for #2 added success and failure logging

TremoloSecurity · mlbiam · Dec 16, 2021 · Nov 21, 2021 · Nov 21, 2021 · Nov 21, 2021
commit 64ee2d8f8a28c60836295af2a20f96a37a575eac
diff --git a/pkg/proxy/handlers.go b/pkg/proxy/handlers.go
@@ -165,18 +165,23 @@ func (p *Proxy) withImpersonateRequest(handler http.Handler) http.Handler {
 
 // newErrorHandler returns a handler failed requests.
 func (p *Proxy) newErrorHandler() func(rw http.ResponseWriter, r *http.Request, err error) {
+
 	unauthedHandler := audit.NewUnauthenticatedHandler(p.auditor, func(rw http.ResponseWriter, r *http.Request) {
 		klog.V(2).Infof("unauthenticated user request %s", r.RemoteAddr)
 		http.Error(rw, "Unauthorized", http.StatusUnauthorized)
 	})
 
 	return func(rw http.ResponseWriter, r *http.Request, err error) {
+
 		if err == nil {
 			klog.Error("error was called with no error")
 			http.Error(rw, "", http.StatusInternalServerError)
 			return
 		}
 
+		// regardless of reason, log failed auth
+		p.logFailedRequest(r)
+
 		switch err {
 
 		// Failed auth

diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -28,6 +28,7 @@ import (
 
 const (
 	UserHeaderClientIPKey = "Remote-Client-IP"
+	timestampLayout       = "2006-01-02T15:04:05-0700"
 )
 
 var (
@@ -216,10 +217,43 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Set up impersonation request.
 	rt := transport.NewImpersonatingRoundTripper(*conf, p.clientTransport)
 
+	// Log the request
+	p.logSuccessfulRequest(req, conf)
+
 	// Push request through round trippers to the API server.
 	return rt.RoundTrip(req)
 }
 
+// logs the request
+func (p *Proxy) logSuccessfulRequest(req *http.Request, conf *transport.ImpersonationConfig) {
+	remoteAddr := req.RemoteAddr
+	indexOfColon := strings.Index(remoteAddr, ":")
+	if indexOfColon > 0 {
+		remoteAddr = remoteAddr[0:indexOfColon]
+	}
+
+	inboundExtras := ""
+
+	if conf.Extra != nil {
+		for key, value := range conf.Extra {
+			inboundExtras += key + "=" + strings.Join(value, "|") + " "
+		}
+	}
+
+	fmt.Printf("[%s] AuSuccess src:[%s / % s] URI:%s inbound:[%s / %s /%s]\n", time.Now().Format(timestampLayout), remoteAddr, req.Header.Get(("x-forwarded-for")), req.RequestURI, conf.UserName, strings.Join(conf.Groups, "|"), inboundExtras)
+}
+
+// logs the failed request
+func (p *Proxy) logFailedRequest(req *http.Request) {
+	remoteAddr := req.RemoteAddr
+	indexOfColon := strings.Index(remoteAddr, ":")
+	if indexOfColon > 0 {
+		remoteAddr = remoteAddr[0:indexOfColon]
+	}
+
+	fmt.Printf("[%s] AuFail src:[%s / % s] URI:%s\n", time.Now().Format(timestampLayout), remoteAddr, req.Header.Get(("x-forwarded-for")), req.RequestURI)
+}
+
 func (p *Proxy) reviewToken(rw http.ResponseWriter, req *http.Request) bool {
 	var remoteAddr string
 	req, remoteAddr = context.RemoteAddr(req)