use policy id in lua logging filter

allegro · Dec 13, 2024 · 28b5aa4 · 28b5aa4
1 parent b650c65
commit 28b5aa4
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
@@ -76,6 +76,7 @@ function envoy_on_response(handle)
     local dynamic_metadata = handle:streamInfo():dynamicMetadata()
     local rbacMetadata = dynamic_metadata:get('envoy.filters.http.rbac') or {}
     local is_shadow_denied = (rbacMetadata['shadow_engine_result'] or '') == 'denied'
+    local rule = rbacMetadata['shadow_effective_policy_id'] or ''
 
     if is_shadow_denied then
         local headers = handle:headers()
@@ -92,11 +93,11 @@ function envoy_on_response(handle)
         if upstream_request_time == nil and status_code == '403' then
             rbac_action = 'denied'
         end
-        log_request(handle, lua_metadata, jwt_status, rbac_action)
+        log_request(handle, rule, lua_metadata, jwt_status, rbac_action)
     end
 end
 
-function log_request(handle, lua_metadata, jwt_status, rbac_action)
+function log_request(handle, rule, lua_metadata, jwt_status, rbac_action)
     local client_name = lua_metadata['request.info.client_name'] or ''
     local trusted_client = lua_metadata['request.info.trusted_client'] or false
     local path = lua_metadata['request.info.path'] or ''
@@ -112,6 +113,7 @@ function log_request(handle, lua_metadata, jwt_status, rbac_action)
 
     local message = {
         '\nINCOMING_PERMISSIONS {"method":"', method,
+        '","rule":"', rule,
         '","path":"', path,
         '","clientIp":"', source_ip,
         '","clientName":"', escape(client_name),

diff --git a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
@@ -4,8 +4,9 @@ local _ = match._
 local contains = function(substring)
     return match.matches(substring, nil, true)
 end
-local function formatLog(method, path, source_ip, client_name, protocol, request_id, status_code, trusted_client, allowed_client, rbac_action, authority, lua_authority, jwt_token_status, headers_to_log)
+local function formatLog(method, rule, path, source_ip, client_name, protocol, request_id, status_code, trusted_client, allowed_client, rbac_action, authority, lua_authority, jwt_token_status, headers_to_log)
     local message = "\nINCOMING_PERMISSIONS {\"method\":\"" .. method ..
+        "\",\"rule\":\"" .. rule ..
         "\",\"path\":\"" .. path ..
         "\",\"clientIp\":\"" .. source_ip ..
         "\",\"clientName\":\"" .. escape(client_name) ..
@@ -397,7 +398,8 @@ describe("envoy_on_response:", function()
                 }
             },
             ['envoy.filters.http.rbac'] = {
-                ['shadow_engine_result'] = 'denied'
+                ['shadow_engine_result'] = 'denied',
+                ['shadow_effective_policy_id'] = '{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}'
             },
             ['envoy.filters.http.lua'] = {
                 ['service_name'] = "service",
@@ -425,6 +427,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "/path?query=val",
                 "127.1.1.3",
                 "service-first",
@@ -452,6 +455,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "/path?query=val",
                 "127.1.1.3",
                 "service-first",
@@ -479,6 +483,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "/path?query=val",
                 "127.1.1.3",
                 "service-first",
@@ -507,6 +512,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "/path?query=val",
                 "127.1.1.3",
                 "service-first",
@@ -535,6 +541,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "",
                 "",
                 "",
@@ -563,6 +570,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "",
                 "",
                 "",
@@ -590,6 +598,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "",
                 "127.1.1.3",
                 "service-first",
@@ -618,6 +627,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "/path?query=val",
                 "127.1.1.3",
                 "service-first",
@@ -651,6 +661,7 @@ describe("envoy_on_response:", function()
             -- then
             assert.spy(handle.logInfo).was_called_with(_, formatLog(
                 "POST",
+                "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
                 "/path?query=val",
                 "127.1.1.3",
                 "service-first",