feat(gateway): Add Identity in event (#949)

formancehq · Dec 6, 2023 · 6986e85 · 6986e85 · vercel · Dec 6, 2023
1 parent c57bfb1
commit 6986e85
Show file tree

Hide file tree

Showing 11 changed files with 51 additions and 11 deletions.
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -8,15 +8,15 @@ on:
       - synchronize
 
 jobs:
-  Triage:
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: formance-runner
-    steps:
-      - uses: actions/labeler@v5
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+#  Triage:
+#    permissions:
+#      contents: read
+#      pull-requests: write
+#    runs-on: formance-runner
+#    steps:
+#      - uses: actions/labeler@v5
+#        with:
+#          repo-token: "${{ secrets.GITHUB_TOKEN }}"
 
   PR:
     name: Check PR Title

diff --git a/components/gateway/go.mod b/components/gateway/go.mod
@@ -7,6 +7,7 @@ require (
 	github.com/ThreeDotsLabs/watermill v1.2.0
 	github.com/ThreeDotsLabs/watermill-nats/v2 v2.0.0
 	github.com/caddyserver/caddy/v2 v2.7.5
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/hashicorp/go-retryablehttp v0.7.2
 	github.com/nats-io/nats.go v1.28.0
 	github.com/xdg-go/scram v1.1.2

diff --git a/components/gateway/go.sum b/components/gateway/go.sum
@@ -228,6 +228,8 @@ github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRx
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=

diff --git a/components/gateway/internal/audit/messages/audit.go b/components/gateway/internal/audit/messages/audit.go
@@ -1,11 +1,15 @@
 package messages
 
 import (
+	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/formancehq/stack/libs/go-libs/publish"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
+	"go.uber.org/zap"
 )
 
 const (
@@ -42,17 +46,43 @@ func NewHttpResponse(
 
 type Payload struct {
 	ID       string       `json:"id"`
+	Identity string       `json:"identity"`
 	Request  HttpRequest  `json:"request"`
 	Response HttpResponse `json:"response"`
 }
 
 func NewAuditMessagePayload(
+	logger *zap.Logger,
 	request HttpRequest,
 	response HttpResponse,
 ) publish.EventMessage {
+	identity := ""
+
+	if request.Header != nil {
+		tokenString := strings.Replace(strings.Replace(request.Header.Get("Authorization"), "Bearer ", "", 1), "bearer ", "", 1)
+		token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
+		if err != nil {
+			logger.Error(fmt.Sprintf("error for Parse %s", err))
+		}
+		if token != nil {
+			if claims, ok := token.Claims.(jwt.MapClaims); ok {
+				identity = fmt.Sprint(claims["sub"])
+			} else {
+				fmt.Printf("error get claims JWT token: %s", err)
+				fmt.Printf("\n")
+			}
+		}
+
+		request.Header.Del("Authorization")
+	}
+
+	if request.Path == "/api/auth/oauth/token" {
+		response.Body = ""
+	}
 
 	payload := Payload{
 		ID:       uuid.New().String(),
+		Identity: identity,
 		Request:  request,
 		Response: response,
 	}

diff --git a/components/gateway/pkg/plugins/audit.go b/components/gateway/pkg/plugins/audit.go
@@ -327,6 +327,7 @@ func (a Audit) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.
 		publish.NewMessage(
 			r.Context(),
 			messages.NewAuditMessagePayload(
+				a.logger,
 				request,
 				response,
 			),

diff --git a/...data/multipod-with-audit-log-unvalid-tag/results/configmaps--v1/search-benthos-audit.yaml b/...data/multipod-with-audit-log-unvalid-tag/results/configmaps--v1/search-benthos-audit.yaml
@@ -19,6 +19,7 @@ data:
                       "document": {
                         "data": this.payload,
                         "indexed": {
+                          "identity": this.payload.identity,
                           "requestPath": this.payload.request.path,
                           "requestMethod": this.payload.request.method,
                           "responseStatusCode": this.payload.response.status_code,

diff --git a/...tdata/multipod-with-audit-log-unvalid-tag/results/deployments-apps-v1/search-benthos.yaml b/...tdata/multipod-with-audit-log-unvalid-tag/results/deployments-apps-v1/search-benthos.yaml
@@ -20,7 +20,7 @@ spec:
     template:
         metadata:
             annotations:
-                stack.formance.cloud/volumes-hash: lXfe3GqqBjag3Ue3MTwtbrUBP1wM5r6bH_efM1sJhzs=
+                stack.formance.cloud/volumes-hash: ID1fyzORUCwXdYaPQ7rJHn3rc0fOb0lKs9QD4ux47is=
             creationTimestamp: null
             labels:
                 app.kubernetes.io/name: search-benthos

diff --git a/...s/stack/testdata/multipod-with-audit-log/results/configmaps--v1/search-benthos-audit.yaml b/...s/stack/testdata/multipod-with-audit-log/results/configmaps--v1/search-benthos-audit.yaml
@@ -19,6 +19,7 @@ data:
                       "document": {
                         "data": this.payload,
                         "indexed": {
+                          "identity": this.payload.identity,
                           "requestPath": this.payload.request.path,
                           "requestMethod": this.payload.request.method,
                           "responseStatusCode": this.payload.response.status_code,

diff --git a/...rs/stack/testdata/multipod-with-audit-log/results/deployments-apps-v1/search-benthos.yaml b/...rs/stack/testdata/multipod-with-audit-log/results/deployments-apps-v1/search-benthos.yaml
@@ -20,7 +20,7 @@ spec:
     template:
         metadata:
             annotations:
-                stack.formance.cloud/volumes-hash: lXfe3GqqBjag3Ue3MTwtbrUBP1wM5r6bH_efM1sJhzs=
+                stack.formance.cloud/volumes-hash: ID1fyzORUCwXdYaPQ7rJHn3rc0fOb0lKs9QD4ux47is=
             creationTimestamp: null
             labels:
                 app.kubernetes.io/name: search-benthos

diff --git a/components/operator/internal/modules/search/benthos/audit/gateway_audit.yaml b/components/operator/internal/modules/search/benthos/audit/gateway_audit.yaml
@@ -16,6 +16,7 @@ pipeline:
               "document": {
                 "data": this.payload,
                 "indexed": {
+                  "identity": this.payload.identity,
                   "requestPath": this.payload.request.path,
                   "requestMethod": this.payload.request.method,
                   "responseStatusCode": this.payload.response.status_code,

diff --git a/components/search/pkg/searchengine/indexed_mapping.json b/components/search/pkg/searchengine/indexed_mapping.json
@@ -61,5 +61,8 @@
   },
   "responseStatusCode" : {
     "type": "short"
+  },
+  "identity" : {
+    "type": "keyword"
   }
 }