correctly report token, use "{none}" instead of "" for folder_id

Author: qrort

internal/audit/audit_event.go

@@ -65,7 +65,7 @@ type GRPCCallEvent struct {
 	GenericAuditFields
 
 	MethodName  string          `json:"operation"`
-	GRPCRequest json.RawMessage `json:"grpc_request"`
+	GRPCRequest json.RawMessage `json:"grpc_request,omitempty"`
 }
 
 func makeEnvelope(event any) (*EventEnvelope, error) {
@@ -101,6 +101,15 @@ func getStatus(inProgress bool, err error) (AuditEventStatus, string) {
 	return status, reason
 }
 
+func formatContainerID(containerID string) string {
+	switch containerID {
+	case "", "{none}":
+		return "{none}"
+	default:
+		return containerID
+	}
+}
+
 func formatDatabase(database string) string {
 	switch database {
 	case "", "{none}":
@@ -164,7 +173,7 @@ func GRPCCallAuditEvent(
 			Action:         ActionFromMethodName(ctx, methodName),
 			Resource:       ResourceFromMethodName(ctx, methodName),
 			Component:      "grpc_api",
-			FolderID:       containerID,
+			FolderID:       formatContainerID(containerID),
 			Database:       formatDatabase(database),
 			Subject:        formatSubject(subject),
 			SanitizedToken: token,
@@ -191,7 +200,7 @@ func ReportGRPCCallBegin(
 
 func ReportGRPCCallEnd(
 	ctx context.Context, methodName string,
-	subject string, containerID string, token string, database string, err error,
+	subject string, token string, containerID string, database string, err error,
 ) {
 	event := GRPCCallAuditEvent(
 		ctx, methodName, nil, subject, token, containerID, database, false, err,

internal/audit/audit_event_test.go

@@ -400,3 +400,82 @@ func TestWithGRPCInfo(t *testing.T) {
 	require.Equal(t, "container-1", fields.ContainerID)
 	require.Equal(t, "db-1", fields.Database)
 }
+
+func TestReportGRPCCallBeginJSON(t *testing.T) {
+	ctx := grpcinfo.WithGRPCInfo(context.Background())
+	ctx = peer.NewContext(
+		ctx, &peer.Peer{
+			Addr: &mockAddr{address: "192.168.1.1"},
+		},
+	)
+	ctx = metadata.NewIncomingContext(ctx, metadata.Pairs("x_forwarded_for", "10.0.0.1"))
+
+	req := &pb.GetBackupRequest{Id: "id-req"}
+	method := pb.BackupScheduleService_GetBackupSchedule_FullMethodName
+	subj := "subj"
+	token := "tok.***"
+
+	out := CaptureEventAsString(
+		t, func() {
+			ReportGRPCCallBegin(ctx, req, method, subj, token)
+		},
+	)
+
+	var ej EventJson
+	require.NoError(t, json.Unmarshal([]byte(out), &ej))
+
+	var evt GRPCCallEvent
+	require.NoError(t, json.Unmarshal([]byte(ej.Event.TextData), &evt))
+
+	assert.Equal(t, method, evt.MethodName)
+	assert.Equal(t, StatusInProcess, evt.Status)
+	assert.Equal(t, formatSubject(subj), evt.Subject)
+	assert.Equal(t, token, evt.SanitizedToken)
+	assert.Equal(t, "{none}", evt.FolderID)
+	assert.Equal(t, "{none}", evt.Database)
+	requestID, _ := grpcinfo.GetRequestID(ctx)
+	assert.Equal(t, requestID, evt.IdempotencyKey)
+	assert.Contains(t, string(evt.GRPCRequest), "id-req")
+	assert.Contains(t, evt.RemoteAddress, "10.0.0.1")
+	assert.Contains(t, evt.RemoteAddress, "192.168.1.1")
+}
+
+func TestReportGRPCCallEndJSON(t *testing.T) {
+	ctx := grpcinfo.WithGRPCInfo(context.Background())
+	// add peer info and forwarded header
+	ctx = peer.NewContext(
+		ctx, &peer.Peer{
+			Addr: &mockAddr{address: "192.168.2.2"},
+		},
+	)
+	ctx = metadata.NewIncomingContext(ctx, metadata.Pairs("x_forwarded_for", "172.16.0.5"))
+
+	method := pb.BackupScheduleService_GetBackupSchedule_FullMethodName
+	subj := "end-subj"
+	token := "end-tok"
+	database := "db-1"
+	err := status.Error(codes.NotFound, "not found")
+
+	out := CaptureEventAsString(
+		t, func() {
+			ReportGRPCCallEnd(ctx, method, subj, token, "", database, err)
+		},
+	)
+
+	var ej EventJson
+	require.NoError(t, json.Unmarshal([]byte(out), &ej))
+
+	var evt GRPCCallEvent
+	require.NoError(t, json.Unmarshal([]byte(ej.Event.TextData), &evt))
+
+	assert.Equal(t, method, evt.MethodName)
+	assert.Equal(t, formatSubject(subj), evt.Subject)
+	assert.Equal(t, token, evt.SanitizedToken)
+	assert.Equal(t, "{none}", evt.FolderID)
+	assert.Equal(t, database, evt.Database)
+	assert.Equal(t, StatusError, evt.Status)
+	assert.Equal(t, err.Error(), evt.Reason)
+	assert.Nil(t, evt.GRPCRequest)
+	assert.Contains(t, evt.RemoteAddress, "172.16.0.5")
+	assert.Contains(t, evt.RemoteAddress, "192.168.2.2")
+}

internal/audit/audit_interceptor.go

@@ -30,8 +30,8 @@ func GetAuditFieldsForRequest(requestID string) *AuditFields {
 	v, ok := containerStore.Load(requestID)
 	if !ok {
 		return &AuditFields{
-			ContainerID: "",
-			Database:    "",
+			ContainerID: "{none}",
+			Database:    "{none}",
 		}
 	}
 	return v.(*AuditFields)
@@ -60,7 +60,7 @@ func NewAuditGRPCInterceptor(provider auth.AuthProvider) grpc.UnaryServerInterce
 		requestID, _ := grpcinfo.GetRequestID(ctx)
 		fields := GetAuditFieldsForRequest(requestID)
 		defer ClearAuditFieldsForRequest(requestID)
-		ReportGRPCCallEnd(ctx, info.FullMethod, subject, fields.ContainerID, fields.Database, token, grpcErr)
+		ReportGRPCCallEnd(ctx, info.FullMethod, subject, token, fields.ContainerID, fields.Database, grpcErr)
 		return response, grpcErr
 	}
 }