v1alpha1



Overview

Package util provides utilities for the audit logger.


Constants

const (
	// Version of the API and config.
	Version = "v1alpha1"

	// Audit rule directive options. These are the allowed values of
	// AuditRule.Directive:
	//   AUDIT                      - write audit log without request/response.
	//   AUDIT_REQUEST_ONLY         - write audit log with only the request.
	//   AUDIT_REQUEST_AND_RESPONSE - write audit log with request and response.
	// NOTE(review): the latter two copy message contents into the audit log;
	// consider what data those messages carry before selecting them.
	AuditRuleDirectiveDefault            = "AUDIT"
	AuditRuleDirectiveRequestOnly        = "AUDIT_REQUEST_ONLY"
	AuditRuleDirectiveRequestAndResponse = "AUDIT_REQUEST_AND_RESPONSE"
)

Variables

var (
	// AuditLogRequest_LogType_name maps an AuditLogRequest_LogType enum number
	// to its proto name.
	AuditLogRequest_LogType_name = map[int32]string{
		0: "UNSPECIFIED",
		1: "ADMIN_ACTIVITY",
		2: "DATA_ACCESS",
	}
	// AuditLogRequest_LogType_value is the inverse mapping, from proto name to
	// enum number.
	AuditLogRequest_LogType_value = map[string]int32{
		"UNSPECIFIED":    0,
		"ADMIN_ACTIVITY": 1,
		"DATA_ACCESS":    2,
	}
)

Enum value maps for AuditLogRequest_LogType.

var (
	// AuditLogRequest_LogMode_name maps an AuditLogRequest_LogMode enum number
	// to its proto name.
	AuditLogRequest_LogMode_name = map[int32]string{
		0: "LOG_MODE_UNSPECIFIED",
		1: "FAIL_CLOSE",
		2: "BEST_EFFORT",
	}
	// AuditLogRequest_LogMode_value is the inverse mapping, from proto name to
	// enum number.
	AuditLogRequest_LogMode_value = map[string]int32{
		"LOG_MODE_UNSPECIFIED": 0,
		"FAIL_CLOSE":           1,
		"BEST_EFFORT":          2,
	}
)

Enum value maps for AuditLogRequest_LogMode.

// AuditLogAgent_ServiceDesc is the grpc.ServiceDesc for AuditLogAgent service.
// It's only intended for direct use with grpc.RegisterService, and not to be
// introspected or modified (even as a copy).
var AuditLogAgent_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "abcxyz.lumberjack.AuditLogAgent",
	HandlerType: (*AuditLogAgentServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			// The only unary RPC of the service; see AuditLogAgentServer.ProcessLog.
			MethodName: "ProcessLog",
			Handler:    _AuditLogAgent_ProcessLog_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{}, // the service defines no streaming RPCs
	Metadata: "protos/v1alpha1/audit_log_agent.proto",
}

AuditLogAgent_ServiceDesc is the grpc.ServiceDesc for the AuditLogAgent service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

var (
	// E_LogName is the extension on descriptor.EnumValueOptions that attaches a
	// Cloud Logging log name to each AuditLogRequest_LogType enum value.
	// optional string log_name = 390161750;
	E_LogName = &file_protos_v1alpha1_audit_log_request_proto_extTypes[0]
)

Extension fields to descriptor.EnumValueOptions.

// File_protos_v1alpha1_audit_log_agent_proto is the protoreflect descriptor for
// protos/v1alpha1/audit_log_agent.proto, which defines the AuditLogAgent service.
var File_protos_v1alpha1_audit_log_agent_proto protoreflect.FileDescriptor
// File_protos_v1alpha1_audit_log_request_proto is the protoreflect descriptor
// for the audit_log_request proto, which defines AuditLogRequest, its enums and
// the log_name extension.
var File_protos_v1alpha1_audit_log_request_proto protoreflect.FileDescriptor

Functions

func RegisterAuditLogAgentServer

func RegisterAuditLogAgentServer(s grpc.ServiceRegistrar, srv AuditLogAgentServer)

func ShouldFailClose

func ShouldFailClose(logMode AuditLogRequest_LogMode) bool

ShouldFailClose returns true only if FAIL_CLOSE is explicitly configured. On BEST_EFFORT or LOG_MODE_UNSPECIFIED (the default) it returns false.

