Update existing code for audit API changes
Kubernetes-commit: 4c54970d31f0e35f21247514fb946081e6ee0be5
		
							parent
							
								
									ecba80695f
								
							
						
					
					
						commit
						dac438aa53
					
				| 
						 | 
				
			
			@ -40,10 +40,7 @@ import (
 | 
			
		|||
	authenticationv1 "k8s.io/client-go/pkg/apis/authentication/v1"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
const (
 | 
			
		||||
	AuditIDHeader = "X-Request-ID"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
// NewEventFromRequest generates an audit event for the request.
 | 
			
		||||
func NewEventFromRequest(req *http.Request, policy *auditinternal.Policy, attribs authorizer.Attributes) (*auditinternal.Event, error) {
 | 
			
		||||
	ev := &auditinternal.Event{
 | 
			
		||||
		Timestamp:  metav1.NewTime(time.Now()),
 | 
			
		||||
| 
						 | 
				
			
			@ -61,7 +58,7 @@ func NewEventFromRequest(req *http.Request, policy *auditinternal.Policy, attrib
 | 
			
		|||
 | 
			
		||||
	// prefer the id from the headers. If not available, create a new one.
 | 
			
		||||
	// TODO(audit): do we want to forbid the header for non-front-proxy users?
 | 
			
		||||
	ids := req.Header[AuditIDHeader]
 | 
			
		||||
	ids := req.Header[auditinternal.HeaderAuditID]
 | 
			
		||||
	if len(ids) > 0 {
 | 
			
		||||
		ev.AuditID = types.UID(ids[0])
 | 
			
		||||
	} else {
 | 
			
		||||
| 
						 | 
				
			
			@ -157,7 +154,7 @@ func LogRequestPatch(ae *audit.Event, patch []byte) {
 | 
			
		|||
		return
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	ae.RequestObject = runtime.Unknown{
 | 
			
		||||
	ae.RequestObject = &runtime.Unknown{
 | 
			
		||||
		Raw:         patch,
 | 
			
		||||
		ContentType: runtime.ContentTypeJSON,
 | 
			
		||||
	}
 | 
			
		||||
| 
						 | 
				
			
			@ -182,21 +179,21 @@ func LogResponseObject(ae *audit.Event, obj runtime.Object, gv schema.GroupVersi
 | 
			
		|||
	}
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime.NegotiatedSerializer) (runtime.Unknown, error) {
 | 
			
		||||
func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime.NegotiatedSerializer) (*runtime.Unknown, error) {
 | 
			
		||||
	supported := serializer.SupportedMediaTypes()
 | 
			
		||||
	for i := range supported {
 | 
			
		||||
		if supported[i].MediaType == "application/json" {
 | 
			
		||||
			enc := serializer.EncoderForVersion(supported[i].Serializer, gv)
 | 
			
		||||
			var buf bytes.Buffer
 | 
			
		||||
			if err := enc.Encode(obj, &buf); err != nil {
 | 
			
		||||
				return runtime.Unknown{}, fmt.Errorf("encoding failed: %v", err)
 | 
			
		||||
				return nil, fmt.Errorf("encoding failed: %v", err)
 | 
			
		||||
			}
 | 
			
		||||
 | 
			
		||||
			return runtime.Unknown{
 | 
			
		||||
			return &runtime.Unknown{
 | 
			
		||||
				Raw:         buf.Bytes(),
 | 
			
		||||
				ContentType: runtime.ContentTypeJSON,
 | 
			
		||||
			}, nil
 | 
			
		||||
		}
 | 
			
		||||
	}
 | 
			
		||||
	return runtime.Unknown{}, fmt.Errorf("no json encoder found")
 | 
			
		||||
	return nil, fmt.Errorf("no json encoder found")
 | 
			
		||||
}
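Review bot: The value read at `ids := req.Header[auditinternal.HeaderAuditID]` is copied into `ev.AuditID` as-is, so any client can pick the ID its request is logged under, including one that duplicates another request's ID or is arbitrarily long; the TODO just above it is still open after this change. Until the header is limited to trusted front proxies, bounding the length and character set of `ids[0]` before the assignment, and falling through to the generated ID when the check fails, would keep audit correlation reliable. Separately, indexing `req.Header` directly skips key canonicalization, so the lookup only matches if the constant is already in canonical MIME form (its value is not visible on this page); `req.Header.Get(auditinternal.HeaderAuditID)` removes that dependency. The body of NewEventFromRequest continues outside the hunk.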
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -65,8 +65,22 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
	simpleCPrimeJSON, _ := runtime.Encode(testCodec, simpleCPrime)
 | 
			
		||||
 | 
			
		||||
	// event checks
 | 
			
		||||
	noRequestBody := func(i int) eventCheck {
 | 
			
		||||
		return func(events []*auditinternal.Event) error {
 | 
			
		||||
			if events[i].RequestObject == nil {
 | 
			
		||||
				return nil
 | 
			
		||||
			}
 | 
			
		||||
			return fmt.Errorf("expected RequestBody to be nil, got non-nill '%s'", events[i].RequestObject.Raw)
 | 
			
		||||
		}
 | 
			
		||||
	}
 | 
			
		||||
	requestBodyIs := func(i int, text string) eventCheck {
 | 
			
		||||
		return func(events []*auditinternal.Event) error {
 | 
			
		||||
			if events[i].RequestObject == nil {
 | 
			
		||||
				if text != "" {
 | 
			
		||||
					return fmt.Errorf("expected RequestBody %q, got <nil>", text)
 | 
			
		||||
				}
 | 
			
		||||
				return nil
 | 
			
		||||
			}
 | 
			
		||||
			if string(events[i].RequestObject.Raw) != text {
 | 
			
		||||
				return fmt.Errorf("expected RequestBody %q, got %q", text, string(events[i].RequestObject.Raw))
 | 
			
		||||
			}
 | 
			
		||||
| 
						 | 
				
			
			@ -81,12 +95,12 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			return nil
 | 
			
		||||
		}
 | 
			
		||||
	}
 | 
			
		||||
	responseBodyIs := func(i int, text string) eventCheck {
 | 
			
		||||
	noResponseBody := func(i int) eventCheck {
 | 
			
		||||
		return func(events []*auditinternal.Event) error {
 | 
			
		||||
			if string(events[i].ResponseObject.Raw) != text {
 | 
			
		||||
				return fmt.Errorf("expected ResponseBody %q, got %q", text, string(events[i].ResponseObject.Raw))
 | 
			
		||||
			if events[i].ResponseObject == nil {
 | 
			
		||||
				return nil
 | 
			
		||||
			}
 | 
			
		||||
			return nil
 | 
			
		||||
			return fmt.Errorf("expected ResponseBody to be nil, got non-nill '%s'", events[i].ResponseObject.Raw)
 | 
			
		||||
		}
 | 
			
		||||
	}
 | 
			
		||||
	responseBodyMatches := func(i int, pattern string) eventCheck {
 | 
			
		||||
| 
						 | 
				
			
			@ -115,7 +129,7 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			200,
 | 
			
		||||
			1,
 | 
			
		||||
			[]eventCheck{
 | 
			
		||||
				requestBodyIs(0, ""),
 | 
			
		||||
				noRequestBody(0),
 | 
			
		||||
				responseBodyMatches(0, `{.*"name":"c".*}`),
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
| 
						 | 
				
			
			@ -132,7 +146,7 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			200,
 | 
			
		||||
			1,
 | 
			
		||||
			[]eventCheck{
 | 
			
		||||
				requestBodyMatches(0, ""),
 | 
			
		||||
				noRequestBody(0),
 | 
			
		||||
				responseBodyMatches(0, `{.*"name":"a".*"name":"b".*}`),
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
| 
						 | 
				
			
			@ -158,8 +172,8 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			405,
 | 
			
		||||
			1,
 | 
			
		||||
			[]eventCheck{
 | 
			
		||||
				requestBodyIs(0, ""),  // the 405 is thrown long before the create handler would be executed
 | 
			
		||||
				responseBodyIs(0, ""), // the 405 is thrown long before the create handler would be executed
 | 
			
		||||
				noRequestBody(0),  // the 405 is thrown long before the create handler would be executed
 | 
			
		||||
				noResponseBody(0), // the 405 is thrown long before the create handler would be executed
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
		{
 | 
			
		||||
| 
						 | 
				
			
			@ -171,8 +185,8 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			200,
 | 
			
		||||
			1,
 | 
			
		||||
			[]eventCheck{
 | 
			
		||||
				requestBodyMatches(0, ""),
 | 
			
		||||
				responseBodyMatches(0, ""),
 | 
			
		||||
				noRequestBody(0),
 | 
			
		||||
				responseBodyMatches(0, `{.*"kind":"Status".*"status":"Success".*}`),
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
		{
 | 
			
		||||
| 
						 | 
				
			
			@ -185,7 +199,7 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			1,
 | 
			
		||||
			[]eventCheck{
 | 
			
		||||
				requestBodyMatches(0, "DeleteOptions"),
 | 
			
		||||
				responseBodyMatches(0, ""),
 | 
			
		||||
				responseBodyMatches(0, `{.*"kind":"Status".*"status":"Success".*}`),
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
		{
 | 
			
		||||
| 
						 | 
				
			
			@ -247,8 +261,8 @@ func TestAudit(t *testing.T) {
 | 
			
		|||
			200,
 | 
			
		||||
			2,
 | 
			
		||||
			[]eventCheck{
 | 
			
		||||
				requestBodyMatches(0, ""),
 | 
			
		||||
				responseBodyMatches(0, ""),
 | 
			
		||||
				noRequestBody(0),
 | 
			
		||||
				noResponseBody(0),
 | 
			
		||||
			},
 | 
			
		||||
		},
 | 
			
		||||
	} {
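Review bot: The new closures `noRequestBody`, `requestBodyIs` and `noResponseBody` index `events[i]` without checking `len(events)`, so a case that emits fewer audit events than expected would panic instead of returning a readable error, unless the event count is asserted before the checks run (that code is outside these hunks). A guard at the top of each closure, `if i >= len(events) { return fmt.Errorf("event %d missing, got %d events", i, len(events)) }`, would make that failure explicit. The two new messages also spell "non-nil" as "non-nill" and print the raw bytes with `'%s'` where the neighbouring checks use `%q`; `"expected RequestBody to be nil, got non-nil %q"` (and the ResponseBody counterpart) would be consistent and would quote unprintable bytes safely.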
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||