Add audit wrapper to metrics endpoints

mirskifa · mirskifa · commit dfc6be4f4e2a · 2025-05-28T18:04:24.000+01:00
diff --git a/internal/metrics/audit.go b/internal/metrics/audit.go
@@ -0,0 +1,110 @@
+/*
+© Copyright IBM Corporation 2025
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metrics
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+)
+
+type auditEvent struct {
+	Timestamp        string `json:"timestamp"`
+	Event            string `json:"event"`
+	Pod              string `json:"pod"`
+	RemoteAddr       string `json:"remote_addr"`
+	Endpoint         string `json:"endpoint"`
+	Result           string `json:"result"`
+	StatusCode       int    `json:"status_code"`
+	QueuemanagerName string `json:"queuemanager_name"`
+}
+
+// passthroughHandlerFuncWrapper does not modify the base handler
+func passthroughHandlerFuncWrapper(base http.HandlerFunc) http.HandlerFunc {
+	return base
+}
+
+// newAuditingHandlerFuncWrapper generates a handlerFuncWrapper which allows creation of handlers that log audit entries for every request
+func newAuditingHandlerFuncWrapper(qmName string, logger logHandler) handlerFuncWrapper {
+	return func(base http.HandlerFunc) http.HandlerFunc {
+		return func(w http.ResponseWriter, req *http.Request) {
+			podName, _ := os.Hostname()
+			event := auditEvent{
+				Timestamp:        time.Now().UTC().Format(time.RFC3339),
+				Event:            "metrics",
+				Pod:              podName,
+				Endpoint:         req.URL.RequestURI(),
+				QueuemanagerName: qmName,
+				RemoteAddr:       req.RemoteAddr,
+			}
+
+			capWriter := newStatusCapturingResponseWriter(w)
+			base(capWriter, req)
+			statusCode := capWriter.statusCode
+			event.StatusCode = statusCode
+			event.Result = http.StatusText(statusCode)
+
+			eventBytes, err := json.Marshal(event)
+			if err != nil {
+				logger.Append(fmt.Sprintf("Error writing audit log; next event may contain incomplete data: %s", err.Error()), false)
+				fmt.Printf("Error constructing audit log event: %s\n", err.Error())
+			}
+			logger.Append(string(eventBytes), false)
+		}
+	}
+}
+
+// wrappedHandler implements http.Handler using a stored http.HandlerFunc for the ServeHTTP method
+type wrappedHandler struct {
+	handlerFunc http.HandlerFunc
+}
+
+func (wh wrappedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	wh.handlerFunc(w, r)
+}
+
+// wrapHandler creates a new http.Handler with the function passed as wrapper around the base handler's ServeHTTP method, allowing augmentation of an existing http.Handler's ServeHTTP behaviour
+func wrapHandler(base http.Handler, wrapperFunc handlerFuncWrapper) wrappedHandler {
+	return wrappedHandler{
+		handlerFunc: wrapperFunc(base.ServeHTTP),
+	}
+}
+
+type handlerFuncWrapper func(base http.HandlerFunc) http.HandlerFunc
+
+// statusCapturingResponseWriter captures the status code sent to the client
+type statusCapturingResponseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func newStatusCapturingResponseWriter(base http.ResponseWriter) *statusCapturingResponseWriter {
+	return &statusCapturingResponseWriter{
+		ResponseWriter: base,
+	}
+}
+
+func (c *statusCapturingResponseWriter) WriteHeader(statusCode int) {
+	c.statusCode = statusCode
+	c.ResponseWriter.WriteHeader(statusCode)
+}
+
+type logHandler interface {
+	Append(messageLine string, deduplicateLine bool)
+}
diff --git a/internal/metrics/audit_test.go b/internal/metrics/audit_test.go
@@ -0,0 +1,88 @@
+package metrics
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestAuditingHandler(t *testing.T) {
+	tests := []struct {
+		name        string
+		writeStatus bool
+		statusCode  int
+	}{
+		{"goodpath", true, http.StatusOK},
+		{"badrequest", true, http.StatusBadRequest},
+		{"noresponse", false, 0},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			logger := &auditTestLogger{}
+			testAuditWrapper := newAuditingHandlerFuncWrapper(test.name, logger)
+			testBaseFunc := func(w http.ResponseWriter, req *http.Request) {
+				if test.writeStatus {
+					w.WriteHeader(test.statusCode)
+				}
+			}
+			handler := testAuditWrapper(testBaseFunc)
+			recorder := &httptest.ResponseRecorder{}
+			testRequest := httptest.NewRequest(http.MethodGet, "http://localhost/metrics", nil)
+			testRequestRemote := testRequest.RemoteAddr
+
+			beforeEvent := time.Now().UTC()
+			handler.ServeHTTP(recorder, testRequest)
+			afterEvent := time.Now().UTC()
+
+			if test.writeStatus && recorder.Code != test.statusCode {
+				t.Fatalf("Unexpected status code sent (expected %d, got %d)", test.statusCode, recorder.Code)
+			}
+
+			if len(logger.logs) != 1 {
+				t.Fatalf("Incorrect number of audit events produced (expect 1, got %d)", len(logger.logs))
+			}
+			event := logger.logs[0]
+
+			t.Logf("Audit event: %s", event)
+
+			decoded := auditEvent{}
+			err := json.Unmarshal([]byte(event), &decoded)
+			if err != nil {
+				t.Fatalf("Failed to unmarshal audit event: %s", err.Error())
+			}
+
+			if decoded.QueuemanagerName != test.name {
+				t.Fatalf("Incorrect queuemanager name recorded in audit event (expected '%s', got '%s')", test.name, decoded.QueuemanagerName)
+			}
+
+			if decoded.RemoteAddr != testRequestRemote {
+				t.Fatalf("Incorrect remote address recorded in audit event (expected '%s', got '%s')", testRequestRemote, decoded.RemoteAddr)
+			}
+
+			if test.writeStatus && decoded.StatusCode != test.statusCode {
+				t.Fatalf("Unexpected status code recorded in audit event (expected %d, got %d)", test.statusCode, decoded.StatusCode)
+			} else if !test.writeStatus && decoded.StatusCode != 0 {
+				t.Fatalf("Unexpected status code recorded in audit event (expected 0, got %d)", decoded.StatusCode)
+			}
+
+			ts, err := time.Parse(time.RFC3339, decoded.Timestamp)
+			if err != nil {
+				t.Fatalf("Failed to parse audit event timestamp: %s", err.Error())
+			}
+			if ts.Before(beforeEvent.Truncate(time.Second)) || ts.After(afterEvent) {
+				t.Fatalf("Audit timestamp outside expected range (expected between '%s' and '%s', got '%s')", beforeEvent.Format(time.RFC3339), afterEvent.Format(time.RFC3339), decoded.Timestamp)
+			}
+		})
+	}
+}
+
+type auditTestLogger struct {
+	logs []string
+}
+
+func (a *auditTestLogger) Append(messageLine string, deduplicateLine bool) {
+	a.logs = append(a.logs, messageLine)
+}
diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go
@@ -28,6 +28,7 @@ import (
 
