github.com/pf-qiu/concourse/v6@v6.7.3-0.20201207032516-1f455d73275f/atc/auditor/auditor.go (about)

     1  package auditor
     2  
     3  import (
     4  	"fmt"
     5  	"net/http"
     6  
     7  	"code.cloudfoundry.org/lager"
     8  	"github.com/pf-qiu/concourse/v6/atc"
     9  )
    10  
    11  //go:generate counterfeiter . Auditor
    12  
// NewAuditor builds an auditor from one enable flag per action category
// (build, container, job, pipeline, resource, system, team, worker, volume)
// and the logger that audit entries are written to.
//
// Every flag is copied as given; a category whose flag is false produces no
// audit entries, so leaving flags off reduces the audit trail for that
// category to nothing.
func NewAuditor(
	EnableBuildAuditLog bool,
	EnableContainerAuditLog bool,
	EnableJobAuditLog bool,
	EnablePipelineAuditLog bool,
	EnableResourceAuditLog bool,
	EnableSystemAuditLog bool,
	EnableTeamAuditLog bool,
	EnableWorkerAuditLog bool,
	EnableVolumeAuditLog bool,
	logger lager.Logger,
) *auditor {
	a := new(auditor)

	// Sink for the audit entries.
	a.logger = logger

	// Per-category switches, consulted by ValidateAction.
	a.EnableBuildAuditLog = EnableBuildAuditLog
	a.EnableContainerAuditLog = EnableContainerAuditLog
	a.EnableJobAuditLog = EnableJobAuditLog
	a.EnablePipelineAuditLog = EnablePipelineAuditLog
	a.EnableResourceAuditLog = EnableResourceAuditLog
	a.EnableSystemAuditLog = EnableSystemAuditLog
	a.EnableTeamAuditLog = EnableTeamAuditLog
	a.EnableWorkerAuditLog = EnableWorkerAuditLog
	a.EnableVolumeAuditLog = EnableVolumeAuditLog

	return a
}
    38  
// Auditor records who performed which API action.
type Auditor interface {
	// Audit is given the action identifier, the name of the user on whose
	// behalf the request runs, and the request itself.
	Audit(action, userName string, r *http.Request)
}
    42  
// auditor is the Auditor implementation returned by NewAuditor. It holds one
// enable flag per action category plus the logger used as the audit sink.
type auditor struct {
	// Category switches; ValidateAction maps each action to exactly one of
	// these and returns its value.
	EnableBuildAuditLog     bool
	EnableContainerAuditLog bool
	EnableJobAuditLog       bool
	EnablePipelineAuditLog  bool
	EnableResourceAuditLog  bool
	EnableSystemAuditLog    bool
	EnableTeamAuditLog      bool
	EnableWorkerAuditLog    bool
	EnableVolumeAuditLog    bool

	// Destination of the "audit" log entries written by Audit.
	logger lager.Logger
}
    55  
// ValidateAction reports whether audit logging is enabled for the category
// that action belongs to.
//
// Each action identifier from the atc package is assigned to exactly one
// category. An identifier that is not listed here panics instead of returning
// false, so an action added without being categorised fails loudly rather
// than silently going unaudited.
func (a *auditor) ValidateAction(action string) bool {
	var enabled bool

	switch action {
	// Builds and build artifacts.
	case atc.GetBuild,
		atc.GetBuildPlan,
		atc.CreateBuild,
		atc.RerunJobBuild,
		atc.ListBuilds,
		atc.BuildEvents,
		atc.BuildResources,
		atc.AbortBuild,
		atc.GetBuildPreparation,
		atc.ListBuildsWithVersionAsInput,
		atc.ListBuildsWithVersionAsOutput,
		atc.CreateArtifact,
		atc.GetArtifact,
		atc.ListBuildArtifacts:
		enabled = a.EnableBuildAuditLog

	// Containers, including interactive access (HijackContainer).
	case atc.ListContainers,
		atc.GetContainer,
		atc.HijackContainer,
		atc.ListDestroyingContainers,
		atc.ReportWorkerContainers:
		enabled = a.EnableContainerAuditLog

	// Jobs.
	case atc.GetJob,
		atc.CreateJobBuild,
		atc.ListAllJobs,
		atc.ListJobs,
		atc.ListJobBuilds,
		atc.ListJobInputs,
		atc.GetJobBuild,
		atc.PauseJob,
		atc.UnpauseJob,
		atc.ScheduleJob,
		atc.JobBadge,
		atc.MainJobBadge:
		enabled = a.EnableJobAuditLog

	// Pipelines.
	case atc.ListAllPipelines,
		atc.ListPipelines,
		atc.GetPipeline,
		atc.DeletePipeline,
		atc.OrderPipelines,
		atc.PausePipeline,
		atc.ArchivePipeline,
		atc.UnpausePipeline,
		atc.ExposePipeline,
		atc.HidePipeline,
		atc.RenamePipeline,
		atc.ListPipelineBuilds,
		atc.CreatePipelineBuild,
		atc.PipelineBadge:
		enabled = a.EnablePipelineAuditLog

	// Resources and resource versions.
	case atc.ListAllResources,
		atc.ListResources,
		atc.ListResourceTypes,
		atc.GetResource,
		atc.UnpinResource,
		atc.SetPinCommentOnResource,
		atc.CheckResource,
		atc.CheckResourceWebHook,
		atc.CheckResourceType,
		atc.ListResourceVersions,
		atc.GetResourceVersion,
		atc.EnableResourceVersion,
		atc.DisableResourceVersion,
		atc.PinResourceVersion,
		atc.GetResourceCausality:
		enabled = a.EnableResourceAuditLog

	// System-wide actions: configuration, log level, users, wall message.
	case atc.SaveConfig,
		atc.GetConfig,
		atc.GetCC,
		atc.GetVersionsDB,
		atc.ClearTaskCache,
		atc.SetLogLevel,
		atc.GetLogLevel,
		atc.DownloadCLI,
		atc.GetInfo,
		atc.GetInfoCreds,
		atc.ListActiveUsersSince,
		atc.GetUser,
		atc.GetWall,
		atc.SetWall,
		atc.ClearWall:
		enabled = a.EnableSystemAuditLog

	// Teams.
	case atc.ListTeams,
		atc.SetTeam,
		atc.RenameTeam,
		atc.DestroyTeam,
		atc.ListTeamBuilds,
		atc.GetTeam:
		enabled = a.EnableTeamAuditLog

	// Workers.
	case atc.RegisterWorker,
		atc.LandWorker,
		atc.RetireWorker,
		atc.PruneWorker,
		atc.HeartbeatWorker,
		atc.ListWorkers,
		atc.DeleteWorker:
		enabled = a.EnableWorkerAuditLog

	// Volumes.
	case atc.ListVolumes,
		atc.ListDestroyingVolumes,
		atc.ReportWorkerVolumes:
		enabled = a.EnableVolumeAuditLog

	default:
		// Uncategorised action: refuse to guess whether it should be audited.
		panic(fmt.Sprintf("unhandled action: %s", action))
	}

	return enabled
}
   163  
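// Audit writes an "audit" log entry naming the action, the user and the
// request parameters, provided audit logging is enabled for the action's
// category (see ValidateAction).
//
// The entry is written even when the request parameters cannot be parsed.
// Dropping the entry on a parse error would let a request with a malformed
// query string or form body pass without any audit record, while the handler
// behind it may still act on the request.
//
// An action that ValidateAction does not know panics, now also for requests
// whose parameters fail to parse.
//
// NOTE(review): r.Form is logged verbatim. Any credential or token sent as a
// query or form parameter ends up in the audit log, so the log sink needs the
// same access control as the secrets it may contain — confirm whether
// redaction is wanted here.
func (a *auditor) Audit(action string, userName string, r *http.Request) {
	// ParseForm runs first and unconditionally, as before, so r.Form is
	// populated whether or not the category is enabled. On a malformed query
	// or body it returns an error but still leaves the pairs it could decode
	// in r.Form.
	parseErr := r.ParseForm()

	if !a.ValidateAction(action) {
		return
	}

	entry := lager.Data{"action": action, "user": userName, "parameters": r.Form}
	if parseErr != nil {
		// Mark the entry so a reader knows "parameters" may be incomplete.
		entry["parameters-error"] = parseErr.Error()
	}

	a.logger.Info("audit", entry)
}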