Allow additional auditing backend based on TimescaleDB

cmd/metal-api/internal/grpc/grpc-server.go

@@ -52,7 +52,7 @@ type ServerConfig struct {
 	ResponseInterval         time.Duration
 	CheckInterval            time.Duration
 	BMCSuperUserPasswordFile string
-	Auditing                 auditing.Auditing
+	Auditing                 []auditing.Auditing
 	IPMISuperUser            metal.MachineIPMISuperUser
 }
 
@@ -121,7 +121,7 @@ func Run(cfg *ServerConfig) error {
 		logging.UnaryServerInterceptor(interceptorLogger(log)),
 		recovery.UnaryServerInterceptor(recovery.WithRecoveryHandler(grpcPanicRecoveryHandler)),
 	}
-	if cfg.Auditing != nil {
+	if len(cfg.Auditing) > 0 {
 		shouldAudit := func(fullMethod string) bool {
 			switch fullMethod {
 			case "/api.v1.BootService/Register":
@@ -130,16 +130,19 @@ func Run(cfg *ServerConfig) error {
 				return false
 			}
 		}
-		auditStreamInterceptor, err := auditing.StreamServerInterceptor(cfg.Auditing, log.WithGroup("auditing-grpc"), shouldAudit)
-		if err != nil {
-			return err
-		}
-		auditUnaryInterceptor, err := auditing.UnaryServerInterceptor(cfg.Auditing, log.WithGroup("auditing-grpc"), shouldAudit)
-		if err != nil {
-			return err
+
+		for _, backend := range cfg.Auditing {
+			auditStreamInterceptor, err := auditing.StreamServerInterceptor(backend, log.WithGroup("auditing-grpc"), shouldAudit)
+			if err != nil {
+				return err
+			}
+			auditUnaryInterceptor, err := auditing.UnaryServerInterceptor(backend, log.WithGroup("auditing-grpc"), shouldAudit)
+			if err != nil {
+				return err
+			}
+			streamInterceptors = append(streamInterceptors, auditStreamInterceptor)
+			unaryInterceptors = append(unaryInterceptors, auditUnaryInterceptor)
 		}
-		streamInterceptors = append(streamInterceptors, auditStreamInterceptor)
-		unaryInterceptors = append(unaryInterceptors, auditUnaryInterceptor)
 	}
 
 	unaryInterceptors = append(unaryInterceptors, metrics.GrpcMetrics, recovery.UnaryServerInterceptor(recoveryOpt))

cmd/metal-api/internal/service/audit-service.go

@@ -64,7 +64,7 @@ func (r *auditResource) find(request *restful.Request, response *restful.Respons
 		return
 	}
 
-	backendResult, err := r.a.Search(auditing.EntryFilter{
+	backendResult, err := r.a.Search(request.Request.Context(), auditing.EntryFilter{
 		Limit:        requestPayload.Limit,
 		From:         requestPayload.From,
 		To:           requestPayload.To,

cmd/metal-api/main.go

@@ -287,11 +287,20 @@ func init() {
 	rootCmd.Flags().StringP("masterdata-certkeypath", "", "", "the tls certificate key to talk to the masterdata-api")
 
 	rootCmd.Flags().Bool("auditing-enabled", false, "enable auditing")
-	rootCmd.Flags().String("auditing-url", "http://localhost:7700", "url of the auditing service")
-	rootCmd.Flags().String("auditing-api-key", "secret", "api key for the auditing service")
-	rootCmd.Flags().String("auditing-index-prefix", "auditing", "auditing index prefix")
-	rootCmd.Flags().String("auditing-index-interval", "@daily", "auditing index creation interval, can be one of @hourly|@daily|@monthly")
-	rootCmd.Flags().Int64("auditing-keep", 14, "the amount of indexes to keep until cleanup")
+	rootCmd.Flags().String("auditing-search-backend", "", "the auditing backend used as a source for search in the audit service. if explicitly specified the first one configured is picked given the following order of precedence: timescaledb,meilisearch")
+
+	rootCmd.Flags().String("auditing-meili-url", "http://localhost:7700", "url of the auditing service")
+	rootCmd.Flags().String("auditing-meili-api-key", "secret", "api key for the auditing service")
+	rootCmd.Flags().String("auditing-meili-index-prefix", "auditing", "auditing index prefix")
+	rootCmd.Flags().String("auditing-meili-index-interval", "@daily", "auditing index creation interval, can be one of @hourly|@daily|@monthly")
+	rootCmd.Flags().Int64("auditing-meili-keep", 14, "the amount of indexes to keep until cleanup")
+
+	rootCmd.Flags().String("auditing-timescaledb-host", "", "host of the auditing service")
+	rootCmd.Flags().String("auditing-timescaledb-port", "", "port of the auditing service")
+	rootCmd.Flags().String("auditing-timescaledb-db", "", "database name of the auditing service")
+	rootCmd.Flags().String("auditing-timescaledb-user", "", "user for the auditing service")
+	rootCmd.Flags().String("auditing-timescaledb-password", "", "password for the auditing service")
+	rootCmd.Flags().String("auditing-timescaledb-retention", "", "the time until audit traces are cleaned up")
 
