From e3d3ab0214eaeab89723595296b175e0d113c945 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:02:29 +0200 Subject: [PATCH 01/34] add user name to access log --- lib/constants.js | 3 ++- lib/middleware/proxy.js | 1 + lib/services/keystoneAuth.js | 7 +++++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/constants.js b/lib/constants.js index 83f71072..d955013b 100644 --- a/lib/constants.js +++ b/lib/constants.js @@ -32,7 +32,8 @@ var constants = { X_REAL_IP_HEADER: 'x-real-ip', CORRELATOR_HEADER: 'fiware-correlator', - GET_ROLES_PATH: '/user' + GET_ROLES_PATH: '/user', + NA: 'N/A' }; diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 86878da7..a2f0dd22 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -201,6 +201,7 @@ function accountInfo(req, res, next) { ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + ' | UserId=' + req.userId + + ' | UserName=' + req.userName + ' | ServiceId=' + req.serviceId + ' | Service=' + req.service + ' | SubServiceId=' + req.subserviceId + diff --git a/lib/services/keystoneAuth.js b/lib/services/keystoneAuth.js index a695d677..4ffacee0 100644 --- a/lib/services/keystoneAuth.js +++ b/lib/services/keystoneAuth.js @@ -191,6 +191,7 @@ function retrieveUser(req, callback) { req.serviceId = cachedValue.serviceId; req.domainName = cachedValue.domainName; req.userId = cachedValue.userId; + req.userName = cachedValue.userName; logger.debug('User value processed with value: %j', cachedValue); @@ -245,7 +246,8 @@ function retrieveUser(req, callback) { cachedValue = { domainName: body.token.project.domain.name, serviceId: body.token.project.domain.id, - userId: body.token['OS-TRUST:trust'].trustor_user.id + userId: body.token['OS-TRUST:trust'].trustor_user.id, + userName: constants.NA }; innerCb(null, cachedValue); 
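Review bot: `req.userName` is concatenated unquoted into the `|`/`=`-delimited audit line in accountInfo, and Keystone user names are free-form strings that, as far as I know, may contain ` | ` and `=`, so a name such as `bob | UserId=admin` forges a trailing field for whatever later parses this file. The winston JSON wrapper escapes newlines but not the field separator, so the record stays syntactically valid while saying the wrong thing. Quoting the value removes the ambiguity: `' | UserName=' + JSON.stringify(req.userName) +`; `Service`/`SubService` on the context lines have the same exposure but predate this change. accountInfo starts before this hunk.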
@@ -256,7 +258,8 @@ function retrieveUser(req, callback) { cachedValue = { domainName: body.token.user.domain.name, serviceId: body.token.user.domain.id, - userId: body.token.user.id + userId: body.token.user.id, + userName: body.token.user.name }; req.userData = cachedValue; From 632cfb9cff6f7df5ef7f8c11424f102c88608c80 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:12:31 +0200 Subject: [PATCH 02/34] fix userName when token is from Trust --- lib/services/keystoneAuth.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/services/keystoneAuth.js b/lib/services/keystoneAuth.js index 4ffacee0..a47aa6bd 100644 --- a/lib/services/keystoneAuth.js +++ b/lib/services/keystoneAuth.js @@ -249,7 +249,9 @@ function retrieveUser(req, callback) { userId: body.token['OS-TRUST:trust'].trustor_user.id, userName: constants.NA }; - + if (body.token.user) { + cachedValue['userName'] = body.token.user.name; + } innerCb(null, cachedValue); } else if (body.token && body.token.user && body.token.user.domain && From 9b5d7502b2a5a9d7a52d56336f0ef4036f8ccb57 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:16:14 +0200 Subject: [PATCH 03/34] fix linter --- lib/services/keystoneAuth.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/services/keystoneAuth.js b/lib/services/keystoneAuth.js index a47aa6bd..f95f813d 100644 --- a/lib/services/keystoneAuth.js +++ b/lib/services/keystoneAuth.js @@ -250,7 +250,7 @@ function retrieveUser(req, callback) { userName: constants.NA }; if (body.token.user) { - cachedValue['userName'] = body.token.user.name; + cachedValue.userName = body.token.user.name; } innerCb(null, cachedValue); From 5f12d00925da38a046a143c0a29ba757891f45b3 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:23:14 +0200 Subject: [PATCH 04/34] add userName to account InfoError --- lib/fiware-pep-steelskin.js | 3 +++ 1 file changed, 3 insertions(+) 
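Review bot: In the trust branch this hunk fills `userName` from `body.token.user.name`, while `userId` on the context line above remains `body.token['OS-TRUST:trust'].trustor_user.id`; if I read Keystone v3 trust tokens correctly, `token.user` there is the trustee who redeemed the trust, so the access log will pair the trustor's id with the trustee's name and anyone reading `UserId`/`UserName` as one principal is misled. Either keep `userName: constants.NA` for trust tokens, or record the second principal explicitly, e.g. `cachedValue.trusteeName = body.token.user.name;` together with a `TrusteeName=` field in the audit line. retrieveUser continues outside the hunk.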
diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index 6be28ed3..3b1946fa 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -79,7 +79,10 @@ function accountInfoError(error, req, res, next) { ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + ' | UserId=' + req.userId + + ' | ServiceId=' + req.serviceId + + ' | UserName=' + req.userName + ' | Service=' + req.service + + ' | SubServiceId=' + req.subserviceId + ' | SubService=' + req.subService + ' | Action=' + req.action + ' | Date=' + new Date().toJSON()); From 72a9d5d11dc6d126d9ef5236e13aa7b361d61de2 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:53:14 +0200 Subject: [PATCH 05/34] add path and body to account log --- lib/fiware-pep-steelskin.js | 2 ++ lib/middleware/proxy.js | 2 ++ 2 files changed, 4 insertions(+) diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index 3b1946fa..2de643c9 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -85,6 +85,8 @@ function accountInfoError(error, req, res, next) { ' | SubServiceId=' + req.subserviceId + ' | SubService=' + req.subService + ' | Action=' + req.action + + ' | Path=' + req.path + + ' | Body=' + JSON.stringify(req.body) + ' | Date=' + new Date().toJSON()); next(error); } diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index a2f0dd22..0dd80148 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -207,6 +207,8 @@ function accountInfo(req, res, next) { ' | SubServiceId=' + req.subserviceId + ' | SubService=' + req.subService + ' | Action=' + req.action + + ' | Path=' + req.path + + ' | Body=' + JSON.stringify(req.body).slice(0, 100) + ' | Date=' + new Date().toJSON()); }); } From efbb8f795a1771939e2f2e743b8a1be2851b14c9 Mon Sep 17 00:00:00 2001 
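Review bot: The `Body=` field in accountInfoError writes `JSON.stringify(req.body)` with no size cap, while its success-path twin added in the same patch truncates to 100 characters; the wrong-attempt path is the one an unauthenticated client can drive at will, so every rejected request can push a body as large as body-parser accepts (limit not visible here) into the audit file, and any credentials a client posts through the PEP are stored verbatim next to the raw `x-auth-token` the line already records. Apply the same cap, `' | Body=' + JSON.stringify(req.body).slice(0, 100) +`, ideally through one shared constant, and have the README state that the account file holds bearer tokens and needs the permissions of a credential store. accountInfoError starts before this hunk.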
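Review bot: `JSON.stringify(req.body).slice(0, 100)` throws a TypeError whenever `req.body` is undefined, because `JSON.stringify(undefined)` returns `undefined` rather than a string; this runs inside the forwarded request's `'response'` listener, where Express does not catch exceptions, so unless the process installs an `uncaughtException` handler a single route that reaches accountInfo without body-parser having populated `req.body` (middleware order is not visible here) takes the PEP down. Guard it: `' | Body=' + (JSON.stringify(req.body) || '').slice(0, 100) +`. accountInfo starts before this hunk.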
From: Alvaro Vega Date: Mon, 7 Oct 2024 11:50:28 +0200 Subject: [PATCH 06/34] add check access match
--- configAccessMatch.js | 29 +++++++++++++++++++++++++++++ lib/fiware-pep-steelskin.js | 1 + lib/middleware/proxy.js | 32 +++++++++++++++++++++++++++++++- 3 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 configAccessMatch.js
diff --git a/configAccessMatch.js b/configAccessMatch.js new file mode 100644
index 00000000..51c23394
--- /dev/null
+++ b/configAccessMatch.js
@@ -0,0 +1,29 @@
+'use strict';
+
+/**
+ * List of access match
+ */
+var configAccessMatch = {};
+
+// Activity related with a list of users
+configAccessMatch.users = [
+ 'cloud_admin', 'pep',
+];
+
+// Activity related with request which the following headers
+configAccessMatch.headers = [
+ { "Fiware-service": "smartcity" },
+];
+
+// Activity related with request including the following subpaths
+configAccessMatch.subpath = [
+ '/v1',
+];
+
+// Activity related with request including the following strings in body
+configAccessMatch.body = [
+ 'legacy'
+];
+
+
+exports.configAccessMatch = configAccessMatch;
diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js
index 2de643c9..b425b817 100644
--- a/lib/fiware-pep-steelskin.js
+++ b/lib/fiware-pep-steelskin.js
@@ -123,6 +123,7 @@ function setAccessLogger() { }) ] });
+ proxyMiddleware.watchConfigAccessMatchFile();
 } /**
diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js
index 0dd80148..2bb79248 100644
--- a/lib/middleware/proxy.js
+++ b/lib/middleware/proxy.js
@@ -36,8 +36,30 @@ var config = require('../../config'), 'x-auth-token' ], winston = require('winston'), + logger = require('logops'), + configAccessMatch = require('../../configAccessMatch.js').configAccessMatch, accessLogger; +const fs = require('fs'); +const configAccessMatchFilePath = './configAccessMatch.js'; + +function requireUncached(module) { + delete require.cache[require.resolve(module)]; + return require(module); +} + +function watchConfigAccessMatchFile() { + fs.watch(configAccessMatchFilePath, (event, filename) => { + logger.info('watchConfigAccessMatchFile changed by %s detected in file %s', event, filename); + try { + configAccessMatch = requireUncached('../../configAccessMatch.js').configAccessMatch; + logger.debug('reloaded configAccessMatch %j', configAccessMatch); + } catch (err) { + logger.error('Error %s reloading module: %s ', err, filename); + } + }); +} + /** * Middleware to extract the organization data from the request. * @@ -196,7 +218,14 @@ function accountInfo(req, res, next) { }); } req.fwdResponse = req.fwdResponse.on('response', function(res) { - accessLogger.info('Right Attempt' + + var accessMsg = "Right Attempt"; + + // CHeck here MATCH file patterns: + if (req.userName in configAccessMatch.users ) { + accessMsg += ' MATCHED USER'; + } + + accessLogger.info(accessMsg + ' | ResponseStatus=' + req.fwdResponse.response.statusCode + ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + @@ -260,3 +289,4 @@ exports.sendResponse = sendResponse; exports.accountInfo = accountInfo; exports.checkMandatoryHeaders = checkMandatoryHeaders(validationHeaders); exports.checkAuthorizationHeader = checkMandatoryHeaders(authorizationHeaders); +exports.watchConfigAccessMatchFile = watchConfigAccessMatchFile; From 103ce8baff4a5829e8e2eb3b9fcbe31eea6fb6a4 Mon Sep 17 00:00:00 2001 
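Review bot: `configAccessMatchFilePath` is `'./configAccessMatch.js'`, resolved against the process CWD, while the reload uses `require('../../configAccessMatch.js')`, resolved against lib/middleware; the two name the same file only when the PEP is started from the repository root, and when the CWD copy is absent `fs.watch` throws ENOENT synchronously and takes `setAccessLogger` down with it. Derive both from the module, `const configAccessMatchFilePath = path.join(__dirname, '..', '..', 'configAccessMatch.js');` (needs `require('path')`), and hand that one path to both `fs.watch` and `requireUncached`. More important for a policy enforcement point: the reload re-executes the file as JavaScript, so anyone who can write it gets code execution inside the PEP with no restart, which the README should call out (root-owned, not writable by the service account) or which can be avoided by keeping the patterns in JSON read with `fs.readFile` and `JSON.parse`. `fs.watch` also commonly fires twice per save and stops following a file after an editor's rename-on-save, which the try/catch does not cover; `fs.watchFile` on the resolved path is more robust for a single config file.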
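Review bot: `req.userName in configAccessMatch.users` tests array indices and properties, not values, so `'pep' in ['cloud_admin', 'pep']` is false and the user match only fires for a user literally named `0`, `1` or `length`. Replace it with `if (configAccessMatch.users.includes(req.userName)) {`, which also tolerates `req.userName` being undefined. accountInfo starts before this hunk.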
From: Alvaro Vega Date: Mon, 7 Oct 2024 11:56:27 +0200 Subject: [PATCH 07/34] fix linter --- lib/middleware/proxy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 2bb79248..65f3d854 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -218,7 +218,7 @@ function accountInfo(req, res, next) { }); } req.fwdResponse = req.fwdResponse.on('response', function(res) { - var accessMsg = "Right Attempt"; + var accessMsg = 'Right Attempt'; // CHeck here MATCH file patterns: if (req.userName in configAccessMatch.users ) { From 80f368b23df4cdb516a4ee015858b659926c4784 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Mon, 7 Oct 2024 14:40:41 +0200 Subject: [PATCH 08/34] add checks about body, subpaths and headers --- configAccessMatch.js | 5 +++-- lib/middleware/proxy.js | 29 +++++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/configAccessMatch.js b/configAccessMatch.js index 51c23394..ee77c92d 100644 --- a/configAccessMatch.js +++ b/configAccessMatch.js @@ -12,11 +12,12 @@ configAccessMatch.users = [ // Activity related with request which the following headers configAccessMatch.headers = [ - { "Fiware-service": "smartcity" }, + { "fiware-service": "smartcity" }, + { "x-real-ip": "127.0.0.1" } ]; // Activity related with request including the following subpaths -configAccessMatch.subpath = [ +configAccessMatch.subpaths = [ '/v1', ]; diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 65f3d854..0786c7fc 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
@@ -222,7 +222,32 @@ function accountInfo(req, res, next) { // CHeck here MATCH file patterns: if (req.userName in configAccessMatch.users ) { - accessMsg += ' MATCHED USER'; + accessMsg += ' MATCHED USER'; + } + for (var header of configAccessMatch.headers) { + if ('fiware-service' in Object.keys(header)) { + if (req.service.includes(header['fiware-service'])) { + accessMsg += ' MATCHED HEADER Service'; + } + } else if ('fiware-servicepath' in Object.keys(header)) { + if (req.subService.includes(header['fiware-servicepath'])) { + accessMsg += ' MATCHED HEADER SubService'; + } + } else if ('x-real-ip' in Object.keys(header)) { + if (req.connection.remoteAddress.includes(header['x-real-ip'])) { + accessMsg += ' MATCHED HEADER Origin'; + } + } + } + for (var subpath of configAccessMatch.subpaths) { + if (req.path.includes(subpath)) { + accessMsg += ' MATCHED SUBPATH ' + subpath; + } + } + for (var text of configAccessMatch.body) { + if (JSON.stringify(req.body).includes(text)) { + accessMsg += ' MATCHED BODY ' + text; + } } accessLogger.info(accessMsg + @@ -237,7 +262,7 @@ function accountInfo(req, res, next) { ' | SubService=' + req.subService + ' | Action=' + req.action + ' | Path=' + req.path + - ' | Body=' + JSON.stringify(req.body).slice(0, 100) + + ' | Body=' + JSON.stringify(req.body).slice(0, 100) + // not all body ' | Date=' + new Date().toJSON()); }); } From 2ea4f8398bc2145e88d8df3f79897980138e5b16 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Mon, 7 Oct 2024 15:39:36 +0200 Subject: [PATCH 09/34] add match value --- lib/middleware/proxy.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 0786c7fc..4158d90b 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
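Review bot: Every header comparison in this hunk is a substring test, so the example entry `{ "x-real-ip": "127.0.0.1" }` also tags 127.0.0.10 and 127.0.0.100, and `smartcity` tags `smartcity-test`; for a marker operators will filter on, exact comparison is what they expect, e.g. `if (req.service === header['fiware-service'])`, with the IPv6-mapped form `::ffff:127.0.0.1` handled explicitly if that is why `includes` was chosen. The `x-real-ip` entry is actually compared with the socket address `req.connection.remoteAddress`, not with the `x-real-ip` header the PEP already names in constants.js, so behind a reverse proxy it will only ever see the proxy's address; either rename the key to something like `origin` or read `req.headers['x-real-ip']`. The `'fiware-service' in Object.keys(header)` index test is corrected by the following patch, so I will not repeat it. accountInfo starts before this hunk.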
@@ -222,20 +222,20 @@ function accountInfo(req, res, next) { // CHeck here MATCH file patterns: if (req.userName in configAccessMatch.users ) { - accessMsg += ' MATCHED USER'; + accessMsg += ' MATCHED USER ' + req.userName; } for (var header of configAccessMatch.headers) { - if ('fiware-service' in Object.keys(header)) { + if (Object.keys(header).includes('fiware-service')) { if (req.service.includes(header['fiware-service'])) { - accessMsg += ' MATCHED HEADER Service'; + accessMsg += ' MATCHED HEADER Service ' + header['fiware-service']; } - } else if ('fiware-servicepath' in Object.keys(header)) { + } else if (Object.keys(header).includes('fiware-servicepath')) { if (req.subService.includes(header['fiware-servicepath'])) { - accessMsg += ' MATCHED HEADER SubService'; + accessMsg += ' MATCHED HEADER SubService ' + header['fiware-servicepath']; } - } else if ('x-real-ip' in Object.keys(header)) { + } else if (Object.keys(header).includes('x-real-ip')) { if (req.connection.remoteAddress.includes(header['x-real-ip'])) { - accessMsg += ' MATCHED HEADER Origin'; + accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; } } } From e893ca73f0f172e2e8127cd7b27777709a7b7869 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 11:32:34 +0200 Subject: [PATCH 10/34] add found matches to wrong access also --- lib/fiware-pep-steelskin.js | 4 +- lib/middleware/proxy.js | 74 +++++++++++++++++++++---------------- 2 files changed, 46 insertions(+), 32 deletions(-) diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index b425b817..a3e13635 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js 
@@ -74,7 +74,9 @@ function handleError(error, req, res, next) { * @param {Function} next Call to the next error handler in the chain. */ function accountInfoError(error, req, res, next) { - accessLogger.info('Wrong Attempt' + + var accessMsg = 'Wrong Attempt'; + accessMsg = proxyMiddleware.checkAccessMatches(req, accessMsg); + accessLogger.info(accessMsg + ' | Error=' + error.name + ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 4158d90b..f2d11ae0 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
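Review bot: `proxyMiddleware.checkAccessMatches(req, accessMsg)` now runs inside the error-handling middleware before the 'Wrong Attempt' line is written, and as defined in this patch it dereferences `req.service.includes`, `req.subService.includes` and `JSON.stringify(req.body).includes`, which are presumably undefined for exactly the requests this handler exists to record (missing `fiware-service` header, no parsed body); the resulting TypeError leaves `accountInfoError`, the audit line is never written and `next(error)` never runs. A client could therefore keep its own failed attempts out of the account log simply by omitting a header. The audit write must not depend on the matcher: `try { accessMsg = proxyMiddleware.checkAccessMatches(req, accessMsg); } catch (e) { /* report with the module logger, keep going */ }`, in addition to making checkAccessMatches null-safe. accountInfoError continues outside the hunk.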
@@ -197,6 +197,47 @@ function sendRequest(req, res, next) { next(); } + // Check here MATCH file patterns: +/** + * Check here MATCH file patterns + * + * @param {Object} req Incoming request. + * @param {String} accessMsg Incoming accessMsg + * @return {String} String message corresponding with accessMsg and found matches + */ +function checkAccessMatches(req, accessMsg) { + if (req.userName in configAccessMatch.users ) { + accessMsg += ' MATCHED USER ' + req.userName; + } + for (var header of configAccessMatch.headers) { + if (Object.keys(header).includes('fiware-service')) { + if (req.service.includes(header['fiware-service'])) { + accessMsg += ' MATCHED HEADER Service ' + header['fiware-service']; + } + } else if (Object.keys(header).includes('fiware-servicepath')) { + if (req.subService.includes(header['fiware-servicepath'])) { + accessMsg += ' MATCHED HEADER SubService ' + header['fiware-servicepath']; + } + } else if (Object.keys(header).includes('x-real-ip')) { + if (req.connection.remoteAddress.includes(header['x-real-ip'])) { + accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; + } + } + } + for (var subpath of configAccessMatch.subpaths) { + if (req.path.includes(subpath)) { + accessMsg += ' MATCHED SUBPATH ' + subpath; + } + } + for (var text of configAccessMatch.body) { + if (JSON.stringify(req.body).includes(text)) { + accessMsg += ' MATCHED BODY ' + text; + } + } + return accessMsg; +} + + /** * Account Log * read to guess its type. 
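Review bot: checkAccessMatches is exported for use on the error path but dereferences `req.service`, `req.subService`, `req.connection.remoteAddress` and `JSON.stringify(req.body)` without any guard, so the first request that lacks a service header or a parsed body turns an audit annotation into a TypeError; a helper that decorates an audit record should never be able to throw. The user check on the first line still uses `in`, which tests array indices rather than values and therefore never matches a real user name. Normalise the inputs once at the top and switch to `includes`, as below. The function is complete within the hunk.
```javascript
function checkAccessMatches(req, accessMsg) {
    // Runs on the error path too: any of these may be undefined, and this must never throw.
    var service = req.service || '';
    var subService = req.subService || '';
    var origin = (req.connection && req.connection.remoteAddress) || '';
    var bodyText = JSON.stringify(req.body) || '';
    if (configAccessMatch.users.includes(req.userName)) {
        accessMsg += ' MATCHED USER ' + req.userName;
    }
    for (var header of configAccessMatch.headers) {
        if (Object.keys(header).includes('fiware-service')) {
            if (service.includes(header['fiware-service'])) {
                accessMsg += ' MATCHED HEADER Service ' + header['fiware-service'];
            }
        // … unchanged: fiware-servicepath / x-real-ip branches, reading subService and origin instead of req.* …
        }
    }
    // … unchanged: subpath loop …
    for (var text of configAccessMatch.body) {
        if (bodyText.includes(text)) {
            accessMsg += ' MATCHED BODY ' + text;
        }
    }
    return accessMsg;
}
```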
@@ -219,37 +260,7 @@ function accountInfo(req, res, next) { } req.fwdResponse = req.fwdResponse.on('response', function(res) { var accessMsg = 'Right Attempt'; - - // CHeck here MATCH file patterns: - if (req.userName in configAccessMatch.users ) { - accessMsg += ' MATCHED USER ' + req.userName; - } - for (var header of configAccessMatch.headers) { - if (Object.keys(header).includes('fiware-service')) { - if (req.service.includes(header['fiware-service'])) { - accessMsg += ' MATCHED HEADER Service ' + header['fiware-service']; - } - } else if (Object.keys(header).includes('fiware-servicepath')) { - if (req.subService.includes(header['fiware-servicepath'])) { - accessMsg += ' MATCHED HEADER SubService ' + header['fiware-servicepath']; - } - } else if (Object.keys(header).includes('x-real-ip')) { - if (req.connection.remoteAddress.includes(header['x-real-ip'])) { - accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; - } - } - } - for (var subpath of configAccessMatch.subpaths) { - if (req.path.includes(subpath)) { - accessMsg += ' MATCHED SUBPATH ' + subpath; - } - } - for (var text of configAccessMatch.body) { - if (JSON.stringify(req.body).includes(text)) { - accessMsg += ' MATCHED BODY ' + text; - } - } - + accessMsg = checkAccessMatches(req, accessMsg); accessLogger.info(accessMsg + ' | ResponseStatus=' + req.fwdResponse.response.statusCode + ' | Token=' + req.headers['x-auth-token'] + @@ -315,3 +326,4 @@ exports.accountInfo = accountInfo; exports.checkMandatoryHeaders = checkMandatoryHeaders(validationHeaders); exports.checkAuthorizationHeader = checkMandatoryHeaders(authorizationHeaders); exports.watchConfigAccessMatchFile = watchConfigAccessMatchFile; +exports.checkAccessMatches = checkAccessMatches; From 70ca4f5f033f97420150128ab80ca7f1667070f5 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 11:40:43 +0200 Subject: [PATCH 11/34] clean javadoc --- lib/middleware/proxy.js | 1 - 1 file changed, 1 deletion(-) 
diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index f2d11ae0..c1899f68 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -197,7 +197,6 @@ function sendRequest(req, res, next) { next(); } - // Check here MATCH file patterns: /** * Check here MATCH file patterns * From 30e566edb4640a53bda017c6ff9e401e4edd1ac4 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 11:59:48 +0200 Subject: [PATCH 12/34] update doc --- README.md | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a0c460e0..3bbf5b62 100644 --- a/README.md +++ b/README.md 
@@ -449,13 +449,56 @@ Accounting access log include daba about: * Token * Origin * UserId +* UserName * ServiceId +* Service * SubServiceId +* SubService * Action +* Path +* Body * Date Example of access log: ``` -Right Attempt | ResponseStatus=200 | Token=860864fb6d1a4c8a8cb7d59d16daaa52 | Origin=192.168.1.125 | UserId=62c63ada8694451fb67a341346172499 | ServiceId=a9b38dd2a97e4944b2daebdb74ed60ff | Service=smartgondor | SubServiceId=/ | SubService=/ | Action=read | Date=2017-09-21T12:46:57.844Z +{"level":"info","message":"Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +``` + +Additionally a file configAccessMatch could be provided to pep to check matches about some elements involved in current access, regardless is right or not right access. For example: +* List for users involved +* List of headers and values ++ List of subpaths in URL request +* List of strings in body + +``` +// Activity related with a list of users +configAccessMatch.users = [ + 'cracker1', 'cracker2', +]; + +// Activity related with request which the following headers +configAccessMatch.headers = [ + { "fiware-service": "smartcity" }, + { "x-real-ip": "127.0.0.1" } +]; + +// Activity related with request including the following subpaths +configAccessMatch.subpaths = [ + '/v1', +]; + +// Activity related with request including the following strings in body +configAccessMatch.body = [ + 'legacy', +]; +``` + +When any of theses patterns maches in current access message access is added with `MATCHED ` . 
For example: + +``` +{"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +``` + + ``` * `config.componentName`: name of the component that will be used to compose the FRN that will identify the resource to be accessed. E.g.: `orion`. * `config.resourceNamePrefix`: string prefix that will be used to compose the FRN that will identify the resource to be accessed. E.g.: `fiware:`. From 041d9fc626b1b3f4fd8226ed727718ca08fa2fbf Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 13:04:25 +0200 Subject: [PATCH 13/34] update CNR --- CHANGES_NEXT_RELEASE | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE index f1486f6c..51d5c0c0 100644 --- a/CHANGES_NEXT_RELEASE +++ b/CHANGES_NEXT_RELEASE @@ -1,2 +1,4 @@ +- Add User Name, path request URL and request body to AccessLogger (#541) +- Add Access Logger Patterns to match to Access Logger (#541) - Upgrade body-parser dep from 1.20.0 to 1.20.3 - Upgrade express from 4.19.2 to 4.20.0 From e491a132b68e92adebe65583c089216eb4449185 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 13:30:42 +0200 Subject: [PATCH 14/34] =?UTF-8?q?add=20messages=20match=C2=B7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3bbf5b62..536c5260 100644 --- a/README.md +++ b/README.md 
@@ -492,7 +492,7 @@ configAccessMatch.body = [ ]; ``` -When any of theses patterns maches in current access message access is added with `MATCHED ` . For example: +When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, HEADER Origin, SUBPATH, BODY and `` the value which matches. For example: ``` {"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} From 20e2610ca4a782d7fe961cf7bb8024bfd4fe9223 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 14:44:42 +0200 Subject: [PATCH 15/34] update doc --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 536c5260..2a6972ef 100644 --- a/README.md +++ b/README.md @@ -466,9 +466,11 @@ Example of access log: Additionally a file configAccessMatch could be provided to pep to check matches about some elements involved in current access, regardless is right or not right access. For example: * List for users involved * List of headers and values -+ List of subpaths in URL request +* List of subpaths in URL request * List of strings in body +This is an example of file `configAccessMatch.js`: + ``` // Activity related with a list of users configAccessMatch.users = [ 
@@ -492,7 +494,7 @@ configAccessMatch.body = [ ]; ``` -When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, HEADER Origin, SUBPATH, BODY and `` the value which matches. For example: +When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, `HEADER Origin`, `SUBPATH`, `BODY` and `` the value which matches. For example: ``` {"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} From c939833ffab96ecb764af065d55653635bedb8ad Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 16:03:00 +0200 Subject: [PATCH 16/34] update example users --- configAccessMatch.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configAccessMatch.js b/configAccessMatch.js index ee77c92d..04fb5a56 100644 --- a/configAccessMatch.js +++ b/configAccessMatch.js @@ -7,7 +7,7 @@ var configAccessMatch = {}; // Activity related with a list of users configAccessMatch.users = [ - 'cloud_admin', 'pep', + 'user1', 'user2', ]; // Activity related with request which the following headers From b78220e8be9e7b9f68297ab11b0137d3c12fbc27 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Tue, 8 Oct 2024 17:14:34 +0200 Subject: [PATCH 17/34] update doc --- README.md | 8 ++++---- operations.md | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/README.md b/README.md index 2a6972ef..7ff908a4 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ * [Development documentation](#development) ## Overview -The Orion Policy Enforcement Point (PEP) is a proxy meant to secure independent FiWare components, by intercepting every request sent to the component, validating it against the Access Control component. This validation is based in several pieces of data: +The Policy Enforcement Point (PEP) is a proxy meant to secure independent FiWare components, by intercepting every request sent to the component, validating it against the Access Control component. This validation is based in several pieces of data: * User token: comes from the OAuth authorization server and is taken from the `x-auth-token` header. * ServiceId: is read from the `fiware-service` header and identifies the protected component. @@ -442,9 +442,9 @@ In order to have the proxy running, there are several basic pieces of informatio accountFile: '/tmp/pepAccount.log' } ``` -Accounting log is only activated when account flag is true, and the logs are produced in a fixed INFO level for accountLogger, redardless of the pep log level. -Note that accunting log is not rotate, so you should make sure you configure your own rotation system. -Accounting access log include daba about: +Accounting log is only activated when account flag is true, and the logs are produced in a fixed INFO level for accessLogger, redardless of the pep log level. +Note that accounting log is not rotated, so you should make sure you configure your own rotation system. +Accounting access log include data about: * Attempt was right or not * Token * Origin diff --git a/operations.md b/operations.md index 3e3b9252..b119e7d7 100644 --- a/operations.md +++ b/operations.md 
@@ -26,6 +26,8 @@ curl -X GET "http://localhost:11211/admin/log" Every error message is identified with a prefix code in brackets. The code convention can be found in Apendix A. +There is another log about accounting access which is produced when access.account flag is enabled and is done over access.accountFile file. This accounting access logs run always in the a fixed `info` level and logs right and wrong access attempts, providing for each one user, service, subservice, path, date and other relevant info about access. Additionallys some patterns could be configured in order to mark some of these access. + ## Cache management PEP keeps a memory cache with some access about roles, domains, users and subservices. Related with this info is possible From b6d412a9bac2bb282a934a5acf81dd440e6f2dee Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Wed, 9 Oct 2024 11:31:15 +0200 Subject: [PATCH 18/34] add subqueries --- README.md | 8 +++++++- configAccessMatch.js | 5 +++++ lib/middleware/proxy.js | 9 +++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7ff908a4..e7bd5146 100644 --- a/README.md +++ b/README.md @@ -467,6 +467,7 @@ Additionally a file configAccessMatch could be provided to pep to check matches * List for users involved * List of headers and values * List of subpaths in URL request +* List of subqueries in query request * List of strings in body This is an example of file `configAccessMatch.js`: 
@@ -488,13 +489,18 @@ configAccessMatch.subpaths = [ '/v1', ]; +// Activity related with request including the following subqueries +configAccessMatch.subqueries = [ + 'flowControl', 'options', +]; + // Activity related with request including the following strings in body configAccessMatch.body = [ 'legacy', ]; ``` -When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, `HEADER Origin`, `SUBPATH`, `BODY` and `` the value which matches. For example: +When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, `HEADER Origin`, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: ``` {"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} diff --git a/configAccessMatch.js b/configAccessMatch.js index 04fb5a56..2b06f669 100644 --- a/configAccessMatch.js +++ b/configAccessMatch.js @@ -21,6 +21,11 @@ configAccessMatch.subpaths = [ '/v1', ]; +// Activity related with request including the following subqueries +configAccessMatch.subqueries = [ + 'flowControl', 'options', +]; + // Activity related with request including the following strings in body configAccessMatch.body = [ 'legacy' diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index c1899f68..63c0a19c 100644 --- a/lib/middleware/proxy.js 
+++ b/lib/middleware/proxy.js @@ -221,6 +221,10 @@ function checkAccessMatches(req, accessMsg) { if (req.connection.remoteAddress.includes(header['x-real-ip'])) { accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; } + // } else if (Object.keys(header).includes('x-forwarded-for')) { + // if (req.headers.includes(header['x-forwarded-for'])) { + // accessMsg += ' MATCHED HEADER x-forwarded-for ' + header['x-forwarded-for']; + // } } } for (var subpath of configAccessMatch.subpaths) { @@ -228,6 +232,11 @@ function checkAccessMatches(req, accessMsg) { accessMsg += ' MATCHED SUBPATH ' + subpath; } } + for (var subquery of configAccessMatch.subqueries) { + if (JSON.stringify(req.query).includes(subquery)) { + accessMsg += ' MATCHED SUBQUERY ' + subquery; + } + } for (var text of configAccessMatch.body) { if (JSON.stringify(req.body).includes(text)) { accessMsg += ' MATCHED BODY ' + text; From e762d494204937a6e70079a6f0849a42b44b4c0a Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Wed, 9 Oct 2024 11:53:15 +0200 Subject: [PATCH 19/34] Log query in accessLogger --- lib/fiware-pep-steelskin.js | 1 + lib/middleware/proxy.js | 1 + 2 files changed, 2 insertions(+) diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index a3e13635..d1d501e6 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -88,6 +88,7 @@ function accountInfoError(error, req, res, next) { ' | SubService=' + req.subService + ' | Action=' + req.action + ' | Path=' + req.path + + ' | Query=' + JSON.stringify(req.query) + ' | Body=' + JSON.stringify(req.body) + ' | Date=' + new Date().toJSON()); next(error); diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 63c0a19c..a88465f8 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
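Review bot: The commented-out `x-forwarded-for` branch should not be merged: `req.headers.includes(...)` is not a function on the headers object, so this was never a working draft, and dead code inside an audit routine invites someone to uncomment it as-is. If that header is wanted, compare `req.headers['x-forwarded-for']` explicitly and remember it is client-supplied unless the fronting proxy overwrites it, so it may tag the line but must never be trusted as the origin. checkAccessMatches starts before this hunk.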
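Review bot: Matching `subquery` against `JSON.stringify(req.query)` tags any key or value that merely contains the substring, so the example `'options'` also fires on `?q=optionsX` or on a value `"my-options"`, and the quotes and braces of the serialisation are matchable text as well. If the intent is "this query parameter is present", which the names `flowControl` and `options` suggest, test the keys the way the file already does for headers: `if (Object.keys(req.query).includes(subquery)) {`. checkAccessMatches continues outside the hunk.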
@@ -281,6 +281,7 @@ function accountInfo(req, res, next) { ' | SubService=' + req.subService + ' | Action=' + req.action + ' | Path=' + req.path + + ' | Query=' + JSON.stringify(req.query) + ' | Body=' + JSON.stringify(req.body).slice(0, 100) + // not all body ' | Date=' + new Date().toJSON()); }); From 2f78d1de95551b37d4213e247f7160cdc67e9c20 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Wed, 9 Oct 2024 12:06:18 +0200 Subject: [PATCH 20/34] update account log examples --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e7bd5146..960fa946 100644 --- a/README.md +++ b/README.md 
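Review bot: The new `Query=` field in accountInfo is written in full while the `Body=` field on the next line is cut to 100 characters, so one long query string can produce an account-log line far larger than the body limit was meant to allow; `' | Query=' + JSON.stringify(req.query).slice(0, 100) +` would keep the two fields consistent. The accountInfoError hunk in lib/fiware-pep-steelskin.js in this same patch adds the same unbounded field. Query parameters are also a common place for callers to put sensitive values, so the truncation doubles as a bound on what ends up in the file. accountInfo begins outside this hunk.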
@@ -460,7 +460,7 @@ Accounting access log include data about: * Date Example of access log: ``` -{"level":"info","message":"Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +{"level":"info","message":"Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} ``` Additionally a file configAccessMatch could be provided to pep to check matches about some elements involved in current access, regardless is right or not right access. For example: 
@@ -503,7 +503,7 @@ configAccessMatch.body = [ When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, `HEADER Origin`, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: ``` -{"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +{"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} ``` From 8bdd7b564404b5a1a3f4ed9a7e51f87dcd712eae Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Wed, 9 Oct 2024 16:06:17 +0200 Subject: [PATCH 21/34] add accountMode --- README.md | 5 +++-- bin/pepProxy | 4 ++++ config.js | 6 +++++- lib/middleware/proxy.js | 46 ++++++++++++++++++++++------------------- 4 files changed, 37 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 960fa946..9db0f81d 100644 --- a/README.md +++ b/README.md 
@@ -439,7 +439,8 @@ In order to have the proxy running, there are several basic pieces of informatio port: 7070, path: '/pdp/v3', account: false, - accountFile: '/tmp/pepAccount.log' + accountFile: '/tmp/pepAccount.log', + accountMode: 'all' } ``` Accounting log is only activated when account flag is true, and the logs are produced in a fixed INFO level for accessLogger, redardless of the pep log level. @@ -505,7 +506,7 @@ When any of theses patterns maches in current access message access is added wit ``` {"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} ``` - +Account log has three modes: `all`, `matched`, `wrong`. First one `all` includes right and wrong access regardles if matches or not. Second one `matched` includes all wrong and just rigth matches acess. And `wrong` monde only includes all wrong access, regardless is maches or not with patterns. ``` * `config.componentName`: name of the component that will be used to compose the FRN that will identify the resource to be accessed. E.g.: `orion`. diff --git a/bin/pepProxy b/bin/pepProxy index b74da75f..19068beb 100755 --- a/bin/pepProxy +++ b/bin/pepProxy @@ -48,6 +48,7 @@ function loadConfiguration() { 'ACCESS_PROTOCOL', 'ACCESS_ACCOUNT', 'ACCESS_ACCOUNTFILE', + 'ACCESS_ACCOUNTMODE', 'ADMIN_PORT', 'AUTHENTICATION_HOST', 'AUTHENTICATION_PORT', 
@@ -103,6 +104,9 @@ function loadConfiguration() { if (process.env.ACCESS_ACCOUNTFILE) { config.access.accountFile = process.env.ACCESS_ACCOUNTFILE; } + if (process.env.ACCESS_ACCOUNTMODE) { + config.access.accountMode = process.env.ACCESS_ACCOUNTMODE; + } if (process.env.AUTHENTICATION_HOST) { config.authentication.options.host = process.env.AUTHENTICATION_HOST; } diff --git a/config.js b/config.js index 8c03e488..233446ff 100644 --- a/config.js +++ b/config.js @@ -64,7 +64,11 @@ config.access = { /** * Log Account file */ - accountFile: '/tmp/pepAccount.log' + accountFile: '/tmp/pepAccount.log', + /** + * Account mode: `all`, `matched`, `wrong` + */ + accountMode: 'all' }; // User identity configuration diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index a88465f8..d08dfb00 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -221,10 +221,6 @@ function checkAccessMatches(req, accessMsg) { if (req.connection.remoteAddress.includes(header['x-real-ip'])) { accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; } - // } else if (Object.keys(header).includes('x-forwarded-for')) { - // if (req.headers.includes(header['x-forwarded-for'])) { - // accessMsg += ' MATCHED HEADER x-forwarded-for ' + header['x-forwarded-for']; - // } } } for (var subpath of configAccessMatch.subpaths) { 
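Review bot: `ACCESS_ACCOUNTMODE` is copied into `config.access.accountMode` without checking it against the three documented values, and the gating added to accountInfo in patch 21 logs a right attempt only when the mode is exactly `all` or `matched`, so a typo in the variable silently turns off accounting of successful accesses. Reject unknown values at load time, e.g. `if (!['all', 'matched', 'wrong'].includes(process.env.ACCESS_ACCOUNTMODE)) { throw new Error('invalid ACCESS_ACCOUNTMODE: ' + process.env.ACCESS_ACCOUNTMODE); }` before the assignment, or at least log a warning and keep the config.js default. loadConfiguration begins and ends outside this hunk.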
@@ -267,23 +263,31 @@ function accountInfo(req, res, next) { }); } req.fwdResponse = req.fwdResponse.on('response', function(res) { - var accessMsg = 'Right Attempt'; - accessMsg = checkAccessMatches(req, accessMsg); - accessLogger.info(accessMsg + - ' | ResponseStatus=' + req.fwdResponse.response.statusCode + - ' | Token=' + req.headers['x-auth-token'] + - ' | Origin=' + req.connection.remoteAddress + - ' | UserId=' + req.userId + - ' | UserName=' + req.userName + - ' | ServiceId=' + req.serviceId + - ' | Service=' + req.service + - ' | SubServiceId=' + req.subserviceId + - ' | SubService=' + req.subService + - ' | Action=' + req.action + - ' | Path=' + req.path + - ' | Query=' + JSON.stringify(req.query) + - ' | Body=' + JSON.stringify(req.body).slice(0, 100) + // not all body - ' | Date=' + new Date().toJSON()); + var accessMsgOrig = 'Right Attempt'; + var accessMsg = accessMsgOrig; + if (! ['wrong'].includes(config.access.accountMode) ) { + accessMsg = checkAccessMatches(req, accessMsgOrig); + } + if ( ['all'].includes(config.access.accountMode) || + (['matched'].includes(config.access.accountMode) && + accessMsgOrig.length < accessMsg.length) ){ + + accessLogger.info(accessMsg + + ' | ResponseStatus=' + req.fwdResponse.response.statusCode + + ' | Token=' + req.headers['x-auth-token'] + + ' | Origin=' + req.connection.remoteAddress + + ' | UserId=' + req.userId + + ' | UserName=' + req.userName + + ' | ServiceId=' + req.serviceId + + ' | Service=' + req.service + + ' | SubServiceId=' + req.subserviceId + + ' | SubService=' + req.subService + + ' | Action=' + req.action + + ' | Path=' + req.path + + ' | Query=' + JSON.stringify(req.query) + + ' | Body=' + JSON.stringify(req.body).slice(0, 100) + // not all body + ' | Date=' + new Date().toJSON()); + } }); } next(); From a9135d033de15845cc59a42115de89f5977ebc73 Mon Sep 17 00:00:00 2001 
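Review bot: The `matched` case in the rewritten accountInfo response handler is detected by `accessMsgOrig.length < accessMsg.length`, which only works because checkAccessMatches happens to append text, and the single-element `['wrong'].includes(...)` / `['all'].includes(...)` forms read as if several modes were expected. Comparing the strings directly is clearer and does not depend on that detail: `if (config.access.accountMode !== 'wrong') {` and `if (config.access.accountMode === 'all' || (config.access.accountMode === 'matched' && accessMsg !== accessMsgOrig)) {`. Any mode outside the three documented values falls through both branches and logs nothing, which is silent; and the re-emitted `' | Token=' + req.headers['x-auth-token']` line still writes the complete Keystone token to the account file, where a fixed-length prefix or a hash would still let entries be correlated. accountInfo begins outside this hunk.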
From: Alvaro Vega Date: Thu, 10 Oct 2024 10:08:47 +0200 Subject: [PATCH 22/34] generic header checker --- README.md | 4 ++-- lib/middleware/proxy.js | 15 ++++----------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 9db0f81d..fae4967d 100644 --- a/README.md +++ b/README.md 
@@ -501,10 +501,10 @@ configAccessMatch.body = [ ]; ``` -When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER Service`, `HEADER SubService`, `HEADER Origin`, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: +When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER `, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: ``` -{"level":"info","message":"Right Attempt MATCHED HEADER Service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +{"level":"info","message":"Right Attempt MATCHED HEADER fiware-service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} ``` Account log has three modes: `all`, `matched`, `wrong`. First one `all` includes right and wrong access regardles if matches or not. 
Second one `matched` includes all wrong and just rigth matches acess. And `wrong` monde only includes all wrong access, regardless is maches or not with patterns. diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index d08dfb00..98dae82d 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -209,17 +209,10 @@ function checkAccessMatches(req, accessMsg) { accessMsg += ' MATCHED USER ' + req.userName; } for (var header of configAccessMatch.headers) { - if (Object.keys(header).includes('fiware-service')) { - if (req.service.includes(header['fiware-service'])) { - accessMsg += ' MATCHED HEADER Service ' + header['fiware-service']; - } - } else if (Object.keys(header).includes('fiware-servicepath')) { - if (req.subService.includes(header['fiware-servicepath'])) { - accessMsg += ' MATCHED HEADER SubService ' + header['fiware-servicepath']; - } - } else if (Object.keys(header).includes('x-real-ip')) { - if (req.connection.remoteAddress.includes(header['x-real-ip'])) { - accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; + var headerName = Object.keys(header)[0]; + if (Object.keys(req.headers).includes(headerName)) { + if (req.headers[headerName] === header[headerName]) { + accessMsg += ' MATCHED HEADER ' + headerName + ' ' + header[headerName]; } } } From 555301bcac64b1ab97c86c93336e026be8063e32 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Thu, 10 Oct 2024 10:39:31 +0200 Subject: [PATCH 23/34] fix origin to (req.ip || req.connection.remoteAddress) to ensure headers related with proxys --- lib/fiware-pep-steelskin.js | 2 +- lib/middleware/proxy.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index d1d501e6..b8c03343 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js 
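Review bot: The generic header check takes `headerName` verbatim from the configuration and compares with an exact `===`: Node exposes incoming header names in lower case, so an entry written as `{ "Fiware-Service": ... }` never matches, and the previous substring semantics (`req.service.includes(...)`, `remoteAddress.includes(...)`) are silently replaced by equality. `var headerName = Object.keys(header)[0].toLowerCase();` fixes the case issue; whether equality or substring matching is intended should be stated in the README. Note also that `x-real-ip` is now matched against the header the client or proxy sent rather than the connection address, so that pattern only reflects the peer when a trusted proxy sets the header. `Object.keys(header)[0]` ignores any further keys in the same object and yields undefined for an empty one. checkAccessMatches begins and ends outside this hunk.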
@@ -79,7 +79,7 @@ function accountInfoError(error, req, res, next) { accessLogger.info(accessMsg + ' | Error=' + error.name + ' | Token=' + req.headers['x-auth-token'] + - ' | Origin=' + req.connection.remoteAddress + + ' | Origin=' + (req.ip || req.connection.remoteAddress) + ' | UserId=' + req.userId + ' | ServiceId=' + req.serviceId + ' | UserName=' + req.userName + diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 98dae82d..1c47457c 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -268,7 +268,7 @@ function accountInfo(req, res, next) { accessLogger.info(accessMsg + ' | ResponseStatus=' + req.fwdResponse.response.statusCode + ' | Token=' + req.headers['x-auth-token'] + - ' | Origin=' + req.connection.remoteAddress + + ' | Origin=' + (req.ip || req.connection.remoteAddress) + ' | UserId=' + req.userId + ' | UserName=' + req.userName + ' | ServiceId=' + req.serviceId + From 4a0db45c8f4fc57db3ff9bbbf83da3b9cb75f9b1 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Thu, 10 Oct 2024 10:49:46 +0200 Subject: [PATCH 24/34] update CNR and configAccessMatch file --- CHANGES_NEXT_RELEASE | 3 ++- configAccessMatch.js | 12 ++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE index 51d5c0c0..7b68a8d0 100644 --- a/CHANGES_NEXT_RELEASE +++ b/CHANGES_NEXT_RELEASE @@ -1,4 +1,5 @@ -- Add User Name, path request URL and request body to AccessLogger (#541) +- Add User name, request path, query and body to AccessLogger (#541) +- Ensure Origin of AccesLogger show x-forwarderd-for header if exists - Add Access Logger Patterns to match to Access Logger (#541) - Upgrade body-parser dep from 1.20.0 to 1.20.3 - Upgrade express from 4.19.2 to 4.20.0 diff --git a/configAccessMatch.js b/configAccessMatch.js index 2b06f669..7a945182 100644 --- a/configAccessMatch.js +++ b/configAccessMatch.js 
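Review bot: `req.ip` resolves from `X-Forwarded-For` only when the Express `trust proxy` setting is enabled, and once it is, the `Origin=` field records a value supplied by whoever sent that header; the fix therefore only gives a trustworthy origin when `trust proxy` is limited to the addresses of the real front-end proxies, which this hunk does not show. A short comment on the line, `// req.ip honours X-Forwarded-For only under Express 'trust proxy'; Origin is then as reliable as that setting`, would make the dependency visible. The same line is changed in the accountInfo hunk of lib/middleware/proxy.js in this patch. `req.connection` is a deprecated alias of `req.socket` in Node, so `req.socket.remoteAddress` is the current spelling for the fallback. accountInfoError begins and ends outside this hunk.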
@@ -7,28 +7,28 @@ var configAccessMatch = {}; // Activity related with a list of users configAccessMatch.users = [ - 'user1', 'user2', + // 'user1', 'user2', ]; // Activity related with request which the following headers configAccessMatch.headers = [ - { "fiware-service": "smartcity" }, - { "x-real-ip": "127.0.0.1" } + // { "fiware-service": "smartcity" }, + // { "x-real-ip": "127.0.0.1" } ]; // Activity related with request including the following subpaths configAccessMatch.subpaths = [ - '/v1', + // '/v1', ]; // Activity related with request including the following subqueries configAccessMatch.subqueries = [ - 'flowControl', 'options', + // 'flowControl', ]; // Activity related with request including the following strings in body configAccessMatch.body = [ - 'legacy' + // 'legacy' ]; From 11d7487ef7a6abcf456376dae532447419fcd1ec Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Thu, 10 Oct 2024 12:40:03 +0200 Subject: [PATCH 25/34] just log message in accessLogger instead of full json with timestamp and level --- lib/fiware-pep-steelskin.js | 5 ++++- lib/middleware/proxy.js | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index b8c03343..65e7ee86 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -122,7 +122,10 @@ function setAccessLogger() { level: 'info', transports: [ new(winston.transports.File)({ - filename: config.access.accountFile + filename: config.access.accountFile, + json: false, + timestamp: false, + showLevel: false }) ] }); diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 1c47457c..6e806f37 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -251,6 +251,9 @@ function accountInfo(req, res, next) { transports: [ new(winston.transports.File)({ filename: config.access.accountFile + json: false, + timestamp: false, + showLevel: false }) ] }); From 7c77636a4fd294455076d35f9bdd9ba67b616286 Mon Sep 17 00:00:00 2001 
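Review bot: The winston File-transport options (`json: false`, `timestamp: false`, `showLevel: false`) are now maintained in two places, setAccessLogger in lib/fiware-pep-steelskin.js and accountInfo in lib/middleware/proxy.js (the second hunk of patch 25), and the copies have already diverged: the proxy.js copy has no comma after `filename: config.access.accountFile` before the new `json: false`, so that file does not parse at this commit. Building the transport once, e.g. a `createAccessTransport()` helper exported from one module and called from both places, would remove the duplicate. The visible context does not show whether accountInfo builds a new logger per request; if it does, reusing the logger from setAccessLogger would also avoid opening the account file on every access. Both enclosing functions begin and end outside their hunks.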
From: Alvaro Vega Date: Thu, 10 Oct 2024 12:54:43 +0200 Subject: [PATCH 26/34] Homogenizes format for Access Logger with pep logs --- CHANGES_NEXT_RELEASE | 1 + README.md | 4 ++-- lib/middleware/proxy.js | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE index 7b68a8d0..a02184b0 100644 --- a/CHANGES_NEXT_RELEASE +++ b/CHANGES_NEXT_RELEASE @@ -1,5 +1,6 @@ - Add User name, request path, query and body to AccessLogger (#541) - Ensure Origin of AccesLogger show x-forwarderd-for header if exists - Add Access Logger Patterns to match to Access Logger (#541) +- Homogenizes format for Access Logger with pep logs - Upgrade body-parser dep from 1.20.0 to 1.20.3 - Upgrade express from 4.19.2 to 4.20.0 diff --git a/README.md b/README.md index fae4967d..cdf24972 100644 --- a/README.md +++ b/README.md 
@@ -461,7 +461,7 @@ Accounting access log include data about: * Date Example of access log: ``` -{"level":"info","message":"Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +"Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z" ``` Additionally a file configAccessMatch could be provided to pep to check matches about some elements involved in current access, regardless is right or not right access. For example: 
@@ -504,7 +504,7 @@ configAccessMatch.body = [ When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER `, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: ``` -{"level":"info","message":"Right Attempt MATCHED HEADER fiware-service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z","timestamp":"2024-10-08T09:25:30.441Z"} +Right Attempt MATCHED HEADER fiware-service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z" ``` Account log has three modes: `all`, `matched`, `wrong`. First one `all` includes right and wrong access regardles if matches or not. Second one `matched` includes all wrong and just rigth matches acess. And `wrong` monde only includes all wrong access, regardless is maches or not with patterns. diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 6e806f37..d600795b 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
@@ -250,7 +250,7 @@ function accountInfo(req, res, next) { level: 'info', transports: [ new(winston.transports.File)({ - filename: config.access.accountFile + filename: config.access.accountFile, json: false, timestamp: false, showLevel: false From 77bf0f0f08c5704cf5b836d1f681cb8300689228 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Thu, 10 Oct 2024 14:32:32 +0200 Subject: [PATCH 27/34] update path of file configAccessMatch.js --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cdf24972..2eab7ff7 100644 --- a/README.md +++ b/README.md @@ -471,7 +471,7 @@ Additionally a file configAccessMatch could be provided to pep to check matches * List of subqueries in query request * List of strings in body -This is an example of file `configAccessMatch.js`: +This is an example of file `configAccessMatch.js` (full path /opt/fiware-pep-steelskin/configAccessMatch.js i.e. in a docker image): ``` // Activity related with a list of users From 9f497ab267eb4fe2660b498c4e31650cf7270478 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 11 Oct 2024 09:49:58 +0200 Subject: [PATCH 28/34] Update CHANGES_NEXT_RELEASE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Fermín Galán Márquez --- CHANGES_NEXT_RELEASE | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE index a02184b0..b159105c 100644 --- a/CHANGES_NEXT_RELEASE +++ b/CHANGES_NEXT_RELEASE 
@@ -1,6 +1,6 @@ -- Add User name, request path, query and body to AccessLogger (#541) -- Ensure Origin of AccesLogger show x-forwarderd-for header if exists -- Add Access Logger Patterns to match to Access Logger (#541) -- Homogenizes format for Access Logger with pep logs +- Add: user name, request path, query and body to AccessLogger (#541) +- Add: Access Logger Patterns to match to Access Logger (#541) +- Fix: ensure Origin of AccesLogger show x-forwarderd-for header if exists +- Fix: Homogenizes format for Access Logger with pep logs - Upgrade body-parser dep from 1.20.0 to 1.20.3 - Upgrade express from 4.19.2 to 4.20.0 From 4308e23fc19f5be3f1dd21aa688bb11ae61e0275 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ferm=C3=ADn=20Gal=C3=A1n=20M=C3=A1rquez?= Date: Fri, 11 Oct 2024 12:00:00 +0200 Subject: [PATCH 29/34] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2eab7ff7..5c824ea7 100644 --- a/README.md +++ b/README.md @@ -459,6 +459,7 @@ Accounting access log include data about: * Path * Body * Date +* Query Example of access log: ``` "Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z" From 504e01dbef2bd1055955728b3d668c5814c746ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ferm=C3=ADn=20Gal=C3=A1n=20M=C3=A1rquez?= Date: Fri, 11 Oct 2024 12:01:59 +0200 Subject: [PATCH 30/34] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5c824ea7..291c448f 100644 --- a/README.md 
+++ b/README.md @@ -465,6 +465,8 @@ Example of access log: "Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z" ``` +Note that the above format is not the same than the regular PEP log (although it is also based in fields separated by `|`, the fields themselves are not the same). + Additionally a file configAccessMatch could be provided to pep to check matches about some elements involved in current access, regardless is right or not right access. For example: * List for users involved * List of headers and values From af04774c1ea62e54a22026f310bea32d15f95436 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ferm=C3=ADn=20Gal=C3=A1n=20M=C3=A1rquez?= Date: Fri, 11 Oct 2024 12:04:45 +0200 Subject: [PATCH 31/34] Apply suggestions from code review --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 291c448f..81bc15b3 100644 --- a/README.md +++ b/README.md 
@@ -504,12 +504,12 @@ configAccessMatch.body = [ ]; ``` -When any of theses patterns maches in current access message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER `, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: +When any of theses patterns matches in current access, message access is added with `MATCHED ` , where `` would be: `USER`, `HEADER `, `SUBPATH`, `SUBQUERY`, `BODY` and `` the value which matches. For example: ``` Right Attempt MATCHED HEADER fiware-service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z" ``` -Account log has three modes: `all`, `matched`, `wrong`. First one `all` includes right and wrong access regardles if matches or not. Second one `matched` includes all wrong and just rigth matches acess. And `wrong` monde only includes all wrong access, regardless is maches or not with patterns. +Account log has three modes: `all`, `matched`, `wrong`. First one `all` includes right and wrong access regardles if matches or not. Second one `matched` includes all wrong and just rigth matches acess. And `wrong` mode only includes all wrong access, regardless is matches or not with patterns. ``` * `config.componentName`: name of the component that will be used to compose the FRN that will identify the resource to be accessed. E.g.: `orion`. From 10bfeebef77a4d13a53af4a496006a087b5ccdad Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ferm=C3=ADn=20Gal=C3=A1n=20M=C3=A1rquez?= Date: Fri, 11 Oct 2024 12:06:10 +0200 Subject: [PATCH 32/34] Apply suggestions from code review --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 81bc15b3..5ec962b4 100644 --- a/README.md +++ b/README.md @@ -474,7 +474,9 @@ Additionally a file configAccessMatch could be provided to pep to check matches * List of subqueries in query request * List of strings in body -This is an example of file `configAccessMatch.js` (full path /opt/fiware-pep-steelskin/configAccessMatch.js i.e. in a docker image): +PEP reloads this file each time it changes without needing restarting PEP itself. + +This is an example of file `configAccessMatch.js` (full path `/opt/fiware-pep-steelskin/configAccessMatch.js` i.e. in a docker image): ``` // Activity related with a list of users From 692e17df7164f6e46bae0cc1d09f03b4a13c4172 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ferm=C3=ADn=20Gal=C3=A1n=20M=C3=A1rquez?= Date: Fri, 11 Oct 2024 12:07:10 +0200 Subject: [PATCH 33/34] Update CHANGES_NEXT_RELEASE --- CHANGES_NEXT_RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE index b159105c..3aded622 100644 --- a/CHANGES_NEXT_RELEASE +++ b/CHANGES_NEXT_RELEASE @@ -1,6 +1,6 @@ - Add: user name, request path, query and body to AccessLogger (#541) - Add: Access Logger Patterns to match to Access Logger (#541) - Fix: ensure Origin of AccesLogger show x-forwarderd-for header if exists -- Fix: Homogenizes format for Access Logger with pep logs +- Fix: use pipe-separeted format in Access Logger instead of JSON (closer to pep regular log) - Upgrade body-parser dep from 1.20.0 to 1.20.3 - Upgrade express from 4.19.2 to 4.20.0 From 6e954fe578fc6fd7fcd352745005a82370aaf354 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ferm=C3=ADn=20Gal=C3=A1n=20M=C3=A1rquez?= Date: Fri, 11 Oct 2024 12:08:43 +0200 Subject: [PATCH 34/34] Update operations.md --- operations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations.md b/operations.md index b119e7d7..7f6b7c03 100644 --- a/operations.md +++ b/operations.md @@ -26,7 +26,7 @@ curl -X GET "http://localhost:11211/admin/log" Every error message is identified with a prefix code in brackets. The code convention can be found in Apendix A. -There is another log about accounting access which is produced when access.account flag is enabled and is done over access.accountFile file. This accounting access logs run always in the a fixed `info` level and logs right and wrong access attempts, providing for each one user, service, subservice, path, date and other relevant info about access. Additionallys some patterns could be configured in order to mark some of these access. +There is another log about accounting access which is produced when access.account flag is enabled and is done over access.accountFile file. This accounting access logs right and wrong access attempts, providing for each one user, service, subservice, path, date and other relevant info about access. Additionally, some patterns could be configured in order to mark some of these access. ## Cache management