Add audit filter that will be able to catch authn failures

soltysh · soltysh · commit 42e6065fa6ea · 2017-06-14T16:54:29.000+02:00
diff --git a/pkg/cmd/server/handlers/authentication.go b/pkg/cmd/server/handlers/authentication.go
@@ -9,20 +9,29 @@ import (
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 )
 
+const (
+	AuditAuthnUser  = "audit-authn-user"
+	AuditAuthnError = "audit-authn-error"
+)
+
 // AuthenticationHandlerFilter creates a filter object that will enforce authentication directly
 func AuthenticationHandlerFilter(handler http.Handler, authenticator authenticator.Request, contextMapper apirequest.RequestContextMapper) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		ctx, ok := contextMapper.Get(req)
+		if !ok {
+			http.Error(w, "Unable to find request context", http.StatusInternalServerError)
+			return
+		}
+
 		user, ok, err := authenticator.AuthenticateRequest(req)
 		if err != nil || !ok {
+			ctx = apirequest.WithValue(ctx, AuditAuthnUser, user)
+			ctx = apirequest.WithValue(ctx, AuditAuthnError, err)
+			contextMapper.Update(req, ctx)
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}
 
-		ctx, ok := contextMapper.Get(req)
-		if !ok {
-			http.Error(w, "Unable to find request context", http.StatusInternalServerError)
-			return
-		}
 		if err := contextMapper.Update(req, apirequest.WithUser(ctx, user)); err != nil {
 			glog.V(4).Infof("Error setting authenticated context: %v", err)
 			http.Error(w, "Unable to set authenticated request context", http.StatusInternalServerError)
diff --git a/pkg/cmd/server/origin/audit.go b/pkg/cmd/server/origin/audit.go
@@ -0,0 +1,146 @@
+package origin
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/pborman/uuid"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apiserver/pkg/authentication/user"
+	apiresponsewriters "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	apirequest "k8s.io/apiserver/pkg/endpoints/request"
+
+	serverhandlers "github.com/openshift/origin/pkg/cmd/server/handlers"
+)
+
+const AuditTriggered = "audit-triggered"
+
+var _ http.ResponseWriter = &auditResponseWriter{}
+
+// auditResponseWriter is responsible for serving as a fallback audit, responsible
+// for logging failed authn events.
+type auditResponseWriter struct {
+	http.ResponseWriter
+	contextMapper apirequest.RequestContextMapper
+	req           *http.Request
+	out           io.Writer
+}
+
+func (a *auditResponseWriter) WriteHeader(code int) {
+	ctx, ok := a.contextMapper.Get(a.req)
+	if !ok {
+		apiresponsewriters.InternalError(a.ResponseWriter, a.req, errors.New("no context found for request"))
+		return
+	}
+	// if the original audit handler triggered there's no need to do anything
+	triggeredValue := ctx.Value(AuditTriggered)
+	if triggered, ok := triggeredValue.(bool); ok && triggered {
+		a.ResponseWriter.WriteHeader(code)
+		return
+	}
+	// else we log simulating original audit lines
+	authnUserValue := ctx.Value(serverhandlers.AuditAuthnUser)
+	username := "<none>"
+	if userInfo, ok := authnUserValue.(user.Info); ok {
+		username = userInfo.GetName()
+	}
+	authnErrorValue := ctx.Value(serverhandlers.AuditAuthnUser)
+	authnError, ok := authnErrorValue.(error)
+	if !ok {
+		authnError = errors.New("<none>")
+	}
+	id := uuid.NewRandom().String()
+	line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q error=%q uri=%q\n",
+		time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(a.req), a.req.Method, username, authnError, a.req.URL)
+	if _, err := fmt.Fprint(a.out, line); err != nil {
+		glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
+	}
+	line = fmt.Sprintf("%s AUDIT: id=%q response=\"%d\"\n", time.Now().Format(time.RFC3339Nano), id, code)
+	if _, err := fmt.Fprint(a.out, line); err != nil {
+		glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
+	}
+
+	a.ResponseWriter.WriteHeader(code)
+}
+
+// fancyResponseWriterDelegator implements http.CloseNotifier, http.Flusher and
+// http.Hijacker which are needed to make certain http operation (e.g. watch, rsh, etc)