Types

type AuditLogAgentClient

// AuditLogAgentClient is the client API for AuditLogAgent service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to
// https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type AuditLogAgentClient interface {
	// ProcessLog sends one AuditLogRequest to the agent and returns the agent's
	// AuditLogResponse, or an error if the RPC fails.
	ProcessLog(ctx context.Context, in *AuditLogRequest, opts ...grpc.CallOption) (*AuditLogResponse, error)
}

AuditLogAgentClient is the client API for AuditLogAgent service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

type AuditLogAgentServer

// AuditLogAgentServer is the server API for AuditLogAgent service.
// All implementations must embed UnimplementedAuditLogAgentServer
// for forward compatibility.
type AuditLogAgentServer interface {
	// ProcessLog handles one AuditLogRequest. A response with Result unset and
	// no error means processing is terminal and the entry has been written
	// (see AuditLogResponse.Result).
	ProcessLog(context.Context, *AuditLogRequest) (*AuditLogResponse, error)
	// contains filtered or unexported methods
}

AuditLogAgentServer is the server API for the AuditLogAgent service. All implementations must embed UnimplementedAuditLogAgentServer for forward compatibility.

type AuditLogRequest

// AuditLogRequest is audit logging data pertaining to an operation, for use
// in-process. The cloud logging client converts it into one or more
// google.logging.v2.LogEntry messages for transmission to Cloud Logging.
type AuditLogRequest struct {
	// Type selects the log where this entry goes (admin activity or data
	// access); the client maps it to a Cloud Logging log name via the
	// `log_name` enum option.
	Type AuditLogRequest_LogType `protobuf:"varint,1,opt,name=type,proto3,enum=abcxyz.lumberjack.AuditLogRequest_LogType" json:"type,omitempty"`
	// The Cloud audit log payload.
	Payload *audit.AuditLog `protobuf:"bytes,2,opt,name=payload,proto3" json:"payload,omitempty"`
	// A map of key, value pairs that provides additional information about the
	// log entry. For example, an integration test can store a UUID in this field
	// to track a test log. Later, the integration test can query the UUID from a
	// BigQuery sink to ensure that a logging request completed successfully.
	Labels map[string]string       `` /* 153-byte string literal not displayed */
	// Mode is the logging mode for this individual request (fail-close or
	// best-effort); see AuditLogRequest_LogMode and ShouldFailClose.
	Mode   AuditLogRequest_LogMode `protobuf:"varint,4,opt,name=mode,proto3,enum=abcxyz.lumberjack.AuditLogRequest_LogMode" json:"mode,omitempty"`
	// Standard object used for correlating logs across streams
	Operation *v2.LogEntryOperation `protobuf:"bytes,5,opt,name=operation,proto3" json:"operation,omitempty"`
	// Timestamp of the log entry. NOTE(review): the proto does not say whether
	// the client fills this in when unset — confirm against the client code.
	Timestamp *timestamp.Timestamp  `protobuf:"bytes,6,opt,name=timestamp,proto3" json:"timestamp,omitempty"`
	// Contextual info associated with the log request.
	// Such info is meant for log processors and may not be directly
	// reflected in the final audit log.
	Context *_struct.Struct `protobuf:"bytes,7,opt,name=context,proto3" json:"context,omitempty"`
	// contains filtered or unexported fields
}

Audit logging data pertaining to an operation, for use in-process.

Our cloud logging client converts from this form to one or more google.logging.v2.LogEntry messages for transmission to Cloud Logging.

func (*AuditLogRequest) Descriptor deprecated

func (*AuditLogRequest) Descriptor() ([]byte, []int)

Deprecated: Use AuditLogRequest.ProtoReflect.Descriptor instead.

