NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commit3e61440

committed

feat: extend request logs with auth & DB info (#17304)

1 parent08abd9d commit3e61440Copy full SHA for 3e61440

File tree

18 files changed

+330

-33

lines changed

Makefile
coderd
- coderd.go
- database
  - dbauthz
    - dbauthz.go
  - queries
    - users.sql
  - queries.sql.go
- httpmw
  - apikey.go
  - loggermw
    - logger.go
    - logger_internal_test.go
    - loggermock
      - loggermock.go
  - workspaceagentparam.go
  - workspaceparam.go
- provisionerjobs.go
- provisionerjobs_internal_test.go
- rbac
  - authz.go
- workspaceagents.go
enterprise
- coderd
  - provisionerdaemons.go
- wsproxy
  - wsproxy.go
tailnet/test/integration
- integration.go

18 files changed

+330

-33

lines changed

`‎Makefile`

Lines changed: 4 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -564,7 +564,7 @@ GEN_FILES := \`
`564`	`564`	`examples/examples.gen.json\`
`565`	`565`	`$(TAILNETTEST_MOCKS)\`
`566`	`566`	`coderd/database/pubsub/psmock/psmock.go\`
`567`		`-coderd/httpmw/loggermock/loggermock.go`
	`567`	`+coderd/httpmw/loggermw/loggermock/loggermock.go`
`568`	`568`
`569`	`569`	`# all gen targets should be added here and to gen/mark-fresh`
`570`	`570`	`gen: gen/db$(GEN_FILES)`
`@@ -598,7 +598,7 @@ gen/mark-fresh:`
`598`	`598`	`examples/examples.gen.json\`
`599`	`599`	`$(TAILNETTEST_MOCKS)\`
`600`	`600`	`coderd/database/pubsub/psmock/psmock.go\`
`601`		`-coderd/httpmw/loggermock/loggermock.go\`
	`601`	`+coderd/httpmw/loggermw/loggermock/loggermock.go\`
`602`	`602`	`"`
`603`	`603`
`604`	`604`	`for file in $$files; do`
`@@ -630,9 +630,8 @@ coderd/database/dbmock/dbmock.go: coderd/database/db.go coderd/database/querier.`
`630`	`630`	`coderd/database/pubsub/psmock/psmock.go: coderd/database/pubsub/pubsub.go`
`631`	`631`	`go generate ./coderd/database/pubsub/psmock`
`632`	`632`
`633`		`-coderd/httpmw/loggermock/loggermock.go: coderd/httpmw/logger.go`
`634`		`-go generate ./coderd/httpmw/loggermock/`
`635`		`-touch"$@"`
	`633`	`+coderd/httpmw/loggermw/loggermock/loggermock.go: coderd/httpmw/loggermw/logger.go`
	`634`	`+go generate ./coderd/httpmw/loggermw/loggermock/`
`636`	`635`
`637`	`636`	`$(TAILNETTEST_MOCKS): tailnet/coordinator.go tailnet/service.go`
`638`	`637`	`go generate ./tailnet/tailnettest/`

