mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add audit logging for all mutating gRPC operations

Browse Source 
Log Info-level audit events on success for:
- system: Init, Unseal, Seal
- auth: Login, Logout
- engine: Mount, Unmount
- policy: CreatePolicy, DeletePolicy
- ca: ImportRoot, CreateIssuer, DeleteIssuer, IssueCert, RenewCert

Each log line includes relevant identifiers (mount, issuer, serial, CN,
SANs, username) so that certificate issuance and other privileged
operations are traceable in the server logs.

Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
Kyle Isom
2026-03-15 13:11:17 -07:00
parent 8215aaccc5
commit 65c92fe5ec
8 changed files with 45 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/grpcserver/ca.go
View File

@@ -48,6 +48,14 @@ func (cs *caServer) caHandleRequest(ctx context.Context, mount, operation string
return resp, nil
}
func callerUsername(ctx context.Context) string {
ti := tokenInfoFromContext(ctx)
if ti == nil {
return ""
}
return ti.Username
}
func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
ti := tokenInfoFromContext(ctx)
if ti == nil {
@@ -82,6 +90,7 @@ func (cs *caServer) ImportRoot(ctx context.Context, req *pb.ImportRootRequest) (
expiresAt = timestamppb.New(t)
}
}
cs.s.logger.Info("audit: root CA imported", "mount", req.Mount, "cn", cn, "username", callerUsername(ctx))
return &pb.ImportRootResponse{CommonName: cn, ExpiresAt: expiresAt}, nil
}
@@ -128,6 +137,7 @@ func (cs *caServer) CreateIssuer(ctx context.Context, req *pb.CreateIssuerReques
}
name, _ := resp.Data["name"].(string)
certPEM, _ := resp.Data["cert_pem"].(string)
cs.s.logger.Info("audit: issuer created", "mount", req.Mount, "issuer", name, "username", callerUsername(ctx))
return &pb.CreateIssuerResponse{Name: name, CertPem: []byte(certPEM)}, nil
}
@@ -143,6 +153,7 @@ func (cs *caServer) DeleteIssuer(ctx context.Context, req *pb.DeleteIssuerReques
if err != nil {
return nil, err
}
cs.s.logger.Info("audit: issuer deleted", "mount", req.Mount, "issuer", req.Name, "username", callerUsername(ctx))
return &pb.DeleteIssuerResponse{}, nil
}
@@ -270,6 +281,7 @@ func (cs *caServer) IssueCert(ctx context.Context, req *pb.IssueCertRequest) (*p
expiresAt = timestamppb.New(t)
}
}
cs.s.logger.Info("audit: certificate issued", "mount", req.Mount, "issuer", issuedBy, "serial", serial, "cn", cn, "sans", sans, "username", callerUsername(ctx))
return &pb.IssueCertResponse{
Serial: serial,
CommonName: cn,
@@ -346,6 +358,7 @@ func (cs *caServer) RenewCert(ctx context.Context, req *pb.RenewCertRequest) (*p
expiresAt = timestamppb.New(t)
}
}
cs.s.logger.Info("audit: certificate renewed", "mount", req.Mount, "old_serial", req.Serial, "new_serial", serial, "cn", cn, "issued_by", issuedBy, "username", callerUsername(ctx))
return &pb.RenewCertResponse{
Serial: serial,
CommonName: cn,