3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-23 05:57:19 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: audit logging (#2050)

Browse source 
* authorize: add databroker server and record version to result, force sync via polling

* authorize: audit logging
This commit is contained in:
Caleb Doxsey 2021-04-05 09:58:55 -06:00 committed by GitHub
parent 00e56212ec
commit f4c4fe314a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 1395 additions and 1390 deletions
Download patch file Download diff file Expand all files Collapse all files

54
authorize/grpc.go
View file

@ -8,23 +8,19 @@ import (
"net/url"
"strings"
"github.com/rs/zerolog"
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/telemetry/requestid"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/grpc/user"
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
)
// Check implements the envoy auth server gRPC endpoint.
func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (out *envoy_service_auth_v3.CheckResponse, err error) {
ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check")
defer span.End()
@ -65,7 +61,9 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
log.Error().Err(err).Msg("error during OPA evaluation")
return nil, err
}
logAuthorizeCheck(ctx, in, reply, u)
defer func() {
a.logAuthorizeCheck(ctx, in, out, reply, u)
}()
switch {
case reply.Status == http.StatusOK:
@ -226,45 +224,3 @@ func getPeerCertificate(in *envoy_service_auth_v3.CheckRequest) string {
cert, _ := url.QueryUnescape(in.GetAttributes().GetSource().GetCertificate())
return cert
}
func logAuthorizeCheck(
ctx context.Context,
in *envoy_service_auth_v3.CheckRequest,
reply *evaluator.Result,
u *user.User,
) {
hdrs := getCheckRequestHeaders(in)
hattrs := in.GetAttributes().GetRequest().GetHttp()
evt := log.Info().Str("service", "authorize")
// request
evt = evt.Str("request-id", requestid.FromContext(ctx))
evt = evt.Str("check-request-id", hdrs["X-Request-Id"])
evt = evt.Str("method", hattrs.GetMethod())
evt = evt.Str("path", stripQueryString(hattrs.GetPath()))
evt = evt.Str("host", hattrs.GetHost())
evt = evt.Str("query", hattrs.GetQuery())
// reply
if reply != nil {
evt = evt.Bool("allow", reply.Status == http.StatusOK)
evt = evt.Int("status", reply.Status)
evt = evt.Str("message", reply.Message)
evt = evt.Str("user", u.GetId())
evt = evt.Str("email", u.GetEmail())
evt = evt.Uint64("databroker_server_version", reply.DataBrokerServerVersion)
evt = evt.Uint64("databroker_record_version", reply.DataBrokerRecordVersion)
}
// potentially sensitive, only log if debug mode
if zerolog.GlobalLevel() <= zerolog.DebugLevel {
evt = evt.Interface("headers", hdrs)
}
evt.Msg("authorize check")
}
func stripQueryString(str string) string {
if idx := strings.Index(str, "?"); idx != -1 {
str = str[:idx]
}
return str
}

77
authorize/log.go Normal file
View file

@ -0,0 +1,77 @@
package authorize
import (
"context"
"net/http"
"strings"
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"github.com/rs/zerolog"
"github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry/requestid"
"github.com/pomerium/pomerium/pkg/grpc/audit"
"github.com/pomerium/pomerium/pkg/grpc/user"
)
func (a *Authorize) logAuthorizeCheck(
ctx context.Context,
in *envoy_service_auth_v3.CheckRequest, out *envoy_service_auth_v3.CheckResponse,
reply *evaluator.Result, u *user.User,
) {
hdrs := getCheckRequestHeaders(in)
hattrs := in.GetAttributes().GetRequest().GetHttp()
evt := log.Info().Str("service", "authorize")
// request
evt = evt.Str("request-id", requestid.FromContext(ctx))
evt = evt.Str("check-request-id", hdrs["X-Request-Id"])
evt = evt.Str("method", hattrs.GetMethod())
evt = evt.Str("path", stripQueryString(hattrs.GetPath()))
evt = evt.Str("host", hattrs.GetHost())
evt = evt.Str("query", hattrs.GetQuery())
// reply
if reply != nil {
evt = evt.Bool("allow", reply.Status == http.StatusOK)
evt = evt.Int("status", reply.Status)
evt = evt.Str("message", reply.Message)
evt = evt.Str("user", u.GetId())
evt = evt.Str("email", u.GetEmail())
evt = evt.Uint64("databroker_server_version", reply.DataBrokerServerVersion)
evt = evt.Uint64("databroker_record_version", reply.DataBrokerRecordVersion)
}
// potentially sensitive, only log if debug mode
if zerolog.GlobalLevel() <= zerolog.DebugLevel {
evt = evt.Interface("headers", hdrs)
}
evt.Msg("authorize check")
if enc := a.state.Load().auditEncryptor; enc != nil {
record := &audit.Record{
Request: in,
Response: out,
}
if reply != nil {
record.DatabrokerServerVersion = reply.DataBrokerServerVersion
record.DatabrokerRecordVersion = reply.DataBrokerRecordVersion
}
sealed, err := enc.Encrypt(record)
if err != nil {
log.Warn().Err(err).Msg("authorize: error encrypting audit record")
return
}
log.Info().
Str("request-id", requestid.FromContext(ctx)).
EmbedObject(sealed).
Msg("audit log")
}
}
func stripQueryString(str string) string {
if idx := strings.Index(str, "?"); idx != -1 {
str = str[:idx]
}
return str
}

