mirror of
https://dev.azure.com/schwarzit/schwarzit.stackit-public/_git/audit-go
synced 2026-02-08 00:57:24 +00:00
453 lines
22 KiB
Go
453 lines
22 KiB
Go
package api
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
"google.golang.org/protobuf/types/known/wrapperspb"
|
|
|
|
auditV1 "dev.azure.com/schwarzit/schwarzit.stackit-public/audit-go.git/gen/go/audit/v1"
|
|
|
|
"github.com/google/uuid"
|
|
"google.golang.org/protobuf/types/known/structpb"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
)
|
|
|
|
const clientCredentialsToken = "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOGJlZjc1LWRmY2QtNGE3My1hMzkxLTU0YTdhZjU3YTdkNiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3RhY2tpdC1yZXNvdXJjZS1tYW5hZ2VyLWRldiJdLCJjbGllbnRfaWQiOiJzdGFja2l0LXJlc291cmNlLW1hbmFnZXItZGV2IiwiZXhwIjoxNzI0NDA1MzI2LCJpYXQiOjE3MjQ0MDQ0MjYsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZGV2LnN0YWNraXQuY2xvdWQiLCJqdGkiOiJlNDZlYmEzOC1kZWRiLTQ1NDEtOTRmMy00OWY5N2E5MzRkNTgiLCJuYmYiOjE3MjQ0MDQ0MjYsInNjb3BlIjoidWFhLm5vbmUiLCJzdWIiOiJzdGFja2l0LXJlc291cmNlLW1hbmFnZXItZGV2In0.JP5Uy7AMdK4ukzQ6aOYzbVwEmq0Tp2ppQGRqGOhuVQgbqs6yJ33GKXo7RPsJVLw3FR7XAxENIVqNvzGotbDXr0NjBGdzyxIHzrOaUqM4w1iLzD1KF51dXFwkoigqDdD7Ze9eI_Uo3tSn8FwGLTSoO-ONQYpnceCiGut2Gc6VIL8HOLdh8dzlRENGQtgYd-3Y5zqpoLrsR2Bd-0sv15sF-5aI0CqcC8gE70JPImKf2u_IYI-TYMDNk86YSCtaYO5-alOrHXXWwgzSoH-r2s5qoOhPbei9myV_P4fdcKXxMqfap9hImXPUooVhpdUr1AabZw3MtW7rION8tJAiauhMQA"
|
|
const serviceAccountTokenRepeatedlyImpersonated = "Bearer eyJraWQiOiJaVFJqWlRNek5tSmlNRGt3TldJMU5USTRZVGxpT1RjMllUWXlZVE16WldNIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiIxNzM0YjRiNi0xZDVlLTQ4MTktOWI1MC0yOTkxN2ExYjlhZDUiLCJpc3MiOiJzdGFja2l0L3NlcnZpY2VhY2NvdW50IiwiYXVkIjpbInN0YWNraXQiLCJhcGkiXSwic3RhY2tpdC9zZXJ2aWNlYWNjb3VudC90b2tlbi5zb3VyY2UiOiJvYXV0aDIiLCJhY3QiOnsic3ViIjoiZjQ1MDA5YjItNjQzMy00M2MxLWI2YzctNjE4YzQ0MzU5ZTcxIiwiYWN0Ijp7InN1YiI6IjAyYWVmNTE2LTMxN2YtNGVjMS1hMWRmLTFhY2JkNGQ0OWZlMyJ9fSwic3RhY2tpdC9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJhcGkiLCJzdGFja2l0L3Byb2plY3QvcHJvamVjdC5pZCI6ImRhY2M3ODMwLTg0M2UtNGM1ZS04NmZmLWFhMGZiNTFkNjM2ZiIsImF6cCI6ImY0NTAwOWIyLTY0MzMtNDNjMS1iNmM3LTYxOGM0NDM1OWU3MSIsInN0YWNraXQvc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjE3MzRiNGI2LTFkNWUtNDgxOS05YjUwLTI5OTE3YTFiOWFkNSIsImV4cCI6MTcyNDA2Mjk2MywiaWF0IjoxNzI0MDU5MzYzLCJlbWFpbCI6InNlcnZpY2UtYWNjb3VudC0zLWZnaHN4dzFAc2Euc3RhY2tpdC5jbG91ZCIsImp0aSI6IjFmN2YxZWZjLTMzNDktNDExYS1hNWQ3LTIyNTVlMGE1YThhZSJ9.c1ae17bAtyOdmwXQbK37W-NTyOxo7iER5aHS_C0fU1qKl2BjOz708GLjH-_vxx9eKPeYznfI21_xlTaAvuG4Aco9f5YDK7fooTVHnDaOSSggqcEaDzDPrNXhhKEDxotJeq9zRMVCEStcbirjTounnLbuULRbO5GSY5jo-8n2UKxSZ2j5G_SjFHajdJwmzwvOttp08tdL8ck1uDdgVNBfcm0VIdb6WmgrCIUq5rmoa-cRPkdEurNtIEgEB_9U0Xh-SpmmsvFsWWeNIKz0e_5RCIyJonm_wMkGmblGegemkYL76ypeMNXTQsly1RozDIePfzHuZOWbySHSCd-vKQa2kw"
|
|
