not exist in the cloud provider"
    raise ValueError(f"unsupported k8s.event.reason [{v}]")


def k8s_event_type(v):
    if v in {"Normal", "Warning"}:
        return v
    raise ValueError(f"unsupported k8s.event.type [{v}]")


def k8s_system_container(v):
    if v in {"kubelet", "pods", "runtime"}:
        return v
    raise ValueError(f"unsupported k8s.system.container [{v}]")


def k8s_labels_heritage(v):
    if v in {"Helm", "Tiller"}:
        return v
    raise ValueError(f"unsupported k8s.labels.heritage [{v}]")


K8S_LABELS_K8S_APP_PASSTHROUGH = {
    "dashboard-metrics-scraper",
    "glbc",
    "kubernetes-dashboard",
    "kube-dns",
    "kube-dns-autoscaler",
    "metrics-server",
}


def k8s_labels_k8s_app(v):
    if v in K8S_LABELS_K8S_APP_PASSTHROUGH:
        return v
    raise ValueError(f"unsupported k8s.labels.k8s-app [{v}]")


def k8s_labels_k8s_arch(v):
    if v == "amd64":
        return v
    raise ValueError(f"unsupported kubernetes.labels.kubernetes_io/arch [{v}]")


def k8s_labels_k8s_os(v):
    if v == "linux":
        return v
    raise ValueError(f"unsupported kubernetes.labels.kubernetes_io/os [{v}]")


def k8s_pod_status_phase(v):
    if v in {"failed", "pending", "running", "succeeded"}:
        return v
    raise ValueError(f"unsupported kubernetes.pod.status.phase [{v}]")


k8s_labels_names = numbered("k8s-labels-name-")


def k8s_labels_name(v):
    if v in {"glbc", "tiller"}:
        return v
    if v == "export-workday-logs-hourly":
        return k8s_labels_names(v)
    raise ValueError(f"unsupported kubernetes.labels.name [{v}]")


def k8s_labels_app_managed_by(v):
    if v == "Tiller":
        return v
    raise ValueError(f"unsupported kubernetes.labels.app_kubernetes_io/managed-by [{v}]")


K8S_CONTAINER_STATUS_REASON = {
    "Completed",
    "ContainerCreating",
    "CrashLoopBackOff",
    "CreateContainerConfigError",
    "ErrImagePull",
    "Error",
    "ImagePullBackOff",
    "OOMKilled",
}


def k8s_container_status_reason(v):
    if v in K8S_CONTAINER_STATUS_REASON:
        return v
    raise ValueError(f"unsupported k8s.container.status.reason [{v}]")


def metricbeat_error_message(message):
    if "error doing HTTP request to fetch" in message and "Metricset data" in message:
        return "Error fetching metrics <snip>"
    if "decoding of metric family failed" in message:
        return "Error fetching metrics <snip>"
    raise ValueError(f"unsupported error.message [{message}]")


