mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 04:33:26 +00:00
Merge pull request #49280 from CaoShuFeng/RequestReceived
Automatic merge from submit-queue Provide a way to omit Event stages in audit policy This provide a way to omit some stages for each audit policy rule. For example: ``` apiVersion: audit.k8s.io/v1beta1 kind: Policy - level: Metadata resources: - group: "rbac.authorization.k8s.io" resources: ["roles"] omitStages: - "RequestReceived" ``` RequestReceived stage will not be emitted to audit backends with previous config. **Release note**: ``` None ``` #
This commit is contained in:
commit
9d29ce1356
@ -207,6 +207,10 @@ type PolicyRule struct {
|
||||
// "/healthz*" - Log all health checks
|
||||
// +optional
|
||||
NonResourceURLs []string
|
||||
|
||||
// OmitStages specify events generated in which stages will not be emitted to backend.
|
||||
// An empty list means no restrictions will apply.
|
||||
OmitStages []Stage
|
||||
}
|
||||
|
||||
// GroupResources represents resource kinds in an API group.
|
||||
|
@ -543,6 +543,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
|
||||
i += copy(dAtA[i:], s)
|
||||
}
|
||||
}
|
||||
if len(m.OmitStages) > 0 {
|
||||
for _, s := range m.OmitStages {
|
||||
dAtA[i] = 0x42
|
||||
i++
|
||||
l = len(s)
|
||||
for l >= 1<<7 {
|
||||
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
|
||||
l >>= 7
|
||||
i++
|
||||
}
|
||||
dAtA[i] = uint8(l)
|
||||
i++
|
||||
i += copy(dAtA[i:], s)
|
||||
}
|
||||
}
|
||||
return i, nil
|
||||
}
|
||||
|
||||
@ -744,6 +759,12 @@ func (m *PolicyRule) Size() (n int) {
|
||||
n += 1 + l + sovGenerated(uint64(l))
|
||||
}
|
||||
}
|
||||
if len(m.OmitStages) > 0 {
|
||||
for _, s := range m.OmitStages {
|
||||
l = len(s)
|
||||
n += 1 + l + sovGenerated(uint64(l))
|
||||
}
|
||||
}
|
||||
return n
|
||||
}
|
||||
|
||||
@ -856,6 +877,7 @@ func (this *PolicyRule) String() string {
|
||||
`Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`,
|
||||
`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
|
||||
`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
|
||||
`OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`,
|
||||
`}`,
|
||||
}, "")
|
||||
return s
|
||||
@ -2304,6 +2326,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
|
||||
}
|
||||
m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
|
||||
iNdEx = postIndex
|
||||
case 8:
|
||||
if wireType != 2 {
|
||||
return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType)
|
||||
}
|
||||
var stringLen uint64
|
||||
for shift := uint(0); ; shift += 7 {
|
||||
if shift >= 64 {
|
||||
return ErrIntOverflowGenerated
|
||||
}
|
||||
if iNdEx >= l {
|
||||
return io.ErrUnexpectedEOF
|
||||
}
|
||||
b := dAtA[iNdEx]
|
||||
iNdEx++
|
||||
stringLen |= (uint64(b) & 0x7F) << shift
|
||||
if b < 0x80 {
|
||||
break
|
||||
}
|
||||
}
|
||||
intStringLen := int(stringLen)
|
||||
if intStringLen < 0 {
|
||||
return ErrInvalidLengthGenerated
|
||||
}
|
||||
postIndex := iNdEx + intStringLen
|
||||
if postIndex > l {
|
||||
return io.ErrUnexpectedEOF
|
||||
}
|
||||
m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex]))
|
||||
iNdEx = postIndex
|
||||
default:
|
||||
iNdEx = preIndex
|
||||
skippy, err := skipGenerated(dAtA[iNdEx:])
|
||||
@ -2435,75 +2486,76 @@ func init() {
|
||||
}
|
||||
|
||||
var fileDescriptorGenerated = []byte{
|
||||
// 1107 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
|
||||
0x14, 0xae, 0x37, 0x4d, 0x1b, 0x4f, 0xb7, 0x3f, 0x76, 0x16, 0x81, 0xd5, 0x43, 0x52, 0x82, 0x84,
|
||||
0x22, 0x28, 0x76, 0x5b, 0x0a, 0x2c, 0x07, 0x0e, 0x8d, 0x16, 0x41, 0xa4, 0x52, 0xca, 0xb4, 0x59,
|
||||
0x89, 0x1f, 0x07, 0x9c, 0xe4, 0x35, 0x31, 0x4d, 0x6c, 0x33, 0x33, 0x0e, 0xea, 0x8d, 0x03, 0xe2,
|
||||
0xcc, 0x9d, 0x3f, 0x06, 0x21, 0x81, 0xd4, 0xe3, 0x1e, 0xf7, 0x14, 0xd1, 0xf0, 0x5f, 0xf4, 0x84,
|
||||
0x66, 0x3c, 0xe3, 0xb1, 0xd3, 0x8d, 0x48, 0x2f, 0x7b, 0xf3, 0xbc, 0xf7, 0x7d, 0xdf, 0xbc, 0xf7,
|
||||
0xfc, 0xde, 0xb3, 0xd1, 0x57, 0x97, 0x4f, 0x98, 0x1b, 0x44, 0xde, 0x65, 0xd2, 0x01, 0x1a, 0x02,
|
||||
0x07, 0xe6, 0x8d, 0x21, 0xec, 0x45, 0xd4, 0x53, 0x0e, 0x3f, 0x0e, 0x18, 0xd0, 0x31, 0x50, 0x2f,
|
||||
0xbe, 0xec, 0xcb, 0x93, 0xe7, 0x27, 0xbd, 0x80, 0x7b, 0xe3, 0x7d, 0x7f, 0x18, 0x0f, 0xfc, 0x7d,
|
||||
0xaf, 0x0f, 0x21, 0x50, 0x9f, 0x43, 0xcf, 0x8d, 0x69, 0xc4, 0x23, 0xdc, 0x48, 0x99, 0x6e, 0xc6,
|
||||
0x74, 0xe3, 0xcb, 0xbe, 0x3c, 0xb9, 0x92, 0xe9, 0x6a, 0xe6, 0xf6, 0x7b, 0xfd, 0x80, 0x0f, 0x92,
|
||||
0x8e, 0xdb, 0x8d, 0x46, 0x5e, 0x3f, 0xea, 0x47, 0x9e, 0x14, 0xe8, 0x24, 0x17, 0xf2, 0x24, 0x0f,
|
||||
0xf2, 0x29, 0x15, 0xde, 0xde, 0x35, 0x21, 0x79, 0x7e, 0xc2, 0x07, 0x10, 0xf2, 0xa0, 0xeb, 0xf3,
|
||||
0x20, 0x0a, 0xbd, 0xf1, 0x9d, 0x30, 0xb6, 0x0f, 0x0d, 0x7a, 0xe4, 0x77, 0x07, 0x41, 0x08, 0xf4,
|
||||
0xca, 0xe4, 0x30, 0x02, 0xee, 0xbf, 0x8c, 0xe5, 0xcd, 0x63, 0xd1, 0x24, 0xe4, 0xc1, 0x08, 0xee,
|
||||
0x10, 0x3e, 0xfc, 0x3f, 0x02, 0xeb, 0x0e, 0x60, 0xe4, 0xdf, 0xe1, 0xbd, 0x3f, 0x8f, 0x97, 0xf0,
|
||||
0x60, 0xe8, 0x05, 0x21, 0x67, 0x9c, 0xce, 0x92, 0xea, 0x7f, 0x55, 0x50, 0xf9, 0xd3, 0x31, 0x84,
|
||||
0x1c, 0x7f, 0x8f, 0x2a, 0x22, 0x85, 0x9e, 0xcf, 0x7d, 0xc7, 0xda, 0xb1, 0x1a, 0x6b, 0x07, 0x7b,
|
||||
0xae, 0xa9, 0x7b, 0xa6, 0x68, 0x4a, 0x2f, 0xd0, 0xee, 0x78, 0xdf, 0xfd, 0xb2, 0xf3, 0x03, 0x74,
|
||||
0xf9, 0x17, 0xc0, 0xfd, 0x26, 0xbe, 0x9e, 0xd4, 0x96, 0xa6, 0x93, 0x1a, 0x32, 0x36, 0x92, 0xa9,
|
||||
0xe2, 0x5d, 0x54, 0x1e, 0xc2, 0x18, 0x86, 0xce, 0x83, 0x1d, 0xab, 0x61, 0x37, 0x5f, 0x57, 0xe0,
|
||||
0xf2, 0xb1, 0x30, 0xde, 0xea, 0x07, 0x92, 0x82, 0xf0, 0xb7, 0xc8, 0x16, 0xd9, 0x32, 0xee, 0x8f,
|
||||
0x62, 0xa7, 0x24, 0x03, 0x7a, 0x67, 0xb1, 0x80, 0xce, 0x83, 0x11, 0x34, 0x1f, 0x29, 0x75, 0xfb,
|
||||
0x5c, 0x8b, 0x10, 0xa3, 0x87, 0x4f, 0xd0, 0xaa, 0xec, 0x9c, 0xd6, 0x53, 0x67, 0x59, 0x06, 0x73,
|
||||
0xa8, 0xe0, 0xab, 0x47, 0xa9, 0xf9, 0x76, 0x52, 0x7b, 0x73, 0x5e, 0x3d, 0xf9, 0x55, 0x0c, 0xcc,
|
||||
0x6d, 0xb7, 0x9e, 0x12, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x2e, 0xa6, 0x76, 0x26,
|
||||
0x8c, 0xb7, 0xfa, 0x81, 0xa4, 0x20, 0x7c, 0x80, 0x10, 0x85, 0x1f, 0x13, 0x60, 0xbc, 0x4d, 0x5a,
|
||||
0xce, 0x8a, 0xa4, 0x64, 0xa5, 0x23, 0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x81, 0x76,
