nginx-sso/audit.go

package main

import (
	"encoding/json"
	"io"
	"net/http"
	"net/url"
	"os"
	"path"
	"strings"
	"sync"
	"time"

	"github.com/pkg/errors"

	"github.com/Luzifer/go_helpers/str"
)

type auditEvent string

const (
	auditEventAccessDenied            = "access_denied"
	auditEventLoginFailure            = "login_failure"
	auditEventLoginSuccess auditEvent = "login_success"
	auditEventLogout                  = "logout"
	auditEventValidate                = "validate"
)

type auditLogger struct {
	Targets          []string `yaml:"targets"`
	Events           []string `yaml:"events"`
	Headers          []string `yaml:"headers"`
	TrustedIPHeaders []string `yaml:"trusted_ip_headers"`

	lock sync.Mutex
}

func (a *auditLogger) Log(event auditEvent, r *http.Request, extraFields map[string]string) error {
	if len(a.Targets) == 0 {
		return nil
	}

	if !str.StringInSlice(string(event), a.Events) {
		return nil
	}

	// Ensure order of logs, prevent file operation collisions
	a.lock.Lock()
	defer a.lock.Unlock()

	// Compile log event
	evt := map[string]interface{}{}
	evt["timestamp"] = time.Now().Format(time.RFC3339)
	evt["event_type"] = event
	evt["remote_addr"] = a.findIP(r)

	for k, v := range extraFields {
		evt[k] = v
	}

	headers := map[string]string{}
	for _, k := range a.Headers {
		if v := r.Header.Get(k); v != "" {
			headers[k] = v
		}
	}

	evt["headers"] = headers

	// Submit event to all specified targets
	for _, target := range a.Targets {
		if err := a.submitLog(target, evt); err != nil {
			return errors.Wrapf(err, "Could not submit log to target %q", target)
		}
	}

	return nil
}

func (a *auditLogger) findIP(r *http.Request) string {
	remoteAddr := strings.SplitN(r.RemoteAddr, ":", 2)[0]

	for _, hdr := range a.TrustedIPHeaders {
		if value := r.Header.Get(hdr); value != "" {
			return strings.SplitN(value, ",", 2)[0]
		}
	}

	return remoteAddr
}

func (a *auditLogger) submitLog(target string, event map[string]interface{}) error {
	u, err := url.Parse(target)
	if err != nil {
		return errors.Wrap(err, "Unable to parse target")
	}

	switch u.Scheme {
	case "fd":
		return a.submitLogFileDescriptor(u.Host, event)
	case "file":
		return a.submitLogFile(u.Path, event)
	default:
		return errors.Errorf("Unsupported target scheme %q", u.Scheme)
	}
}

func (a *auditLogger) submitLogFile(filename string, event map[string]interface{}) error {
	if err := os.MkdirAll(path.Dir(filename), 0600); err != nil {
		return errors.Wrap(err, "Unable to create required paths")
	}

	f, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)
	if err != nil {
		return errors.Wrap(err, "Unable to open audit file")
	}
	defer f.Close()

	return json.NewEncoder(f).Encode(event)
}

func (a *auditLogger) submitLogFileDescriptor(descriptor string, event map[string]interface{}) error {
	var w io.Writer

	switch descriptor {
	case "stdout":
		w = os.Stdout
	case "stderr":
		w = os.Stderr
	default:
		return errors.Errorf("Unsupported file descriptor %q", descriptor)
	}

	return errors.Wrap(json.NewEncoder(w).Encode(event), "Unable to marshal event")
}
[#17] Implement audit logging - Add README entry for audit logging - On login log the redirection target - Do not log empty headers - Log login errors into AuditLog - Fix: Wrong length error is a sign for no Yubikey OTP - Add missing dependencies - [#17] Implement audit logging closes #17 Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-11-17 13:42:56 +00:00			`package main`

			`import (`
			`"encoding/json"`
			`"io"`
			`"net/http"`
			`"net/url"`
			`"os"`
			`"path"`
			`"strings"`
			`"sync"`
Add timestamp to audit log (#31) 2019-01-06 14:35:59 +00:00			`"time"`
[#17] Implement audit logging - Add README entry for audit logging - On login log the redirection target - Do not log empty headers - Log login errors into AuditLog - Fix: Wrong length error is a sign for no Yubikey OTP - Add missing dependencies - [#17] Implement audit logging closes #17 Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-11-17 13:42:56 +00:00
			`"github.com/pkg/errors"`

