EXT-1523 Write audit records always except for denylist (#25387) (#25642)

Co-authored-by: nfrmtk <[email protected]>

Author: StekPerepolnen

ydb/core/mon/audit/audit.cpp

@@ -1,5 +1,5 @@
 #include "audit.h"
-#include "auditable_actions.cpp"
+#include "audit_denylist.cpp"
 
 #include <ydb/core/audit/audit_log.h>
 #include <ydb/core/audit/audit_config/audit_config.h>
@@ -50,9 +50,9 @@ namespace {
         return reason;
     }
 
-    inline TUrlMatcher CreateAuditableActionsMatcher() {
+    inline TUrlMatcher CreateDenylistMatcher() {
         TUrlMatcher policy;
-        for (const auto& pattern : AUDITABLE_ACTIONS) {
+        for (const auto& pattern : AUDIT_DENYLIST) {
             policy.AddPattern(pattern);
         }
         return policy;
@@ -73,8 +73,8 @@ void TAuditCtx::AddAuditLogPart(TStringBuf name, const TString& value) {
     Parts.emplace_back(name, value);
 }
 
-bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request) {
-    // only modifying methods are audited
+bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request) const {
+    // modifying methods are always audited
     const TString method(request->Method);
     static const THashSet<TString> MODIFYING_METHODS = {"POST", "PUT", "DELETE"};
     if (MODIFYING_METHODS.contains(method)) {
@@ -86,13 +86,13 @@ bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request)
         return false;
     }
 
-    // force audit for specific URLs
-    static auto FORCE_AUDIT_MATCHER = CreateAuditableActionsMatcher();
-    if (FORCE_AUDIT_MATCHER.Match(request->URL)) {
-        return true;
+    // skip audit for URLs from denylist
+    static auto DENYLIST_MATCHER = CreateDenylistMatcher();
+    if (DENYLIST_MATCHER.Match(request->URL)) {
+        return false;
     }
 
-    return false;
+    return true;
 }
 
 void TAuditCtx::InitAudit(const NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr& ev) {

ydb/core/mon/audit/audit.h

@@ -27,10 +27,10 @@ class TAuditCtx {
     void LogOnCompleted(const NHttp::THttpOutgoingResponsePtr& response);
     void SetSubjectType(NACLibProto::ESubjectType subjectType);
     static bool AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase, NACLibProto::ESubjectType subjectType);
+    bool AuditableRequest(const NHttp::THttpIncomingRequestPtr& request) const;
 
 private:
     void AddAuditLogPart(TStringBuf name, const TString& value);
-    bool AuditableRequest(const NHttp::THttpIncomingRequestPtr& request);
 
     TAuditParts Parts;
     bool Auditable = false;

ydb/core/mon/audit/audit_denylist.cpp

@@ -0,0 +1,36 @@
+#include "url_matcher.h"
+
+#include <util/generic/string.h>
+#include <util/generic/vector.h>
+
+namespace NMonitoring::NAudit {
+
+// Audit logging is enabled for all requests that either
+// 1) use modifying HTTP methods (POST, PUT, DELETE), or
+// 2) target endpoints not listed in AUDIT_DENYLIST.
+// The denylist excludes frequently queried read-only endpoints with no security value.
+const TVector<TUrlPattern> AUDIT_DENYLIST = {
+    { .Path = "/" },
+    { .Path = "/internal"},
+    { .Path = "/ver"},
+    { .Path = "/counters", .Recursive = true },
+
+    // viewer endpoints
+    { .Path = "/viewer", .Recursive = true },
+    { .Path = "/vdisk", .Recursive = true },
+    { .Path = "/pdisk", .Recursive = true },
+    { .Path = "/monitoring", .Recursive = true },
+    { .Path = "/healthcheck", .Recursive = true },
+    { .Path = "/operation", .Recursive = true },
+    { .Path = "/query", .Recursive = true },
+    { .Path = "/scheme", .Recursive = true },
+    { .Path = "/storage", .Recursive = true },
+
+    // static resources such as JS, CSS, images
+    { .Path = "/static", .Recursive = true },
+    { .Path = "/jquery.tablesorter.js" },
+    { .Path = "/jquery.tablesorter.css" },
+    { .Path = "/lwtrace/mon/static", .Recursive = true },
+};
+
+}

ydb/core/mon/audit/audit_ut.cpp

@@ -5,8 +5,57 @@
 
 using namespace NMonitoring::NAudit;
 
