Prototype audit log improvements + coverage test #9467
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,11 +26,56 @@ use omicron_uuid_kinds::GenericUuid; | |
| use omicron_uuid_kinds::SiloUserUuid; | ||
| use oximeter::types::ProducerRegistry; | ||
| use oximeter_instruments::http::{HttpService, LatencyTracker}; | ||
| use schemars::JsonSchema; | ||
| use serde::Serialize; | ||
| use slog::Logger; | ||
| use std::env; | ||
| use std::future::Future; | ||
| use std::sync::Arc; | ||
| use uuid::Uuid; | ||
|
|
||
| use dropshot::{ | ||
| HttpError, HttpResponse, HttpResponseAccepted, HttpResponseCreated, | ||
| HttpResponseDeleted, HttpResponseOk, HttpResponseUpdatedNoContent, | ||
| }; | ||
| use omicron_common::api::external::SimpleIdentity; | ||
|
|
||
| /// Trait for extracting resource ID from HTTP response types to record in | ||
| /// the audit log. Implemented for response types that may contain a created | ||
| /// resource. | ||
| pub trait MaybeHasResourceId { | ||
| fn resource_id(&self) -> Option<Uuid> { | ||
| None | ||
| } | ||
| } | ||
|
|
||
| impl<T> MaybeHasResourceId for HttpResponseCreated<T> | ||
| where | ||
| T: SimpleIdentity + Serialize + JsonSchema + Send + Sync + 'static, | ||
| { | ||
| fn resource_id(&self) -> Option<Uuid> { | ||
| Some(self.0.id()) | ||
| } | ||
| } | ||
|
|
||
| // We only pull the ID out of HttpResponseCreated responses. For the rest of | ||
| // these, keep the default impl with no resource ID because the identifier is | ||
| // there in the URL. Something to think about: the identifier in the URL can | ||
| // be a name, which can then be reused after the thing is deleted or renamed, | ||
| // so names don't actually identify things uniquely the way IDs do. So we may | ||
| // end up needing to record the ID for delete or update operations as well. | ||
|
|
||
| impl<T> MaybeHasResourceId for HttpResponseOk<T> where | ||
| T: Serialize + JsonSchema + Send + Sync + 'static | ||
| { | ||
| } | ||
| impl MaybeHasResourceId for HttpResponseDeleted {} | ||
| impl MaybeHasResourceId for HttpResponseUpdatedNoContent {} | ||
| impl<T> MaybeHasResourceId for HttpResponseAccepted<T> where | ||
| T: Serialize + JsonSchema + Send + Sync + 'static | ||
| { | ||
| } | ||
|
|
||
| /// Indicates the kind of HTTP server. | ||
| #[derive(Clone, Copy)] | ||
| pub enum ServerKind { | ||
|
|
@@ -334,6 +379,45 @@ impl ServerContext { | |
| } | ||
| } | ||
|
|
||
| /// Execute an external API handler with audit logging and latency tracking. | ||
| /// | ||
| /// This helper: | ||
| /// 1. Creates an OpContext via authentication | ||
| /// 2. Initializes an audit log entry | ||
| /// 3. Runs the handler | ||
| /// 4. Completes the audit log entry with result info | ||
| /// 5. Wraps everything in latency instrumentation | ||
| pub async fn audit_and_time<F, Fut, R>( | ||
| rqctx: &dropshot::RequestContext<ApiContext>, | ||
| handler: F, | ||
| ) -> Result<R, HttpError> | ||
| where | ||
| F: FnOnce(Arc<OpContext>, Arc<Nexus>) -> Fut, | ||
| Fut: Future<Output = Result<R, HttpError>>, | ||
| R: HttpResponse + MaybeHasResourceId, | ||
| { | ||
| let apictx = rqctx.context(); | ||
| let nexus = Arc::clone(&apictx.context.nexus); | ||
| apictx | ||
| .context | ||
| .external_latencies | ||
| .instrument_dropshot_handler(rqctx, async { | ||
| let opctx = Arc::new(op_context_for_external_api(rqctx).await?); | ||
| let audit = nexus.audit_log_entry_init(&opctx, rqctx).await?; | ||
|
|
||
| let result = handler(Arc::clone(&opctx), Arc::clone(&nexus)).await; | ||
|
|
||
| // TODO: pass resource_id to audit_log_entry_complete once | ||
| // the schema supports it | ||
| let _resource_id = | ||
| result.as_ref().ok().and_then(|r| r.resource_id()); | ||
|
Comment on lines
+410
to
+413
Contributor
There was a problem hiding this comment. The idea being that
Contributor
Author
There was a problem hiding this comment. That was the idea here. Another way would be to have a general concept of response summary, like we talked about, probably as a JSON column so it could be free-form, and that would have the ID in it. The problem there is that the summary column would have no guaranteed schema because different things might get different summaries, and if the ID is going to be especially load-bearing, it would probably make sense to give it its own column. Especially if we're recording it for deletes and updates too, like my code comment mentions. In that case nearly every audit log entry would have a resource ID associated with it.
Contributor
Author
There was a problem hiding this comment. Though something that just occurred to me is that it is not necessarily always obvious what the ID is of. If you're doing a project update, then it's obvious that it would be the ID of the project. But if you update the firewall rules on a VPC, the ID would be that of the VPC because there is no ID associated with the firewall rules specifically. I wonder if I should include a resource type string indicating what kind of ID it is. That is kind of painful to think about, but we do probably have a string like that around for every resource (see omicron/common/src/api/external/mod.rs Lines 933 to 1013 in 1c69391 |
||
| let _ = | ||
| nexus.audit_log_entry_complete(&opctx, &audit, &result).await; | ||
| result | ||
| }) | ||
| .await | ||
| } | ||
|
|
||
| /// Authenticates an incoming request to the external API and produces a new | ||
| /// operation context for it | ||
| pub(crate) async fn op_context_for_external_api( | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good point.