|
||||
0x9c, 0x55, 0x89, 0x7e, 0xa8, 0xd0, 0xcb, 0xcf, 0x80, 0x76, 0x88, 0xf4, 0xe0, 0xcf, 0xd1, 0x72,
|
||||
0xc2, 0x80, 0x3a, 0x15, 0x59, 0xab, 0xb7, 0x73, 0xb5, 0x72, 0x8b, 0xbd, 0x2d, 0x6a, 0xd4, 0x66,
|
||||
0x40, 0x5b, 0xe1, 0x45, 0x64, 0x94, 0x84, 0x85, 0x48, 0x05, 0x3c, 0x40, 0x5b, 0xc1, 0x28, 0x06,
|
||||
0xca, 0xa2, 0x50, 0xb4, 0x8a, 0xf0, 0x38, 0xf6, 0xbd, 0x54, 0x5f, 0x9b, 0x4e, 0x6a, 0x5b, 0xad,
|
||||
0x19, 0x0d, 0x72, 0x47, 0x15, 0xbf, 0x8b, 0x6c, 0x16, 0x25, 0xb4, 0x0b, 0xad, 0x53, 0xe6, 0xa0,
|
||||
0x9d, 0x52, 0xc3, 0x6e, 0xae, 0x8b, 0x97, 0x76, 0xa6, 0x8d, 0xc4, 0xf8, 0xf1, 0x05, 0xb2, 0x23,
|
||||
0xd9, 0x57, 0x04, 0x2e, 0x9c, 0x35, 0x19, 0xcf, 0xc7, 0xee, 0xa2, 0xab, 0x41, 0xb5, 0x29, 0x81,
|
||||
0x0b, 0xa0, 0x10, 0x76, 0x21, 0xbd, 0x27, 0x33, 0x12, 0x23, 0x8d, 0x07, 0x68, 0x83, 0x02, 0x8b,
|
||||
0xa3, 0x90, 0xc1, 0x19, 0xf7, 0x79, 0xc2, 0x9c, 0x87, 0xf2, 0xb2, 0xdd, 0xc5, 0xda, 0x2f, 0xe5,
|
||||
0x34, 0xf1, 0x74, 0x52, 0xdb, 0x20, 0x05, 0x1d, 0x32, 0xa3, 0x8b, 0x7d, 0xb4, 0xae, 0x5e, 0x71,
|
||||
0x1a, 0x88, 0xb3, 0x2e, 0x2f, 0x6a, 0xcc, 0xbd, 0x48, 0xad, 0x00, 0xb7, 0x1d, 0x5e, 0x86, 0xd1,
|
||||
0x4f, 0x61, 0xf3, 0xd1, 0x74, 0x52, 0x5b, 0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x3d, 0x93, 0x8c,
|
||||
0xba, 0x63, 0xe3, 0x9e, 0x77, 0x14, 0x12, 0x51, 0x97, 0xcc, 0x68, 0xd6, 0xff, 0xb0, 0x90, 0x2d,
|
||||
0xd7, 0xc8, 0x71, 0xc0, 0x38, 0xfe, 0xee, 0xce, 0x2a, 0x71, 0x17, 0x2b, 0x9d, 0x60, 0xcb, 0x45,
|
||||
0xb2, 0xa5, 0xba, 0xb2, 0xa2, 0x2d, 0xb9, 0x35, 0x72, 0x8e, 0xca, 0x01, 0x87, 0x11, 0x73, 0x1e,
|
||||
0xec, 0x94, 0x1a, 0x6b, 0x07, 0xde, 0xe2, 0x2d, 0x20, 0x23, 0x6c, 0xae, 0xeb, 0xe1, 0x6c, 0x09,
|
||||
0x15, 0x92, 0x8a, 0xd5, 0x7f, 0xb7, 0xd0, 0xc6, 0x67, 0x34, 0x4a, 0x62, 0x02, 0x69, 0xc7, 0x31,
|
||||
0xfc, 0x16, 0x2a, 0xf7, 0x85, 0x45, 0xe6, 0x60, 0x1b, 0x5e, 0x0a, 0x4b, 0x7d, 0xa2, 0x83, 0xa9,
|
||||
0x66, 0xc8, 0x88, 0x54, 0x07, 0x67, 0x32, 0xc4, 0xf8, 0xf1, 0x47, 0xe2, 0x7d, 0xa7, 0x87, 0x13,
|
||||
0x7f, 0x04, 0xcc, 0x29, 0x49, 0x82, 0x7a, 0x8b, 0x39, 0x07, 0x29, 0xe2, 0xea, 0xbf, 0x94, 0xd0,
|
||||
0xe6, 0x4c, 0x03, 0xe3, 0x5d, 0x54, 0xd1, 0x20, 0x15, 0x61, 0x56, 0x35, 0xad, 0x45, 0x32, 0x04,
|
||||
0xf6, 0x90, 0x1d, 0x0a, 0xa9, 0xd8, 0xef, 0x82, 0x5a, 0xc0, 0xd9, 0x8a, 0x3c, 0xd1, 0x0e, 0x62,
|
||||
0x30, 0x62, 0xe1, 0x88, 0x83, 0x5c, 0xbd, 0xb9, 0x85, 0x23, 0xb0, 0x44, 0x7a, 0x70, 0x13, 0x95,
|
||||
0x92, 0xa0, 0xa7, 0x16, 0xe8, 0x9e, 0x02, 0x94, 0xda, 0x8b, 0x2e, 0x4f, 0x41, 0x16, 0xab, 0xd0,
|
||||
0x8f, 0x83, 0x67, 0x40, 0x59, 0x10, 0x85, 0x6a, 0x7b, 0x66, 0xab, 0xf0, 0xe8, 0xb4, 0xa5, 0x3c,
|
||||
0x24, 0x87, 0xc2, 0x47, 0x68, 0x53, 0xa7, 0xa5, 0x89, 0xe9, 0x0e, 0x7d, 0x43, 0x11, 0x37, 0x49,
|
||||
0xd1, 0x4d, 0x66, 0xf1, 0xf8, 0x03, 0xb4, 0xc6, 0x92, 0x4e, 0x56, 0xbe, 0x74, 0xa9, 0x3e, 0x56,
|
||||
0xf4, 0xb5, 0x33, 0xe3, 0x22, 0x79, 0x5c, 0xfd, 0x6f, 0x0b, 0xad, 0x9c, 0x46, 0xc3, 0xa0, 0x7b,
|
||||
0xf5, 0x0a, 0x3e, 0x97, 0x5f, 0xa3, 0x32, 0x4d, 0x86, 0xa0, 0xfb, 0xfc, 0x70, 0xf1, 0x3e, 0x4f,
|
||||
0x43, 0x24, 0xc9, 0x10, 0x4c, 0xd3, 0x8a, 0x13, 0x23, 0xa9, 0x62, 0xfd, 0x4f, 0x0b, 0xa1, 0x14,
|
||||
0xf4, 0x0a, 0xe6, 0xb5, 0x5d, 0x9c, 0xd7, 0xbd, 0xfb, 0xe6, 0x31, 0x67, 0x60, 0x7f, 0x2d, 0xe9,
|
||||
0x1c, 0x44, 0x6a, 0xe6, 0xe7, 0xc2, 0x5a, 0xe4, 0xe7, 0xa2, 0x86, 0xca, 0xe2, 0x4b, 0xa7, 0x27,
|
||||
0xd6, 0x16, 0x48, 0xf1, 0x41, 0x62, 0x24, 0xb5, 0x63, 0x17, 0x21, 0xf1, 0x20, 0x47, 0x5d, 0x8f,
|
||||
0xe9, 0x86, 0x78, 0x55, 0xed, 0xcc, 0x4a, 0x72, 0x08, 0x21, 0x28, 0x3e, 0xc2, 0xcc, 0x59, 0x36,
|
||||
0x82, 0xe2, 0xdb, 0xcc, 0x48, 0x6a, 0xc7, 0x41, 0x7e, 0x4f, 0x94, 0x65, 0x25, 0x9e, 0x2c, 0x5e,
|
||||
0x89, 0xe2, 0x66, 0x32, 0x93, 0xfb, 0xd2, 0x2d, 0xe3, 0x22, 0x94, 0x8d, 0x31, 0x73, 0x56, 0x4c,
|
||||
0xec, 0xd9, 0x9c, 0x33, 0x92, 0x43, 0xe0, 0x4f, 0xd0, 0x66, 0x18, 0x85, 0x5a, 0xaa, 0x4d, 0x8e,
|
||||
0x99, 0xb3, 0x2a, 0x49, 0x8f, 0xc5, 0x2c, 0x9d, 0x14, 0x5d, 0x64, 0x16, 0xdb, 0x74, 0xaf, 0x6f,
|
||||
0xaa, 0x4b, 0xcf, 0x6f, 0xaa, 0x4b, 0x2f, 0x6e, 0xaa, 0x4b, 0x3f, 0x4f, 0xab, 0xd6, 0xf5, 0xb4,
|
||||
0x6a, 0x3d, 0x9f, 0x56, 0xad, 0x17, 0xd3, 0xaa, 0xf5, 0xcf, 0xb4, 0x6a, 0xfd, 0xf6, 0x6f, 0x75,
|
||||
0xe9, 0x9b, 0x8a, 0xce, 0xe5, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x6c, 0x88, 0x4f, 0x33, 0x21,
|
||||
0x0c, 0x00, 0x00,
|
||||
// 1129 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcd, 0x6e, 0x23, 0x45,
|
||||
0x10, 0xce, 0xac, 0xe3, 0x8d, 0xa7, 0xb3, 0xf9, 0xd9, 0x5e, 0xc4, 0x8e, 0x72, 0xb0, 0x83, 0x91,
|
||||
0x90, 0x05, 0x61, 0x26, 0x09, 0x81, 0x5d, 0x0e, 0x1c, 0x62, 0x2d, 0x02, 0x4b, 0x21, 0x84, 0x4e,
|
||||
0xbc, 0x12, 0x3f, 0x07, 0xc6, 0x76, 0xc5, 0x1e, 0xe2, 0xf9, 0xa1, 0xbb, 0xc7, 0x28, 0x37, 0x0e,
|
||||
0x3c, 0x00, 0x77, 0x1e, 0x66, 0x85, 0x04, 0x52, 0x8e, 0x7b, 0xdc, 0x93, 0x45, 0xcc, 0x5b, 0xe4,
|
||||
0x84, 0xba, 0xa7, 0x7b, 0x7a, 0xec, 0xac, 0x85, 0x73, 0xd9, 0xdb, 0x74, 0xd5, 0xf7, 0x7d, 0x5d,
|
||||
0x55, 0x53, 0x55, 0x33, 0xe8, 0x9b, 0x8b, 0xa7, 0xcc, 0x0d, 0x62, 0xef, 0x22, 0xed, 0x00, 0x8d,
|
||||
0x80, 0x03, 0xf3, 0x46, 0x10, 0xf5, 0x62, 0xea, 0x29, 0x87, 0x9f, 0x04, 0x0c, 0xe8, 0x08, 0xa8,
|
||||
0x97, 0x5c, 0xf4, 0xe5, 0xc9, 0xf3, 0xd3, 0x5e, 0xc0, 0xbd, 0xd1, 0x9e, 0x3f, 0x4c, 0x06, 0xfe,
|
||||
0x9e, 0xd7, 0x87, 0x08, 0xa8, 0xcf, 0xa1, 0xe7, 0x26, 0x34, 0xe6, 0x31, 0x6e, 0x64, 0x4c, 0x37,
|
||||
0x67, 0xba, 0xc9, 0x45, 0x5f, 0x9e, 0x5c, 0xc9, 0x74, 0x35, 0x73, 0xeb, 0xc3, 0x7e, 0xc0, 0x07,
|
||||
0x69, 0xc7, 0xed, 0xc6, 0xa1, 0xd7, 0x8f, 0xfb, 0xb1, 0x27, 0x05, 0x3a, 0xe9, 0xb9, 0x3c, 0xc9,
|
||||
0x83, 0x7c, 0xca, 0x84, 0xb7, 0x76, 0x4c, 0x48, 0x9e, 0x9f, 0xf2, 0x01, 0x44, 0x3c, 0xe8, 0xfa,
|
||||
0x3c, 0x88, 0x23, 0x6f, 0x74, 0x2b, 0x8c, 0xad, 0x03, 0x83, 0x0e, 0xfd, 0xee, 0x20, 0x88, 0x80,
|
||||
0x5e, 0x9a, 0x1c, 0x42, 0xe0, 0xfe, 0xeb, 0x58, 0xde, 0x3c, 0x16, 0x4d, 0x23, 0x1e, 0x84, 0x70,
|
||||
0x8b, 0xf0, 0xc9, 0xff, 0x11, 0x58, 0x77, 0x00, 0xa1, 0x7f, 0x8b, 0xf7, 0xd1, 0x3c, 0x5e, 0xca,
|
||||
0x83, 0xa1, 0x17, 0x44, 0x9c, 0x71, 0x3a, 0x4b, 0xaa, 0xff, 0x55, 0x41, 0xe5, 0xcf, 0x47, 0x10,
|
||||
0x71, 0xfc, 0x23, 0xaa, 0x88, 0x14, 0x7a, 0x3e, 0xf7, 0x1d, 0x6b, 0xdb, 0x6a, 0xac, 0xee, 0xef,
|
||||
0xba, 0xa6, 0xee, 0xb9, 0xa2, 0x29, 0xbd, 0x40, 0xbb, 0xa3, 0x3d, 0xf7, 0xeb, 0xce, 0x4f, 0xd0,
