Overview ¶
Package auditserver provides Vault audit log filtering and side-effect processing.
In library mode, callers can construct a server with `New`, then call `MatchFrame` to evaluate a raw audit log frame without running a gnet event loop.
Example:
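// Construct a server for library use (no gnet event loop is started here).
// NOTE(review): what the nil argument selects is not shown on this page.
server, err := New(nil)
if err != nil {
	// handle init error, then stop: server must not be used when New fails
	return
}

// Evaluate one raw audit frame (a single JSON object) against the rule groups.
result, err := server.MatchFrame([]byte("{\"type\":\"request\",\"time\":\"2024-01-01T00:00:00Z\",\"request\":{\"operation\":\"update\",\"path\":\"secret/data/config\"},\"auth\":{\"policy_results\":{\"allowed\":true}}}"))
if err != nil {
	// handle parse error, then stop: result is not meaningful on error, so a
	// zero MatchResult must not be read as "no rule matched". Count or log
	// rejected frames so that malformed input is visible to whoever monitors
	// the audit pipeline instead of silently bypassing the rules.
	return
}
if result.Matched {
	// result.Log holds the parsed AuditLog
	// result.MatchedGroups lists matched rule group names
}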
Types ¶
type AuditServer ¶
// AuditServer filters Vault audit log frames against the configured rule
// groups. It embeds gnet's BuiltinEventEngine, and its MatchFrame method can
// also be called directly in library mode without running a gnet event loop.
type AuditServer struct {
	*gnet.BuiltinEventEngine
	// contains filtered or unexported fields
}
func (*AuditServer) MatchFrame ¶ added in v0.0.5
func (as *AuditServer) MatchFrame(frame []byte) (MatchResult, error)
MatchFrame evaluates a raw audit log frame against configured rule groups. It returns whether any group matched, the decoded audit log, and the names of matching rule groups in configured order.
Example ¶
// Clear the global viper configuration now and again on exit.
// NOTE(review): presumably New reads "rule_groups" from viper, so the reset
// keeps this example's rules from mixing with other configuration — confirm.
viper.Reset()
defer viper.Reset()

// A single rule group, "writes", whose one rule matches update operations
// that the policy check allowed.
groups := []RuleGroupConfig{
	{
		Name:  "writes",
		Rules: []string{`Request.Operation == "update" && Auth.PolicyResults.Allowed == true`},
	},
}
viper.Set("rule_groups", groups)

srv, err := New(nil)
if err != nil {
	panic(err)
}

// One raw audit frame: an allowed update request on secret/data/config.
frame := []byte(`{"type":"request","time":"2024-01-01T00:00:00Z","request":{"operation":"update","path":"secret/data/config"},"auth":{"policy_results":{"allowed":true}}}`)
result, err := srv.MatchFrame(frame)
if err != nil {
	panic(err)
}
fmt.Printf("matched=%v groups=%v\n", result.Matched, result.MatchedGroups)
Output: matched=true groups=[writes]
type Auth ¶
// Auth is the "auth" object of a Vault audit log entry, decoded from JSON.
// Rules address its fields by Go name, for example Auth.PolicyResults.Allowed.
type Auth struct {
	// ClientToken and Accessor are taken from the audit entry unchanged.
	// NOTE(review): Vault audit devices HMAC these values unless raw logging
	// (log_raw) is enabled; with raw logging this struct holds a usable token,
	// so keep it out of forwarded or persisted output — confirm per deployment.
	ClientToken string `json:"client_token"`
	Accessor string `json:"accessor"`
	DisplayName string `json:"display_name"`
	Policies []string `json:"policies"`
	TokenPolicies []string `json:"token_policies"`
	// PolicyResults carries the authorization outcome recorded for the request.
	PolicyResults struct {
		// Allowed is the boolean the example rule compares against true.
		Allowed bool `json:"allowed"`
		// GrantingPolicies lists the policies recorded under "granting_policies".
		GrantingPolicies []struct {
			Name string `json:"name"`
			NamespaceID string `json:"namespace_id"`
			Type string `json:"type"`
		} `json:"granting_policies"`
	} `json:"policy_results"`
	TokenType string `json:"token_type"`
	TokenIssueTime time.Time `json:"token_issue_time"`
}
type CompiledRule ¶
type ForwardingConfig ¶ added in v0.0.2
type LogFileConfig ¶
type MatchResult ¶ added in v0.0.5
MatchResult describes the outcome of matching a single audit frame. It mirrors the rule-group matching behavior used by the runtime event loop, returning the decoded log and any rule groups that matched.
type Request ¶
// Request is the "request" object of a Vault audit log entry, decoded from
// JSON. Rules address its fields by Go name, for example Request.Operation.
type Request struct {
	ID string `json:"id"`
	ClientID string `json:"client_id"`
	// Operation is the request verb; the package example matches on "update".
	Operation string `json:"operation"`
	MountPoint string `json:"mount_point"`
	MountType string `json:"mount_type"`
	MountAccessor string `json:"mount_accessor"`
	MountRunningVersion string `json:"mount_running_version"`
	MountClass string `json:"mount_class"`
	// NOTE(review): ClientToken and ClientTokenAccessor are HMAC values unless
	// the Vault audit device logs raw; treat them as sensitive if raw logging
	// may be on, and avoid copying them into downstream messages — confirm.
	ClientToken string `json:"client_token"`
	ClientTokenAccessor string `json:"client_token_accessor"`
	// Path is the request path, e.g. "secret/data/config" in the example.
	Path string `json:"path"`
	// NOTE(review): RemoteAddress is whatever Vault recorded; behind a proxy
	// or load balancer it may be the proxy's address — verify before using it
	// as a source-IP condition in rules.
	RemoteAddress string `json:"remote_address"`
	RemotePort int `json:"remote_port"`
}
type Response ¶
// Response is the "response" object of a Vault audit log entry, decoded from
// JSON.
type Response struct {
	MountPoint string `json:"mount_point"`
	MountType string `json:"mount_type"`
	MountAccessor string `json:"mount_accessor"`
	MountRunningPluginVersion string `json:"mount_running_plugin_version"`
	MountClass string `json:"mount_class"`
	// Data decodes a fixed set of keys from the response "data" object.
	// NOTE(review): these keys look like KV version metadata; responses from
	// other backends would leave the fields at their zero values, so rules on
	// Response.Data cannot see other response payloads — confirm.
	Data struct {
		CasRequired bool `json:"cas_required"`
		CreatedTime string `json:"created_time"`
		CurrentVersion int `json:"current_version"`
		DeleteVersionAfter string `json:"delete_version_after"`
		MaxVersions int `json:"max_versions"`
		OldestVersion int `json:"oldest_version"`
		UpdatedTime string `json:"updated_time"`
	} `json:"data"`
}
type RuleGroupConfig ¶
// RuleGroupConfig is one entry of the "rule_groups" configuration, decoded
// through its mapstructure tags.
type RuleGroupConfig struct {
	// Name identifies the group; it is the value reported in
	// MatchResult.MatchedGroups when the group matches.
	Name string `mapstructure:"name"`
	// Rules are expression strings evaluated against the decoded audit log,
	// e.g. `Request.Operation == "update" && Auth.PolicyResults.Allowed == true`.
	// NOTE(review): rules come from configuration and decide which audit events
	// are acted on, so the config source should be as trusted as the server.
	Rules []string `mapstructure:"rules"`
	// LogFile, Messaging and Forwarding configure per-group outputs.
	// NOTE(review): presumably the side effects run when the group matches;
	// their types are not shown on this page — confirm.
	LogFile LogFileConfig `mapstructure:"log_file"`
	Messaging Messaging `mapstructure:"messaging"`
	Forwarding ForwardingConfig `mapstructure:"forwarding"`
}