package guard
import (
"context"
"encoding/json"
"strings"
"github.com/justtrackio/gosoline/pkg/cfg"
"github.com/justtrackio/gosoline/pkg/funk"
"github.com/justtrackio/gosoline/pkg/log"
"github.com/selm0/ladon"
)
// AuditLogger is the audit sink used by the guard package. It is
// ladon.AuditLogger re-declared under a local name so that a mock can be
// generated for it (see the go:generate directive below); it adds no methods
// of its own.
//go:generate mockery --name AuditLogger
type AuditLogger interface {
	ladon.AuditLogger
}
// auditSettings holds the values read from the guard.audit config key.
//
// Note the asymmetry of the defaults (per the cfg tags): denials are recorded
// out of the box, grants are not. A default deployment therefore has a record
// of who was refused but not of who was admitted; enable log_grants where a
// complete access trail is required.
type auditSettings struct {
	// LogGrants enables LogGrantedAccessRequest. Defaults to false.
	LogGrants bool `cfg:"log_grants" default:"false"`
	// LogRejections enables LogRejectedAccessRequest. Defaults to true.
	LogRejections bool `cfg:"log_rejections" default:"true"`
}
// auditLogger implements AuditLogger on top of a gosoline logger.
type auditLogger struct {
	logger   log.Logger    // bound to the "guard_access" channel in NewAuditLogger
	settings auditSettings // which decision kinds are written at all
}
// NewAuditLogger builds the guard audit logger.
//
// The guard.audit key is unmarshalled into auditSettings (log_grants,
// log_rejections); the outcome of UnmarshalKey is not inspected here, so the
// struct's cfg defaults are what apply when the key is absent — assuming
// gosoline honours the `default` tags, confirm against the cfg version in use.
// All audit entries are emitted on the "guard_access" channel, which lets
// them be routed separately from application logs.
func NewAuditLogger(config cfg.Config, logger log.Logger) AuditLogger {
	var s auditSettings
	config.UnmarshalKey("guard.audit", &s)

	channelLogger := logger.WithChannel("guard_access")

	return &auditLogger{
		logger:   channelLogger,
		settings: s,
	}
}
// LogRejectedAccessRequest records a denied decision on the guard_access
// channel. It is a no-op when guard.audit.log_rejections is false.
//
// deciders is the list of policies that matched the request. An empty list is
// reported as "no policy allowed access". Otherwise the LAST entry is treated
// as the policy that issued the deny and all preceding entries as allows —
// this relies on the caller (ladon) appending the denying policy last and
// stopping evaluation there; confirm that ordering against the ladon version
// in use. pool is accepted only to satisfy ladon.AuditLogger and is unused.
//
// Subject and Resource are interpolated verbatim into the message (and also
// emitted as structured fields by buildLogFields); a plain-text log handler
// would be exposed to newline forging through them, structured/JSON output
// escapes them.
func (a auditLogger) LogRejectedAccessRequest(ctx context.Context, request *ladon.Request, pool ladon.Policies, deciders ladon.Policies) {
	if !a.settings.LogRejections {
		return
	}

	entry := a.logger.WithContext(ctx).WithFields(buildLogFields(request, deciders))

	switch n := len(deciders); n {
	case 0:
		entry.Info("no policy allowed access for %s on %s", request.Subject, request.Resource)
	default:
		denying := deciders[n-1]
		entry.Info("%d policy(s) allow access, but policy %s denied the access for %s on %s", n-1, denying.GetID(), request.Subject, request.Resource)
	}
}
// LogGrantedAccessRequest records a granted decision on the guard_access
// channel. It is a no-op when guard.audit.log_grants is false, which is the
// configured default — so grants are not audited unless explicitly enabled.
//
// deciders is the list of policies that allowed the request; its length is
// reported in the message and its IDs go into the structured fields. pool is
// accepted only to satisfy ladon.AuditLogger and is unused.
func (a auditLogger) LogGrantedAccessRequest(ctx context.Context, request *ladon.Request, pool ladon.Policies, deciders ladon.Policies) {
	if !a.settings.LogGrants {
		return
	}

	fields := buildLogFields(request, deciders)

	a.logger.
		WithContext(ctx).
		WithFields(fields).
		Info("%d policy(s) allow access for %s on %s", len(deciders), request.Subject, request.Resource)
}
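// buildLogFields assembles the structured fields attached to every audit
// entry: the request's resource, action and subject, the request context as
// JSON, and the IDs of the deciding policies joined by ", ".
//
// The request context is written out in full. Whatever a caller places in it
// (session attributes, tokens, PII) ends up verbatim in the audit log, so
// callers should restrict it to the attributes policies actually evaluate.
//
// A context that cannot be marshalled no longer disappears silently: the
// access_context field stays empty (as before) and the marshal error is
// surfaced in an additional access_context_error field, so a gap in the audit
// trail is visible rather than indistinguishable from an empty context.
func buildLogFields(request *ladon.Request, deciders ladon.Policies) log.Fields {
	fields := log.Fields{
		"access_resource": request.Resource,
		"access_action":   request.Action,
		"access_subject":  request.Subject,
		"access_policy_ids": strings.Join(funk.Map(deciders, func(p ladon.Policy) string {
			return p.GetID()
		}), ", "),
	}

	encoded, err := json.Marshal(request.Context)
	if err != nil {
		// Keep the field present with its historical empty value so consumers
		// keyed on access_context keep working, and record why it is empty.
		fields["access_context"] = ""
		fields["access_context_error"] = err.Error()
		return fields
	}
	fields["access_context"] = string(encoded)

	return fields
}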