Merge pull request #7878 from hashicorp/oss-sync/auditing-http

http: migrate from instrumentation in s.wrap() to an s.enterpriseHand…
Kit Patella 2020-05-13 16:05:31 -07:00 committed by GitHub
commit 70761a345f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 35 deletions


@ -350,6 +350,7 @@ func (s *HTTPServer) handler(enableDebug bool) http.Handler {
if s.agent.config.DisableHTTPUnprintableCharFilter { if s.agent.config.DisableHTTPUnprintableCharFilter {
h = mux h = mux
} }
h = s.enterpriseHandler(h)
return &wrappedMux{ return &wrappedMux{
mux: mux, mux: mux,
handler: h, handler: h,
@ -399,10 +400,6 @@ var (
func (s *HTTPServer) wrap(handler endpoint, methods []string) http.HandlerFunc { func (s *HTTPServer) wrap(handler endpoint, methods []string) http.HandlerFunc {
httpLogger := s.agent.logger.Named(logging.HTTP) httpLogger := s.agent.logger.Named(logging.HTTP)
return func(resp http.ResponseWriter, req *http.Request) { return func(resp http.ResponseWriter, req *http.Request) {
// Audit log the request
reqPayload := s.auditReq(req)
setHeaders(resp, s.agent.config.HTTPResponseHeaders) setHeaders(resp, s.agent.config.HTTPResponseHeaders)
setTranslateAddr(resp, s.agent.config.TranslateWANAddrs) setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
@ -480,44 +477,33 @@ func (s *HTTPServer) wrap(handler endpoint, methods []string) http.HandlerFunc {
"from", req.RemoteAddr, "from", req.RemoteAddr,
"error", err, "error", err,
) )
var httpCode int
switch { switch {
case isForbidden(err): case isForbidden(err):
httpCode = http.StatusForbidden resp.WriteHeader(http.StatusForbidden)
resp.WriteHeader(httpCode)
fmt.Fprint(resp, err.Error()) fmt.Fprint(resp, err.Error())
case structs.IsErrRPCRateExceeded(err): case structs.IsErrRPCRateExceeded(err):
httpCode = http.StatusTooManyRequests resp.WriteHeader(http.StatusTooManyRequests)
resp.WriteHeader(httpCode)
case isMethodNotAllowed(err): case isMethodNotAllowed(err):
// RFC2616 states that for 405 Method Not Allowed the response // RFC2616 states that for 405 Method Not Allowed the response
// MUST include an Allow header containing the list of valid // MUST include an Allow header containing the list of valid
// methods for the requested resource. // methods for the requested resource.
// https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html // https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
addAllowHeader(err.(MethodNotAllowedError).Allow) addAllowHeader(err.(MethodNotAllowedError).Allow)
httpCode = http.StatusMethodNotAllowed resp.WriteHeader(http.StatusMethodNotAllowed) // 405
resp.WriteHeader(httpCode) // 405
fmt.Fprint(resp, err.Error()) fmt.Fprint(resp, err.Error())
case isBadRequest(err): case isBadRequest(err):
httpCode = http.StatusBadRequest resp.WriteHeader(http.StatusBadRequest)
resp.WriteHeader(httpCode)
fmt.Fprint(resp, err.Error()) fmt.Fprint(resp, err.Error())
case isNotFound(err): case isNotFound(err):
httpCode = http.StatusNotFound resp.WriteHeader(http.StatusNotFound)
resp.WriteHeader(httpCode)
fmt.Fprintf(resp, err.Error()) fmt.Fprintf(resp, err.Error())
case isTooManyRequests(err): case isTooManyRequests(err):
httpCode = http.StatusTooManyRequests resp.WriteHeader(http.StatusTooManyRequests)
resp.WriteHeader(httpCode)
fmt.Fprint(resp, err.Error()) fmt.Fprint(resp, err.Error())
default: default:
httpCode = http.StatusInternalServerError resp.WriteHeader(http.StatusInternalServerError)
resp.WriteHeader(httpCode)
fmt.Fprint(resp, err.Error()) fmt.Fprint(resp, err.Error())
} }
// Audit log the error response
s.auditResp(reqPayload, httpCode)
} }
start := time.Now() start := time.Now()
@ -592,10 +578,6 @@ func (s *HTTPServer) wrap(handler endpoint, methods []string) http.HandlerFunc {
} }
resp.Header().Set("Content-Type", contentType) resp.Header().Set("Content-Type", contentType)
resp.WriteHeader(httpCode) resp.WriteHeader(httpCode)
// Audit log the success response
s.auditResp(reqPayload, httpCode)
resp.Write(buf) resp.Write(buf)
} }
} }
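Review bot: With `s.auditResp(reqPayload, httpCode)` removed from both the error path and the success path, the response status is no longer handed to the audit layer from wrap(), and the middleware installed at `h = s.enterpriseHandler(h)` in the first hunk can only recover it by wrapping the `http.ResponseWriter` it passes to `next` and recording the value given to `WriteHeader` (plus the implicit 200 when a handler writes a body without calling it). That wrapper is not visible in this OSS change, so please confirm http_ent.go does this; otherwise the 403/429/405/400/404/500 responses built above lose their status in the audit record. The new middleware also sits outside the unprintable-character filter (it wraps `h` after that filter is presumably applied, per the `DisableHTTPUnprintableCharFilter` branch), so it sees the raw request path and headers before the filter rejects them, and the audit writer must escape what it logs to avoid log injection. Unrelated but on the new side here: `fmt.Fprintf(resp, err.Error())` in the isNotFound case uses the error text as a format string; make it `fmt.Fprint(resp, err.Error())` like the sibling cases. wrap() begins before this hunk.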


@ -53,13 +53,7 @@ func parseACLAuthMethodEnterpriseMeta(req *http.Request, _ *structs.ACLAuthMetho
return nil return nil
} }
// auditReq is a noop stub for the corresponding func in http_ent.go // enterpriseHandler is a noop for the enterprise implementation. we pass the original back
func (s *HTTPServer) auditReq(req *http.Request) interface{} { func (s *HTTPServer) enterpriseHandler(next http.Handler) http.Handler {
// note(kit): We return an nil here so we can pass it to auditResp. Auditing the response requires the return next
// request object for context, so we have it pass it even when it's disabled
return nil
}
// auditResp is a noop stub for the corresponding func in http_ent.go
func (s *HTTPServer) auditResp(reqPayload interface{}, httpCode int) {
} }
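Review bot: The doc comment on `enterpriseHandler` reads as if this were the enterprise implementation, but it is the OSS stub, and a reader should learn from it that nothing is audited on this path. Suggest `// enterpriseHandler is the OSS no-op for the middleware hook implemented in http_ent.go. It returns next unchanged, so OSS builds install no audit handling around the mux; the enterprise build is presumably where the request/response auditing that wrap() used to do now lives.` The deleted auditReq/auditResp stubs carried a note explaining why a nil payload had to be threaded through wrap(); that rationale goes away with them, which is fine since the middleware form no longer needs it. The function is complete within the hunk.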