[RORDEV-1573] Enable/Disable audit per block (#1175)

Author: mgoworko

core/src/main/scala/tech/beshu/ror/accesscontrol/blocks/Block.scala

@@ -40,6 +40,7 @@ import tech.beshu.ror.implicits.*
 class Block(val name: Name,
             val policy: Policy,
             val verbosity: Verbosity,
+            val audit: Audit,
             val rules: NonEmptyList[Rule])
            (implicit val loggingContext: LoggingContext)
   extends Logging {
@@ -101,12 +102,13 @@ object Block {
   def createFrom(name: Name,
                  policy: Option[Policy],
                  verbosity: Option[Verbosity],
+                 audit: Option[Audit],
                  rules: NonEmptyList[RuleDefinition[Rule]])
                 (implicit loggingContext: LoggingContext): Either[BlocksLevelCreationError, Block] = {
     val sortedRules = rules.sorted
     BlockValidator.validate(name, sortedRules) match {
       case Validated.Valid(_) =>
-        Right(createBlockInstance(name, policy, verbosity, sortedRules))
+        Right(createBlockInstance(name, policy, verbosity, audit, sortedRules))
       case Validated.Invalid(errors) =>
         implicit val validationErrorShow: Show[BlockValidationError] = blockValidationErrorShow(name)
         Left(BlocksLevelCreationError(Message(errors.toList.map(_.show).mkString("\n"))))
@@ -116,12 +118,14 @@ object Block {
   private def createBlockInstance(name: Name,
                                   policy: Option[Policy],
                                   verbosity: Option[Verbosity],
+                                  audit: Option[Audit],
                                   rules: NonEmptyList[RuleDefinition[Rule]])
                                  (implicit loggingContext: LoggingContext) =
     new Block(
       name,
       policy.getOrElse(Block.Policy.Allow),
       verbosity.getOrElse(Block.Verbosity.Info),
+      audit.getOrElse(Block.Audit.Enabled),
       rules.map(_.rule)
     )
 
@@ -181,6 +185,16 @@ object Block {
     implicit val eq: Eq[Verbosity] = Eq.fromUniversalEquals
   }
 
+  sealed trait Audit
+
+  object Audit {
+    case object Enabled extends Audit
+
+    case object Disabled extends Audit
+
+    implicit val eq: Eq[Audit] = Eq.fromUniversalEquals
+  }
+
   private class Lifter[B <: BlockContext] {
     def apply[A](task: Task[A]): WriterT[Task, Vector[HistoryItem[B]], A] =
       WriterT.liftF[Task, Vector[HistoryItem[B]], A](task)

core/src/main/scala/tech/beshu/ror/accesscontrol/factory/RawRorConfigBasedCoreFactory.scala

@@ -220,24 +220,34 @@ class RawRorConfigBasedCoreFactory(esVersion: EsVersion)
         case "info" => Right(Verbosity.Info)
         case "error" => Right(Verbosity.Error)
         case unknown => Left(BlocksLevelCreationError(Message(s"Unknown verbosity value: ${unknown.show}. Supported types: 'info'(default), 'error'.")))
+      }.decoder
+    implicit val blockAuditDecoder: Decoder[Block.Audit] =
+      Decoder.instance { c =>
+        for {
+          enabled <- c.downField("enabled").as[Boolean]
+        } yield {
+          if (enabled) Block.Audit.Enabled else Block.Audit.Disabled
+        }
       }
-        .decoder
     Decoder
       .instance { c =>
         val result = for {
           name <- c.downField(Attributes.Block.name).as[Block.Name]
           policy <- c.downField(Attributes.Block.policy).as[Option[Block.Policy]]
           verbosity <- c.downField(Attributes.Block.verbosity).as[Option[Block.Verbosity]]
+          audit <- c.downField(Attributes.Block.audit).as[Option[Block.Audit]]
           rules <- rulesNelDecoder(definitions, globalSettings, mocksProvider)
             .toSyncDecoder
             .decoder
             .tryDecode(c.withFocus(
               _.mapObject(_
                 .remove(Attributes.Block.name)
                 .remove(Attributes.Block.policy)
-                .remove(Attributes.Block.verbosity))
+                .remove(Attributes.Block.verbosity)
+                .remove(Attributes.Block.audit)
+              )
             ))
-          block <- Block.createFrom(name, policy, verbosity, rules).left.map(DecodingFailureOps.fromError(_))
+          block <- Block.createFrom(name, policy, verbosity, audit, rules).left.map(DecodingFailureOps.fromError(_))
         } yield BlockDecodingResult(
           block = block,
           localUsers = rules.map(localUsersForRule).combineAll,
@@ -541,6 +551,7 @@ object RawRorConfigBasedCoreFactory {
       val name = "name"
       val policy = "type"
       val verbosity = "verbosity"
+      val audit = "audit"
     }
 
   }

core/src/main/scala/tech/beshu/ror/accesscontrol/logging/AccessControlListLoggingDecorator.scala

