Skip to content

Commit

Permalink
fixed #855 - log client IPs and credentials used
Browse files Browse the repository at this point in the history
  • Loading branch information
Eugeny committed Aug 8, 2023
1 parent 673f519 commit 5d67f8b
Show file tree
Hide file tree
Showing 7 changed files with 49 additions and 18 deletions.
10 changes: 10 additions & 0 deletions warpgate-common/src/auth/cred.rs
Original file line number Diff line number Diff line change
Expand Up @@ -43,4 +43,14 @@ impl AuthCredential {
Self::WebUserApproval => CredentialKind::WebUserApproval,
}
}

pub fn safe_description(&self) -> String {
match self {
Self::Password { .. } => "password".to_string(),
Self::PublicKey { .. } => "public key".to_string(),
Self::Otp { .. } => "one-time password".to_string(),
Self::Sso { provider, .. } => format!("SSO ({provider})"),
Self::WebUserApproval => "in-browser auth".to_string(),
}
}
}
18 changes: 15 additions & 3 deletions warpgate-common/src/auth/state.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ use std::collections::HashSet;

use chrono::{DateTime, Utc};
use rand::Rng;
use tracing::info;
use uuid::Uuid;

use super::{AuthCredential, CredentialKind, CredentialPolicy, CredentialPolicyResponse};
Expand Down Expand Up @@ -96,9 +97,20 @@ impl AuthState {
.policy
.is_sufficient(&self.protocol, &self.valid_credentials[..])
{
CredentialPolicyResponse::Ok => AuthResult::Accepted {
username: self.username.clone(),
},
CredentialPolicyResponse::Ok => {
info!(
username=%self.username,
credentials=%self.valid_credentials
.iter()
.map(|x| x.safe_description())
.collect::<Vec<_>>()
.join(", "),
"Authenticated",
);
AuthResult::Accepted {
username: self.username.clone(),
}
}
CredentialPolicyResponse::Need(kinds) => AuthResult::Need(kinds),
}
}
Expand Down
1 change: 0 additions & 1 deletion warpgate-protocol-http/src/common.rs
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,6 @@ pub async fn authorize_session(req: &Request, username: String) -> poem::Result<
.await
.set_username(username.clone())
.await?;
info!(%username, "Authenticated");
session.set_auth(SessionAuthorization::User(username));

Ok(())
Expand Down
10 changes: 8 additions & 2 deletions warpgate-protocol-http/src/logging.rs
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,21 @@ use crate::session_handle::WarpgateServerHandleFromRequest;
pub async fn span_for_request(req: &Request) -> poem::Result<Span> {
let handle = WarpgateServerHandleFromRequest::from_request_without_body(req).await;

let client_ip = req
.remote_addr()
.as_socket_addr()
.map(|x| x.ip().to_string())
.unwrap_or("<unknown>".into());

Ok(match handle {
Ok(ref handle) => {
let handle = handle.lock().await;
let ss = handle.session_state().lock().await;
match { ss.username.clone() } {
Some(ref username) => {
info_span!("HTTP", session=%handle.id(), session_username=%username)
info_span!("HTTP", session=%handle.id(), session_username=%username, %client_ip)
}
None => info_span!("HTTP", session=%handle.id()),
None => info_span!("HTTP", session=%handle.id(), %client_ip),
}
}
Err(_) => info_span!("HTTP"),
Expand Down
4 changes: 2 additions & 2 deletions warpgate-protocol-mysql/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -86,13 +86,13 @@ impl ProtocolServer for MySQLProtocolServer {
.register_session(
&crate::common::PROTOCOL_NAME,
SessionStateInit {
remote_address: Some(remote_address),
remote_address: Some(remote_address.clone()),
handle: Box::new(session_handle),
},
)
.await?;

let session = MySqlSession::new(server_handle, services, stream, tls_config).await;
let session = MySqlSession::new(server_handle, services, stream, tls_config, remote_address).await;
let span = session.make_logging_span();
tokio::select! {
result = session.run().instrument(span) => match result {
Expand Down
15 changes: 9 additions & 6 deletions warpgate-protocol-mysql/src/session.rs
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
use std::net::SocketAddr;
use std::sync::Arc;

use bytes::{Buf, Bytes, BytesMut};
Expand Down Expand Up @@ -34,6 +35,7 @@ pub struct MySqlSession {
server_handle: Arc<Mutex<WarpgateServerHandle>>,
id: Uuid,
services: Services,
remote_address: SocketAddr,
}

impl MySqlSession {
Expand All @@ -42,6 +44,7 @@ impl MySqlSession {
services: Services,
stream: TcpStream,
tls_config: ServerConfig,
remote_address: SocketAddr,
) -> Self {
let id = server_handle.lock().await.id();
Self {
Expand All @@ -67,13 +70,17 @@ impl MySqlSession {
database: None,
server_handle,
id,
remote_address,
}
}

pub fn make_logging_span(&self) -> tracing::Span {
let client_ip = self.remote_address.ip().to_string();
match self.username {
Some(ref username) => info_span!("MySQL", session=%self.id, session_username=%username),
None => info_span!("MySQL", session=%self.id),
Some(ref username) => {
info_span!("MySQL", session=%self.id, session_username=%username, %client_ip)
}
None => info_span!("MySQL", session=%self.id, %client_ip),
}
}

Expand Down Expand Up @@ -269,8 +276,6 @@ impl MySqlSession {
)?;
self.stream.flush().await?;

info!(%username, "Authenticated");

let target = {
self.services
.config_provider
Expand Down Expand Up @@ -307,9 +312,7 @@ impl MySqlSession {
handle.set_target(&target).await?;
}

let span = self.make_logging_span();
self.run_authorized_inner(handshake, mysql_options)
.instrument(span)
.await
}

Expand Down
9 changes: 5 additions & 4 deletions warpgate-protocol-ssh/src/server/session.rs
Original file line number Diff line number Diff line change
Expand Up @@ -238,9 +238,12 @@ impl ServerSession {
}

pub fn make_logging_span(&self) -> tracing::Span {
let client_ip = self.remote_address.ip().to_string();
match self.username {
Some(ref username) => info_span!("SSH", session=%self.id, session_username=%username),
None => info_span!("SSH", session=%self.id),
Some(ref username) => {
info_span!("SSH", session=%self.id, session_username=%username, %client_ip)
}
None => info_span!("SSH", session=%self.id, %client_ip),
}
}

Expand Down Expand Up @@ -1437,8 +1440,6 @@ impl ServerSession {
username: &str,
target_name: &str,
) -> Result<(), WarpgateError> {
info!(%username, "Authenticated");

let _ = self
.server_handle
.lock()
Expand Down

0 comments on commit 5d67f8b

Please sign in to comment.