audit

package

Constants

// Metadata keys used to carry request-origin information across the grpc-gateway
// hop. Only the key names are visible here; where they are written and read is not.
const (
	// SetByGRPCGatewayKey marks metadata as having been set by the gRPC gateway.
	// NOTE(review): presumably compared against SetByGRPCGatewayVal before the
	// accompanying remote address is trusted — confirm in the interceptor.
	SetByGRPCGatewayKey = "x-cerbos-set-by-grpc-gateway"
	// HTTPRemoteAddrKey carries the HTTP client's remote address.
	// NOTE(review): if this is read from incoming metadata, a client that talks
	// to the gRPC port directly could supply it; it should only be honoured when
	// the gateway marker above checks out — verify.
	HTTPRemoteAddrKey   = "x-cerbos-http-remote-addr"
)
// Audit log entry kinds.
const (
	// KindAccess labels access log entries (built by an AccessLogEntryMaker).
	KindAccess   = "access"
	// KindDecision labels decision log entries (built by a DecisionLogEntryMaker).
	KindDecision = "decision"
)
const (
	// ConfKey is the configuration section key for this package.
	// NOTE(review): presumably what (*Conf).Key returns — verify.
	ConfKey = "audit"
)

Variables

var (
	// ErrIteratorClosed is a sentinel error; compare with errors.Is.
	// NOTE(review): presumably returned by an iterator's Next once the iterator
	// has been closed — which backends return it is not visible here, confirm.
	ErrIteratorClosed = errors.New("iterator closed")
)
// SetByGRPCGatewayVal is the value expected under SetByGRPCGatewayKey.
// NOTE(review): exported, mutable package-level state whose writer is not
// visible here — confirm it is assigned once at startup and never written
// concurrently with reads in the interceptor.
var SetByGRPCGatewayVal string

Functions

func NewContextWithCallID

func NewContextWithCallID(ctx context.Context, id ID) context.Context

func NewUnaryInterceptor

func NewUnaryInterceptor(log Log, exclude ExcludeMethod) (grpc.UnaryServerInterceptor, error)

func PeerFromContext

func PeerFromContext(ctx context.Context) *auditv1.Peer

func RegisterBackend

func RegisterBackend(name string, cons Constructor)

RegisterBackend registers an audit log backend.

Types

type AccessLogEntryMaker

// AccessLogEntryMaker is a lazy constructor for access log entries. Because it
// is lazy, the Log backend presumably invokes it on demand — possibly after the
// request has completed, or not at all if the entry is discarded — so callers
// should not depend on side effects inside the maker. NOTE(review): confirm
// against the backend implementations.
type AccessLogEntryMaker func() (*auditv1.AccessLogEntry, error)

AccessLogEntryMaker is a lazy constructor for access log entries.

type AccessLogIterator

// AccessLogIterator yields access log entries one at a time.
type AccessLogIterator interface {
	// Next returns the next entry. Check the error on every call.
	// NOTE(review): how end-of-stream is signalled (nil entry vs. a sentinel
	// such as ErrIteratorClosed) is not visible here — confirm with the backend.
	Next() (*auditv1.AccessLogEntry, error)
}

type CheckResourcesFilter added in v0.24.0

// CheckResourcesFilter configures which CheckResources decision log entries are
// filtered out (see DecisionLogFilters and NewDecisionLogEntryFilterFromConf).
type CheckResourcesFilter struct {
	// IgnoreAllowAll ignores responses that don't contain an EFFECT_DENY.
	// With this enabled, fully allowed requests leave no decision log trail:
	// lower log volume at the cost of forensic completeness. Keep it false
	// where a complete record of access decisions is required.
	IgnoreAllowAll bool `yaml:"ignoreAllowAll" conf:",example=false"`
}

type Conf

type Conf struct {
	// contains filtered or unexported fields
}

Conf is optional configuration for Audit.

func GetConf added in v0.15.0

func GetConf() (*Conf, error)

func (*Conf) Key

func (c *Conf) Key() string

func (*Conf) SetDefaults

func (c *Conf) SetDefaults()

func (*Conf) UnmarshalYAML added in v0.7.0

func (c *Conf) UnmarshalYAML(unmarshal func(any) error) error

type Constructor

Constructor is the function type used to construct an audit log backend (see RegisterBackend).

