Skip to content

Commit

Permalink
feat: Add authenticating ID and user ID to request logging (#24474) (#…
Browse files Browse the repository at this point in the history
…24479)

To allow rudimentary security auditing of logs,
add the authenticating ID and the user ID when
possible to the request logs. When a request is
authorized for V1 or V2 API, store the authorizer
object to be used by the logger up the call stack.

closes #24473

(cherry picked from commit 13cf6be)

closes #24475
  • Loading branch information
davidby-influx authored Nov 22, 2023
1 parent 19e5c0e commit 6159c85
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 1 deletion.
22 changes: 21 additions & 1 deletion context/token.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@ import (
type contextKey string

const (
authorizerCtxKey contextKey = "influx/authorizer/v1"
authorizerCtxKey contextKey = "influx/authorizer/v1"
authorizerCtxPtrKey contextKey = "influx/authorizer/pointer"
)

// SetAuthorizer sets an authorizer on context.
Expand Down Expand Up @@ -68,3 +69,22 @@ func GetUserID(ctx context.Context) (platform.ID, error) {
}
return a.GetUserID(), nil
}

// ProvideAuthorizerStorage puts a pointer to an Authorizer in the context.
// This is used to pass an Authorizer up the stack for logging purposes
func ProvideAuthorizerStorage(ctx context.Context, ap *influxdb.Authorizer) context.Context {
return context.WithValue(ctx, authorizerCtxPtrKey, ap)
}

// StoreAuthorizer stores an Authorizer in a pointer from the Context.
// This permits functions deep in the stack to set the pointer to return
// values up the call chain
func StoreAuthorizer(ctx context.Context, auth influxdb.Authorizer) bool {
ap, ok := ctx.Value(authorizerCtxPtrKey).(*influxdb.Authorizer)
if ok && (ap != nil) {
(*ap) = auth
return true
} else {
return false
}
}
3 changes: 3 additions & 0 deletions http/authentication_middleware.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,9 @@ func (h *AuthenticationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
return
}

// Set the Authorizer pointer for use in logging high up the call stack
platcontext.StoreAuthorizer(ctx, auth)

// jwt based auth is permission based rather than identity based
// and therefor has no associated user. if the user ID is invalid
// disregard the user active check
Expand Down
4 changes: 4 additions & 0 deletions http/legacy/influx1x_authentication_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ func (h *Influx1xAuthenticationHandler) ServeHTTP(w http.ResponseWriter, r *http
}

auth, err := h.auth.Authorize(ctx, creds)

// Set the Authorizer pointer for use in logging high up the call stack
platcontext.StoreAuthorizer(ctx, auth)

if err != nil {
var erri *errors2.Error
if errors.As(err, &erri) {
Expand Down
14 changes: 14 additions & 0 deletions http/middleware.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ import (
"strings"
"time"

"github.com/influxdata/influxdb/v2"
platcontext "github.com/influxdata/influxdb/v2/context"
kithttp "github.com/influxdata/influxdb/v2/kit/transport/http"
"go.uber.org/zap"
)
Expand All @@ -25,6 +27,10 @@ func LoggingMW(log *zap.Logger) kithttp.Middleware {
teedR: io.TeeReader(r.Body, &buf),
}

var auth influxdb.Authorizer

r = r.WithContext(platcontext.ProvideAuthorizerStorage(r.Context(), &auth))

defer func(start time.Time) {
errField := zap.Skip()
if errStr := w.Header().Get(kithttp.PlatformErrorCodeHeader); errStr != "" {
Expand All @@ -36,6 +42,12 @@ func LoggingMW(log *zap.Logger) kithttp.Middleware {
errReferenceField = zap.String("error_code", errReference)
}

var id, userid string
if auth != nil {
id = auth.Identifier().String()
userid = auth.GetUserID().String()
}

fields := []zap.Field{
zap.String("method", r.Method),
zap.String("host", r.Host),
Expand All @@ -48,6 +60,8 @@ func LoggingMW(log *zap.Logger) kithttp.Middleware {
zap.String("referrer", r.Referer()),
zap.String("remote", r.RemoteAddr),
zap.String("user_agent", kithttp.UserAgent(r)),
zap.String("authenticated_id", id),
zap.String("user_id", userid),
zap.Duration("took", time.Since(start)),
errField,
errReferenceField,
Expand Down

0 comments on commit 6159c85

Please sign in to comment.