+// working.
+type fancyResponseWriterDelegator struct {
+	*auditResponseWriter
+}
+
+func (f *fancyResponseWriterDelegator) CloseNotify() <-chan bool {
+	return f.ResponseWriter.(http.CloseNotifier).CloseNotify()
+}
+
+func (f *fancyResponseWriterDelegator) Flush() {
+	f.ResponseWriter.(http.Flusher).Flush()
+}
+
+func (f *fancyResponseWriterDelegator) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	return f.ResponseWriter.(http.Hijacker).Hijack()
+}
+
+var _ http.CloseNotifier = &fancyResponseWriterDelegator{}
+var _ http.Flusher = &fancyResponseWriterDelegator{}
+var _ http.Hijacker = &fancyResponseWriterDelegator{}
+
+// WithAuditTriggeredMarker is responsible for marking that the audit did actually
+// took place and fallback audit should not trigger.
+func WithAuditTriggeredMarker(handler http.Handler, contextMapper apirequest.RequestContextMapper, out io.Writer) http.Handler {
+	if out == nil {
+		return handler
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		ctx, ok := contextMapper.Get(req)
+		if !ok {
+			apiresponsewriters.InternalError(w, req, errors.New("no context found for request"))
+			return
+		}
+		contextMapper.Update(req, apirequest.WithValue(ctx, AuditTriggered, true))
+		handler.ServeHTTP(w, req)
+	})
+}
+
+// WithAuthFallbackAudit decorates a http.Handler with a fallback audit, logging
+// information only when the original one did was not triggered.
+// This needs to be used with WithAuditTriggeredMarker, which wraps the original
+// audit filter.
+func WithAuthFallbackAudit(handler http.Handler, contextMapper apirequest.RequestContextMapper, out io.Writer) http.Handler {
+	if out == nil {
+		return handler
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		respWriter := decorateResponseWriter(w, req, contextMapper, out)
+		handler.ServeHTTP(respWriter, req)
+	})
+}
+
+// decorateResponseWriter is a copy method from the upstream audit, adapted
+// to work with the fallback audit mechanism.
+func decorateResponseWriter(responseWriter http.ResponseWriter, req *http.Request,
+	contextMapper apirequest.RequestContextMapper, out io.Writer) http.ResponseWriter {
+	delegate := &auditResponseWriter{
+		ResponseWriter: responseWriter,
+		req:            req,
+		contextMapper:  contextMapper,
+		out:            out,
+	}
+	// check if the ResponseWriter we're wrapping is the fancy one we need
+	// or if the basic is sufficient
+	_, cn := responseWriter.(http.CloseNotifier)
+	_, fl := responseWriter.(http.Flusher)
+	_, hj := responseWriter.(http.Hijacker)
+	if cn && fl && hj {
+		return &fancyResponseWriterDelegator{delegate}
+	}
+	return delegate
+}
diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -186,8 +186,8 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 		handler = serverhandlers.ImpersonationFilter(handler, c.Authorizer, c.GroupCache, contextMapper)
 
 		// audit handler must comes before the impersonationFilter to read the original user
+		var writer io.Writer
 		if c.Options.AuditConfig.Enabled {
-			var writer io.Writer
 			if len(c.Options.AuditConfig.AuditFilePath) > 0 {
 				writer = &lumberjack.Logger{
 					Filename:   c.Options.AuditConfig.AuditFilePath,
@@ -200,7 +200,9 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 				writer = cmdutil.NewGLogWriterV(0)
 			}
 			handler = apifilters.WithAudit(handler, contextMapper, writer)
+			handler = WithAuditTriggeredMarker(handler, contextMapper, writer)
 		}
+
 		handler = serverhandlers.AuthenticationHandlerFilter(handler, c.Authenticator, contextMapper)
 		handler = namespacingFilter(handler, contextMapper)
 		handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
@@ -216,6 +218,10 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 			}
 		}
 
+		if c.Options.AuditConfig.Enabled {
+			handler = WithAuthFallbackAudit(handler, contextMapper, writer)
+		}
+
 		handler, err := assetConfig.WithAssets(handler)
 		if err != nil {
 			glog.Fatalf("Failed to setup serving of assets: %v", err)
