warp-tech/warpgate
1
1
Fork 0
mirror of https://github.com/warp-tech/warpgate.git synced 2025-09-08 23:54:23 +08:00
Code Issues Projects Releases Packages Wiki Activity

fixed #855 - log client IPs and credentials used

Browse source
This commit is contained in:
Eugene Pankov 2023-08-08 09:39:22 +02:00 committed by Eugene
parent 0c7ed120b9
commit 49b92cde7a
7 changed files with 49 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
warpgate-common/src/auth/cred.rs
View file

@ -43,4 +43,14 @@ impl AuthCredential {
Self::WebUserApproval => CredentialKind::WebUserApproval, Self::WebUserApproval => CredentialKind::WebUserApproval,
} }
} }
pub fn safe_description(&self) -> String {
match self {
Self::Password { .. } => "password".to_string(),
Self::PublicKey { .. } => "public key".to_string(),
Self::Otp { .. } => "one-time password".to_string(),
Self::Sso { provider, .. } => format!("SSO ({provider})"),
Self::WebUserApproval => "in-browser auth".to_string(),
}
}
} }

18
warpgate-common/src/auth/state.rs
View file

@ -2,6 +2,7 @@ use std::collections::HashSet;
use chrono::{DateTime, Utc}; use chrono::{DateTime, Utc};
use rand::Rng; use rand::Rng;
use tracing::info;
use uuid::Uuid; use uuid::Uuid;
use super::{AuthCredential, CredentialKind, CredentialPolicy, CredentialPolicyResponse}; use super::{AuthCredential, CredentialKind, CredentialPolicy, CredentialPolicyResponse};
@ -96,9 +97,20 @@ impl AuthState {
.policy .policy
.is_sufficient(&self.protocol, &self.valid_credentials[..]) .is_sufficient(&self.protocol, &self.valid_credentials[..])
{ {
CredentialPolicyResponse::Ok => AuthResult::Accepted { CredentialPolicyResponse::Ok => {
username: self.username.clone(), info!(
}, username=%self.username,
credentials=%self.valid_credentials
.iter()
.map(|x| x.safe_description())
.collect::<Vec<_>>()
.join(", "),
"Authenticated",
);
AuthResult::Accepted {
username: self.username.clone(),
}
}
CredentialPolicyResponse::Need(kinds) => AuthResult::Need(kinds), CredentialPolicyResponse::Need(kinds) => AuthResult::Need(kinds),
} }
} }

1
warpgate-protocol-http/src/common.rs
View file

@ -222,7 +222,6 @@ pub async fn authorize_session(req: &Request, username: String) -> poem::Result<
.await .await
.set_username(username.clone()) .set_username(username.clone())
.await?; .await?;
info!(%username, "Authenticated");
session.set_auth(SessionAuthorization::User(username)); session.set_auth(SessionAuthorization::User(username));
Ok(()) Ok(())

10
warpgate-protocol-http/src/logging.rs
View file

@ -7,15 +7,21 @@ use crate::session_handle::WarpgateServerHandleFromRequest;
pub async fn span_for_request(req: &Request) -> poem::Result<Span> { pub async fn span_for_request(req: &Request) -> poem::Result<Span> {
let handle = WarpgateServerHandleFromRequest::from_request_without_body(req).await; let handle = WarpgateServerHandleFromRequest::from_request_without_body(req).await;
let client_ip = req
.remote_addr()
.as_socket_addr()
.map(|x| x.ip().to_string())
.unwrap_or("<unknown>".into());
Ok(match handle { Ok(match handle {
Ok(ref handle) => { Ok(ref handle) => {
let handle = handle.lock().await; let handle = handle.lock().await;
let ss = handle.session_state().lock().await; let ss = handle.session_state().lock().await;
match { ss.username.clone() } { match { ss.username.clone() } {
Some(ref username) => { Some(ref username) => {
info_span!("HTTP", session=%handle.id(), session_username=%username) info_span!("HTTP", session=%handle.id(), session_username=%username, %client_ip)
} }
None => info_span!("HTTP", session=%handle.id()), None => info_span!("HTTP", session=%handle.id(), %client_ip),
} }
} }
Err(_) => info_span!("HTTP"), Err(_) => info_span!("HTTP"),