`‎coderd/coderd.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ import (`
`63`	`63`	`"github.com/coder/coder/v2/coderd/healthcheck/derphealth"`
`64`	`64`	`"github.com/coder/coder/v2/coderd/httpapi"`
`65`	`65`	`"github.com/coder/coder/v2/coderd/httpmw"`
	`66`	`+"github.com/coder/coder/v2/coderd/httpmw/loggermw"`
`66`	`67`	`"github.com/coder/coder/v2/coderd/metricscache"`
`67`	`68`	`"github.com/coder/coder/v2/coderd/notifications"`
`68`	`69`	`"github.com/coder/coder/v2/coderd/portsharing"`
`@@ -787,7 +788,7 @@ func New(options Options) API {`
`787`	`788`	`tracing.Middleware(api.TracerProvider),`
`788`	`789`	`httpmw.AttachRequestID,`
`789`	`790`	`httpmw.ExtractRealIP(api.RealIPConfig),`
`790`		`-httpmw.Logger(api.Logger),`
	`791`	`+loggermw.Logger(api.Logger),`
`791`	`792`	`rolestore.CustomRoleMW,`
`792`	`793`	`prometheusMW,`
`793`	`794`	`// Build-Version is helpful for debugging.`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 20 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ import (`
`24`	`24`	`"github.com/coder/coder/v2/coderd/database"`
`25`	`25`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`26`	`26`	`"github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints"`
	`27`	`+"github.com/coder/coder/v2/coderd/httpmw/loggermw"`
`27`	`28`	`"github.com/coder/coder/v2/coderd/rbac"`
`28`	`29`	`"github.com/coder/coder/v2/coderd/util/slice"`
`29`	`30`	`"github.com/coder/coder/v2/provisionersdk"`
`@@ -162,6 +163,7 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {`
`162`	`163`
`163`	`164`	`var (`
`164`	`165`	`subjectProvisionerd= rbac.Subject{`
	`166`	`+Type:rbac.SubjectTypeProvisionerd,`
`165`	`167`	`FriendlyName:"Provisioner Daemon",`
`166`	`168`	`ID:uuid.Nil.String(),`
`167`	`169`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -193,6 +195,7 @@ var (`
`193`	`195`	`}.WithCachedASTValue()`
`194`	`196`
`195`	`197`	`subjectAutostart= rbac.Subject{`
	`198`	`+Type:rbac.SubjectTypeAutostart,`
`196`	`199`	`FriendlyName:"Autostart",`
`197`	`200`	`ID:uuid.Nil.String(),`
`198`	`201`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -216,6 +219,7 @@ var (`
`216`	`219`
`217`	`220`	`// See unhanger package.`
`218`	`221`	`subjectHangDetector= rbac.Subject{`
	`222`	`+Type:rbac.SubjectTypeHangDetector,`
`219`	`223`	`FriendlyName:"Hang Detector",`
`220`	`224`	`ID:uuid.Nil.String(),`
`221`	`225`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -236,6 +240,7 @@ var (`
`236`	`240`
`237`	`241`	`// See cryptokeys package.`
`238`	`242`	`subjectCryptoKeyRotator= rbac.Subject{`
	`243`	`+Type:rbac.SubjectTypeCryptoKeyRotator,`
`239`	`244`	`FriendlyName:"Crypto Key Rotator",`
`240`	`245`	`ID:uuid.Nil.String(),`
`241`	`246`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -254,6 +259,7 @@ var (`
`254`	`259`
`255`	`260`	`// See cryptokeys package.`
`256`	`261`	`subjectCryptoKeyReader= rbac.Subject{`
	`262`	`+Type:rbac.SubjectTypeCryptoKeyReader,`
`257`	`263`	`FriendlyName:"Crypto Key Reader",`
`258`	`264`	`ID:uuid.Nil.String(),`
`259`	`265`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -271,6 +277,7 @@ var (`
`271`	`277`	`}.WithCachedASTValue()`
`272`	`278`
`273`	`279`	`subjectNotifier= rbac.Subject{`
	`280`	`+Type:rbac.SubjectTypeNotifier,`
`274`	`281`	`FriendlyName:"Notifier",`
`275`	`282`	`ID:uuid.Nil.String(),`
`276`	`283`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -288,6 +295,7 @@ var (`
`288`	`295`	`}.WithCachedASTValue()`
`289`	`296`
`290`	`297`	`subjectSystemRestricted= rbac.Subject{`
	`298`	`+Type:rbac.SubjectTypeSystemRestricted,`
`291`	`299`	`FriendlyName:"System",`
`292`	`300`	`ID:uuid.Nil.String(),`
`293`	`301`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -323,6 +331,7 @@ var (`
`323`	`331`	`}.WithCachedASTValue()`
