Documentation ¶
Overview ¶
Package util provides utilities for the audit logger.
Index ¶
- Constants
- Variables
- func RegisterAuditLogAgentServer(s grpc.ServiceRegistrar, srv AuditLogAgentServer)
- func ShouldFailClose(logMode AuditLogRequest_LogMode) bool
- type AuditLogAgentClient
- type AuditLogAgentServer
- type AuditLogRequest
- func (*AuditLogRequest) Descriptor() ([]byte, []int)deprecated
- func (x *AuditLogRequest) GetContext() *_struct.Struct
- func (x *AuditLogRequest) GetLabels() map[string]string
- func (x *AuditLogRequest) GetMode() AuditLogRequest_LogMode
- func (x *AuditLogRequest) GetOperation() *v2.LogEntryOperation
- func (x *AuditLogRequest) GetPayload() *audit.AuditLog
- func (x *AuditLogRequest) GetTimestamp() *timestamp.Timestamp
- func (x *AuditLogRequest) GetType() AuditLogRequest_LogType
- func (*AuditLogRequest) ProtoMessage()
- func (x *AuditLogRequest) ProtoReflect() protoreflect.Message
- func (x *AuditLogRequest) Reset()
- func (x *AuditLogRequest) String() string
- type AuditLogRequest_LogMode
- func (AuditLogRequest_LogMode) Descriptor() protoreflect.EnumDescriptor
- func (x AuditLogRequest_LogMode) Enum() *AuditLogRequest_LogMode
- func (AuditLogRequest_LogMode) EnumDescriptor() ([]byte, []int)deprecated
- func (x AuditLogRequest_LogMode) Number() protoreflect.EnumNumber
- func (x AuditLogRequest_LogMode) String() string
- func (AuditLogRequest_LogMode) Type() protoreflect.EnumType
- type AuditLogRequest_LogType
- func (AuditLogRequest_LogType) Descriptor() protoreflect.EnumDescriptor
- func (x AuditLogRequest_LogType) Enum() *AuditLogRequest_LogType
- func (AuditLogRequest_LogType) EnumDescriptor() ([]byte, []int)deprecated
- func (x AuditLogRequest_LogType) Number() protoreflect.EnumNumber
- func (x AuditLogRequest_LogType) String() string
- func (AuditLogRequest_LogType) Type() protoreflect.EnumType
- type AuditLogResponse
- func (*AuditLogResponse) Descriptor() ([]byte, []int)deprecated
- func (x *AuditLogResponse) GetResult() *AuditLogRequest
- func (*AuditLogResponse) ProtoMessage()
- func (x *AuditLogResponse) ProtoReflect() protoreflect.Message
- func (x *AuditLogResponse) Reset()
- func (x *AuditLogResponse) String() string
- type AuditRule
- type Backend
- type CloudLogging
- type Condition
- type Config
- type FromRawJWT
- type JWKs
- type Justification
- type RegexCondition
- type Remote
- type SecurityContext
- type UnimplementedAuditLogAgentServer
- type UnsafeAuditLogAgentServer
Constants ¶
const (
	// Version of the API and config. Config.Version is expected to carry this value.
	Version = "v1alpha1"

	// Audit rule directive options. These are the allowed values of
	// AuditRule.Directive and control how much of the request/response
	// is captured in the audit log.
	AuditRuleDirectiveDefault            = "AUDIT"                      // audit log without request/response
	AuditRuleDirectiveRequestOnly        = "AUDIT_REQUEST_ONLY"         // audit log with the request only
	AuditRuleDirectiveRequestAndResponse = "AUDIT_REQUEST_AND_RESPONSE" // audit log with request and response
)
Variables ¶
// Enum value maps for AuditLogRequest_LogType (generated protobuf code).
// Value 0 (UNSPECIFIED) is the proto3 default for an unset field.
var (
	AuditLogRequest_LogType_name = map[int32]string{
		0: "UNSPECIFIED",
		1: "ADMIN_ACTIVITY",
		2: "DATA_ACCESS",
	}
	AuditLogRequest_LogType_value = map[string]int32{
		"UNSPECIFIED":    0,
		"ADMIN_ACTIVITY": 1,
		"DATA_ACCESS":    2,
	}
)
Enum value maps for AuditLogRequest_LogType.