func (*AuditLogRequest) GetContext

func (x *AuditLogRequest) GetContext() *_struct.Struct

func (*AuditLogRequest) GetLabels

func (x *AuditLogRequest) GetLabels() map[string]string

func (*AuditLogRequest) GetMode

func (*AuditLogRequest) GetOperation

func (x *AuditLogRequest) GetOperation() *v2.LogEntryOperation

func (*AuditLogRequest) GetPayload

func (x *AuditLogRequest) GetPayload() *audit.AuditLog

func (*AuditLogRequest) GetTimestamp

func (x *AuditLogRequest) GetTimestamp() *timestamp.Timestamp

func (*AuditLogRequest) GetType

func (*AuditLogRequest) ProtoMessage

func (*AuditLogRequest) ProtoMessage()

func (*AuditLogRequest) ProtoReflect

func (x *AuditLogRequest) ProtoReflect() protoreflect.Message

func (*AuditLogRequest) Reset

func (x *AuditLogRequest) Reset()

func (*AuditLogRequest) String

func (x *AuditLogRequest) String() string

type AuditLogRequest_LogMode

// AuditLogRequest_LogMode specifies the logging mode for the individual log
// request: whether a persistence failure must be surfaced to the caller
// (FAIL_CLOSE) or swallowed (BEST_EFFORT). See ShouldFailClose.
type AuditLogRequest_LogMode int32

LogMode specifies the logging mode for the individual log request.

const (
	// If unspecified, it's up to the audit client to decide what log
	// mode to use. ShouldFailClose treats this value as not fail-close.
	AuditLogRequest_LOG_MODE_UNSPECIFIED AuditLogRequest_LogMode = 0
	// In FAIL_CLOSE mode, the log request must be persisted in the system
	// before return; in case of persistence failure, an error must be returned.
	AuditLogRequest_FAIL_CLOSE AuditLogRequest_LogMode = 1
	// In BEST_EFFORT mode, the log request will never return error; the
	// log request will be persisted with best effort. A failed write is
	// therefore invisible to the caller, so the audited operation proceeds
	// even when no audit record was stored.
	AuditLogRequest_BEST_EFFORT AuditLogRequest_LogMode = 2
)

func (AuditLogRequest_LogMode) Descriptor

func (AuditLogRequest_LogMode) Enum

func (AuditLogRequest_LogMode) EnumDescriptor deprecated

func (AuditLogRequest_LogMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use AuditLogRequest_LogMode.Descriptor instead.

func (AuditLogRequest_LogMode) Number

func (AuditLogRequest_LogMode) String

func (x AuditLogRequest_LogMode) String() string

func (AuditLogRequest_LogMode) Type

type AuditLogRequest_LogType

// AuditLogRequest_LogType is the log type where this audit log entry goes.
// The client converts the LogType enum to a Cloud Logging log name using the
// `log_name` enum value option (see E_LogName).
type AuditLogRequest_LogType int32

The log type where this audit log entry goes. Our client converts the LogType enum to a Cloud Logging log name using the `log_name` option.

const (
	// No log type chosen. AuditRule.LogType documents DATA_ACCESS as the
	// default when the rule leaves the type empty.
	AuditLogRequest_UNSPECIFIED AuditLogRequest_LogType = 0
	// Administrative actions or changes to configuration through public APIs.
	AuditLogRequest_ADMIN_ACTIVITY AuditLogRequest_LogType = 1
	// Reads of configuration data and all access to user data through public
	// APIs.
	AuditLogRequest_DATA_ACCESS AuditLogRequest_LogType = 2
)

func (AuditLogRequest_LogType) Descriptor

func (AuditLogRequest_LogType) Enum

func (AuditLogRequest_LogType) EnumDescriptor deprecated

func (AuditLogRequest_LogType) EnumDescriptor() ([]byte, []int)

Deprecated: Use AuditLogRequest_LogType.Descriptor instead.

func (AuditLogRequest_LogType) Number

func (AuditLogRequest_LogType) String

func (x AuditLogRequest_LogType) String() string

func (AuditLogRequest_LogType) Type

type AuditLogResponse

// AuditLogResponse holds the parameters returned from ProcessLog.
type AuditLogResponse struct {

	// Optional processed audit log request.
	// If unset and errorless, it means the processing is terminal,
	// which means the audit log entry has been written.
	Result *AuditLogRequest `protobuf:"bytes,1,opt,name=result,proto3" json:"result,omitempty"`
	// contains filtered or unexported fields
}

The parameters returned from ProcessLog.

func (*AuditLogResponse) Descriptor deprecated

func (*AuditLogResponse) Descriptor() ([]byte, []int)

Deprecated: Use AuditLogResponse.ProtoReflect.Descriptor instead.

