
chore: do not audit log GET requests to k8s
Since we do not audit log read-like requests, I think it makes sense to do the same here.

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV committed Oct 23, 2024
1 parent 62917e7 commit c904e3a
Showing 4 changed files with 5 additions and 31 deletions.
2 changes: 1 addition & 1 deletion go.work
@@ -1,4 +1,4 @@
go 1.23.0
go 1.23.2

use (
.
1 change: 0 additions & 1 deletion internal/backend/k8sproxy/middleware.go
Expand Up @@ -129,7 +129,6 @@ func AuthorizeRequest(next http.Handler, keyFunc KeyProvider, clusterUUIDResolve
Session: req.Header.Get("Kubectl-Session"),
ClusterName: clusterName,
ClusterUUID: clusterUUID,
Body: "",
},
Session: audit.Session{
UserAgent: req.Header.Get("User-Agent"),
32 changes: 4 additions & 28 deletions internal/backend/runtime/omni/audit/audit.go
Expand Up @@ -7,7 +7,6 @@
package audit

import (
"bytes"
"context"
"errors"
"fmt"
Expand Down Expand Up @@ -124,21 +123,15 @@ func (l *Log) AuditTalosAccess(ctx context.Context, fullMethodName string, clust
// Wrap wraps the http.Handler with audit logging.
func (l *Log) Wrap(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
clonedReq := req.Clone(req.Context())

strData, body, err := duplicateReadCloser(req.Body)
if err != nil {
l.logger.Error("failed to clone request body", zap.Error(err))
if req.Method == http.MethodGet || req.Method == http.MethodHead || req.Method == http.MethodOptions {
next.ServeHTTP(w, req)

return
}

clonedReq.Body = body

data, ok := ctxstore.Value[*Data](req.Context())
if !ok {
next.ServeHTTP(w, clonedReq)
next.ServeHTTP(w, req)

return
}
Expand All @@ -147,9 +140,7 @@ func (l *Log) Wrap(next http.Handler) http.Handler {
data.K8SAccess = &K8SAccess{}
}

data.K8SAccess.Body = strData

err = l.logFile.Dump(event{
err := l.logFile.Dump(event{
Type: "k8s_access",
Time: time.Now().UnixMilli(),
Data: data,
Expand All @@ -158,7 +149,7 @@ func (l *Log) Wrap(next http.Handler) http.Handler {
l.logger.Error("failed to write audit log", zap.Error(err))
}

next.ServeHTTP(w, clonedReq)
next.ServeHTTP(w, req)
})
}

Expand All @@ -181,21 +172,6 @@ func (l *Log) RunCleanup(ctx context.Context) error {
}
}

func duplicateReadCloser(body io.ReadCloser) (string, io.ReadCloser, error) {
if body == nil {
return "", nil, nil
}

var buf bytes.Buffer

_, err := buf.ReadFrom(body)
if err != nil {
return "", nil, err
}

return buf.String(), io.NopCloser(&buf), nil
}

type (
// CreateHook is a hook for specific type resource creation.
CreateHook = func(ctx context.Context, res resource.Resource, option ...state.CreateOption) error
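Review bot: The new early return in Wrap is keyed on the HTTP method alone, so a GET that carries a protocol upgrade (the websocket transport sends exec/attach/port-forward subresource requests as GET, as far as I know) now passes through without an audit entry even though it is not read-only. Consider excluding upgrades from the shortcut, e.g. `if req.Header.Get("Upgrade") == "" && (req.Method == http.MethodGet || req.Method == http.MethodHead || req.Method == http.MethodOptions) {`. The doc comment on Wrap should also state the new exemption, e.g. `// Wrap wraps the http.Handler with audit logging; GET, HEAD and OPTIONS requests are passed through without an audit entry.` Wrap's body continues past this hunk.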
1 change: 0 additions & 1 deletion internal/backend/runtime/omni/audit/data.go
Expand Up @@ -122,7 +122,6 @@ type TalosAccess struct {
type K8SAccess struct {
FullMethodName string `json:"full_method_name,omitempty"`
Command string `json:"command,omitempty"`
Body string `json:"body,omitempty"`
Session string `json:"kube_session,omitempty"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterUUID string `json:"cluster_uuid,omitempty"`