+namespace {
+
+struct TRequestHolder : public NHttp::THttpIncomingRequest {
+    TStringBuf Store(TString value) {
+        return Storage.emplace_back(std::move(value));
+    }
+private:
+    TVector<TString> Storage;
+};
+
+NHttp::THttpIncomingRequestPtr MakeRequest(TString method, TString url) {
+    auto request = MakeIntrusive<TRequestHolder>();
+    request->Method = request->Store(std::move(method));
+    request->URL = request->Store(std::move(url));
+    return std::move(request);
+}
+
+} // namespace
+
 Y_UNIT_TEST_SUITE(TAuditTest) {
     Y_UNIT_TEST(AuditDisabledWithoutAppData) {
         UNIT_ASSERT(!TAuditCtx::AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::Completed, NACLibProto::SUBJECT_TYPE_ANONYMOUS));
     }
+
+    Y_UNIT_TEST(ModifyingMethodsAlwaysAuditable) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("POST", "/path")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("PUT", "/path")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("DELETE", "/path")));
+
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("POST", "/counters")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("PUT", "/counters")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("DELETE", "/counters")));
+    }
+
+    Y_UNIT_TEST(OptionsRequestsAreNotAudited) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("OPTIONS", "/path")));
+    }
+
+    Y_UNIT_TEST(BlacklistedPathsAreNotAudited) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/counters")));
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/viewer/subpage")));
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/viewer?mode=overview")));
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/monitoring/cluster/static/js/24615.12b53f26.chunk.js")));
+    }
+
+    Y_UNIT_TEST(OtherGetRequestsAreAudited) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("GET", "/other")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("GET", "/viewerstats?mode=overview")));
+    }
 }

ydb/core/mon/audit/auditable_actions.cpp

@@ -3,8 +3,6 @@
 
 namespace NMonitoring::NAudit {
 
-const TString ANY_PATH = "*";
-
 void TUrlMatcher::AddPattern(const TUrlPattern& pattern) {
     TStringBuf path = pattern.Path;
     TNode* node = &Root;
@@ -18,17 +16,11 @@ void TUrlMatcher::AddPattern(const TUrlPattern& pattern) {
         node = &node->Children[part];
     }
 
-    if (pattern.ParamName.empty()) {
-        node->MatchWithoutParams = true;
-    } else {
-        TParamCondition param;
-        param.Name = pattern.ParamName;
-        param.ExpectedValue = pattern.ParamValue;
-        node->MatchedParams.push_back(std::move(param));
-    }
+    node->PatternEnd = true;
+    node->Recursive = pattern.Recursive;
 }
 
-bool TUrlMatcher::Match(const TStringBuf originalPath, const TCgiParameters& params) const {
+bool TUrlMatcher::MatchPath(const TStringBuf originalPath) const {
     TStringBuf path(originalPath);
     if (path.StartsWith('/')) {
         path = path.Skip(1);
@@ -44,33 +36,24 @@ bool TUrlMatcher::Match(const TStringBuf originalPath, const TCgiParameters& par
         }
 
         auto it = node->Children.find(part);
-        if (it == node->Children.end()) {
-            it = node->Children.find(ANY_PATH);
-        }
         if (it == node->Children.end()) {
             return false;
         }
         node = &it->second;
-    };
-
-    if (node->MatchWithoutParams) {
-        return true;
-    }
-    for (const auto& p : node->MatchedParams) {
-        if (params.Has(p.Name) && (p.ExpectedValue.empty() || params.Get(p.Name) == p.ExpectedValue)) {
+        if (node->Recursive) {
             return true;
         }
-    }
+    };
 
-    return false;
+    return node->PatternEnd;
 }
 
 bool TUrlMatcher::Match(const TStringBuf url) const {
     const auto path = url.Before('?');
     const auto params = url.After('?');
     const auto cgiParams = TCgiParameters(params);
 
-    return Match(path, cgiParams);
+    return MatchPath(path);
 }
 
 }

ydb/core/mon/audit/url_matcher.cpp

@@ -12,26 +12,20 @@ namespace NMonitoring::NAudit {
 
 struct TUrlPattern {
     TString Path;
-    TString ParamName;
-    TString ParamValue;
+    bool Recursive = false;
 };
 
 class TUrlMatcher {
 public:
-    void AddPattern(const TUrlPattern& rule);
-    bool Match(const TStringBuf path, const TCgiParameters& params) const;
+    void AddPattern(const TUrlPattern& pattern);
+    bool MatchPath(const TStringBuf path) const;
     bool Match(const TStringBuf url) const;
 
 private:
-    struct TParamCondition {
-        TString Name;
-        TString ExpectedValue;
-    };
-
     struct TNode {
         THashMap<TString, TNode> Children;
-        bool MatchWithoutParams = false;
-        TVector<TParamCondition> MatchedParams;
+        bool PatternEnd = false;
+        bool Recursive = false;
     };
 