const serviceAccountTokenImpersonated = "Bearer eyJraWQiOiJaVFJqWlRNek5tSmlNRGt3TldJMU5USTRZVGxpT1RjMllUWXlZVE16WldNIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJmNDUwMDliMi02NDMzLTQzYzEtYjZjNy02MThjNDQzNTllNzEiLCJpc3MiOiJzdGFja2l0L3NlcnZpY2VhY2NvdW50IiwiYXVkIjpbInN0YWNraXQiLCJhcGkiXSwic3RhY2tpdC9zZXJ2aWNlYWNjb3VudC90b2tlbi5zb3VyY2UiOiJvYXV0aDIiLCJhY3QiOnsic3ViIjoiMDJhZWY1MTYtMzE3Zi00ZWMxLWExZGYtMWFjYmQ0ZDQ5ZmUzIn0sInN0YWNraXQvc2VydmljZWFjY291bnQvbmFtZXNwYWNlIjoiYXBpIiwic3RhY2tpdC9wcm9qZWN0L3Byb2plY3QuaWQiOiJkYWNjNzgzMC04NDNlLTRjNWUtODZmZi1hYTBmYjUxZDYzNmYiLCJhenAiOiIwMmFlZjUxNi0zMTdmLTRlYzEtYTFkZi0xYWNiZDRkNDlmZTMiLCJzdGFja2l0L3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmNDUwMDliMi02NDMzLTQzYzEtYjZjNy02MThjNDQzNTllNzEiLCJleHAiOjE3MjQwNjI5MDcsImlhdCI6MTcyNDA1OTMwNywiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtMi10ajlzcnQxQHNhLnN0YWNraXQuY2xvdWQiLCJqdGkiOiIzNzU1NTE4My0wMWI5LTQyNzAtYmRjMS02OWI0ZmNmZDVlZTkifQ.auBvvsIesFMAlWOCPCPC77DrrHF7gSKZwKs_Zry5KFvu2bpZZC1BcSXOc8b9eh0SzANI9M9aGJBhOzOm39-ZZ5XOQ-6_y1aWuEenYQ6kT5D3GzCUTMDzSi1lcZ4IG5nFMa_AAlVEN_7AMv7LHGtz49bWLJnAgeTo1cvof-OgP4mCQ5O6E0iyAq-5u8V8NJL7HIZy7BDe4J1mjfYhwKagrN7QFWu4fhN4TNS7d922X_6V489BhjRFRYjLW_qDnv912JorbGRz_XwNy_dPA81EkdMyKE0BJUezguJUEKEG2_JEi9O64Flcoi6x8cFHYhaDuMMSLipzePaHdyk2lQtH7Q"
|
|
const serviceAccountToken = "Bearer eyJraWQiOiJaVFJqWlRNek5tSmlNRGt3TldJMU5USTRZVGxpT1RjMllUWXlZVE16WldNIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiIxMGYzOGIwMS01MzRiLTQ3YmItYTAzYS1lMjk0Y2EyYmU0ZGUiLCJhdWQiOlsic3RhY2tpdCIsImFwaSJdLCJzdGFja2l0L3NlcnZpY2VhY2NvdW50L3Rva2VuLnNvdXJjZSI6ImxlZ2FjeSIsInN0YWNraXQvc2VydmljZWFjY291bnQvbmFtZXNwYWNlIjoiYXBpIiwic3RhY2tpdC9wcm9qZWN0L3Byb2plY3QuaWQiOiJkYWNjNzgzMC04NDNlLTRjNWUtODZmZi1hYTBmYjUxZDYzNmYiLCJhenAiOiJjZDk0ZjAxYS1kZjJlLTQ0NTYtOTAyZS00OGY1ZTU3ZjBiNjMiLCJpc3MiOiJzdGFja2l0L3NlcnZpY2VhY2NvdW50Iiwic3RhY2tpdC9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTBmMzhiMDEtNTM0Yi00N2JiLWEwM2EtZTI5NGNhMmJlNGRlIiwiZXhwIjoxNzIyNjY5MzQzLCJpYXQiOjE3MjI1ODI5NDMsImVtYWlsIjoibXktc2VydmljZS15aWZjOWUxQHNhLnN0YWNraXQuY2xvdWQiLCJqdGkiOiI4NGMzMGE0Ni0xMDAxLTQzNmYtODU5Zi04OWMwYmExOWJlMWUifQ.hb8X9VKc9xViHgNMyFHT9ePj_lyEwTV1D2es8E278WtoCJ9-4GPPQGjhcLGGrigjnvpRYV2LKzNqpQslerT5lFT_pHACsryaAE0ImYjmoe-nutA7BBpYuM_JN6pk5VIjVFLTqRKeIvFexPacqS2Vo3YoK1GvxPB8WPWBbGIsBtMl-PTm8OTwwzooBOoCRhhMR-E1lFbAymLsc1JI4yDQKLLomvhEopgmocCnQ-P1QkiKMqdkNxiD_YYLLYTOApg6d62BhqpH66ziqx493AStdZ8d5Kjvf3e1knDhaxVwNCghQj7lSo2kNAqZe__g2tiXpiZNTXBFJ_5HgQMLh67wng"
|
|
