From 503de32094e480e76ef1e82c7c18fbbadc67a00b Mon Sep 17 00:00:00 2001
From: deads2k
Date: Fri, 18 Nov 2016 12:11:54 -0500
Subject: [PATCH] add groups to the audit trail

---
 pkg/apiserver/filters/audit.go      | 27 ++++++++++++++++++++-------
 pkg/apiserver/filters/audit_test.go |  2 +-
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/pkg/apiserver/filters/audit.go b/pkg/apiserver/filters/audit.go
index 75d437f29bf..46546a41724 100644
--- a/pkg/apiserver/filters/audit.go
+++ b/pkg/apiserver/filters/audit.go
@@ -96,6 +96,11 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
 			internalError(w, req, err)
 			return
 		}
+
+		groups := ""
+		if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 {
+			groups = auditStringSlice(userGroups)
+		}
 		asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
 		if len(asuser) == 0 {
 			asuser = ""
@@ -103,11 +108,7 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
 		asgroups := ""
 		requestedGroups := req.Header[authenticationapi.ImpersonateGroupHeader]
 		if len(requestedGroups) > 0 {
-			quotedGroups := make([]string, len(requestedGroups))
-			for i, group := range requestedGroups {
-				quotedGroups[i] = fmt.Sprintf("%q", group)
-			}
-			asgroups = strings.Join(quotedGroups, ", ")
+			asgroups = auditStringSlice(requestedGroups)
 		}
 		namespace := attribs.GetNamespace()
 		if len(namespace) == 0 {
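Review bot: The `groups := ""` initializer and the `len(userGroups) > 0` guard in the added lines re-implement the empty-list check that auditStringSlice already performs, so the five lines reduce to `groups := auditStringSlice(attribs.GetUser().GetGroups())`. The added call also dereferences `attribs.GetUser()` unconditionally; the existing `GetName()` call further down in WithAudit makes the same assumption, so this is presumably safe given where the filter sits in the chain, but it is worth confirming that no request without user info can reach this point. WithAudit's body starts and ends outside the hunk.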
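Review bot: Routing the impersonated groups through auditStringSlice changes the separator of the existing `asgroups` field from `", "` to `","` (the helper added in the last hunk of audit.go joins with `","`), so this commit alters the audit line for every impersonation request rather than only adding a field. An audit log consumer that splits `asgroups` on `", "` will silently read the whole list as a single group. Either keep `strings.Join(quotedElements, ", ")` in the helper or state the format change in the commit message; the updated test only asserts `asgroups=""`, so it does not exercise this path.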
@@ -115,8 +116,8 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
 		}
 
 		id := uuid.NewRandom().String()
-		line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q as=%q asgroups=%q namespace=%q uri=%q\n",
-			time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), asuser, asgroups, namespace, req.URL)
+		line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q\n",
+			time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), groups, asuser, asgroups, namespace, req.URL)
 		if _, err := fmt.Fprint(out, line); err != nil {
 			glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
 		}
@@ -125,6 +126,18 @@ func WithAudit(handler http.Handler, attributeGetter RequestAttributeGetter, out
 	})
 }
 
+func auditStringSlice(inList []string) string {
+	if len(inList) == 0 {
+		return ""
+	}
+
+	quotedElements := make([]string, len(inList))
+	for i, in := range inList {
+		quotedElements[i] = fmt.Sprintf("%q", in)
+	}
+	return strings.Join(quotedElements, ",")
+}
+
 func decorateResponseWriter(responseWriter http.ResponseWriter, out io.Writer, id string) http.ResponseWriter {
 	delegate := &auditResponseWriter{ResponseWriter: responseWriter, out: out, id: id}
 	// check if the ResponseWriter we're wrapping is the fancy one we need
diff --git a/pkg/apiserver/filters/audit_test.go b/pkg/apiserver/filters/audit_test.go
index d490bb8631f..69e19d99546 100644
--- a/pkg/apiserver/filters/audit_test.go
+++ b/pkg/apiserver/filters/audit_test.go
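Review bot: The new `groups=%q` field is inserted between `user` and `as` in the audit line rather than appended at the end, so any consumer that reads this line positionally instead of by key picks up the wrong field once this ships; if the line format is treated as an interface, appending new keys is the safer convention. Each element of `groups` is already `%q`-quoted by auditStringSlice and the joined list is `%q`-quoted again here, so a populated list renders with escaped inner quotes; that matches how `asgroups` was already rendered, but a comment such as `// groups/asgroups hold %q-quoted names joined with ","; %q below quotes the list again` would spare the next reader a detour through the test. WithAudit's body starts and ends outside the hunk.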
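Review bot: auditStringSlice has no doc comment, and its early return for an empty list duplicates what `strings.Join` already does for a zero-length slice, so the body can shrink to the make/loop/Join. Suggested comment above the function: `// auditStringSlice renders names as a comma-separated list of %q-quoted strings for the audit line; an empty list yields "".` The per-element `fmt.Sprintf("%q", in)` could be `strconv.Quote(in)` if strconv is already imported in this file, which the hunk does not show.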
@@ -86,7 +86,7 @@ func TestAudit(t *testing.T) {
 	if len(line) != 2 {
 		t.Fatalf("Unexpected amount of lines in audit log: %d", len(line))
 	}
-	match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" as="" asgroups="" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
+	match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="admin" groups="" as="" asgroups="" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
 	if err != nil {
 		t.Errorf("Unexpected error matching first line: %v", err)
 	}
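Review bot: The updated pattern only pins the empty case (`groups=""`), so the rendering of a populated group list, including the `","` separator and the escaped inner quotes produced by `%q`, is not covered by the test. A second request whose user info carries one or two groups, with a pattern asserting the escaped `\"` sequences inside the `groups` field, would lock in the format that audit log consumers will parse. The `.` characters in `127.0.0.1` are unescaped in the pattern, which predates this commit but is cheap to tighten while the string is being edited. TestAudit's body starts and ends outside the hunk.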