     TNode Root;

ydb/core/mon/audit/url_matcher.h

@@ -8,7 +8,7 @@ using namespace NMonitoring::NAudit;
 Y_UNIT_TEST_SUITE(TUrlMatcherTest) {
     Y_UNIT_TEST(MatchExactPathOnly) {
         NMonitoring::NAudit::TUrlMatcher matcher;
-        matcher.AddPattern({.Path = "/a/b/c"});
+        matcher.AddPattern({.Path = "/a/b/c", .Recursive = false});
 
         UNIT_ASSERT(matcher.Match("/a/b/c"));
         UNIT_ASSERT(matcher.Match("a/b/c"));
@@ -24,48 +24,19 @@ Y_UNIT_TEST_SUITE(TUrlMatcherTest) {
         UNIT_ASSERT(!matcher.Match("//a/b/c"));
         UNIT_ASSERT(!matcher.Match("/a/b///c"));
         UNIT_ASSERT(!matcher.Match("/a/b/c/d"));
+        UNIT_ASSERT(!matcher.Match("/a/b/c/d/e/f"));
     }
 
-    Y_UNIT_TEST(MatchWithParamNameOnly) {
+    Y_UNIT_TEST(MatchRecursive) {
         NMonitoring::NAudit::TUrlMatcher matcher;
-        matcher.AddPattern({.Path = "/a/b", .ParamName = "mode"});
-
-        UNIT_ASSERT(matcher.Match("/a/b?mode="));
-        UNIT_ASSERT(matcher.Match("/a/b?mode="));
-        UNIT_ASSERT(matcher.Match("/a/b?mode=1"));
-        UNIT_ASSERT(matcher.Match("/a/b?other=1&mode=1"));
-
-        UNIT_ASSERT(!matcher.Match("/a/b"));
-        UNIT_ASSERT(!matcher.Match("/a?mode=1"));
-        UNIT_ASSERT(!matcher.Match("/a/b?other=1"));
-        UNIT_ASSERT(!matcher.Match("/a/b/c?mode=1"));
-    }
-
-    Y_UNIT_TEST(MatchWithParamNameAndValue) {
-        NMonitoring::NAudit::TUrlMatcher matcher;
-        matcher.AddPattern({.Path = "/a/b", .ParamName = "action", .ParamValue = "start"});
-        matcher.AddPattern({.Path = "/a/b", .ParamName = "action", .ParamValue = "stop"});
-
-        UNIT_ASSERT(matcher.Match("/a/b?action=start"));
-        UNIT_ASSERT(matcher.Match("/a/b?action=stop"));
-        UNIT_ASSERT(matcher.Match("/a/b?k=stop&action=start"));
-
-        UNIT_ASSERT(!matcher.Match("/a/b"));
-        UNIT_ASSERT(!matcher.Match("/a/b?action=restart"));
-        UNIT_ASSERT(!matcher.Match("/a/b?k=stop"));
-        UNIT_ASSERT(!matcher.Match("/a/b/c?action=start"));
-    }
-
-    Y_UNIT_TEST(MatchWithWildcardPath) {
-        NMonitoring::NAudit::TUrlMatcher matcher;
-        matcher.AddPattern({.Path = "/actors/blobstorageproxies/*", .ParamName = "PutSamplingRate"});
+        matcher.AddPattern({.Path = "/actors/blobstorageproxies", .Recursive = true});
 
+        UNIT_ASSERT(matcher.Match("/actors/blobstorageproxies"));
+        UNIT_ASSERT(matcher.Match("/actors/blobstorageproxies/blobstorageproxy2181038080"));
         UNIT_ASSERT(matcher.Match("/actors/blobstorageproxies/blobstorageproxy2181038080?PutSamplingRate=1"));
         UNIT_ASSERT(matcher.Match("/actors/blobstorageproxies/somethingelse?PutSamplingRate=123"));
 
-        UNIT_ASSERT(!matcher.Match("/actors/blobstorageproxies"));
-        UNIT_ASSERT(!matcher.Match("/actors/blobstorageproxies/blobstorageproxy2181038080"));
-        UNIT_ASSERT(!matcher.Match("/actors/blobstorageproxies/blobstorageproxy2181038080?OtherParam=1"));
+        UNIT_ASSERT(!matcher.Match("/actors/blobstorageproxies123"));
         UNIT_ASSERT(!matcher.Match("/actors/otherproxy/blobstorageproxy2181038080?PutSamplingRate=1"));
     }
 }

ydb/core/mon/audit/url_matcher_ut.cpp

@@ -5,7 +5,7 @@ RECURSE_FOR_TESTS(
 LIBRARY()
 
 SRCS(
-    auditable_actions.cpp
+    audit_denylist.cpp
     audit.cpp
     url_matcher.cpp
 )