From 54b35c30daf52a42b43f861086abcd83b1835d82 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 21 Nov 2024 10:38:16 -0800
Subject: [PATCH] rename `tokenIdentifier` to `tokenID` in the audit logs

Because `tokenID` is more consistent with the names of the other correlation keys.
---
 .../endpoints/token/token_handler.go | 2 +-
 .../endpoints/token/token_handler_test.go | 28 +++++++--------
 internal/registry/credentialrequest/rest.go | 2 +-
 .../registry/credentialrequest/rest_test.go | 36 +++++++++----------
 site/content/docs/reference/audit-logging.md | 14 ++++----
 5 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/internal/federationdomain/endpoints/token/token_handler.go b/internal/federationdomain/endpoints/token/token_handler.go
index 7dd0ef053..278a94cb5 100644
--- a/internal/federationdomain/endpoints/token/token_handler.go
+++ b/internal/federationdomain/endpoints/token/token_handler.go
@@ -439,7 +439,7 @@ func auditLogIDToken(
 ReqCtx: reqCtx,
 Session: accessRequest,
 KeysAndValues: []any{
- "tokenIdentifier", fmt.Sprintf("%x", sha256.Sum256([]byte(idToken))),
+ "tokenID", fmt.Sprintf("%x", sha256.Sum256([]byte(idToken))),
 },
 })
 }
diff --git a/internal/federationdomain/endpoints/token/token_handler_test.go b/internal/federationdomain/endpoints/token/token_handler_test.go
index 343da2035..b6bc43217 100644
--- a/internal/federationdomain/endpoints/token/token_handler_test.go
+++ b/internal/federationdomain/endpoints/token/token_handler_test.go
@@ -404,8 +404,8 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) {
 }),
 testutil.WantAuditLog("Session Found", map[string]any{"sessionID": sessionID}),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
@@ -479,8 +479,8 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) {
 testutil.WantAuditLog("HTTP Request Basic Auth", map[string]any{"clientID": dynamicClientID}),
 testutil.WantAuditLog("Session Found", map[string]any{"sessionID": sessionID}),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
@@ -1229,8 +1229,8 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 }),
 testutil.WantAuditLog("Session Found", map[string]any{"sessionID": sessionID}),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
@@ -1252,8 +1252,8 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 }),
 testutil.WantAuditLog("Session Found", map[string]any{"sessionID": sessionID}),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
@@ -2413,8 +2413,8 @@ func TestRefreshGrant(t *testing.T) {
 },
 }),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
@@ -2669,8 +2669,8 @@ func TestRefreshGrant(t *testing.T) {
 }),
 testutil.WantAuditLog("Session Found", map[string]any{"sessionID": sessionID}),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
@@ -3061,8 +3061,8 @@ func TestRefreshGrant(t *testing.T) {
 },
 }),
 testutil.WantAuditLog("ID Token Issued", map[string]any{
- "sessionID": sessionID,
- "tokenIdentifier": idTokenToHash(idToken),
+ "sessionID": sessionID,
+ "tokenID": idTokenToHash(idToken),
 }),
 }
 },
diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go
index a05da3189..a8ef1c318 100644
--- a/internal/registry/credentialrequest/rest.go
+++ b/internal/registry/credentialrequest/rest.go
@@ -117,7 +117,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 r.auditLogger.Audit(auditevent.TokenCredentialRequestTokenReceived, &plog.AuditParams{
 ReqCtx: ctx,
 KeysAndValues: []any{
- "tokenIdentifier", fmt.Sprintf("%x", sha256.Sum256([]byte(credentialRequest.Spec.Token))),
+ "tokenID", fmt.Sprintf("%x", sha256.Sum256([]byte(credentialRequest.Spec.Token))),
 },
 })
diff --git a/internal/registry/credentialrequest/rest_test.go b/internal/registry/credentialrequest/rest_test.go
index b970a6c25..854746738 100644
--- a/internal/registry/credentialrequest/rest_test.go
+++ b/internal/registry/credentialrequest/rest_test.go
@@ -131,8 +131,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Authenticated User", map[string]any{
 "auditID": "fake-audit-id",
@@ -172,8 +172,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Unexpected Error", map[string]any{
 "auditID": "fake-audit-id",
@@ -202,8 +202,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Authentication Failed", map[string]any{
 "auditID": "fake-audit-id",
@@ -232,8 +232,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Unexpected Error", map[string]any{
 "auditID": "fake-audit-id",
@@ -263,8 +263,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Unsupported UserInfo", map[string]any{
 "auditID": "fake-audit-id",
@@ -303,8 +303,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Unsupported UserInfo", map[string]any{
 "auditID": "fake-audit-id",
@@ -343,8 +343,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Unsupported UserInfo", map[string]any{
 "auditID": "fake-audit-id",
@@ -423,8 +423,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Authenticated User", map[string]any{
 "auditID": "fake-audit-id",
@@ -474,8 +474,8 @@ func TestCreate(t *testing.T) {
 wantAuditLog = []testutil.WantedAuditLog{
 testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
- "auditID": "fake-audit-id",
- "tokenIdentifier": tokenToHash(req.Spec.Token),
+ "auditID": "fake-audit-id",
+ "tokenID": tokenToHash(req.Spec.Token),
 }),
 testutil.WantAuditLog("TokenCredentialRequest Authenticated User", map[string]any{
 "auditID": "fake-audit-id",
diff --git a/site/content/docs/reference/audit-logging.md b/site/content/docs/reference/audit-logging.md
index ce97b2a0f..e39796283 100644
--- a/site/content/docs/reference/audit-logging.md
+++ b/site/content/docs/reference/audit-logging.md
@@ -92,7 +92,7 @@ correlate an audit event log line to other logs. The values for these keys are o
 - When applicable, audit logs have an `authorizeID` which is a unique ID to allow audit events to be correlated across some of the browser redirects which relate to a single login attempt by an end user. This is only applicable to those browser-based login flows which use redirects to identity providers and/or interstitial pages in the login flow.
