[Audit Logging] Stdout logger implementation (grpc#33026)

The logger uses `absl::FPrintF` to write to stdout. After reading a number of sources online, I got the impression that `std::fwrite` which is used by `absl::FPrintF` is atomic so there is no locking required here. --------- Co-authored-by: rockspore <rockspore@users.noreply.github.com>
eugeneo · May 17, 2023 · 14b75f5 · 14b75f5
1 parent 10b79dc
commit 14b75f5
Show file tree

Hide file tree

Showing 19 changed files with 229 additions and 6 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
diff --git a/Makefile b/Makefile
diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml
diff --git a/config.m4 b/config.m4
diff --git a/config.w32 b/config.w32
diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec
diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec
diff --git a/grpc.gemspec b/grpc.gemspec
diff --git a/grpc.gyp b/grpc.gyp
diff --git a/package.xml b/package.xml
diff --git a/src/core/BUILD b/src/core/BUILD
@@ -2777,16 +2777,19 @@ grpc_cc_library(
     name = "grpc_audit_logging",
     srcs = [
         "lib/security/authorization/audit_logging.cc",
+        "lib/security/authorization/stdout_logger.cc",
     ],
     hdrs = [
         "lib/security/authorization/audit_logging.h",
+        "lib/security/authorization/stdout_logger.h",
     ],
     external_deps = [
         "absl/base:core_headers",
         "absl/status",
         "absl/status:statusor",
         "absl/strings",
         "absl/strings:str_format",
+        "absl/time",
     ],
     deps = [
         "//:gpr",

diff --git a/src/core/lib/security/authorization/audit_logging.cc b/src/core/lib/security/authorization/audit_logging.cc
@@ -31,9 +31,11 @@
 #include "absl/strings/string_view.h"
 
 #include <grpc/grpc_audit_logging.h>
+#include <grpc/support/json.h>
 #include <grpc/support/log.h>
 
 #include "src/core/lib/gprpp/sync.h"
+#include "src/core/lib/security/authorization/stdout_logger.h"
 
 namespace grpc_core {
 namespace experimental {
@@ -42,6 +44,12 @@ Mutex* AuditLoggerRegistry::mu = new Mutex();
 
 AuditLoggerRegistry* AuditLoggerRegistry::registry = new AuditLoggerRegistry();
 
+AuditLoggerRegistry::AuditLoggerRegistry() {
+  auto factory = std::make_unique<StdoutAuditLoggerFactory>();
+  absl::string_view name = factory->name();
+  GPR_ASSERT(logger_factories_map_.emplace(name, std::move(factory)).second);
+}
+
 void AuditLoggerRegistry::RegisterFactory(
     std::unique_ptr<AuditLoggerFactory> factory) {
   GPR_ASSERT(factory != nullptr);

diff --git a/src/core/lib/security/authorization/audit_logging.h b/src/core/lib/security/authorization/audit_logging.h
@@ -56,8 +56,7 @@ class AuditLoggerRegistry {
   static void TestOnlyResetRegistry();
 
  private:
-  // TODO(lwge): Add built-in logger registrations once avaialble.
-  AuditLoggerRegistry() = default;
+  AuditLoggerRegistry();
 
   static Mutex* mu;
 

diff --git a/src/core/lib/security/authorization/stdout_logger.cc b/src/core/lib/security/authorization/stdout_logger.cc
@@ -0,0 +1,75 @@
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/stdout_logger.h"
+
+#include <cstdio>
+#include <initializer_list>
+#include <memory>
+#include <string>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/str_format.h"
+#include "absl/strings/string_view.h"
+#include "absl/time/clock.h"
+#include "absl/time/time.h"
+
+#include <grpc/grpc_audit_logging.h>
+#include <grpc/support/json.h>
+#include <grpc/support/log.h>
+
+namespace grpc_core {
+namespace experimental {
+
+namespace {
+
+constexpr absl::string_view kName = "stdout_logger";
+constexpr char kLogFormat[] =
+    "{\"grpc_audit_log\":{\"timestamp\":\"%s\",\"rpc_method\":\"%s\","
+    "\"principal\":\"%s\",\"policy_name\":\"%s\",\"matched_rule\":\"%s\","
+    "\"authorized\":%s}}\n";
+
+}  // namespace
+
+void StdoutAuditLogger::Log(const AuditContext& context) {
+  absl::FPrintF(stdout, kLogFormat, absl::FormatTime(absl::Now()),
+                context.rpc_method(), context.principal(),
+                context.policy_name(), context.matched_rule(),
+                context.authorized() ? "true" : "false");
+}
+
+absl::string_view StdoutAuditLoggerFactory::Config::name() const {
+  return kName;
+}
+
+std::string StdoutAuditLoggerFactory::Config::ToString() const { return "{}"; }
+
+absl::string_view StdoutAuditLoggerFactory::name() const { return kName; }
+
+absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
+StdoutAuditLoggerFactory::ParseAuditLoggerConfig(const Json&) {
+  return std::make_unique<StdoutAuditLoggerFactory::Config>();
+}
+
+std::unique_ptr<AuditLogger> StdoutAuditLoggerFactory::CreateAuditLogger(
+    std::unique_ptr<AuditLoggerFactory::Config> config) {
+  // Sanity check.
+  GPR_ASSERT(config != nullptr && config->name() == name());
+  return std::make_unique<StdoutAuditLogger>();
+}
+
+}  // namespace experimental
+}  // namespace grpc_core
diff --git a/src/core/lib/security/authorization/stdout_logger.h b/src/core/lib/security/authorization/stdout_logger.h
@@ -0,0 +1,60 @@
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
+#define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+#include <string>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+#include <grpc/grpc_audit_logging.h>
+#include <grpc/support/json.h>
+
+namespace grpc_core {
+namespace experimental {
+
+class StdoutAuditLogger : public AuditLogger {
+ public:
+  StdoutAuditLogger() = default;
+  void Log(const AuditContext&) override;
+};
+
+class StdoutAuditLoggerFactory : public AuditLoggerFactory {
+ public:
+  class Config : public AuditLoggerFactory::Config {
+   public:
+    Config() = default;
+    absl::string_view name() const override;
+    std::string ToString() const override;
+  };
+  StdoutAuditLoggerFactory() = default;
+
+  absl::string_view name() const override;
+
+  absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
+  ParseAuditLoggerConfig(const Json& json) override;
+
+  std::unique_ptr<AuditLogger> CreateAuditLogger(
+      std::unique_ptr<AuditLoggerFactory::Config>) override;
+};
+
+}  // namespace experimental
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py