10
authorize/state.go
View file

@ -11,12 +11,14 @@ import (
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/pkg/grpc"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
"github.com/pomerium/pomerium/pkg/protoutil"
)
type authorizeState struct {
evaluator *evaluator.Evaluator
encoder encoding.MarshalUnmarshaler
dataBrokerClient databroker.DataBrokerServiceClient
auditEncryptor *protoutil.Encryptor
}
func newAuthorizeStateFromConfig(cfg *config.Config, store *evaluator.Store) (*authorizeState, error) {
@ -61,6 +63,14 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *evaluator.Store) (*a
}
state.dataBrokerClient = databroker.NewDataBrokerServiceClient(cc)
auditKey, err := cfg.Options.GetAuditKey()
if err != nil {
return nil, fmt.Errorf("authorize: invalid audit key: %w", err)
}
if auditKey != nil {
state.auditEncryptor = protoutil.NewEncryptor(auditKey)
}
return state, nil
}

26
config/crypt.go Normal file
View file

@ -0,0 +1,26 @@
package config
import (
"encoding/base64"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
// A PublicKeyEncryptionKeyOptions represents options for a public key encryption key.
type PublicKeyEncryptionKeyOptions struct {
ID string `mapstructure:"id" yaml:"id"`
Data string `mapstructure:"data" yaml:"data"` // base64-encoded
}
// GetAuditKey gets the audit key from the options. If no audit key is provided it will return (nil, nil).
func (o *Options) GetAuditKey() (*cryptutil.PublicKeyEncryptionKey, error) {
if o.AuditKey == nil {
return nil, nil
}
raw, err := base64.StdEncoding.DecodeString(o.AuditKey.Data)
if err != nil {
return nil, err
}
return cryptutil.NewPublicKeyEncryptionKey(o.AuditKey.ID, raw)
}

8
config/options.go
View file

@ -285,6 +285,8 @@ type Options struct {
// ProgrammaticRedirectDomainWhitelist restricts the allowed redirect URLs when using programmatic login.
ProgrammaticRedirectDomainWhitelist []string `mapstructure:"programmatic_redirect_domain_whitelist" yaml:"programmatic_redirect_domain_whitelist,omitempty" json:"programmatic_redirect_domain_whitelist,omitempty"` //nolint
AuditKey *PublicKeyEncryptionKeyOptions `mapstructure:"audit_key"`
}
type certificateFilePair struct {
@ -1130,6 +1132,12 @@ func (o *Options) ApplySettings(settings *config.Settings) {
if len(settings.ProgrammaticRedirectDomainWhitelist) > 0 {
o.ProgrammaticRedirectDomainWhitelist = settings.GetProgrammaticRedirectDomainWhitelist()
}
if settings.AuditKey != nil {
o.AuditKey = &PublicKeyEncryptionKeyOptions{
ID: settings.AuditKey.GetId(),
Data: base64.StdEncoding.EncodeToString(settings.AuditKey.GetData()),
}
}
}
func dataDir() string {

