externalauditstorage

package
v0.0.0-...-5c79d48
Published: Feb 15, 2024 License: AGPL-3.0 Imports: 32 Imported by: 0

Documentation

Constants

const (
	// TokenLifetime is the lifetime of OIDC tokens used by the
	// ExternalAuditStorage service with the AWS OIDC integration.
	TokenLifetime = time.Hour
)

Variables

This section is empty.

Functions

func BootstrapInfra

func BootstrapInfra(ctx context.Context, params BootstrapInfraParams) error

BootstrapInfra bootstraps External Audit Storage infrastructure. We are currently very opinionated about inputs and have additional checks to ensure a stricter setup is created.

func WithClock

func WithClock(clock clockwork.Clock) func(*Options)

WithClock is a functional option to set the clock.

func WithSTSClient

func WithSTSClient(clt stscreds.AssumeRoleWithWebIdentityAPIClient) func(*Options)

WithSTSClient is a functional option to set the STS client.

Types

type BootstrapAthenaClient

type BootstrapAthenaClient interface {
	// Creates a workgroup with the specified name.
	CreateWorkGroup(ctx context.Context, params *athena.CreateWorkGroupInput, optFns ...func(*athena.Options)) (*athena.CreateWorkGroupOutput, error)
}

BootstrapAthenaClient is a subset of athena.Client methods needed for athena bootstrap.

type BootstrapGlueClient

type BootstrapGlueClient interface {
	// Creates a new database in a Data Catalog.
	CreateDatabase(ctx context.Context, params *glue.CreateDatabaseInput, optFns ...func(*glue.Options)) (*glue.CreateDatabaseOutput, error)
	// Creates a new table definition in the Data Catalog.
	CreateTable(ctx context.Context, params *glue.CreateTableInput, optFns ...func(*glue.Options)) (*glue.CreateTableOutput, error)
	// Updates a metadata table in the Data Catalog.
	UpdateTable(ctx context.Context, params *glue.UpdateTableInput, optFns ...func(*glue.Options)) (*glue.UpdateTableOutput, error)
}

BootstrapGlueClient is a subset of glue.Client methods needed for glue bootstrap.

type BootstrapInfraParams

type BootstrapInfraParams struct {
	Athena BootstrapAthenaClient
	Glue   BootstrapGlueClient
	S3     BootstrapS3Client

	Spec   *eastypes.ExternalAuditStorageSpec
	Region string
}

BootstrapInfraParams are the input parameters for BootstrapInfra.

type BootstrapS3Client

type BootstrapS3Client interface {
	// Creates a new S3 bucket.
	CreateBucket(ctx context.Context, params *s3.CreateBucketInput, optFns ...func(*s3.Options)) (*s3.CreateBucketOutput, error)
	// Places an Object Lock configuration on the specified bucket.
	PutObjectLockConfiguration(ctx context.Context, params *s3.PutObjectLockConfigurationInput, optFns ...func(*s3.Options)) (*s3.PutObjectLockConfigurationOutput, error)
	// Sets the versioning state of an existing bucket.
	PutBucketVersioning(ctx context.Context, params *s3.PutBucketVersioningInput, optFns ...func(*s3.Options)) (*s3.PutBucketVersioningOutput, error)
	// Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.
	PutBucketLifecycleConfiguration(ctx context.Context, params *s3.PutBucketLifecycleConfigurationInput, optFns ...func(*s3.Options)) (*s3.PutBucketLifecycleConfigurationOutput, error)
}

BootstrapS3Client is a subset of s3.Client methods needed to bootstrap S3 buckets.
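The "stricter setup" that BootstrapInfra promises can be made concrete against the BootstrapS3Client subset above. The following is an added example, not the project's code: the aws-sdk-go-v2 input types are replaced by simplified structs that keep the SDK names, optFns and the lifecycle method are left out, and FakeS3, BootstrapAuditBucket and Hardened are hypothetical. The policy it enforces (Object Lock requested at bucket creation, versioning on, COMPLIANCE-mode retention, refusal of a retention under one day, refusal to touch an existing bucket) is this example's reading of what an audit-log bucket should look like, not a statement of the project's exact checks. The fake client reproduces two real S3 behaviours: a bucket name can only be created once, and Object Lock cannot be configured on a bucket whose versioning is not enabled.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Simplified stand-ins, constructed for this example, for the aws-sdk-go-v2 s3
// input types named in the BootstrapS3Client interface (optFns omitted).
type CreateBucketInput struct{ Bucket string; ObjectLockEnabledForBucket bool }
type PutBucketVersioningInput struct{ Bucket, Status string } // Status: "Enabled" or "Suspended"
type PutObjectLockConfigurationInput struct{ Bucket, Mode string; RetentionDays int32 } // Mode: "COMPLIANCE" or "GOVERNANCE"

// BootstrapS3Client keeps three of the page's four methods over the simplified inputs.
type BootstrapS3Client interface {
	CreateBucket(ctx context.Context, in *CreateBucketInput) error
	PutBucketVersioning(ctx context.Context, in *PutBucketVersioningInput) error
	PutObjectLockConfiguration(ctx context.Context, in *PutObjectLockConfigurationInput) error
}

// BucketState records what the fake client has applied to a bucket.
type BucketState struct{ Versioning, LockMode string; RetentionDays int32 }

// FakeS3 is an in-memory BootstrapS3Client that mimics two real S3 rules: a
// bucket name can be created only once, and Object Lock needs versioning on.
type FakeS3 struct{ Buckets map[string]*BucketState }

func NewFakeS3() *FakeS3 { return &FakeS3{Buckets: map[string]*BucketState{}} }

func (f *FakeS3) CreateBucket(_ context.Context, in *CreateBucketInput) error {
	if _, exists := f.Buckets[in.Bucket]; exists {
		return errors.New("BucketAlreadyOwnedByYou")
	}
	st := &BucketState{Versioning: "Suspended"}
	if in.ObjectLockEnabledForBucket {
		st.Versioning = "Enabled" // S3 enables versioning automatically in this case
	}
	f.Buckets[in.Bucket] = st
	return nil
}

func (f *FakeS3) PutBucketVersioning(_ context.Context, in *PutBucketVersioningInput) error {
	st, ok := f.Buckets[in.Bucket]
	if !ok {
		return errors.New("NoSuchBucket")
	}
	st.Versioning = in.Status
	return nil
}

func (f *FakeS3) PutObjectLockConfiguration(_ context.Context, in *PutObjectLockConfigurationInput) error {
	st, ok := f.Buckets[in.Bucket]
	if !ok {
		return errors.New("NoSuchBucket")
	}
	if st.Versioning != "Enabled" {
		return errors.New("InvalidBucketState: Object Lock requires versioning")
	}
	st.LockMode, st.RetentionDays = in.Mode, in.RetentionDays
	return nil
}

// BootstrapAuditBucket applies this example's strict policy: the bucket must be
// new, Object Lock is requested at creation, versioning is enabled, and retention
// uses COMPLIANCE mode (not removable even by the bucket owner). A retention of
// under one day is refused before any API call is made.
func BootstrapAuditBucket(ctx context.Context, clt BootstrapS3Client, bucket string, retentionDays int32) error {
	if retentionDays < 1 {
		return fmt.Errorf("refusing to bootstrap %q: retention must be at least 1 day", bucket)
	}
	if err := clt.CreateBucket(ctx, &CreateBucketInput{Bucket: bucket, ObjectLockEnabledForBucket: true}); err != nil {
		return fmt.Errorf("create bucket %q: %w", bucket, err)
	}
	if err := clt.PutBucketVersioning(ctx, &PutBucketVersioningInput{Bucket: bucket, Status: "Enabled"}); err != nil {
		return fmt.Errorf("enable versioning on %q: %w", bucket, err)
	}
	lock := &PutObjectLockConfigurationInput{Bucket: bucket, Mode: "COMPLIANCE", RetentionDays: retentionDays}
	if err := clt.PutObjectLockConfiguration(ctx, lock); err != nil {
		return fmt.Errorf("set object lock on %q: %w", bucket, err)
	}
	return nil
}

// Hardened is the post-bootstrap check: versioned, COMPLIANCE-locked, retained.
func Hardened(st *BucketState) bool {
	return st != nil && st.Versioning == "Enabled" && st.LockMode == "COMPLIANCE" && st.RetentionDays >= 1
}

func main() {
	s3 := NewFakeS3()
	err := BootstrapAuditBucket(context.Background(), s3, "example-audit-events", 365)
	fmt.Println("bootstrap:", err, "hardened:", Hardened(s3.Buckets["example-audit-events"]))
}
```

Running the bootstrap a second time for the same name fails at CreateBucket rather than silently reconfiguring a bucket that is already receiving audit data; that is the behaviour to want from an opinionated bootstrap, since a lock or retention change on a live audit bucket is itself a security-relevant event.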

type ClusterAlertService

type ClusterAlertService interface {
	// UpsertClusterAlert creates the specified alert, overwriting any preexisting alert with the same ID.
	UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
	// DeleteClusterAlert deletes the cluster alert with the specified ID.
	DeleteClusterAlert(ctx context.Context, alertID string) error
}

ClusterAlertService abstracts a service providing Upsert and Delete operations for cluster alerts.

type Configurator

type Configurator struct {
	// ErrorCounter provides audit middlewares that count errors and raise or clear
	// cluster alerts based on recent error rates.
	// It will be nil if created via NewDraftConfigurator.
	ErrorCounter *ErrorCounter
	// contains filtered or unexported fields
}

Configurator provides functionality necessary for configuring the External Cloud Audit feature.

Specifically:

  • IsUsed() reports whether the feature is currently activated and in use.
  • GetSpec() provides the current cluster ExternalAuditStorageSpec.
  • CredentialsProvider() provides AWS credentials for the necessary customer resources that can be used with aws-sdk-go-v2.
  • CredentialsProviderSDKV1() provides AWS credentials for the necessary customer resources that can be used with aws-sdk-go.

Configurator is a dependency to both the S3 session uploader and the Athena audit logger. They are both initialized before Auth. However, Auth needs to be initialized in order to provide signatures for the OIDC tokens. That's why SetGenerateOIDCTokenFn() must be called after auth is initialized to inject the OIDC token source dynamically.

If auth needs to emit any events during initialization (before SetGenerateOIDCTokenFn is called), that is okay: events are written to SQS first, and credentials from the Configurator are not needed until the batcher reads the events from SQS and tries to write a batch to the customer S3 bucket. If the batcher tries to write a batch before the Configurator is initialized and gets an error when trying to retrieve credentials, that's still okay; it will always retry.

func NewConfigurator

func NewConfigurator(ctx context.Context, ecaSvc ExternalAuditStorageGetter, integrationSvc services.IntegrationsGetter, alertService ClusterAlertService, optFns ...func(*Options)) (*Configurator, error)

NewConfigurator returns a new Configurator set up with the current active cluster ExternalAuditStorage spec from [ecaSvc].

If the External Audit Storage feature is not used in this cluster then a valid instance will be returned where IsUsed() will return false.

func NewDraftConfigurator

func NewDraftConfigurator(ctx context.Context, ecaSvc ExternalAuditStorageGetter, integrationSvc services.IntegrationsGetter, optFns ...func(*Options)) (*Configurator, error)

NewDraftConfigurator is equivalent to NewConfigurator but is based on the current *draft* ExternalAuditStorage configuration instead of the active configuration.

If a draft ExternalAuditStorage configuration is not found, an error will be returned.

func (*Configurator) CredentialsProvider

func (p *Configurator) CredentialsProvider() aws.CredentialsProvider

CredentialsProvider returns an aws.CredentialsProvider that can be used to authenticate with the customer AWS account via the configured AWS OIDC integration with aws-sdk-go-v2.

func (*Configurator) CredentialsProviderSDKV1

func (p *Configurator) CredentialsProviderSDKV1() credentials.ProviderWithContext

CredentialsProviderSDKV1 returns a credentials.ProviderWithContext that can be used to authenticate with the customer AWS account via the configured AWS OIDC integration with aws-sdk-go.

func (*Configurator) GetSpec

GetSpec returns the current active ExternalAuditStorageSpec.

func (*Configurator) IsUsed

func (c *Configurator) IsUsed() bool

IsUsed returns a boolean indicating whether the ExternalAuditStorage feature is currently in active use.

func (*Configurator) SetGenerateOIDCTokenFn

func (c *Configurator) SetGenerateOIDCTokenFn(fn GenerateOIDCTokenFn)

SetGenerateOIDCTokenFn sets the source of OIDC tokens for this Configurator.

func (*Configurator) WaitForFirstCredentials

func (p *Configurator) WaitForFirstCredentials(ctx context.Context)

WaitForFirstCredentials waits for the internal credentials cache to finish fetching its first credentials (or getting an error attempting to do so). This can be called after SetGenerateOIDCTokenFn to make sure any returned credential providers won't return errors simply due to the cache not being ready yet.
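The initialization ordering described under Configurator (consumers built before Auth, token source injected later via SetGenerateOIDCTokenFn, retryable credential errors in between) and the WaitForFirstCredentials semantics above can be modelled in a few dozen lines. The block below is an added example, not the project's implementation: Credentials stands in for aws.Credentials, ExchangeFn stands in for the STS AssumeRoleWithWebIdentity call the real package makes through its STS client, fakeExchange and StartupSequence are constructed for the demonstration, and ErrNoTokenSource is a hypothetical error value. The five-minute refresh margin is this example's choice.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenLifetime matches the page's constant: OIDC tokens live for an hour.
const TokenLifetime = time.Hour

// GenerateOIDCTokenFn mirrors the page's type.
type GenerateOIDCTokenFn func(ctx context.Context) (string, error)

// Credentials is a simplified stand-in for aws.Credentials.
type Credentials struct{ AccessKeyID string; Expires time.Time }

// ExchangeFn stands in for STS AssumeRoleWithWebIdentity: token in, temporary credentials out.
type ExchangeFn func(ctx context.Context, token string) (Credentials, error)

var ErrNoTokenSource = errors.New("external audit storage: OIDC token source not set yet")

// Configurator is this example's cut-down model: a credentials cache whose token
// source is injected after construction.
type Configurator struct {
	mu        sync.Mutex
	genToken  GenerateOIDCTokenFn
	exchange  ExchangeFn
	cached    *Credentials
	firstDone chan struct{}
	closeOnce sync.Once
}

func NewConfigurator(exchange ExchangeFn) *Configurator {
	return &Configurator{exchange: exchange, firstDone: make(chan struct{})}
}

// SetGenerateOIDCTokenFn injects the token source once Auth can sign tokens and
// starts the first fetch in the background.
func (c *Configurator) SetGenerateOIDCTokenFn(fn GenerateOIDCTokenFn) {
	c.mu.Lock()
	c.genToken = fn
	c.mu.Unlock()
	go func() {
		defer c.closeOnce.Do(func() { close(c.firstDone) })
		_, _ = c.Retrieve(context.Background()) // success or error, the wait ends
	}()
}

// WaitForFirstCredentials blocks until the first fetch has finished or ctx is done.
func (c *Configurator) WaitForFirstCredentials(ctx context.Context) {
	select {
	case <-c.firstDone:
	case <-ctx.Done():
	}
}

// Retrieve serves cached credentials while more than 5 minutes remain, otherwise
// mints a token and exchanges it. Before the token source is set it returns
// ErrNoTokenSource, which a consumer such as the S3 batcher retries later.
func (c *Configurator) Retrieve(ctx context.Context) (Credentials, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.cached != nil && time.Until(c.cached.Expires) > 5*time.Minute {
		return *c.cached, nil
	}
	if c.genToken == nil {
		return Credentials{}, ErrNoTokenSource
	}
	token, err := c.genToken(ctx)
	if err != nil {
		return Credentials{}, fmt.Errorf("generate OIDC token: %w", err)
	}
	creds, err := c.exchange(ctx, token)
	if err != nil {
		return Credentials{}, fmt.Errorf("assume role with web identity: %w", err)
	}
	c.cached = &creds
	return creds, nil
}

// fakeExchange issues constructed credentials good for TokenLifetime.
func fakeExchange(_ context.Context, _ string) (Credentials, error) {
	return Credentials{AccessKeyID: "ASIAEXAMPLEKEY", Expires: time.Now().Add(TokenLifetime)}, nil
}

// StartupSequence replays the ordering the page describes: a consumer asks for
// credentials before Auth has injected the token source (retryable error), the
// source is set, the first fetch is awaited, and the retry succeeds.
func StartupSequence() (earlyErr error, creds Credentials, err error) {
	c := NewConfigurator(fakeExchange)
	_, earlyErr = c.Retrieve(context.Background())
	c.SetGenerateOIDCTokenFn(func(context.Context) (string, error) {
		return "eyJ.constructed.jwt", nil // Auth would return a signed JWT here
	})
	c.WaitForFirstCredentials(context.Background())
	creds, err = c.Retrieve(context.Background())
	return earlyErr, creds, err
}

func main() {
	earlyErr, creds, err := StartupSequence()
	fmt.Println("before token source:", earlyErr)
	fmt.Println("after:", creds.AccessKeyID, err)
}
```

The point of the wait is visible in StartupSequence: without it, the Retrieve that follows SetGenerateOIDCTokenFn could race the background fetch and either do a second token exchange or, in an implementation that only serves the cache, report a spurious "not ready" error.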

type ErrorCounter

type ErrorCounter struct {
	// contains filtered or unexported fields
}

ErrorCounter is used when the External Audit Storage feature is enabled to store audit events and session recordings on external infrastructure. It effectively provides audit middlewares that count errors and raise or clear cluster alerts based on recent error rates. Cluster alerts are used to surface this information because Cloud customers don't have access to their own Auth server logs.

func NewErrorCounter

func NewErrorCounter(alertService ClusterAlertService) *ErrorCounter

NewErrorCounter takes a ClusterAlertService that will be used to raise or clear cluster alerts and returns a new ErrorCounter.

func (*ErrorCounter) ObserveEmitError

func (c *ErrorCounter) ObserveEmitError(err error)

ObserveEmitError can be called to observe relevant event emit errors not captured by WrapAuditLogger. In particular this should be used by the Athena consumer which batches event writes to S3.

func (*ErrorCounter) WrapAuditLogger

func (c *ErrorCounter) WrapAuditLogger(wrapped events.AuditLogger) *ErrorCountingLogger

WrapAuditLogger returns an events.AuditLogger that will forward all calls to [wrapped] and observe all errors encountered.

func (*ErrorCounter) WrapSessionHandler

func (c *ErrorCounter) WrapSessionHandler(wrapped events.MultipartHandler) *ErrorCountingSessionHandler

WrapSessionHandler returns an events.MultipartHandler that will forward all calls to [wrapped] and observe all errors encountered.
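The ErrorCounter description above (count errors, raise or clear a cluster alert from recent error rates, surface the condition to operators who cannot read Auth logs) and the WrapAuditLogger middleware can be illustrated together. The block below is an added example, not the project's code: ClusterAlert, ClusterAlertService and AuditLogger are cut-down stand-ins for the real types, MemoryAlerts and LoggerFunc are constructed test doubles, and the alerting rule (look at the last 100 outcomes, need at least 10, raise at a 50% failure share, clear when it falls below) is this example's policy, not the project's thresholds. The one property worth copying is that the wrapper observes the error and still returns it, so the caller's retry logic is unaffected by the monitoring.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// Constructed stand-ins for types.ClusterAlert, the page's ClusterAlertService
// and a one-method slice of events.AuditLogger.
type ClusterAlert struct{ ID, Message string }

type ClusterAlertService interface {
	UpsertClusterAlert(ctx context.Context, alert ClusterAlert) error
	DeleteClusterAlert(ctx context.Context, alertID string) error
}

type AuditLogger interface {
	EmitAuditEvent(ctx context.Context, event string) error
}

// LoggerFunc adapts a plain function to AuditLogger (a stand-in backend).
type LoggerFunc func(ctx context.Context, event string) error

func (f LoggerFunc) EmitAuditEvent(ctx context.Context, e string) error { return f(ctx, e) }

// MemoryAlerts is an in-memory ClusterAlertService for single-goroutine use.
type MemoryAlerts map[string]ClusterAlert

func (m MemoryAlerts) UpsertClusterAlert(_ context.Context, a ClusterAlert) error { m[a.ID] = a; return nil }
func (m MemoryAlerts) DeleteClusterAlert(_ context.Context, id string) error  { delete(m, id); return nil }

const emitAlertID = "external-audit-storage-emit-errors"

// ErrorCounter remembers the last `keep` emit outcomes. The alert is raised once
// at least minTotal outcomes exist and the failure share reaches threshold, and
// cleared when the share drops below it. These numbers are this example's choices.
type ErrorCounter struct {
	alerts    ClusterAlertService
	keep      int
	minTotal  int
	threshold float64
	mu        sync.Mutex
	recent    []bool // true = the emit failed
	raised    bool
}

func NewErrorCounter(alerts ClusterAlertService) *ErrorCounter {
	return &ErrorCounter{alerts: alerts, keep: 100, minTotal: 10, threshold: 0.5}
}

// ObserveEmitError records one outcome; a batching consumer calls it directly.
func (c *ErrorCounter) ObserveEmitError(err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.recent = append(c.recent, err != nil)
	if len(c.recent) > c.keep {
		c.recent = c.recent[1:] // forget the oldest outcome
	}
	failures := 0
	for _, failed := range c.recent {
		if failed {
			failures++
		}
	}
	total := len(c.recent)
	rate := float64(failures) / float64(total)
	switch {
	case !c.raised && total >= c.minTotal && rate >= c.threshold:
		msg := fmt.Sprintf("%d of the last %d audit event writes to external storage failed", failures, total)
		if c.alerts.UpsertClusterAlert(context.Background(), ClusterAlert{ID: emitAlertID, Message: msg}) == nil {
			c.raised = true
		}
	case c.raised && rate < c.threshold:
		if c.alerts.DeleteClusterAlert(context.Background(), emitAlertID) == nil {
			c.raised = false
		}
	}
}

// ErrorCountingLogger forwards to the wrapped logger and counts the outcome;
// the error is still returned to the caller, never swallowed.
type ErrorCountingLogger struct{ counter *ErrorCounter; wrapped AuditLogger }

func (c *ErrorCounter) WrapAuditLogger(wrapped AuditLogger) *ErrorCountingLogger {
	return &ErrorCountingLogger{counter: c, wrapped: wrapped}
}

func (l *ErrorCountingLogger) EmitAuditEvent(ctx context.Context, event string) error {
	err := l.wrapped.EmitAuditEvent(ctx, event)
	l.counter.ObserveEmitError(err)
	return err
}

func main() {
	alerts := MemoryAlerts{}
	denied := LoggerFunc(func(context.Context, string) error { return errors.New("s3: AccessDenied") })
	logger := NewErrorCounter(alerts).WrapAuditLogger(denied)
	for i := 0; i < 10; i++ {
		_ = logger.EmitAuditEvent(context.Background(), "user.login")
	}
	fmt.Println("cluster alerts after 10 failed emits:", len(alerts))
}
```

The minimum-sample guard is what keeps a single failed write from paging anyone, and recomputing the share on every outcome is what lets the alert clear itself once writes recover; a production counter would also re-evaluate on a timer so that an alert does not linger when emits simply stop.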

type ErrorCountingLogger

type ErrorCountingLogger struct {
	// contains filtered or unexported fields
}

ErrorCountingLogger wraps an AuditLogger and counts errors on emit and search operations.

func (*ErrorCountingLogger) Close

func (c *ErrorCountingLogger) Close() error

Close calls [c.wrapped.Close].

func (*ErrorCountingLogger) EmitAuditEvent

func (c *ErrorCountingLogger) EmitAuditEvent(ctx context.Context, e apievents.AuditEvent) error

EmitAuditEvent calls [c.wrapped.EmitAuditEvent] and counts the error or success.

func (*ErrorCountingLogger) SearchEvents

SearchEvents calls [c.wrapped.SearchEvents] and counts the error or success.

func (*ErrorCountingLogger) SearchSessionEvents

SearchSessionEvents calls [c.wrapped.SearchSessionEvents] and counts the error or success.

type ErrorCountingSessionHandler

type ErrorCountingSessionHandler struct {
	// contains filtered or unexported fields
}

ErrorCountingSessionHandler wraps a MultipartHandler and counts errors on all operations.

func (*ErrorCountingSessionHandler) CompleteUpload

func (c *ErrorCountingSessionHandler) CompleteUpload(ctx context.Context, upload events.StreamUpload, parts []events.StreamPart) error

CompleteUpload calls [c.wrapped.CompleteUpload] and counts the error or success.

func (*ErrorCountingSessionHandler) CreateUpload

func (c *ErrorCountingSessionHandler) CreateUpload(ctx context.Context, sessionID session.ID) (*events.StreamUpload, error)

CreateUpload calls [c.wrapped.CreateUpload] and counts the error or success.

func (*ErrorCountingSessionHandler) Download

func (c *ErrorCountingSessionHandler) Download(ctx context.Context, sessionID session.ID, writer io.WriterAt) error

Download calls [c.wrapped.Download] and counts the error or success.

func (*ErrorCountingSessionHandler) GetUploadMetadata

func (c *ErrorCountingSessionHandler) GetUploadMetadata(sessionID session.ID) events.UploadMetadata

GetUploadMetadata calls [c.wrapped.GetUploadMetadata] and counts the error or success.

func (*ErrorCountingSessionHandler) ListParts

ListParts calls [c.wrapped.ListParts] and counts the error or success.

func (*ErrorCountingSessionHandler) ListUploads

ListUploads calls [c.wrapped.ListUploads] and counts the error or success.

func (*ErrorCountingSessionHandler) ReserveUploadPart

func (c *ErrorCountingSessionHandler) ReserveUploadPart(ctx context.Context, upload events.StreamUpload, partNumber int64) error

ReserveUploadPart calls [c.wrapped.ReserveUploadPart] and counts the error or success.

func (*ErrorCountingSessionHandler) Upload

func (c *ErrorCountingSessionHandler) Upload(ctx context.Context, sessionID session.ID, reader io.Reader) (string, error)

Upload calls [c.wrapped.Upload] and counts the error or success.

func (*ErrorCountingSessionHandler) UploadPart

func (c *ErrorCountingSessionHandler) UploadPart(ctx context.Context, upload events.StreamUpload, partNumber int64, partBody io.ReadSeeker) (*events.StreamPart, error)

UploadPart calls [c.wrapped.UploadPart] and counts the error or success.

type ExternalAuditStorageGetter

type ExternalAuditStorageGetter interface {
	// GetClusterExternalAuditStorage returns the current cluster External Audit
	// Storage configuration.
	GetClusterExternalAuditStorage(context.Context) (*externalauditstorage.ExternalAuditStorage, error)
	// GetDraftExternalAuditStorage returns the current draft External Audit
	// Storage configuration.
	GetDraftExternalAuditStorage(context.Context) (*externalauditstorage.ExternalAuditStorage, error)
}

ExternalAuditStorageGetter is an interface for a service that can retrieve External Audit Storage configuration.

type GenerateOIDCTokenFn

type GenerateOIDCTokenFn func(ctx context.Context) (string, error)

GenerateOIDCTokenFn is a function that should return a valid, signed JWT for authenticating to AWS via OIDC.

type IntegrationGetter

type IntegrationGetter interface {
	// GetIntegration returns the specified integration resources.
	GetIntegration(ctx context.Context, name string) (types.Integration, error)
}

IntegrationGetter is an interface for a service that can retrieve an integration by name.

type Options

type Options struct {
	// contains filtered or unexported fields
}

Options holds options for the Configurator.
