Add logging to show X-Cerberus-Client header (#56)
* Add logging to show X-Cerberus-Client header
sdford authored Aug 4, 2017
1 parent c822107 commit 6786598
Showing 16 changed files with 180 additions and 44 deletions.
2 changes: 1 addition & 1 deletion gradle.properties
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=0.25.0
version=0.26.0
groupId=com.nike.cerberus
artifactId=cms
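--- /dev/null
+++ b/src/main/java/com/nike/cerberus/CerberusHttpHeaders.java
@@ -0,0 +1,7 @@
+package com.nike.cerberus;
+
+public final class CerberusHttpHeaders {
+
+public static final String HEADER_X_CERBERUS_CLIENT = "X-Cerberus-Client";
+public static final String HEADER_X_REFRESH_TOKEN = "X-Refresh-Token";
+}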
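Review bot: `CerberusHttpHeaders` is a constants holder but has no private constructor and no Javadoc, so it can be instantiated and nothing states what the two headers are for. Since every other section of this commit copies the same null-guarded lookup of `HEADER_X_CERBERUS_CLIENT` before logging it, this class is also the natural home for one shared helper; the header value is client-supplied and ends up in the authentication audit log lines, so the helper is where a length bound and a control-character strip belong (Netty's header validation may already reject CR/LF in values, but that is worth confirming rather than relying on). The sketch below needs an import of `io.netty.handler.codec.http.HttpHeaders`, which the endpoint classes in this commit already use.
```java
public final class CerberusHttpHeaders {

    // … unchanged: HEADER_X_CERBERUS_CLIENT and HEADER_X_REFRESH_TOKEN …

    /** Logged in place of the client header when the request does not carry one. */
    public static final String UNKNOWN_CLIENT = "Unknown";

    /** Upper bound on the logged value; the number is a sketch value, adjust as needed. */
    private static final int MAX_LOGGED_CLIENT_LENGTH = 128;

    private CerberusHttpHeaders() {
    }

    /**
     * Returns the {@code X-Cerberus-Client} value for logging, or {@link #UNKNOWN_CLIENT} when the
     * header map or the header is absent. The value is untrusted input: control characters are
     * removed and the length is capped so a client cannot alter the shape of an audit log line.
     *
     * @param headers the request headers, may be null
     * @return a printable, bounded string that is never null
     */
    public static String clientHeaderForLogging(HttpHeaders headers) {
        final String value = headers == null ? null : headers.get(HEADER_X_CERBERUS_CLIENT);
        if (value == null) {
            return UNKNOWN_CLIENT;
        }
        final String printable = value.replaceAll("\\p{Cntrl}", "");
        return printable.length() > MAX_LOGGED_CLIENT_LENGTH
                ? printable.substring(0, MAX_LOGGED_CLIENT_LENGTH)
                : printable;
    }
}
```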
Expand Up @@ -26,6 +26,7 @@
import com.nike.riposte.util.AsyncNettyHelper;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand All @@ -34,6 +35,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;

/**
* Authentication endpoint for IAM roles. If valid, a client token that is encrypted via KMS is returned. The
* IAM role will be the only role capable of decrypting the client token via KMS.
Expand All @@ -60,9 +63,16 @@ public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final Reques
}

private ResponseInfo<IamRoleAuthResponse> authenticate(RequestInfo<IamPrincipalCredentials> request) {
IamPrincipalCredentials credentials = request.getContent();
log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
credentials.getIamPrincipalArn(), credentials.getRegion());
final IamPrincipalCredentials credentials = request.getContent();
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("{}: {}, IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
credentials.getIamPrincipalArn(),
credentials.getRegion());

return ResponseInfo.newBuilder(authenticationService.authenticate(request.getContent())).build();
}
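Review bot: The three-line header extraction at the top of `authenticate` (null check, existence flag, ternary) looks up `headers.get(HEADER_X_CERBERUS_CLIENT)` twice and is pasted verbatim into the IAM-role, user-auth, refresh-token, revoke-token, create-SDB v1 and v2, delete-SDB and get-SDB sections below; a single static helper (the new `CerberusHttpHeaders` class is the natural home) would keep the fallback string and any later sanitization in one place. Locally the double lookup collapses to `final String value = headers == null ? null : headers.get(HEADER_X_CERBERUS_CLIENT);` followed by `final String clientHeader = value != null ? value : "Unknown";`. This header is client-supplied and reaches the auth audit log on an endpoint that runs before the caller is authenticated, so it should be treated as informational only and logged with a length bound. The new message also carries over the pre-existing typo "in attempting", which should read "is attempting".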
Expand Up @@ -26,6 +26,7 @@
import com.nike.riposte.util.AsyncNettyHelper;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand All @@ -34,6 +35,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;

/**
* Authentication endpoint for IAM roles. If valid, a client token that is encrypted via KMS is returned. The
* IAM role will be the only role capable of decrypting the client token via KMS.
Expand Down Expand Up @@ -62,10 +65,18 @@ public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final Reques
}

private ResponseInfo<IamRoleAuthResponse> authenticate(RequestInfo<IamRoleCredentials> request) {
IamRoleCredentials credentials = request.getContent();
log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
final IamRoleCredentials credentials = request.getContent();
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("{}: {}, IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
String.format(AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_TEMPLATE,
credentials.getAccountId(), credentials.getRoleName()), credentials.getRegion());
credentials.getAccountId(),
credentials.getRoleName()),
credentials.getRegion());

return ResponseInfo.newBuilder(authenticationService.authenticate(request.getContent())).build();
}
Expand Up @@ -39,6 +39,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;

/**
* Authentication endpoint for user credentials. If valid, a client token will be returned.
*/
Expand All @@ -65,8 +67,14 @@ public CompletableFuture<ResponseInfo<AuthResponse>> execute(final RequestInfo<V

private ResponseInfo<AuthResponse> authenticate(RequestInfo<Void> request) {
final UserCredentials credentials = extractCredentials(request.getHeaders().get(HttpHeaders.AUTHORIZATION));

log.info("User Auth Event: the principal: {} is attempting to authenticate", credentials.getUsername());
final io.netty.handler.codec.http.HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("{}: {}, User Auth Event: the principal: {} is attempting to authenticate",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
credentials.getUsername());

return ResponseInfo.newBuilder(authenticationService.authenticate(credentials)).build();
}
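Review bot: The `headers != null` guard on the new `clientHeaderExists` line is unreachable in practice here, because the line above it already calls `request.getHeaders().get(HttpHeaders.AUTHORIZATION)` without a guard, so a null header map would have thrown before the guard runs. The fully qualified `io.netty.handler.codec.http.HttpHeaders` on the new local also suggests that the simple name `HttpHeaders` resolves to a different type in this file (its import is outside the hunk), which is a sign the extraction belongs in a shared helper rather than inline. Fetching the map once and reusing it for both lookups removes both issues: `final io.netty.handler.codec.http.HttpHeaders headers = request.getHeaders();` first, then `final UserCredentials credentials = extractCredentials(headers.get(HttpHeaders.AUTHORIZATION));`, with the client-header ternary reading from the same local. `authenticate` is fully inside the hunk.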
Expand Up @@ -28,6 +28,7 @@
import com.nike.riposte.util.AsyncNettyHelper;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand All @@ -38,6 +39,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;

/**
* Authentication endpoint that allows refreshing the user token to pickup any permission changes.
*/
Expand Down Expand Up @@ -69,7 +72,14 @@ public ResponseInfo<AuthResponse> getRefreshedUserToken(final RequestInfo<Void>
if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal =
(VaultAuthPrincipal) securityContext.get().getUserPrincipal();
log.info("Refresh User Token Auth Event: the principal: {} is attempting to refresh its token", vaultAuthPrincipal.getName());
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("{}: {}, Refresh User Token Auth Event: the principal: {} is attempting to refresh its token",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
vaultAuthPrincipal.getName());

return ResponseInfo.newBuilder(
authenticationService.refreshUserToken(
Expand Up @@ -27,6 +27,7 @@
import com.nike.riposte.util.AsyncNettyHelper;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
Expand All @@ -38,6 +39,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;

/**
* Revokes the token supplied in the Vault token header.
*/
Expand Down Expand Up @@ -69,8 +72,14 @@ public ResponseInfo<Void> revokeToken(RequestInfo<Void> request) {
if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal =
(VaultAuthPrincipal) securityContext.get().getUserPrincipal();
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("Delete Token Auth Event: the principal: {} is attempting to delete a token", vaultAuthPrincipal.getName());
log.info("{}: {}, Delete Token Auth Event: the principal: {} is attempting to delete a token",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
vaultAuthPrincipal.getName());

authenticationService.revoke(vaultAuthPrincipal.getClientToken().getId());
return ResponseInfo.<Void>newBuilder().withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()).build();
Expand Up @@ -30,6 +30,7 @@
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
Expand All @@ -42,6 +43,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;
import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_REFRESH_TOKEN;
import static io.netty.handler.codec.http.HttpHeaders.Names.LOCATION;

/**
Expand All @@ -54,8 +57,6 @@ public class CreateSafeDepositBoxV1 extends StandardEndpoint<SafeDepositBoxV1, M

public static final String BASE_PATH = "/v1/safe-deposit-box";

public static final String HEADER_X_REFRESH_TOKEN = "X-Refresh-Token";

private final SafeDepositBoxService safeDepositBoxService;

@Inject
Expand All @@ -80,9 +81,15 @@ private ResponseInfo<Map<String, String>> createSafeDepositBox(final RequestInfo

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();

log.info("Create SDB Event: the principal: {} is attempting to create sdb name: '{}'",
vaultAuthPrincipal.getName(), request.getContent().getName());
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("{}: {}, Create SDB Event: the principal: {} is attempting to create sdb name: '{}'",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
vaultAuthPrincipal.getName(),
request.getContent().getName());

final String id =
safeDepositBoxService.createSafeDepositBoxV1(request.getContent(), vaultAuthPrincipal.getName());
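Review bot: Removing `public static final String HEADER_X_REFRESH_TOKEN` from `CreateSafeDepositBoxV1` (and likewise from `CreateSafeDepositBoxV2` and `DeleteSafeDepositBox` further down) narrows the public surface of those classes; the diffstat lists 16 files but only the first ten render here, so I cannot confirm that every in-repo reference was updated. If anything outside these files still refers to the old constant, a deprecated alias keeps it compiling: `@Deprecated public static final String HEADER_X_REFRESH_TOKEN = CerberusHttpHeaders.HEADER_X_REFRESH_TOKEN;`. Otherwise the move to a single static import of the shared constant is the right direction. `createSafeDepositBox` starts before this hunk and continues past it.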
Expand Up @@ -17,9 +17,7 @@

package com.nike.cerberus.endpoints.sdb;

import com.google.common.collect.Maps;
import com.nike.backstopper.exception.ApiException;
import com.nike.cerberus.domain.SafeDepositBox;
import com.nike.cerberus.domain.SafeDepositBoxV2;
import com.nike.cerberus.error.DefaultApiError;
import com.nike.cerberus.security.CmsRequestSecurityValidator;
Expand All @@ -32,26 +30,30 @@
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;
import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_REFRESH_TOKEN;
import static io.netty.handler.codec.http.HttpHeaders.Names.LOCATION;

/**
* Creates a new safe deposit box. Returns the assigned unique identifier.
*/
public class CreateSafeDepositBoxV2 extends StandardEndpoint<SafeDepositBoxV2, SafeDepositBoxV2> {

public static final String BASE_PATH = "/v2/safe-deposit-box";
private final Logger log = LoggerFactory.getLogger(getClass());

public static final String HEADER_X_REFRESH_TOKEN = "X-Refresh-Token";
public static final String BASE_PATH = "/v2/safe-deposit-box";

private final SafeDepositBoxService safeDepositBoxService;

Expand All @@ -77,11 +79,19 @@ private ResponseInfo<SafeDepositBoxV2> createSafeDepositBox(final RequestInfo<Sa

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

log.info("{}: {}, Create SDB Event: the principal: {} is attempting to create sdb name: '{}'",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
vaultAuthPrincipal.getName(),
request.getContent().getName());

final SafeDepositBoxV2 safeDepositBox =
safeDepositBoxService.createSafeDepositBoxV2(request.getContent(), vaultAuthPrincipal.getName());

final String location = basePath + "/" + safeDepositBox.getId();

return ResponseInfo.newBuilder(safeDepositBox)
.withHeaders(new DefaultHttpHeaders()
.set(LOCATION, location)
Expand Up @@ -30,6 +30,7 @@
import com.nike.riposte.util.MultiMatcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
Expand All @@ -41,15 +42,16 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;
import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_REFRESH_TOKEN;

/**
* Endpoint for deleting a safe deposit box.
*/
public class DeleteSafeDepositBox extends StandardEndpoint<Void, Void> {

private final Logger log = LoggerFactory.getLogger(getClass());

public static final String HEADER_X_REFRESH_TOKEN = "X-Refresh-Token";

private final SafeDepositBoxService safeDepositBoxService;

@Inject
Expand All @@ -71,13 +73,20 @@ private ResponseInfo<Void> deleteSafeDepositBox(final RequestInfo<Void> request)

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

String sdbId = request.getPathParam("id");
Optional<String> sdbNameOptional = safeDepositBoxService.getSafeDepositBoxNameById(sdbId);
String sdbName = sdbNameOptional.isPresent() ? sdbNameOptional.get() :
String.format("(Failed to lookup name from id: %s)", sdbId);
log.info("Delete SDB Event: the principal: {} is attempting to delete sdb name: '{}' and id: '{}'",
vaultAuthPrincipal.getName(), sdbName, sdbId);
String sdbName = sdbNameOptional.orElse(String.format("(Failed to lookup name from id: %s)", sdbId));

log.info("{}: {}, Delete SDB Event: the principal: {} is attempting to delete sdb name: '{}' and id: '{}'",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
vaultAuthPrincipal.getName(),
sdbName,
sdbId);

safeDepositBoxService.deleteSafeDepositBox(vaultAuthPrincipal, sdbId);
return ResponseInfo.<Void>newBuilder().withHttpStatusCode(HttpResponseStatus.OK.code())
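Review bot: `sdbNameOptional.orElse(String.format("(Failed to lookup name from id: %s)", sdbId))` builds the fallback string on every request, including the common case where the name is present, whereas the ternary it replaces only formatted on the miss path. `orElseGet(() -> String.format("(Failed to lookup name from id: %s)", sdbId))` keeps the laziness, and the same applies to the identical line in the get-SDB section below. `deleteSafeDepositBox` starts before the hunk and continues after it.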
Expand Up @@ -28,6 +28,7 @@
import com.nike.riposte.util.AsyncNettyHelper;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand All @@ -38,6 +39,8 @@
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

import static com.nike.cerberus.CerberusHttpHeaders.HEADER_X_CERBERUS_CLIENT;

/**
* Extracts the user groups from the security context for the request and attempts to get details about the safe
* deposit box by its unique id.
Expand Down Expand Up @@ -70,13 +73,19 @@ public ResponseInfo<SafeDepositBoxV1> getSafeDepositBox(final RequestInfo<Void>

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();
final HttpHeaders headers = request.getHeaders();
final boolean clientHeaderExists = headers != null && headers.get(HEADER_X_CERBERUS_CLIENT) != null;
final String clientHeader = clientHeaderExists ? headers.get(HEADER_X_CERBERUS_CLIENT) : "Unknown";

String sdbId = request.getPathParam("id");
Optional<String> sdbNameOptional = safeDepositBoxService.getSafeDepositBoxNameById(sdbId);
String sdbName = sdbNameOptional.isPresent() ? sdbNameOptional.get() :
String.format("(Failed to lookup name from id: %s)", sdbId);
log.info("Read SDB Event: the principal: {} is attempting to read sdb name: '{}' and id: '{}'",
vaultAuthPrincipal.getName(), sdbName, sdbId);
String sdbName = sdbNameOptional.orElse(String.format("(Failed to lookup name from id: %s)", sdbId));
log.info("{}: {}, Read SDB Event: the principal: {} is attempting to read sdb name: '{}' and id: '{}'",
HEADER_X_CERBERUS_CLIENT,
clientHeader,
vaultAuthPrincipal.getName(),
sdbName,
sdbId);

final SafeDepositBoxV1 safeDepositBox =
safeDepositBoxService.getSDBAndValidatePrincipalAssociationV1(