// Enum value maps for AuditLogRequest_LogMode (generated protobuf code).
// Value 0 (LOG_MODE_UNSPECIFIED) is the proto3 default for an unset field;
// ShouldFailClose treats it as fail-open (returns false).
var (
	AuditLogRequest_LogMode_name = map[int32]string{
		0: "LOG_MODE_UNSPECIFIED",
		1: "FAIL_CLOSE",
		2: "BEST_EFFORT",
	}
	AuditLogRequest_LogMode_value = map[string]int32{
		"LOG_MODE_UNSPECIFIED": 0,
		"FAIL_CLOSE":           1,
		"BEST_EFFORT":          2,
	}
)
Enum value maps for AuditLogRequest_LogMode.
// AuditLogAgent_ServiceDesc is the grpc.ServiceDesc for the AuditLogAgent service.
// It is only intended for direct use with grpc.RegisterService, and not to be
// introspected or modified (even as a copy). The service exposes a single unary
// method, ProcessLog; there are no streaming methods.
var AuditLogAgent_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "abcxyz.lumberjack.AuditLogAgent",
	HandlerType: (*AuditLogAgentServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "ProcessLog",
			Handler:    _AuditLogAgent_ProcessLog_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "protos/v1alpha1/audit_log_agent.proto",
}
AuditLogAgent_ServiceDesc is the grpc.ServiceDesc for AuditLogAgent service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)
// Extension fields to descriptor.EnumValueOptions.
//
// E_LogName is the `log_name` enum-value option. The client uses it to map an
// AuditLogRequest_LogType value to a Cloud Logging log name (see the
// AuditLogRequest_LogType documentation).
var (
	// optional string log_name = 390161750;
	E_LogName = &file_protos_v1alpha1_audit_log_request_proto_extTypes[0]
)
Extension fields to descriptor.EnumValueOptions.
// File_protos_v1alpha1_audit_log_agent_proto is the generated file descriptor
// for protos/v1alpha1/audit_log_agent.proto (the AuditLogAgent service).
var File_protos_v1alpha1_audit_log_agent_proto protoreflect.FileDescriptor
// File_protos_v1alpha1_audit_log_request_proto is the generated file descriptor
// for protos/v1alpha1/audit_log_request.proto (AuditLogRequest, AuditLogResponse
// and their enums).
var File_protos_v1alpha1_audit_log_request_proto protoreflect.FileDescriptor
Functions ¶
func RegisterAuditLogAgentServer ¶
func RegisterAuditLogAgentServer(s grpc.ServiceRegistrar, srv AuditLogAgentServer)
func ShouldFailClose ¶
func ShouldFailClose(logMode AuditLogRequest_LogMode) bool
ShouldFailClose reports whether a log request must fail closed: it returns true only if FAIL_CLOSE is explicitly configured, and false for BEST_EFFORT and for LOG_MODE_UNSPECIFIED. Note that LOG_MODE_UNSPECIFIED is the default (proto3 zero value), so an audit log whose mode is never set is treated as fail-open: a persistence failure will not be surfaced to the caller. Callers that need audit durability must set FAIL_CLOSE explicitly.
Types ¶
type AuditLogAgentClient ¶
// AuditLogAgentClient is the client API for the AuditLogAgent service.
type AuditLogAgentClient interface {
	// ProcessLog sends a single audit log request to the agent and returns the
	// agent's response. Errors follow normal gRPC semantics; per-request
	// fail-open/fail-close behaviour is governed by AuditLogRequest.Mode.
	ProcessLog(ctx context.Context, in *AuditLogRequest, opts ...grpc.CallOption) (*AuditLogResponse, error)
}
AuditLogAgentClient is the client API for AuditLogAgent service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewAuditLogAgentClient ¶
func NewAuditLogAgentClient(cc grpc.ClientConnInterface) AuditLogAgentClient
type AuditLogAgentServer ¶
// AuditLogAgentServer is the server API for the AuditLogAgent service.
// All implementations must embed UnimplementedAuditLogAgentServer for forward
// compatibility.
type AuditLogAgentServer interface {
	// ProcessLog handles one audit log request. An unset Result in the returned
	// AuditLogResponse (with a nil error) means processing is terminal and the
	// entry has been written.