			`"github.com/Luzifer/go_helpers/str"`
			`)`

			`type auditEvent string`

			`const (`
			`auditEventAccessDenied = "access_denied"`
			`auditEventLoginFailure = "login_failure"`
			`auditEventLoginSuccess auditEvent = "login_success"`
			`auditEventLogout = "logout"`
			`auditEventValidate = "validate"`
			`)`

			`type auditLogger struct {`
			Targets []string `yaml:"targets"`
			Events []string `yaml:"events"`
			Headers []string `yaml:"headers"`
			TrustedIPHeaders []string `yaml:"trusted_ip_headers"`

			`lock sync.Mutex`
			`}`

			`func (a auditLogger) Log(event auditEvent, r http.Request, extraFields map[string]string) error {`
			`if len(a.Targets) == 0 {`
			`return nil`
			`}`

			`if !str.StringInSlice(string(event), a.Events) {`
			`return nil`
			`}`

			`// Ensure order of logs, prevent file operation collisions`
			`a.lock.Lock()`
			`defer a.lock.Unlock()`

			`// Compile log event`
			`evt := map[string]interface{}{}`
Add timestamp to audit log (#31) 2019-01-06 14:35:59 +00:00			`evt["timestamp"] = time.Now().Format(time.RFC3339)`
[#17] Implement audit logging - Add README entry for audit logging - On login log the redirection target - Do not log empty headers - Log login errors into AuditLog - Fix: Wrong length error is a sign for no Yubikey OTP - Add missing dependencies - [#17] Implement audit logging closes #17 Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-11-17 13:42:56 +00:00			`evt["event_type"] = event`
			`evt["remote_addr"] = a.findIP(r)`

Fix several linter errors Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-12-29 00:06:12 +00:00			`for k, v := range extraFields {`
			`evt[k] = v`
[#17] Implement audit logging - Add README entry for audit logging - On login log the redirection target - Do not log empty headers - Log login errors into AuditLog - Fix: Wrong length error is a sign for no Yubikey OTP - Add missing dependencies - [#17] Implement audit logging closes #17 Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-11-17 13:42:56 +00:00			`}`

			`headers := map[string]string{}`
			`for _, k := range a.Headers {`
			`if v := r.Header.Get(k); v != "" {`
			`headers[k] = v`
			`}`
			`}`

			`evt["headers"] = headers`

			`// Submit event to all specified targets`
			`for _, target := range a.Targets {`
			`if err := a.submitLog(target, evt); err != nil {`
			`return errors.Wrapf(err, "Could not submit log to target %q", target)`
			`}`
			`}`

			`return nil`
			`}`

			`func (a auditLogger) findIP(r http.Request) string {`
			`remoteAddr := strings.SplitN(r.RemoteAddr, ":", 2)[0]`

			`for _, hdr := range a.TrustedIPHeaders {`
			`if value := r.Header.Get(hdr); value != "" {`
			`return strings.SplitN(value, ",", 2)[0]`
			`}`
			`}`

			`return remoteAddr`
			`}`

			`func (a *auditLogger) submitLog(target string, event map[string]interface{}) error {`
			`u, err := url.Parse(target)`
			`if err != nil {`
			`return errors.Wrap(err, "Unable to parse target")`
			`}`

			`switch u.Scheme {`
			`case "fd":`
			`return a.submitLogFileDescriptor(u.Host, event)`
			`case "file":`
			`return a.submitLogFile(u.Path, event)`
			`default:`
			`return errors.Errorf("Unsupported target scheme %q", u.Scheme)`
			`}`
			`}`

			`func (a *auditLogger) submitLogFile(filename string, event map[string]interface{}) error {`
			`if err := os.MkdirAll(path.Dir(filename), 0600); err != nil {`
			`return errors.Wrap(err, "Unable to create required paths")`
			`}`

			`f, err := os.OpenFile(filename, os.O_APPEND\|os.O_WRONLY\|os.O_CREATE, 0600)`
			`if err != nil {`
			`return errors.Wrap(err, "Unable to open audit file")`
			`}`
			`defer f.Close()`

			`return json.NewEncoder(f).Encode(event)`
			`}`

			`func (a *auditLogger) submitLogFileDescriptor(descriptor string, event map[string]interface{}) error {`
			`var w io.Writer`

			`switch descriptor {`
			`case "stdout":`
			`w = os.Stdout`
			`case "stderr":`
			`w = os.Stderr`
			`default:`
			`return errors.Errorf("Unsupported file descriptor %q", descriptor)`
			`}`

			`return errors.Wrap(json.NewEncoder(w).Encode(event), "Unable to marshal event")`
			`}`