Rename fields, fix TODOs and linter issues

This commit is contained in:
Christian Schaible 2024-08-01 07:50:48 +02:00
parent fd8892aad8
commit db9440206f
15 changed files with 671 additions and 582 deletions


@ -200,3 +200,4 @@ Python) will be extracted into separate repositories.
- Clarify if `client.go` file can be used for licence / legal reasons
- Extraction of python / java configurations and code
- Clean up repo (delete main.go, etc. files)
- Update dependencies


@ -111,7 +111,7 @@ func validateAndSerializePartially(
}
routableEvent := auditV1.RoutableAuditEvent{
EventName: event.ProtoPayload.MethodName,
OperationName: event.ProtoPayload.OperationName,
ObjectIdentifier: routableIdentifier.ToObjectIdentifier(),
Visibility: visibility,
Data: &auditV1.RoutableAuditEvent_UnencryptedData{UnencryptedData: &payload},


@ -5,7 +5,6 @@ import (
"encoding/json"
"errors"
"fmt"
"github.com/google/uuid"
"net/url"
"time"
@ -138,18 +137,16 @@ func (a *LegacyAuditApi) ValidateAndSerializeWithTrace(
}
message := CloudEvent{
SpecVersion: "1.0",
Source: event.ProtoPayload.ServiceName,
// TODO what is the correct id?
Id: uuid.NewString(),
SpecVersion: "1.0",
Source: event.ProtoPayload.ServiceName,
Id: event.InsertId,
Time: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
DataContentType: ContentTypeCloudEventsProtobuf,
DataType: fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
// TODO check if this is correct
Subject: event.ProtoPayload.ResourceName,
Data: legacyBytes,
TraceParent: traceParent,
TraceState: traceState,
Subject: event.ProtoPayload.ResourceName,
Data: legacyBytes,
TraceParent: traceParent,
TraceState: traceState,
}
return &message, nil
}
@ -300,23 +297,23 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
// Severity
var severity string
switch event.Severity {
case auditV1.LogSeverity_DEFAULT:
case auditV1.LogSeverity_LOG_SEVERITY_DEFAULT:
fallthrough
case auditV1.LogSeverity_DEBUG:
case auditV1.LogSeverity_LOG_SEVERITY_DEBUG:
fallthrough
case auditV1.LogSeverity_INFO:
case auditV1.LogSeverity_LOG_SEVERITY_INFO:
fallthrough
case auditV1.LogSeverity_NOTICE:
case auditV1.LogSeverity_LOG_SEVERITY_NOTICE:
fallthrough
case auditV1.LogSeverity_WARNING:
case auditV1.LogSeverity_LOG_SEVERITY_WARNING:
severity = "INFO"
case auditV1.LogSeverity_ERROR:
case auditV1.LogSeverity_LOG_SEVERITY_ERROR:
fallthrough
case auditV1.LogSeverity_CRITICAL:
case auditV1.LogSeverity_LOG_SEVERITY_CRITICAL:
fallthrough
case auditV1.LogSeverity_ALERT:
case auditV1.LogSeverity_LOG_SEVERITY_ALERT:
fallthrough
case auditV1.LogSeverity_EMERGENCY:
case auditV1.LogSeverity_LOG_SEVERITY_EMERGENCY:
severity = "ERROR"
default:
return nil, ErrUnsupportedSeverity
@ -328,7 +325,7 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
Visibility: visibility,
EventType: eventType,
EventTimeStamp: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
EventName: event.ProtoPayload.MethodName,
EventName: event.ProtoPayload.OperationName,
SourceIpAddress: sourceIpAddress,
UserAgent: userAgent,
Initiator: LegacyAuditEventPrincipal{
@ -338,12 +335,10 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
ServiceAccountDelegationInfo: serviceAccountDelegationInfo,
Request: request,
Context: messageContext,
// TODO clarify
ResourceId: &event.LogName,
ResourceName: &event.ProtoPayload.ResourceName,
CorrelationId: event.CorrelationId,
Result: &result,
Details: &details,
ResourceName: &event.ProtoPayload.ResourceName,
CorrelationId: event.CorrelationId,
Result: &result,
Details: &details,
}
bytes, err := json.Marshal(legacyAuditEvent)
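Review bot: `Id: event.InsertId` in LegacyAuditApi.ValidateAndSerializeWithTrace puts the raw insert_id into the CloudEvent envelope, while the insert_id field's own proto comment in this commit says it is to be masked by the SDK before it reaches the customer and that masking is still marked `// TODO XOR`, so the worker id and sequence number it encodes are now exposed unmasked in the message id. The same line is added in MockAuditApi.ValidateAndSerializeWithTrace and routableAuditApi.ValidateAndSerializeWithTrace. Until masking exists, either keep a generated id or derive the envelope id from insert_id with a keyed hash (`hmac.New(sha256.New, key)` over the string) and add a field comment stating which of the two is used; a plain XOR with a fixed key would not hide these values because the sequence part is predictable. The enclosing method bodies start outside the hunks.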


@ -330,7 +330,7 @@ func TestLegacyAuditApi(t *testing.T) {
var auditEvent LegacyAuditEvent
assert.NoError(t, json.Unmarshal(message.Data[0], &auditEvent))
assert.Equal(t, event.ProtoPayload.MethodName, auditEvent.EventName)
assert.Equal(t, event.ProtoPayload.OperationName, auditEvent.EventName)
assert.Equal(t, event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(), auditEvent.EventTimeStamp)
assert.Equal(t, event.ProtoPayload.AuthenticationInfo.PrincipalId, auditEvent.Initiator.Id)
assert.Equal(t, "SYSTEM_EVENT", auditEvent.EventType)
@ -400,29 +400,29 @@ func validateSentMessage(
var severity string
switch event.Severity {
case auditV1.LogSeverity_DEFAULT:
case auditV1.LogSeverity_LOG_SEVERITY_DEFAULT:
fallthrough
case auditV1.LogSeverity_DEBUG:
case auditV1.LogSeverity_LOG_SEVERITY_DEBUG:
fallthrough
case auditV1.LogSeverity_INFO:
case auditV1.LogSeverity_LOG_SEVERITY_INFO:
fallthrough
case auditV1.LogSeverity_NOTICE:
case auditV1.LogSeverity_LOG_SEVERITY_NOTICE:
fallthrough
case auditV1.LogSeverity_WARNING:
case auditV1.LogSeverity_LOG_SEVERITY_WARNING:
severity = "INFO"
case auditV1.LogSeverity_ERROR:
case auditV1.LogSeverity_LOG_SEVERITY_ERROR:
fallthrough
case auditV1.LogSeverity_CRITICAL:
case auditV1.LogSeverity_LOG_SEVERITY_CRITICAL:
fallthrough
case auditV1.LogSeverity_ALERT:
case auditV1.LogSeverity_LOG_SEVERITY_ALERT:
fallthrough
case auditV1.LogSeverity_EMERGENCY:
case auditV1.LogSeverity_LOG_SEVERITY_EMERGENCY:
severity = "ERROR"
default:
assert.Fail(t, "unknown log severity")
}
assert.Equal(t, event.ProtoPayload.MethodName, auditEvent.EventName)
assert.Equal(t, event.ProtoPayload.OperationName, auditEvent.EventName)
assert.Equal(t, event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(), auditEvent.EventTimeStamp)
assert.Equal(t, event.ProtoPayload.AuthenticationInfo.PrincipalId, auditEvent.Initiator.Id)
assert.Equal(t, "ADMIN_ACTIVITY", auditEvent.EventType)
@ -450,7 +450,7 @@ func validateSentMessageWithDetails(
var auditEvent LegacyAuditEvent
assert.NoError(t, json.Unmarshal(message.Data[0], &auditEvent))
assert.Equal(t, event.ProtoPayload.MethodName, auditEvent.EventName)
assert.Equal(t, event.ProtoPayload.OperationName, auditEvent.EventName)
assert.Equal(t, event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(), auditEvent.EventTimeStamp)
assert.Equal(t, event.ProtoPayload.AuthenticationInfo.PrincipalId, auditEvent.Initiator.Id)
assert.Equal(t, "ADMIN_ACTIVITY", auditEvent.EventType)
@ -552,7 +552,7 @@ func TestLegacyAuditApi_ConvertAndSerializeIntoLegacyFormatInvalidObjectIdentifi
func TestLegacyAuditApi_ConvertAndSerializeIntoLegacyFormat_NoObjectIdentifier(t *testing.T) {
event, _ := NewProjectAuditEvent(nil)
routableEvent := auditV1.RoutableAuditEvent{
EventName: event.ProtoPayload.MethodName,
OperationName: event.ProtoPayload.OperationName,
Visibility: auditV1.Visibility_VISIBILITY_PUBLIC,
ObjectIdentifier: nil,
Data: nil,


@ -3,7 +3,6 @@ package api
import (
"context"
"fmt"
"github.com/google/uuid"
"google.golang.org/protobuf/proto"
auditV1 "dev.azure.com/schwarzit/schwarzit.stackit-core-platform/common-audit.git/gen/go/audit/v1"
@ -83,18 +82,16 @@ func (a *MockAuditApi) ValidateAndSerializeWithTrace(
}
message := CloudEvent{
SpecVersion: "1.0",
Source: event.ProtoPayload.ServiceName,
// TODO what is the correct id?
Id: uuid.NewString(),
SpecVersion: "1.0",
Source: event.ProtoPayload.ServiceName,
Id: event.InsertId,
Time: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
DataContentType: "application/cloudevents+protobuf",
DataType: fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
// TODO check if this is correct
Subject: event.ProtoPayload.ResourceName,
Data: routableEventBytes,
TraceParent: traceParent,
TraceState: traceState,
Subject: event.ProtoPayload.ResourceName,
Data: routableEventBytes,
TraceParent: traceParent,
TraceState: traceState,
}
return &message, nil


@ -32,7 +32,7 @@ func TestMockAuditApi_Log(t *testing.T) {
assert.NoError(t, err)
validateRoutableEventPayload(
t, cloudEvent.Data, objectIdentifier, event, event.ProtoPayload.MethodName, visibility)
t, cloudEvent.Data, objectIdentifier, event, event.ProtoPayload.OperationName, visibility)
})
t.Run("ValidateAndSerialize event nil", func(t *testing.T) {


@ -4,7 +4,6 @@ import (
"context"
"errors"
"fmt"
"github.com/google/uuid"
"google.golang.org/protobuf/proto"
"dev.azure.com/schwarzit/schwarzit.stackit-core-platform/common-audit.git/audit/messaging"
@ -165,18 +164,16 @@ func (a *routableAuditApi) ValidateAndSerializeWithTrace(
}
message := CloudEvent{
SpecVersion: "1.0",
Source: event.ProtoPayload.ServiceName,
// TODO what is the correct id?
Id: uuid.NewString(),
SpecVersion: "1.0",
Source: event.ProtoPayload.ServiceName,
Id: event.InsertId,
Time: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
DataContentType: ContentTypeCloudEventsProtobuf,
DataType: fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
// TODO check if this is correct
Subject: event.ProtoPayload.ResourceName,
Data: routableEventBytes,
TraceParent: traceParent,
TraceState: traceState,
Subject: event.ProtoPayload.ResourceName,
Data: routableEventBytes,
TraceParent: traceParent,
TraceState: traceState,
}
return &message, nil


@ -389,7 +389,7 @@ func validateSentEvent(
message *amqp.Message,
objectIdentifier *auditV1.ObjectIdentifier,
event *auditV1.AuditLogEntry,
eventName string,
operationName string,
visibility auditV1.Visibility,
traceParent *string,
traceState *string,
@ -414,7 +414,7 @@ func validateSentEvent(
// Check deserialized message
validateRoutableEventPayload(
t, message.Data[0], objectIdentifier, event, eventName, visibility)
t, message.Data[0], objectIdentifier, event, operationName, visibility)
}
func validateRoutableEventPayload(
@ -422,7 +422,7 @@ func validateRoutableEventPayload(
payload []byte,
objectIdentifier *auditV1.ObjectIdentifier,
event *auditV1.AuditLogEntry,
eventName string,
operationName string,
visibility auditV1.Visibility,
) {
@ -430,7 +430,7 @@ func validateRoutableEventPayload(
var routableAuditEvent auditV1.RoutableAuditEvent
assert.NoError(t, proto.Unmarshal(payload, &routableAuditEvent))
assert.Equal(t, eventName, routableAuditEvent.EventName)
assert.Equal(t, operationName, routableAuditEvent.OperationName)
assert.Equal(t, visibility, routableAuditEvent.Visibility)
assert.True(t, proto.Equal(objectIdentifier, routableAuditEvent.ObjectIdentifier))


@ -36,9 +36,9 @@ func NewOrganizationAuditEvent(
auditEvent := &auditV1.AuditLogEntry{
LogName: fmt.Sprintf("%s/%s/logs/%s", PluralTypeOrganization, identifier, EventTypeAdminActivity),
ProtoPayload: &auditV1.AuditLog{
ServiceName: "resource-manager",
MethodName: "stackit.resourcemanager.v2.organization.created",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeOrganization, identifier),
ServiceName: "resource-manager",
OperationName: "stackit.resourcemanager.v2.organization.created",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeOrganization, identifier),
AuthenticationInfo: &auditV1.AuthenticationInfo{
PrincipalId: uuid.NewString(),
PrincipalEmail: "user@example.com",
@ -55,7 +55,7 @@ func NewOrganizationAuditEvent(
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
RequestAttributes: &auditV1.AttributeContext_Request{
Id: &requestId,
Method: "POST",
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
Headers: headers,
Path: "/v2/organizations",
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
@ -84,7 +84,7 @@ func NewOrganizationAuditEvent(
Labels: labels,
CorrelationId: &correlationId,
Timestamp: timestamppb.New(time.Now()),
Severity: auditV1.LogSeverity_DEFAULT,
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
TraceParent: nil,
TraceState: nil,
}
@ -125,9 +125,9 @@ func NewFolderAuditEvent(
auditEvent := &auditV1.AuditLogEntry{
LogName: fmt.Sprintf("%s/%s/logs/%s", PluralTypeFolder, identifier, EventTypeAdminActivity),
ProtoPayload: &auditV1.AuditLog{
ServiceName: "resource-manager",
MethodName: "stackit.resourcemanager.v2.folder.created",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeFolder, identifier),
ServiceName: "resource-manager",
OperationName: "stackit.resourcemanager.v2.folder.created",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeFolder, identifier),
AuthenticationInfo: &auditV1.AuthenticationInfo{
PrincipalId: uuid.NewString(),
PrincipalEmail: "user@example.com",
@ -144,7 +144,7 @@ func NewFolderAuditEvent(
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
RequestAttributes: &auditV1.AttributeContext_Request{
Id: &requestId,
Method: "POST",
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
Headers: headers,
Path: "/v2/folders",
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
@ -173,7 +173,7 @@ func NewFolderAuditEvent(
Labels: labels,
CorrelationId: &correlationId,
Timestamp: timestamppb.New(time.Now()),
Severity: auditV1.LogSeverity_DEFAULT,
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
TraceParent: nil,
TraceState: nil,
}
@ -214,9 +214,9 @@ func NewProjectAuditEvent(
auditEvent := &auditV1.AuditLogEntry{
LogName: fmt.Sprintf("%s/%s/logs/%s", PluralTypeProject, identifier, EventTypeAdminActivity),
ProtoPayload: &auditV1.AuditLog{
ServiceName: "resource-manager",
MethodName: "stackit.resourcemanager.v2.project.created",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeProject, identifier),
ServiceName: "resource-manager",
OperationName: "stackit.resourcemanager.v2.project.created",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeProject, identifier),
AuthenticationInfo: &auditV1.AuthenticationInfo{
PrincipalId: uuid.NewString(),
PrincipalEmail: "user@example.com",
@ -233,7 +233,7 @@ func NewProjectAuditEvent(
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
RequestAttributes: &auditV1.AttributeContext_Request{
Id: &requestId,
Method: "POST",
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
Headers: headers,
Path: "/v2/projects",
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
@ -262,7 +262,7 @@ func NewProjectAuditEvent(
Labels: labels,
CorrelationId: &correlationId,
Timestamp: timestamppb.New(time.Now()),
Severity: auditV1.LogSeverity_DEFAULT,
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
TraceParent: nil,
TraceState: nil,
}
@ -298,9 +298,9 @@ func NewSystemAuditEvent(
auditEvent := &auditV1.AuditLogEntry{
LogName: fmt.Sprintf("%s/%s/logs/%s", PluralTypeSystem, identifier, EventTypeSystemEvent),
ProtoPayload: &auditV1.AuditLog{
ServiceName: "resource-manager",
MethodName: "stackit.resourcemanager.v2.system.changed",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeSystem, identifier),
ServiceName: "resource-manager",
OperationName: "stackit.resourcemanager.v2.system.changed",
ResourceName: fmt.Sprintf("%s/%s", PluralTypeSystem, identifier),
AuthenticationInfo: &auditV1.AuthenticationInfo{
PrincipalId: serviceAccountId,
PrincipalEmail: "service-account@sa.stackit.cloud",
@ -317,7 +317,7 @@ func NewSystemAuditEvent(
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
RequestAttributes: &auditV1.AttributeContext_Request{
Id: &requestId,
Method: "POST",
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
Headers: headers,
Path: "/v2/projects",
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
@ -346,7 +346,7 @@ func NewSystemAuditEvent(
Labels: labels,
CorrelationId: &correlationId,
Timestamp: timestamppb.New(time.Now()),
Severity: auditV1.LogSeverity_DEFAULT,
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
TraceParent: nil,
TraceState: nil,
}



@ -237,7 +237,7 @@ func (m *AuditLog) validate(all bool) error {
// no validation rules for ServiceName
// no validation rules for MethodName
// no validation rules for OperationName
// no validation rules for ResourceName


@ -269,17 +269,16 @@ type RoutableAuditEvent struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// TODO rename to operation_name (equivalent to AuditLog.method_name)
// Functional event name with pattern
//
// Format: stackit.<product>.<version>.<type>.<operation>
//
// Examples:
//
// "stackit.resourcemanager.v1.organization.created"
// "stackit.resource-manager.v1.organization.created"
// "stackit.authorization.v2.organization.moved"
// "stackit.authorization.v2.folder.moved"
EventName string `protobuf:"bytes,1,opt,name=event_name,json=eventName,proto3" json:"event_name,omitempty"`
OperationName string `protobuf:"bytes,1,opt,name=operation_name,json=operationName,proto3" json:"operation_name,omitempty"`
// Visibility relevant for differentiating between internal and public events
Visibility Visibility `protobuf:"varint,2,opt,name=visibility,proto3,enum=audit.v1.Visibility" json:"visibility,omitempty"`
// Identifier the audit log event refers to.
@ -327,9 +326,9 @@ func (*RoutableAuditEvent) Descriptor() ([]byte, []int) {
return file_audit_v1_routable_event_proto_rawDescGZIP(), []int{3}
}
func (x *RoutableAuditEvent) GetEventName() string {
func (x *RoutableAuditEvent) GetOperationName() string {
if x != nil {
return x.EventName
return x.OperationName
}
return ""
}
@ -417,48 +416,48 @@ var file_audit_v1_routable_event_proto_rawDesc = []byte{
0x74, 0x61, 0x12, 0x2f, 0x0a, 0x0d, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x5f, 0x74,
0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0xc8, 0x01,
0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x0c, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x54,
0x79, 0x70, 0x65, 0x22, 0xa4, 0x03, 0x0a, 0x12, 0x52, 0x6f, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65,
0x41, 0x75, 0x64, 0x69, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x61, 0x0a, 0x0a, 0x65, 0x76,
0x65, 0x6e, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x42,
0xba, 0x48, 0x3f, 0xc8, 0x01, 0x01, 0x72, 0x3a, 0x32, 0x38, 0x5e, 0x73, 0x74, 0x61, 0x63, 0x6b,
0x69, 0x74, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x30, 0x2d, 0x39, 0x5d, 0x2b, 0x5c, 0x2e, 0x76,
0x5b, 0x31, 0x2d, 0x39, 0x5d, 0x5b, 0x30, 0x2d, 0x39, 0x5d, 0x2a, 0x5c, 0x2e, 0x5b, 0x61, 0x2d,
0x7a, 0x30, 0x2d, 0x39, 0x5d, 0x2b, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x30, 0x2d, 0x39, 0x5d,
0x2b, 0x24, 0x52, 0x09, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a,
0x0a, 0x76, 0x69, 0x73, 0x69, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28,
0x0e, 0x32, 0x14, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x56, 0x69, 0x73,
0x69, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82,
0x01, 0x02, 0x10, 0x01, 0x52, 0x0a, 0x76, 0x69, 0x73, 0x69, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79,
0x12, 0x4f, 0x0a, 0x11, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74,
0x69, 0x66, 0x69, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x61, 0x75,
0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65,
0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52,
0x10, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65,
0x72, 0x12, 0x46, 0x0a, 0x10, 0x75, 0x6e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x61, 0x75,
0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x6e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x48, 0x00, 0x52, 0x0f, 0x75, 0x6e, 0x65, 0x6e, 0x63, 0x72,
0x79, 0x70, 0x74, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x12, 0x40, 0x0a, 0x0e, 0x65, 0x6e, 0x63,
0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x17, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x63,
0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x48, 0x00, 0x52, 0x0d, 0x65, 0x6e,
0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x42, 0x0d, 0x0a, 0x04, 0x64,
0x61, 0x74, 0x61, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, 0x01, 0x2a, 0x57, 0x0a, 0x0a, 0x56, 0x69,
0x73, 0x69, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x16, 0x56, 0x49, 0x53, 0x49,
0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x56, 0x49, 0x53, 0x49, 0x42, 0x49, 0x4c, 0x49,
0x54, 0x59, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x56,
0x49, 0x53, 0x49, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54,
0x45, 0x10, 0x02, 0x42, 0x84, 0x01, 0x0a, 0x1c, 0x63, 0x6f, 0x6d, 0x2e, 0x73, 0x63, 0x68, 0x77,
0x61, 0x72, 0x7a, 0x2e, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x69, 0x74, 0x2e, 0x61, 0x75, 0x64, 0x69,
0x74, 0x2e, 0x76, 0x31, 0x42, 0x12, 0x52, 0x6f, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x45, 0x76,
0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x0f, 0x2e, 0x2f, 0x61, 0x75,
0x64, 0x69, 0x74, 0x3b, 0x61, 0x75, 0x64, 0x69, 0x74, 0x56, 0x31, 0xa2, 0x02, 0x03, 0x41, 0x58,
0x58, 0xaa, 0x02, 0x08, 0x41, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x56, 0x31, 0xca, 0x02, 0x08, 0x41,
0x75, 0x64, 0x69, 0x74, 0x5c, 0x56, 0x31, 0xe2, 0x02, 0x14, 0x41, 0x75, 0x64, 0x69, 0x74, 0x5c,
0x56, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02,
0x09, 0x41, 0x75, 0x64, 0x69, 0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x33,
0x79, 0x70, 0x65, 0x22, 0xaf, 0x03, 0x0a, 0x12, 0x52, 0x6f, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65,
0x41, 0x75, 0x64, 0x69, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x6c, 0x0a, 0x0e, 0x6f, 0x70,
0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x42, 0x45, 0xba, 0x48, 0x42, 0xc8, 0x01, 0x01, 0x72, 0x3d, 0x32, 0x3b, 0x5e, 0x73,
0x74, 0x61, 0x63, 0x6b, 0x69, 0x74, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x30, 0x2d, 0x39, 0x2d,
0x5d, 0x2b, 0x5c, 0x2e, 0x76, 0x5b, 0x31, 0x2d, 0x39, 0x5d, 0x5b, 0x30, 0x2d, 0x39, 0x5d, 0x2a,
0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x30, 0x2d, 0x39, 0x2d, 0x5d, 0x2b, 0x5c, 0x2e, 0x5b, 0x61,
0x2d, 0x7a, 0x30, 0x2d, 0x39, 0x2d, 0x5d, 0x2b, 0x24, 0x52, 0x0d, 0x6f, 0x70, 0x65, 0x72, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a, 0x0a, 0x76, 0x69, 0x73, 0x69,
0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x14, 0x2e, 0x61,
0x75, 0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x56, 0x69, 0x73, 0x69, 0x62, 0x69, 0x6c, 0x69,
0x74, 0x79, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52,
0x0a, 0x76, 0x69, 0x73, 0x69, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x4f, 0x0a, 0x11, 0x6f,
0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72,
0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x76,
0x31, 0x2e, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69,
0x65, 0x72, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x10, 0x6f, 0x62, 0x6a, 0x65,
0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x10,
0x75, 0x6e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x64, 0x61, 0x74, 0x61,
0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x76,
0x31, 0x2e, 0x55, 0x6e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x44, 0x61, 0x74,
0x61, 0x48, 0x00, 0x52, 0x0f, 0x75, 0x6e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
0x44, 0x61, 0x74, 0x61, 0x12, 0x40, 0x0a, 0x0e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
0x64, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x61,
0x75, 0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
0x64, 0x44, 0x61, 0x74, 0x61, 0x48, 0x00, 0x52, 0x0d, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x42, 0x0d, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x05,
0xba, 0x48, 0x02, 0x08, 0x01, 0x2a, 0x57, 0x0a, 0x0a, 0x56, 0x69, 0x73, 0x69, 0x62, 0x69, 0x6c,
0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x16, 0x56, 0x49, 0x53, 0x49, 0x42, 0x49, 0x4c, 0x49, 0x54,
0x59, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12,
0x15, 0x0a, 0x11, 0x56, 0x49, 0x53, 0x49, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x50, 0x55,
0x42, 0x4c, 0x49, 0x43, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x56, 0x49, 0x53, 0x49, 0x42, 0x49,
0x4c, 0x49, 0x54, 0x59, 0x5f, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x10, 0x02, 0x42, 0x84,
0x01, 0x0a, 0x1c, 0x63, 0x6f, 0x6d, 0x2e, 0x73, 0x63, 0x68, 0x77, 0x61, 0x72, 0x7a, 0x2e, 0x73,
0x74, 0x61, 0x63, 0x6b, 0x69, 0x74, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x42,
0x12, 0x52, 0x6f, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x50, 0x72,
0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x0f, 0x2e, 0x2f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x3b, 0x61,
0x75, 0x64, 0x69, 0x74, 0x56, 0x31, 0xa2, 0x02, 0x03, 0x41, 0x58, 0x58, 0xaa, 0x02, 0x08, 0x41,
0x75, 0x64, 0x69, 0x74, 0x2e, 0x56, 0x31, 0xca, 0x02, 0x08, 0x41, 0x75, 0x64, 0x69, 0x74, 0x5c,
0x56, 0x31, 0xe2, 0x02, 0x14, 0x41, 0x75, 0x64, 0x69, 0x74, 0x5c, 0x56, 0x31, 0x5c, 0x47, 0x50,
0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x09, 0x41, 0x75, 0x64, 0x69,
0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (


@ -373,7 +373,7 @@ func (m *RoutableAuditEvent) validate(all bool) error {
var errors []error
// no validation rules for EventName
// no validation rules for OperationName
// no validation rules for Visibility


@ -1,7 +1,6 @@
syntax = "proto3";
import "buf/validate/validate.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";
@ -53,23 +52,24 @@ message AuditLogEntry {
// Sequence-Number: Increasing number, representing the message offset per Worker-Id
// If the Worker-Id changes, the sequence-number has to be reset to 0.
//
// NOTE: The ID will be masked by the SDK, applying the XOR Operation to not leak internal
// information to the customer
//
// Examples:
// "1721899117/eu01/319a7fb9-edd2-46c6-953a-a724bb377c61/8792726390909855142"
//
// Required: true
// TODO XOR
string insert_id = 3[
(buf.validate.field).required = true,
// TODO how do worker ids look like?
(buf.validate.field).string.pattern = "^[0-9]+/[a-z0-9]+/[a-z0-9-]+/[0-9]+$"
];
// A set of user-defined (key, value) data that provides additional
// information about the log entry.
//
// Required: true
map<string, string> labels = 4 [
(buf.validate.field).required = true
];
// Required: false
map<string, string> labels = 4;
// Correlate multiple audit logs by setting the same id
//
@ -125,36 +125,35 @@ message AuditLogEntry {
// standard severity levels listed below.
enum LogSeverity {
UNSPECIFIED = 0;
LOG_SEVERITY_UNSPECIFIED = 0;
// (1) The log entry has no assigned severity level.
// TODO check index
DEFAULT = 1;
LOG_SEVERITY_DEFAULT = 100;
// (100) Debug or trace information.
DEBUG = 100;
LOG_SEVERITY_DEBUG = 200;
// (200) Routine information, such as ongoing status or performance.
INFO = 200;
LOG_SEVERITY_INFO = 300;
// (300) Normal but significant events, such as start up, shut down, or
// a configuration change.
NOTICE = 300;
LOG_SEVERITY_NOTICE = 400;
// (400) Warning events might cause problems.
WARNING = 400;
LOG_SEVERITY_WARNING = 500;
// (500) Error events are likely to cause problems.
ERROR = 500;
LOG_SEVERITY_ERROR = 600;
// (600) Critical events cause more severe problems or outages.
CRITICAL = 600;
LOG_SEVERITY_CRITICAL = 700;
// (700) A person must take an action immediately.
ALERT = 700;
LOG_SEVERITY_ALERT = 800;
// (800) One or more systems are unusable.
EMERGENCY = 800;
LOG_SEVERITY_EMERGENCY = 900;
}
// Common audit log format for STACKIT API operations.
@ -171,7 +170,6 @@ message AuditLog {
(buf.validate.field).string.min_len = 1
];
// TODO rename into operation_name?
// The name of the service method or operation.
//
// Format: stackit.<product>.<version>.<singularType>.<operation>
@ -187,7 +185,7 @@ message AuditLog {
// "stackit.authorization.v2.folder.moved"
//
// Required: true
string method_name = 2 [
string operation_name = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.pattern = "^stackit\\.[a-z0-9-]+\\.v[1-9][0-9]*\\.[a-z0-9-]+\\.[a-z0-9-]+$"
];
@ -377,9 +375,10 @@ message AttributeContext {
// Format: <sub-claim>/<iss-claim>
// Where:
// Sub-Claim: Sub-Claim from JWT with `/` percent-encoded (url-encoded)
// Issuer-Claim: Iss-Claim from JWT with `/` percent-encoded (url-encoded)
//
// Examples:
// "https%3A%2F%2Faccounts.dev.stackit.cloud/stackit-resource-manager-dev"
// "stackit-resource-manager-dev/https%3A%2F%2Faccounts.dev.stackit.cloud"
//
// Required: true
string principal = 1 [
@ -392,7 +391,7 @@ message AttributeContext {
// to receive the credential.
//
// Examples:
// ["https://stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud", "stackit", "api"]
// ["stackit-resource-manager-dev", "stackit", "api"]
//
// Required: false
repeated string audiences = 2;
@ -400,22 +399,15 @@ message AttributeContext {
// Structured claims presented with the credential. JWTs include
// {"key": <value>} pairs for standard and private claims.
//
// The following is a subset of the standard required and optional claims that would
// typically be presented for a STACKIT JWT:
// The following is a subset of the standard required and optional claims that should
// typically be presented for a STACKIT JWT.
// Don't add other claims to not leak internal or personal information:
//
// {
// "aud": "https://stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
// "aud": "stackit-resource-manager-dev",
// "email": "max@mail.schwarz",
// "exp": 1721905449,
// "iat": 1721901849,
// "iss": "https://api.dev.stackit.cloud",
// "jti": "45a196e0-480f-4c34-a592-dc5db81c8c3a",
// "nbf": 1721900462,
// "roles": null,
// "sub": "cd94f01a-df2e-4456-902f-48f5e57f0b63",
// "user_id": "",
// "x_client_id": "",
// "zid": ""
// "jti": "45a196e0-480f-4c34-a592-dc5db81c8c3a"
// }
//
// Required: true
@ -424,6 +416,19 @@ message AttributeContext {
];
}
enum HttpMethod {
HTTP_METHOD_UNSPECIFIED = 0;
HTTP_METHOD_GET = 1;
HTTP_METHOD_HEAD = 2;
HTTP_METHOD_POST = 3;
HTTP_METHOD_PUT = 4;
HTTP_METHOD_DELETE = 5;
HTTP_METHOD_CONNECT = 6;
HTTP_METHOD_OPTIONS = 7;
HTTP_METHOD_TRACE = 8;
HTTP_METHOD_PATCH = 9;
}
// This message defines attributes for an HTTP request. If the actual
// request is not an HTTP request, the runtime system should try to map
// the actual request to an equivalent HTTP request.
@ -448,16 +453,19 @@ message AttributeContext {
// The HTTP request method, such as `GET`, `POST`.
//
// Required: true
// TODO does it make sense to define an enum?
string method = 2 [
HttpMethod method = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
(buf.validate.field).enum.defined_only = true
];
// The HTTP request headers. If multiple headers share the same key, they
// must be merged according to the HTTP spec. All header keys must be
// lowercased, because HTTP header keys are case-insensitive.
//
// Internal IP-Addresses have to be removed (e.g. in x-forwarded-xxx headers).
//
// TODO specify whitelist
//
// Required: true
map<string, string> headers = 3 [
(buf.validate.field).required = true
@ -525,7 +533,6 @@ message AttributeContext {
// This message defines attributes for a typical network response. It
// generally models semantics of an HTTP response.
// TODO do we need another status code attribute in the Response?
message Response {
// The HTTP response size in bytes.
@ -660,7 +667,7 @@ message ServiceAccountDelegationInfo {
// Entity that creates credentials for service account and assumes its
// identity for authentication.
oneof Authority {
oneof authority {
option (buf.validate.oneof).required = true;
// System identity
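Review bot: In the LogSeverity hunk the parenthesised numbers in the comments no longer match the values they annotate: `// (1) The log entry has no assigned severity level.` now sits above `LOG_SEVERITY_DEFAULT = 100;`, `// (100) Debug or trace information.` above `LOG_SEVERITY_DEBUG = 200;`, and so on through EMERGENCY. Shifting every value by one step is also a wire-level change: an already-serialized severity 100 that previously meant DEBUG now decodes as DEFAULT and 800 (EMERGENCY) as ALERT, so stored or in-flight entries from the previous schema are silently reclassified. If the renumbering is intentional, update each comment to its new value (`// (100) The log entry has no assigned severity level.`) and record the break in the enum's doc comment; otherwise keep the old numbers and only rename the constants. The enum's leading comment starts outside the hunk.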


@ -51,18 +51,17 @@ message UnencryptedData {
message RoutableAuditEvent {
// TODO rename to operation_name (equivalent to AuditLog.method_name)
// Functional event name with pattern
//
// Format: stackit.<product>.<version>.<type>.<operation>
//
// Examples:
// "stackit.resourcemanager.v1.organization.created"
// "stackit.resource-manager.v1.organization.created"
// "stackit.authorization.v2.organization.moved"
// "stackit.authorization.v2.folder.moved"
string event_name = 1 [
string operation_name = 1 [
(buf.validate.field).required = true,
(buf.validate.field).string.pattern = "^stackit\\.[a-z0-9]+\\.v[1-9][0-9]*\\.[a-z0-9]+\\.[a-z0-9]+$"
(buf.validate.field).string.pattern = "^stackit\\.[a-z0-9-]+\\.v[1-9][0-9]*\\.[a-z0-9-]+\\.[a-z0-9-]+$"
];
// Visibility relevant for differentiating between internal and public events
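Review bot: The comment above `string operation_name = 1 [` still reads `// Functional event name with pattern`, so after the rename the documentation describes the old field name; since the removed TODO said this field is the equivalent of AuditLog.operation_name, stating that explicitly would also help readers of the generated RoutableAuditEvent struct: `// Functional operation name (equivalent to AuditLog.operation_name) with pattern`. The pattern is now byte-identical to the one on AuditLog.operation_name in audit.proto, and a short note on both fields that the two patterns must be kept in sync would prevent them drifting apart again. The RoutableAuditEvent message continues outside the hunk.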