|
||||
0xe5, 0x5f, 0x01, 0xf7, 0x9b, 0xf8, 0x6a, 0x5c, 0x5b, 0x9a, 0x8c, 0x6b, 0xc8, 0xd8, 0x48, 0xae,
|
||||
0x8a, 0x77, 0x50, 0x79, 0x08, 0x23, 0x18, 0x3a, 0xf7, 0xb6, 0xad, 0x86, 0xdd, 0x7c, 0x5b, 0x81,
|
||||
0xcb, 0x47, 0xc2, 0x78, 0xa3, 0x1f, 0x48, 0x06, 0xc2, 0xdf, 0x23, 0x5b, 0x64, 0xcb, 0xb8, 0x1f,
|
||||
0x26, 0x4e, 0x49, 0x06, 0xf4, 0xfe, 0x62, 0x01, 0x9d, 0x05, 0x21, 0x34, 0x1f, 0x2a, 0x75, 0xfb,
|
||||
0x4c, 0x8b, 0x10, 0xa3, 0x87, 0x8f, 0xd1, 0x8a, 0xec, 0x9c, 0xd6, 0x33, 0x67, 0x59, 0x06, 0x73,
|
||||
0xa0, 0xe0, 0x2b, 0x87, 0x99, 0xf9, 0x66, 0x5c, 0x7b, 0x67, 0x5e, 0x3d, 0xf9, 0x65, 0x02, 0xcc,
|
||||
0x6d, 0xb7, 0x9e, 0x11, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x9e, 0x4e, 0xed, 0x54,
|
||||
0x18, 0x6f, 0xf4, 0x03, 0xc9, 0x40, 0x78, 0x1f, 0x21, 0x0a, 0x3f, 0xa7, 0xc0, 0x78, 0x9b, 0xb4,
|
||||
0x9c, 0xfb, 0x92, 0x92, 0x97, 0x8e, 0xe4, 0x1e, 0x52, 0x40, 0xe1, 0x6d, 0xb4, 0x3c, 0x02, 0xda,
|
||||
0x71, 0x56, 0x24, 0xfa, 0x81, 0x42, 0x2f, 0x3f, 0x07, 0xda, 0x21, 0xd2, 0x83, 0xbf, 0x44, 0xcb,
|
||||
0x29, 0x03, 0xea, 0x54, 0x64, 0xad, 0xde, 0x2b, 0xd4, 0xca, 0x9d, 0xee, 0x6d, 0x51, 0xa3, 0x36,
|
||||
0x03, 0xda, 0x8a, 0xce, 0x63, 0xa3, 0x24, 0x2c, 0x44, 0x2a, 0xe0, 0x01, 0xda, 0x0c, 0xc2, 0x04,
|
||||
0x28, 0x8b, 0x23, 0xd1, 0x2a, 0xc2, 0xe3, 0xd8, 0x77, 0x52, 0x7d, 0x6b, 0x32, 0xae, 0x6d, 0xb6,
|
||||
0x66, 0x34, 0xc8, 0x2d, 0x55, 0xfc, 0x01, 0xb2, 0x59, 0x9c, 0xd2, 0x2e, 0xb4, 0x4e, 0x98, 0x83,
|
||||
0xb6, 0x4b, 0x0d, 0xbb, 0xb9, 0x26, 0x5e, 0xda, 0xa9, 0x36, 0x12, 0xe3, 0xc7, 0xe7, 0xc8, 0x8e,
|
||||
0x65, 0x5f, 0x11, 0x38, 0x77, 0x56, 0x65, 0x3c, 0x9f, 0xba, 0x8b, 0xae, 0x06, 0xd5, 0xa6, 0x04,
|
||||
0xce, 0x81, 0x42, 0xd4, 0x85, 0xec, 0x9e, 0xdc, 0x48, 0x8c, 0x34, 0x1e, 0xa0, 0x75, 0x0a, 0x2c,
|
||||
0x89, 0x23, 0x06, 0xa7, 0xdc, 0xe7, 0x29, 0x73, 0x1e, 0xc8, 0xcb, 0x76, 0x16, 0x6b, 0xbf, 0x8c,
|
||||
0xd3, 0xc4, 0x93, 0x71, 0x6d, 0x9d, 0x4c, 0xe9, 0x90, 0x19, 0x5d, 0xec, 0xa3, 0x35, 0xf5, 0x8a,
|
||||
0xb3, 0x40, 0x9c, 0x35, 0x79, 0x51, 0x63, 0xee, 0x45, 0x6a, 0x05, 0xb8, 0xed, 0xe8, 0x22, 0x8a,
|
||||
0x7f, 0x89, 0x9a, 0x0f, 0x27, 0xe3, 0xda, 0x1a, 0x29, 0x4a, 0x90, 0x69, 0x45, 0xdc, 0x33, 0xc9,
|
||||
0xa8, 0x3b, 0xd6, 0xef, 0x78, 0xc7, 0x54, 0x22, 0xea, 0x92, 0x19, 0xcd, 0xfa, 0x0b, 0x0b, 0xd9,
|
||||
0x72, 0x8d, 0x1c, 0x05, 0x8c, 0xe3, 0x1f, 0x6e, 0xad, 0x12, 0x77, 0xb1, 0xd2, 0x09, 0xb6, 0x5c,
|
||||
0x24, 0x9b, 0xaa, 0x2b, 0x2b, 0xda, 0x52, 0x58, 0x23, 0x67, 0xa8, 0x1c, 0x70, 0x08, 0x99, 0x73,
|
||||
0x6f, 0xbb, 0xd4, 0x58, 0xdd, 0xf7, 0x16, 0x6f, 0x01, 0x19, 0x61, 0x73, 0x4d, 0x0f, 0x67, 0x4b,
|
||||
0xa8, 0x90, 0x4c, 0xac, 0xfe, 0x87, 0x85, 0xd6, 0xbf, 0xa0, 0x71, 0x9a, 0x10, 0xc8, 0x3a, 0x8e,
|
||||
0xe1, 0x77, 0x51, 0xb9, 0x2f, 0x2c, 0x32, 0x07, 0xdb, 0xf0, 0x32, 0x58, 0xe6, 0x13, 0x1d, 0x4c,
|
||||
0x35, 0x43, 0x46, 0xa4, 0x3a, 0x38, 0x97, 0x21, 0xc6, 0x8f, 0x9f, 0x88, 0xf7, 0x9d, 0x1d, 0x8e,
|
||||
0xfd, 0x10, 0x98, 0x53, 0x92, 0x04, 0xf5, 0x16, 0x0b, 0x0e, 0x32, 0x8d, 0xab, 0xff, 0x56, 0x42,
|
||||
0x1b, 0x33, 0x0d, 0x8c, 0x77, 0x50, 0x45, 0x83, 0x54, 0x84, 0x79, 0xd5, 0xb4, 0x16, 0xc9, 0x11,
|
||||
0xd8, 0x43, 0x76, 0x24, 0xa4, 0x12, 0xbf, 0x0b, 0x6a, 0x01, 0xe7, 0x2b, 0xf2, 0x58, 0x3b, 0x88,
|
||||
0xc1, 0x88, 0x85, 0x23, 0x0e, 0x72, 0xf5, 0x16, 0x16, 0x8e, 0xc0, 0x12, 0xe9, 0xc1, 0x4d, 0x54,
|
||||
0x4a, 0x83, 0x9e, 0x5a, 0xa0, 0xbb, 0x0a, 0x50, 0x6a, 0x2f, 0xba, 0x3c, 0x05, 0x59, 0xac, 0x42,
|
||||
0x3f, 0x09, 0x9e, 0x03, 0x65, 0x41, 0x1c, 0xa9, 0xed, 0x99, 0xaf, 0xc2, 0xc3, 0x93, 0x96, 0xf2,
|
||||
0x90, 0x02, 0x0a, 0x1f, 0xa2, 0x0d, 0x9d, 0x96, 0x26, 0x66, 0x3b, 0xf4, 0xb1, 0x22, 0x6e, 0x90,
|
||||
0x69, 0x37, 0x99, 0xc5, 0xe3, 0x8f, 0xd1, 0x2a, 0x4b, 0x3b, 0x79, 0xf9, 0xb2, 0xa5, 0xfa, 0x48,
|
||||
0xd1, 0x57, 0x4f, 0x8d, 0x8b, 0x14, 0x71, 0xf5, 0xbf, 0x2d, 0x74, 0xff, 0x24, 0x1e, 0x06, 0xdd,
|
||||
0xcb, 0x37, 0xf0, 0xb9, 0xfc, 0x16, 0x95, 0x69, 0x3a, 0x04, 0xdd, 0xe7, 0x07, 0x8b, 0xf7, 0x79,
|
||||
0x16, 0x22, 0x49, 0x87, 0x60, 0x9a, 0x56, 0x9c, 0x18, 0xc9, 0x14, 0xeb, 0x7f, 0x5a, 0x08, 0x65,
|
||||
0xa0, 0x37, 0x30, 0xaf, 0xed, 0xe9, 0x79, 0xdd, 0xbd, 0x6b, 0x1e, 0x73, 0x06, 0xf6, 0x45, 0x49,
|
||||
0xe7, 0x20, 0x52, 0x33, 0x3f, 0x17, 0xd6, 0x22, 0x3f, 0x17, 0x35, 0x54, 0x16, 0x5f, 0x3a, 0x3d,
|
||||
0xb1, 0xb6, 0x40, 0x8a, 0x0f, 0x12, 0x23, 0x99, 0x1d, 0xbb, 0x08, 0x89, 0x07, 0x39, 0xea, 0x7a,
|
||||
0x4c, 0xd7, 0xc5, 0xab, 0x6a, 0xe7, 0x56, 0x52, 0x40, 0x08, 0x41, 0xf1, 0x11, 0x66, 0xce, 0xb2,
|
||||
0x11, 0x14, 0xdf, 0x66, 0x46, 0x32, 0x3b, 0x0e, 0x8a, 0x7b, 0xa2, 0x2c, 0x2b, 0xf1, 0x74, 0xf1,
|
||||
0x4a, 0x4c, 0x6f, 0x26, 0x33, 0xb9, 0xaf, 0xdd, 0x32, 0x2e, 0x42, 0xf9, 0x18, 0x33, 0xe7, 0xbe,
|
||||
0x89, 0x3d, 0x9f, 0x73, 0x46, 0x0a, 0x08, 0xfc, 0x19, 0xda, 0x88, 0xe2, 0x48, 0x4b, 0xb5, 0xc9,
|
||||
0x11, 0x73, 0x56, 0x24, 0xe9, 0x91, 0x98, 0xa5, 0xe3, 0x69, 0x17, 0x99, 0xc5, 0xe2, 0x27, 0x08,
|
||||
0xc5, 0x61, 0xc0, 0xe5, 0x1f, 0x0e, 0x73, 0x2a, 0x92, 0xf9, 0x58, 0x76, 0x75, 0x6e, 0x35, 0x7f,
|
||||
0x40, 0x05, 0x68, 0xd3, 0xbd, 0xba, 0xae, 0x2e, 0xbd, 0xbc, 0xae, 0x2e, 0xbd, 0xba, 0xae, 0x2e,
|
||||
0xfd, 0x3a, 0xa9, 0x5a, 0x57, 0x93, 0xaa, 0xf5, 0x72, 0x52, 0xb5, 0x5e, 0x4d, 0xaa, 0xd6, 0x3f,
|
||||
0x93, 0xaa, 0xf5, 0xfb, 0xbf, 0xd5, 0xa5, 0xef, 0x2a, 0xba, 0x08, 0xff, 0x05, 0x00, 0x00, 0xff,
|
||||
0xff, 0x92, 0xdb, 0xa5, 0x50, 0x5a, 0x0c, 0x00, 0x00,
|
||||
}
|
||||
|
@ -205,5 +205,9 @@ message PolicyRule {
|
||||
// "/healthz*" - Log all health checks
|
||||
// +optional
|
||||
repeated string nonResourceURLs = 7;
|
||||
|
||||
// OmitStages specify events generated in which stages will not be emitted to backend.
|
||||
// An empty list means no restrictions will apply.
|
||||
repeated string omitStages = 8;
|
||||
}
|
||||
|
||||
|
@ -208,6 +208,10 @@ type PolicyRule struct {
|
||||
// "/healthz*" - Log all health checks
|
||||
// +optional
|
||||
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
|
||||
|
||||
// OmitStages specify events generated in which stages will not be emitted to backend.
|
||||
// An empty list means no restrictions will apply.
|
||||
OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
|
||||
}
|
||||
|
||||
// GroupResources represents resource kinds in an API group.