`324`	`332`
`325`	`333`	`subjectSystemReadProvisionerDaemons= rbac.Subject{`
	`334`	`+Type:rbac.SubjectTypeSystemReadProvisionerDaemons,`
`326`	`335`	`FriendlyName:"Provisioner Daemons Reader",`
`327`	`336`	`ID:uuid.Nil.String(),`
`328`	`337`	`Roles:rbac.Roles([]rbac.Role{`
`@@ -343,47 +352,47 @@ var (`
`343`	`352`	`// AsProvisionerd returns a context with an actor that has permissions required`
`344`	`353`	`// for provisionerd to function.`
`345`	`354`	`funcAsProvisionerd(ctx context.Context) context.Context {`
`346`		`-returncontext.WithValue(ctx,authContextKey{},subjectProvisionerd)`
	`355`	`+returnAs(ctx,subjectProvisionerd)`
`347`	`356`	`}`
`348`	`357`
`349`	`358`	`// AsAutostart returns a context with an actor that has permissions required`
`350`	`359`	`// for autostart to function.`
`351`	`360`	`funcAsAutostart(ctx context.Context) context.Context {`
`352`		`-returncontext.WithValue(ctx,authContextKey{},subjectAutostart)`
	`361`	`+returnAs(ctx,subjectAutostart)`
`353`	`362`	`}`
`354`	`363`
`355`	`364`	`// AsHangDetector returns a context with an actor that has permissions required`
`356`	`365`	`// for unhanger.Detector to function.`
`357`	`366`	`funcAsHangDetector(ctx context.Context) context.Context {`
`358`		`-returncontext.WithValue(ctx,authContextKey{},subjectHangDetector)`
	`367`	`+returnAs(ctx,subjectHangDetector)`
`359`	`368`	`}`
`360`	`369`
`361`	`370`	`// AsKeyRotator returns a context with an actor that has permissions required for rotating crypto keys.`
`362`	`371`	`funcAsKeyRotator(ctx context.Context) context.Context {`
`363`		`-returncontext.WithValue(ctx,authContextKey{},subjectCryptoKeyRotator)`
	`372`	`+returnAs(ctx,subjectCryptoKeyRotator)`
`364`	`373`	`}`
`365`	`374`
`366`	`375`	`// AsKeyReader returns a context with an actor that has permissions required for reading crypto keys.`
`367`	`376`	`funcAsKeyReader(ctx context.Context) context.Context {`
`368`		`-returncontext.WithValue(ctx,authContextKey{},subjectCryptoKeyReader)`
	`377`	`+returnAs(ctx,subjectCryptoKeyReader)`
`369`	`378`	`}`
`370`	`379`
`371`	`380`	`// AsNotifier returns a context with an actor that has permissions required for`
`372`	`381`	`// creating/reading/updating/deleting notifications.`
`373`	`382`	`funcAsNotifier(ctx context.Context) context.Context {`
`374`		`-returncontext.WithValue(ctx,authContextKey{},subjectNotifier)`
	`383`	`+returnAs(ctx,subjectNotifier)`
`375`	`384`	`}`
`376`	`385`
`377`	`386`	`// AsSystemRestricted returns a context with an actor that has permissions`
`378`	`387`	`// required for various system operations (login, logout, metrics cache).`
`379`	`388`	`funcAsSystemRestricted(ctx context.Context) context.Context {`
`380`		`-returncontext.WithValue(ctx,authContextKey{},subjectSystemRestricted)`
	`389`	`+returnAs(ctx,subjectSystemRestricted)`
`381`	`390`	`}`
`382`	`391`
`383`	`392`	`// AsSystemReadProvisionerDaemons returns a context with an actor that has permissions`
`384`	`393`	`// to read provisioner daemons.`
`385`	`394`	`funcAsSystemReadProvisionerDaemons(ctx context.Context) context.Context {`
`386`		`-returncontext.WithValue(ctx,authContextKey{},subjectSystemReadProvisionerDaemons)`
	`395`	`+returnAs(ctx,subjectSystemReadProvisionerDaemons)`
`387`	`396`	`}`
`388`	`397`
`389`	`398`	`varAsRemoveActor= rbac.Subject{`
`@@ -401,6 +410,9 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {`
`401`	`410`	`// should be removed from the context.`
`402`	`411`	`returncontext.WithValue(ctx,authContextKey{},nil)`
`403`	`412`	`}`
	`413`	`+ifrlogger:=loggermw.RequestLoggerFromContext(ctx);rlogger!=nil {`
	`414`	`+rlogger.WithAuthContext(actor)`
	`415`	`+}`
`404`	`416`	`returncontext.WithValue(ctx,authContextKey{},actor)`
`405`	`417`	`}`
`406`	`418`

