Added traces to privilege computations and Graylog API calls

This commit is contained in:
Emmanuel BENOîT 2021-02-11 23:05:48 +01:00
parent c84f52b012
commit 31cb613822
2 changed files with 28 additions and 8 deletions

View file

@ -53,7 +53,6 @@ To Do
------
* Proper logging, work in progress:
* Add logs to the privilege computations and related API calls.
* Sending logs to... well, Graylog... through CLI switches.
* Writing logs to a file.
* Document command line flags.

View file

@ -184,7 +184,7 @@ func deleteAccount(cfg GraylogConfig, user string) {
log.WithFields(logrus.Fields{
"status": code,
"body": string(body),
}).Fatal("Could not delete user")
}).Error("Could not delete user")
}
}
@ -208,33 +208,50 @@ func getDifference(a []string, b []string) (diff []string) {
// Set an account's roles and grant it access to Graylog objects
func setUserPrivileges(cfg GraylogConfig, user GraylogUser, roles []string, privileges []string) {
log := log.WithField("user", user.Username)
type perms struct {
Permissions []string `json:"permissions"`
}
p := perms{Permissions: privileges}
data, err := json.Marshal(p)
if err != nil {
log.Fatalf("unable to generate permissions JSON for %s: %v", user, err)
log.WithField("error", err).Fatal("Unable to generate permissions JSON")
}
code, body := executeApiCall(cfg, "PUT", fmt.Sprintf("users/%s/permissions", user.Username), bytes.NewBuffer(data))
log.WithField("privileges", privileges).Info("Setting permissions")
code, body := executeApiCall(cfg, "PUT",
fmt.Sprintf("users/%s/permissions", user.Username),
bytes.NewBuffer(data))
if code != 204 {
log.Fatalf("could not set permissions for %s: code %d, body '%s'", user.Username, code, string(body))
log.WithFields(logrus.Fields{
"status": code,
"body": string(body),
}).Error("Could not set permissions")
}
placeholder := bytes.NewBuffer([]byte("{}"))
for _, role := range getDifference(roles, user.Roles) {
ep := fmt.Sprintf("roles/%s/members/%s", role, user.Username)
log.WithField("role", role).Info("Adding role")
code, body := executeApiCall(cfg, "PUT", ep, placeholder)
if code != 204 {
log.Fatalf("could not add role %s to %s: code %d, body '%s'", role, user.Username, code, string(body))
log.WithFields(logrus.Fields{
"status": code,
"body": string(body),
"role": role,
}).Error("Could not add role")
}
}
for _, role := range getDifference(user.Roles, roles) {
ep := fmt.Sprintf("roles/%s/members/%s", role, user.Username)
log.WithField("role", role).Info("Removing role")
code, body := executeApiCall(cfg, "DELETE", ep, nil)
if code != 204 {
log.Fatalf("could not remove role %s from %s: code %d, body '%s'", role, user.Username, code, string(body))
log.WithFields(logrus.Fields{
"status": code,
"body": string(body),
"role": role,
}).Error("Could not remove role")
}
}
}
@ -242,9 +259,13 @@ func setUserPrivileges(cfg GraylogConfig, user GraylogUser, roles []string, priv
// Apply privilege mappings to the external Graylog users
func applyMapping(cfg Configuration, users []GraylogUser, groups GroupMembers) {
for _, user := range users {
log := log.WithField("user", user.Username)
membership := getUserGroups(user.Username, groups)
log.WithField("groups", membership).Trace("Computed group membership")
roles := computeRoles(cfg.Mapping, membership)
log.WithField("roles", roles).Trace("Computed roles")
privileges := computePrivileges(cfg.Mapping, membership)
log.WithField("privileges", privileges).Trace("Computed privileges")
if cfg.Graylog.DeleteAccounts && len(roles) == 0 && len(privileges) == 0 {
deleteAccount(cfg.Graylog, user.Username)
} else {