Matthias Andreas Benkard | 832a54e | 2019-01-29 09:27:38 +0100 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2016 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package filters |
| 18 | |
| 19 | import ( |
| 20 | "bufio" |
| 21 | "fmt" |
| 22 | "io" |
| 23 | "net" |
| 24 | "net/http" |
| 25 | "strings" |
| 26 | "time" |
| 27 | |
| 28 | "github.com/golang/glog" |
| 29 | "github.com/pborman/uuid" |
| 30 | |
| 31 | authenticationapi "k8s.io/api/authentication/v1" |
| 32 | utilnet "k8s.io/apimachinery/pkg/util/net" |
| 33 | "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" |
| 34 | ) |
| 35 | |
| 36 | var _ http.ResponseWriter = &legacyAuditResponseWriter{} |
| 37 | |
| 38 | type legacyAuditResponseWriter struct { |
| 39 | http.ResponseWriter |
| 40 | out io.Writer |
| 41 | id string |
| 42 | } |
| 43 | |
| 44 | func (a *legacyAuditResponseWriter) printResponse(code int) { |
| 45 | line := fmt.Sprintf("%s AUDIT: id=%q response=\"%d\"\n", time.Now().Format(time.RFC3339Nano), a.id, code) |
| 46 | if _, err := fmt.Fprint(a.out, line); err != nil { |
| 47 | glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err) |
| 48 | } |
| 49 | } |
| 50 | |
| 51 | func (a *legacyAuditResponseWriter) WriteHeader(code int) { |
| 52 | a.printResponse(code) |
| 53 | a.ResponseWriter.WriteHeader(code) |
| 54 | } |
| 55 | |
| 56 | // fancyLegacyResponseWriterDelegator implements http.CloseNotifier, http.Flusher and |
| 57 | // http.Hijacker which are needed to make certain http operation (e.g. watch, rsh, etc) |
| 58 | // working. |
| 59 | type fancyLegacyResponseWriterDelegator struct { |
| 60 | *legacyAuditResponseWriter |
| 61 | } |
| 62 | |
| 63 | func (f *fancyLegacyResponseWriterDelegator) CloseNotify() <-chan bool { |
| 64 | return f.ResponseWriter.(http.CloseNotifier).CloseNotify() |
| 65 | } |
| 66 | |
| 67 | func (f *fancyLegacyResponseWriterDelegator) Flush() { |
| 68 | f.ResponseWriter.(http.Flusher).Flush() |
| 69 | } |
| 70 | |
| 71 | func (f *fancyLegacyResponseWriterDelegator) Hijack() (net.Conn, *bufio.ReadWriter, error) { |
| 72 | // fake a response status before protocol switch happens |
| 73 | f.printResponse(http.StatusSwitchingProtocols) |
| 74 | return f.ResponseWriter.(http.Hijacker).Hijack() |
| 75 | } |
| 76 | |
| 77 | var _ http.CloseNotifier = &fancyLegacyResponseWriterDelegator{} |
| 78 | var _ http.Flusher = &fancyLegacyResponseWriterDelegator{} |
| 79 | var _ http.Hijacker = &fancyLegacyResponseWriterDelegator{} |
| 80 | |
| 81 | // WithLegacyAudit decorates a http.Handler with audit logging information for all the |
| 82 | // requests coming to the server. If out is nil, no decoration takes place. |
| 83 | // Each audit log contains two entries: |
| 84 | // 1. the request line containing: |
| 85 | // - unique id allowing to match the response line (see 2) |
| 86 | // - source ip of the request |
| 87 | // - HTTP method being invoked |
| 88 | // - original user invoking the operation |
| 89 | // - original user's groups info |
| 90 | // - impersonated user for the operation |
| 91 | // - impersonated groups info |
| 92 | // - namespace of the request or <none> |
| 93 | // - uri is the full URI as requested |
| 94 | // 2. the response line containing: |
| 95 | // - the unique id from 1 |
| 96 | // - response code |
| 97 | func WithLegacyAudit(handler http.Handler, out io.Writer) http.Handler { |
| 98 | if out == nil { |
| 99 | return handler |
| 100 | } |
| 101 | return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { |
| 102 | ctx := req.Context() |
| 103 | attribs, err := GetAuthorizerAttributes(ctx) |
| 104 | if err != nil { |
| 105 | responsewriters.InternalError(w, req, err) |
| 106 | return |
| 107 | } |
| 108 | |
| 109 | username := "<none>" |
| 110 | groups := "<none>" |
| 111 | if attribs.GetUser() != nil { |
| 112 | username = attribs.GetUser().GetName() |
| 113 | if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 { |
| 114 | groups = auditStringSlice(userGroups) |
| 115 | } |
| 116 | } |
| 117 | asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader) |
| 118 | if len(asuser) == 0 { |
| 119 | asuser = "<self>" |
| 120 | } |
| 121 | asgroups := "<lookup>" |
| 122 | requestedGroups := req.Header[authenticationapi.ImpersonateGroupHeader] |
| 123 | if len(requestedGroups) > 0 { |
| 124 | asgroups = auditStringSlice(requestedGroups) |
| 125 | } |
| 126 | namespace := attribs.GetNamespace() |
| 127 | if len(namespace) == 0 { |
| 128 | namespace = "<none>" |
| 129 | } |
| 130 | id := uuid.NewRandom().String() |
| 131 | |
| 132 | line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q\n", |
| 133 | time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, username, groups, asuser, asgroups, namespace, req.URL) |
| 134 | if _, err := fmt.Fprint(out, line); err != nil { |
| 135 | glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err) |
| 136 | } |
| 137 | respWriter := legacyDecorateResponseWriter(w, out, id) |
| 138 | handler.ServeHTTP(respWriter, req) |
| 139 | }) |
| 140 | } |
| 141 | |
| 142 | func auditStringSlice(inList []string) string { |
| 143 | quotedElements := make([]string, len(inList)) |
| 144 | for i, in := range inList { |
| 145 | quotedElements[i] = fmt.Sprintf("%q", in) |
| 146 | } |
| 147 | return strings.Join(quotedElements, ",") |
| 148 | } |
| 149 | |
| 150 | func legacyDecorateResponseWriter(responseWriter http.ResponseWriter, out io.Writer, id string) http.ResponseWriter { |
| 151 | delegate := &legacyAuditResponseWriter{ResponseWriter: responseWriter, out: out, id: id} |
| 152 | // check if the ResponseWriter we're wrapping is the fancy one we need |
| 153 | // or if the basic is sufficient |
| 154 | _, cn := responseWriter.(http.CloseNotifier) |
| 155 | _, fl := responseWriter.(http.Flusher) |
| 156 | _, hj := responseWriter.(http.Hijacker) |
| 157 | if cn && fl && hj { |
| 158 | return &fancyLegacyResponseWriterDelegator{delegate} |
| 159 | } |
| 160 | return delegate |
| 161 | } |