strategies = {
    "@timestamp": passthrough,
    "agent.ephemeral_id": uids(),
    "agent.hostname": numbered("gke-apps-host-name-"),
    "agent.id": uids(),
    "agent.type": passthrough,
    "agent.version": passthrough,
    "container.id": container_id,
    "container.runtime": container_runtime,
    "ecs.version": passthrough,
    "error.message": metricbeat_error_message,
    "event.dataset": passthrough,
    "event.duration": passthrough,
    "event.module": passthrough,
    "fields.cluster": passthrough,
    "host.name": numbered("gke-apps-host-name-"),
    "kubernetes.container.cpu.limit.cores": passthrough,
    "kubernetes.container.cpu.request.cores": passthrough,
    "kubernetes.container.cpu.usage.core.ns": passthrough,
    "kubernetes.container.cpu.usage.limit.pct": passthrough,
    "kubernetes.container.cpu.usage.nanocores": passthrough,
    "kubernetes.container.cpu.usage.node.pct": passthrough,
    "kubernetes.container.id": k8s_container_id,
    "kubernetes.container.image": k8s_container_image,
    "kubernetes.container.logs.available.bytes": passthrough,
    "kubernetes.container.logs.capacity.bytes": passthrough,
    "kubernetes.container.logs.inodes.count": passthrough,
    "kubernetes.container.logs.inodes.free": passthrough,
    "kubernetes.container.logs.inodes.used": passthrough,
    "kubernetes.container.logs.used.bytes": passthrough,
    "kubernetes.container.memory.available.bytes": passthrough,
    "kubernetes.container.memory.majorpagefaults": passthrough,
    "kubernetes.container.memory.limit.bytes": passthrough,
    "kubernetes.container.memory.pagefaults": passthrough,
    "kubernetes.container.memory.request.bytes": passthrough,
    "kubernetes.container.memory.rss.bytes": passthrough,
    "kubernetes.container.memory.usage.bytes": passthrough,
    "kubernetes.container.memory.usage.limit.pct": passthrough,
    "kubernetes.container.memory.usage.node.pct": passthrough,
    "kubernetes.container.memory.workingset.bytes": passthrough,
    "kubernetes.container.name": numbered("container-name-"),
    "kubernetes.container.rootfs.available.bytes": passthrough,
    "kubernetes.container.rootfs.capacity.bytes": passthrough,
    "kubernetes.container.rootfs.inodes.used": passthrough,
    "kubernetes.container.rootfs.used.bytes": passthrough,
    "kubernetes.container.start_time": passthrough,
    "kubernetes.container.status.phase": passthrough,
    "kubernetes.container.status.ready": passthrough,
    "kubernetes.container.status.reason": k8s_container_status_reason,
    "kubernetes.container.status.restarts": passthrough,
    "kubernetes.event.count": passthrough,
    "kubernetes.event.involved_object.api_version": passthrough,
    "kubernetes.event.involved_object.kind": passthrough,
    "kubernetes.event.involved_object.name": numbered("involved-object-name-"),
    "kubernetes.event.involved_object.resource_version": passthrough,
    "kubernetes.event.involved_object.uid": uids(),
    "kubernetes.event.message": k8s_message,
    "kubernetes.event.metadata.generate_name": k8s_event_generate_name,
    "kubernetes.event.metadata.name": numbered("event-metadata-name-"),
    "kubernetes.event.metadata.namespace": numbered("event-metadata-namespace-"),
    "kubernetes.event.metadata.resource_version": passthrough,
    "kubernetes.event.metadata.self_link": numbered("event-metadata-self-link-"),
    "kubernetes.event.metadata.timestamp.created": passthrough,
    "kubernetes.event.metadata.uid": uids(),
    "kubernetes.event.reason": k8s_event_reason,
    "kubernetes.event.timestamp.first_occurrence": passthrough,
    "kubernetes.event.timestamp.last_occurrence": passthrough,
    "kubernetes.event.type": k8s_event_type,
    "kubernetes.labels.app": numbered("label-app-"),