 	rootCmd.Flags().String("headscale-addr", "", "address of headscale server")
 	rootCmd.Flags().String("headscale-cp-addr", "", "address of headscale control plane")
@@ -691,7 +700,7 @@ func initAuth(lg *slog.Logger) security.UserGetter {
 	return security.NewCreds(auths...)
 }
 
-func initRestServices(audit auditing.Auditing, withauth bool, ipmiSuperUser metal.MachineIPMISuperUser) *restfulspec.Config {
+func initRestServices(searchAuditBackend auditing.Auditing, allAuditBackends []auditing.Auditing, withauth bool, ipmiSuperUser metal.MachineIPMISuperUser) *restfulspec.Config {
 	service.BasePath = viper.GetString("base-path")
 	if !strings.HasPrefix(service.BasePath, "/") || !strings.HasSuffix(service.BasePath, "/") {
 		log.Fatal("base path must start and end with a slash")
@@ -757,7 +766,7 @@ func initRestServices(audit auditing.Auditing, withauth bool, ipmiSuperUser meta
 		releaseVersion = pointer.Pointer(viper.GetString("release-version"))
 	}
 
-	restful.DefaultContainer.Add(service.NewAudit(logger.WithGroup("audit-service"), audit))
+	restful.DefaultContainer.Add(service.NewAudit(logger.WithGroup("audit-service"), searchAuditBackend))
 	restful.DefaultContainer.Add(service.NewPartition(logger.WithGroup("partition-service"), ds, nsqer))
 	restful.DefaultContainer.Add(service.NewImage(logger.WithGroup("image-service"), ds))
 	restful.DefaultContainer.Add(service.NewSize(logger.WithGroup("size-service"), ds, mdc))
@@ -790,8 +799,8 @@ func initRestServices(audit auditing.Auditing, withauth bool, ipmiSuperUser meta
 		restful.DefaultContainer.Filter(ensurer.EnsureAllowedTenantFilter)
 	}
 
-	if audit != nil {
-		httpFilter, err := auditing.HttpFilter(audit, logger.WithGroup("audit-middleware"))
+	for _, backend := range allAuditBackends {
+		httpFilter, err := auditing.HttpFilter(backend, logger.WithGroup("audit-middleware"))
 		if err != nil {
 			log.Fatalf("unable to create http filter for auditing: %s", err)
 		}
@@ -830,10 +839,9 @@ func initHeadscale() error {
 }
 
 func dumpSwaggerJSON() {
-
 	// This is required to make dump work
 	ipamer = ipam.New(nil)
-	cfg := initRestServices(nil, false, metal.DisabledIPMISuperUser())
+	cfg := initRestServices(nil, nil, false, metal.DisabledIPMISuperUser())
 	actual := restfulspec.BuildSwagger(*cfg)
 
 	// declare custom type for default errors, see:
@@ -908,33 +916,74 @@ func evaluateVPNConnected() error {
 }
 