const userToken = "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOGJlZjc1LWRmY2QtNGE3My1hMzkxLTU0YTdhZjU3YTdkNiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3RhY2tpdC1wb3J0YWwtbG9naW4tZGV2LWNsaWVudC1pZCJdLCJjbGllbnRfaWQiOiJzdGFja2l0LXBvcnRhbC1sb2dpbi1kZXYtY2xpZW50LWlkIiwiZW1haWwiOiJDaHJpc3RpYW4uU2NoYWlibGVAbm92YXRlYy1nbWJoLmRlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MTcyMjU5MDM2NywiaWF0IjoxNzIyNTg2NzY3LCJpc3MiOiJodHRwczovL2FjY291bnRzLmRldi5zdGFja2l0LmNsb3VkIiwianRpIjoiZDczYTY3YWMtZDFlYy00YjU1LTk5ZDQtZTk1MzI3NWYwMjJhIiwibmJmIjoxNzIyNTg2NzY3LCJzY29wZSI6Im9wZW5pZCBlbWFpbCIsInN1YiI6ImNkOTRmMDFhLWRmMmUtNDQ1Ni05MDJlLTQ4ZjVlNTdmMGI2MyJ9.ajhjYbC5l5g7un9NSheoAwBT83YcZM91rH4DJxPTDsB78HzIVrmaKTPrK3AI_E1THlD2Z3_ot9nFr_eX7XcwWp_ZBlataKmakdXlAmeb4xSMGNYefIfzV_3w9ZZAZ66yoeTrtn8dUx5ezquenCYpctB1NcccmK4U09V0kNcq9dFcfF3Sg9YilF3orUCR0ql1d9RnOs3EiFZuUpdBEkyoVsAdSh2P-PRbNViR_FgCcAJem97TsN5CQc9RlvKYe4sYKgqQoqa2GDVi9Niiw3fe1V8SCnROYcpkOzBBWdvuzFMBUjln3uOogYVOz93xkmImV6jidgyQ70fLt-eDUmZZfg"
|
|
const userTokenWithSimpleAudience = "Bearer eyJhbGciOiJSUzUxMiIsImtpZCI6InNlcnZpY2UtYWNjb3VudC1mMDdiZjZhOC02MjA3LTRmOGItYjNlOS03M2VkMGJlYjg4ZjUiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL3N0YWNraXQtc2VydmljZS1hY2NvdW50LWRldi5hcHBzLjAxLmNmLmV1MDEuc3RhY2tpdC5jbG91ZCIsImVtYWlsIjoiTHVrYXMuU2NobWl0dEBzdGFja2l0LmNsb3VkIiwiZXhwIjoxNzMyMTgyMDM1LCJpYXQiOjE3MzIxNzg0MzUsImlzcyI6Imh0dHBzOi8vYXBpLmRldi5zdGFja2l0LmNsb3VkIiwianRpIjoiYzJiZTE2NTEtMWU1NC00ZTZlLWJhYzMtZWYwNzJiM2YwMTQ5IiwibmJmIjoxNzMyMTc4NDE4LCJyb2xlcyI6bnVsbCwic2NvcGUiOiJvcGVuaWQgZW1haWwgcG9ydGFsLWJmZiIsInN1YiI6IjVlNDI2YWVkLWM0ODctNGM0OC1hZjI1LTg3ZjY5Y2Y5Y2RkNCIsInVzZXJfaWQiOiIiLCJ4X2NsaWVudF9pZCI6IiIsInppZCI6IiJ9.notavailable"
|
|
|
|
var TestHeaders = map[string][]string{"user-agent": {"custom"}, "authorization": {userToken}}
|
|
|
|
func newOrganizationAuditEvent(
|
|
customization *func(
|
|
*auditV1.AuditLogEntry,
|
|
*auditV1.ObjectIdentifier,
|
|
)) (
|
|
*auditV1.AuditLogEntry,
|
|
*auditV1.ObjectIdentifier,
|
|
) {
|
|
|
|
identifier := uuid.New()
|
|
permission := "resourcemanager.organization.edit"
|
|
permissionGranted := true
|
|
requestId := fmt.Sprintf("%s/1", identifier)
|
|
claims, _ := structpb.NewStruct(map[string]interface{}{})
|
|
correlationId := "cad100e2-e139-43b9-8c3b-335731e032bc"
|
|
headers := make(map[string]string)
|
|
headers["Content-Type"] = "application/json"
|
|
labels := make(map[string]string)
|
|
labels["label1"] = "value1"
|
|
auditEvent := &auditV1.AuditLogEntry{
|
|
LogName: fmt.Sprintf("%s/%s/logs/%s", ObjectTypeOrganization.Plural(), identifier, EventTypeAdminActivity),
|
|
ProtoPayload: &auditV1.AuditLog{
|
|
ServiceName: "resource-manager",
|
|
OperationName: "stackit.resourcemanager.v2.organization.created",
|
|
ResourceName: fmt.Sprintf("%s/%s", ObjectTypeOrganization.Plural(), identifier),
|
|
AuthenticationInfo: &auditV1.AuthenticationInfo{
|
|
PrincipalId: uuid.NewString(),
|
|
PrincipalEmail: "user@example.com",
|
|
ServiceAccountName: nil,
|
|
ServiceAccountDelegationInfo: nil,
|
|
},
|
|
AuthorizationInfo: []*auditV1.AuthorizationInfo{{
|
|
Resource: fmt.Sprintf("%s/%s", ObjectTypeOrganization.Plural(), identifier),
|
|
Permission: &permission,