|
||||
|
@ -264,6 +264,7 @@ func autoConvert_v1alpha1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *au
|
||||
out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources))
|
||||
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
|
||||
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
|
||||
out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages))
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -280,6 +281,7 @@ func autoConvert_audit_PolicyRule_To_v1alpha1_PolicyRule(in *audit.PolicyRule, o
|
||||
out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources))
|
||||
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
|
||||
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
|
||||
out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages))
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.OmitStages != nil {
|
||||
in, out := &in.OmitStages, &out.OmitStages
|
||||
*out = make([]Stage, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -547,6 +547,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
|
||||
i += copy(dAtA[i:], s)
|
||||
}
|
||||
}
|
||||
if len(m.OmitStages) > 0 {
|
||||
for _, s := range m.OmitStages {
|
||||
dAtA[i] = 0x42
|
||||
i++
|
||||
l = len(s)
|
||||
for l >= 1<<7 {
|
||||
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
|
||||
l >>= 7
|
||||
i++
|
||||
}
|
||||
dAtA[i] = uint8(l)
|
||||
i++
|
||||
i += copy(dAtA[i:], s)
|
||||
}
|
||||
}
|
||||
return i, nil
|
||||
}
|
||||
|
||||
@ -750,6 +765,12 @@ func (m *PolicyRule) Size() (n int) {
|
||||
n += 1 + l + sovGenerated(uint64(l))
|
||||
}
|
||||
}
|
||||
if len(m.OmitStages) > 0 {
|
||||
for _, s := range m.OmitStages {
|
||||
l = len(s)
|
||||
n += 1 + l + sovGenerated(uint64(l))
|
||||
}
|
||||
}
|
||||
return n
|
||||
}
|
||||
|
||||
@ -863,6 +884,7 @@ func (this *PolicyRule) String() string {
|
||||
`Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`,
|
||||
`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
|
||||
`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
|
||||
`OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`,
|
||||
`}`,
|
||||
}, "")
|
||||
return s
|
||||
@ -2340,6 +2362,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
|
||||
}
|
||||
m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
|
||||
iNdEx = postIndex
|
||||
case 8:
|
||||
if wireType != 2 {
|
||||
return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType)
|
||||
}
|
||||
var stringLen uint64
|
||||
for shift := uint(0); ; shift += 7 {
|
||||
if shift >= 64 {
|
||||
return ErrIntOverflowGenerated
|
||||
}
|
||||
if iNdEx >= l {
|
||||
return io.ErrUnexpectedEOF
|
||||
}
|
||||
b := dAtA[iNdEx]
|
||||
iNdEx++
|
||||
stringLen |= (uint64(b) & 0x7F) << shift
|
||||
if b < 0x80 {
|
||||
break
|
||||
}
|
||||
}
|
||||
intStringLen := int(stringLen)
|
||||
if intStringLen < 0 {
|
||||
return ErrInvalidLengthGenerated
|
||||
}
|
||||
postIndex := iNdEx + intStringLen
|
||||
if postIndex > l {
|
||||
return io.ErrUnexpectedEOF
|
||||
}
|
||||
m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex]))
|
||||
iNdEx = postIndex
|
||||
default:
|
||||
iNdEx = preIndex
|
||||
skippy, err := skipGenerated(dAtA[iNdEx:])
|
||||
@ -2471,76 +2522,78 @@ func init() {
|
||||
}
|
||||
|
||||
var fileDescriptorGenerated = []byte{
|
||||
// 1131 bytes of a gzipped FileDescriptorProto
|
||||
// 1153 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
|
||||
0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0xb0, 0xca, 0xc1, 0x0e, 0x46, 0x82,
|
||||
0x08, 0xd2, 0xdd, 0xa6, 0x2d, 0x34, 0x17, 0x0e, 0xb1, 0x8a, 0xc0, 0x52, 0x08, 0xd1, 0x24, 0xae,
|
||||
0x10, 0x70, 0x60, 0x6c, 0xbf, 0xd8, 0x4b, 0xec, 0xdd, 0x65, 0x66, 0xd6, 0x28, 0x37, 0x2e, 0xdc,
|
||||
0xb9, 0xf3, 0x2d, 0xf8, 0x00, 0x08, 0x09, 0x0e, 0x39, 0xf6, 0xd8, 0x93, 0x45, 0xcc, 0xb7, 0xc8,
|
||||
0x09, 0xcd, 0xec, 0xec, 0xce, 0xae, 0x5d, 0x53, 0xe7, 0xd2, 0x9b, 0xe7, 0xbd, 0xdf, 0xef, 0x37,
|
||||
0xef, 0xbd, 0x79, 0xef, 0xad, 0xd1, 0xc9, 0xc5, 0x01, 0x77, 0xfd, 0xd0, 0xbb, 0x88, 0xdb, 0xc0,
|
||||
0x02, 0x10, 0xc0, 0xbd, 0x11, 0x04, 0xdd, 0x90, 0x79, 0xda, 0x41, 0x23, 0x9f, 0x03, 0x1b, 0x01,
|
||||
0xf3, 0xa2, 0x8b, 0x9e, 0x3a, 0x79, 0x34, 0xee, 0xfa, 0xc2, 0x1b, 0xed, 0xb7, 0x41, 0xd0, 0x7d,
|
||||
0xaf, 0x07, 0x01, 0x30, 0x2a, 0xa0, 0xeb, 0x46, 0x2c, 0x14, 0x21, 0xfe, 0x20, 0x21, 0xba, 0x19,
|
||||
0xd1, 0x8d, 0x2e, 0x7a, 0xea, 0xe4, 0x2a, 0xa2, 0xab, 0x89, 0xdb, 0x0f, 0x7a, 0xbe, 0xe8, 0xc7,
|
||||
0x6d, 0xb7, 0x13, 0x0e, 0xbd, 0x5e, 0xd8, 0x0b, 0x3d, 0xc5, 0x6f, 0xc7, 0xe7, 0xea, 0xa4, 0x0e,
|
||||
0xea, 0x57, 0xa2, 0xbb, 0xbd, 0x67, 0x02, 0xf2, 0x68, 0x2c, 0xfa, 0x10, 0x08, 0xbf, 0x43, 0x85,
|
||||
0x1f, 0x06, 0xde, 0x68, 0x26, 0x8a, 0xed, 0x27, 0x06, 0x3d, 0xa4, 0x9d, 0xbe, 0x1f, 0x00, 0xbb,
|
||||
0x34, 0x19, 0x0c, 0x41, 0xd0, 0x57, 0xb1, 0xbc, 0x79, 0x2c, 0x16, 0x07, 0xc2, 0x1f, 0xc2, 0x0c,
|
||||
0xe1, 0x93, 0xd7, 0x11, 0x78, 0xa7, 0x0f, 0x43, 0x3a, 0xc3, 0x7b, 0x3c, 0x8f, 0x17, 0x0b, 0x7f,
|
||||
0xe0, 0xf9, 0x81, 0xe0, 0x82, 0xcd, 0x90, 0x0e, 0x5e, 0xff, 0x24, 0x74, 0x10, 0xf5, 0x67, 0xdf,
|
||||
0xa4, 0xfe, 0x57, 0x05, 0x95, 0x3f, 0x1b, 0x41, 0x20, 0xf0, 0xf7, 0xa8, 0x22, 0x93, 0xef, 0x52,
|
||||
0x41, 0x1d, 0x6b, 0xc7, 0xda, 0x5d, 0x7b, 0xf4, 0xd0, 0x35, 0x0f, 0x96, 0xc5, 0x62, 0xde, 0x4c,
|
||||
0xa2, 0xdd, 0xd1, 0xbe, 0xfb, 0x55, 0xfb, 0x07, 0xe8, 0x88, 0x2f, 0x41, 0xd0, 0x06, 0xbe, 0x1a,
|
||||
0xd7, 0x96, 0x26, 0xe3, 0x1a, 0x32, 0x36, 0x92, 0xa9, 0xe2, 0x3d, 0x54, 0x1e, 0xc0, 0x08, 0x06,
|
||||
0xce, 0x9d, 0x1d, 0x6b, 0xd7, 0x6e, 0xbc, 0xad, 0xc1, 0xe5, 0x23, 0x69, 0xbc, 0x49, 0x7f, 0x90,
|
||||
0x04, 0x84, 0xbf, 0x45, 0xb6, 0xac, 0x13, 0x17, 0x74, 0x18, 0x39, 0x25, 0x15, 0xd0, 0x87, 0x8b,
|
||||
0x05, 0x74, 0xe6, 0x0f, 0xa1, 0x71, 0x4f, 0xab, 0xdb, 0x67, 0xa9, 0x08, 0x31, 0x7a, 0xf8, 0x18,
|
||||
0xad, 0xaa, 0xc2, 0x34, 0x9f, 0x39, 0xcb, 0x2a, 0x98, 0x27, 0x1a, 0xbe, 0x7a, 0x98, 0x98, 0x6f,
|
||||
0xc6, 0xb5, 0x77, 0xe7, 0xbd, 0x84, 0xb8, 0x8c, 0x80, 0xbb, 0xad, 0xe6, 0x33, 0x92, 0x8a, 0xc8,
|
||||
0xd4, 0xb8, 0xa0, 0x3d, 0x70, 0xca, 0xc5, 0xd4, 0x4e, 0xa5, 0xf1, 0x26, 0xfd, 0x41, 0x12, 0x10,
|
||||
0x7e, 0x84, 0x10, 0x83, 0x1f, 0x63, 0xe0, 0xa2, 0x45, 0x9a, 0xce, 0x8a, 0xa2, 0x64, 0xa5, 0x23,
|
||||
0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x80, 0xb5, 0x9d, 0x55, 0x85, 0xbe, 0xab, 0xd1,
|
||||
0xcb, 0xcf, 0x81, 0xb5, 0x89, 0xf2, 0xe0, 0x2f, 0xd0, 0x72, 0xcc, 0x81, 0x39, 0x15, 0x55, 0xab,
|
||||
0xf7, 0x73, 0xb5, 0x72, 0x8b, 0x53, 0x21, 0x6b, 0xd4, 0xe2, 0xc0, 0x9a, 0xc1, 0x79, 0x68, 0x94,
|
||||
0xa4, 0x85, 0x28, 0x05, 0xdc, 0x47, 0x5b, 0xfe, 0x30, 0x02, 0xc6, 0xc3, 0x40, 0xb6, 0x8a, 0xf4,
|
||||
0x38, 0xf6, 0xad, 0x54, 0xdf, 0x9a, 0x8c, 0x6b, 0x5b, 0xcd, 0x29, 0x0d, 0x32, 0xa3, 0x8a, 0x3f,
|
||||
0x42, 0x36, 0x0f, 0x63, 0xd6, 0x81, 0xe6, 0x09, 0x77, 0xd0, 0x4e, 0x69, 0xd7, 0x6e, 0xac, 0xcb,
|
||||
0x47, 0x3b, 0x4d, 0x8d, 0xc4, 0xf8, 0x31, 0x20, 0x3b, 0x54, 0x7d, 0x45, 0xe0, 0xdc, 0x59, 0x53,
|
||||
0xf1, 0x1c, 0xb8, 0x0b, 0xee, 0x14, 0xdd, 0xa5, 0x04, 0xce, 0x81, 0x41, 0xd0, 0x81, 0xe4, 0x9a,
|
||||
0xcc, 0x48, 0x8c, 0x32, 0xee, 0xa3, 0x0d, 0x06, 0x3c, 0x0a, 0x03, 0x0e, 0xa7, 0x82, 0x8a, 0x98,
|
||||
0x3b, 0x77, 0xd5, 0x5d, 0x7b, 0x8b, 0x75, 0x5f, 0xc2, 0x69, 0xe0, 0xc9, 0xb8, 0xb6, 0x41, 0x0a,
|
||||
0x3a, 0x64, 0x4a, 0x17, 0x53, 0xb4, 0xae, 0x5f, 0x38, 0x09, 0xc4, 0x59, 0x57, 0x17, 0xed, 0xce,
|
||||
0xbd, 0x48, 0xef, 0x0e, 0xb7, 0x15, 0x5c, 0x04, 0xe1, 0x4f, 0x41, 0xe3, 0xde, 0x64, 0x5c, 0x5b,
|
||||
0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0xbe, 0x63, 0xe3, 0x96, 0x77, 0x14, 0x12,
|
||||
0xd1, 0x97, 0x4c, 0x69, 0xd6, 0xff, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0x91, 0xcf, 0x05, 0xfe, 0x6e,
|
||||
0x66, 0x93, 0xb8, 0x8b, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd2, 0x4d, 0x59, 0x49, 0x2d, 0xb9,
|
||||
0x2d, 0x72, 0x8a, 0xca, 0xbe, 0x80, 0x21, 0x77, 0xee, 0xec, 0x94, 0xa6, 0xa4, 0xff, 0xbf, 0x03,
|
||||
0x54, 0x80, 0x8d, 0xf5, 0x74, 0x34, 0x9b, 0x52, 0x84, 0x24, 0x5a, 0xf5, 0xdf, 0x2c, 0xb4, 0xf1,
|
||||