type DecisionLogEntryFilter added in v0.24.0

// DecisionLogEntryFilter transforms a decision log entry before it is written.
// NOTE(review): given the Ignore* options in DecisionLogFilters, a nil result
// presumably means "do not log this entry" — confirm with
// NewDecisionLogEntryFilterFromConf.
type DecisionLogEntryFilter func(*auditv1.DecisionLogEntry) *auditv1.DecisionLogEntry

func NewDecisionLogEntryFilter added in v0.24.0

func NewDecisionLogEntryFilter() (DecisionLogEntryFilter, error)

func NewDecisionLogEntryFilterFromConf added in v0.24.0

func NewDecisionLogEntryFilterFromConf(conf *Conf) DecisionLogEntryFilter

type DecisionLogEntryMaker

// DecisionLogEntryMaker is a lazy constructor for decision log entries. Because
// it is lazy, the Log backend presumably invokes it on demand — possibly after
// the request has completed, or not at all if the entry is discarded — so
// callers should not depend on side effects inside the maker. NOTE(review):
// confirm against the backend implementations.
type DecisionLogEntryMaker func() (*auditv1.DecisionLogEntry, error)

DecisionLogEntryMaker is a lazy constructor for decision log entries.

type DecisionLogFilters added in v0.24.0

// DecisionLogFilters groups the per-call-type filters applied to decision log
// entries (consumed by NewDecisionLogEntryFilterFromConf).
type DecisionLogFilters struct {
	// CheckResources defines the filters that apply to CheckResources calls.
	CheckResources CheckResourcesFilter `yaml:"checkResources"`
	// PlanResources defines the filters that apply to PlanResources calls.
	PlanResources PlanResourcesFilter `yaml:"planResources"`
}

type DecisionLogIterator

// DecisionLogIterator yields decision log entries one at a time.
type DecisionLogIterator interface {
	// Next returns the next entry. Check the error on every call.
	// NOTE(review): how end-of-stream is signalled (nil entry vs. a sentinel
	// such as ErrIteratorClosed) is not visible here — confirm with the backend.
	Next() (*auditv1.DecisionLogEntry, error)
}

type ExcludeMethod

// ExcludeMethod reports whether a method should be excluded from audit logging;
// it is passed to NewUnaryInterceptor. NOTE(review): the string argument is
// presumably the full gRPC method name — verify against the interceptor.
type ExcludeMethod func(string) bool

type ID

// ID is the string form of an audit record identifier, a ULID (see IDBytes, and
// FromRepr / Repr for the conversion). NOTE(review): NewIDGen takes an int64
// seed, which suggests a non-cryptographic generator for the random component;
// treat IDs as ordering keys, not as unguessable tokens — confirm.
type ID string

func CallIDFromContext

func CallIDFromContext(ctx context.Context) (ID, bool)

func FromRepr

func FromRepr(id IDBytes) ID

FromRepr converts the byte representation to a string ID.

func NewID

func NewID() (ID, error)

NewID generates a new ULID using the current time.

func NewIDForTS

func NewIDForTS(ts uint64) (ID, error)

NewIDForTS generates a new ULID for the given timestamp.

func NewIDForTime

func NewIDForTime(ts time.Time) (ID, error)

NewIDForTime generates a new ULID using the given time.

func (ID) Repr

func (id ID) Repr() (IDBytes, error)

type IDBytes

// IDBytes is the binary ULID representation of an ID.
type IDBytes = ulid.ULID

type IDGen

type IDGen struct {
	// contains filtered or unexported fields
}

IDGen is a generator for ULIDs without the monotonicity guarantee. Monotonicity adds overhead that is not needed here, because approximate ordering is sufficient for decision logs.

func NewIDGen

func NewIDGen(poolSize uint64, randSeed int64) *IDGen

func (*IDGen) New

func (ug *IDGen) New() (ID, error)

New generates a new ULID using the current time.

func (*IDGen) NewForTS

func (ug *IDGen) NewForTS(ts uint64) (ID, error)

NewForTS generates a new ULID for the given timestamp.

func (*IDGen) NewForTime

func (ug *IDGen) NewForTime(ts time.Time) (ID, error)

NewForTime generates a new ULID using the given time.