|
|
Granted: &permissionGranted,
|
|
}},
|
|
RequestMetadata: &auditV1.RequestMetadata{
|
|
CallerIp: "127.0.0.1",
|
|
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
|
|
RequestAttributes: &auditV1.AttributeContext_Request{
|
|
Id: &requestId,
|
|
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
|
|
Headers: headers,
|
|
Path: "/v2/organizations",
|
|
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
|
|
Scheme: "https",
|
|
Query: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
Protocol: "http/1.1",
|
|
Auth: &auditV1.AttributeContext_Auth{
|
|
Principal: "https%3A%2F%2Faccounts.dev.stackit.cloud/stackit-resource-manager-dev",
|
|
Audiences: []string{"https:// stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud", "stackit", "api"},
|
|
Claims: claims,
|
|
},
|
|
},
|
|
},
|
|
Request: nil,
|
|
ResponseMetadata: &auditV1.ResponseMetadata{
|
|
StatusCode: wrapperspb.Int32(200),
|
|
ErrorMessage: nil,
|
|
ErrorDetails: nil,
|
|
ResponseAttributes: &auditV1.AttributeContext_Response{
|
|
NumResponseItems: nil,
|
|
Size: nil,
|
|
Headers: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
},
|
|
},
|
|
Response: nil,
|
|
Metadata: nil,
|
|
},
|
|
InsertId: fmt.Sprintf("%d/eu01/e72182e8-0bb9-4be2-a19f-87fc0dd6e738/00000000001", time.Now().UnixNano()),
|
|
Labels: labels,
|
|
CorrelationId: &correlationId,
|
|
Timestamp: timestamppb.New(time.Now()),
|
|
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
|
|
}
|
|
|
|
objectIdentifier := &auditV1.ObjectIdentifier{
|
|
Identifier: identifier.String(),
|
|
Type: string(ObjectTypeOrganization),
|
|
}
|
|
|
|
if customization != nil {
|
|
(*customization)(auditEvent, objectIdentifier)
|
|
}
|
|
|
|
return auditEvent, objectIdentifier
|
|
}
|
|
|
|
func newFolderAuditEvent(
|
|
customization *func(
|
|
*auditV1.AuditLogEntry,
|
|
*auditV1.ObjectIdentifier,
|
|
)) (
|
|
*auditV1.AuditLogEntry,
|
|
*auditV1.ObjectIdentifier,
|
|
) {
|
|
|
|
identifier := uuid.New()
|
|
permission := "resourcemanager.folder.edit"
|
|
permissionGranted := true
|
|
requestId := fmt.Sprintf("%s/1", identifier)
|
|
claims, _ := structpb.NewStruct(map[string]interface{}{})
|
|
correlationId := "9c71cedf-ca52-4f9c-a519-ed006e810cdd"
|
|
headers := make(map[string]string)
|
|
headers["Content-Type"] = "application/json"
|
|
labels := make(map[string]string)
|
|
labels["label1"] = "value1"
|
|
auditEvent := &auditV1.AuditLogEntry{
|
|
LogName: fmt.Sprintf("%s/%s/logs/%s", ObjectTypeFolder.Plural(), identifier, EventTypeAdminActivity),
|
|
ProtoPayload: &auditV1.AuditLog{
|
|
ServiceName: "resource-manager",
|
|
OperationName: "stackit.resourcemanager.v2.folder.created",
|
|
ResourceName: fmt.Sprintf("%s/%s", ObjectTypeFolder.Plural(), identifier),
|
|
AuthenticationInfo: &auditV1.AuthenticationInfo{
|
|
PrincipalId: uuid.NewString(),
|