0x39, 0x0b, 0xe3, 0x88, 0x40, 0xd2, 0x6f, 0x1c, 0xbf, 0x87, 0xca, 0x3d, 0x69, 0x51, 0x29, 0xd8,
|
||||
0x86, 0x97, 0xc0, 0x12, 0x9f, 0xec, 0x5f, 0x96, 0x32, 0x54, 0x40, 0xba, 0x7f, 0x33, 0x19, 0x62,
|
||||
0xfc, 0xf8, 0xa9, 0x7c, 0xee, 0xe4, 0x70, 0x4c, 0x87, 0xc0, 0x9d, 0x92, 0x22, 0xe8, 0x47, 0xcc,
|
||||
0x39, 0x48, 0x11, 0x57, 0xff, 0xbd, 0x84, 0x36, 0xa7, 0xfa, 0x17, 0xef, 0xa1, 0x4a, 0x0a, 0xd2,
|
||||
0x11, 0x66, 0x45, 0x4b, 0xb5, 0x48, 0x86, 0xc0, 0x1e, 0xb2, 0x03, 0x29, 0x15, 0xd1, 0x0e, 0xe8,
|
||||
0xf5, 0x9b, 0x2d, 0xc8, 0xe3, 0xd4, 0x41, 0x0c, 0x46, 0xae, 0x1b, 0x79, 0x50, 0x8b, 0x37, 0xb7,
|
||||
0x6e, 0x24, 0x96, 0x28, 0x0f, 0x6e, 0xa0, 0x52, 0xec, 0x77, 0xf5, 0xfa, 0x7c, 0xa8, 0x01, 0xa5,
|
||||
0xd6, 0xa2, 0xab, 0x53, 0x92, 0x65, 0x12, 0x34, 0xf2, 0x55, 0x45, 0xf5, 0xe6, 0xcc, 0x92, 0x38,
|
||||
0x3c, 0x69, 0x26, 0x95, 0xce, 0x10, 0x72, 0x6d, 0xd2, 0xc8, 0x7f, 0x0e, 0x8c, 0xfb, 0x61, 0x30,
|
||||
0xbd, 0x36, 0x0f, 0x4f, 0x9a, 0xda, 0x43, 0x72, 0x28, 0x7c, 0x88, 0x36, 0xd3, 0x22, 0xa4, 0xc4,
|
||||
0x64, 0x83, 0xbe, 0xa3, 0x89, 0x9b, 0xa4, 0xe8, 0x26, 0xd3, 0x78, 0xfc, 0x31, 0x5a, 0xe3, 0x71,
|
||||
0x3b, 0x2b, 0x76, 0x45, 0xd1, 0xef, 0x6b, 0xfa, 0xda, 0xa9, 0x71, 0x91, 0x3c, 0xae, 0xfe, 0xb7,
|
||||
0x85, 0x56, 0x4e, 0xc2, 0x81, 0xdf, 0xb9, 0x7c, 0x03, 0x9f, 0xd6, 0xaf, 0x51, 0x99, 0xc5, 0x03,
|
||||
0x48, 0x87, 0xe2, 0xf1, 0xc2, 0x43, 0x91, 0x44, 0x48, 0xe2, 0x01, 0x98, 0x0e, 0x97, 0x27, 0x4e,
|
||||
0x12, 0xc1, 0xfa, 0x9f, 0x16, 0x42, 0x09, 0xe8, 0x0d, 0xcc, 0xf6, 0x59, 0x71, 0xb6, 0xbd, 0x5b,
|
||||
0xa6, 0x31, 0x67, 0xb8, 0x7f, 0x29, 0xa5, 0x29, 0xc8, 0xcc, 0xcc, 0xdf, 0x10, 0x6b, 0x91, 0xbf,
|
||||
0x21, 0x35, 0x54, 0x96, 0xdf, 0xc4, 0x74, 0xba, 0x6d, 0x89, 0x94, 0x9f, 0x2e, 0x4e, 0x12, 0x3b,
|
||||
0x76, 0x11, 0x92, 0x3f, 0x54, 0x8b, 0xa6, 0x23, 0xbd, 0x21, 0x1f, 0xaa, 0x95, 0x59, 0x49, 0x0e,
|
||||
0x21, 0x05, 0xe5, 0xe7, 0x9a, 0x3b, 0xcb, 0x46, 0x50, 0x7e, 0xc5, 0x39, 0x49, 0xec, 0xb8, 0x9f,
|
||||
0xdf, 0x29, 0x65, 0x55, 0x88, 0xa7, 0x0b, 0x17, 0xa2, 0xb8, 0xc4, 0xcc, 0x90, 0xbf, 0x72, 0x21,
|
||||
0xb9, 0x08, 0x65, 0x13, 0xcf, 0x9d, 0x15, 0x13, 0x7a, 0xb6, 0x12, 0x38, 0xc9, 0x21, 0xf0, 0xa7,
|
||||
0x68, 0x33, 0x08, 0x83, 0x54, 0xaa, 0x45, 0x8e, 0xb8, 0xb3, 0xaa, 0x48, 0xf7, 0xe5, 0x20, 0x1d,
|
||||
0x17, 0x5d, 0x64, 0x1a, 0xdb, 0x78, 0x70, 0x75, 0x5d, 0x5d, 0x7a, 0x71, 0x5d, 0x5d, 0x7a, 0x79,
|
||||
0x5d, 0x5d, 0xfa, 0x79, 0x52, 0xb5, 0xae, 0x26, 0x55, 0xeb, 0xc5, 0xa4, 0x6a, 0xbd, 0x9c, 0x54,
|
||||
0xad, 0x7f, 0x26, 0x55, 0xeb, 0xd7, 0x7f, 0xab, 0x4b, 0xdf, 0xac, 0xea, 0x54, 0xfe, 0x0b, 0x00,
|
||||
0x00, 0xff, 0xff, 0x88, 0x33, 0xe9, 0x19, 0x81, 0x0c, 0x00, 0x00,
|
||||
0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0x74, 0x95, 0x83, 0x1d, 0x8c, 0x04,
|
||||
0x11, 0xa4, 0xbb, 0x4d, 0x5b, 0x48, 0x2e, 0x1c, 0x62, 0x15, 0x81, 0xa5, 0x10, 0xa2, 0x49, 0x5c,
|
||||
0x21, 0xe0, 0xc0, 0xd8, 0x7e, 0xb1, 0x97, 0x78, 0xff, 0x30, 0x33, 0x6b, 0x94, 0x1b, 0x1f, 0x81,
|
||||
0x3b, 0xdf, 0x82, 0x0f, 0x50, 0x21, 0xc1, 0x21, 0xc7, 0x1e, 0x7b, 0xb2, 0x88, 0xf9, 0x16, 0x39,
|
||||
0xa1, 0x99, 0x9d, 0xdd, 0x59, 0xdb, 0x4d, 0xeb, 0x5c, 0x7a, 0xdb, 0x7d, 0xef, 0xf7, 0xfb, 0xcd,
|
||||
0x7b, 0x6f, 0xde, 0x7b, 0xbb, 0xe8, 0xf8, 0x7c, 0x9f, 0xbb, 0x7e, 0xe4, 0x9d, 0x27, 0x6d, 0x60,
|
||||
0x21, 0x08, 0xe0, 0xde, 0x10, 0xc2, 0x6e, 0xc4, 0x3c, 0xed, 0xa0, 0xb1, 0xcf, 0x81, 0x0d, 0x81,
|
||||
0x79, 0xf1, 0x79, 0x4f, 0xbd, 0x79, 0x34, 0xe9, 0xfa, 0xc2, 0x1b, 0xee, 0xb6, 0x41, 0xd0, 0x5d,
|
||||
0xaf, 0x07, 0x21, 0x30, 0x2a, 0xa0, 0xeb, 0xc6, 0x2c, 0x12, 0x11, 0xfe, 0x38, 0x25, 0xba, 0x39,
|
||||
0xd1, 0x8d, 0xcf, 0x7b, 0xea, 0xcd, 0x55, 0x44, 0x57, 0x13, 0x37, 0x1f, 0xf6, 0x7c, 0xd1, 0x4f,
|
||||
0xda, 0x6e, 0x27, 0x0a, 0xbc, 0x5e, 0xd4, 0x8b, 0x3c, 0xc5, 0x6f, 0x27, 0x67, 0xea, 0x4d, 0xbd,
|
||||
0xa8, 0xa7, 0x54, 0x77, 0x73, 0xc7, 0x04, 0xe4, 0xd1, 0x44, 0xf4, 0x21, 0x14, 0x7e, 0x87, 0x0a,
|
||||
0x3f, 0x0a, 0xbd, 0xe1, 0x4c, 0x14, 0x9b, 0x4f, 0x0d, 0x3a, 0xa0, 0x9d, 0xbe, 0x1f, 0x02, 0xbb,
|
||||
0x30, 0x19, 0x04, 0x20, 0xe8, 0xeb, 0x58, 0xde, 0x4d, 0x2c, 0x96, 0x84, 0xc2, 0x0f, 0x60, 0x86,
|
||||
0xf0, 0xf9, 0xdb, 0x08, 0xbc, 0xd3, 0x87, 0x80, 0xce, 0xf0, 0x9e, 0xdc, 0xc4, 0x4b, 0x84, 0x3f,
|
||||
0xf0, 0xfc, 0x50, 0x70, 0xc1, 0x66, 0x48, 0xfb, 0x6f, 0xbf, 0x12, 0x3a, 0x88, 0xfb, 0xb3, 0x77,
|
||||
0x52, 0xff, 0xbb, 0x82, 0xca, 0x5f, 0x0e, 0x21, 0x14, 0xf8, 0x27, 0x54, 0x91, 0xc9, 0x77, 0xa9,
|
||||
0xa0, 0x8e, 0xb5, 0x65, 0x6d, 0xaf, 0x3c, 0x7e, 0xe4, 0x9a, 0x0b, 0xcb, 0x63, 0x31, 0x77, 0x26,
|
||||
0xd1, 0xee, 0x70, 0xd7, 0xfd, 0xb6, 0xfd, 0x33, 0x74, 0xc4, 0x37, 0x20, 0x68, 0x03, 0x5f, 0x8e,
|
||||
0x6a, 0x0b, 0xe3, 0x51, 0x0d, 0x19, 0x1b, 0xc9, 0x55, 0xf1, 0x0e, 0x2a, 0x0f, 0x60, 0x08, 0x03,
|
||||
0xe7, 0xce, 0x96, 0xb5, 0x6d, 0x37, 0xde, 0xd7, 0xe0, 0xf2, 0xa1, 0x34, 0x5e, 0x67, 0x0f, 0x24,
|
||||
0x05, 0xe1, 0x1f, 0x90, 0x2d, 0xeb, 0xc4, 0x05, 0x0d, 0x62, 0xa7, 0xa4, 0x02, 0xfa, 0x64, 0xbe,
|
||||
0x80, 0x4e, 0xfd, 0x00, 0x1a, 0xf7, 0xb4, 0xba, 0x7d, 0x9a, 0x89, 0x10, 0xa3, 0x87, 0x8f, 0xd0,
|
||||
0xb2, 0x2a, 0x4c, 0xf3, 0x99, 0xb3, 0xa8, 0x82, 0x79, 0xaa, 0xe1, 0xcb, 0x07, 0xa9, 0xf9, 0x7a,
|
||||
0x54, 0xfb, 0xe0, 0xa6, 0x9b, 0x10, 0x17, 0x31, 0x70, 0xb7, 0xd5, 0x7c, 0x46, 0x32, 0x11, 0x99,
|
||||
0x1a, 0x17, 0xb4, 0x07, 0x4e, 0x79, 0x32, 0xb5, 0x13, 0x69, 0xbc, 0xce, 0x1e, 0x48, 0x0a, 0xc2,
|
||||
0x8f, 0x11, 0x62, 0xf0, 0x4b, 0x02, 0x5c, 0xb4, 0x48, 0xd3, 0x59, 0x52, 0x94, 0xbc, 0x74, 0x24,
|
||||
0xf7, 0x90, 0x02, 0x0a, 0x6f, 0xa1, 0xc5, 0x21, 0xb0, 0xb6, 0xb3, 0xac, 0xd0, 0x77, 0x35, 0x7a,
|
||||
0xf1, 0x39, 0xb0, 0x36, 0x51, 0x1e, 0xfc, 0x35, 0x5a, 0x4c, 0x38, 0x30, 0xa7, 0xa2, 0x6a, 0xf5,
|
||||
0x51, 0xa1, 0x56, 0xee, 0xe4, 0x54, 0xc8, 0x1a, 0xb5, 0x38, 0xb0, 0x66, 0x78, 0x16, 0x19, 0x25,
|
||||
0x69, 0x21, 0x4a, 0x01, 0xf7, 0xd1, 0x86, 0x1f, 0xc4, 0xc0, 0x78, 0x14, 0xca, 0x56, 0x91, 0x1e,
|
||||
0xc7, 0xbe, 0x95, 0xea, 0x7b, 0xe3, 0x51, 0x6d, 0xa3, 0x39, 0xa5, 0x41, 0x66, 0x54, 0xf1, 0xa7,
|
||||
0xc8, 0xe6, 0x51, 0xc2, 0x3a, 0xd0, 0x3c, 0xe6, 0x0e, 0xda, 0x2a, 0x6d, 0xdb, 0x8d, 0x55, 0x79,
|
||||
0x69, 0x27, 0x99, 0x91, 0x18, 0x3f, 0x06, 0x64, 0x47, 0xaa, 0xaf, 0x08, 0x9c, 0x39, 0x2b, 0x2a,
|
||||
0x9e, 0x7d, 0x77, 0xce, 0x9d, 0xa2, 0xbb, 0x94, 0xc0, 0x19, 0x30, 0x08, 0x3b, 0x90, 0x1e, 0x93,
|
||||
0x1b, 0x89, 0x51, 0xc6, 0x7d, 0xb4, 0xc6, 0x80, 0xc7, 0x51, 0xc8, 0xe1, 0x44, 0x50, 0x91, 0x70,
|
||||
0xe7, 0xae, 0x3a, 0x6b, 0x67, 0xbe, 0xee, 0x4b, 0x39, 0x0d, 0x3c, 0x1e, 0xd5, 0xd6, 0xc8, 0x84,
|
||||
0x0e, 0x99, 0xd2, 0xc5, 0x14, 0xad, 0xea, 0x1b, 0x4e, 0x03, 0x71, 0x56, 0xd5, 0x41, 0xdb, 0x37,
|
||||
0x1e, 0xa4, 0x77, 0x87, 0xdb, 0x0a, 0xcf, 0xc3, 0xe8, 0xd7, 0xb0, 0x71, 0x6f, 0x3c, 0xaa, 0xad,
|
||||
0x92, 0xa2, 0x04, 0x99, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0x3e, 0x63, 0xed, 0x96, 0x67, 0x4c, 0x24,
|
||||
0xa2, 0x0f, 0x99, 0xd2, 0xac, 0xbf, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0xa1, 0xcf, 0x05, 0xfe, 0x71,
|
||||
0x66, 0x93, 0xb8, 0xf3, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd0, 0x4d, 0x59, 0xc9, 0x2c, 0x85,
|
||||
0x2d, 0x72, 0x82, 0xca, 0xbe, 0x80, 0x80, 0x3b, 0x77, 0xb6, 0x4a, 0x53, 0xd2, 0x6f, 0xee, 0x00,
|
||||
0x15, 0x60, 0x63, 0x35, 0x1b, 0xcd, 0xa6, 0x14, 0x21, 0xa9, 0x56, 0xfd, 0x0f, 0x0b, 0xad, 0x7d,
|
||||
0xc5, 0xa2, 0x24, 0x26, 0x90, 0xf6, 0x1b, 0xc7, 0x1f, 0xa2, 0x72, 0x4f, 0x5a, 0x54, 0x0a, 0xb6,
|
||||
0xe1, 0xa5, 0xb0, 0xd4, 0x27, 0xfb, 0x97, 0x65, 0x0c, 0x15, 0x90, 0xee, 0xdf, 0x5c, 0x86, 0x18,
|
||||
0x3f, 0xde, 0x93, 0xd7, 0x9d, 0xbe, 0x1c, 0xd1, 0x00, 0xb8, 0x53, 0x52, 0x04, 0x7d, 0x89, 0x05,
|
||||
0x07, 0x99, 0xc4, 0xd5, 0xff, 0x2c, 0xa1, 0xf5, 0xa9, 0xfe, 0xc5, 0x3b, 0xa8, 0x92, 0x81, 0x74,
|
||||
0x84, 0x79, 0xd1, 0x32, 0x2d, 0x92, 0x23, 0xb0, 0x87, 0xec, 0x50, 0x4a, 0xc5, 0xb4, 0x03, 0x7a,
|
||||
0xfd, 0xe6, 0x0b, 0xf2, 0x28, 0x73, 0x10, 0x83, 0x91, 0xeb, 0x46, 0xbe, 0xa8, 0xc5, 0x5b, 0x58,
|
||||
0x37, 0x12, 0x4b, 0x94, 0x07, 0x37, 0x50, 0x29, 0xf1, 0xbb, 0x7a, 0x7d, 0x3e, 0xd2, 0x80, 0x52,
|
||||
0x6b, 0xde, 0xd5, 0x29, 0xc9, 0x32, 0x09, 0x1a, 0xfb, 0xaa, 0xa2, 0x7a, 0x73, 0xe6, 0x49, 0x1c,
|
||||