    "kubernetes.labels.app_kubernetes_io/component": numbered("app_kubernetes_io/component-"),
    "kubernetes.labels.app_kubernetes_io/instance": numbered("app_kubernetes_io/instance-"),
    "kubernetes.labels.app_kubernetes_io/managed-by": k8s_labels_app_managed_by,
    "kubernetes.labels.app_kubernetes_io/name": numbered("app_kubernetes_io/name-"),
    "kubernetes.labels.beta_kubernetes_io/arch": k8s_labels_k8s_arch,
    "kubernetes.labels.beta_kubernetes_io/fluentd-ds-ready": "drop",
    "kubernetes.labels.beta_kubernetes_io/instance-type": numbered("beta_kubernetes_io/instance-type-"),
    "kubernetes.labels.beta_kubernetes_io/os": k8s_labels_k8s_os,
    "kubernetes.labels.chart": numbered("chart-"),
    "kubernetes.labels.cloud_google_com/gke-nodepool": "drop",
    "kubernetes.labels.cloud_google_com/gke-os-distribution": "drop",
    "kubernetes.labels.co_elastic_apps_oblt-test-plans_service": "drop",
    "kubernetes.labels.failure-domain_beta_kubernetes_io/region": "drop",
    "kubernetes.labels.failure-domain_beta_kubernetes_io/zone": "drop",
    "kubernetes.labels.component": numbered("label-component-"),
    "kubernetes.labels.controller-revision-hash": numbered("label-controller-revision-hash-"),
    "kubernetes.labels.controller-uid": uids(),
    "kubernetes.labels.github_account": numbered("github-account-"),
    "kubernetes.labels.helm_sh/chart": numbered("chart-"),
    "kubernetes.labels.heritage": k8s_labels_heritage,
    "kubernetes.labels.io_kompose_service": numbered("io_kopose_service-"),
    "kubernetes.labels.job-name": numbered("job-name-"),
    "kubernetes.labels.kubernetes_io/arch": k8s_labels_k8s_arch,
    "kubernetes.labels.kubernetes_io/hostname": numbered("kubernetes_io/hostname-"),
    "kubernetes.labels.kubernetes_io/os": k8s_labels_k8s_os,
    "kubernetes.labels.k8s-app": k8s_labels_k8s_app,
    "kubernetes.labels.logtype": passthrough,
    "kubernetes.labels.llama": "drop",
    "kubernetes.labels.name": k8s_labels_name,
    "kubernetes.labels.pod-template-generation": passthrough,
    "kubernetes.labels.pod-template-hash": numbered("label-pod-template-hash-"),
    "kubernetes.labels.release": numbered("release-"),
    "kubernetes.labels.statefulset_kubernetes_io/pod-name": numbered("statefulset_kubernetes_io/pod-name-"),
    "kubernetes.labels.tier": numbered("tier-"),
    "kubernetes.labels.watcher": "drop",
    "kubernetes.labels.version": "drop",
    "kubernetes.namespace": numbered("namespace"),
    "kubernetes.node.name": numbered("gke-apps-node-name-"),
    "kubernetes.node.cpu.allocatable.cores": passthrough,
    "kubernetes.node.cpu.capacity.cores": passthrough,
    "kubernetes.node.cpu.usage.core.ns": passthrough,
    "kubernetes.node.cpu.usage.nanocores": passthrough,
    "kubernetes.node.fs.available.bytes": passthrough,
    "kubernetes.node.fs.capacity.bytes": passthrough,
    "kubernetes.node.fs.inodes.count": passthrough,
    "kubernetes.node.fs.inodes.free": passthrough,
    "kubernetes.node.fs.inodes.used": passthrough,
    "kubernetes.node.fs.used.bytes": passthrough,
    "kubernetes.node.memory.allocatable.bytes": passthrough,
    "kubernetes.node.memory.available.bytes": passthrough,
    "kubernetes.node.memory.capacity.bytes": passthrough,
    "kubernetes.node.memory.majorpagefaults": passthrough,
    "kubernetes.node.memory.pagefaults": passthrough,
    "kubernetes.node.memory.rss.bytes": passthrough,
    "kubernetes.node.memory.usage.bytes": passthrough,
    "kubernetes.node.memory.workingset.bytes": passthrough,
    "kubernetes.node.network.rx.bytes": passthrough,
    "kubernetes.node.network.rx.errors": passthrough,
    "kubernetes.node.network.tx.bytes": passthrough,
    "kubernetes.node.network.tx.errors": passthrough,