|
PrincipalEmail: "user@example.com",
|
|
ServiceAccountName: nil,
|
|
ServiceAccountDelegationInfo: nil,
|
|
},
|
|
AuthorizationInfo: []*auditV1.AuthorizationInfo{{
|
|
Resource: fmt.Sprintf("%s/%s", ObjectTypeFolder.Plural(), identifier),
|
|
Permission: &permission,
|
|
Granted: &permissionGranted,
|
|
}},
|
|
RequestMetadata: &auditV1.RequestMetadata{
|
|
CallerIp: "127.0.0.1",
|
|
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
|
|
RequestAttributes: &auditV1.AttributeContext_Request{
|
|
Id: &requestId,
|
|
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
|
|
Headers: headers,
|
|
Path: "/v2/folders",
|
|
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
|
|
Scheme: "https",
|
|
Query: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
Protocol: "http/1.1",
|
|
Auth: &auditV1.AttributeContext_Auth{
|
|
Principal: "https%3A%2F%2Faccounts.dev.stackit.cloud/stackit-resource-manager-dev",
|
|
Audiences: []string{"https:// stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud", "stackit", "api"},
|
|
Claims: claims,
|
|
},
|
|
},
|
|
},
|
|
Request: nil,
|
|
ResponseMetadata: &auditV1.ResponseMetadata{
|
|
StatusCode: wrapperspb.Int32(200),
|
|
ErrorMessage: nil,
|
|
ErrorDetails: nil,
|
|
ResponseAttributes: &auditV1.AttributeContext_Response{
|
|
NumResponseItems: nil,
|
|
Size: nil,
|
|
Headers: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
},
|
|
},
|
|
Response: nil,
|
|
Metadata: nil,
|
|
},
|
|
InsertId: fmt.Sprintf("%d/eu01/e72182e8-0bb9-4be2-a19f-87fc0dd6e738/00000000001", time.Now().UnixNano()),
|
|
Labels: labels,
|
|
CorrelationId: &correlationId,
|
|
Timestamp: timestamppb.New(time.Now()),
|
|
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
|
|
}
|
|
|
|
objectIdentifier := &auditV1.ObjectIdentifier{
|
|
Identifier: identifier.String(),
|
|
Type: string(ObjectTypeFolder),
|
|
}
|
|
|
|
if customization != nil {
|
|
(*customization)(auditEvent, objectIdentifier)
|
|
}
|
|
|
|
return auditEvent, objectIdentifier
|
|
}
|
|
|
|
func newProjectAuditEvent(
|
|
customization *func(
|
|
*auditV1.AuditLogEntry,
|
|
*auditV1.ObjectIdentifier,
|
|
)) (
|
|
*auditV1.AuditLogEntry,
|
|
*auditV1.ObjectIdentifier,
|
|
) {
|
|
|
|
identifier := uuid.New()
|
|
permission := "resourcemanager.project.edit"
|
|
permissionGranted := true
|
|
requestId := fmt.Sprintf("%s/1", identifier)
|
|
claims, _ := structpb.NewStruct(map[string]interface{}{})
|
|
correlationId := "14d5b611-ccce-4cfa-9085-9ccbfccce3cb"
|
|
headers := make(map[string]string)
|
|
headers["Content-Type"] = "application/json"
|
|
labels := make(map[string]string)
|
|
labels["label1"] = "value1"
|
|
auditEvent := &auditV1.AuditLogEntry{
|
|
LogName: fmt.Sprintf("%s/%s/logs/%s", ObjectTypeProject.Plural(), identifier, EventTypeAdminActivity),
|
|
ProtoPayload: &auditV1.AuditLog{
|
|