func (*AuditLogResponse) GetResult

func (x *AuditLogResponse) GetResult() *AuditLogRequest

func (*AuditLogResponse) ProtoMessage

func (*AuditLogResponse) ProtoMessage()

func (*AuditLogResponse) ProtoReflect

func (x *AuditLogResponse) ProtoReflect() protoreflect.Message

func (*AuditLogResponse) Reset

func (x *AuditLogResponse) Reset()

func (*AuditLogResponse) String

func (x *AuditLogResponse) String() string

type AuditRule

// AuditRule is an audit rule to instruct how to audit selected paths/methods.
// SetDefault fills in defaults and Validate checks the field values.
type AuditRule struct {
	// Selector is a string to match request methods/paths.
	// In gRPC, this is in the format of "/[service_name].[method_name]".
	Selector string `yaml:"selector,omitempty"`

	// Directive specifies what audit action to take for the matching requests.
	// Allowed values are (see the AuditRuleDirective* constants):
	// "AUDIT" - write audit log without request/response.
	// "AUDIT_REQUEST_ONLY" - write audit log with only request.
	// "AUDIT_REQUEST_AND_RESPONSE" - write audit log with request and response.
	Directive string `yaml:"directive,omitempty"`

	// LogType specifies the audit log type for the matching requests.
	// Allowed values are:
	// "ADMIN_ACTIVITY" - the access is an admin operation
	// "DATA_ACCESS" - the access is a data access
	// If empty, the default value is "DATA_ACCESS".
	LogType string `yaml:"log_type,omitempty"`
}

AuditRule is an audit rule to instruct how to audit selected paths/methods.

func (*AuditRule) SetDefault

func (r *AuditRule) SetDefault()

SetDefault sets default for the audit rule.

func (*AuditRule) Validate

func (r *AuditRule) Validate() error

Validate validates the audit rule.

type Backend

// Backend holds information on the backends to send logs to.
type Backend struct {
	// Remote is a gRPC backend implementing the AuditLogAgent service.
	Remote       *Remote       `yaml:"remote,omitempty" env:",noinit"`
	// CloudLogging sends audit logs directly to GCP Cloud Logging.
	CloudLogging *CloudLogging `yaml:"cloudlogging,omitempty" env:",noinit"`
}

Backend holds information on the backends to send logs to.

func (*Backend) SetDefault

func (b *Backend) SetDefault()

SetDefault sets default for the Backend.

func (*Backend) Validate

func (b *Backend) Validate() error

Validate validates the Backend.

type CloudLogging

// CloudLogging is the GCP cloud logging backend to send audit logs to.
type CloudLogging struct {
	// DefaultProject indicates whether to use the project where the client runs.
	DefaultProject bool `yaml:"default_project,omitempty" env:"BACKEND_CLOUDLOGGING_DEFAULT_PROJECT,overwrite"`

	// Project allows overriding the project where to send the audit logs.
	// The client must be run with a service account that has log writer role on the project.
	// NOTE(review): how this interacts with DefaultProject when both are set is
	// not shown here — see Validate.
	Project string `yaml:"project,omitempty" env:"BACKEND_CLOUDLOGGING_PROJECT,overwrite"`
}

CloudLogging is the GCP cloud logging backend to send audit logs to.

func (*CloudLogging) SetDefault

func (cl *CloudLogging) SetDefault()

SetDefault sets default on the CloudLogging backend.

func (*CloudLogging) Validate

func (cl *CloudLogging) Validate() error

Validate validates the CloudLogging backend.

type Condition

// Condition is the condition under which an incoming request should be audit
// logged. Only one condition can be used.
type Condition struct {
	// Regex specifies the regular expressions to match request principals.
	Regex *RegexCondition `yaml:"regex,omitempty" env:",noinit"`
}

Condition is the condition under which an incoming request should be audit logged. Only one condition can be used.

type Config

// Config is the full audit client config. SetDefault fills in defaults,
// Validate checks the result, and GetLogMode converts LogMode to its enum.
type Config struct {
	// Version is the version of the config.
	Version string `yaml:"version,omitempty" env:"VERSION,overwrite"`

	// Backend specifies what remote backend to send audit logs to.
	// If a remote backend config is nil, audit logs will be written to stdout.
	Backend *Backend `yaml:"backend,omitempty" env:",noinit"`

