From 919e9045fa9eb6c85fb6665362230750d4e8de2a Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Wed, 2 Nov 2022 15:23:48 -0700
Subject: [PATCH] Combine RequestAuditConfig with RequestAuditConfigWithLevel
Kubernetes-commit: 1a1ca5173ea0f6b06a74d4a26e694cff521a2f8e
---
 pkg/audit/evaluator.go | 16 +++-------
 pkg/audit/policy/checker.go | 32 ++++++++-----------
 pkg/endpoints/filters/audit.go | 10 +++---
 ...ericapiserver_graceful_termination_test.go | 7 ++--
 4 files changed, 25 insertions(+), 40 deletions(-)
diff --git a/pkg/audit/evaluator.go b/pkg/audit/evaluator.go
index 93907dc5f..f9664fef6 100644
--- a/pkg/audit/evaluator.go
+++ b/pkg/audit/evaluator.go
@@ -25,6 +25,9 @@ import (
 // a given request. PolicyRuleEvaluator evaluates the audit policy against the
 // authorizer attributes and returns a RequestAuditConfig that applies to the request.
 type RequestAuditConfig struct {
+ // Level at which the request is being audited at
+ Level audit.Level
+
 // OmitStages is the stages that need to be omitted from being audited.
 OmitStages []audit.Stage
@@ -33,21 +36,10 @@ type RequestAuditConfig struct {
 OmitManagedFields bool
 }
-// RequestAuditConfigWithLevel includes Level at which the request is being audited.
-// PolicyRuleEvaluator evaluates the audit configuration for a request
-// against the authorizer attributes and returns an RequestAuditConfigWithLevel
-// that applies to the request.
-type RequestAuditConfigWithLevel struct {
- RequestAuditConfig
-
- // Level at which the request is being audited at
- Level audit.Level
-}
-
 // PolicyRuleEvaluator exposes methods for evaluating the policy rules.
 type PolicyRuleEvaluator interface {
 // EvaluatePolicyRule evaluates the audit policy of the apiserver against
 // the given authorizer attributes and returns the audit configuration that
 // is applicable to the given equest.
- EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfigWithLevel
+ EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfig
 }
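Review bot: The doc comment on the new `Level` field in the first hunk, `// Level at which the request is being audited at`, is ungrammatical and does not say that the field is mandatory, even though the merged struct is now what every caller branches on (the filter in audit.go compares it against `auditinternal.LevelNone`, and checker.go always fills it from the matching rule or `DefaultAuditLevel`). A zero-value `RequestAuditConfig{}` from a custom evaluator would presumably carry an empty level that matches no branch, so the contract is worth stating. Suggest `// Level is the audit level assigned to the request by the matching policy rule, or the policy default when no rule matches; evaluators must always set it, since callers compare it against LevelNone.` While touching this file, the context line `// is applicable to the given equest.` in the second hunk has a typo (`request`).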
diff --git a/pkg/audit/policy/checker.go b/pkg/audit/policy/checker.go
index 6a98ff4ac..cd6ec92bc 100644
--- a/pkg/audit/policy/checker.go
+++ b/pkg/audit/policy/checker.go
@@ -61,25 +61,21 @@ type policyRuleEvaluator struct {
 audit.Policy
 }
-func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
+func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfig {
 for _, rule := range p.Rules {
 if ruleMatches(&rule, attrs) {
- return auditinternal.RequestAuditConfigWithLevel{
- Level: rule.Level,
- RequestAuditConfig: auditinternal.RequestAuditConfig{
- OmitStages: rule.OmitStages,
- OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
- },
+ return auditinternal.RequestAuditConfig{
+ Level: rule.Level,
+ OmitStages: rule.OmitStages,
+ OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
 }
 }
 }
- return auditinternal.RequestAuditConfigWithLevel{
- Level: DefaultAuditLevel,
- RequestAuditConfig: auditinternal.RequestAuditConfig{
- OmitStages: p.OmitStages,
- OmitManagedFields: p.OmitManagedFields,
- },
+ return auditinternal.RequestAuditConfig{
+ Level: DefaultAuditLevel,
+ OmitStages: p.OmitStages,
+ OmitManagedFields: p.OmitManagedFields,
 }
 }
@@ -235,11 +231,9 @@ type fakePolicyRuleEvaluator struct {
 stage []audit.Stage
 }
-func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
- return auditinternal.RequestAuditConfigWithLevel{
- Level: f.level,
- RequestAuditConfig: auditinternal.RequestAuditConfig{
- OmitStages: f.stage,
- },
+func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfig {
+ return auditinternal.RequestAuditConfig{
+ Level: f.level,
+ OmitStages: f.stage,
 }
 }
diff --git a/pkg/endpoints/filters/audit.go b/pkg/endpoints/filters/audit.go
index b310c94ee..ccb628b44 100644
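Review bot: The rewritten `+func (p *policyRuleEvaluator) EvaluatePolicyRule` in the first hunk still has no doc comment, and its first-match semantics — the loop returns on the first rule for which `ruleMatches` is true, so the order of rules in the policy decides the audit level, and only when nothing matches does the policy-wide `OmitStages`/`OmitManagedFields` with `DefaultAuditLevel` apply — is exactly what an operator writing an audit policy needs to know. Suggest adding above the signature: `// EvaluatePolicyRule returns the RequestAuditConfig of the first rule in p.Rules that matches attrs; when no rule matches it falls back to DefaultAuditLevel with the policy-wide OmitStages and OmitManagedFields.` Not introduced here but visible in the hunk: `ruleMatches(&rule, attrs)` takes the address of the range variable, which is only safe as long as `ruleMatches` does not retain that pointer — worth a one-line comment if that is the case.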
--- a/pkg/endpoints/filters/audit.go
+++ b/pkg/endpoints/filters/audit.go
@@ -133,10 +133,10 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
 return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
 }
- ls := policy.EvaluatePolicyRule(attribs)
- audit.ObservePolicyLevel(ctx, ls.Level)
- ac.RequestAuditConfig = ls.RequestAuditConfig
- if ls.Level == auditinternal.LevelNone {
+ rac := policy.EvaluatePolicyRule(attribs)
+ audit.ObservePolicyLevel(ctx, rac.Level)
+ ac.RequestAuditConfig = rac
+ if rac.Level == auditinternal.LevelNone {
 // Don't audit.
 return ac, nil
 }
@@ -145,7 +145,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
 if !ok {
 requestReceivedTimestamp = time.Now()
 }
- ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, ls.Level, attribs)
+ ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, rac.Level, attribs)
 if err != nil {
 return nil, fmt.Errorf("failed to complete audit event from request: %v", err)
 }
diff --git a/pkg/server/genericapiserver_graceful_termination_test.go b/pkg/server/genericapiserver_graceful_termination_test.go
index c18ce70c4..373ce82d5 100644
--- a/pkg/server/genericapiserver_graceful_termination_test.go
+++ b/pkg/server/genericapiserver_graceful_termination_test.go
@@ -780,10 +780,9 @@ func (a *fakeAudit) requestAudited(auditID string) bool {
 return exists
 }
-func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel {
- return audit.RequestAuditConfigWithLevel{
- Level: auditinternal.LevelMetadata,
- RequestAuditConfig: audit.RequestAuditConfig{},
+func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
+ return audit.RequestAuditConfig{
+ Level: auditinternal.LevelMetadata,
 }
 }
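Review bot: With `ac.RequestAuditConfig = rac` in the first hunk, the audit level is now recorded twice per request — once on the context's `RequestAuditConfig.Level` and once on the event that `audit.NewEventFromRequest(..., rac.Level, ...)` builds in the next hunk — and nothing says which copy downstream code should trust if they ever diverge, which matters because a mismatch here is the difference between a request being logged at the policy's level or not. A short comment at the assignment, `// rac.Level is copied onto the event below as well; the two must stay in sync`, would at least make the duplication deliberate, and a follow-up could have the event read the level from ac instead of a second argument. Note that the LevelNone early return on the next line now also leaves a fully populated config on ac, which is presumably intended so later stages can see that auditing was disabled. evaluatePolicyAndCreateAuditEvent begins before this hunk and continues past its end.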