@@ -105,17 +105,33 @@ class AccessControlListLoggingDecorator(val underlying: AccessControlList,
       import tech.beshu.ror.accesscontrol.logging.AccessControlListLoggingDecorator.responseContextShow
       logger.info(responseContextShow[B].show(responseContext))
     }
-    auditingTool.foreach {
-      _
-        .audit(responseContext, auditEnvironmentContext)
-        .runAsync {
-          case Right(_) =>
-          case Left(ex) =>
-            logger.warn(s"[${responseContext.requestContext.id.show}] Auditing issue", ex)
+    blockAuditSettings(responseContext) match {
+      case Some(Block.Audit.Disabled) =>
+        ()
+      case None | Some(Block.Audit.Enabled) =>
+        auditingTool.foreach {
+          _
+            .audit(responseContext, auditEnvironmentContext)
+            .runAsync {
+              case Right(_) =>
+              case Left(ex) =>
+                logger.warn(s"[${responseContext.requestContext.id.show}] Auditing issue", ex)
+            }
         }
     }
   }
 
+  private def blockAuditSettings[B <: BlockContext](responseContext: ResponseContext[B]): Option[Block.Audit] = {
+    responseContext match {
+      case AllowedBy(_, block, _, _) => Some(block.audit)
+      case Allow(_, _, block, _) => Some(block.audit)
+      case ForbiddenBy(_, block, _, _) => Some(block.audit)
+      case Forbidden(_, _) => None
+      case RequestedIndexNotExist(_, _) => None
+      case Errored(_, _) => None
+    }
+  }
+
   private def isLoggableEntry(context: ResponseContext[_]): Boolean = {
     def shouldBeLogged(block: Block) = {
       block.verbosity match {

core/src/test/scala/tech/beshu/ror/unit/acl/EnabledAccessControlListTests.scala

@@ -176,6 +176,7 @@ class EnabledAccessControlListTests extends AnyWordSpec with MockFactory with In
       Block.Name(name),
       policy,
       Block.Verbosity.Info,
+      Block.Audit.Enabled,
       NonEmptyList.of(
         new RegularRule {
           override val name: Rule.Name = Rule.Name("auth")

core/src/test/scala/tech/beshu/ror/unit/acl/blocks/BlockTests.scala

@@ -55,6 +55,7 @@ class BlockTests extends AnyWordSpec with BlockContextAssertion with Inside with
           name = blockName,
           policy = Block.Policy.Allow,
           verbosity = Block.Verbosity.Info,
+          audit = Block.Audit.Enabled,
           rules = NonEmptyList.fromListUnsafe(
             passingRule("r1") ::
               passingRule("r2", withLoggedUser) ::
@@ -83,6 +84,7 @@ class BlockTests extends AnyWordSpec with BlockContextAssertion with Inside with
           name = blockName,
           policy = Block.Policy.Allow,
           verbosity = Block.Verbosity.Info,
+          audit = Block.Audit.Enabled,
           rules = NonEmptyList.fromListUnsafe(
             passingRule("r1") :: passingRule("r2") :: throwingRule("r3") :: notPassingRule("r4") :: passingRule("r5") :: Nil
           )
@@ -109,6 +111,7 @@ class BlockTests extends AnyWordSpec with BlockContextAssertion with Inside with
         name = blockName,
         policy = Block.Policy.Allow,
         verbosity = Block.Verbosity.Info,
+        audit = Block.Audit.Enabled,
         rules = NonEmptyList.fromListUnsafe(
           passingRule("r1") :: passingRule("r2") :: passingRule("r3") :: Nil
         )
@@ -140,6 +143,7 @@ class BlockTests extends AnyWordSpec with BlockContextAssertion with Inside with
         name = blockName,
         policy = Block.Policy.Allow,
         verbosity = Block.Verbosity.Info,
+        audit = Block.Audit.Enabled,
         rules = NonEmptyList.fromListUnsafe(
           passingRule("r1", withLoggedUser) ::
             passingRule("r2") ::
@@ -178,6 +182,7 @@ class BlockTests extends AnyWordSpec with BlockContextAssertion with Inside with
         name = blockName,
         policy = Block.Policy.Allow,
         verbosity = Block.Verbosity.Info,
+        audit = Block.Audit.Enabled,
         rules = NonEmptyList.fromListUnsafe(
           passingRule("r1", _.withUserMetadata(_.withLoggedUser(DirectlyLoggedUser(User.Id("user1"))))) ::
           passingRule("r2", _.withUserMetadata(_.withLoggedUser(DirectlyLoggedUser(User.Id("user2"))))) ::