ServiceName: "resource-manager",
|
|
OperationName: "stackit.resourcemanager.v2.project.created",
|
|
ResourceName: fmt.Sprintf("%s/%s", ObjectTypeProject.Plural(), identifier),
|
|
AuthenticationInfo: &auditV1.AuthenticationInfo{
|
|
PrincipalId: uuid.NewString(),
|
|
PrincipalEmail: "user@example.com",
|
|
ServiceAccountName: nil,
|
|
ServiceAccountDelegationInfo: nil,
|
|
},
|
|
AuthorizationInfo: []*auditV1.AuthorizationInfo{{
|
|
Resource: fmt.Sprintf("%s/%s", ObjectTypeProject.Plural(), identifier),
|
|
Permission: &permission,
|
|
Granted: &permissionGranted,
|
|
}},
|
|
RequestMetadata: &auditV1.RequestMetadata{
|
|
CallerIp: "127.0.0.1",
|
|
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
|
|
RequestAttributes: &auditV1.AttributeContext_Request{
|
|
Id: &requestId,
|
|
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
|
|
Headers: headers,
|
|
Path: "/v2/projects",
|
|
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
|
|
Scheme: "https",
|
|
Query: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
Protocol: "http/1.1",
|
|
Auth: &auditV1.AttributeContext_Auth{
|
|
Principal: "https%3A%2F%2Faccounts.dev.stackit.cloud/stackit-resource-manager-dev",
|
|
Audiences: []string{"https:// stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud", "stackit", "api"},
|
|
Claims: claims,
|
|
},
|
|
},
|
|
},
|
|
Request: nil,
|
|
ResponseMetadata: &auditV1.ResponseMetadata{
|
|
StatusCode: wrapperspb.Int32(200),
|
|
ErrorMessage: nil,
|
|
ErrorDetails: nil,
|
|
ResponseAttributes: &auditV1.AttributeContext_Response{
|
|
NumResponseItems: nil,
|
|
Size: nil,
|
|
Headers: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
},
|
|
},
|
|
Response: nil,
|
|
Metadata: nil,
|
|
},
|
|
InsertId: fmt.Sprintf("%d/eu01/e72182e8-0bb9-4be2-a19f-87fc0dd6e738/00000000001", time.Now().UnixNano()),
|
|
Labels: labels,
|
|
CorrelationId: &correlationId,
|
|
Timestamp: timestamppb.New(time.Now()),
|
|
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
|
|
}
|
|
|
|
objectIdentifier := &auditV1.ObjectIdentifier{
|
|
Identifier: identifier.String(),
|
|
Type: string(ObjectTypeProject),
|
|
}
|
|
|
|
if customization != nil {
|
|
(*customization)(auditEvent, objectIdentifier)
|
|
}
|
|
|
|
return auditEvent, objectIdentifier
|
|
}
|
|
|
|
func newProjectSystemAuditEvent(
|
|
customization *func(*auditV1.AuditLogEntry)) *auditV1.AuditLogEntry {
|
|
|
|
identifier := uuid.New()
|
|
requestId := fmt.Sprintf("%s/1", identifier)
|
|
claims, _ := structpb.NewStruct(map[string]interface{}{})
|
|
correlationId := "9b5a8e9b-32a0-435f-b97b-a9a42b9e016b"
|
|
headers := make(map[string]string)
|
|
headers["Content-Type"] = "application/json"
|
|
labels := make(map[string]string)
|
|
labels["label1"] = "value1"
|
|
serviceAccountId := uuid.NewString()
|
|
