Combine RequestAuditConfig with RequestAuditConfigWithLevel

Tim Allclair 2022-11-02 15:23:48 -07:00
parent de95671f0c
commit 1a1ca5173e
5 changed files with 29 additions and 44 deletions


@ -25,6 +25,9 @@ import (
// a given request. PolicyRuleEvaluator evaluates the audit policy against the // a given request. PolicyRuleEvaluator evaluates the audit policy against the
// authorizer attributes and returns a RequestAuditConfig that applies to the request. // authorizer attributes and returns a RequestAuditConfig that applies to the request.
type RequestAuditConfig struct { type RequestAuditConfig struct {
// Level at which the request is being audited at
Level audit.Level
// OmitStages is the stages that need to be omitted from being audited. // OmitStages is the stages that need to be omitted from being audited.
OmitStages []audit.Stage OmitStages []audit.Stage
@ -33,21 +36,10 @@ type RequestAuditConfig struct {
OmitManagedFields bool OmitManagedFields bool
} }
// RequestAuditConfigWithLevel includes Level at which the request is being audited.
// PolicyRuleEvaluator evaluates the audit configuration for a request
// against the authorizer attributes and returns an RequestAuditConfigWithLevel
// that applies to the request.
type RequestAuditConfigWithLevel struct {
RequestAuditConfig
// Level at which the request is being audited at
Level audit.Level
}
// PolicyRuleEvaluator exposes methods for evaluating the policy rules. // PolicyRuleEvaluator exposes methods for evaluating the policy rules.
type PolicyRuleEvaluator interface { type PolicyRuleEvaluator interface {
// EvaluatePolicyRule evaluates the audit policy of the apiserver against // EvaluatePolicyRule evaluates the audit policy of the apiserver against
// the given authorizer attributes and returns the audit configuration that // the given authorizer attributes and returns the audit configuration that
// is applicable to the given equest. // is applicable to the given equest.
EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfigWithLevel EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfig
} }
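Review bot: The doc comment on the new `Level` field reads "Level at which the request is being audited at" — the trailing "at" is duplicated; `// Level is the audit level at which the request is recorded.` reads cleanly. The interface comment two lines above the `EvaluatePolicyRule` signature still has the typo "equest" for "request", which is worth fixing while the line is being touched. Since `Level` now sits next to `OmitStages`/`OmitManagedFields`, and the test file in this commit has to spell out `Level: auditinternal.LevelNone` to suppress auditing, it looks like `LevelNone` is not the zero value of `audit.Level` (its definition is not visible here); if so, a sentence on the type noting that a zero-valued `RequestAuditConfig` does not mean "do not audit" would stop someone from treating `RequestAuditConfig{}` as a safe default. The `RequestAuditConfig` struct begins in the first hunk and closes in the second.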


@ -61,25 +61,21 @@ type policyRuleEvaluator struct {
audit.Policy audit.Policy
} }
func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel { func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfig {
for _, rule := range p.Rules { for _, rule := range p.Rules {
if ruleMatches(&rule, attrs) { if ruleMatches(&rule, attrs) {
return auditinternal.RequestAuditConfigWithLevel{ return auditinternal.RequestAuditConfig{
Level: rule.Level, Level: rule.Level,
RequestAuditConfig: auditinternal.RequestAuditConfig{
OmitStages: rule.OmitStages, OmitStages: rule.OmitStages,
OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields), OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
},
} }
} }
} }
return auditinternal.RequestAuditConfigWithLevel{ return auditinternal.RequestAuditConfig{
Level: DefaultAuditLevel, Level: DefaultAuditLevel,
RequestAuditConfig: auditinternal.RequestAuditConfig{
OmitStages: p.OmitStages, OmitStages: p.OmitStages,
OmitManagedFields: p.OmitManagedFields, OmitManagedFields: p.OmitManagedFields,
},
} }
} }
@ -235,11 +231,9 @@ type fakePolicyRuleEvaluator struct {
stage []audit.Stage stage []audit.Stage
} }
func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel { func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfig {
return auditinternal.RequestAuditConfigWithLevel{ return auditinternal.RequestAuditConfig{
Level: f.level, Level: f.level,
RequestAuditConfig: auditinternal.RequestAuditConfig{
OmitStages: f.stage, OmitStages: f.stage,
},
} }
} }
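Review bot: The fallback return at the end of `EvaluatePolicyRule` (the one using `DefaultAuditLevel`) has no comment explaining that it is the no-rule-matched path, and with `Level` now folded into the literal it is easy to misread as a second rule result; `// No rule matched: audit at DefaultAuditLevel with the policy-wide OmitStages/OmitManagedFields.` makes the intent explicit. As a minor style point on the same function, `for _, rule := range p.Rules` copies each `PolicyRule` per iteration and then passes `&rule`; `for i := range p.Rules { rule := &p.Rules[i]` avoids the copy without changing behaviour, assuming `ruleMatches` does not retain the pointer. Both struct literals now list `Level` first, which keeps the two return paths consistent.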


@ -133,10 +133,10 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err) return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
} }
ls := policy.EvaluatePolicyRule(attribs) rac := policy.EvaluatePolicyRule(attribs)
audit.ObservePolicyLevel(ctx, ls.Level) audit.ObservePolicyLevel(ctx, rac.Level)
ac.RequestAuditConfig = ls.RequestAuditConfig ac.RequestAuditConfig = rac
if ls.Level == auditinternal.LevelNone { if rac.Level == auditinternal.LevelNone {
// Don't audit. // Don't audit.
return ac, nil return ac, nil
} }
@ -145,7 +145,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
if !ok { if !ok {
requestReceivedTimestamp = time.Now() requestReceivedTimestamp = time.Now()
} }
ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, ls.Level, attribs) ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, rac.Level, attribs)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to complete audit event from request: %v", err) return nil, fmt.Errorf("failed to complete audit event from request: %v", err)
} }
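Review bot: After `ac.RequestAuditConfig = rac` the policy level is carried in `ac.RequestAuditConfig.Level`, and a few lines later the event is built with `rac.Level` again via `NewEventFromRequest`, so the same value now lives in two places on the audit context; a comment such as `// rac.Level is the policy decision; ev.Level mirrors it for the emitted event.` would tell later readers which one is authoritative if they ever diverge (whether anything downstream reads both is not visible here). Note that `ObservePolicyLevel` is still called before the `LevelNone` early return, so the metric also counts requests that are not audited — presumably intentional, but a one-line comment would confirm it. The two error returns in this function are also inconsistent: the first returns `ac, fmt.Errorf(...)` while the second returns `nil, fmt.Errorf(...)`; if callers inspect `ac` on error, the second should probably return `ac` too. `evaluatePolicyAndCreateAuditEvent` starts before the first hunk and continues after the second.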


@ -780,10 +780,9 @@ func (a *fakeAudit) requestAudited(auditID string) bool {
return exists return exists
} }
func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel { func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
return audit.RequestAuditConfigWithLevel{ return audit.RequestAuditConfig{
Level: auditinternal.LevelMetadata, Level: auditinternal.LevelMetadata,
RequestAuditConfig: audit.RequestAuditConfig{},
} }
} }


@ -50,14 +50,14 @@ func TestWebhookLoopback(t *testing.T) {
// Hook into audit to watch requests // Hook into audit to watch requests
config.GenericConfig.AuditBackend = auditSinkFunc(func(events ...*auditinternal.Event) {}) config.GenericConfig.AuditBackend = auditSinkFunc(func(events ...*auditinternal.Event) {})
config.GenericConfig.AuditPolicyRuleEvaluator = auditPolicyRuleEvaluator(func(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel { config.GenericConfig.AuditPolicyRuleEvaluator = auditPolicyRuleEvaluator(func(attrs authorizer.Attributes) audit.RequestAuditConfig {
if attrs.GetPath() == webhookPath { if attrs.GetPath() == webhookPath {
if attrs.GetUser().GetName() != "system:apiserver" { if attrs.GetUser().GetName() != "system:apiserver" {
t.Errorf("expected user %q, got %q", "system:apiserver", attrs.GetUser().GetName()) t.Errorf("expected user %q, got %q", "system:apiserver", attrs.GetUser().GetName())
} }
atomic.AddInt32(&called, 1) atomic.AddInt32(&called, 1)
} }
return audit.RequestAuditConfigWithLevel{ return audit.RequestAuditConfig{
Level: auditinternal.LevelNone, Level: auditinternal.LevelNone,
} }
}) })
@ -107,9 +107,9 @@ func TestWebhookLoopback(t *testing.T) {
} }
} }
type auditPolicyRuleEvaluator func(authorizer.Attributes) audit.RequestAuditConfigWithLevel type auditPolicyRuleEvaluator func(authorizer.Attributes) audit.RequestAuditConfig
func (f auditPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel { func (f auditPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
return f(attrs) return f(attrs)
} }