core/src/test/scala/tech/beshu/ror/unit/acl/logging/AuditingToolTests.scala

@@ -128,6 +128,7 @@ class AuditingToolTests extends AnyWordSpec with MockFactory with BeforeAndAfter
                 Block.Name("mock-block"),
                 Block.Policy.Forbid(),
                 Block.Verbosity.Info,
+                Block.Audit.Enabled,
                 NonEmptyList.one(new MethodsRule(MethodsRule.Settings(NonEmptySet.one(Method.GET))))
               ),
               GeneralIndexRequestBlockContext(requestContext, UserMetadata.empty, Set.empty, List.empty, Set.empty, Set.empty),
@@ -248,6 +249,7 @@ class AuditingToolTests extends AnyWordSpec with MockFactory with BeforeAndAfter
         Block.Name("mock-block"),
         policy,
         verbosity,
+        Block.Audit.Enabled,
         NonEmptyList.one(new MethodsRule(MethodsRule.Settings(NonEmptySet.one(Method.GET))))
       ),
       GeneralIndexRequestBlockContext(requestContext, UserMetadata.empty, Set.empty, List.empty, Set.empty, Set.empty),

gradle.properties

@@ -1,5 +1,5 @@
 publishedPluginVersion=1.67.1
-pluginVersion=1.68.0-pre5
+pluginVersion=1.68.0-pre6
 pluginName=readonlyrest
 
 org.gradle.jvmargs=-Xmx6144m

integration-tests/src/test/resources/ror_audit/enabled_auditing_tools/readonlyrest.yml

@@ -14,6 +14,7 @@ readonlyrest:
             another_field: "{ES_CLUSTER_NAME} {HTTP_METHOD}"
             tid: "{TASK_ID}"
             bytes: "{CONTENT_LENGTH_IN_BYTES}"
+            block: "{REASON}"
       - type: data_stream
         data_stream: "audit_data_stream"
         serializer:
@@ -25,6 +26,7 @@ readonlyrest:
             another_field: "{ES_CLUSTER_NAME} {HTTP_METHOD}"
             tid: "{TASK_ID}"
             bytes: "{CONTENT_LENGTH_IN_BYTES}"
+            block: "{REASON}"
 
   access_control_rules:
 
@@ -37,6 +39,8 @@ readonlyrest:
       methods: GET
       auth_key: username:dev
       indices: ["twitter"]
+      audit:
+        enabled: true ## twitter audit toggle
 
     - name: "Rule 2"
       verbosity: error

integration-tests/src/test/resources/ror_audit/enabled_auditing_tools/readonlyrest_audit_index.yml

@@ -14,6 +14,7 @@ readonlyrest:
             another_field: "{ES_CLUSTER_NAME} {HTTP_METHOD}"
             tid: "{TASK_ID}"
             bytes: "{CONTENT_LENGTH_IN_BYTES}"
+            block: "{REASON}"
 
   access_control_rules:
 
@@ -26,6 +27,8 @@ readonlyrest:
       methods: GET
       auth_key: username:dev
       indices: ["twitter"]
+      audit:
+        enabled: true ## twitter audit toggle
 
     - name: "Rule 2"
       verbosity: error

integration-tests/src/test/scala/tech/beshu/ror/integration/suites/audit/LocalClusterAuditingToolsSuite.scala

@@ -161,25 +161,49 @@ class LocalClusterAuditingToolsSuite
       "using ConfigurableQueryAuditLogSerializer" in {
         val indexManager = new IndexManager(basicAuthClient("username", "dev"), esVersionUsed)
 
+        // Change config to use configurable serializer and perform the request
         updateRorConfig(
           originalString = """type: "static"""",
           newString = """type: "configurable"""",
         )
         performAndAssertExampleSearchRequest(indexManager)
 
+        // Assert, that there is a single audit entry
         forEachAuditManager { adminAuditManager =>
           eventually {
             val auditEntries = adminAuditManager.getEntries.force().jsons
             auditEntries.size shouldBe 1
 
             auditEntries.exists(entry =>
-              entry("node_name_with_static_suffix").str == "ROR_SINGLE_1 with suffix" &&
+              entry("block").str.contains("name: 'Rule 1'") &&
+                entry("node_name_with_static_suffix").str == "ROR_SINGLE_1 with suffix" &&
                 entry("another_field").str == "ROR_SINGLE GET" &&
                 entry("tid").numOpt.isDefined &&
                 entry("bytes").num == 0
             ) shouldBe true
           }
         }
+
+        // Disable audit for Rule 1, clean managers, perform second request
+        updateRorConfig(
+          "enabled: true ## twitter audit toggle",
+          "enabled: false ## twitter audit toggle",
+        )
+        adminAuditManagers.values.foreach(_.truncate())
+        performAndAssertExampleSearchRequest(indexManager)
+
+        // Wait for 2s and assert, that there is no serialized event
+        Thread.sleep(2000)
+        forEachAuditManager { adminAuditManager =>
+          val auditEntries = adminAuditManager.getEntries.force().jsons
+          auditEntries.size shouldBe 0
+        }
+
+        // Restore the default config
+        updateRorConfig(
+          "enabled: false ## twitter audit toggle",
+          "enabled: true ## twitter audit toggle",
+        )
         updateRorConfigToUseSerializer("tech.beshu.ror.audit.instances.DefaultAuditLogSerializerV1")
       }
     }