Merge pull request #2 from metal-stack/add-https

Adding https capability to the webhook webserver

cmd/splunk-audit-webhook/main.go

@@ -40,6 +40,10 @@ type Opts struct {
 	ServerURLs     []string `validate:"required"`
 	Token          string   `validate:"required"`
 	InsecureCert   bool     `validate:"required"`
+	ClientTLSKey   string
+	ClientTLSCert  string
+	WebhookTLSKey  string
+	WebhookTLSCert string
 }
 
 var cmd = &cobra.Command{
@@ -71,6 +75,12 @@ func init() {
 
 	cmd.Flags().BoolP("insecure-cert", "", false, "whether to skip certificate validation")
 
+	cmd.Flags().StringP("client-tls-key", "", "", "the path to the tls key file for client authentication to the splunk server with client certificate")
+	cmd.Flags().StringP("client-tls-cert", "", "", "the path to the tls certificate file for client authentication to the splunk server with client certificate")
+
+	cmd.Flags().StringP("webhook-tls-key", "", "", "the path to the tls key file for the webhook web server")
+	cmd.Flags().StringP("webhook-tls-cert", "", "", "the path to the tls certificate file for the webhook web server")
+
 	err := viper.BindPFlags(cmd.Flags())
 	if err != nil {
 		logger.Errorw("unable to construct root command", "error", err)
@@ -86,6 +96,10 @@ func initOpts() (*Opts, error) {
 		ServerURLs:     viper.GetStringSlice("server-urls"),
 		Token:          viper.GetString("token"),
 		InsecureCert:   viper.GetBool("insecure-cert"),
+		ClientTLSKey:   viper.GetString("client-tls-key"),
+		ClientTLSCert:  viper.GetString("client-tls-cert"),
+		WebhookTLSKey:  viper.GetString("webhook-tls-key"),
+		WebhookTLSCert: viper.GetString("webhook-tls-cert"),
 	}
 
 	validate := validator.New()
@@ -163,17 +177,41 @@ func run(opts *Opts) {
 		opts.ServerURLs,
 		opts.Token,
 	)
-	splunkClient.SetHTTPClient(&http.Client{Transport: &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: opts.InsecureCert}}})
+
+	if opts.ClientTLSCert != "" && opts.ClientTLSKey != "" {
+		logger.Infow("getting client certificates from file", "Certificate", opts.ClientTLSCert, "Key", opts.ClientTLSKey)
+		clientCert, err := tls.LoadX509KeyPair(opts.ClientTLSCert, opts.ClientTLSKey)
+		if err != nil {
+			logger.Errorw("failed to load client certificate and key", "Certificate", opts.ClientTLSCert, "Key", opts.ClientTLSKey, "error", err)
+		}
+		splunkClient.SetHTTPClient(&http.Client{Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: opts.InsecureCert,
+				Certificates:       []tls.Certificate{clientCert},
+			}}})
+	} else {
+		splunkClient.SetHTTPClient(&http.Client{Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: opts.InsecureCert,
+			}}})
+	}
 
 	auditController := audit.NewController(logger.Named("webhook-audit-controller"), splunkClient)
 
 	http.HandleFunc(opts.AuditServePath, auditController.AuditEvent)
 
 	addr := fmt.Sprintf("%s:%d", opts.BindAddr, opts.Port)
-	logger.Infow("starting splunk audit webhook", "version", v.V.String(), "address", addr)
-	err := http.ListenAndServe(addr, nil)
-	if err != nil {
-		logger.Errorw("failed to start audit webhook server", "error", err)
+	if opts.WebhookTLSCert != "" && opts.WebhookTLSKey != "" {
+		logger.Infow("starting splunk audit TLS webhook", "version", v.V.String(), "address", addr, "Cert", opts.WebhookTLSCert, "Key", opts.WebhookTLSKey)
+		err := http.ListenAndServeTLS(addr, opts.WebhookTLSCert, opts.WebhookTLSKey, nil)
+		if err != nil {
+			logger.Errorw("failed to start audit webhook TLS server", "error", err)
+		}
+	} else {
+		logger.Infow("starting splunk audit plain webhook", "version", v.V.String(), "address", addr)
+		err := http.ListenAndServe(addr, nil)
+		if err != nil {
+			logger.Errorw("failed to start audit webhook plain http server", "error", err)
+		}
 	}
 }

pkg/controllers/audit/webhook.go

@@ -1,8 +1,9 @@
 package audit
 
 import (
+	// "encoding/base64"
+	"io/ioutil"
 	"net/http"
-	"time"
 
 	hec "github.com/fuyufjh/splunk-hec-go"
 
@@ -26,10 +27,22 @@ func NewController(logger *zap.SugaredLogger, client hec.HEC) *Controller {
 
 // AuditEvent handles an audit event
 func (c *Controller) AuditEvent(response http.ResponseWriter, request *http.Request) {
-	c.logger.Infow("received audit event", "request", request.Body)
-
-	event := hec.NewEvent("event one")
-	event.SetTime(time.Now())
+	body, _ := ioutil.ReadAll(request.Body)
+	c.logger.Infow("received audit event", "request", string(body))
+
+	event := hec.NewEvent(string(body))
+	// event.SetHost("HOST") // FIXME Maybe set HOST to something sensical - cluster name? - it gets kept in Splunk
+	// event.SetTime(time.Now()) // Splunk sets the time if not specified here
+	// event.SetSource("SOURCE") // Could set this but Splunk defaults are probably good enough
+	// event.SetSourceType("SOURCETYPE") // dito
+
+	c.logger.Infow("HEC Event",
+		"Host", event.Host,
+		"Time", event.Time,
+		"Source", event.Source,
+		"Sourcetype", event.SourceType,
+		"Event", event.Event.(string),
+	)
 
 	err := c.client.WriteEvent(event)
 	if err != nil {