From 28b5aa4004ea74e44887adba35fa251a54a4a0e8 Mon Sep 17 00:00:00 2001
From: "jan.kozlowski"
Date: Fri, 13 Dec 2024 12:56:44 +0100
Subject: [PATCH] use policy id in lua logging filter
---
 .../main/resources/lua/ingress_rbac_logging.lua | 6 ++++--
 .../lua_spec/ingress_rbac_logging_spec.lua | 15 +++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
index 9478adf9f..1d3238bf1 100644
--- a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
+++ b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
@@ -76,6 +76,7 @@ function envoy_on_response(handle)
 local dynamic_metadata = handle:streamInfo():dynamicMetadata()
 local rbacMetadata = dynamic_metadata:get('envoy.filters.http.rbac') or {}
 local is_shadow_denied = (rbacMetadata['shadow_engine_result'] or '') == 'denied'
+ local rule = rbacMetadata['shadow_effective_policy_id'] or ''
 if is_shadow_denied then
 local headers = handle:headers()
@@ -92,11 +93,11 @@ function envoy_on_response(handle)
 if upstream_request_time == nil and status_code == '403' then
 rbac_action = 'denied'
 end
- log_request(handle, lua_metadata, jwt_status, rbac_action)
+ log_request(handle, rule, lua_metadata, jwt_status, rbac_action)
 end
 end
-function log_request(handle, lua_metadata, jwt_status, rbac_action)
+function log_request(handle, rule, lua_metadata, jwt_status, rbac_action)
 local client_name = lua_metadata['request.info.client_name'] or ''
 local trusted_client = lua_metadata['request.info.trusted_client'] or false
 local path = lua_metadata['request.info.path'] or ''
@@ -112,6 +113,7 @@ function log_request(handle, lua_metadata, jwt_status, rbac_action)
 local message = {
 '\nINCOMING_PERMISSIONS {"method":"', method,
+ '","rule":"', rule,
 '","path":"', path,
 '","clientIp":"', source_ip,
 '","clientName":"', escape(client_name),
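Review bot: In the `@@ -112` hunk the new `'","rule":"', rule,` entry is concatenated into the JSON log line raw, while `client_name` two lines below goes through `escape()`; the spec fixture in the second file shows `shadow_effective_policy_id` is itself a JSON document full of double quotes, so every shadow-denied line comes out as `"rule":"{"path":"/path",...}"`, which is not parseable by whatever consumes INCOMING_PERMISSIONS. Change the entry to `'","rule":"', escape(rule),` — on the assumption that `escape` already handles `"` and `\` for clientName, which is worth confirming since its body is outside this patch. The `formatLog` helper in the spec's `@@ -4` hunk mirrors the same unescaped concatenation, which is why the existing assertions pass against the malformed output; it should follow whichever form production ends up with. log_request's body continues beyond the hunk.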
diff --git a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
index 0e51552d0..05849deeb 100644
--- a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
+++ b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
@@ -4,8 +4,9 @@ local _ = match._
 local contains = function(substring) return match.matches(substring, nil, true) end
-local function formatLog(method, path, source_ip, client_name, protocol, request_id, status_code, trusted_client, allowed_client, rbac_action, authority, lua_authority, jwt_token_status, headers_to_log)
+local function formatLog(method, rule, path, source_ip, client_name, protocol, request_id, status_code, trusted_client, allowed_client, rbac_action, authority, lua_authority, jwt_token_status, headers_to_log)
 local message = "\nINCOMING_PERMISSIONS {\"method\":\"" .. method ..
+ "\",\"rule\":\"" .. rule ..
 "\",\"path\":\"" .. path ..
 "\",\"clientIp\":\"" .. source_ip ..
 "\",\"clientName\":\"" .. escape(client_name) ..
@@ -397,7 +398,8 @@ describe("envoy_on_response:", function()
 }
 },
 ['envoy.filters.http.rbac'] = {
- ['shadow_engine_result'] = 'denied'
+ ['shadow_engine_result'] = 'denied',
+ ['shadow_effective_policy_id'] = '{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}'
 },
 ['envoy.filters.http.lua'] = {
 ['service_name'] = "service",
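Review bot: The policy-id literal introduced in the `@@ -397` fixture hunk is pasted verbatim into the eight `formatLog(...)` expectations in the later hunks (`@@ -425` through `@@ -651`), so any change to the policy shape means editing nine copies of a ~230-character string. Define it once next to `contains`, e.g. `local SHADOW_POLICY_ID = '{"path":"/path","pathMatchingType":"PATH",...}'`, and reference it from both the fixture and the assertions. Inside a single-quoted Lua string the `\"` escapes used in the fixture are redundant and only make the literal harder to compare with the double-quoted copies in the assertions. The enclosing `describe` block starts and ends outside these hunks.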
@@ -425,6 +427,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "/path?query=val",
 "127.1.1.3",
 "service-first",
@@ -452,6 +455,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "/path?query=val",
 "127.1.1.3",
 "service-first",
@@ -479,6 +483,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "/path?query=val",
 "127.1.1.3",
 "service-first",
@@ -507,6 +512,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "/path?query=val",
 "127.1.1.3",
 "service-first",
@@ -535,6 +541,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "",
 "",
 "",
@@ -563,6 +570,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "",
 "",
 "",
@@ -590,6 +598,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "",
 "127.1.1.3",
 "service-first",
@@ -618,6 +627,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "/path?query=val",
 "127.1.1.3",
 "service-first",
@@ -651,6 +661,7 @@ describe("envoy_on_response:", function()
 -- then
 assert.spy(handle.logInfo).was_called_with(_, formatLog(
 "POST",
+ "{\"path\":\"/path\",\"pathMatchingType\":\"PATH\",\"methods\":[\"POST\"],\"clients\":[{\"name\":\"service-first\",\"negated\":false},{\"name\":\"client2\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
 "/path?query=val",
 "127.1.1.3",
 "service-first",