Support audit logs with additional fields (#6738)

This PR adds support - Request query params - Request headers - Response headers AuditLogEntry is exported and versioned as well starting with this PR.
2025-11-07 12:52:58 -05:00 · 2018-11-02 18:40:08 -07:00
parent 3f19ea98bb
commit bef0318c36
14 changed files with 338 additions and 193 deletions
--- a/cmd/logger/audit-logger.go
+++ b/cmd/logger/audit-logger.go
@@ -0,0 +1,97 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package logger
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// Represents the current version of audit log structure.
+const auditLogVersion = "1"
+
+// AuditEntry - audit entry logs.
+type AuditEntry struct {
+	Version      string            `json:"version"`
+	DeploymentID string            `json:"deploymentid,omitempty"`
+	Time         string            `json:"time"`
+	API          *api              `json:"api,omitempty"`
+	RemoteHost   string            `json:"remotehost,omitempty"`
+	RequestID    string            `json:"requestID,omitempty"`
+	UserAgent    string            `json:"userAgent,omitempty"`
+	ReqQuery     map[string]string `json:"requestQuery,omitempty"`
+	ReqHeader    map[string]string `json:"requestHeader,omitempty"`
+	RespHeader   map[string]string `json:"responseHeader,omitempty"`
+}
+
+// AuditTargets is the list of enabled audit loggers
+var AuditTargets = []LoggingTarget{}
+
+// AddAuditTarget adds a new audit logger target to the
+// list of enabled loggers
+func AddAuditTarget(t LoggingTarget) {
+	AuditTargets = append(AuditTargets, t)
+}
+
+// AuditLog - logs audit logs to all targets.
+func AuditLog(ctx context.Context, w http.ResponseWriter, r *http.Request) {
+	if Disable {
+		return
+	}
+
+	req := GetReqInfo(ctx)
+	if req == nil {
+		req = &ReqInfo{API: "SYSTEM"}
+	}
+
+	reqQuery := make(map[string]string)
+	for k, v := range r.URL.Query() {
+		reqQuery[k] = strings.Join(v, ",")
+	}
+	reqHeader := make(map[string]string)
+	for k, v := range r.Header {
+		reqHeader[k] = strings.Join(v, ",")
+	}
+	respHeader := make(map[string]string)
+	for k, v := range w.Header() {
+		respHeader[k] = strings.Join(v, ",")
+	}
+
+	// Send audit logs only to http targets.
+	for _, t := range AuditTargets {
+		t.send(AuditEntry{
+			Version:      auditLogVersion,
+			DeploymentID: deploymentID,
+			RemoteHost:   req.RemoteHost,
+			RequestID:    req.RequestID,
+			UserAgent:    req.UserAgent,
+			Time:         time.Now().UTC().Format(time.RFC3339Nano),
+			API: &api{
+				Name: req.API,
+				Args: &args{
+					Bucket: req.BucketName,
+					Object: req.ObjectName,
+				},
+			},
+			ReqQuery:   reqQuery,
+			ReqHeader:  reqHeader,
+			RespHeader: respHeader,
+		})
+	}
+}
--- a/cmd/logger/logger.go
+++ b/cmd/logger/logger.go
@@ -21,7 +21,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"go/build"
-	"net/http"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -117,9 +116,11 @@ type traceEntry struct {
 	Source    []string          `json:"source,omitempty"`
 	Variables map[string]string `json:"variables,omitempty"`
 }
+
 type args struct {
-	Bucket string `json:"bucket,omitempty"`
-	Object string `json:"object,omitempty"`
+	Bucket   string            `json:"bucket,omitempty"`
+	Object   string            `json:"object,omitempty"`
+	Metadata map[string]string `json:"metadata,omitempty"`
 }

 type api struct {
@@ -342,55 +343,6 @@ func logIf(ctx context.Context, err error) {
 	}
 }

-type auditEntry struct {
-	DeploymentID string            `json:"deploymentid,omitempty"`
-	Time         string            `json:"time"`
-	API          *api              `json:"api,omitempty"`
-	RemoteHost   string            `json:"remotehost,omitempty"`
-	RequestID    string            `json:"requestID,omitempty"`
-	UserAgent    string            `json:"userAgent,omitempty"`
-	Metadata     map[string]string `json:"metadata,omitempty"`
-}
-
-// AuditLog - logs audit logs to all targets.
-func AuditLog(ctx context.Context, r *http.Request) {
-	if Disable {
-		return
-	}
-
-	req := GetReqInfo(ctx)
-	if req == nil {
-		req = &ReqInfo{API: "SYSTEM"}
-	}
-
-	API := "SYSTEM"
-	if req.API != "" {
-		API = req.API
-	}
-
-	tags := make(map[string]string)
-	for _, entry := range req.GetTags() {
-		tags[entry.Key] = entry.Val
-	}
-
-	entry := auditEntry{
-		DeploymentID: deploymentID,
-		RemoteHost:   req.RemoteHost,
-		RequestID:    req.RequestID,
-		UserAgent:    req.UserAgent,
-		Time:         time.Now().UTC().Format(time.RFC3339Nano),
-		API:          &api{Name: API, Args: &args{Bucket: req.BucketName, Object: req.ObjectName}},
-		Metadata:     tags,
-	}
-
-	// Send audit logs only to http targets.
-	for _, t := range Targets {
-		if _, ok := t.(*HTTPTarget); ok {
-			t.send(entry)
-		}
-	}
-}
-
 // ErrCritical is the value panic'd whenever CriticalIf is called.
 var ErrCritical struct{}