`‎coderd/database/queries.sql.go`

Lines changed: 4 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/users.sql`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -244,10 +244,10 @@ WHERE`
`244`	`244`	`-- This function returns roles for authorization purposes. Implied member roles`
`245`	`245`	`-- are included.`
`246`	`246`	`SELECT`
`247`		`--- usernameis returned just to help for logging purposes`
	`247`	`+-- usernameand email are returned just to help for logging purposes`
`248`	`248`	`-- status is used to enforce 'suspended' users, as all roles are ignored`
`249`	`249`	`--when suspended.`
`250`		`-id, username, status,`
	`250`	`+id, username, status, email,`
`251`	`251`	`-- All user roles, including their org roles.`
`252`	`252`	`array_cat(`
`253`	`253`	`-- All users are members`

`‎coderd/httpmw/apikey.go`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -465,7 +465,9 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s`
`465`	`465`	`}`
`466`	`466`
`467`	`467`	`actor:= rbac.Subject{`
	`468`	`+Type:rbac.SubjectTypeUser,`
`468`	`469`	`FriendlyName:roles.Username,`
	`470`	`+Email:roles.Email,`
`469`	`471`	`ID:userID.String(),`
`470`	`472`	`Roles:rbacRoles,`
`471`	`473`	`Groups:roles.Groups,`