	// Condition specifies the condition under which an incoming request should be
	// audit logged. If the condition is nil, the default is to audit log all requests.
	Condition *Condition `yaml:"condition,omitempty" env:",noinit"`

	// SecurityContext specifies how to retrieve security context such as
	// authentication info from the incoming requests.
	// This config is only used for auto audit logging, and it must not be nil.
	// When auto audit logging is not used, setting this field has no effect.
	SecurityContext *SecurityContext `yaml:"security_context,omitempty" env:",noinit"`

	// Rules specifies audit logging instructions per matching requests
	// method/path. If the rules is nil or empty, no audit logs will be collected.
	// This config is only used for auto audit logging.
	// When auto audit logging is not used, setting this field has no effect.
	Rules []*AuditRule `yaml:"rules,omitempty"`

	// Labels are additional labels that the calling code wants added to each
	// audit log request. Each label will only be added if it is not already added
	// in the audit log, and will not overwrite explicitly added labels.
	Labels map[string]string `yaml:"labels,omitempty"`

	// LogMode specifies whether the audit logger should fail open or close.
	// If fail-close is not chosen, the audit logger will log errors that occur,
	// and then continue without impeding the application in any way — i.e. the
	// audited operation completes even if no audit record could be written.
	// Presumably one of the AuditLogRequest_LogMode names ("FAIL_CLOSE",
	// "BEST_EFFORT"); GetLogMode performs the conversion.
	LogMode string `yaml:"log_mode,omitempty" env:"LOG_MODE,overwrite"`

	// Justification specifies the config used to integrate with JVS.
	Justification *Justification `yaml:"justification,omitempty" env:",noinit"`
}

Config is the full audit client config.

func (*Config) GetLogMode

func (cfg *Config) GetLogMode() AuditLogRequest_LogMode

GetLogMode converts the LogMode string to an AuditLogRequest_LogMode.

func (*Config) SetDefault

func (cfg *Config) SetDefault()

SetDefault sets default for the config.

func (*Config) Validate

func (cfg *Config) Validate() error

Validate checks if the config is valid.

type FromRawJWT

// FromRawJWT provides info for how to retrieve security context from a raw JWT.
type FromRawJWT struct {
	// Key is the metadata key whose value is a JWT.
	Key string `yaml:"key,omitempty"`
	// Prefix is the prefix to truncate the metadata value
	// to retrieve the JWT.
	Prefix string `yaml:"prefix,omitempty"`
	// JWKs specifies the JWKs to validate the JWT.
	// If JWKs is nil, the JWT won't be validated.
	// NOTE(review): with JWKs nil the security context (the principal recorded
	// in the audit log) comes from a token whose signature was never checked —
	// confirm that is intended for any non-test deployment.
	JWKs *JWKs `yaml:"jwks,omitempty"`
}

FromRawJWT provides info for how to retrieve security context from a raw JWT.

func (*FromRawJWT) Validate

func (j *FromRawJWT) Validate() error

Validate validates the FromRawJWT.

type JWKs

// JWKs provides JWKs to validate a JWT.
type JWKs struct {
	// Endpoint is the endpoint to retrieve the JWKs to validate JWT.
	// NOTE(review): whether the endpoint is required to be HTTPS is not shown
	// here — check FromRawJWT.Validate.
	Endpoint string `yaml:"endpoint,omitempty"`
}

JWKs provides JWKs to validate a JWT.

type Justification

// Justification specifies the config used to integrate with JVS.
type Justification struct {
	// PublicKeysEndpoint is the endpoint where public keys may be retrieved from the JVS.
	// These will be used to validate JWT tokens that are passed in through the
	// "justification-token" header.
	PublicKeysEndpoint string `yaml:"public_keys_endpoint,omitempty" env:"JUSTIFICATION_PUBLIC_KEYS_ENDPOINT,overwrite"`

	// Enabled indicates whether justification information is added to audit
	// logs. If this is enabled, all manual calls are expected to pass in a
	// justification in the "justification-token" header.
	// If omitted, justifications will not be added to logs, even if provided.
	Enabled bool `yaml:"enabled,omitempty" env:"JUSTIFICATION_ENABLED,overwrite"`
}

Justification specifies the config used to integrate with JVS.

