Merge pull request #864 from evankanderson/quiet-healthcheck
Avoid log spam on CheckHealth
JAORMX authored Sep 6, 2023
2 parents a3960a5 + cc76c4c commit 1812858
Showing 2 changed files with 21 additions and 33 deletions.
4 changes: 4 additions & 0 deletions internal/logger/logging_interceptor.go
Expand Up @@ -82,6 +82,10 @@ func viperLogLevelToZerologLevel(viperLogLevel string) zerolog.Level {
// )
func Interceptor( /*logLevel string, logFormat string, logFile string*/ ) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
// Don't log health checks, they spam the logs
if info.FullMethod == "/mediator.v1.HealthService/CheckHealth" {
return handler(ctx, req)
}
// Attach the resource to all logging events in the context
logger := zerolog.Ctx(ctx).With().Dict("Resource", resource(info.FullMethod)).Logger()
ctx = logger.WithContext(ctx)
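Review bot: The early return added at the top of the returned closure drops the log record for failed health checks as well as successful ones, assuming the request logging sits in the part of the closure below this hunk. A failing `CheckHealth` is the case an operator most wants on record, so the short-circuit could stay quiet on success and still log when `handler` returns an error, as sketched below. The rest of `Interceptor`'s closure lies outside the hunk, so whether errors are logged elsewhere cannot be confirmed from here.

```go
if info.FullMethod == "/mediator.v1.HealthService/CheckHealth" {
	resp, err := handler(ctx, req)
	if err != nil {
		// Successful probes stay quiet; failures are still recorded.
		zerolog.Ctx(ctx).Warn().Err(err).Str("method", info.FullMethod).Msg("health check failed")
	}
	return resp, err
}
// … unchanged: attach Resource to the logger and continue …
```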
50 changes: 17 additions & 33 deletions pkg/controlplane/handlers_authz.go
Expand Up @@ -27,6 +27,7 @@ import (
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"k8s.io/apimachinery/pkg/util/sets"

"github.com/stacklok/mediator/pkg/auth"
"github.com/stacklok/mediator/pkg/db"
Expand All @@ -52,15 +53,20 @@ func parseToken(token string, store db.Store) (auth.UserClaims, error) {
return userClaims, nil
}

// List of methods to skip entirely.
var noLogMethods = sets.New[string](
"/mediator.v1.HealthService/CheckHealth",
)

// List of methods that bypass authentication
var authBypassMethods = []string{
var authBypassMethods = sets.New[string](
"/mediator.v1.AuthService/LogIn",
"/mediator.v1.HealthService/CheckHealth",
"/mediator.v1.OAuthService/ExchangeCodeForTokenCLI",
"/mediator.v1.OAuthService/ExchangeCodeForTokenWEB",
}
)

var superAdminMethods = []string{
var superAdminMethods = sets.New[string](
"/mediator.v1.OrganizationService/CreateOrganization",
"/mediator.v1.OrganizationService/GetOrganizations",
"/mediator.v1.OrganizationService/DeleteOrganization",
Expand All @@ -70,7 +76,7 @@ var superAdminMethods = []string{
"/mediator.v1.UserService/GetUsers",
"/mediator.v1.ArtifactService/ListArtifacts",
"/mediator.v1.ArtifactService/GetArtifactByName",
}
)

var resourceAuthorizations = []map[string]map[string]interface{}{
{
Expand Down Expand Up @@ -331,23 +337,6 @@ var githubAuthorizations = []string{
"/mediator.v1.RepositoryService/AddRepository",
}

func canBypassAuth(ctx context.Context) bool {
// Extract the gRPC method name from the context
method, ok := grpc.Method(ctx)
if !ok {
// no method called, can bypass auth
return true
}

// Check if the current method is in the list of bypass methods
for _, bypassMethod := range authBypassMethods {
if bypassMethod == method {
return true
}
}
return false
}

// checks if an user is superadmin
func isSuperadmin(claims auth.UserClaims) bool {
// need to check that has a role that belongs to org 1 generally and is admin
Expand Down Expand Up @@ -391,14 +380,7 @@ func isMethodAuthorized(ctx context.Context, claims auth.UserClaims) bool {
}

// check if method is on superadmin ones, and fail
for _, bypassMethod := range superAdminMethods {
if bypassMethod == method {
return false
}
}

return true

return !superAdminMethods.Has(method)
}

// IsRequestAuthorized checks if the request is authorized
Expand Down Expand Up @@ -503,11 +485,13 @@ func IsProviderCallAuthorized(ctx context.Context, store db.Store, provider stri
// AuthUnaryInterceptor is a server interceptor for authentication
func AuthUnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
handler grpc.UnaryHandler) (any, error) {
// bypass auth
canBypass := canBypassAuth(ctx)
if canBypass {

// bypass auth for public endpoints
if authBypassMethods.Has(info.FullMethod) {
// If the method is in the bypass list, return the context as is without authentication
zerolog.Ctx(ctx).Info().Msgf("Bypassing authentication")
if !noLogMethods.Has(info.FullMethod) {
zerolog.Ctx(ctx).Info().Msgf("Bypassing authentication")
}
return handler(ctx, req)
}

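Review bot: The comment on `noLogMethods` ("List of methods to skip entirely") overstates what the set does: in the visible code it only suppresses the "Bypassing authentication" message in `AuthUnaryInterceptor`, and only for methods that are also in `authBypassMethods`. Because internal/logger/logging_interceptor.go returns early for the same method, an entry present in both sets is served unauthenticated with, as far as these hunks show, no record from either interceptor. The declaration should state that constraint, for example `// noLogMethods lists auth-bypass methods whose bypass is not logged; keep it to side-effect-free probes such as CheckHealth.` In the remaining log call, `Msgf` is given no format arguments and could be `Msg`. `AuthUnaryInterceptor` continues below the hunk.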