4
pkg/cryptutil/kek.go
View file

@ -121,7 +121,9 @@ func NewPublicKeyEncryptionKey(id string, raw []byte) (*PublicKeyEncryptionKey,
return nil, fmt.Errorf("cryptutil: invalid key encryption key, expected %d bytes, got %d",
KeyEncryptionKeySize, len(raw))
}
kek := new(PublicKeyEncryptionKey)
kek := &PublicKeyEncryptionKey{
id: id,
}
copy(kek.data[:], raw)
return kek, nil
}

749
pkg/grpc/audit/audit.pb.go
View file

@ -7,14 +7,9 @@
package audit
import (
context "context"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
emptypb "google.golang.org/protobuf/types/known/emptypb"
timestamppb "google.golang.org/protobuf/types/known/timestamppb"
reflect "reflect"
sync "sync"
)
@ -31,20 +26,10 @@ type Record struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
OrganizationId string `protobuf:"bytes,1,opt,name=organization_id,json=organizationId,proto3" json:"organization_id,omitempty"`
Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
Time *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=time,proto3" json:"time,omitempty"`
AuthenticationInfo *AuthenticationInfo `protobuf:"bytes,4,opt,name=authentication_info,json=authenticationInfo,proto3" json:"authentication_info,omitempty"`
Source string `protobuf:"bytes,5,opt,name=source,proto3" json:"source,omitempty"`
Destination string `protobuf:"bytes,6,opt,name=destination,proto3" json:"destination,omitempty"`
// Types that are assignable to Request:
// *Record_HttpRequest
Request isRecord_Request `protobuf_oneof:"request"`
// Types that are assignable to Response:
// *Record_HttpResponse
Response isRecord_Response `protobuf_oneof:"response"`
Status *Status `protobuf:"bytes,9,opt,name=status,proto3" json:"status,omitempty"`
Metadata map[string]string `protobuf:"bytes,10,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Request *v3.CheckRequest `protobuf:"bytes,1,opt,name=request,proto3" json:"request,omitempty"`
Response *v3.CheckResponse `protobuf:"bytes,2,opt,name=response,proto3" json:"response,omitempty"`
DatabrokerServerVersion uint64 `protobuf:"varint,3,opt,name=databroker_server_version,json=databrokerServerVersion,proto3" json:"databroker_server_version,omitempty"`
DatabrokerRecordVersion uint64 `protobuf:"varint,4,opt,name=databroker_record_version,json=databrokerRecordVersion,proto3" json:"databroker_record_version,omitempty"`
}
func (x *Record) Reset() {
@ -79,513 +64,62 @@ func (*Record) Descriptor() ([]byte, []int) {
return file_audit_proto_rawDescGZIP(), []int{0}
}
func (x *Record) GetOrganizationId() string {
func (x *Record) GetRequest() *v3.CheckRequest {
if x != nil {
return x.OrganizationId
}
return ""
}
func (x *Record) GetId() string {
if x != nil {
return x.Id
}
return ""
}
func (x *Record) GetTime() *timestamppb.Timestamp {
if x != nil {
return x.Time
return x.Request
}
return nil
}
func (x *Record) GetAuthenticationInfo() *AuthenticationInfo {
func (x *Record) GetResponse() *v3.CheckResponse {
if x != nil {
return x.AuthenticationInfo
return x.Response
}
return nil
}
func (x *Record) GetSource() string {
func (x *Record) GetDatabrokerServerVersion() uint64 {
if x != nil {
return x.Source
}
return ""
}
func (x *Record) GetDestination() string {
if x != nil {
return x.Destination
}
return ""
}
func (m *Record) GetRequest() isRecord_Request {
if m != nil {
return m.Request
}
return nil
}
func (x *Record) GetHttpRequest() *HTTPRequest {
if x, ok := x.GetRequest().(*Record_HttpRequest); ok {
return x.HttpRequest
}
return nil
}
func (m *Record) GetResponse() isRecord_Response {
if m != nil {
return m.Response
}
return nil
}
func (x *Record) GetHttpResponse() *HTTPResponse {
if x, ok := x.GetResponse().(*Record_HttpResponse); ok {
return x.HttpResponse
}
return nil
}
func (x *Record) GetStatus() *Status {
if x != nil {
return x.Status
}
return nil
}
func (x *Record) GetMetadata() map[string]string {
if x != nil {
return x.Metadata
}
return nil
}
type isRecord_Request interface {
isRecord_Request()
}
type Record_HttpRequest struct {
HttpRequest *HTTPRequest `protobuf:"bytes,7,opt,name=http_request,json=httpRequest,proto3,oneof"`
}
func (*Record_HttpRequest) isRecord_Request() {}
type isRecord_Response interface {
isRecord_Response()
}
type Record_HttpResponse struct {
HttpResponse *HTTPResponse `protobuf:"bytes,8,opt,name=http_response,json=httpResponse,proto3,oneof"`
}
func (*Record_HttpResponse) isRecord_Response() {}
type AuthenticationInfo struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"`
IdpProvider string `protobuf:"bytes,2,opt,name=idp_provider,json=idpProvider,proto3" json:"idp_provider,omitempty"`
IdpSubject string `protobuf:"bytes,3,opt,name=idp_subject,json=idpSubject,proto3" json:"idp_subject,omitempty"`
}
func (x *AuthenticationInfo) Reset() {
*x = AuthenticationInfo{}
if protoimpl.UnsafeEnabled {