 	"github.com/ibm-messaging/mq-container/internal/ready"
 	"github.com/ibm-messaging/mq-container/pkg/logger"
+	"github.com/ibm-messaging/mq-container/pkg/logrotation"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@@ -37,6 +38,11 @@ const (
 
 	// keyDirMetrics is the location of the TLS keys to use for HTTPS metrics
 	keyDirMetrics = "/etc/mqm/metrics/pki/keys"
+
+	auditLogDirectory      = "/var/mqm/errors"
+	auditLogFilenameFormat = "metricaudit%02d.json"
+	auditLogMaxBytes       = 4 * 1024 * 1024
+	auditLogNumFiles       = 3
 )
 
 var (
@@ -82,6 +88,17 @@ func startMetricsGathering(qmName string, log *logger.Logger) error {
 		return fmt.Errorf("Failed to validate HTTPS metrics configuration: %v", err)
 	}
 
+	// Generate appropriate audit log wrapper based on configuration
+	auditWrapper := passthroughHandlerFuncWrapper
+	if os.Getenv("MQ_LOGGING_METRICS_AUDIT_ENABLED") == "true" {
+		auditLog := logrotation.NewRotatingLogger(auditLogDirectory, auditLogFilenameFormat, auditLogMaxBytes, auditLogNumFiles)
+		err := auditLog.Init()
+		if err != nil {
+			return fmt.Errorf("Failed to set up metric audit log: %v", err)
+		}
+		auditWrapper = newAuditingHandlerFuncWrapper(qmName, auditLog)
+	}
+
 	if httpsMetricsEnabled {
 		log.Println("Starting HTTPS metrics gathering")
 	} else {
@@ -121,12 +138,14 @@ func startMetricsGathering(qmName string, log *logger.Logger) error {
 	}
 
 	// Setup HTTP server to handle requests from Prometheus
-	http.Handle("/metrics", promhttp.Handler())
-	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(200)
-		// #nosec G104
-		w.Write([]byte("Status: METRICS ACTIVE"))
-	})
+	http.Handle("/metrics", wrapHandler(promhttp.Handler(), auditWrapper))
+	http.HandleFunc("/", auditWrapper(
+		func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(200)
+			// #nosec G104
+			w.Write([]byte("Status: METRICS ACTIVE"))
+		},
+	))
 
 	go func() {
 		var err error