	ProcessLog(context.Context, *AuditLogRequest) (*AuditLogResponse, error)
	// contains filtered or unexported methods
}
AuditLogAgentServer is the server API for AuditLogAgent service. All implementations must embed UnimplementedAuditLogAgentServer for forward compatibility
type AuditLogRequest ¶
// AuditLogRequest is audit logging data pertaining to an operation, for use
// in-process. The cloud logging client converts it to one or more
// google.logging.v2.LogEntry messages for transmission to Cloud Logging.
type AuditLogRequest struct {
	// Type selects the destination log (ADMIN_ACTIVITY vs DATA_ACCESS).
	Type AuditLogRequest_LogType `protobuf:"varint,1,opt,name=type,proto3,enum=abcxyz.lumberjack.AuditLogRequest_LogType" json:"type,omitempty"`
	// The Cloud audit log payload.
	Payload *audit.AuditLog `protobuf:"bytes,2,opt,name=payload,proto3" json:"payload,omitempty"`
	// A map of key, value pairs that provides additional information about the
	// log entry. For example, an integration test can store a UUID in this field
	// to track a test log. Later, the integration test can query the UUID from a
	// BigQuery sink to ensure that a logging request completed successfully.
	Labels map[string]string `` /* 153-byte string literal not displayed */
	// Mode selects fail-close vs best-effort handling for this request.
	// The zero value (LOG_MODE_UNSPECIFIED) is treated as fail-open by
	// ShouldFailClose; set FAIL_CLOSE explicitly when durability is required.
	Mode AuditLogRequest_LogMode `protobuf:"varint,4,opt,name=mode,proto3,enum=abcxyz.lumberjack.AuditLogRequest_LogMode" json:"mode,omitempty"`
	// Standard object used for correlating logs across streams
	Operation *v2.LogEntryOperation `protobuf:"bytes,5,opt,name=operation,proto3" json:"operation,omitempty"`
	// Timestamp of the audited operation.
	Timestamp *timestamp.Timestamp `protobuf:"bytes,6,opt,name=timestamp,proto3" json:"timestamp,omitempty"`
	// Contextual info associated with the log request.
	// Such info is meant for log processors and may not be directly
	// reflected in the final audit log.
	Context *_struct.Struct `protobuf:"bytes,7,opt,name=context,proto3" json:"context,omitempty"`
	// contains filtered or unexported fields
}
Audit logging data pertaining to an operation, for use in-process.
Our cloud logging client converts from this form to one or more google.logging.v2.LogEntry messages for transmission to Cloud Logging.
func (*AuditLogRequest) Descriptor
func (*AuditLogRequest) Descriptor() ([]byte, []int)
Deprecated: Use AuditLogRequest.ProtoReflect.Descriptor instead.
func (*AuditLogRequest) GetContext ¶
func (x *AuditLogRequest) GetContext() *_struct.Struct
func (*AuditLogRequest) GetLabels ¶
func (x *AuditLogRequest) GetLabels() map[string]string
func (*AuditLogRequest) GetMode ¶
func (x *AuditLogRequest) GetMode() AuditLogRequest_LogMode
func (*AuditLogRequest) GetOperation ¶
func (x *AuditLogRequest) GetOperation() *v2.LogEntryOperation
func (*AuditLogRequest) GetPayload ¶
func (x *AuditLogRequest) GetPayload() *audit.AuditLog
func (*AuditLogRequest) GetTimestamp ¶
func (x *AuditLogRequest) GetTimestamp() *timestamp.Timestamp
func (*AuditLogRequest) GetType ¶
func (x *AuditLogRequest) GetType() AuditLogRequest_LogType
func (*AuditLogRequest) ProtoMessage ¶
func (*AuditLogRequest) ProtoMessage()
func (*AuditLogRequest) ProtoReflect ¶
func (x *AuditLogRequest) ProtoReflect() protoreflect.Message
func (*AuditLogRequest) Reset ¶
func (x *AuditLogRequest) Reset()
func (*AuditLogRequest) String ¶
func (x *AuditLogRequest) String() string
type AuditLogRequest_LogMode ¶
type AuditLogRequest_LogMode int32
LogMode specifies the logging mode for the individual log request.
const (
	// If unspecified, it's up to the audit client to decide what log
	// mode to use.