mi := &file_audit_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *AuthenticationInfo) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*AuthenticationInfo) ProtoMessage() {}
func (x *AuthenticationInfo) ProtoReflect() protoreflect.Message {
mi := &file_audit_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use AuthenticationInfo.ProtoReflect.Descriptor instead.
func (*AuthenticationInfo) Descriptor() ([]byte, []int) {
return file_audit_proto_rawDescGZIP(), []int{1}
}
func (x *AuthenticationInfo) GetSessionId() string {
if x != nil {
return x.SessionId
}
return ""
}
func (x *AuthenticationInfo) GetIdpProvider() string {
if x != nil {
return x.IdpProvider
}
return ""
}
func (x *AuthenticationInfo) GetIdpSubject() string {
if x != nil {
return x.IdpSubject
}
return ""
}
type HTTPRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Method string `protobuf:"bytes,2,opt,name=method,proto3" json:"method,omitempty"`
Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Path string `protobuf:"bytes,4,opt,name=path,proto3" json:"path,omitempty"`
Host string `protobuf:"bytes,5,opt,name=host,proto3" json:"host,omitempty"`
Scheme string `protobuf:"bytes,6,opt,name=scheme,proto3" json:"scheme,omitempty"`
Query string `protobuf:"bytes,7,opt,name=query,proto3" json:"query,omitempty"`
Fragment string `protobuf:"bytes,8,opt,name=fragment,proto3" json:"fragment,omitempty"`
Size int64 `protobuf:"varint,9,opt,name=size,proto3" json:"size,omitempty"`
Protocol string `protobuf:"bytes,10,opt,name=protocol,proto3" json:"protocol,omitempty"`
Body string `protobuf:"bytes,11,opt,name=body,proto3" json:"body,omitempty"`
}
func (x *HTTPRequest) Reset() {
*x = HTTPRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_audit_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *HTTPRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*HTTPRequest) ProtoMessage() {}
func (x *HTTPRequest) ProtoReflect() protoreflect.Message {
mi := &file_audit_proto_msgTypes[2]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use HTTPRequest.ProtoReflect.Descriptor instead.
func (*HTTPRequest) Descriptor() ([]byte, []int) {
return file_audit_proto_rawDescGZIP(), []int{2}
}
func (x *HTTPRequest) GetId() string {
if x != nil {
return x.Id
}
return ""
}
func (x *HTTPRequest) GetMethod() string {
if x != nil {
return x.Method
}
return ""
}
func (x *HTTPRequest) GetHeaders() map[string]string {
if x != nil {
return x.Headers
}
return nil
}
func (x *HTTPRequest) GetPath() string {
if x != nil {
return x.Path
}
return ""
}
func (x *HTTPRequest) GetHost() string {
if x != nil {
return x.Host
}
return ""
}
func (x *HTTPRequest) GetScheme() string {
if x != nil {
return x.Scheme
}
return ""
}
func (x *HTTPRequest) GetQuery() string {
if x != nil {
return x.Query
}
return ""
}
func (x *HTTPRequest) GetFragment() string {
if x != nil {
return x.Fragment
}
return ""
}
func (x *HTTPRequest) GetSize() int64 {
if x != nil {
return x.Size
return x.DatabrokerServerVersion
}
return 0
}
func (x *HTTPRequest) GetProtocol() string {
func (x *Record) GetDatabrokerRecordVersion() uint64 {
if x != nil {
return x.Protocol
}
return ""
}
func (x *HTTPRequest) GetBody() string {
if x != nil {
return x.Body
}
return ""
}
type HTTPResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
StatusCode int32 `protobuf:"varint,1,opt,name=status_code,json=statusCode,proto3" json:"status_code,omitempty"`
Headers map[string]string `protobuf:"bytes,2,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Body string `protobuf:"bytes,3,opt,name=body,proto3" json:"body,omitempty"`
}
func (x *HTTPResponse) Reset() {
*x = HTTPResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_audit_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *HTTPResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*HTTPResponse) ProtoMessage() {}
func (x *HTTPResponse) ProtoReflect() protoreflect.Message {
mi := &file_audit_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use HTTPResponse.ProtoReflect.Descriptor instead.
func (*HTTPResponse) Descriptor() ([]byte, []int) {
return file_audit_proto_rawDescGZIP(), []int{3}
}
func (x *HTTPResponse) GetStatusCode() int32 {
if x != nil {
return x.StatusCode
return x.DatabrokerRecordVersion
}
return 0
}
func (x *HTTPResponse) GetHeaders() map[string]string {
if x != nil {
return x.Headers
}
return nil
}
func (x *HTTPResponse) GetBody() string {
if x != nil {
return x.Body
}
return ""
}
type Status struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Code int32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"`
Message string `protobuf:"bytes,2,opt,name=message,proto3" json:"message,omitempty"`
}
func (x *Status) Reset() {
*x = Status{}
if protoimpl.UnsafeEnabled {
mi := &file_audit_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *Status) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*Status) ProtoMessage() {}
