mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-08 13:07:41 +00:00
136 lines
4.3 KiB
Go
136 lines
4.3 KiB
Go
|
package record
|
||
|
|
||
|
import (
|
||
|
"net/http"
|
||
|
"strings"
|
||
|
"time"
|
||
|
|
||
|
"google.golang.org/grpc/codes"
|
||
|
|
||
|
zitadel_http "github.com/zitadel/zitadel/internal/api/http"
|
||
|
)
|
||
|
|
||
|
type AccessLog struct {
|
||
|
LogDate time.Time `json:"logDate"`
|
||
|
Protocol AccessProtocol `json:"protocol"`
|
||
|
RequestURL string `json:"requestUrl"`
|
||
|
ResponseStatus uint32 `json:"responseStatus"`
|
||
|
// RequestHeaders and ResponseHeaders are plain maps so varying implementations
|
||
|
// between HTTP and gRPC don't interfere with each other
|
||
|
RequestHeaders map[string][]string `json:"requestHeaders"`
|
||
|
ResponseHeaders map[string][]string `json:"responseHeaders"`
|
||
|
InstanceID string `json:"instanceId"`
|
||
|
ProjectID string `json:"projectId"`
|
||
|
RequestedDomain string `json:"requestedDomain"`
|
||
|
RequestedHost string `json:"requestedHost"`
|
||
|
// NotCountable can be used by the logging service to explicitly stating,
|
||
|
// that the request must not increase the amount of countable (authenticated) requests
|
||
|
NotCountable bool `json:"-"`
|
||
|
normalized bool `json:"-"`
|
||
|
}
|
||
|
|
||
|
type AccessProtocol uint8
|
||
|
|
||
|
const (
|
||
|
GRPC AccessProtocol = iota
|
||
|
HTTP
|
||
|
|
||
|
redacted = "[REDACTED]"
|
||
|
)
|
||
|
|
||
|
var (
|
||
|
unaccountableEndpoints = []string{
|
||
|
"/zitadel.system.v1.SystemService/",
|
||
|
"/zitadel.admin.v1.AdminService/Healthz",
|
||
|
"/zitadel.management.v1.ManagementService/Healthz",
|
||
|
"/zitadel.management.v1.ManagementService/GetOIDCInformation",
|
||
|
"/zitadel.auth.v1.AuthService/Healthz",
|
||
|
}
|
||
|
)
|
||
|
|
||
|
func (a AccessLog) IsAuthenticated() bool {
|
||
|
if a.NotCountable {
|
||
|
return false
|
||
|
}
|
||
|
if !a.normalized {
|
||
|
panic("access log not normalized, Normalize() must be called before IsAuthenticated()")
|
||
|
}
|
||
|
_, hasHTTPAuthHeader := a.RequestHeaders[strings.ToLower(zitadel_http.Authorization)]
|
||
|
// ignore requests, which were unauthorized or do not require an authorization (even if one was sent)
|
||
|
// also ignore if the limit was already reached or if the server returned an internal error
|
||
|
// not that endpoints paths are only checked with the gRPC representation as HTTP (gateway) will not log them
|
||
|
return hasHTTPAuthHeader &&
|
||
|
(a.Protocol == HTTP &&
|
||
|
a.ResponseStatus != http.StatusInternalServerError &&
|
||
|
a.ResponseStatus != http.StatusTooManyRequests &&
|
||
|
a.ResponseStatus != http.StatusUnauthorized) ||
|
||
|
(a.Protocol == GRPC &&
|
||
|
a.ResponseStatus != uint32(codes.Internal) &&
|
||
|
a.ResponseStatus != uint32(codes.ResourceExhausted) &&
|
||
|
a.ResponseStatus != uint32(codes.Unauthenticated) &&
|
||
|
!a.isUnaccountableEndpoint())
|
||
|
}
|
||
|
|
||
|
func (a AccessLog) isUnaccountableEndpoint() bool {
|
||
|
for _, endpoint := range unaccountableEndpoints {
|
||
|
if strings.HasPrefix(a.RequestURL, endpoint) {
|
||
|
return true
|
||
|
}
|
||
|
}
|
||
|
return false
|
||
|
}
|
||
|
|
||
|
func (a AccessLog) Normalize() *AccessLog {
|
||
|
a.RequestedDomain = cutString(a.RequestedDomain, 200)
|
||
|
a.RequestURL = cutString(a.RequestURL, 200)
|
||
|
a.RequestHeaders = normalizeHeaders(a.RequestHeaders, strings.ToLower(zitadel_http.Authorization), "grpcgateway-authorization", "cookie", "grpcgateway-cookie")
|
||
|
a.ResponseHeaders = normalizeHeaders(a.ResponseHeaders, "set-cookie")
|
||
|
a.normalized = true
|
||
|
return &a
|
||
|
}
|
||
|
|
||
|
// normalizeHeaders lowers all header keys and redacts secrets
|
||
|
func normalizeHeaders(header map[string][]string, redactKeysLower ...string) map[string][]string {
|
||
|
return pruneKeys(redactKeys(lowerKeys(header), redactKeysLower...))
|
||
|
}
|
||
|
|
||
|
func lowerKeys(header map[string][]string) map[string][]string {
|
||
|
lower := make(map[string][]string, len(header))
|
||
|
for k, v := range header {
|
||
|
lower[strings.ToLower(k)] = v
|
||
|
}
|
||
|
return lower
|
||
|
}
|
||
|
|
||
|
func redactKeys(header map[string][]string, redactKeysLower ...string) map[string][]string {
|
||
|
redactedKeys := make(map[string][]string, len(header))
|
||
|
for k, v := range header {
|
||
|
redactedKeys[k] = v
|
||
|
}
|
||
|
for _, redactKey := range redactKeysLower {
|
||
|
if _, ok := redactedKeys[redactKey]; ok {
|
||
|
redactedKeys[redactKey] = []string{redacted}
|
||
|
}
|
||
|
}
|
||
|
return redactedKeys
|
||
|
}
|
||
|
|
||
|
const maxValuesPerKey = 10
|
||
|
|
||
|
func pruneKeys(header map[string][]string) map[string][]string {
|
||
|
prunedKeys := make(map[string][]string, len(header))
|
||
|
for key, value := range header {
|
||
|
valueItems := make([]string, 0, maxValuesPerKey)
|
||
|
for i, valueItem := range value {
|
||
|
// Max 10 header values per key
|
||
|
if i > maxValuesPerKey {
|
||
|
break
|
||
|
}
|
||
|
// Max 200 value length
|
||
|
valueItems = append(valueItems, cutString(valueItem, 200))
|
||
|
}
|
||
|
prunedKeys[key] = valueItems
|
||
|
}
|
||
|
return prunedKeys
|
||
|
}
|