Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use subject and proper IP addresses for auditing gRPC requests. #123

Merged
merged 5 commits into from
Jan 31, 2024
Merged

Use subject and proper IP addresses for auditing gRPC requests. #123

Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f576d3b
Use subject and proper IP addresses for auditing gRPC requests.
Gerrit91 Jan 19, 2024
19a3fca
Missed one.
Gerrit91 Jan 22, 2024
14fce41
Attempt to map grpc status codes to http equivalents.
Gerrit91 Jan 22, 2024
65a40fe
Just use status code from grpc.
Gerrit91 Jan 22, 2024
1ce4d6a
Merge remote-tracking branch 'origin/master' into audit-grpc-subject
Gerrit91 Jan 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
126 changes: 109 additions & 17 deletions auditing/auditing-interceptor.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import (
"github.com/metal-stack/security"
"go.uber.org/zap"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)

const (
Expand Down Expand Up @@ -48,20 +50,25 @@ func UnaryServerInterceptor(a Auditing, logger *zap.SugaredLogger, shouldAudit f
Path: info.FullMethod,
Phase: EntryPhaseRequest,
}

user := security.GetUserFromContext(ctx)
if user != nil {
auditReqContext.User = user.EMail
auditReqContext.User = user.Subject
auditReqContext.Tenant = user.Tenant
}

err = a.Index(auditReqContext)
if err != nil {
return nil, err
}

auditReqContext.prepareForNextPhase()
resp, err = handler(childCtx, req)

auditReqContext.Phase = EntryPhaseResponse
auditReqContext.Body = resp
auditReqContext.StatusCode = statusCodeFromGrpc(err)

if err != nil {
auditReqContext.Error = err
err2 := a.Index(auditReqContext)
Expand All @@ -70,6 +77,7 @@ func UnaryServerInterceptor(a Auditing, logger *zap.SugaredLogger, shouldAudit f
}
return nil, err
}

err = a.Index(auditReqContext)
return resp, err
}
Expand Down Expand Up @@ -106,15 +114,19 @@ func StreamServerInterceptor(a Auditing, logger *zap.SugaredLogger, shouldAudit

user := security.GetUserFromContext(ss.Context())
if user != nil {
auditReqContext.User = user.EMail
auditReqContext.User = user.Subject
auditReqContext.Tenant = user.Tenant
}

err := a.Index(auditReqContext)
if err != nil {
return err
}

auditReqContext.prepareForNextPhase()
err = handler(srv, childSS)
auditReqContext.StatusCode = statusCodeFromGrpc(err)

if err != nil {
auditReqContext.Error = err
err2 := a.Index(auditReqContext)
Expand All @@ -123,8 +135,10 @@ func StreamServerInterceptor(a Auditing, logger *zap.SugaredLogger, shouldAudit
}
return err
}

auditReqContext.Phase = EntryPhaseClosed
err = a.Index(auditReqContext)

return err
}
}
Expand Down Expand Up @@ -157,22 +171,29 @@ func (a auditingConnectInterceptor) WrapStreamingClient(next connect.StreamingCl
Phase: EntryPhaseOpened,
Type: EntryTypeGRPC,
}

user := security.GetUserFromContext(ctx)
if user != nil {
auditReqContext.User = user.EMail
auditReqContext.User = user.Subject
auditReqContext.Tenant = user.Tenant
}

err := a.auditing.Index(auditReqContext)
if err != nil {
a.logger.Errorf("unable to index error: %v", err)
}

auditReqContext.prepareForNextPhase()
scc := next(childCtx, s)

auditReqContext.Phase = EntryPhaseClosed
auditReqContext.StatusCode = statusCodeFromGrpc(err)

err = a.auditing.Index(auditReqContext)
if err != nil {
a.logger.Errorf("unable to index error: %v", err)
}

return scc
}
}
Expand All @@ -193,23 +214,34 @@ func (a auditingConnectInterceptor) WrapStreamingHandler(next connect.StreamingH
childCtx := context.WithValue(ctx, rest.RequestIDKey, requestID)

auditReqContext := Entry{
RequestId: requestID,
Detail: EntryDetailGRPCStream,
Path: shc.Spec().Procedure,
Phase: EntryPhaseOpened,
Type: EntryTypeGRPC,
RequestId: requestID,
Detail: EntryDetailGRPCStream,
Path: shc.Spec().Procedure,
Phase: EntryPhaseOpened,
Type: EntryTypeGRPC,
RemoteAddr: shc.RequestHeader().Get("X-Real-Ip"),
ForwardedFor: shc.RequestHeader().Get("X-Forwarded-For"),
}

