diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go
index 36d82f2042b..f233da94f01 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/request.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go
@@ -40,10 +40,7 @@ import (
 authenticationv1 "k8s.io/client-go/pkg/apis/authentication/v1"
 )
-const (
- AuditIDHeader = "X-Request-ID"
-)
-
+// NewEventFromRequest generates an audit event for the request.
 func NewEventFromRequest(req *http.Request, policy *auditinternal.Policy, attribs authorizer.Attributes) (*auditinternal.Event, error) {
 ev := &auditinternal.Event{
 Timestamp: metav1.NewTime(time.Now()),
@@ -61,7 +58,7 @@ func NewEventFromRequest(req *http.Request, policy *auditinternal.Policy, attrib
 // prefer the id from the headers. If not available, create a new one.
 // TODO(audit): do we want to forbid the header for non-front-proxy users?
- ids := req.Header[AuditIDHeader]
+ ids := req.Header[auditinternal.HeaderAuditID]
 if len(ids) > 0 {
 ev.AuditID = types.UID(ids[0])
 } else {
@@ -157,7 +154,7 @@ func LogRequestPatch(ae *audit.Event, patch []byte) {
 return
 }
- ae.RequestObject = runtime.Unknown{
+ ae.RequestObject = &runtime.Unknown{
 Raw: patch,
 ContentType: runtime.ContentTypeJSON,
 }
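Review bot: In the `@@ -61,7 +58,7 @@` hunk the client-supplied header value is still copied verbatim into `ev.AuditID` via `types.UID(ids[0])` with no length or character check, so the audit trail's correlation ID is chosen by whoever sends the request; the TODO about restricting the header to front-proxy users remains open after this change. Until that is decided, the value should be bounded and validated before it is accepted, with the generated ID in the `else` branch as the fallback. Separately, `req.Header[auditinternal.HeaderAuditID]` indexes the map directly, which only matches when the constant is already in canonical MIME header form; its value is not visible in this diff, so `req.Header.Get(auditinternal.HeaderAuditID)` would be the safer lookup. NewEventFromRequest continues outside the hunk.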
@@ -182,21 +179,21 @@ func LogResponseObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersi
 }
 }
-func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime.NegotiatedSerializer) (runtime.Unknown, error) {
+func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime.NegotiatedSerializer) (*runtime.Unknown, error) {
 supported := serializer.SupportedMediaTypes()
 for i := range supported {
 if supported[i].MediaType == "application/json" {
 enc := serializer.EncoderForVersion(supported[i].Serializer, gv)
 var buf bytes.Buffer
 if err := enc.Encode(obj, &buf); err != nil {
- return runtime.Unknown{}, fmt.Errorf("encoding failed: %v", err)
+ return nil, fmt.Errorf("encoding failed: %v", err)
 }
- return runtime.Unknown{
+ return &runtime.Unknown{
 Raw: buf.Bytes(),
 ContentType: runtime.ContentTypeJSON,
 }, nil
 }
 }
- return runtime.Unknown{}, fmt.Errorf("no json encoder found")
+ return nil, fmt.Errorf("no json encoder found")
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/audit_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/audit_test.go
index c6a7a840fa0..4fd42e61a20 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/audit_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/audit_test.go
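Review bot: encodeObject now returns a nil `*runtime.Unknown` on both error paths, so every reader of an event's RequestObject or ResponseObject has to nil-check before touching `.Raw` or `.ContentType`; the callers and the audit backends are outside this hunk, so confirm none of them dereference the field unconditionally. The function also has no doc comment, although this commit adds one to NewEventFromRequest; `// encodeObject serializes obj to JSON at version gv and returns nil with an error if encoding fails or no JSON encoder is available.` would state the new nil contract. The literal `"application/json"` in the media-type comparison could be `runtime.ContentTypeJSON`, which the same function already uses for the result, assuming the two carry the same value.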
@@ -65,8 +65,22 @@ func TestAudit(t *testing.T) {
 simpleCPrimeJSON, _ := runtime.Encode(testCodec, simpleCPrime)
 // event checks
+ noRequestBody := func(i int) eventCheck {
+ return func(events []*auditinternal.Event) error {
+ if events[i].RequestObject == nil {
+ return nil
+ }
+ return fmt.Errorf("expected RequestBody to be nil, got non-nill '%s'", events[i].RequestObject.Raw)
+ }
+ }
 requestBodyIs := func(i int, text string) eventCheck {
 return func(events []*auditinternal.Event) error {
+ if events[i].RequestObject == nil {
+ if text != "" {
+ return fmt.Errorf("expected RequestBody %q, got ", text)
+ }
+ return nil
+ }
 if string(events[i].RequestObject.Raw) != text {
 return fmt.Errorf("expected RequestBody %q, got %q", text, string(events[i].RequestObject.Raw))
 }
@@ -81,12 +95,12 @@ func TestAudit(t *testing.T) {
 return nil
 }
 }
- responseBodyIs := func(i int, text string) eventCheck {
+ noResponseBody := func(i int) eventCheck {
 return func(events []*auditinternal.Event) error {
- if string(events[i].ResponseObject.Raw) != text {
- return fmt.Errorf("expected ResponseBody %q, got %q", text, string(events[i].ResponseObject.Raw))
+ if events[i].ResponseObject == nil {
+ return nil
 }
- return nil
+ return fmt.Errorf("expected ResponseBody to be nil, got non-nill '%s'", events[i].ResponseObject.Raw)
 }
 }
 responseBodyMatches := func(i int, pattern string) eventCheck {
@@ -115,7 +129,7 @@ func TestAudit(t *testing.T) {
 200,
 1,
 []eventCheck{
- requestBodyIs(0, ""),
+ noRequestBody(0),
 responseBodyMatches(0, `{.*"name":"c".*}`),
 },
 },
@@ -132,7 +146,7 @@ func TestAudit(t *testing.T) {
 200,
 1,
 []eventCheck{
- requestBodyMatches(0, ""),
+ noRequestBody(0),
 responseBodyMatches(0, `{.*"name":"a".*"name":"b".*}`),
 },
 },
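Review bot: The failure messages added in the `@@ -65,8 +65,22 @@` hunk are inconsistent with the checks around them: `noRequestBody` prints the raw body with `'%s'` and misspells "non-nil", while `requestBodyIs` quotes with `%q`. Prefer `return fmt.Errorf("expected RequestBody to be nil, got %q", events[i].RequestObject.Raw)`, and the same for `noResponseBody` in the `@@ -81,12 +95,12 @@` hunk. The message in the new nil branch of `requestBodyIs`, as shown on this page, ends in `got ` with nothing after it; `got nil` would make the failure readable. All of these helpers index `events[i]` directly, so they rely on the event count being asserted before the checks run, which is not visible in these hunks.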
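Review bot: `responseBodyMatches` (its body starts on the last line of the `@@ -81,12 +95,12 @@` hunk and continues outside it) and `requestBodyMatches` need the same nil guard this commit adds to `requestBodyIs`, because the new code compares `ResponseObject` and `RequestObject` with nil and so either can now be absent. If those helpers still read `.Raw` unconditionally, a missing body panics the test instead of reporting a failure. Should the guard be missing, `if events[i].ResponseObject == nil { return fmt.Errorf("expected ResponseBody to match %q, got nil", pattern) }` at the top of the inner function covers it.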
@@ -158,8 +172,8 @@ func TestAudit(t *testing.T) {
 405,
 1,
 []eventCheck{
- requestBodyIs(0, ""), // the 405 is thrown long before the create handler would be executed
- responseBodyIs(0, ""), // the 405 is thrown long before the create handler would be executed
+ noRequestBody(0), // the 405 is thrown long before the create handler would be executed
+ noResponseBody(0), // the 405 is thrown long before the create handler would be executed
 },
 },
 {
@@ -171,8 +185,8 @@ func TestAudit(t *testing.T) {
 200,
 1,
 []eventCheck{
- requestBodyMatches(0, ""),
- responseBodyMatches(0, ""),
+ noRequestBody(0),
+ responseBodyMatches(0, `{.*"kind":"Status".*"status":"Success".*}`),
 },
 },
 {
@@ -185,7 +199,7 @@ func TestAudit(t *testing.T) {
 1,
 []eventCheck{
 requestBodyMatches(0, "DeleteOptions"),
- responseBodyMatches(0, ""),
+ responseBodyMatches(0, `{.*"kind":"Status".*"status":"Success".*}`),
 },
 },
 {
@@ -247,8 +261,8 @@ func TestAudit(t *testing.T) {
 200,
 2,
 []eventCheck{
- requestBodyMatches(0, ""),
- responseBodyMatches(0, ""),
+ noRequestBody(0),
+ noResponseBody(0),
 },
 },
 } {
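Review bot: In the `@@ -247,8 +261,8 @@` hunk the case appears to expect two events (`200, 2,`) but only index 0 is asserted, so a request or response body recorded on the second event would go unnoticed. If the second value is indeed the event count, add the matching checks for index 1, for example `noRequestBody(1),` and `noResponseBody(1),`, or whichever body the second event is meant to carry. The table and the loop that consumes it extend outside the hunk, so the meaning of the two numbers is inferred from the neighbouring cases.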