type IncludeKeysMethod added in v0.21.0

// IncludeKeysMethod reports whether a key should be included. NOTE(review):
// neither its caller nor the meaning of the key is visible here; presumably it
// selects which request metadata keys a MetadataExtractor copies into audit
// entries — verify against NewMetadataExtractorFromConf.
type IncludeKeysMethod func(string) bool

type Info added in v0.23.0

// Info describes an audit log backend.
type Info interface {
	// Backend returns the backend's name (see RegisterBackend).
	Backend() string
	// Enabled reports whether audit logging is active.
	Enabled() bool
}

type Log

// Log is the audit log backend interface. It embeds Info and io.Closer; Close
// should be called at shutdown so that any entries a backend still holds are
// flushed (NOTE(review): buffering is backend-specific and not visible here).
type Log interface {
	Info
	io.Closer
	// WriteAccessLogEntry records an access log entry. The maker is a lazy
	// constructor, so the backend may invoke it later or not at all.
	WriteAccessLogEntry(context.Context, AccessLogEntryMaker) error
	// WriteDecisionLogEntry records a decision log entry under the same lazy
	// contract as WriteAccessLogEntry.
	WriteDecisionLogEntry(context.Context, DecisionLogEntryMaker) error
}

func NewLog

func NewLog(ctx context.Context) (Log, error)

NewLog creates a new audit log.

func NewLogFromConf added in v0.15.0

func NewLogFromConf(ctx context.Context, confW *config.Wrapper) (Log, error)

func NewNopLog

func NewNopLog() Log

NewNopLog returns an audit log that does nothing.

type MetadataExtractor added in v0.24.0

// MetadataExtractor builds the metadata map attached to audit entries from a
// request context. NOTE(review): if the values are copied from incoming request
// metadata they are caller-controlled, so consumers that display or search
// audit entries should treat them as untrusted input — confirm how they are
// rendered downstream.
type MetadataExtractor func(context.Context) map[string]*auditv1.MetaValues

func NewMetadataExtractor added in v0.24.0

func NewMetadataExtractor() (MetadataExtractor, error)

func NewMetadataExtractorFromConf added in v0.24.0

func NewMetadataExtractorFromConf(conf *Conf) MetadataExtractor

type PlanResourcesFilter added in v0.24.0

// PlanResourcesFilter configures which PlanResources decision log entries are
// filtered out (see DecisionLogFilters and NewDecisionLogEntryFilterFromConf).
type PlanResourcesFilter struct {
	// IgnoreAll prevents any plan responses from being logged. Takes precedence over other filters.
	// Enabling this removes all PlanResources activity from the audit trail;
	// keep it false where a complete record is required.
	IgnoreAll bool `yaml:"ignoreAll" conf:",example=false"`
	// IgnoreAlwaysAllow ignores ALWAYS_ALLOWED plans.
	IgnoreAlwaysAllow bool `yaml:"ignoreAlwaysAllow" conf:",example=false"`
}

type QueryableLog added in v0.17.0

// QueryableLog is a Log whose stored entries can be read back. The query
// methods return an iterator rather than an error, so failures surface from
// the iterator's Next. NOTE(review): no authorization is expressed at this
// interface; access control for reading audit data has to be enforced by the
// caller — confirm where that happens.
type QueryableLog interface {
	Log
	// LastNAccessLogEntries returns the most recent n access log entries.
	LastNAccessLogEntries(context.Context, uint) AccessLogIterator
	// LastNDecisionLogEntries returns the most recent n decision log entries.
	LastNDecisionLogEntries(context.Context, uint) DecisionLogIterator
	// AccessLogEntriesBetween returns access log entries in a time range.
	// NOTE(review): bound inclusivity is not visible here — confirm.
	AccessLogEntriesBetween(context.Context, time.Time, time.Time) AccessLogIterator
	// DecisionLogEntriesBetween returns decision log entries in a time range.
	DecisionLogEntriesBetween(context.Context, time.Time, time.Time) DecisionLogIterator
	// AccessLogEntryByID looks up a single access log entry by its ID.
	AccessLogEntryByID(context.Context, ID) AccessLogIterator
	// DecisionLogEntryByID looks up a single decision log entry by its ID.
	DecisionLogEntryByID(context.Context, ID) DecisionLogIterator
}
