frostfs-node/pkg/services/container/audit.go

package container

import (
	"context"
	"sync/atomic"

	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
	container_grpc "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container/grpc"
	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/audit"
	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
)

var _ Server = (*auditService)(nil)

type auditService struct {
	next    Server
	log     *logger.Logger
	enabled *atomic.Bool
}

func NewAuditService(next Server, log *logger.Logger, enabled *atomic.Bool) Server {
	return &auditService{
		next:    next,
		log:     log,
		enabled: enabled,
	}
}

// AnnounceUsedSpace implements Server.
func (a *auditService) AnnounceUsedSpace(ctx context.Context, req *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {
	res, err := a.next.AnnounceUsedSpace(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}

	var ids []*refs.ContainerID
	for _, v := range req.GetBody().GetAnnouncements() {
		ids = append(ids, v.GetContainerID())
	}

	audit.LogRequest(a.log, container_grpc.ContainerService_AnnounceUsedSpace_FullMethodName, req,
		audit.TargetFromRefs(ids, &cid.ID{}), err == nil)

	return res, err
}

// Delete implements Server.
func (a *auditService) Delete(ctx context.Context, req *container.DeleteRequest) (*container.DeleteResponse, error) {
	res, err := a.next.Delete(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}

	audit.LogRequest(a.log, container_grpc.ContainerService_Delete_FullMethodName, req,
		audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)

	return res, err
}

// Get implements Server.
func (a *auditService) Get(ctx context.Context, req *container.GetRequest) (*container.GetResponse, error) {
	res, err := a.next.Get(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}
	audit.LogRequest(a.log, container_grpc.ContainerService_Get_FullMethodName, req,
		audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)
	return res, err
}

// GetExtendedACL implements Server.
func (a *auditService) GetExtendedACL(ctx context.Context, req *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {
	res, err := a.next.GetExtendedACL(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}
	audit.LogRequest(a.log, container_grpc.ContainerService_GetExtendedACL_FullMethodName, req,
		audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)
	return res, err
}

// List implements Server.
func (a *auditService) List(ctx context.Context, req *container.ListRequest) (*container.ListResponse, error) {
	res, err := a.next.List(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}
	audit.LogRequest(a.log, container_grpc.ContainerService_List_FullMethodName, req,
		audit.TargetFromRef(req.GetBody().GetOwnerID(), &user.ID{}), err == nil)
	return res, err
}

// Put implements Server.
func (a *auditService) Put(ctx context.Context, req *container.PutRequest) (*container.PutResponse, error) {
	res, err := a.next.Put(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}
	audit.LogRequest(a.log, container_grpc.ContainerService_Put_FullMethodName, req,
		audit.TargetFromRef(res.GetBody().GetContainerID(), &cid.ID{}), err == nil)
	return res, err
}

// SetExtendedACL implements Server.
func (a *auditService) SetExtendedACL(ctx context.Context, req *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
	res, err := a.next.SetExtendedACL(ctx, req)
	if !a.enabled.Load() {
		return res, err
	}
	audit.LogRequest(a.log, container_grpc.ContainerService_SetExtendedACL_FullMethodName, req,
		audit.TargetFromRef(req.GetBody().GetEACL().GetContainerID(), &cid.ID{}), err == nil)
	return res, err
}
[#1184] node: Add audit middleware for grpc services Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com> 2024-06-18 09:40:03 +00:00			`package container`

			`import (`
			`"context"`
			`"sync/atomic"`

			`"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"`
			`container_grpc "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container/grpc"`
			`"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/internal/audit"`
			`"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"`
			`cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"`
			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"`
			`)`

			`var _ Server = (*auditService)(nil)`

			`type auditService struct {`
			`next Server`
			`log *logger.Logger`
			`enabled *atomic.Bool`
			`}`

			`func NewAuditService(next Server, log logger.Logger, enabled atomic.Bool) Server {`
			`return &auditService{`
			`next: next,`
			`log: log,`
			`enabled: enabled,`
			`}`
			`}`

			`// AnnounceUsedSpace implements Server.`
			`func (a auditService) AnnounceUsedSpace(ctx context.Context, req container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {`
			`res, err := a.next.AnnounceUsedSpace(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`

			`var ids []*refs.ContainerID`
			`for _, v := range req.GetBody().GetAnnouncements() {`
			`ids = append(ids, v.GetContainerID())`
			`}`

			`audit.LogRequest(a.log, container_grpc.ContainerService_AnnounceUsedSpace_FullMethodName, req,`
			`audit.TargetFromRefs(ids, &cid.ID{}), err == nil)`

			`return res, err`
			`}`

			`// Delete implements Server.`
			`func (a auditService) Delete(ctx context.Context, req container.DeleteRequest) (*container.DeleteResponse, error) {`
			`res, err := a.next.Delete(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`

			`audit.LogRequest(a.log, container_grpc.ContainerService_Delete_FullMethodName, req,`
			`audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)`

			`return res, err`
			`}`

			`// Get implements Server.`
			`func (a auditService) Get(ctx context.Context, req container.GetRequest) (*container.GetResponse, error) {`
			`res, err := a.next.Get(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`
			`audit.LogRequest(a.log, container_grpc.ContainerService_Get_FullMethodName, req,`
			`audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)`
			`return res, err`
			`}`

			`// GetExtendedACL implements Server.`
			`func (a auditService) GetExtendedACL(ctx context.Context, req container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {`
			`res, err := a.next.GetExtendedACL(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`
			`audit.LogRequest(a.log, container_grpc.ContainerService_GetExtendedACL_FullMethodName, req,`
			`audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)`
			`return res, err`
			`}`

			`// List implements Server.`
			`func (a auditService) List(ctx context.Context, req container.ListRequest) (*container.ListResponse, error) {`
			`res, err := a.next.List(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`
			`audit.LogRequest(a.log, container_grpc.ContainerService_List_FullMethodName, req,`
			`audit.TargetFromRef(req.GetBody().GetOwnerID(), &user.ID{}), err == nil)`
			`return res, err`
			`}`

			`// Put implements Server.`
			`func (a auditService) Put(ctx context.Context, req container.PutRequest) (*container.PutResponse, error) {`
			`res, err := a.next.Put(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`
			`audit.LogRequest(a.log, container_grpc.ContainerService_Put_FullMethodName, req,`
			`audit.TargetFromRef(res.GetBody().GetContainerID(), &cid.ID{}), err == nil)`
			`return res, err`
			`}`

			`// SetExtendedACL implements Server.`
			`func (a auditService) SetExtendedACL(ctx context.Context, req container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {`
			`res, err := a.next.SetExtendedACL(ctx, req)`
			`if !a.enabled.Load() {`
			`return res, err`
			`}`
			`audit.LogRequest(a.log, container_grpc.ContainerService_SetExtendedACL_FullMethodName, req,`
			`audit.TargetFromRef(req.GetBody().GetEACL().GetContainerID(), &cid.ID{}), err == nil)`
			`return res, err`
			`}`