-- When applicable, audit logs have a `tokenIdentifier` which is a unique ID of a token to allow audit events to be correlated
+- When applicable, audit logs have a `tokenID` which is a unique ID of a token to allow audit events to be correlated
 between where a token is issued to an end user in the Supervisor and where a token is used to gain access to a Kubernetes cluster in the Concierge.
@@ -392,7 +392,7 @@ The logs from the token endpoint are shown below.
 "auditEvent": true,
 "auditID": "4effaac3-3f56-4133-9fa8-15104a3022c9",
 "sessionID": "316fa17f-2ea3-47fd-b7b0-2b02097d8c87",
- "tokenIdentifier": "255b785220fe841e950aaf2f78df167991f2b38d2f0b25cc4449301e91d63913"
+ "tokenID": "255b785220fe841e950aaf2f78df167991f2b38d2f0b25cc4449301e91d63913"
 }
 {
 "level": "info",
@@ -455,7 +455,7 @@ for the target workload cluster (technically, an ID token with a different `aud`
 "auditEvent": true,
 "auditID": "b49b0a29-b1af-4902-a4fc-bea2c851fcb6",
 "sessionID": "316fa17f-2ea3-47fd-b7b0-2b02097d8c87",
- "tokenIdentifier": "931aabb59f2ecedb1ae9ed1d3c94dd37d169aecce5cbd3dd2096295d3b409720"
+ "tokenID": "931aabb59f2ecedb1ae9ed1d3c94dd37d169aecce5cbd3dd2096295d3b409720"
 }
 {
 "level": "info",
@@ -470,12 +470,12 @@ for the target workload cluster (technically, an ID token with a different `aud`
 }
 ```
-Note that when the ID token is issued, it prints a `tokenIdentifier` which is a unique identifier for that
+Note that when the ID token is issued, it prints a `tokenID` which is a unique identifier for that
 specific token. Technically, it is a sha256sum of the token. This can be used to cross-reference the usage of this specific token to other systems. Finally, that ID token is submitted to the workload cluster's Concierge to get a temporary credential which
-grants access to that workload cluster. In those logs below, you can see how the `tokenIdentifier` can be used
+grants access to that workload cluster. In those logs below, you can see how the `tokenID` can be used
 to follow the user's session to another cluster by following the token. This `TokenCredentialRequest` endpoint s a Kubernetes API, so the `auditID` value from the Concierge pod logs will match the `auditID` value in the Kubernetes audit logs, allowing them to be correlated.
@@ -487,7 +487,7 @@ the Kubernetes audit logs, allowing them to be correlated.
 "message": "TokenCredentialRequest Token Received",
 "auditEvent": true,
 "auditID": "6776ad70-b587-4bfd-ae41-74ab5e3e00f5",
- "tokenIdentifier": "931aabb59f2ecedb1ae9ed1d3c94dd37d169aecce5cbd3dd2096295d3b409720"
+ "tokenID": "931aabb59f2ecedb1ae9ed1d3c94dd37d169aecce5cbd3dd2096295d3b409720"
 }
 {
 "level": "info",
@@ -509,7 +509,7 @@ the Kubernetes audit logs, allowing them to be correlated.
 ```
 As we've seen, a user's entire authentication journey across clusters can be followed by using the
-`auditID`, `authorizeID`, `sessionID`, and `tokenIdentifier` correlation values to find related audit log events.
+`auditID`, `authorizeID`, `sessionID`, and `tokenID` correlation values to find related audit log events.
 ## Watching the audit logs