From 80965716b6734716f230c78af187c9d927e596a2 Mon Sep 17 00:00:00 2001
From: Drew Bailey <2614075+drewbailey@users.noreply.github.com>
Date: Wed, 25 Mar 2020 10:38:40 -0400
Subject: [PATCH 1/4] allow all build contexts to use noOpAuditor

---
 command/agent/agent.go     | 24 ++++++++++++++++++++++++
 command/agent/agent_oss.go | 24 ------------------------
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/command/agent/agent.go b/command/agent/agent.go
index 19c82bee1..622adea87 100644
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -1081,3 +1082,26 @@ func (a *Agent) setupConsul(consulConfig *config.ConsulConfig) error {
 	go a.consulService.Run()
 	return nil
 }
+
+// noOpAuditor is a no-op Auditor that fulfills the
+// event.Auditor interface.
+type noOpAuditor struct{}
+
+// Ensure noOpAuditor is an Auditor
+var _ event.Auditor = &noOpAuditor{}
+
+func (e *noOpAuditor) Event(ctx context.Context, eventType string, payload interface{}) error {
+	return nil
+}
+
+func (e *noOpAuditor) Enabled() bool {
+	return false
+}
+
+func (e *noOpAuditor) Reopen() error {
+	return nil
+}
+
+func (e *noOpAuditor) SetEnabled(enabled bool) {}
+
+func (e *noOpAuditor) DeliveryEnforced() bool { return false }
diff --git a/command/agent/agent_oss.go b/command/agent/agent_oss.go
index 3ad179d0b..255d21f39 100644
--- a/command/agent/agent_oss.go
+++ b/command/agent/agent_oss.go
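Review bot: The noOpAuditor methods added at the end of agent.go carry no doc comments, and the type comment ("fulfills the event.Auditor interface") does not say what the no-op means for callers: Event drops the event and returns nil, Enabled and DeliveryEnforced report false, Reopen and SetEnabled do nothing. Because this type now compiles in every build context rather than only the oss one, a method-level comment on Event such as `// Event discards the event without recording it; install this auditor only where auditing is intentionally off.` makes an accidental installation in an enforcing build easier to spot in review. The unused parameters of Event and SetEnabled could also be written as `_` to make the discard explicit, e.g. `func (e *noOpAuditor) Event(_ context.Context, _ string, _ interface{}) error {`. I cannot see the enterprise code that selects the auditor, so whether anything there still relied on the oss-only placement is inferred, not checked.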
@@ -3,34 +3,10 @@
 package agent
 
 import (
-	"context"
-
 	hclog "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/nomad/command/agent/event"
 	"github.com/hashicorp/nomad/nomad/structs/config"
 )
 
-type noOpAuditor struct{}
-
-// Ensure noOpAuditor is an Eventer
-var _ event.Auditor = &noOpAuditor{}
-
-func (e *noOpAuditor) Event(ctx context.Context, eventType string, payload interface{}) error {
-	return nil
-}
-
-func (e *noOpAuditor) Enabled() bool {
-	return false
-}
-
-func (e *noOpAuditor) Reopen() error {
-	return nil
-}
-
-func (e *noOpAuditor) SetEnabled(enabled bool) {}
-
-func (e *noOpAuditor) DeliveryEnforced() bool { return false }
-
 func (a *Agent) setupEnterpriseAgent(log hclog.Logger) error {
 	// configure eventer
 	a.auditor = &noOpAuditor{}

From dc7e0bae775b52dc3f334d305ef0f321b0062e20 Mon Sep 17 00:00:00 2001
From: Drew Bailey <2614075+drewbailey@users.noreply.github.com>
Date: Wed, 25 Mar 2020 10:48:23 -0400
Subject: [PATCH 2/4] add auditor

---
 command/agent/agent_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/command/agent/agent_test.go b/command/agent/agent_test.go
index 6950da55b..0cbd42846 100644
--- a/command/agent/agent_test.go
+++ b/command/agent/agent_test.go
@@ -705,7 +705,8 @@ func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
 	}
 
 	agent := &Agent{
-		config: agentConfig,
+		auditor: &noOpAuditor{},
+		config:  agentConfig,
 	}
 
 	newConfig := &Config{

From 5751ba6d160d9ff69e2e44865b46fe2fad2eb9e7 Mon Sep 17 00:00:00 2001
From: Drew Bailey <2614075+drewbailey@users.noreply.github.com>
Date: Wed, 25 Mar 2020 10:53:38 -0400
Subject: [PATCH 3/4] add in change missed from ent

---
 command/agent/agent.go      | 6 ++++++
 command/agent/agent_test.go | 8 +++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/command/agent/agent.go b/command/agent/agent.go
index 622adea87..24f206bf3 100644
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@@ -1010,6 +1010,12 @@ func (a *Agent) Reload(newConfig *Config) error {
 			return err
 		}
 	}
+	// Allow auditor to call reopen regardless of config changes
+	// This is primarily for enterprise audit logging to allow the underlying
+	// file to be reopened if necessary
+	if err := a.auditor.Reopen(); err != nil {
+		return err
+	}
 
 	fullUpdateTLSConfig := func() {
 		// Completely reload the agent's TLS configuration (moving from non-TLS to
diff --git a/command/agent/agent_test.go b/command/agent/agent_test.go
index 0cbd42846..c5d5e232f 100644
--- a/command/agent/agent_test.go
+++ b/command/agent/agent_test.go
@@ -657,7 +657,8 @@ func TestServer_Reload_TLS_Certificate(t *testing.T) {
 	}
 
 	agent := &Agent{
-		config: agentConfig,
+		auditor: &noOpAuditor{},
+		config:  agentConfig,
 	}
 
 	newConfig := &Config{
@@ -785,8 +786,9 @@ func TestServer_Reload_TLS_UpgradeToTLS(t *testing.T) {
 	}
 
 	agent := &Agent{
-		logger: logger,
-		config: agentConfig,
+		auditor: &noOpAuditor{},
+		logger:  logger,
+		config:  agentConfig,
 	}
 
 	newConfig := &Config{

From d945b2661263d818f09d5dd4f0c96175b7ae6aeb Mon Sep 17 00:00:00 2001
From: Drew Bailey <2614075+drewbailey@users.noreply.github.com>
Date: Wed, 25 Mar 2020 10:57:44 -0400
Subject: [PATCH 4/4] sync changes made to oss files from ent

---
 command/agent/agent.go    | 2 +-
 command/agent/http.go     | 2 +-
 command/agent/http_oss.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/command/agent/agent.go b/command/agent/agent.go
index 24f206bf3..42f21322f 100644
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@@ -1006,7 +1006,7 @@ func (a *Agent) Reload(newConfig *Config) error {
 
 	// Update eventer
 	if newConfig.Audit != nil {
-		if err := a.entReloadEventer(a.config.Audit); err != nil {
+		if err := a.entReloadEventer(newConfig.Audit); err != nil {
 			return err
 		}
 	}
diff --git a/command/agent/http.go b/command/agent/http.go
index 82d689d72..cb31a76a8 100644
--- a/command/agent/http.go
+++ b/command/agent/http.go
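Review bot: The new `a.auditor.Reopen()` call in Reload goes through the auditor interface with no nil check, so any Agent whose auditor was never assigned panics on the next reload; the test edits in this series (patches 2 and 3) work around exactly that by setting `auditor: &noOpAuditor{}` by hand, which suggests the non-nil invariant is not enforced where Agent is constructed. Either guard the call, `if a.auditor != nil { if err := a.auditor.Reopen(); err != nil { return err } }`, or have the constructor guarantee a non-nil auditor and state that in the comment. Returning the Reopen error also aborts the rest of Reload, including the TLS reconfiguration that follows, so a failure to reopen the audit log blocks a certificate rotation; if that fail-closed coupling is intended for enforced delivery the comment should say so, otherwise the error could be logged and the reload allowed to proceed when `a.auditor.DeliveryEnforced()` is false. Reload's body starts and ends outside this hunk.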
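Review bot: The `if newConfig.Audit != nil` guard on the context line above the changed `entReloadEventer(newConfig.Audit)` call still skips the reload entirely when the new configuration omits the audit block, so removing the stanza and reloading leaves the previously loaded eventer running with its old settings rather than returning auditing to its default state. If keeping the previous configuration is the intended semantics, a comment such as `// A nil Audit block keeps the previously loaded audit configuration.` should say so; if not, the nil case needs its own handling. Whether entReloadEventer or its enterprise implementation copes with a nil block is inferred, not checked, since that code is outside this patch. Reload's body starts and ends outside this hunk.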
@@ -513,7 +513,7 @@ func (s *HTTPServer) wrapNonJSON(handler func(resp http.ResponseWriter, req *htt
 	defer func() {
 		s.logger.Debug("request complete", "method", req.Method, "path", reqURL, "duration", time.Now().Sub(start))
 	}()
-	obj, err := s.auditByteHandler(handler)(resp, req)
+	obj, err := s.auditNonJSONHandler(handler)(resp, req)
 
 	// Check for an error
 	if err != nil {
diff --git a/command/agent/http_oss.go b/command/agent/http_oss.go
index 71d73e8fa..b99fe79c6 100644
--- a/command/agent/http_oss.go
+++ b/command/agent/http_oss.go
@@ -27,7 +27,7 @@ func (s HTTPServer) auditHandler(h handlerFn) handlerFn {
 	return h
 }
 
-func (s *HTTPServer) auditByteHandler(h handlerByteFn) handlerByteFn {
+func (s *HTTPServer) auditNonJSONHandler(h handlerByteFn) handlerByteFn {
 	return h
 }
 