func (x *Status) ProtoReflect() protoreflect.Message {
mi := &file_audit_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use Status.ProtoReflect.Descriptor instead.
func (*Status) Descriptor() ([]byte, []int) {
return file_audit_proto_rawDescGZIP(), []int{4}
}
func (x *Status) GetCode() int32 {
if x != nil {
return x.Code
}
return 0
}
func (x *Status) GetMessage() string {
if x != nil {
return x.Message
}
return ""
}
var File_audit_proto protoreflect.FileDescriptor
var file_audit_proto_rawDesc = []byte{
0x0a, 0x0b, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x61,
0x75, 0x64, 0x69, 0x74, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x22, 0xa0, 0x04, 0x0a, 0x06, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x27, 0x0a,
0x0f, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64,
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01,
0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2e, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x03,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
0x52, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x4a, 0x0a, 0x13, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e,
0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x04, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x41, 0x75, 0x74, 0x68,
0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x12,
0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e,
0x66, 0x6f, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x05, 0x20, 0x01,
0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65,
0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52,
0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c,
0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x07, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x12, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x48, 0x54, 0x54, 0x50, 0x52,
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x0b, 0x68, 0x74, 0x74, 0x70, 0x52, 0x65,
0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3a, 0x0a, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x65,
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x61,
0x75, 0x64, 0x69, 0x74, 0x2e, 0x48, 0x54, 0x54, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
0x65, 0x48, 0x01, 0x52, 0x0c, 0x68, 0x74, 0x74, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
0x65, 0x12, 0x25, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x0d, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61,
0x64, 0x61, 0x74, 0x61, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x61, 0x75, 0x64,
0x69, 0x74, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
0x61, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74,
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x09,
0x0a, 0x07, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x0a, 0x0a, 0x08, 0x72, 0x65, 0x73,
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x77, 0x0a, 0x12, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74,
0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1d, 0x0a, 0x0a, 0x73,
0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x64,
0x70, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x0b, 0x69, 0x64, 0x70, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a,
0x0b, 0x69, 0x64, 0x70, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x03, 0x20, 0x01,
0x28, 0x09, 0x52, 0x0a, 0x69, 0x64, 0x70, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0xe2,
0x02, 0x0a, 0x0b, 0x48, 0x54, 0x54, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e,
0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x16,
0x0a, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x39, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e,
0x48, 0x54, 0x54, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x48, 0x65, 0x61, 0x64,
0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
0x73, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x05, 0x20,
0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x63, 0x68,
0x65, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x63, 0x68, 0x65, 0x6d,
0x65, 0x12, 0x14, 0x0a, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09,
0x52, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x72, 0x61, 0x67, 0x6d,
0x65, 0x6e, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x72, 0x61, 0x67, 0x6d,
0x65, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28,
0x03, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x63, 0x6f, 0x6c, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x0b, 0x20, 0x01, 0x28,
0x09, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x1a, 0x3a, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x64, 0x65,
0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