serviceAccountName := fmt.Sprintf("projects/%s/service-accounts/%s", identifier, serviceAccountId)
|
|
delegationPrincipal := auditV1.ServiceAccountDelegationInfo{Authority: &auditV1.ServiceAccountDelegationInfo_SystemPrincipal_{}}
|
|
auditEvent := &auditV1.AuditLogEntry{
|
|
LogName: fmt.Sprintf("%s/%s/logs/%s", SystemIdentifier.Type, SystemIdentifier.Identifier, EventTypeSystemEvent),
|
|
ProtoPayload: &auditV1.AuditLog{
|
|
ServiceName: "resource-manager",
|
|
OperationName: "stackit.resourcemanager.v2.system.changed",
|
|
ResourceName: fmt.Sprintf("%s/%s", ObjectTypeProject.Plural(), identifier),
|
|
AuthenticationInfo: &auditV1.AuthenticationInfo{
|
|
PrincipalId: serviceAccountId,
|
|
PrincipalEmail: "service-account@sa.stackit.cloud",
|
|
ServiceAccountName: &serviceAccountName,
|
|
ServiceAccountDelegationInfo: []*auditV1.ServiceAccountDelegationInfo{&delegationPrincipal},
|
|
},
|
|
AuthorizationInfo: []*auditV1.AuthorizationInfo{{
|
|
Resource: fmt.Sprintf("%s/%s", ObjectTypeProject.Plural(), identifier),
|
|
Permission: nil,
|
|
Granted: nil,
|
|
}},
|
|
RequestMetadata: &auditV1.RequestMetadata{
|
|
CallerIp: "127.0.0.1",
|
|
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
|
|
RequestAttributes: &auditV1.AttributeContext_Request{
|
|
Id: &requestId,
|
|
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
|
|
Headers: headers,
|
|
Path: "/v2/projects",
|
|
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
|
|
Scheme: "https",
|
|
Query: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
Protocol: "http/1.1",
|
|
Auth: &auditV1.AttributeContext_Auth{
|
|
Principal: "https%3A%2F%2Faccounts.dev.stackit.cloud/stackit-resource-manager-dev",
|
|
Audiences: []string{"https:// stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud", "stackit", "api"},
|
|
Claims: claims,
|
|
},
|
|
},
|
|
},
|
|
Request: nil,
|
|
ResponseMetadata: &auditV1.ResponseMetadata{
|
|
StatusCode: wrapperspb.Int32(200),
|
|
ErrorMessage: nil,
|
|
ErrorDetails: nil,
|
|
ResponseAttributes: &auditV1.AttributeContext_Response{
|
|
NumResponseItems: nil,
|
|
Size: nil,
|
|
Headers: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
},
|
|
},
|
|
Response: nil,
|
|
Metadata: nil,
|
|
},
|
|
InsertId: fmt.Sprintf("%d/eu01/e72182e8-0bb9-4be2-a19f-87fc0dd6e738/00000000001", time.Now().UnixNano()),
|
|
Labels: labels,
|
|
CorrelationId: &correlationId,
|
|
Timestamp: timestamppb.New(time.Now()),
|
|
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
|
|
}
|
|
|
|
if customization != nil {
|
|
(*customization)(auditEvent)
|
|
}
|
|
|
|
return auditEvent
|
|
}
|
|
|
|
func newSystemAuditEvent(
|
|
customization *func(*auditV1.AuditLogEntry)) *auditV1.AuditLogEntry {
|
|
|
|
identifier := uuid.Nil
|
|
requestId := fmt.Sprintf("%s/1", identifier)
|
|
claims, _ := structpb.NewStruct(map[string]interface{}{})
|
|
