package origin
import (
"net/http"
"github.com/golang/glog"
"github.com/pborman/uuid"
kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/util/net"
authenticationapi "github.com/openshift/origin/pkg/auth/api"
)
// auditResponseWriter decorates an http.ResponseWriter so that the status
// code handed to WriteHeader is written to the audit log under the id of the
// request line it belongs to.
//
// NOTE(review): only explicit WriteHeader calls are logged. A handler that
// calls Write without calling WriteHeader first gets an implicit 200 from
// net/http, and that response produces no audit line, so a request line
// without a matching response line does not by itself mean the request failed.
//
// NOTE(review): because the http.ResponseWriter interface is embedded, type
// assertions on this wrapper for optional interfaces such as http.Flusher or
// http.Hijacker do not succeed even when the wrapped writer implements them.
// Confirm that no handler behind the audit filter depends on them.
type auditResponseWriter struct {
	// ResponseWriter is the writer every call is delegated to.
	http.ResponseWriter
	// id is the unique id already emitted on the request line.
	id string
}

// WriteHeader logs the response code under the request's audit id and then
// forwards the call to the wrapped writer. The id is formatted with %q so the
// line keeps the same quoting as the request line.
func (rw *auditResponseWriter) WriteHeader(code int) {
	glog.Infof("AUDIT: id=%q response=\"%d\"", rw.id, code)
	rw.ResponseWriter.WriteHeader(code)
}
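// auditHandler wraps handler so that every request reaching the server is
// recorded in the audit log. When auditing is disabled in the master options
// the handler is returned unwrapped. Each audited request produces two
// entries:
//  1. the request line containing:
//     - id: random UUID allowing to match the response line (see 2)
//     - ip: source ip of the request
//     - method: HTTP method being invoked
//     - user: original user invoking the operation, or <none>
//     - as: impersonated user for the operation, or <self>
//     - namespace: namespace of the request, or <none>
//     - uri: the full URI as requested
//  2. the response line containing the unique id from 1 and response code
//
// Every field is formatted with %q, so client-controlled values (method,
// impersonation header, URI) are quoted and escaped and cannot break the
// key=value layout of the line or start a new log line.
//
// NOTE(review): "as" is the raw value of the impersonation request header. It
// records which identity the client asked for, not whether impersonation was
// authorized; correlate it with the response code.
//
// NOTE(review): "ip" comes from net.GetClientIP, which is expected to prefer
// forwarded-for style request headers over the socket peer address. Treat the
// field as client-supplied unless a trusted proxy overwrites those headers.
// Confirm against the deployed topology.
func (c *MasterConfig) auditHandler(handler http.Handler) http.Handler {
	if !c.Options.AuditConfig.Enabled {
		return handler
	}

	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		// A request with no context or no authenticated user must still be
		// audited. Calling GetName on a missing user would panic before any
		// audit line is written, so fall back to a placeholder instead.
		username, namespace := "<none>", "<none>"
		if ctx, ok := c.RequestContextMapper.Get(req); ok {
			if user, ok := kapi.UserFrom(ctx); ok && user != nil {
				username = user.GetName()
			}
			if ns := kapi.NamespaceValue(ctx); len(ns) > 0 {
				namespace = ns
			}
		}

		asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
		if len(asuser) == 0 {
			asuser = "<self>"
		}

		// The id is generated per request and shared with the response writer
		// so the two audit lines can be joined.
		id := uuid.NewRandom().String()
		glog.Infof("AUDIT: id=%q ip=%q method=%q user=%q as=%q namespace=%q uri=%q",
			id, net.GetClientIP(req), req.Method, username, asuser, namespace, req.URL)
		handler.ServeHTTP(&auditResponseWriter{w, id}, req)
	})
}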