0x1c, 0x37, 0xd3, 0x4a, 0xe7, 0x08, 0xb9, 0x36, 0x69, 0xec, 0x3f, 0x07, 0xc6, 0xfd, 0x28, 0x9c,
|
||||
0x5e, 0x9b, 0x07, 0xc7, 0x4d, 0xed, 0x21, 0x05, 0x14, 0x3e, 0x40, 0xeb, 0x59, 0x11, 0x32, 0x62,
|
||||
0xba, 0x41, 0x1f, 0x68, 0xe2, 0x3a, 0x99, 0x74, 0x93, 0x69, 0x3c, 0xfe, 0x0c, 0xad, 0xf0, 0xa4,
|
||||
0x9d, 0x17, 0xbb, 0xa2, 0xe8, 0xf7, 0x35, 0x7d, 0xe5, 0xc4, 0xb8, 0x48, 0x11, 0x57, 0xff, 0xc7,
|
||||
0x42, 0x4b, 0xc7, 0xd1, 0xc0, 0xef, 0x5c, 0xbc, 0x83, 0x4f, 0xeb, 0x77, 0xa8, 0xcc, 0x92, 0x01,
|
||||
0x64, 0x43, 0xf1, 0x64, 0xee, 0xa1, 0x48, 0x23, 0x24, 0xc9, 0x00, 0x4c, 0x87, 0xcb, 0x37, 0x4e,
|
||||
0x52, 0xc1, 0xfa, 0x5f, 0x16, 0x42, 0x29, 0xe8, 0x1d, 0xcc, 0xf6, 0xe9, 0xe4, 0x6c, 0x7b, 0xb7,
|
||||
0x4c, 0xe3, 0x86, 0xe1, 0x7e, 0x51, 0xca, 0x52, 0x90, 0x99, 0x99, 0xdf, 0x10, 0x6b, 0x9e, 0xdf,
|
||||
0x90, 0x1a, 0x2a, 0xcb, 0x6f, 0x62, 0x36, 0xdd, 0xb6, 0x44, 0xca, 0x4f, 0x17, 0x27, 0xa9, 0x1d,
|
||||
0xbb, 0x08, 0xc9, 0x07, 0xd5, 0xa2, 0xd9, 0x48, 0xaf, 0xc9, 0x8b, 0x6a, 0xe5, 0x56, 0x52, 0x40,
|
||||
0x48, 0x41, 0xf9, 0xb9, 0xe6, 0xce, 0xa2, 0x11, 0x94, 0x5f, 0x71, 0x4e, 0x52, 0x3b, 0xee, 0x17,
|
||||
0x77, 0x4a, 0x59, 0x15, 0x62, 0x6f, 0xee, 0x42, 0x4c, 0x2e, 0x31, 0x33, 0xe4, 0xaf, 0x5d, 0x48,
|
||||
0x2e, 0x42, 0xf9, 0xc4, 0x73, 0x67, 0xc9, 0x84, 0x9e, 0xaf, 0x04, 0x4e, 0x0a, 0x08, 0xfc, 0x05,
|
||||
0x5a, 0x0f, 0xa3, 0x30, 0x93, 0x6a, 0x91, 0x43, 0xee, 0x2c, 0x2b, 0xd2, 0x7d, 0x39, 0x48, 0x47,
|
||||
0x93, 0x2e, 0x32, 0x8d, 0xc5, 0x7b, 0x08, 0x45, 0x81, 0x2f, 0xd4, 0xaf, 0x10, 0x77, 0x2a, 0x8a,
|
||||
0xf9, 0x40, 0xb5, 0x74, 0x6e, 0x35, 0xbf, 0x4a, 0x05, 0x68, 0xe3, 0xe1, 0xe5, 0x55, 0x75, 0xe1,
|
||||
0xe5, 0x55, 0x75, 0xe1, 0xd5, 0x55, 0x75, 0xe1, 0xb7, 0x71, 0xd5, 0xba, 0x1c, 0x57, 0xad, 0x97,
|
||||
0xe3, 0xaa, 0xf5, 0x6a, 0x5c, 0xb5, 0xfe, 0x1d, 0x57, 0xad, 0xdf, 0xff, 0xab, 0x2e, 0x7c, 0xbf,
|
||||
0xac, 0x6b, 0xf0, 0x7f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x19, 0x44, 0x81, 0xf3, 0xba, 0x0c, 0x00,
|
||||
0x00,
|
||||
}
|
||||
|
@ -212,5 +212,9 @@ message PolicyRule {
|
||||
// "/healthz*" - Log all health checks
|
||||
// +optional
|
||||
repeated string nonResourceURLs = 7;
|
||||
|
||||
// OmitStages specify events generated in which stages will not be emitted to backend.
|
||||
// An empty list means no restrictions will apply.
|
||||
repeated string omitStages = 8;
|
||||
}
|
||||
|
||||
|
@ -201,6 +201,10 @@ type PolicyRule struct {
|
||||
// "/healthz*" - Log all health checks
|
||||
// +optional
|
||||
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
|
||||
|
||||
// OmitStages specify events generated in which stages will not be emitted to backend.
|
||||
// An empty list means no restrictions will apply.
|
||||
OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
|
||||
}
|
||||
|
||||
// GroupResources represents resource kinds in an API group.
|
||||
|
@ -239,6 +239,7 @@ func autoConvert_v1beta1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *aud
|
||||
out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources))
|
||||
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
|
||||
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
|
||||
out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages))
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -255,6 +256,7 @@ func autoConvert_audit_PolicyRule_To_v1beta1_PolicyRule(in *audit.PolicyRule, ou
|
||||
out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources))
|
||||
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
|
||||
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
|
||||
out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages))
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.OmitStages != nil {
|
||||
in, out := &in.OmitStages, &out.OmitStages
|
||||
*out = make([]Stage, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -38,6 +38,7 @@ func validatePolicyRule(rule audit.PolicyRule, fldPath *field.Path) field.ErrorL
|
||||
allErrs = append(allErrs, validateLevel(rule.Level, fldPath.Child("level"))...)
|
||||
allErrs = append(allErrs, validateNonResourceURLs(rule.NonResourceURLs, fldPath.Child("nonResourceURLs"))...)
|
||||
allErrs = append(allErrs, validateResources(rule.Resources, fldPath.Child("resources"))...)
|
||||
allErrs = append(allErrs, validateOmitStages(rule.OmitStages, fldPath.Child("omitStages"))...)
|
||||
|
||||
if len(rule.NonResourceURLs) > 0 {
|
||||
if len(rule.Resources) > 0 || len(rule.Namespaces) > 0 {
|
||||
@ -55,6 +56,13 @@ var validLevels = []string{
|
||||
string(audit.LevelRequestResponse),
|
||||
}
|
||||
|
||||
var validOmitStages = []string{
|
||||
string(audit.StageRequestReceived),
|
||||
string(audit.StageResponseStarted),
|
||||
string(audit.StageResponseComplete),
|
||||
string(audit.StagePanic),
|
||||
}
|
||||
|
||||
func validateLevel(level audit.Level, fldPath *field.Path) field.ErrorList {
|
||||
switch level {
|
||||
case audit.LevelNone, audit.LevelMetadata, audit.LevelRequest, audit.LevelRequestResponse:
|
||||
@ -104,3 +112,20 @@ func validateResources(groupResources []audit.GroupResources, fldPath *field.Pat
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func validateOmitStages(omitStages []audit.Stage, fldPath *field.Path) field.ErrorList {
|
||||
var allErrs field.ErrorList
|
||||
for i, stage := range omitStages {
|
||||
valid := false
|
||||
for _, validOmitStage := range validOmitStages {
|
||||
if string(stage) == validOmitStage {
|
||||
valid = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !valid {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), string(stage), "allowed stages are "+strings.Join(validOmitStages, ",")))
|
||||
}
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
@ -43,6 +43,11 @@ func TestValidatePolicy(t *testing.T) {
|
||||
"/metrics",
|
||||
"*",
|
||||
},
|
||||
}, { // Omit RequestReceived stage
|
||||
Level: audit.LevelMetadata,
|
||||
OmitStages: []audit.Stage{
|
||||
audit.Stage("RequestReceived"),
|
||||
},
|
||||
},
|
||||
}
|
||||
successCases := []audit.Policy{}
|
||||
@ -108,6 +113,12 @@ func TestValidatePolicy(t *testing.T) {
|
||||
Resources: []audit.GroupResources{{ResourceNames: []string{"leader"}}},
|
||||
Namespaces: []string{"kube-system"},
|
||||
},
|
||||
{ // invalid omitStages
|
||||
Level: audit.LevelMetadata,
|
||||
OmitStages: []audit.Stage{
|
||||
audit.Stage("foo"),
|
||||
},
|
||||
},
|
||||
}
|
||||
errorCases := []audit.Policy{}
|
||||
for _, rule := range invalidRules {
|
||||
|
@ -325,6 +325,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.OmitStages != nil {
|
||||
in, out := &in.OmitStages, &out.OmitStages
|
||||
*out = make([]Stage, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -31,7 +31,7 @@ const (
|
||||
// Checker exposes methods for checking the policy rules.
|
||||
type Checker interface {
|
||||
// Check the audit level for a request with the given authorizer attributes.
|
||||
Level(authorizer.Attributes) audit.Level
|
||||
LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage)
|
||||
}
|
||||
|
||||
// NewChecker creates a new policy checker.
|
||||
@ -40,21 +40,21 @@ func NewChecker(policy *audit.Policy) Checker {
|
||||
}
|
||||
|
||||
// FakeChecker creates a checker that returns a constant level for all requests (for testing).
|
||||
func FakeChecker(level audit.Level) Checker {
|
||||
return &fakeChecker{level}
|
||||
func FakeChecker(level audit.Level, stage []audit.Stage) Checker {
|
||||
return &fakeChecker{level, stage}
|
||||
}
|
||||
|
||||
type policyChecker struct {
|
||||
audit.Policy
|
||||
}
|
||||
|
||||
func (p *policyChecker) Level(attrs authorizer.Attributes) audit.Level {
|
||||
func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level, []audit.Stage) {
|
||||
for _, rule := range p.Rules {
|
||||
if ruleMatches(&rule, attrs) {
|
||||
return rule.Level
|
||||
return rule.Level, rule.OmitStages
|
||||
}
|
||||
}
|
||||
return DefaultAuditLevel
|
||||
return DefaultAuditLevel, nil
|
||||
}
|
||||
|
||||
// Check whether the rule matches the request attrs.