4
warpgate-protocol-mysql/src/lib.rs
View file

@ -86,13 +86,13 @@ impl ProtocolServer for MySQLProtocolServer {
.register_session( .register_session(
&crate::common::PROTOCOL_NAME, &crate::common::PROTOCOL_NAME,
SessionStateInit { SessionStateInit {
remote_address: Some(remote_address), remote_address: Some(remote_address.clone()),
handle: Box::new(session_handle), handle: Box::new(session_handle),
}, },
) )
.await?; .await?;
let session = MySqlSession::new(server_handle, services, stream, tls_config).await; let session = MySqlSession::new(server_handle, services, stream, tls_config, remote_address).await;
let span = session.make_logging_span(); let span = session.make_logging_span();
tokio::select! { tokio::select! {
result = session.run().instrument(span) => match result { result = session.run().instrument(span) => match result {

15
warpgate-protocol-mysql/src/session.rs
View file

@ -1,3 +1,4 @@
use std::net::SocketAddr;
use std::sync::Arc; use std::sync::Arc;
use bytes::{Buf, Bytes, BytesMut}; use bytes::{Buf, Bytes, BytesMut};
@ -34,6 +35,7 @@ pub struct MySqlSession {
server_handle: Arc<Mutex<WarpgateServerHandle>>, server_handle: Arc<Mutex<WarpgateServerHandle>>,
id: Uuid, id: Uuid,
services: Services, services: Services,
remote_address: SocketAddr,
} }
impl MySqlSession { impl MySqlSession {
@ -42,6 +44,7 @@ impl MySqlSession {
services: Services, services: Services,
stream: TcpStream, stream: TcpStream,
tls_config: ServerConfig, tls_config: ServerConfig,
remote_address: SocketAddr,
) -> Self { ) -> Self {
let id = server_handle.lock().await.id(); let id = server_handle.lock().await.id();
Self { Self {
@ -67,13 +70,17 @@ impl MySqlSession {
database: None, database: None,
server_handle, server_handle,
id, id,
remote_address,
} }
} }
pub fn make_logging_span(&self) -> tracing::Span { pub fn make_logging_span(&self) -> tracing::Span {
let client_ip = self.remote_address.ip().to_string();
match self.username { match self.username {
Some(ref username) => info_span!("MySQL", session=%self.id, session_username=%username), Some(ref username) => {
None => info_span!("MySQL", session=%self.id), info_span!("MySQL", session=%self.id, session_username=%username, %client_ip)
}
None => info_span!("MySQL", session=%self.id, %client_ip),
} }
} }
@ -269,8 +276,6 @@ impl MySqlSession {
)?; )?;
self.stream.flush().await?; self.stream.flush().await?;
info!(%username, "Authenticated");
let target = { let target = {
self.services self.services
.config_provider .config_provider
@ -307,9 +312,7 @@ impl MySqlSession {
handle.set_target(&target).await?; handle.set_target(&target).await?;
} }
let span = self.make_logging_span();
self.run_authorized_inner(handshake, mysql_options) self.run_authorized_inner(handshake, mysql_options)
.instrument(span)
.await .await
} }

9
warpgate-protocol-ssh/src/server/session.rs
View file

@ -238,9 +238,12 @@ impl ServerSession {
} }
pub fn make_logging_span(&self) -> tracing::Span { pub fn make_logging_span(&self) -> tracing::Span {
let client_ip = self.remote_address.ip().to_string();
match self.username { match self.username {
Some(ref username) => info_span!("SSH", session=%self.id, session_username=%username), Some(ref username) => {
None => info_span!("SSH", session=%self.id), info_span!("SSH", session=%self.id, session_username=%username, %client_ip)
}
None => info_span!("SSH", session=%self.id, %client_ip),
} }
} }
@ -1437,8 +1440,6 @@ impl ServerSession {
username: &str, username: &str,
target_name: &str, target_name: &str,
) -> Result<(), WarpgateError> { ) -> Result<(), WarpgateError> {
info!(%username, "Authenticated");
let _ = self let _ = self
.server_handle .server_handle
.lock() .lock()