`‎coderd/httpmw/logger.gorenamed to‎coderd/httpmw/loggermw/logger.go`

Lines changed: 77 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,17 @@`
`1`		`-packagehttpmw`
	`1`	`+packageloggermw`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"fmt"`
`6`	`6`	`"net/http"`
	`7`	`+"sync"`
`7`	`8`	`"time"`
`8`	`9`
	`10`	`+"github.com/go-chi/chi/v5"`
	`11`	`+`
`9`	`12`	`"cdr.dev/slog"`
`10`	`13`	`"github.com/coder/coder/v2/coderd/httpapi"`
	`14`	`+"github.com/coder/coder/v2/coderd/rbac"`
`11`	`15`	`"github.com/coder/coder/v2/coderd/tracing"`
`12`	`16`	`)`
`13`	`17`
`@@ -62,13 +66,17 @@ func Logger(log slog.Logger) func(next http.Handler) http.Handler {`
`62`	`66`	`typeRequestLoggerinterface {`
`63`	`67`	`WithFields(fields...slog.Field)`
`64`	`68`	`WriteLog(ctx context.Context,statusint)`
	`69`	`+WithAuthContext(actor rbac.Subject)`
`65`	`70`	`}`
`66`	`71`
`67`	`72`	`typeSlogRequestLoggerstruct {`
`68`	`73`	`log slog.Logger`
`69`	`74`	`writtenbool`
`70`	`75`	`messagestring`
`71`	`76`	`start time.Time`
	`77`	`+// Protects actors map for concurrent writes.`
	`78`	`+mu sync.RWMutex`
	`79`	`+actorsmap[rbac.SubjectType]rbac.Subject`
`72`	`80`	`}`
`73`	`81`
`74`	`82`	`var_RequestLogger=&SlogRequestLogger{}`
`@@ -79,25 +87,93 @@ func NewRequestLogger(log slog.Logger, message string, start time.Time) RequestL`
`79`	`87`	`written:false,`
`80`	`88`	`message:message,`
`81`	`89`	`start:start,`
	`90`	`+actors:make(map[rbac.SubjectType]rbac.Subject),`
`82`	`91`	`}`
`83`	`92`	`}`
`84`	`93`
`85`	`94`	`func (c*SlogRequestLogger)WithFields(fields...slog.Field) {`
`86`	`95`	`c.log=c.log.With(fields...)`
`87`	`96`	`}`
`88`	`97`
	`98`	`+func (c*SlogRequestLogger)WithAuthContext(actor rbac.Subject) {`
	`99`	`+c.mu.Lock()`
	`100`	`+deferc.mu.Unlock()`
	`101`	`+c.actors[actor.Type]=actor`
	`102`	`+}`
	`103`	`+`
	`104`	`+func (c*SlogRequestLogger)addAuthContextFields() {`
	`105`	`+c.mu.RLock()`
	`106`	`+deferc.mu.RUnlock()`
	`107`	`+`
	`108`	`+usr,ok:=c.actors[rbac.SubjectTypeUser]`
	`109`	`+ifok {`
	`110`	`+c.log=c.log.With(`
	`111`	`+slog.F("requestor_id",usr.ID),`
	`112`	`+slog.F("requestor_name",usr.FriendlyName),`
	`113`	`+slog.F("requestor_email",usr.Email),`
	`114`	`+)`
	`115`	`+}else {`
	`116`	`+// If there is no user, we log the requestor name for the first`
	`117`	`+// actor in a defined order.`
	`118`	`+for_,v:=rangeactorLogOrder {`
	`119`	`+subj,ok:=c.actors[v]`
	`120`	`+if!ok {`
	`121`	`+continue`
	`122`	`+}`
	`123`	`+c.log=c.log.With(`
	`124`	`+slog.F("requestor_name",subj.FriendlyName),`
	`125`	`+)`
	`126`	`+break`
	`127`	`+}`
	`128`	`+}`
	`129`	`+}`
	`130`	`+`
	`131`	`+varactorLogOrder= []rbac.SubjectType{`
	`132`	`+rbac.SubjectTypeAutostart,`
	`133`	`+rbac.SubjectTypeCryptoKeyReader,`
	`134`	`+rbac.SubjectTypeCryptoKeyRotator,`
	`135`	`+rbac.SubjectTypeHangDetector,`
	`136`	`+rbac.SubjectTypeNotifier,`
	`137`	`+rbac.SubjectTypePrebuildsOrchestrator,`
	`138`	`+rbac.SubjectTypeProvisionerd,`
	`139`	`+rbac.SubjectTypeResourceMonitor,`
	`140`	`+rbac.SubjectTypeSystemReadProvisionerDaemons,`
	`141`	`+rbac.SubjectTypeSystemRestricted,`
	`142`	`+}`
	`143`	`+`
`89`	`144`	`func (c*SlogRequestLogger)WriteLog(ctx context.Context,statusint) {`
`90`	`145`	`ifc.written {`
`91`	`146`	`return`
`92`	`147`	`}`
`93`	`148`	`c.written=true`
`94`	`149`	`end:=time.Now()`
`95`	`150`
	`151`	`+// Right before we write the log, we try to find the user in the actors`
	`152`	`+// and add the fields to the log.`
	`153`	`+c.addAuthContextFields()`
	`154`	`+`
`96`	`155`	`logger:=c.log.With(`
`97`	`156`	`slog.F("took",end.Sub(c.start)),`
`98`	`157`	`slog.F("status_code",status),`
`99`	`158`	`slog.F("latency_ms",float64(end.Sub(c.start)/time.Millisecond)),`
`100`	`159`	`)`
	`160`	`+`
	`161`	`+// If the request is routed, add the route parameters to the log.`
	`162`	`+ifchiCtx:=chi.RouteContext(ctx);chiCtx!=nil {`
	`163`	`+urlParams:=chiCtx.URLParams`
	`164`	`+routeParamsFields:=make([]slog.Field,0,len(urlParams.Keys))`
	`165`	`+`
	`166`	`+fork,v:=rangeurlParams.Keys {`
	`167`	`+ifurlParams.Values[k]!="" {`
	`168`	`+routeParamsFields=append(routeParamsFields,slog.F("params_"+v,urlParams.Values[k]))`
	`169`	`+}`
	`170`	`+}`
	`171`	`+`
	`172`	`+iflen(routeParamsFields)>0 {`
	`173`	`+logger=logger.With(routeParamsFields...)`
	`174`	`+}`
	`175`	`+}`
	`176`	`+`
`101`	`177`	`// We already capture most of this information in the span (minus`
`102`	`178`	`// the response body which we don't want to capture anyways).`
`103`	`179`	`tracing.RunWithoutSpan(ctx,func(ctx context.Context) {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3e61440

File tree

18 files changed

18 files changed

`‎Makefile`

`‎coderd/coderd.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/queries.sql.go`

`‎coderd/database/queries/users.sql`

`‎coderd/httpmw/apikey.go`

`‎coderd/httpmw/logger.gorenamed to‎coderd/httpmw/loggermw/logger.go`

0 commit comments