    "kubernetes.node.pod.allocatable.total": passthrough,
    "kubernetes.node.pod.capacity.total": passthrough,
    "kubernetes.node.runtime.imagefs.available.bytes": passthrough,
    "kubernetes.node.runtime.imagefs.capacity.bytes": passthrough,
    "kubernetes.node.runtime.imagefs.used.bytes": passthrough,
    "kubernetes.node.start_time": passthrough,
    "kubernetes.node.status.ready": passthrough,
    "kubernetes.node.status.unschedulable": passthrough,
    "kubernetes.pod.cpu.usage.limit.pct": passthrough,
    "kubernetes.pod.cpu.usage.nanocores": passthrough,
    "kubernetes.pod.cpu.usage.node.pct": passthrough,
    "kubernetes.pod.host_ip": ips(),
    "kubernetes.pod.ip": ips(),
    "kubernetes.pod.memory.available.bytes": passthrough,
    "kubernetes.pod.memory.major_page_faults": passthrough,
    "kubernetes.pod.memory.page_faults": passthrough,
    "kubernetes.pod.memory.rss.bytes": passthrough,
    "kubernetes.pod.memory.usage.bytes": passthrough,
    "kubernetes.pod.memory.usage.limit.pct": passthrough,
    "kubernetes.pod.memory.usage.node.pct": passthrough,
    "kubernetes.pod.memory.working_set.bytes": passthrough,
    "kubernetes.pod.network.rx.bytes": passthrough,
    "kubernetes.pod.network.rx.errors": passthrough,
    "kubernetes.pod.network.tx.bytes": passthrough,
    "kubernetes.pod.network.tx.errors": passthrough,
    "kubernetes.pod.name": numbered("pod-name-pod-name-"),
    "kubernetes.pod.start_time": passthrough,
    "kubernetes.pod.status.phase": k8s_pod_status_phase,
    "kubernetes.pod.status.ready": passthrough,
    "kubernetes.pod.status.scheduled": passthrough,
    "kubernetes.pod.uid": uids(),
    "kubernetes.replicaset.name": numbered("replicaset-name-"),
    "kubernetes.statefulset.name": numbered("statefulset-name-"),
    "kubernetes.system.container": k8s_system_container,
    "kubernetes.system.cpu.usage.core.ns": passthrough,
    "kubernetes.system.cpu.usage.nanocores": passthrough,
    "kubernetes.system.memory.majorpagefaults": passthrough,
    "kubernetes.system.memory.pagefaults": passthrough,
    "kubernetes.system.memory.rss.bytes": passthrough,
    "kubernetes.system.memory.usage.bytes": passthrough,
    "kubernetes.system.memory.workingset.bytes": passthrough,
    "kubernetes.system.start_time": passthrough,
    "kubernetes.volume.fs.capacity.bytes": passthrough,
    "kubernetes.volume.fs.available.bytes": passthrough,
    "kubernetes.volume.fs.inodes.count": passthrough,
    "kubernetes.volume.fs.inodes.free": passthrough,
    "kubernetes.volume.fs.inodes.used": passthrough,
    "kubernetes.volume.fs.used.bytes": passthrough,
    "kubernetes.volume.name": numbered("volume-"),
    "metricset.name": passthrough,
    "metricset.period": passthrough,
    "service.address": numbered("service-address-"),
    "service.type": service_type,
}


def anon(path, it):
    result = {}
    for k, v in it.items():
        new_path = k if path == "" else path + "." + k
        if isinstance(v, dict):
            result[k] = anon(new_path, v)
            continue
        strategy = strategies.get(new_path)
        if not strategy:
            raise KeyError(f"Unknown key [{new_path}] with value [{v}]")
        if strategy == "drop":
            continue
        if isinstance(it, list):
            result[k] = [strategy(item) for item in v]
            continue
        result[k] = strategy(v)
    return result


count = 0
for line in sys.stdin:
    try:
        parsed = json.loads(line)
        anonymized = anon("", parsed)
        print(json.dumps(anonymized, separators=(",", ":")))
        count += 1
        if count % 1000 == 0:
            print(f"Processed {count:012d} documents", file=sys.stderr)
    except Exception as e:
        raise Exception(f"Error processing {line}") from e