	// NOTE: ShouldFailClose returns false for this value, i.e. the package's
	// own helper resolves an unspecified mode to fail-open. A caller that
	// relies on audit durability must set FAIL_CLOSE explicitly.
	AuditLogRequest_LOG_MODE_UNSPECIFIED AuditLogRequest_LogMode = 0
	// In FAIL_CLOSE mode, the log request must be persisted in the system
	// before return; in case of persistence failure, an error must be returned.
	AuditLogRequest_FAIL_CLOSE AuditLogRequest_LogMode = 1
	// In BEST_EFFORT mode, the log request will never return error; the
	// log request will be persisted with best effort. Audit evidence may be
	// lost without the caller noticing.
	AuditLogRequest_BEST_EFFORT AuditLogRequest_LogMode = 2
)
func (AuditLogRequest_LogMode) Descriptor ¶
func (AuditLogRequest_LogMode) Descriptor() protoreflect.EnumDescriptor
func (AuditLogRequest_LogMode) Enum ¶
func (x AuditLogRequest_LogMode) Enum() *AuditLogRequest_LogMode
func (AuditLogRequest_LogMode) EnumDescriptor
func (AuditLogRequest_LogMode) EnumDescriptor() ([]byte, []int)
Deprecated: Use AuditLogRequest_LogMode.Descriptor instead.
func (AuditLogRequest_LogMode) Number ¶
func (x AuditLogRequest_LogMode) Number() protoreflect.EnumNumber
func (AuditLogRequest_LogMode) String ¶
func (x AuditLogRequest_LogMode) String() string
func (AuditLogRequest_LogMode) Type ¶
func (AuditLogRequest_LogMode) Type() protoreflect.EnumType
type AuditLogRequest_LogType ¶
type AuditLogRequest_LogType int32
The log type where this audit log entry goes. Our client converts the LogType enum to a Cloud Logging log name using the `log_name` option.
const (
	// UNSPECIFIED is the proto3 zero value; no log name is associated with it.
	AuditLogRequest_UNSPECIFIED AuditLogRequest_LogType = 0
	// Administrative actions or changes to configuration through public APIs.
	AuditLogRequest_ADMIN_ACTIVITY AuditLogRequest_LogType = 1
	// Reads of configuration data and all access to user data through public
	// APIs.
	AuditLogRequest_DATA_ACCESS AuditLogRequest_LogType = 2
)
func (AuditLogRequest_LogType) Descriptor ¶
func (AuditLogRequest_LogType) Descriptor() protoreflect.EnumDescriptor
func (AuditLogRequest_LogType) Enum ¶
func (x AuditLogRequest_LogType) Enum() *AuditLogRequest_LogType
func (AuditLogRequest_LogType) EnumDescriptor
func (AuditLogRequest_LogType) EnumDescriptor() ([]byte, []int)
Deprecated: Use AuditLogRequest_LogType.Descriptor instead.
func (AuditLogRequest_LogType) Number ¶
func (x AuditLogRequest_LogType) Number() protoreflect.EnumNumber
func (AuditLogRequest_LogType) String ¶
func (x AuditLogRequest_LogType) String() string
func (AuditLogRequest_LogType) Type ¶
func (AuditLogRequest_LogType) Type() protoreflect.EnumType
type AuditLogResponse ¶
// AuditLogResponse holds the parameters returned from ProcessLog.
type AuditLogResponse struct {
	// Optional processed audit log request.
	// If unset and errorless, it means the processing is terminal,
	// which means the audit log entry has been written.
	Result *AuditLogRequest `protobuf:"bytes,1,opt,name=result,proto3" json:"result,omitempty"`
	// contains filtered or unexported fields
}
The parameters returned from ProcessLog.
func (*AuditLogResponse) Descriptor
func (*AuditLogResponse) Descriptor() ([]byte, []int)
Deprecated: Use AuditLogResponse.ProtoReflect.Descriptor instead.
func (*AuditLogResponse) GetResult ¶
func (x *AuditLogResponse) GetResult() *AuditLogRequest
func (*AuditLogResponse) ProtoMessage ¶
func (*AuditLogResponse) ProtoMessage()
func (*AuditLogResponse) ProtoReflect ¶
func (x *AuditLogResponse) ProtoReflect() protoreflect.Message
func (*AuditLogResponse) Reset ¶
func (x *AuditLogResponse) Reset()
func (*AuditLogResponse) String ¶
func (x *AuditLogResponse) String() string
type AuditRule ¶
// AuditRule is an audit rule that instructs how to audit selected paths/methods.