correlationId := "14d5b611-ccce-4cfa-9085-9ccbfccce3cb"
|
|
headers := make(map[string]string)
|
|
headers["Content-Type"] = "application/json"
|
|
labels := make(map[string]string)
|
|
labels["label1"] = "value1"
|
|
serviceAccountId := uuid.NewString()
|
|
serviceAccountName := fmt.Sprintf("projects/%s/service-accounts/%s", identifier, serviceAccountId)
|
|
delegationPrincipal := auditV1.ServiceAccountDelegationInfo{Authority: &auditV1.ServiceAccountDelegationInfo_SystemPrincipal_{}}
|
|
auditEvent := &auditV1.AuditLogEntry{
|
|
LogName: fmt.Sprintf("%s/%s/logs/%s", ObjectTypeSystem.Plural(), identifier, EventTypeSystemEvent),
|
|
ProtoPayload: &auditV1.AuditLog{
|
|
ServiceName: "resource-manager",
|
|
OperationName: "stackit.resourcemanager.v2.system.changed",
|
|
ResourceName: fmt.Sprintf("%s/%s", ObjectTypeSystem.Plural(), identifier),
|
|
AuthenticationInfo: &auditV1.AuthenticationInfo{
|
|
PrincipalId: serviceAccountId,
|
|
PrincipalEmail: "service-account@sa.stackit.cloud",
|
|
ServiceAccountName: &serviceAccountName,
|
|
ServiceAccountDelegationInfo: []*auditV1.ServiceAccountDelegationInfo{&delegationPrincipal},
|
|
},
|
|
AuthorizationInfo: []*auditV1.AuthorizationInfo{{
|
|
Resource: fmt.Sprintf("%s/%s", ObjectTypeSystem.Plural(), identifier),
|
|
Permission: nil,
|
|
Granted: nil,
|
|
}},
|
|
RequestMetadata: &auditV1.RequestMetadata{
|
|
CallerIp: "127.0.0.1",
|
|
CallerSuppliedUserAgent: "OpenAPI-Generator/ 1.0.0/ go",
|
|
RequestAttributes: &auditV1.AttributeContext_Request{
|
|
Id: &requestId,
|
|
Method: auditV1.AttributeContext_HTTP_METHOD_POST,
|
|
Headers: headers,
|
|
Path: "/v2/projects",
|
|
Host: "stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud",
|
|
Scheme: "https",
|
|
Query: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
Protocol: "http/1.1",
|
|
Auth: &auditV1.AttributeContext_Auth{
|
|
Principal: "https%3A%2F%2Faccounts.dev.stackit.cloud/stackit-resource-manager-dev",
|
|
Audiences: []string{"https:// stackit-resource-manager-dev.apps.01.cf.eu01.stackit.cloud", "stackit", "api"},
|
|
Claims: claims,
|
|
},
|
|
},
|
|
},
|
|
Request: nil,
|
|
ResponseMetadata: &auditV1.ResponseMetadata{
|
|
StatusCode: wrapperspb.Int32(200),
|
|
ErrorMessage: nil,
|
|
ErrorDetails: nil,
|
|
ResponseAttributes: &auditV1.AttributeContext_Response{
|
|
NumResponseItems: nil,
|
|
Size: nil,
|
|
Headers: nil,
|
|
Time: timestamppb.New(time.Now().UTC()),
|
|
},
|
|
},
|
|
Response: nil,
|
|
Metadata: nil,
|
|
},
|
|
InsertId: fmt.Sprintf("%d/eu01/e72182e8-0bb9-4be2-a19f-87fc0dd6e738/00000000001", time.Now().UnixNano()),
|
|
Labels: labels,
|
|
CorrelationId: &correlationId,
|
|
Timestamp: timestamppb.New(time.Now()),
|
|
Severity: auditV1.LogSeverity_LOG_SEVERITY_DEFAULT,
|
|
}
|
|
|
|
if customization != nil {
|
|
(*customization)(auditEvent)
|
|
}
|
|
|
|
return auditEvent
|
|
}
|