 // might return (nil, nil) if auditing is disabled!
-func createAuditingClient(log *slog.Logger) (auditing.Auditing, error) {
+func createAuditingClient(log *slog.Logger) (searchBackend auditing.Auditing, backends []auditing.Auditing, err error) {
 	isEnabled := viper.GetBool("auditing-enabled")
 	if !isEnabled {
 		log.Warn("auditing is disabled, can be enabled by setting --auditing-enabled=true")
-		return nil, nil
+		return nil, nil, nil
 	}
 
 	c := auditing.Config{
-		Component:        "metal-api",
-		URL:              viper.GetString("auditing-url"),
-		APIKey:           viper.GetString("auditing-api-key"),
-		IndexPrefix:      viper.GetString("auditing-index-prefix"),
-		RotationInterval: auditing.Interval(viper.GetString("auditing-index-interval")),
-		Keep:             viper.GetInt64("auditing-keep"),
-		Log:              log, //FIXME
-	}
-	return auditing.New(c)
+		Component: "metal-api",
+		Log:       log,
+	}
+
+	if viper.IsSet("auditing-timescaledb-host") {
+		backend, err := auditing.NewTimescaleDB(c, auditing.TimescaleDbConfig{
+			Host:      viper.GetString("auditing-timescaledb-host"),
+			Port:      viper.GetString("auditing-timescaledb-port"),
+			DB:        viper.GetString("auditing-timescaledb-db"),
+			User:      viper.GetString("auditing-timescaledb-user"),
+			Password:  viper.GetString("auditing-timescaledb-password"),
+			Retention: viper.GetString("auditing-timescaledb-retention"),
+		})
+
+		if err != nil {
+			return nil, nil, err
+		}
+
+		backends = append(backends, backend)
+
+		if viper.GetString("auditing-search-backend") == "timescaledb" {
+			searchBackend = backend
+		}
+	}
+
+	if viper.IsSet("auditing-meili-api-key") {
+		backend, err := auditing.NewMeilisearch(c, auditing.MeilisearchConfig{
+			URL:              viper.GetString("auditing-meili-url"),
+			APIKey:           viper.GetString("auditing-meili-api-key"),
+			IndexPrefix:      viper.GetString("auditing-meili-index-prefix"),
+			RotationInterval: auditing.Interval(viper.GetString("auditing-meili-index-interval")),
+			Keep:             viper.GetInt64("auditing-meili-keep"),
+		})
+
+		if err != nil {
+			return nil, nil, err
+		}
+
+		backends = append(backends, backend)
+
+		if viper.GetString("auditing-search-backend") == "meilisearch" {
+			searchBackend = backend
+		}
+	}
+
+	if searchBackend == nil {
+		searchBackend = pointer.FirstOrZero(backends)
+	}
+
+	return searchBackend, backends, nil
 }
 
 func run() error {
 	ipmiSuperUser := metal.NewIPMISuperUser(logger, viper.GetString("bmc-superuser-pwd-file"))
 
-	audit, err := createAuditingClient(logger)
+	auditSearchBackend, allAuditBackends, err := createAuditingClient(logger)
 	if err != nil {
 		log.Fatalf("cannot create auditing client:%s ", err)
 	}
-	initRestServices(audit, true, ipmiSuperUser)
+	initRestServices(auditSearchBackend, allAuditBackends, true, ipmiSuperUser)
 
 	// enable OPTIONS-request so clients can query CORS information
 	restful.DefaultContainer.Filter(restful.DefaultContainer.OPTIONSFilter)
@@ -994,7 +1043,7 @@ func run() error {
 			ServerCertFile:           viper.GetString("grpc-server-cert-file"),
 			ServerKeyFile:            viper.GetString("grpc-server-key-file"),
 			BMCSuperUserPasswordFile: viper.GetString("bmc-superuser-pwd-file"),
-			Auditing:                 audit,
+			Auditing:                 allAuditBackends,
 			IPMISuperUser:            ipmiSuperUser,
 		})
 		if err != nil {

go.mod

@@ -20,8 +20,8 @@ require (
 	github.com/looplab/fsm v1.0.2
 	github.com/metal-stack/go-ipam v1.14.8
 	github.com/metal-stack/masterdata-api v0.11.5
-	github.com/metal-stack/metal-lib v0.19.0
-	github.com/metal-stack/security v0.9.1
+	github.com/metal-stack/metal-lib v0.20.0
+	github.com/metal-stack/security v0.9.3
 	github.com/metal-stack/v v1.0.3
 	github.com/nsqio/go-nsq v1.1.0
 	github.com/prometheus/client_golang v1.20.5
@@ -110,6 +110,7 @@ require (
 	github.com/lestrrat-go/jwx/v2 v2.1.3 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
+	github.com/lopezator/migrator v0.3.1 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect

