mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-11-03 23:40:03 +00:00
116 lines
3.0 KiB
Go
116 lines
3.0 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package utils
|
|
|
|
import (
|
|
"bufio"
|
|
"fmt"
|
|
"io"
|
|
"sort"
|
|
"strings"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
|
"k8s.io/apiserver/pkg/audit"
|
|
)
|
|
|
|
type AuditEvent struct {
|
|
Level auditinternal.Level
|
|
Stage auditinternal.Stage
|
|
RequestURI string
|
|
Verb string
|
|
Code int32
|
|
User string
|
|
ImpersonatedUser string
|
|
ImpersonatedGroups string
|
|
Resource string
|
|
Namespace string
|
|
RequestObject bool
|
|
ResponseObject bool
|
|
AuthorizeDecision string
|
|
}
|
|
|
|
// Search the audit log for the expected audit lines.
|
|
func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.GroupVersion) (missing []AuditEvent, err error) {
|
|
expectations := map[AuditEvent]bool{}
|
|
for _, event := range expected {
|
|
expectations[event] = false
|
|
}
|
|
|
|
scanner := bufio.NewScanner(stream)
|
|
for scanner.Scan() {
|
|
line := scanner.Text()
|
|
event, err := parseAuditLine(line, version)
|
|
if err != nil {
|
|
return expected, err
|
|
}
|
|
|
|
// If the event was expected, mark it as found.
|
|
if _, found := expectations[event]; found {
|
|
expectations[event] = true
|
|
}
|
|
}
|
|
if err := scanner.Err(); err != nil {
|
|
return expected, err
|
|
}
|
|
|
|
missing = make([]AuditEvent, 0)
|
|
for event, found := range expectations {
|
|
if !found {
|
|
missing = append(missing, event)
|
|
}
|
|
}
|
|
return missing, nil
|
|
}
|
|
|
|
func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error) {
|
|
e := &auditinternal.Event{}
|
|
decoder := audit.Codecs.UniversalDecoder(version)
|
|
if err := runtime.DecodeInto(decoder, []byte(line), e); err != nil {
|
|
return AuditEvent{}, fmt.Errorf("failed decoding buf: %s, apiVersion: %s", line, version)
|
|
}
|
|
|
|
event := AuditEvent{
|
|
Level: e.Level,
|
|
Stage: e.Stage,
|
|
RequestURI: e.RequestURI,
|
|
Verb: e.Verb,
|
|
User: e.User.Username,
|
|
}
|
|
if e.ObjectRef != nil {
|
|
event.Namespace = e.ObjectRef.Namespace
|
|
event.Resource = e.ObjectRef.Resource
|
|
}
|
|
if e.ResponseStatus != nil {
|
|
event.Code = e.ResponseStatus.Code
|
|
}
|
|
if e.ResponseObject != nil {
|
|
event.ResponseObject = true
|
|
}
|
|
if e.RequestObject != nil {
|
|
event.RequestObject = true
|
|
}
|
|
if e.ImpersonatedUser != nil {
|
|
event.ImpersonatedUser = e.ImpersonatedUser.Username
|
|
sort.Strings(e.ImpersonatedUser.Groups)
|
|
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
|
|
}
|
|
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
|
|
return event, nil
|
|
}
|