// Rules only take effect for auto audit logging (see Config.Rules).
type AuditRule struct {
	// Selector is a string to match request methods/paths.
	// In gRPC, this is in the format of "/[service_name].[method_name]".
	Selector string `yaml:"selector,omitempty"`
	// Directive specifies what audit action to take for the matching requests.
	// Allowed values are (see the AuditRuleDirective* constants):
	// "AUDIT" - write audit log without request/response.
	// "AUDIT_REQUEST_ONLY" - write audit log with only request.
	// "AUDIT_REQUEST_AND_RESPONSE" - write audit log with request and response.
	// Capturing request/response bodies can place sensitive payload data in
	// the audit log; choose the narrowest directive that meets the audit need.
	Directive string `yaml:"directive,omitempty"`
	// LogType specifies the audit log type for the matching requests.
	// Allowed values are:
	// "ADMIN_ACTIVITY" - the access is an admin operation
	// "DATA_ACCESS" - the access is a data access
	// If empty, the default value is "DATA_ACCESS".
	LogType string `yaml:"log_type,omitempty"`
}
AuditRule is an audit rule to instruct how to audit selected paths/methods.
func (*AuditRule) SetDefault ¶
func (r *AuditRule) SetDefault()
SetDefault sets default for the audit rule.
type Backend ¶
// Backend holds information on the backends to send logs to.
// When the whole Backend is nil, Config documents that audit logs are
// written to stdout instead.
type Backend struct {
	// Remote is a gRPC AuditLogAgent backend.
	Remote *Remote `yaml:"remote,omitempty" env:",noinit"`
	// CloudLogging is the GCP Cloud Logging backend.
	CloudLogging *CloudLogging `yaml:"cloudlogging,omitempty" env:",noinit"`
}
Backend holds information on the backends to send logs to.
func (*Backend) SetDefault ¶
func (b *Backend) SetDefault()
SetDefault sets default for the Backend.
type CloudLogging ¶
// CloudLogging is the GCP Cloud Logging backend to send audit logs to.
type CloudLogging struct {
	// DefaultProject indicates whether to use the project where the client runs.
	DefaultProject bool `yaml:"default_project,omitempty" env:"BACKEND_CLOUDLOGGING_DEFAULT_PROJECT,overwrite"`
	// Project allows overriding the project where to send the audit logs.
	// The client must be run with a service account that has log writer role on the project.
	// Granting only the log writer role (not reader/admin) keeps the audit
	// sink append-only from the client's point of view.
	Project string `yaml:"project,omitempty" env:"BACKEND_CLOUDLOGGING_PROJECT,overwrite"`
}
CloudLogging is the GCP cloud logging backend to send audit logs to.
func (*CloudLogging) SetDefault ¶
func (cl *CloudLogging) SetDefault()
SetDefault sets default on the CloudLogging backend.
func (*CloudLogging) Validate ¶
func (cl *CloudLogging) Validate() error
Validate validates the CloudLogging backend.
type Condition ¶
// Condition is the condition under which an incoming request should be
// audit logged. Only one condition can be used.
type Condition struct {
	// Regex specifies the regular expressions to match request principals.
	Regex *RegexCondition `yaml:"regex,omitempty" env:",noinit"`
}
Condition is the condition under which an incoming request should be audit logged. Only one condition can be used.
type Config ¶
// Config is the full audit client config.
type Config struct {
	// Version is the version of the config.
	Version string `yaml:"version,omitempty" env:"VERSION,overwrite"`
	// Backend specifies what remote backend to send audit logs to.
	// If a remote backend config is nil, audit logs will be written to stdout.
	Backend *Backend `yaml:"backend,omitempty" env:",noinit"`
	// Condition specifies the condition under which an incoming request should be
	// audit logged. If the condition is nil, the default is to audit log all requests.
	Condition *Condition `yaml:"condition,omitempty" env:",noinit"`
	// SecurityContext specifies how to retrieve security context such as
	// authentication info from the incoming requests.
