feat: audit trail in stdout logs

audit/agent.go

@@ -0,0 +1,22 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+import "context"
+
+type Agent interface {
+	Trace(context.Context, Audit)
+	Cache() AuditCache
+}

audit/agent_log.go

@@ -0,0 +1,49 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/rond-authz/rond/logging"
+)
+
+type logAgent struct {
+	l     logging.Logger
+	cache AuditCache
+}
+
+func NewLogAgent(l logging.Logger) Agent {
+	return &logAgent{
+		l:     l,
+		cache: &SingleRecordCache{},
+	}
+}
+
+func (a *logAgent) Trace(ctx context.Context, auditData Audit) {
+	data := a.cache.Load("")
+	auditData.generateID()
+	if data != nil {
+		auditData.applyDataFromPolicy(data)
+	}
+
+	fmt.Printf("ADDITIONAL DATA IN TRACE %+v\n", data)
+	a.l.WithField("trail", toMap(auditData)).Info("audit trail")
+}
+
+func (a *logAgent) Cache() AuditCache {
+	return a.cache
+}

audit/agent_log_test.go

@@ -0,0 +1,47 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+import (
+	"context"
+	"testing"
+
+	rondlogrus "github.com/rond-authz/rond/logging/logrus"
+	"github.com/stretchr/testify/require"
+
+	"github.com/sirupsen/logrus/hooks/test"
+)
+
+func TestLogAgtent(t *testing.T) {
+	l, hook := test.NewNullLogger()
+	agent := NewLogAgent(rondlogrus.NewLogger(l))
+
+	agent.Trace(context.TODO(), Audit{
+		AggregationID: "the-aggregation-id",
+		Authorization: AuthzInfo{
+			Allowed:    true,
+			PolicyName: "some_policy",
+		},
+		Subject: SubjectInfo{
+			ID:     "some user",
+			Groups: []string{"g1", "g2"},
+		},
+		RequestBody: []byte("some body"),
+	})
+
+	entries := hook.AllEntries()
+	require.Len(t, entries, 1)
+	require.Equal(t, "audit trail", entries[0].Message)
+}

audit/agent_noop.go

@@ -0,0 +1,24 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+import "context"
+
+type noopAgent struct{}
+
+func NewNoopAgent() Agent { return &noopAgent{} }
+
+func (a *noopAgent) Trace(context.Context, Audit) {}
+func (a *noopAgent) Cache() AuditCache            { return &SingleRecordCache{} }

audit/audit.go

@@ -0,0 +1,126 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+import (
+	"reflect"
+	"slices"
+
+	"github.com/google/uuid"
+)
+
+const (
+	AuditAdditionalDataGrantedPermissionKey = "authorization.permissions"
+	AuditAdditionalDataGrantedBindingKey    = "authorization.binding"
+)
+
+var reservedLabelKeys = []string{
+	AuditAdditionalDataGrantedPermissionKey,
+	AuditAdditionalDataGrantedBindingKey,
+}
+
+type auditReservedFields struct {
+	ID string `audit:"id"`
+}
+
+type Audit struct {
+	auditReservedFields
+	AggregationID string                 `audit:"aggregationId"`
+	Authorization AuthzInfo              `audit:"authorization"`
+	Subject       SubjectInfo            `audit:"subject"`
+	RequestBody   interface{}            `audit:"requestBody"`
+	Labels        map[string]interface{} `audit:"labels"`
+}
+
+type authzinfoReservedFields struct {
+	GrantingPermission string `audit:"permission"`
+	GrantingBindingID  string `audit:"binding"`
+}
+
+type AuthzInfo struct {
+	Allowed    bool   `audit:"allowed"`
+	PolicyName string `audit:"policyName"`
+	authzinfoReservedFields
+}
+
+type SubjectInfo struct {
+	ID     string   `audit:"id"`
+	Groups []string `audit:"groups"`
+}
+
+func (a *Audit) generateID() {
+	a.auditReservedFields.ID = uuid.NewString()
+}
+
+func (a *Audit) applyDataFromPolicy(data map[string]interface{}) {
+	grantedBinding, ok := data[AuditAdditionalDataGrantedBindingKey]
+	if ok && grantedBinding != nil {
+		str, ok := grantedBinding.(string)
+		if ok {
+			a.Authorization.authzinfoReservedFields.GrantingBindingID = str
+		}
+	}
+
+	grantedPermission, ok := data[AuditAdditionalDataGrantedPermissionKey]
+	if ok && grantedPermission != nil {
+		str, ok := grantedPermission.(string)
+		if ok {
+			a.Authorization.authzinfoReservedFields.GrantingBindingID = str
+		}
+	}
+
+	if a.Labels == nil {
+		a.Labels = make(map[string]interface{})
+	}
+	for k, v := range data {
+		if slices.Contains(reservedLabelKeys, k) {
+			continue
+		}
+
+		a.Labels[k] = v
+	}
+}
+
+func toMap(val interface{}) map[string]interface{} {
+	const tagTitle = "audit"
+
+	var data map[string]interface{} = make(map[string]interface{})
+	varType := reflect.TypeOf(val)
+	if varType.Kind() != reflect.Struct {
+		return nil
+	}
+
+	value := reflect.ValueOf(val)
+	for i := 0; i < varType.NumField(); i++ {
+		if !value.Field(i).CanInterface() {
+			// Skip unexported fields
+			continue
+		}
+		tag, ok := varType.Field(i).Tag.Lookup(tagTitle)
+		var fieldName string
+		if ok && len(tag) > 0 {
+			fieldName = tag
+		} else {
+			fieldName = varType.Field(i).Name
+		}
+		if varType.Field(i).Type.Kind() != reflect.Struct {
+			data[fieldName] = value.Field(i).Interface()
+		} else {
+			data[fieldName] = toMap(value.Field(i).Interface())
+		}
+	}
+
+	return data
+}

audit/audit_test.go

@@ -0,0 +1,53 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestToMap(t *testing.T) {
+	type SubStruct struct {
+		F float64 `audit:"f"`
+	}
+	type ToConvert struct {
+		S  string    `audit:"s"`
+		I  int       `audit:"i"`
+		St SubStruct `audit:"st"`
+		Sl []string  `audit:"sl"`
+	}
+
+	c := ToConvert{
+		S:  "val",
+		I:  42,
+		St: SubStruct{F: 4.2},
+		Sl: []string{"g1", "g2"},
+	}
+
+	result := toMap(c)
+	require.Equal(t,
+		map[string]interface{}{
+			"s": "val",
+			"i": 42,
+			"st": map[string]interface{}{
+				"f": 4.2,
+			},
+			"sl": []string{"g1", "g2"},
+		},
+		result,
+	)
+}

audit/cache.go

@@ -0,0 +1,52 @@
+// Copyright 2024 Mia srl
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package audit
+
+type Data map[string]interface{}
+
+type AuditCache interface {
+	Store(id string, d Data)
+	Load(id string) Data
+}
+
+// func New() AuditCache {
+// 	return &cache{m: sync.Map{}}
+// }
+
+// type cache struct {
+// 	m sync.Map
+// }
+
+// func (c *cache) Store(id string, d Data) {
+// 	c.m.Store(id, d)
+// }
+
+// func (c *cache) Load(id string) Data {
+// 	d, _ := c.m.LoadAndDelete(id)
+// 	data, _ := d.(Data)
+// 	return data
+// }
+
+type SingleRecordCache struct {
+	data Data
+}
+
+func (c *SingleRecordCache) Store(id string, d Data) {
+	c.data = d
+}
+
+func (c *SingleRecordCache) Load(id string) Data {
+	return c.data
+}