go.sum

@@ -174,10 +174,22 @@ github.com/icza/dyno v0.0.0-20230330125955-09f820a8d9c0 h1:nHoRIX8iXob3Y2kdt9Ksj
 github.com/icza/dyno v0.0.0-20230330125955-09f820a8d9c0/go.mod h1:c1tRKs5Tx7E2+uHGSyyncziFjvGpgv4H2HrqXeUQ/Uk=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
+github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
+github.com/jackc/pgconn v1.11.0 h1:HiHArx4yFbwl91X3qqIHtUFoiIfLNJXCQRsnzkiwwaQ=
+github.com/jackc/pgconn v1.11.0/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
+github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
+github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgproto3/v2 v2.2.0 h1:r7JypeP2D3onoQTCxWdTpCtJ4D+qpKr0TxvoyMhZ5ns=
+github.com/jackc/pgproto3/v2 v2.2.0/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgtype v1.10.0 h1:ILnBWrRMSXGczYvmkYD6PsYyVFUNLTnIUJHHDLmqk38=
+github.com/jackc/pgtype v1.10.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
+github.com/jackc/pgx/v4 v4.15.0 h1:B7dTkXsdILD3MF987WGGCcg+tvLW6bZJdEcqVFeU//w=
+github.com/jackc/pgx/v4 v4.15.0/go.mod h1:D/zyOyXiaM1TmVWnOM18p0xdDtdakRBa0RsVGI3U3bw=
 github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
 github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
@@ -233,6 +245,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/looplab/fsm v1.0.2 h1:f0kdMzr4CRpXtaKKRUxwLYJ7PirTdwrtNumeLN+mDx8=
 github.com/looplab/fsm v1.0.2/go.mod h1:PmD3fFvQEIsjMEfvZdrCDZ6y8VwKTwWNjlpEr6IKPO4=
+github.com/lopezator/migrator v0.3.1 h1:ZFPT6aC7+nGWkqhleynABZ6ftycSf6hmHHLOaryq1Og=
+github.com/lopezator/migrator v0.3.1/go.mod h1:X+lHDMZ9Ci3/KdbypJcQYFFwipVrJsX4fRCQ4QLauYk=
 github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 h1:7UMa6KCCMjZEMDtTVdcGu0B1GmmC7QJKiCCjyTAWQy0=
 github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
@@ -257,10 +271,10 @@ github.com/metal-stack/go-ipam v1.14.8 h1:M840hp1RcM2fHfMjFG5rn02yKFq6hXh+WvmYIS
 github.com/metal-stack/go-ipam v1.14.8/go.mod h1:LzAKT0X9dGAMs1uoLyJfJZkhwMMDLaSYvx9n6MJ9FI4=
 github.com/metal-stack/masterdata-api v0.11.5 h1:r7bYdhdVgOjCk6k7K/SCLlHALH23ZuMGY8E4udk4wXQ=
 github.com/metal-stack/masterdata-api v0.11.5/go.mod h1:Xk8kqxAp3NkAc2BX8yTIWgSlD77T897QSdRSluWvP4w=
-github.com/metal-stack/metal-lib v0.19.0 h1:4yBnp/jPGgX9KeCje3A4MFL2oDjgjOjgsIK391LltRI=
-github.com/metal-stack/metal-lib v0.19.0/go.mod h1:fCMaWwVGA/xAoGvBk72/nfzqBkHly0iOzrWpc55Fau4=
-github.com/metal-stack/security v0.9.1 h1:cx3afSJPSOh03E9gKjdG6mbNU+ox/dqV7q8T9MkrHxo=
-github.com/metal-stack/security v0.9.1/go.mod h1:ENm5kPjqh4uYvn79sAIxd6GZBwtF2GSsGdkLELrB/D4=
+github.com/metal-stack/metal-lib v0.20.0 h1:9JHzGSNpmUoREisSU/KT67Wca+J3A64pqVhMBcPSo5E=
+github.com/metal-stack/metal-lib v0.20.0/go.mod h1:zYzXYpNA4nQ+ANx19s/+1Yb/Q6xhS1nQK2yK2/ryXZM=
+github.com/metal-stack/security v0.9.3 h1:ZF5rGeZ4fIFe0DFFQWkXsUDCzODyjdrpvKmeaLOz9lo=
+github.com/metal-stack/security v0.9.3/go.mod h1:ENm5kPjqh4uYvn79sAIxd6GZBwtF2GSsGdkLELrB/D4=
 github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs=
 github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=