mirror of https://github.com/k3s-io/k3s
177 lines
5.0 KiB
Go
177 lines
5.0 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package utils
|
|
|
|
import (
|
|
"bufio"
|
|
"fmt"
|
|
"io"
|
|
"sort"
|
|
"strings"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
|
"k8s.io/apiserver/pkg/audit"
|
|
)
|
|
|
|
// AuditEvent is a simplified representation of an audit event for testing purposes
|
|
type AuditEvent struct {
|
|
ID types.UID
|
|
Level auditinternal.Level
|
|
Stage auditinternal.Stage
|
|
RequestURI string
|
|
Verb string
|
|
Code int32
|
|
User string
|
|
ImpersonatedUser string
|
|
ImpersonatedGroups string
|
|
Resource string
|
|
Namespace string
|
|
RequestObject bool
|
|
ResponseObject bool
|
|
AuthorizeDecision string
|
|
}
|
|
|
|
// CheckAuditLines searches the audit log for the expected audit lines.
|
|
// if includeID is true the event ids will also be verified
|
|
func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.GroupVersion) (missing []AuditEvent, err error) {
|
|
expectations := buildEventExpectations(expected)
|
|
|
|
scanner := bufio.NewScanner(stream)
|
|
for scanner.Scan() {
|
|
line := scanner.Text()
|
|
e := &auditinternal.Event{}
|
|
decoder := audit.Codecs.UniversalDecoder(version)
|
|
if err := runtime.DecodeInto(decoder, []byte(line), e); err != nil {
|
|
return expected, fmt.Errorf("failed decoding buf: %s, apiVersion: %s", line, version)
|
|
}
|
|
|
|
event, err := testEventFromInternal(e)
|
|
if err != nil {
|
|
return expected, err
|
|
}
|
|
|
|
// If the event was expected, mark it as found.
|
|
if _, found := expectations[event]; found {
|
|
expectations[event] = true
|
|
}
|
|
}
|
|
if err := scanner.Err(); err != nil {
|
|
return expected, err
|
|
}
|
|
|
|
missing = findMissing(expectations)
|
|
return missing, nil
|
|
}
|
|
|
|
// CheckAuditList searches an audit event list for the expected audit events.
|
|
// if includeID is true the event ids will also be verified
|
|
func CheckAuditList(el auditinternal.EventList, expected []AuditEvent) (missing []AuditEvent, err error) {
|
|
expectations := buildEventExpectations(expected)
|
|
|
|
for _, e := range el.Items {
|
|
event, err := testEventFromInternal(&e)
|
|
if err != nil {
|
|
return expected, err
|
|
}
|
|
|
|
// If the event was expected, mark it as found.
|
|
if _, found := expectations[event]; found {
|
|
expectations[event] = true
|
|
}
|
|
}
|
|
|
|
missing = findMissing(expectations)
|
|
return missing, nil
|
|
}
|
|
|
|
// CheckForDuplicates checks a list for duplicate events
|
|
func CheckForDuplicates(el auditinternal.EventList) (auditinternal.EventList, error) {
|
|
// eventMap holds a map of audit events with just a nil value
|
|
eventMap := map[AuditEvent]*bool{}
|
|
duplicates := auditinternal.EventList{}
|
|
var err error
|
|
for _, e := range el.Items {
|
|
event, err := testEventFromInternal(&e)
|
|
if err != nil {
|
|
return duplicates, err
|
|
}
|
|
event.ID = e.AuditID
|
|
if _, ok := eventMap[event]; ok {
|
|
duplicates.Items = append(duplicates.Items, e)
|
|
err = fmt.Errorf("failed duplicate check")
|
|
continue
|
|
}
|
|
eventMap[event] = nil
|
|
}
|
|
return duplicates, err
|
|
}
|
|
|
|
// buildEventExpectations creates a bool map out of a list of audit events
|
|
func buildEventExpectations(expected []AuditEvent) map[AuditEvent]bool {
|
|
expectations := map[AuditEvent]bool{}
|
|
for _, event := range expected {
|
|
expectations[event] = false
|
|
}
|
|
return expectations
|
|
}
|
|
|
|
// testEventFromInternal takes an internal audit event and returns a test event
|
|
// if includeID is true the event id will be included
|
|
func testEventFromInternal(e *auditinternal.Event) (AuditEvent, error) {
|
|
event := AuditEvent{
|
|
Level: e.Level,
|
|
Stage: e.Stage,
|
|
RequestURI: e.RequestURI,
|
|
Verb: e.Verb,
|
|
User: e.User.Username,
|
|
}
|
|
if e.ObjectRef != nil {
|
|
event.Namespace = e.ObjectRef.Namespace
|
|
event.Resource = e.ObjectRef.Resource
|
|
}
|
|
if e.ResponseStatus != nil {
|
|
event.Code = e.ResponseStatus.Code
|
|
}
|
|
if e.ResponseObject != nil {
|
|
event.ResponseObject = true
|
|
}
|
|
if e.RequestObject != nil {
|
|
event.RequestObject = true
|
|
}
|
|
if e.ImpersonatedUser != nil {
|
|
event.ImpersonatedUser = e.ImpersonatedUser.Username
|
|
sort.Strings(e.ImpersonatedUser.Groups)
|
|
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
|
|
}
|
|
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
|
|
return event, nil
|
|
}
|
|
|
|
// findMissing checks for false values in the expectations map and returns them as a list
|
|
func findMissing(expectations map[AuditEvent]bool) []AuditEvent {
|
|
var missing []AuditEvent
|
|
for event, found := range expectations {
|
|
if !found {
|
|
missing = append(missing, event)
|
|
}
|
|
}
|
|
return missing
|
|
}
|