0x02, 0x38, 0x01, 0x22, 0xbb, 0x01, 0x0a, 0x0c, 0x48, 0x54, 0x54, 0x50, 0x52, 0x65, 0x73, 0x70,
0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x63,
0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x75,
0x73, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x3a, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73,
0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x48,
0x54, 0x54, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x48, 0x65, 0x61, 0x64,
0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
0x73, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
0x04, 0x62, 0x6f, 0x64, 0x79, 0x1a, 0x3a, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73,
0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
0x01, 0x22, 0x36, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x63,
0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12,
0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x32, 0x3c, 0x0a, 0x06, 0x49, 0x6e, 0x74,
0x61, 0x6b, 0x65, 0x12, 0x32, 0x0a, 0x07, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x12, 0x0d,
0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x1a, 0x16, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
0x45, 0x6d, 0x70, 0x74, 0x79, 0x28, 0x01, 0x42, 0x2d, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75,
0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70,
0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63,
0x2f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x0a, 0x0b, 0x61, 0x75, 0x64, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x70,
0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x1a, 0x29, 0x65,
0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x61, 0x75, 0x74,
0x68, 0x2f, 0x76, 0x33, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x61, 0x75,
0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x81, 0x02, 0x0a, 0x06, 0x52, 0x65, 0x63,
0x6f, 0x72, 0x64, 0x12, 0x3d, 0x0a, 0x07, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x01,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72,
0x76, 0x69, 0x63, 0x65, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x68, 0x65,
0x63, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x07, 0x72, 0x65, 0x71, 0x75, 0x65,
0x73, 0x74, 0x12, 0x40, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72,
0x76, 0x69, 0x63, 0x65, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x68, 0x65,
0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x08, 0x72, 0x65, 0x73, 0x70,
0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x19, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b,
0x65, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f,
0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x17, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f,
0x6b, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e,
0x12, 0x3a, 0x0a, 0x19, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x5f, 0x72,
0x65, 0x63, 0x6f, 0x72, 0x64, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20,
0x01, 0x28, 0x04, 0x52, 0x17, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x52,
0x65, 0x63, 0x6f, 0x72, 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x2d, 0x5a, 0x2b,
0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72,
0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67,
0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x33,
}
var (
@ -600,35 +134,20 @@ func file_audit_proto_rawDescGZIP() []byte {
return file_audit_proto_rawDescData
}
var file_audit_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
var file_audit_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
var file_audit_proto_goTypes = []interface{}{
(*Record)(nil), // 0: audit.Record
(*AuthenticationInfo)(nil), // 1: audit.AuthenticationInfo
(*HTTPRequest)(nil), // 2: audit.HTTPRequest
(*HTTPResponse)(nil), // 3: audit.HTTPResponse
(*Status)(nil), // 4: audit.Status
nil, // 5: audit.Record.MetadataEntry
nil, // 6: audit.HTTPRequest.HeadersEntry
nil, // 7: audit.HTTPResponse.HeadersEntry
(*timestamppb.Timestamp)(nil), // 8: google.protobuf.Timestamp
(*emptypb.Empty)(nil), // 9: google.protobuf.Empty
(*Record)(nil), // 0: pomerium.audit.Record
(*v3.CheckRequest)(nil), // 1: envoy.service.auth.v3.CheckRequest
(*v3.CheckResponse)(nil), // 2: envoy.service.auth.v3.CheckResponse
}
var file_audit_proto_depIdxs = []int32{
8, // 0: audit.Record.time:type_name -> google.protobuf.Timestamp
1, // 1: audit.Record.authentication_info:type_name -> audit.AuthenticationInfo
2, // 2: audit.Record.http_request:type_name -> audit.HTTPRequest
3, // 3: audit.Record.http_response:type_name -> audit.HTTPResponse
4, // 4: audit.Record.status:type_name -> audit.Status
5, // 5: audit.Record.metadata:type_name -> audit.Record.MetadataEntry
6, // 6: audit.HTTPRequest.headers:type_name -> audit.HTTPRequest.HeadersEntry