	// This config is only used for auto audit logging, and it must not be nil.
	// When auto audit logging is not used, setting this field has no effect.
	SecurityContext *SecurityContext `yaml:"security_context,omitempty" env:",noinit"`
	// Rules specifies audit logging instructions per matching requests
	// method/path. If the rules are nil or empty, no audit logs will be collected.
	// This config is only used for auto audit logging.
	// When auto audit logging is not used, setting this field has no effect.
	Rules []*AuditRule `yaml:"rules,omitempty"`
	// Labels are additional labels that the calling code wants added to each
	// audit log request. Each label will only be added if it is not already added
	// in the audit log, and will not overwrite explicitly added labels.
	Labels map[string]string `yaml:"labels,omitempty"`
	// LogMode specifies whether the audit logger should fail open or close.
	// If fail-close is not chosen, the audit logger will log errors that occur,
	// and then continue without impeding the application in any way.
	// NOTE: the default (empty / unspecified) is fail-open per ShouldFailClose,
	// so audit write failures are silent to the application unless "FAIL_CLOSE"
	// is set explicitly. See GetLogMode for the string-to-enum conversion.
	LogMode string `yaml:"log_mode,omitempty" env:"LOG_MODE,overwrite"`
	// Justification specifies the config used to integrate with JVS.
	Justification *Justification `yaml:"justification,omitempty" env:",noinit"`
}
Config is the full audit client config.
func (*Config) GetLogMode ¶
func (cfg *Config) GetLogMode() AuditLogRequest_LogMode
GetLogMode converts the LogMode string to a AuditLogRequest_LogMode.
type FromRawJWT ¶
// FromRawJWT provides info for how to retrieve security context from a raw JWT
// carried in request metadata.
type FromRawJWT struct {
	// Key is the metadata key whose value is a JWT.
	Key string `yaml:"key,omitempty"`
	// Prefix is the prefix to truncate the metadata value
	// to retrieve the JWT.
	Prefix string `yaml:"prefix,omitempty"`
	// JWKs specifies the JWKs to validate the JWT.
	// If JWKs is nil, the JWT won't be validated. In that case the token's
	// claims are taken as-is from the request, so any principal derived from
	// them is caller-controlled and unverified; audit records and the
	// principal include/exclude condition would then be based on untrusted
	// input. Configure JWKs wherever the audit log must attribute actions
	// reliably.
	JWKs *JWKs `yaml:"jwks,omitempty"`
}
FromRawJWT provides info for how to retrieve security context from a raw JWT.
func (*FromRawJWT) Validate ¶
func (j *FromRawJWT) Validate() error
Validate validates the FromRawJWT.
type JWKs ¶
// JWKs provides JWKs to validate a JWT.
type JWKs struct {
	// Endpoint is the endpoint to retrieve the JWKs to validate JWT.
	// NOTE(review): the key set is the trust anchor for JWT validation; the
	// endpoint should be an HTTPS URL operated by the token issuer. How the
	// fetch is secured is not visible here — confirm in the client.
	Endpoint string `yaml:"endpoint,omitempty"`
}
JWKs provides JWKs to validate a JWT.
type Justification ¶
// Justification specifies the config used to integrate with JVS
// (the justification verification service).
type Justification struct {
	// PublicKeysEndpoint is the endpoint where public keys may be retrieved from the JVS.
	// These will be used to validate JWT tokens that are passed in through the
	// "justification-token" header.
	PublicKeysEndpoint string `yaml:"public_keys_endpoint,omitempty" env:"JUSTIFICATION_PUBLIC_KEYS_ENDPOINT,overwrite"`
	// Enabled indicates whether justification information is added to audit logs.
	// If this is enabled, all manual calls are expected to pass in a justification
	// in the "justification-token" header.
	// If omitted, justifications will not be added to logs, even if provided.
	Enabled bool `yaml:"enabled,omitempty" env:"JUSTIFICATION_ENABLED,overwrite"`
}
Justification specifies the config used to integrate with JVS.
func (*Justification) Validate ¶
func (justification *Justification) Validate() error
Validate validates the Justification.
type RegexCondition ¶
// RegexCondition matches a condition with regular expressions over the
// request principal. If both patterns are empty, all requests are audit
// logged; when both are set, PrincipalInclude takes precedence.
type RegexCondition struct {
	// PrincipalInclude specifies a regular expression to match request principals to be included in audit logging.