func (*Justification) Validate

func (justification *Justification) Validate() error

Validate validates the Justification.

type RegexCondition

// RegexCondition matches condition with regular expression.
// If PrincipalInclude and PrincipalExclude are both empty, all requests will be
// audit logged. When only PrincipalInclude is set, only the matching requests
// will be audit logged. When only PrincipalExclude is set, only the
// non-matching requests will be audit logged. When both are set,
// PrincipalInclude takes precedence: a request matching PrincipalInclude is
// audit logged no matter whether it matches PrincipalExclude.
type RegexCondition struct {
	// PrincipalInclude specifies a regular expression to match request principals to be included in audit logging.
	PrincipalInclude string `yaml:"principal_include,omitempty" env:"CONDITION_REGEX_PRINCIPAL_INCLUDE,overwrite"`
	// PrincipalExclude specifies a regular expression to match request principals to be excluded from audit logging.
	// NOTE(review): whether the pattern is anchored is not shown here; an
	// unanchored pattern matches any substring of the principal — confirm
	// against the matching code before relying on an exclusion.
	PrincipalExclude string `yaml:"principal_exclude,omitempty" env:"CONDITION_REGEX_PRINCIPAL_EXCLUDE,overwrite"`
}

RegexCondition matches a condition with regular expressions. If PrincipalInclude and PrincipalExclude are both empty, all requests will be audit logged. When only PrincipalInclude is set, only the matching requests will be audit logged. When only PrincipalExclude is set, only the non-matching requests will be audit logged. When both PrincipalInclude and PrincipalExclude are set, PrincipalInclude takes precedence: if a request matches PrincipalInclude, it will be audit logged no matter whether it matches PrincipalExclude.

type Remote

// Remote is the remote backend service to send audit logs to. The backend must
// be a gRPC service that implements protos/v1alpha1/audit_log_agent.proto.
type Remote struct {
	// Address is the remote backend address. It must be set.
	Address string `yaml:"address,omitempty" env:"BACKEND_REMOTE_ADDRESS,overwrite"`

	// InsecureEnabled indicates whether to insecurely connect to the backend.
	// This should be set to false for production usage.
	// NOTE(review): presumably this selects an unencrypted, unauthenticated
	// transport, so audit records would travel in the clear — verify.
	InsecureEnabled bool `yaml:"insecure_enabled,omitempty" env:"BACKEND_REMOTE_INSECURE_ENABLED,overwrite"`

	// ImpersonateAccount specifies which service account to impersonate to call the backend.
	// If empty, there will be no impersonation.
	ImpersonateAccount string `yaml:"impersonate_account,omitempty" env:"BACKEND_REMOTE_IMPERSONATE_ACCOUNT,overwrite"`
}

Remote is the remote backend service to send audit logs to. The backend must be a gRPC service that implements protos/v1alpha1/audit_log_agent.proto.

func (*Remote) Validate

func (b *Remote) Validate() error

Validate validates the backend.

type SecurityContext

// SecurityContext provides instructive info for where to retrieve the security
// context, e.g. authentication info.
type SecurityContext struct {
	// FromRawJWT specifies where to look up the JWT. Each entry names a
	// metadata key and, optionally, the JWKs used to validate the token.
	FromRawJWT []*FromRawJWT `yaml:"from_raw_jwt,omitempty"`
}

SecurityContext provides instructive info for where to retrieve the security context, e.g. authentication info.

func (*SecurityContext) Validate

func (sc *SecurityContext) Validate() error

Validate validates the security context.

type UnimplementedAuditLogAgentServer

// UnimplementedAuditLogAgentServer must be embedded to have forward compatible
// implementations.
type UnimplementedAuditLogAgentServer struct {
}

UnimplementedAuditLogAgentServer must be embedded to have forward compatible implementations.

func (UnimplementedAuditLogAgentServer) ProcessLog

type UnsafeAuditLogAgentServer

// UnsafeAuditLogAgentServer may be embedded to opt out of forward compatibility
// for this service. Use of this interface is not recommended, as methods added
// to AuditLogAgentServer will result in compilation errors.
type UnsafeAuditLogAgentServer interface {
	// contains filtered or unexported methods
}

UnsafeAuditLogAgentServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods added to AuditLogAgentServer will result in compilation errors.