7, // 7: audit.HTTPResponse.headers:type_name -> audit.HTTPResponse.HeadersEntry
0, // 8: audit.Intake.Publish:input_type -> audit.Record
9, // 9: audit.Intake.Publish:output_type -> google.protobuf.Empty
9, // [9:10] is the sub-list for method output_type
8, // [8:9] is the sub-list for method input_type
8, // [8:8] is the sub-list for extension type_name
8, // [8:8] is the sub-list for extension extendee
0, // [0:8] is the sub-list for field type_name
1, // 0: pomerium.audit.Record.request:type_name -> envoy.service.auth.v3.CheckRequest
2, // 1: pomerium.audit.Record.response:type_name -> envoy.service.auth.v3.CheckResponse
2, // [2:2] is the sub-list for method output_type
2, // [2:2] is the sub-list for method input_type
2, // [2:2] is the sub-list for extension type_name
2, // [2:2] is the sub-list for extension extendee
0, // [0:2] is the sub-list for field type_name
}
func init() { file_audit_proto_init() }
@ -649,58 +168,6 @@ func file_audit_proto_init() {
return nil
}
}
file_audit_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*AuthenticationInfo); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_audit_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*HTTPRequest); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_audit_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*HTTPResponse); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_audit_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*Status); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
file_audit_proto_msgTypes[0].OneofWrappers = []interface{}{
(*Record_HttpRequest)(nil),
(*Record_HttpResponse)(nil),
}
type x struct{}
out := protoimpl.TypeBuilder{
@ -708,9 +175,9 @@ func file_audit_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_audit_proto_rawDesc,
NumEnums: 0,
NumMessages: 8,
NumMessages: 1,
NumExtensions: 0,
NumServices: 1,
NumServices: 0,
},
GoTypes: file_audit_proto_goTypes,
DependencyIndexes: file_audit_proto_depIdxs,
@ -721,117 +188,3 @@ func file_audit_proto_init() {
file_audit_proto_goTypes = nil
file_audit_proto_depIdxs = nil
}
// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConnInterface
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
const _ = grpc.SupportPackageIsVersion6
// IntakeClient is the client API for Intake service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type IntakeClient interface {
Publish(ctx context.Context, opts ...grpc.CallOption) (Intake_PublishClient, error)
}
type intakeClient struct {
cc grpc.ClientConnInterface
}
func NewIntakeClient(cc grpc.ClientConnInterface) IntakeClient {
return &intakeClient{cc}
}
func (c *intakeClient) Publish(ctx context.Context, opts ...grpc.CallOption) (Intake_PublishClient, error) {
stream, err := c.cc.NewStream(ctx, &_Intake_serviceDesc.Streams[0], "/audit.Intake/Publish", opts...)
if err != nil {
return nil, err
}
x := &intakePublishClient{stream}
return x, nil
}
type Intake_PublishClient interface {
Send(*Record) error
CloseAndRecv() (*emptypb.Empty, error)
grpc.ClientStream
}
type intakePublishClient struct {
grpc.ClientStream
}
func (x *intakePublishClient) Send(m *Record) error {
return x.ClientStream.SendMsg(m)
}
func (x *intakePublishClient) CloseAndRecv() (*emptypb.Empty, error) {
if err := x.ClientStream.CloseSend(); err != nil {
return nil, err
}
m := new(emptypb.Empty)
if err := x.ClientStream.RecvMsg(m); err != nil {
return nil, err
}
return m, nil
}
// IntakeServer is the server API for Intake service.
type IntakeServer interface {
Publish(Intake_PublishServer) error
}
// UnimplementedIntakeServer can be embedded to have forward compatible implementations.
type UnimplementedIntakeServer struct {
}
func (*UnimplementedIntakeServer) Publish(Intake_PublishServer) error {
return status.Errorf(codes.Unimplemented, "method Publish not implemented")
}
func RegisterIntakeServer(s *grpc.Server, srv IntakeServer) {
s.RegisterService(&_Intake_serviceDesc, srv)
}
func _Intake_Publish_Handler(srv interface{}, stream grpc.ServerStream) error {
return srv.(IntakeServer).Publish(&intakePublishServer{stream})
}
type Intake_PublishServer interface {
SendAndClose(*emptypb.Empty) error
Recv() (*Record, error)
grpc.ServerStream
}
type intakePublishServer struct {
grpc.ServerStream
}
func (x *intakePublishServer) SendAndClose(m *emptypb.Empty) error {
return x.ServerStream.SendMsg(m)
}
func (x *intakePublishServer) Recv() (*Record, error) {
m := new(Record)
if err := x.ServerStream.RecvMsg(m); err != nil {
return nil, err
}
return m, nil
}
var _Intake_serviceDesc = grpc.ServiceDesc{
ServiceName: "audit.Intake",
HandlerType: (*IntakeServer)(nil),
Methods: []grpc.MethodDesc{},
Streams: []grpc.StreamDesc{
{
StreamName: "Publish",
Handler: _Intake_Publish_Handler,
ClientStreams: true,
},
},
Metadata: "audit.proto",
}

