[#1184] node: Add audit middleware for grpc services
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
parent
ac1f014747
commit
ecd1ed7a5e
16 changed files with 967 additions and 36 deletions
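--- /dev/null
+++ b/pkg/services/container/audit.go
@@ -0,0 +1,116 @@
+package container
+
+import (
+	"context"
+	"sync/atomic"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
+	container_grpc "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container/grpc"
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/audit"
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+)
+
+var _ Server = (*auditService)(nil)
+
+type auditService struct {
+	next    Server
+	log     *logger.Logger
+	enabled *atomic.Bool
+}
+
+func NewAuditService(next Server, log *logger.Logger, enabled *atomic.Bool) Server {
+	return &auditService{
+		next:    next,
+		log:     log,
+		enabled: enabled,
+	}
+}
+
+// AnnounceUsedSpace implements Server.
+func (a *auditService) AnnounceUsedSpace(ctx context.Context, req *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {
+	res, err := a.next.AnnounceUsedSpace(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+
+	var ids []*refs.ContainerID
+	for _, v := range req.GetBody().GetAnnouncements() {
+		ids = append(ids, v.GetContainerID())
+	}
+
+	audit.LogRequest(a.log, container_grpc.ContainerService_AnnounceUsedSpace_FullMethodName, req,
+		audit.TargetFromRefs(ids, &cid.ID{}), err == nil)
+
+	return res, err
+}
+
+// Delete implements Server.
+func (a *auditService) Delete(ctx context.Context, req *container.DeleteRequest) (*container.DeleteResponse, error) {
+	res, err := a.next.Delete(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+
+	audit.LogRequest(a.log, container_grpc.ContainerService_Delete_FullMethodName, req,
+		audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)
+
+	return res, err
+}
+
+// Get implements Server.
+func (a *auditService) Get(ctx context.Context, req *container.GetRequest) (*container.GetResponse, error) {
+	res, err := a.next.Get(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+	audit.LogRequest(a.log, container_grpc.ContainerService_Get_FullMethodName, req,
+		audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)
+	return res, err
+}
+
+// GetExtendedACL implements Server.
+func (a *auditService) GetExtendedACL(ctx context.Context, req *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {
+	res, err := a.next.GetExtendedACL(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+	audit.LogRequest(a.log, container_grpc.ContainerService_GetExtendedACL_FullMethodName, req,
+		audit.TargetFromRef(req.GetBody().GetContainerID(), &cid.ID{}), err == nil)
+	return res, err
+}
+
+// List implements Server.
+func (a *auditService) List(ctx context.Context, req *container.ListRequest) (*container.ListResponse, error) {
+	res, err := a.next.List(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+	audit.LogRequest(a.log, container_grpc.ContainerService_List_FullMethodName, req,
+		audit.TargetFromRef(req.GetBody().GetOwnerID(), &user.ID{}), err == nil)
+	return res, err
+}
+
+// Put implements Server.
+func (a *auditService) Put(ctx context.Context, req *container.PutRequest) (*container.PutResponse, error) {
+	res, err := a.next.Put(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+	audit.LogRequest(a.log, container_grpc.ContainerService_Put_FullMethodName, req,
+		audit.TargetFromRef(res.GetBody().GetContainerID(), &cid.ID{}), err == nil)
+	return res, err
+}
+
+// SetExtendedACL implements Server.
+func (a *auditService) SetExtendedACL(ctx context.Context, req *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
+	res, err := a.next.SetExtendedACL(ctx, req)
+	if !a.enabled.Load() {
+		return res, err
+	}
+	audit.LogRequest(a.log, container_grpc.ContainerService_SetExtendedACL_FullMethodName, req,
+		audit.TargetFromRef(req.GetBody().GetEACL().GetContainerID(), &cid.ID{}), err == nil)
+	return res, err
+}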
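Review bot: Put is the only method that derives its audit target from the response (`res.GetBody().GetContainerID()`) rather than from the request, so a Put that fails — where res is presumably nil — is recorded with a false success flag but no container target, which is the one case an auditor most wants attributed; if the request's container can be resolved to an ID by the audit helpers that would be preferable, otherwise a comment on that line should state that failed Puts carry no target. Whether audit.TargetFromRef tolerates a nil ref cannot be confirmed from this hunk and is worth checking. The exported NewAuditService has no doc comment; suggest `// NewAuditService wraps next so that every Server call is passed to audit.LogRequest when enabled is set; the record is written after next returns and carries whether the call succeeded.` Since `a.enabled.Load()` is evaluated after the downstream call, a request in flight while auditing is toggled is logged according to the state at completion, which the doc comment should also mention.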