fix: add attributes for better logging (#897)

* fix: add attributes for better logging * add userRole info to audit logs
awslabs · Feb 2, 2022 · 0a3ea5c · 0a3ea5c
1 parent 4c652a2
commit 0a3ea5c
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 8 deletions.
diff --git a/addons/addon-base-rest-api/packages/base-controllers/lib/middlewares/prepare-context.js b/addons/addon-base-rest-api/packages/base-controllers/lib/middlewares/prepare-context.js
@@ -14,6 +14,7 @@
  */
 
 const RequestContext = require('@aws-ee/base-services-container/lib/request-context');
+const _ = require('lodash');
 
 async function configure(context) {
   const router = context.router();
@@ -38,6 +39,7 @@ async function configure(context) {
       requestContext.authenticated = authenticated;
       requestContext.principal = user;
       requestContext.principalIdentifier = { uid };
+      requestContext.ipAddress = getRemoteIpAddress(req);
 
       return next();
     }),
@@ -46,4 +48,15 @@ async function configure(context) {
   return router;
 }
 
+function getRemoteIpAddress(req) {
+  const ipString =
+    req.header('X-Forwarded-For') ||
+    _.get(req, 'requestContext.identity.sourceIp') ||
+    _.get(req, 'connection.remoteAddress');
+
+  // Sometime 'X-Forwarded-For' can be an string with ', ' if there were multiple forwards.
+  // We take the first element.
+  return _.trim(_.first(_.split(ipString, ',')));
+}
+
 module.exports = configure;
diff --git a/addons/addon-base/packages/services/lib/audit/audit-writer-service.js b/addons/addon-base/packages/services/lib/audit/audit-writer-service.js
@@ -112,10 +112,26 @@ class AuditWriterService extends Service {
       // Add actor, if it's not there
       auditEvent.actor = _.get(requestContext, 'principalIdentifier.uid');
     }
-    if (auditEvent.timestamp) {
+    if (!auditEvent.firstName) {
+      // Add firstName, if it's not there
+      auditEvent.firstName = _.get(requestContext, 'principal.firstName');
+    }
+    if (!auditEvent.lastName) {
+      // Add lastName, if it's not there
+      auditEvent.lastName = _.get(requestContext, 'principal.lastName');
+    }
+    if (!auditEvent.userRole) {
+      // Add userRole, if it's not there
+      auditEvent.userRole = _.get(requestContext, 'principal.userRole');
+    }
+    if (!auditEvent.timestamp) {
       // Add timestamp, if it's not there
       auditEvent.timestamp = Date.now();
     }
+    if (!auditEvent.ipAddress) {
+      // Add ipAddress, if it's not there
+      auditEvent.ipAddress = requestContext.ipAddress;
+    }
 
     // Give all plugins a chance in preparing the audit event
     // Each plugin will receive the following payload object with the shape {requestContext, container, auditEvent}

diff --git a/addons/addon-base/packages/services/lib/logger/log-transformer.js b/addons/addon-base/packages/services/lib/logger/log-transformer.js
@@ -17,7 +17,7 @@ const _ = require('lodash');
 const cycle = require('cycle');
 
 class LogTransformer {
-  constructor(loggingContext = {}, fieldsToMask = ['x-amz-security-token', 'user', 'accessKey', 'password']) {
+  constructor(loggingContext = {}, fieldsToMask = ['x-amz-security-token', 'accessKey', 'password']) {
     if (!Array.isArray(fieldsToMask) || fieldsToMask.some(field => typeof field !== 'string')) {
       throw new Error(
         `expected fieldsToMask to be an array of strings, but got instead: ${JSON.stringify(fieldsToMask)}`,

diff --git a/addons/addon-base/packages/services/lib/logger/logger-service.js b/addons/addon-base/packages/services/lib/logger/logger-service.js
@@ -17,11 +17,7 @@ const Service = require('@aws-ee/base-services-container/lib/service');
 const LogTransformer = require('./log-transformer');
 
 class LoggerService extends Service {
-  constructor(
-    logger = console,
-    loggingContext = {},
-    fieldsToMask = ['x-amz-security-token', 'user', 'accessKey', 'password'],
-  ) {
+  constructor(logger = console, loggingContext = {}, fieldsToMask = ['x-amz-security-token', 'accessKey', 'password']) {
     super();
     this.logger = logger;
     this.logTransformer = new LogTransformer(loggingContext, fieldsToMask);

diff --git a/addons/addon-base/packages/services/lib/utils/services-registration-util.js b/addons/addon-base/packages/services/lib/utils/services-registration-util.js
@@ -112,7 +112,7 @@ async function registerLoggerService(container, plugins, settingsService, plugin
   // Each plugin is passed an array containing the names of the fields to mask. The plugins are called in the same order as returned by the
   // registry.
   // Each plugin gets a chance to add, remove, update, or delete fields to mask array by mutating the provided fieldsToMask array.
-  const initialFieldsToMask = ['x-amz-security-token', 'user', 'accessKey', 'password']; // initialize with default fields to mask
+  const initialFieldsToMask = ['x-amz-security-token', 'accessKey', 'password']; // initialize with default fields to mask
   const fieldsToMask = await _.reduce(
     plugins,
     async (fieldsToMaskSoFar, plugin) => {