|
||||
@ -181,8 +181,9 @@ func hasString(slice []string, value string) bool {
|
||||
|
||||
type fakeChecker struct {
|
||||
level audit.Level
|
||||
stage []audit.Stage
|
||||
}
|
||||
|
||||
func (f *fakeChecker) Level(_ authorizer.Attributes) audit.Level {
|
||||
return f.level
|
||||
func (f *fakeChecker) LevelAndStages(_ authorizer.Attributes) (audit.Level, []audit.Stage) {
|
||||
return f.level, f.stage
|
||||
}
|
||||
|
@ -136,59 +136,80 @@ func TestChecker(t *testing.T) {
|
||||
ResourceNames: []string{"edit"},
|
||||
}},
|
||||
},
|
||||
"omit RequestReceived": {
|
||||
Level: audit.LevelRequest,
|
||||
OmitStages: []audit.Stage{
|
||||
audit.StageRequestReceived,
|
||||
},
|
||||
},
|
||||
"only audit panic": {
|
||||
Level: audit.LevelRequest,
|
||||
OmitStages: []audit.Stage{
|
||||
audit.StageRequestReceived,
|
||||
audit.StageResponseStarted,
|
||||
audit.StageResponseComplete,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
test := func(req string, expected audit.Level, ruleNames ...string) {
|
||||
test := func(req string, expLevel audit.Level, expOmitStages []audit.Stage, ruleNames ...string) {
|
||||
policy := audit.Policy{}
|
||||
for _, rule := range ruleNames {
|
||||
require.Contains(t, rules, rule)
|
||||
policy.Rules = append(policy.Rules, rules[rule])
|
||||
}
|
||||
require.Contains(t, attrs, req)
|
||||
actual := NewChecker(&policy).Level(attrs[req])
|
||||
assert.Equal(t, expected, actual, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
|
||||
actualLevel, actualOmitStages := NewChecker(&policy).LevelAndStages(attrs[req])
|
||||
assert.Equal(t, expLevel, actualLevel, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
|
||||
assert.Equal(t, expOmitStages, actualOmitStages, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
|
||||
}
|
||||
|
||||
test("namespaced", audit.LevelMetadata, "default")
|
||||
test("namespaced", audit.LevelNone, "create")
|
||||
test("namespaced", audit.LevelMetadata, "tims")
|
||||
test("namespaced", audit.LevelMetadata, "humans")
|
||||
test("namespaced", audit.LevelNone, "serviceAccounts")
|
||||
test("namespaced", audit.LevelRequestResponse, "getPods")
|
||||
test("namespaced", audit.LevelNone, "getClusterRoles")
|
||||
test("namespaced", audit.LevelNone, "getLogs")
|
||||
test("namespaced", audit.LevelNone, "getMetrics")
|
||||
test("namespaced", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
|
||||
test("namespaced", audit.LevelRequestResponse, "getMetrics", "getPods", "default")
|
||||
test("namespaced", audit.LevelRequestResponse, "getPodLogs", "getPods")
|
||||
test("namespaced", audit.LevelMetadata, nil, "default")
|
||||
test("namespaced", audit.LevelNone, nil, "create")
|
||||
test("namespaced", audit.LevelMetadata, nil, "tims")
|
||||
test("namespaced", audit.LevelMetadata, nil, "humans")
|
||||
test("namespaced", audit.LevelNone, nil, "serviceAccounts")
|
||||
test("namespaced", audit.LevelRequestResponse, nil, "getPods")
|
||||
test("namespaced", audit.LevelNone, nil, "getClusterRoles")
|
||||
test("namespaced", audit.LevelNone, nil, "getLogs")
|
||||
test("namespaced", audit.LevelNone, nil, "getMetrics")
|
||||
test("namespaced", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
|
||||
test("namespaced", audit.LevelRequestResponse, nil, "getMetrics", "getPods", "default")
|
||||
test("namespaced", audit.LevelRequestResponse, nil, "getPodLogs", "getPods")
|
||||
test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
|
||||
test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
|
||||
|
||||
test("cluster", audit.LevelMetadata, "default")
|
||||
test("cluster", audit.LevelNone, "create")
|
||||
test("cluster", audit.LevelMetadata, "tims")
|
||||
test("cluster", audit.LevelMetadata, "humans")
|
||||
test("cluster", audit.LevelNone, "serviceAccounts")
|
||||
test("cluster", audit.LevelNone, "getPods")
|
||||
test("cluster", audit.LevelRequestResponse, "getClusterRoles")
|
||||
test("cluster", audit.LevelRequest, "clusterRoleEdit", "getClusterRoles")
|
||||
test("cluster", audit.LevelNone, "getLogs")
|
||||
test("cluster", audit.LevelNone, "getMetrics")
|
||||
test("cluster", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
|
||||
test("cluster", audit.LevelRequestResponse, "getMetrics", "getClusterRoles", "default")
|
||||
test("cluster", audit.LevelNone, "getPodLogs", "getPods")
|
||||
test("cluster", audit.LevelMetadata, nil, "default")
|
||||
test("cluster", audit.LevelNone, nil, "create")
|
||||
test("cluster", audit.LevelMetadata, nil, "tims")
|
||||
test("cluster", audit.LevelMetadata, nil, "humans")
|
||||
test("cluster", audit.LevelNone, nil, "serviceAccounts")
|
||||
test("cluster", audit.LevelNone, nil, "getPods")
|
||||
test("cluster", audit.LevelRequestResponse, nil, "getClusterRoles")
|
||||
test("cluster", audit.LevelRequest, nil, "clusterRoleEdit", "getClusterRoles")
|
||||
test("cluster", audit.LevelNone, nil, "getLogs")
|
||||
test("cluster", audit.LevelNone, nil, "getMetrics")
|
||||
test("cluster", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
|
||||
test("cluster", audit.LevelRequestResponse, nil, "getMetrics", "getClusterRoles", "default")
|
||||
test("cluster", audit.LevelNone, nil, "getPodLogs", "getPods")
|
||||
test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
|
||||
test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
|
||||
|
||||
test("nonResource", audit.LevelMetadata, "default")
|
||||
test("nonResource", audit.LevelNone, "create")
|
||||
test("nonResource", audit.LevelMetadata, "tims")
|
||||
test("nonResource", audit.LevelMetadata, "humans")
|
||||
test("nonResource", audit.LevelNone, "serviceAccounts")
|
||||
test("nonResource", audit.LevelNone, "getPods")
|
||||
test("nonResource", audit.LevelNone, "getClusterRoles")
|
||||
test("nonResource", audit.LevelRequestResponse, "getLogs")
|
||||
test("nonResource", audit.LevelNone, "getMetrics")
|
||||
test("nonResource", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
|
||||
test("nonResource", audit.LevelRequestResponse, "getLogs", "getClusterRoles", "default")
|
||||
test("nonResource", audit.LevelNone, "getPodLogs", "getPods")
|
||||
test("nonResource", audit.LevelMetadata, nil, "default")
|
||||
test("nonResource", audit.LevelNone, nil, "create")
|
||||
test("nonResource", audit.LevelMetadata, nil, "tims")
|
||||
test("nonResource", audit.LevelMetadata, nil, "humans")
|
||||
test("nonResource", audit.LevelNone, nil, "serviceAccounts")
|
||||
test("nonResource", audit.LevelNone, nil, "getPods")
|
||||
test("nonResource", audit.LevelNone, nil, "getClusterRoles")
|
||||
test("nonResource", audit.LevelRequestResponse, nil, "getLogs")
|
||||
test("nonResource", audit.LevelNone, nil, "getMetrics")
|
||||
test("nonResource", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
|
||||
test("nonResource", audit.LevelRequestResponse, nil, "getLogs", "getClusterRoles", "default")
|
||||
test("nonResource", audit.LevelNone, nil, "getPodLogs", "getPods")
|
||||
test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
|
||||
test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
|
||||
|
||||
test("subresource", audit.LevelRequest, "getPodLogs", "getPods")
|
||||
test("subresource", audit.LevelRequest, "getPods", "getPodLogs")
|
||||
test("subresource", audit.LevelRequest, nil, "getPodLogs", "getPods")
|
||||
test("subresource", audit.LevelRequest, nil, "getPods", "getPodLogs")
|
||||
}
|
||||
|
@ -331,7 +331,7 @@ func handleInternal(storage map[string]rest.Storage, admissionControl admission.
|
||||
}
|
||||
}
|
||||
|
||||
handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse), func(r *http.Request, requestInfo *request.RequestInfo) bool {
|
||||
handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse, nil), func(r *http.Request, requestInfo *request.RequestInfo) bool {
|
||||
// simplified long-running check
|
||||
return requestInfo.Verb == "watch" || requestInfo.Verb == "proxy"
|
||||
})
|
||||
|
@ -42,7 +42,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
|
||||
return handler
|
||||
}
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
||||
ctx, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
|
||||
ctx, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
|
||||
if err != nil {
|
||||
utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err))
|
||||
responsewriters.InternalError(w, req, errors.New("failed to create audit event"))
|
||||
@ -54,7 +54,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
|
||||
}
|
||||
|
||||
ev.Stage = auditinternal.StageRequestReceived
|
||||
processAuditEvent(sink, ev)
|
||||
processAuditEvent(sink, ev, omitStages)
|
||||
|
||||
// intercept the status code
|
||||
var longRunningSink audit.Sink
|
||||
@ -64,7 +64,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
|
||||
longRunningSink = sink
|
||||
}
|
||||
}
|
||||
respWriter := decorateResponseWriter(w, ev, longRunningSink)
|
||||
respWriter := decorateResponseWriter(w, ev, longRunningSink, omitStages)
|
||||
|
||||
// send audit event when we leave this func, either via a panic or cleanly. In the case of long
|
||||
// running requests, this will be the second audit event.
|
||||
@ -78,7 +78,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
|
||||
Reason: metav1.StatusReasonInternalError,
|
||||
Message: fmt.Sprintf("APIServer panic'd: %v", r),
|
||||
}
|
||||
processAuditEvent(sink, ev)
|
||||
processAuditEvent(sink, ev, omitStages)
|
||||
return
|
||||
}
|
||||
|
||||
@ -92,14 +92,14 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
|
||||
if ev.ResponseStatus == nil && longRunningSink != nil {
|
||||
ev.ResponseStatus = fakedSuccessStatus
|
||||
ev.Stage = auditinternal.StageResponseStarted
|
||||
processAuditEvent(longRunningSink, ev)
|
||||
processAuditEvent(longRunningSink, ev, omitStages)
|
||||
}
|
||||
|
||||
ev.Stage = auditinternal.StageResponseComplete
|
||||
if ev.ResponseStatus == nil {
|
||||
ev.ResponseStatus = fakedSuccessStatus
|
||||
}
|
||||
processAuditEvent(sink, ev)
|
||||
processAuditEvent(sink, ev, omitStages)
|
||||
}()
|
||||
handler.ServeHTTP(respWriter, req)
|
||||
})
|
||||
@ -110,47 +110,53 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
|
||||
// - context with audit event attached to it
|
||||
// - created audit event
|
||||
// - error if anything bad happened
|
||||
func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, error) {
|
||||
func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, []auditinternal.Stage, error) {
|
||||
ctx, ok := requestContextMapper.Get(req)
|
||||
if !ok {
|
||||
return nil, nil, fmt.Errorf("no context found for request")
|
||||
return nil, nil, nil, fmt.Errorf("no context found for request")
|
||||
}
|
||||
|
||||
attribs, err := GetAuthorizerAttributes(ctx)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
|
||||
return nil, nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
|
||||
}
|
||||
|
||||
level := policy.Level(attribs)
|
||||
level, omitStages := policy.LevelAndStages(attribs)
|
||||
audit.ObservePolicyLevel(level)
|
||||
if level == auditinternal.LevelNone {
|
||||
// Don't audit.
|
||||
return nil, nil, nil
|
||||
return nil, nil, nil, nil
|
||||
}
|
||||
|
||||
ev, err := audit.NewEventFromRequest(req, level, attribs)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err)
|
||||
return nil, nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err)
|
||||
}
|
||||
|
||||
ctx = request.WithAuditEvent(ctx, ev)
|
||||
if err := requestContextMapper.Update(req, ctx); err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err)
|
||||
return nil, nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err)
|
||||
}
|
||||
|
||||
return ctx, ev, nil
|
||||
return ctx, ev, omitStages, nil
|
||||
}
|
||||
|
||||
func processAuditEvent(sink audit.Sink, ev *auditinternal.Event) {
|
||||
func processAuditEvent(sink audit.Sink, ev *auditinternal.Event, omitStages []auditinternal.Stage) {
|
||||
for _, stage := range omitStages {
|
||||
if ev.Stage == stage {
|
||||
return
|
||||
}
|
||||
}
|
||||
audit.ObserveEvent()
|
||||
sink.ProcessEvents(ev)
|
||||
}
|
||||
|
||||
func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink) http.ResponseWriter {
|
||||
func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink, omitStages []auditinternal.Stage) http.ResponseWriter {
|
||||
delegate := &auditResponseWriter{
|
||||
ResponseWriter: responseWriter,
|
||||
event: ev,
|
||||
sink: sink,
|
||||
omitStages: omitStages,
|
||||
}
|
||||
|
||||
// check if the ResponseWriter we're wrapping is the fancy one we need
|
||||
@ -170,9 +176,10 @@ var _ http.ResponseWriter = &auditResponseWriter{}
|
||||
// create immediately an event (for long running requests).