	// NOTE(review): whether matching is anchored is not visible here; anchor
	// the pattern (^...$) if a whole-string match is intended, otherwise a
	// substring match may include or exclude unintended principals.
	PrincipalInclude string `yaml:"principal_include,omitempty" env:"CONDITION_REGEX_PRINCIPAL_INCLUDE,overwrite"`
	// PrincipalExclude specifies a regular expression to match request principals to be excluded from audit logging.
	// A request whose principal also matches PrincipalInclude is still logged.
	PrincipalExclude string `yaml:"principal_exclude,omitempty" env:"CONDITION_REGEX_PRINCIPAL_EXCLUDE,overwrite"`
}
RegexCondition matches a condition using regular expressions over the request principal. If PrincipalInclude and PrincipalExclude are both empty, all requests will be audit logged. When only PrincipalInclude is set, only the matching requests will be audit logged. When only PrincipalExclude is set, only the non-matching requests will be audit logged. When both PrincipalInclude and PrincipalExclude are set, PrincipalInclude takes precedence: if a request matches PrincipalInclude, it will be audit logged regardless of whether it also matches PrincipalExclude. Because the principal is whatever the configured SecurityContext extracts from the request, this condition is only as trustworthy as that extraction (e.g. whether the JWT is validated).
type Remote ¶
// Remote is the remote backend service to send audit logs to. The backend must
// be a gRPC service that implements protos/v1alpha1/audit_log_agent.proto.
type Remote struct {
	// Address is the remote backend address. It must be set.
	Address string `yaml:"address,omitempty" env:"BACKEND_REMOTE_ADDRESS,overwrite"`
	// InsecureEnabled indicates whether to insecurely connect to the backend.
	// This should be set to false for production usage: with it enabled the
	// connection has no transport security, so audit records travel
	// unprotected and the backend's identity is not verified.
	InsecureEnabled bool `yaml:"insecure_enabled,omitempty" env:"BACKEND_REMOTE_INSECURE_ENABLED,overwrite"`
	// ImpersonateAccount specifies which service account to impersonate to call the backend.
	// If empty, there will be no impersonation.
	ImpersonateAccount string `yaml:"impersonate_account,omitempty" env:"BACKEND_REMOTE_IMPERSONATE_ACCOUNT,overwrite"`
}
Remote is the remote backend service to send audit logs to. The backend must be a gRPC service that implements protos/v1alpha1/audit_log_agent.proto.
type SecurityContext ¶
// SecurityContext describes where to retrieve the security context
// (e.g. authentication info) of an incoming request.
type SecurityContext struct {
	// FromRawJWT specifies where to look up the JWT.
	// Several sources may be listed; presumably they are consulted in order
	// (not visible here — confirm against the auto audit logging code).
	FromRawJWT []*FromRawJWT `yaml:"from_raw_jwt,omitempty"`
}
SecurityContext describes where to retrieve the security context (e.g. authentication info) of an incoming request. It is required for auto audit logging, since the extracted principal is what the audit log attributes actions to and what Condition matches against.
func (*SecurityContext) Validate ¶
func (sc *SecurityContext) Validate() error
Validate validates the security context.
type UnimplementedAuditLogAgentServer ¶
// UnimplementedAuditLogAgentServer must be embedded to have forward compatible
// implementations. Its ProcessLog method is a placeholder for servers that do
// not override it.
type UnimplementedAuditLogAgentServer struct {
}
UnimplementedAuditLogAgentServer must be embedded to have forward compatible implementations.
func (UnimplementedAuditLogAgentServer) ProcessLog ¶
func (UnimplementedAuditLogAgentServer) ProcessLog(context.Context, *AuditLogRequest) (*AuditLogResponse, error)
type UnsafeAuditLogAgentServer ¶
// UnsafeAuditLogAgentServer may be embedded to opt out of forward compatibility
// for this service. Use of this interface is not recommended, as methods added
// to AuditLogAgentServer will result in compilation errors.
type UnsafeAuditLogAgentServer interface {
	// contains filtered or unexported methods
}
UnsafeAuditLogAgentServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AuditLogAgentServer will result in compilation errors.