From e3d3ab0214eaeab89723595296b175e0d113c945 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:02:29 +0200 Subject: [PATCH 1/9] add user name to access log --- lib/constants.js | 3 ++- lib/middleware/proxy.js | 1 + lib/services/keystoneAuth.js | 7 +++++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/constants.js b/lib/constants.js index 83f7107..d955013 100644 --- a/lib/constants.js +++ b/lib/constants.js @@ -32,7 +32,8 @@ var constants = { X_REAL_IP_HEADER: 'x-real-ip', CORRELATOR_HEADER: 'fiware-correlator', - GET_ROLES_PATH: '/user' + GET_ROLES_PATH: '/user', + NA: 'N/A' }; diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 86878da..a2f0dd2 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -201,6 +201,7 @@ function accountInfo(req, res, next) { ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + ' | UserId=' + req.userId + + ' | UserName=' + req.userName + ' | ServiceId=' + req.serviceId + ' | Service=' + req.service + ' | SubServiceId=' + req.subserviceId + diff --git a/lib/services/keystoneAuth.js b/lib/services/keystoneAuth.js index a695d67..4ffacee 100644 --- a/lib/services/keystoneAuth.js +++ b/lib/services/keystoneAuth.js @@ -191,6 +191,7 @@ function retrieveUser(req, callback) { req.serviceId = cachedValue.serviceId; req.domainName = cachedValue.domainName; req.userId = cachedValue.userId; + req.userName = cachedValue.userName; logger.debug('User value processed with value: %j', cachedValue); @@ -245,7 +246,8 @@ function retrieveUser(req, callback) { cachedValue = { domainName: body.token.project.domain.name, serviceId: body.token.project.domain.id, - userId: body.token['OS-TRUST:trust'].trustor_user.id + userId: body.token['OS-TRUST:trust'].trustor_user.id, + userName: constants.NA }; innerCb(null, cachedValue); 
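Review bot: The new `' | UserName=' + req.userName +` field splices a string that the PEP receives from Keystone (`body.token.user.name` in the keystoneAuth.js hunks of this same patch) straight into a `|`/`=`-delimited access-log line, so a user name containing ` | `, `=` or a line break would split or forge fields in the line the audit trail is parsed from. Writing it as `' | UserName=' + JSON.stringify(req.userName) +` keeps the value quoted and escapes control characters, and a missing value then shows as `undefined` only once rather than corrupting the layout. Whether Keystone restricts user-name characters is not visible here, so the escaping is the safe default. accountInfo's body starts and ends outside the hunk.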
@@ -256,7 +258,8 @@ function retrieveUser(req, callback) { cachedValue = { domainName: body.token.user.domain.name, serviceId: body.token.user.domain.id, - userId: body.token.user.id + userId: body.token.user.id, + userName: body.token.user.name }; req.userData = cachedValue; From 632cfb9cff6f7df5ef7f8c11424f102c88608c80 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:12:31 +0200 Subject: [PATCH 2/9] fix userName when token is from Trust --- lib/services/keystoneAuth.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/services/keystoneAuth.js b/lib/services/keystoneAuth.js index 4ffacee..a47aa6b 100644 --- a/lib/services/keystoneAuth.js +++ b/lib/services/keystoneAuth.js @@ -249,7 +249,9 @@ function retrieveUser(req, callback) { userId: body.token['OS-TRUST:trust'].trustor_user.id, userName: constants.NA }; - + if (body.token.user) { + cachedValue['userName'] = body.token.user.name; + } innerCb(null, cachedValue); } else if (body.token && body.token.user && body.token.user.domain && From 9b5d7502b2a5a9d7a52d56336f0ef4036f8ccb57 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:16:14 +0200 Subject: [PATCH 3/9] fix linter --- lib/services/keystoneAuth.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/services/keystoneAuth.js b/lib/services/keystoneAuth.js index a47aa6b..f95f813 100644 --- a/lib/services/keystoneAuth.js +++ b/lib/services/keystoneAuth.js @@ -250,7 +250,7 @@ function retrieveUser(req, callback) { userName: constants.NA }; if (body.token.user) { - cachedValue['userName'] = body.token.user.name; + cachedValue.userName = body.token.user.name; } innerCb(null, cachedValue); From 5f12d00925da38a046a143c0a29ba757891f45b3 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:23:14 +0200 Subject: [PATCH 4/9] add userName to account InfoError --- lib/fiware-pep-steelskin.js | 3 +++ 1 file changed, 3 insertions(+) 
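Review bot: For a Keystone trust-scoped token, `body.token.user` is the trustee (the user who redeemed the trust), while the `userId` assigned one line above this hunk is `OS-TRUST:trust.trustor_user.id`, so after the new `if (body.token.user) { cachedValue.userName = body.token.user.name; }` the access log pairs the trustor's id with the trustee's name as if they were one principal. If the intent is to name the acting user, say so at the assignment, e.g. `// trustee name: the user acting on behalf of trustor_user (userId above)`, and consider also caching the trustee id so the trust relation is auditable rather than ambiguous. This is as far as I recall the v3 token layout; worth confirming against the Keystone response before relying on the log. retrieveUser's body starts and ends outside the hunk.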
diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index 6be28ed..3b1946f 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -79,7 +79,10 @@ function accountInfoError(error, req, res, next) { ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + ' | UserId=' + req.userId + + ' | ServiceId=' + req.serviceId + + ' | UserName=' + req.userName + ' | Service=' + req.service + + ' | SubServiceId=' + req.subserviceId + ' | SubService=' + req.subService + ' | Action=' + req.action + ' | Date=' + new Date().toJSON()); From 72a9d5d11dc6d126d9ef5236e13aa7b361d61de2 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Fri, 4 Oct 2024 11:53:14 +0200 Subject: [PATCH 5/9] add path and body to account log --- lib/fiware-pep-steelskin.js | 2 ++ lib/middleware/proxy.js | 2 ++ 2 files changed, 4 insertions(+) diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index 3b1946f..2de643c 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -85,6 +85,8 @@ function accountInfoError(error, req, res, next) { ' | SubServiceId=' + req.subserviceId + ' | SubService=' + req.subService + ' | Action=' + req.action + + ' | Path=' + req.path + + ' | Body=' + JSON.stringify(req.body) + ' | Date=' + new Date().toJSON()); next(error); } diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index a2f0dd2..0dd8014 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -207,6 +207,8 @@ function accountInfo(req, res, next) { ' | SubServiceId=' + req.subserviceId + ' | SubService=' + req.subService + ' | Action=' + req.action + + ' | Path=' + req.path + + ' | Body=' + JSON.stringify(req.body).slice(0, 100) + ' | Date=' + new Date().toJSON()); }); } From efbb8f795a1771939e2f2e743b8a1be2851b14c9 Mon Sep 17 00:00:00 2001 
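Review bot: The inserted fields give this line the order `UserId, ServiceId, UserName, Service, SubServiceId`, whereas accountInfo in lib/middleware/proxy.js (patch 1 of this series) emits `UserId, UserName, ServiceId, Service, SubServiceId`; both lines go to the same access log, so a consumer keyed on field order will mis-read one of them, and the two functions should agree. This handler also runs when authentication or authorization failed, i.e. often before retrieveUser has populated `req.userName` or `req.serviceId`, so the new fields will frequently print `undefined`; a fallback like `' | UserName=' + (req.userName || 'N/A') +` (or `constants.NA`, if constants is in scope in this file) keeps the format stable for parsers. accountInfoError's body starts outside the hunk.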
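Review bot: `' | Body=' + JSON.stringify(req.body) +` writes the complete request body of every rejected request into the access log with no size cap, while the counterpart added to accountInfo in proxy.js in this same patch truncates with `.slice(0, 100)`; a large PUT therefore lands in the log in full. Request bodies passing through a PEP can carry credentials, tokens or personal data that an access log should not retain, so at minimum apply the same truncation here, and consider redacting known sensitive keys before stringifying. The proxy.js hunk of this patch has the same retention concern at a smaller size. accountInfoError's body starts outside the hunk.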
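Review bot: `JSON.stringify(req.body).slice(0, 100)` throws a TypeError when `req.body` is undefined, because `JSON.stringify(undefined)` returns undefined and has no `.slice`; this runs inside the `'response'` event listener, where an exception is not caught by the Express error chain. Whether `req.body` is always populated depends on the body-parsing middleware ahead of this one, which is not visible here, so the cheap guard `' | Body=' + String(JSON.stringify(req.body)).slice(0, 100) +` is worth having, and `JSON.stringify` can also throw on circular structures, which argues for a small try/catch around the formatting. accountInfo's body starts outside the hunk.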
From: Alvaro Vega Date: Mon, 7 Oct 2024 11:50:28 +0200 Subject: [PATCH 6/9] add check access match --- configAccessMatch.js | 29 +++++++++++++++++++++++++++++ lib/fiware-pep-steelskin.js | 1 + lib/middleware/proxy.js | 32 +++++++++++++++++++++++++++++++- 3 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 configAccessMatch.js diff --git a/configAccessMatch.js b/configAccessMatch.js new file mode 100644 index 0000000..51c2339 --- /dev/null +++ b/configAccessMatch.js @@ -0,0 +1,29 @@ +'use strict'; + +/** + * List of access match + */ +var configAccessMatch = {}; + +// Activity related with a list of users +configAccessMatch.users = [ + 'cloud_admin', 'pep', +]; + +// Activity related with request which the following headers +configAccessMatch.headers = [ + { "Fiware-service": "smartcity" }, +]; + +// Activity related with request including the following subpaths +configAccessMatch.subpath = [ + '/v1', +]; + +// Activity related with request including the following strings in body +configAccessMatch.body = [ + 'legacy' +]; + + +exports.configAccessMatch = configAccessMatch; diff --git a/lib/fiware-pep-steelskin.js b/lib/fiware-pep-steelskin.js index 2de643c..b425b81 100644 --- a/lib/fiware-pep-steelskin.js +++ b/lib/fiware-pep-steelskin.js @@ -123,6 +123,7 @@ function setAccessLogger() { }) ] }); + proxyMiddleware.watchConfigAccessMatchFile(); } /** diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 0dd8014..2bb7924 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
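Review bot: The header comment `List of access match` does not say what these lists do, and the rest of this series makes that non-obvious: accountInfo in proxy.js consults them to tag access-log lines, and the file is re-`require`d whenever it changes. The shipped values (`cloud_admin`, `pep`, `smartcity`, `127.0.0.1`, `legacy`) read as examples rather than a deliberate default, so an operator deploying this as-is gets a watch-list of sample entries; a comment such as `// Entries that tag matching requests in the access log; edited live (file is reloaded on change) — ship empty lists in production` would make both points clear. Because the lists are JavaScript rather than data, every reload executes the file's contents inside the PEP, so the comment should also state that the file must be writable only by the service owner.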
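Review bot: `proxyMiddleware.watchConfigAccessMatchFile();` is called unconditionally at the end of setAccessLogger with no error handling, and the `fs.watch` it wraps (proxy.js hunk of this patch) throws synchronously when the watched path does not exist, so a deployment that omits configAccessMatch.js or starts the process from another working directory fails during logger setup instead of merely losing live reload. Wrap it, e.g. `try { proxyMiddleware.watchConfigAccessMatchFile(); } catch (err) { logger.error('Cannot watch access-match file: %s', err); }` (assuming a logger is in scope in this file), or make the watch conditional on the file being present. setAccessLogger's body starts outside the hunk.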
@@ -36,8 +36,30 @@ var config = require('../../config'), 'x-auth-token' ], winston = require('winston'), + logger = require('logops'), + configAccessMatch = require('../../configAccessMatch.js').configAccessMatch, accessLogger; +const fs = require('fs'); +const configAccessMatchFilePath = './configAccessMatch.js'; + +function requireUncached(module) { + delete require.cache[require.resolve(module)]; + return require(module); +} + +function watchConfigAccessMatchFile() { + fs.watch(configAccessMatchFilePath, (event, filename) => { + logger.info('watchConfigAccessMatchFile changed by %s detected in file %s', event, filename); + try { + configAccessMatch = requireUncached('../../configAccessMatch.js').configAccessMatch; + logger.debug('reloaded configAccessMatch %j', configAccessMatch); + } catch (err) { + logger.error('Error %s reloading module: %s ', err, filename); + } + }); +} + /** * Middleware to extract the organization data from the request. * @@ -196,7 +218,14 @@ function accountInfo(req, res, next) { }); } req.fwdResponse = req.fwdResponse.on('response', function(res) { - accessLogger.info('Right Attempt' + + var accessMsg = "Right Attempt"; + + // CHeck here MATCH file patterns: + if (req.userName in configAccessMatch.users ) { + accessMsg += ' MATCHED USER'; + } + + accessLogger.info(accessMsg + ' | ResponseStatus=' + req.fwdResponse.response.statusCode + ' | Token=' + req.headers['x-auth-token'] + ' | Origin=' + req.connection.remoteAddress + @@ -260,3 +289,4 @@ exports.sendResponse = sendResponse; exports.accountInfo = accountInfo; exports.checkMandatoryHeaders = checkMandatoryHeaders(validationHeaders); exports.checkAuthorizationHeader = checkMandatoryHeaders(authorizationHeaders); +exports.watchConfigAccessMatchFile = watchConfigAccessMatchFile; From 103ce8baff4a5829e8e2eb3b9fcbe31eea6fb6a4 Mon Sep 17 00:00:00 2001 
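Review bot: `watchConfigAccessMatchFile` watches `'./configAccessMatch.js'`, which `fs.watch` resolves against the process working directory, while the module itself is loaded through `require('../../configAccessMatch.js')`, resolved against lib/middleware; started from any other directory, `fs.watch` throws ENOENT synchronously or watches a different file than the one that is required. Derive one absolute path and use it for both, e.g. `const configAccessMatchFilePath = require('path').resolve(__dirname, '../../configAccessMatch.js');` and `requireUncached(configAccessMatchFilePath)`. Reloading a JavaScript module on each file event also means anyone who can write that file runs code inside the PEP process; a JSON file read with `fs.readFileSync` and `JSON.parse` carries the same lists without that property, and a parse failure then leaves the previous lists in place just as the current catch does. `fs.watch` can fire several events per save and stops following the file when an editor replaces it by rename, so a short debounce and re-registration on `'rename'` events is worth considering.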
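Review bot: `if (req.userName in configAccessMatch.users ) {` uses the `in` operator on an array, which tests property names (the indices `'0'`, `'1'`) rather than values, so `'cloud_admin'` never matches and a user literally named `0` would; it should read `if (configAccessMatch.users.includes(req.userName)) {`. The later 'add checks' and 'add match value' patches of this series add the same `in`-on-array pattern for the header entries and then convert those to `.includes`, but this user check is left as is. Since `req.userName` is `'N/A'` for trust tokens (patch 1), a config entry of `'N/A'` would also tag every trust-based request, which may or may not be intended. accountInfo's body starts outside the hunk.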
From: Alvaro Vega Date: Mon, 7 Oct 2024 11:56:27 +0200 Subject: [PATCH 7/9] fix linter --- lib/middleware/proxy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 2bb7924..65f3d85 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js @@ -218,7 +218,7 @@ function accountInfo(req, res, next) { }); } req.fwdResponse = req.fwdResponse.on('response', function(res) { - var accessMsg = "Right Attempt"; + var accessMsg = 'Right Attempt'; // CHeck here MATCH file patterns: if (req.userName in configAccessMatch.users ) { From 80f368b23df4cdb516a4ee015858b659926c4784 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Mon, 7 Oct 2024 14:40:41 +0200 Subject: [PATCH 8/9] add checks about body, subpaths and headers --- configAccessMatch.js | 5 +++-- lib/middleware/proxy.js | 29 +++++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/configAccessMatch.js b/configAccessMatch.js index 51c2339..ee77c92 100644 --- a/configAccessMatch.js +++ b/configAccessMatch.js @@ -12,11 +12,12 @@ configAccessMatch.users = [ // Activity related with request which the following headers configAccessMatch.headers = [ - { "Fiware-service": "smartcity" }, + { "fiware-service": "smartcity" }, + { "x-real-ip": "127.0.0.1" } ]; // Activity related with request including the following subpaths -configAccessMatch.subpath = [ +configAccessMatch.subpaths = [ '/v1', ]; diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 65f3d85..0786c7f 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
@@ -222,7 +222,32 @@ function accountInfo(req, res, next) { // CHeck here MATCH file patterns: if (req.userName in configAccessMatch.users ) { - accessMsg += ' MATCHED USER'; + accessMsg += ' MATCHED USER'; + } + for (var header of configAccessMatch.headers) { + if ('fiware-service' in Object.keys(header)) { + if (req.service.includes(header['fiware-service'])) { + accessMsg += ' MATCHED HEADER Service'; + } + } else if ('fiware-servicepath' in Object.keys(header)) { + if (req.subService.includes(header['fiware-servicepath'])) { + accessMsg += ' MATCHED HEADER SubService'; + } + } else if ('x-real-ip' in Object.keys(header)) { + if (req.connection.remoteAddress.includes(header['x-real-ip'])) { + accessMsg += ' MATCHED HEADER Origin'; + } + } + } + for (var subpath of configAccessMatch.subpaths) { + if (req.path.includes(subpath)) { + accessMsg += ' MATCHED SUBPATH ' + subpath; + } + } + for (var text of configAccessMatch.body) { + if (JSON.stringify(req.body).includes(text)) { + accessMsg += ' MATCHED BODY ' + text; + } } accessLogger.info(accessMsg + @@ -237,7 +262,7 @@ function accountInfo(req, res, next) { ' | SubService=' + req.subService + ' | Action=' + req.action + ' | Path=' + req.path + - ' | Body=' + JSON.stringify(req.body).slice(0, 100) + + ' | Body=' + JSON.stringify(req.body).slice(0, 100) + // not all body ' | Date=' + new Date().toJSON()); }); } From 2ea4f8398bc2145e88d8df3f79897980138e5b16 Mon Sep 17 00:00:00 2001 From: Alvaro Vega Date: Mon, 7 Oct 2024 15:39:36 +0200 Subject: [PATCH 9/9] add match value --- lib/middleware/proxy.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/middleware/proxy.js b/lib/middleware/proxy.js index 0786c7f..4158d90 100644 --- a/lib/middleware/proxy.js +++ b/lib/middleware/proxy.js 
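Review bot: All of the new checks in this hunk are substring tests: `req.path.includes(subpath)` with `'/v1'` also tags `/v10/...`, `req.connection.remoteAddress.includes(header['x-real-ip'])` with `'127.0.0.1'` also matches `127.0.0.10`, and `req.service.includes(...)` tags `smartcity` inside `smartcityB`, so the tagged log lines will carry false positives; if containment is intended, document it in configAccessMatch.js, otherwise compare exactly (and by prefix for the path). The `x-real-ip` entry is compared with the TCP peer address, not with `req.headers['x-real-ip']`, which is misleading when the PEP sits behind a reverse proxy, and `'fiware-service' in Object.keys(header)` is again `in` on an array that never matches (the follow-up 'add match value' patch moves these three to `.includes`; the user check above has the same defect, raised on the earlier hunk). `req.service` and `req.subService` are dereferenced unguarded inside the `'response'` listener, where a throw escapes the Express error chain, and `JSON.stringify(req.body)` is recomputed for every body pattern and throws on an undefined body. The sketch below compares exactly, stringifies once and tolerates a missing body; accountInfo's body starts and ends outside the hunk.
```javascript
        // Exact comparisons: substring tests tag '/v10' for '/v1' and '127.0.0.10' for '127.0.0.1'.
        if (configAccessMatch.users.includes(req.userName)) {
            accessMsg += ' MATCHED USER';
        }
        for (var header of configAccessMatch.headers) {
            if ('fiware-service' in header && req.service === header['fiware-service']) {
                accessMsg += ' MATCHED HEADER Service';
            } else if ('fiware-servicepath' in header && req.subService === header['fiware-servicepath']) {
                accessMsg += ' MATCHED HEADER SubService';
            } else if ('x-real-ip' in header && req.connection.remoteAddress === header['x-real-ip']) {
                // NOTE(review): this is the TCP peer, not the x-real-ip request header
                accessMsg += ' MATCHED HEADER Origin';
            }
        }
        for (var subpath of configAccessMatch.subpaths) {
            if (typeof req.path === 'string' && req.path.startsWith(subpath)) {
                accessMsg += ' MATCHED SUBPATH ' + subpath;
            }
        }
        // Stringify once; an undefined body (no parser ran) becomes '' instead of throwing.
        var bodyText = JSON.stringify(req.body) || '';
        for (var text of configAccessMatch.body) {
            if (bodyText.includes(text)) {
                accessMsg += ' MATCHED BODY ' + text;
            }
        }
        // … unchanged: accessLogger.info(accessMsg + …) …
```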
@@ -222,20 +222,20 @@ function accountInfo(req, res, next) { // CHeck here MATCH file patterns: if (req.userName in configAccessMatch.users ) { - accessMsg += ' MATCHED USER'; + accessMsg += ' MATCHED USER ' + req.userName; } for (var header of configAccessMatch.headers) { - if ('fiware-service' in Object.keys(header)) { + if (Object.keys(header).includes('fiware-service')) { if (req.service.includes(header['fiware-service'])) { - accessMsg += ' MATCHED HEADER Service'; + accessMsg += ' MATCHED HEADER Service ' + header['fiware-service']; } - } else if ('fiware-servicepath' in Object.keys(header)) { + } else if (Object.keys(header).includes('fiware-servicepath')) { if (req.subService.includes(header['fiware-servicepath'])) { - accessMsg += ' MATCHED HEADER SubService'; + accessMsg += ' MATCHED HEADER SubService ' + header['fiware-servicepath']; } - } else if ('x-real-ip' in Object.keys(header)) { + } else if (Object.keys(header).includes('x-real-ip')) { if (req.connection.remoteAddress.includes(header['x-real-ip'])) { - accessMsg += ' MATCHED HEADER Origin'; + accessMsg += ' MATCHED HEADER Origin ' + header['x-real-ip']; } } }