|
||||
type auditResponseWriter struct {
|
||||
http.ResponseWriter
|
||||
event *auditinternal.Event
|
||||
once sync.Once
|
||||
sink audit.Sink
|
||||
event *auditinternal.Event
|
||||
once sync.Once
|
||||
sink audit.Sink
|
||||
omitStages []auditinternal.Stage
|
||||
}
|
||||
|
||||
func (a *auditResponseWriter) setHttpHeader() {
|
||||
@ -188,7 +195,7 @@ func (a *auditResponseWriter) processCode(code int) {
|
||||
a.event.Stage = auditinternal.StageResponseStarted
|
||||
|
||||
if a.sink != nil {
|
||||
processAuditEvent(a.sink, a.event)
|
||||
processAuditEvent(a.sink, a.event, a.omitStages)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -98,14 +98,14 @@ func (*fancyResponseWriter) Flush() {}
|
||||
func (*fancyResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) { return nil, nil, nil }
|
||||
|
||||
func TestConstructResponseWriter(t *testing.T) {
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil)
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil, nil)
|
||||
switch v := actual.(type) {
|
||||
case *auditResponseWriter:
|
||||
default:
|
||||
t.Errorf("Expected auditResponseWriter, got %v", reflect.TypeOf(v))
|
||||
}
|
||||
|
||||
actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil)
|
||||
actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil, nil)
|
||||
switch v := actual.(type) {
|
||||
case *fancyResponseWriterDelegator:
|
||||
default:
|
||||
@ -115,7 +115,7 @@ func TestConstructResponseWriter(t *testing.T) {
|
||||
|
||||
func TestDecorateResponseWriterWithoutChannel(t *testing.T) {
|
||||
ev := &auditinternal.Event{}
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil)
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil)
|
||||
|
||||
// write status. This will not block because firstEventSentCh is nil
|
||||
actual.WriteHeader(42)
|
||||
@ -129,7 +129,7 @@ func TestDecorateResponseWriterWithoutChannel(t *testing.T) {
|
||||
|
||||
func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) {
|
||||
ev := &auditinternal.Event{}
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil)
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil)
|
||||
|
||||
// write status. This will not block because firstEventSentCh is nil
|
||||
actual.Write([]byte("foo"))
|
||||
@ -144,7 +144,7 @@ func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) {
|
||||
func TestDecorateResponseWriterChannel(t *testing.T) {
|
||||
sink := &fakeAuditSink{}
|
||||
ev := &auditinternal.Event{}
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink)
|
||||
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink, nil)
|
||||
|
||||
done := make(chan struct{})
|
||||
go func() {
|
||||
@ -203,17 +203,19 @@ func TestAuditLegacy(t *testing.T) {
|
||||
delay := 500 * time.Millisecond
|
||||
|
||||
for _, test := range []struct {
|
||||
desc string
|
||||
path string
|
||||
verb string
|
||||
handler func(http.ResponseWriter, *http.Request)
|
||||
expected []string
|
||||
desc string
|
||||
path string
|
||||
verb string
|
||||
omitStages []auditinternal.Stage
|
||||
handler func(http.ResponseWriter, *http.Request)
|
||||
expected []string
|
||||
}{
|
||||
// short running requests with read-only verb
|
||||
{
|
||||
"read-only empty",
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]string{
|
||||
readOnlyShortRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
|
||||
@ -224,6 +226,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"read-only panic",
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
panic("kaboom")
|
||||
},
|
||||
@ -238,6 +241,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"writing empty",
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]string{
|
||||
writingShortRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
|
||||
@ -248,6 +252,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"writing sleep",
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {
|
||||
time.Sleep(delay)
|
||||
},
|
||||
@ -260,6 +265,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"writing 403+write",
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.WriteHeader(403)
|
||||
w.Write([]byte("foo"))
|
||||
@ -273,6 +279,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"writing panic",
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
panic("kaboom")
|
||||
},
|
||||
@ -285,6 +292,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"writing write+panic",
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
panic("kaboom")
|
||||
@ -300,6 +308,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"empty longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]string{
|
||||
longRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
|
||||
@ -311,6 +320,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"sleep longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {
|
||||
time.Sleep(delay)
|
||||
},
|
||||
@ -324,6 +334,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"sleep+403 longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
time.Sleep(delay)
|
||||
w.WriteHeader(403)
|
||||
@ -338,6 +349,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"write longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
},
|
||||
@ -351,6 +363,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"403+write longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.WriteHeader(403)
|
||||
w.Write([]byte("foo"))
|
||||
@ -365,6 +378,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"panic longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
panic("kaboom")
|
||||
},
|
||||
@ -377,6 +391,7 @@ func TestAuditLegacy(t *testing.T) {
|
||||
"write+panic longrunning",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
panic("kaboom")
|
||||
@ -387,10 +402,33 @@ func TestAuditLegacy(t *testing.T) {
|
||||
longRunningPrefix(auditinternal.StagePanic) + ` response="500"`,
|
||||
},
|
||||
},
|
||||
{
|
||||
"omit RequestReceived",
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
[]auditinternal.Stage{auditinternal.StageRequestReceived},
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]string{
|
||||
readOnlyShortRunningPrefix(auditinternal.StageResponseComplete) + ` response="200"`,
|
||||
},
|
||||
},
|
||||
{
|
||||
"emit painc only",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
[]auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete},
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
panic("kaboom")
|
||||
},
|
||||
[]string{
|
||||
longRunningPrefix(auditinternal.StagePanic) + ` response="500"`,
|
||||
},
|
||||
},
|
||||
} {
|
||||
var buf bytes.Buffer
|
||||
backend := pluginlog.NewBackend(&buf, pluginlog.FormatLegacy, auditv1beta1.SchemeGroupVersion)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages)
|
||||
handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{
|
||||
user: &user.DefaultInfo{Name: "admin"},
|
||||
}, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool {
|
||||
@ -440,6 +478,7 @@ func TestAuditJson(t *testing.T) {
|
||||
path string
|
||||
verb string
|
||||
auditID string
|
||||
omitStages []auditinternal.Stage
|
||||
handler func(http.ResponseWriter, *http.Request)
|
||||
expected []auditv1beta1.Event
|
||||
respHeader bool
|
||||
@ -450,6 +489,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]auditv1beta1.Event{
|
||||
{
|
||||
@ -471,6 +511,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
uuid.NewRandom().String(),
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
},
|
||||
@ -494,6 +535,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
panic("kaboom")
|
||||
},
|
||||
@ -518,6 +560,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
"",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]auditv1beta1.Event{
|
||||
{
|
||||
@ -539,6 +582,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
time.Sleep(delay)
|
||||
@ -563,6 +607,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.WriteHeader(403)
|
||||
w.Write([]byte("foo"))
|
||||
@ -587,6 +632,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
panic("kaboom")
|
||||
},
|
||||
@ -610,6 +656,7 @@ func TestAuditJson(t *testing.T) {
|
||||
shortRunningPath,
|
||||
"PUT",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
panic("kaboom")
|
||||
@ -635,6 +682,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {},
|
||||
[]auditv1beta1.Event{
|
||||
{
|
||||
@ -662,6 +710,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
uuid.NewRandom().String(),
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
},
|
||||
@ -691,6 +740,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(http.ResponseWriter, *http.Request) {
|
||||
time.Sleep(delay)
|
||||
},
|
||||
@ -720,6 +770,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
time.Sleep(delay)
|
||||
w.WriteHeader(403)
|
||||
@ -750,6 +801,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
},
|
||||
@ -779,6 +831,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.WriteHeader(403)
|
||||
w.Write([]byte("foo"))
|
||||
@ -809,6 +862,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
panic("kaboom")
|
||||
},
|
||||
@ -832,6 +886,7 @@ func TestAuditJson(t *testing.T) {
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
nil,
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
panic("kaboom")
|
||||
@ -857,10 +912,49 @@ func TestAuditJson(t *testing.T) {
|
||||
},
|
||||
true,
|
||||
},
|
||||
{
|
||||
"omit RequestReceived",
|
||||
shortRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
[]auditinternal.Stage{auditinternal.StageRequestReceived},
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
},
|
||||
[]auditv1beta1.Event{
|
||||
{
|
||||
Stage: auditinternal.StageResponseComplete,
|
||||
Verb: "get",
|
||||
RequestURI: shortRunningPath,
|
||||
ResponseStatus: &metav1.Status{Code: 200},
|
||||
},
|
||||
},
|
||||
true,
|
||||
},
|
||||
{
|
||||
"emit Panic only",
|
||||
longRunningPath,
|
||||
"GET",
|
||||
"",
|
||||
[]auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete},
|
||||
func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("foo"))
|
||||
panic("kaboom")
|
||||
},
|
||||
[]auditv1beta1.Event{
|
||||
{
|
||||
Stage: auditinternal.StagePanic,
|
||||
Verb: "watch",
|
||||
RequestURI: longRunningPath,
|
||||
ResponseStatus: &metav1.Status{Code: 500},
|
||||
},
|
||||
},
|
||||
true,
|
||||
},
|
||||
} {
|
||||
var buf bytes.Buffer
|
||||
backend := pluginlog.NewBackend(&buf, pluginlog.FormatJson, auditv1beta1.SchemeGroupVersion)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages)
|
||||
handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{
|
||||
user: &user.DefaultInfo{Name: "admin"},
|
||||
}, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool {
|
||||
@ -964,7 +1058,7 @@ func (*fakeRequestContextMapper) Update(req *http.Request, context request.Conte
|
||||
}
|
||||
|
||||
func TestAuditNoPanicOnNilUser(t *testing.T) {
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
|
||||
handler := WithAudit(&fakeHTTPHandler{}, &fakeRequestContextMapper{}, &fakeAuditSink{}, policyChecker, nil)
|
||||
req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
|
||||
req.RemoteAddr = "127.0.0.1"
|
||||
@ -977,7 +1071,7 @@ func TestAuditLevelNone(t *testing.T) {
|
||||
handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(200)
|
||||
})
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelNone)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelNone, nil)
|
||||
handler = WithAudit(handler, &fakeRequestContextMapper{
|
||||
user: &user.DefaultInfo{Name: "admin"},
|
||||
}, sink, policyChecker, nil)
|
||||
|
@ -38,7 +38,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap
|
||||
return failedHandler
|
||||
}
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
||||
_, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
|
||||
_, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
|
||||
if err != nil {
|
||||
utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err))
|
||||
responsewriters.InternalError(w, req, errors.New("failed to create audit event"))
|
||||
@ -53,7 +53,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap
|
||||
ev.ResponseStatus.Message = getAuthMethods(req)
|
||||
ev.Stage = auditinternal.StageResponseStarted
|
||||
|
||||
rw := decorateResponseWriter(w, ev, sink)
|
||||
rw := decorateResponseWriter(w, ev, sink, omitStages)
|
||||
failedHandler.ServeHTTP(rw, req)
|
||||
})
|
||||
}
|
||||
|
@ -30,7 +30,7 @@ import (
|
||||
|
||||
func TestFailedAuthnAudit(t *testing.T) {
|
||||
sink := &fakeAuditSink{}
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
|
||||
handler := WithFailedAuthenticationAudit(
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
@ -61,7 +61,7 @@ func TestFailedAuthnAudit(t *testing.T) {
|
||||
|
||||
func TestFailedMultipleAuthnAudit(t *testing.T) {
|
||||
sink := &fakeAuditSink{}
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
|
||||
handler := WithFailedAuthenticationAudit(
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
@ -93,7 +93,7 @@ func TestFailedMultipleAuthnAudit(t *testing.T) {
|
||||
|
||||
func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) {
|
||||
sink := &fakeAuditSink{}
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
|
||||
handler := WithFailedAuthenticationAudit(
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
@ -120,3 +120,20 @@ func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) {
|
||||
t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI)
|
||||
}
|
||||
}
|
||||
|
||||
func TestFailedAuthnAuditOmitted(t *testing.T) {
|
||||
sink := &fakeAuditSink{}
|
||||
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, []auditinternal.Stage{auditinternal.StageResponseStarted})
|
||||
handler := WithFailedAuthenticationAudit(
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
}),
|
||||
&fakeRequestContextMapper{}, sink, policyChecker)
|
||||
req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
|
||||
req.RemoteAddr = "127.0.0.1"
|
||||
handler.ServeHTTP(httptest.NewRecorder(), req)
|
||||
|
||||
if len(sink.events) != 0 {
|
||||
t.Fatalf("Unexpected number of audit events generated, expected 0, got: %d", len(sink.events))
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user