if auditReqContext.RemoteAddr == "" {
auditReqContext.RemoteAddr = shc.Peer().Addr
}

user := security.GetUserFromContext(ctx)
if user != nil {
auditReqContext.User = user.EMail
auditReqContext.User = user.Subject
auditReqContext.Tenant = user.Tenant
}

err := a.auditing.Index(auditReqContext)
if err != nil {
a.logger.Errorf("unable to index error: %v", err)
}

auditReqContext.prepareForNextPhase()
err = next(childCtx, shc)
auditReqContext.StatusCode = statusCodeFromGrpc(err)

if err != nil {
auditReqContext.Error = err
err2 := a.auditing.Index(auditReqContext)
Expand All @@ -218,11 +250,13 @@ func (a auditingConnectInterceptor) WrapStreamingHandler(next connect.StreamingH
}
return err
}

auditReqContext.Phase = EntryPhaseClosed
err = a.auditing.Index(auditReqContext)
if err != nil {
a.logger.Errorf("unable to index error: %v", err)
}

return err
}
}
Expand All @@ -243,17 +277,23 @@ func (i auditingConnectInterceptor) WrapUnary(next connect.UnaryFunc) connect.Un
childCtx := context.WithValue(ctx, rest.RequestIDKey, requestID)

auditReqContext := Entry{
RequestId: requestID,
Detail: EntryDetailGRPCUnary,
Path: ar.Spec().Procedure,
Phase: EntryPhaseRequest,
Type: EntryTypeGRPC,
Body: ar.Any(),
RemoteAddr: ar.Peer().Addr,
RequestId: requestID,
Detail: EntryDetailGRPCUnary,
Path: ar.Spec().Procedure,
Phase: EntryPhaseRequest,
Type: EntryTypeGRPC,
Body: ar.Any(),
RemoteAddr: ar.Header().Get("X-Real-Ip"),
ForwardedFor: ar.Header().Get("X-Forwarded-For"),
}

if auditReqContext.RemoteAddr == "" {
auditReqContext.RemoteAddr = ar.Peer().Addr
}

user := security.GetUserFromContext(ctx)
if user != nil {
auditReqContext.User = user.EMail
auditReqContext.User = user.Subject
auditReqContext.Tenant = user.Tenant
}
err := i.auditing.Index(auditReqContext)
Expand All @@ -262,9 +302,13 @@ func (i auditingConnectInterceptor) WrapUnary(next connect.UnaryFunc) connect.Un
}

auditReqContext.prepareForNextPhase()

resp, err := next(childCtx, ar)

auditReqContext.Phase = EntryPhaseResponse
auditReqContext.Body = resp
auditReqContext.StatusCode = statusCodeFromGrpc(err)

if err != nil {
auditReqContext.Error = err
err2 := i.auditing.Index(auditReqContext)
Expand All @@ -273,6 +317,7 @@ func (i auditingConnectInterceptor) WrapUnary(next connect.UnaryFunc) connect.Un
}
return nil, err
}

err = i.auditing.Index(auditReqContext)
return resp, err
}
Expand Down Expand Up @@ -432,3 +477,50 @@ type grpcServerStreamWithContext struct {
func (s grpcServerStreamWithContext) Context() context.Context {
return s.ctx
}

// statusCodeFromGrpc attempts to map some grpc status errors to its http equivalents
func statusCodeFromGrpc(err error) int {
majst01 marked this conversation as resolved.
Show resolved Hide resolved
s, ok := status.FromError(err)
if !ok {
return http.StatusInternalServerError
}

switch s.Code() {
case codes.OK:
return http.StatusOK
case codes.Canceled:
return 499 // client connection closed
case codes.Unknown:
return http.StatusInternalServerError
case codes.InvalidArgument:
return http.StatusBadRequest
case codes.DeadlineExceeded:
return http.StatusGatewayTimeout
case codes.NotFound:
return http.StatusNotFound
case codes.AlreadyExists:
return http.StatusConflict
case codes.PermissionDenied:
return http.StatusForbidden
case codes.Unauthenticated:
return http.StatusUnauthorized
case codes.ResourceExhausted:
return http.StatusTooManyRequests
case codes.FailedPrecondition:
return http.StatusBadRequest
case codes.Aborted:
return http.StatusConflict
case codes.OutOfRange:
return http.StatusBadRequest
case codes.Unimplemented:
return http.StatusNotImplemented
case codes.Internal:
return http.StatusInternalServerError
case codes.Unavailable:
return http.StatusServiceUnavailable
case codes.DataLoss:
return http.StatusInternalServerError
default:
return http.StatusInternalServerError
}
}