
Avoid log spam on CheckHealth #864

Merged
merged 1 commit into from
Sep 6, 2023
Merged
4 changes: 4 additions & 0 deletions internal/logger/logging_interceptor.go
Expand Up @@ -82,6 +82,10 @@ func viperLogLevelToZerologLevel(viperLogLevel string) zerolog.Level {
// )
func Interceptor( /*logLevel string, logFormat string, logFile string*/ ) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
// Don't log health checks, they spam the logs
if info.FullMethod == "/mediator.v1.HealthService/CheckHealth" {
return handler(ctx, req)
}
// Attach the resource to all logging events in the context
logger := zerolog.Ctx(ctx).With().Dict("Resource", resource(info.FullMethod)).Logger()
ctx = logger.WithContext(ctx)
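Review bot: The early return for `/mediator.v1.HealthService/CheckHealth` skips the whole interceptor, so a failing health check goes unrecorded along with the successful ones, assuming the code below the hunk is what logs the call outcome (the body of `Interceptor` continues outside the hunk). I would keep the error path visible: `resp, err := handler(ctx, req)`, then `if err != nil { zerolog.Ctx(ctx).Warn().Err(err).Msg("health check failed") }`, then `return resp, err`. The same commit keeps this method in `authBypassMethods`, so the endpoint is both unauthenticated and now silent; a request counter or sampled log line would keep unusual volume on it observable. The method path is also repeated here as a string literal while pkg/controlplane/handlers_authz.go keeps its own copy in `noLogMethods`, so one shared constant would stop the two from drifting.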
50 changes: 17 additions & 33 deletions pkg/controlplane/handlers_authz.go
Expand Up @@ -27,6 +27,7 @@ import (
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"k8s.io/apimachinery/pkg/util/sets"

"github.com/stacklok/mediator/pkg/auth"
"github.com/stacklok/mediator/pkg/db"
Expand All @@ -52,15 +53,20 @@ func parseToken(token string, store db.Store) (auth.UserClaims, error) {
return userClaims, nil
}

// List of methods to skip entirely.
var noLogMethods = sets.New[string](
"/mediator.v1.HealthService/CheckHealth",
)

// List of methods that bypass authentication
var authBypassMethods = []string{
var authBypassMethods = sets.New[string](
"/mediator.v1.AuthService/LogIn",
"/mediator.v1.HealthService/CheckHealth",
"/mediator.v1.OAuthService/ExchangeCodeForTokenCLI",
"/mediator.v1.OAuthService/ExchangeCodeForTokenWEB",
}
)

var superAdminMethods = []string{
var superAdminMethods = sets.New[string](
"/mediator.v1.OrganizationService/CreateOrganization",
"/mediator.v1.OrganizationService/GetOrganizations",
"/mediator.v1.OrganizationService/DeleteOrganization",
Expand All @@ -70,7 +76,7 @@ var superAdminMethods = []string{
"/mediator.v1.UserService/GetUsers",
"/mediator.v1.ArtifactService/ListArtifacts",
"/mediator.v1.ArtifactService/GetArtifactByName",
}
)

var resourceAuthorizations = []map[string]map[string]interface{}{
{
Expand Down Expand Up @@ -331,23 +337,6 @@ var githubAuthorizations = []string{
"/mediator.v1.RepositoryService/AddRepository",
}

func canBypassAuth(ctx context.Context) bool {
// Extract the gRPC method name from the context
method, ok := grpc.Method(ctx)
if !ok {
// no method called, can bypass auth
return true
}

// Check if the current method is in the list of bypass methods
for _, bypassMethod := range authBypassMethods {
if bypassMethod == method {
return true
}
}
return false
}

// checks if an user is superadmin
func isSuperadmin(claims auth.UserClaims) bool {
// need to check that has a role that belongs to org 1 generally and is admin
Expand Down Expand Up @@ -391,14 +380,7 @@ func isMethodAuthorized(ctx context.Context, claims auth.UserClaims) bool {
}

// check if method is on superadmin ones, and fail
for _, bypassMethod := range superAdminMethods {
if bypassMethod == method {
return false
}
}

return true

return !superAdminMethods.Has(method)
}

// IsRequestAuthorized checks if the request is authorized
Expand Down Expand Up @@ -503,11 +485,13 @@ func IsProviderCallAuthorized(ctx context.Context, store db.Store, provider stri
// AuthUnaryInterceptor is a server interceptor for authentication
func AuthUnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
handler grpc.UnaryHandler) (any, error) {
// bypass auth
canBypass := canBypassAuth(ctx)
if canBypass {

// bypass auth for public endpoints
if authBypassMethods.Has(info.FullMethod) {
// If the method is in the bypass list, return the context as is without authentication
zerolog.Ctx(ctx).Info().Msgf("Bypassing authentication")
if !noLogMethods.Has(info.FullMethod) {
zerolog.Ctx(ctx).Info().Msgf("Bypassing authentication")
}
return handler(ctx, req)
}

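Review bot: The comment on `noLogMethods` ("List of methods to skip entirely.") overstates what the set does in this file: in `AuthUnaryInterceptor` it only suppresses the "Bypassing authentication" line, and only for methods that are also in `authBypassMethods`. That line is the only record in this function that a request was served without authentication, so I would spell the contract out, e.g. `// noLogMethods lists auth-bypass methods whose "Bypassing authentication" log line is suppressed; keep it to high-volume, read-only probes, never LogIn or the token-exchange methods.` `noLogMethods`, `authBypassMethods` and `superAdminMethods` are mutable package-level sets, so a short comment that they must not be modified after initialisation would help, since a later `Insert` into `authBypassMethods` would widen the unauthenticated surface. `isMethodAuthorized` still checks a `method` value obtained outside its hunk, while the interceptor now reads `info.FullMethod`; it would be worth confirming both come from the same source.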