52
pkg/grpc/audit/audit.proto
View file

@ -1,53 +1,13 @@
syntax = "proto3";
package audit;
package pomerium.audit;
option go_package = "github.com/pomerium/pomerium/pkg/grpc/audit";
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
import "envoy/service/auth/v3/external_auth.proto";
message Record {
string organization_id = 1;
string id = 2;
google.protobuf.Timestamp time = 3;
AuthenticationInfo authentication_info = 4;
string source = 5;
string destination = 6;
oneof request { HTTPRequest http_request = 7; }
oneof response { HTTPResponse http_response = 8; }
Status status = 9;
map<string, string> metadata = 10;
envoy.service.auth.v3.CheckRequest request = 1;
envoy.service.auth.v3.CheckResponse response = 2;
uint64 databroker_server_version = 3;
uint64 databroker_record_version = 4;
}
message AuthenticationInfo {
string session_id = 1;
string idp_provider = 2;
string idp_subject = 3;
}
message HTTPRequest {
string id = 1;
string method = 2;
map<string, string> headers = 3;
string path = 4;
string host = 5;
string scheme = 6;
string query = 7;
string fragment = 8;
int64 size = 9;
string protocol = 10;
string body = 11;
}
message HTTPResponse {
int32 status_code = 1;
map<string, string> headers = 2;
string body = 3;
}
message Status {
int32 code = 1;
string message = 2;
}
service Intake { rpc Publish(stream Record) returns (google.protobuf.Empty); }

1208
pkg/grpc/config/config.pb.go
View file

File diff suppressed because it is too large Load diff

4
pkg/grpc/config/config.proto
View file

@ -5,9 +5,10 @@ option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "envoy/config/cluster/v3/cluster.proto";
import "github.com/pomerium/pomerium/pkg/grpc/crypt/crypt.proto";
message Config {
string name = 1;
repeated Route routes = 2;
@ -179,4 +180,5 @@ message Settings {
optional bool skip_xff_append = 61;
optional uint32 xff_num_trusted_hops = 70;
repeated string programmatic_redirect_domain_whitelist = 68;
optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72;
}

27
pkg/grpc/crypt/crypt.go Normal file
View file

@ -0,0 +1,27 @@
// Package crypt contains cryptographic protobuf messages.
package crypt
import (
"encoding/base64"
"github.com/rs/zerolog"
"google.golang.org/protobuf/encoding/protojson"
)
// MarshalZerologObject fills the zerolog event fields.
func (x *SealedMessage) MarshalZerologObject(evt *zerolog.Event) {
evt.Str("@type", "type.googleapis.com/pomerium.crypt.SealedMessage").
Str("key_id", x.GetKeyId()).
Str("data_encryption_key", base64.StdEncoding.EncodeToString(x.GetDataEncryptionKey())).
Str("message_type", x.GetMessageType()).
Str("encrypted_message", base64.StdEncoding.EncodeToString(x.GetEncryptedMessage()))
}
// UnmarshalFromRawZerolog unmarshals a raw zerolog object into the sealed message.
func (x *SealedMessage) UnmarshalFromRawZerolog(raw []byte) error {
opts := protojson.UnmarshalOptions{
AllowPartial: true,
DiscardUnknown: true,
}
return opts.Unmarshal(raw, x)
}

254
pkg/grpc/crypt/crypt.pb.go Normal file
View file

@ -0,0 +1,254 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.26.0
// protoc v3.14.0
// source: crypt.proto
package crypt
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// A SealedMessage is an encrypted protobuf message.
type SealedMessage struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// The Curve25519 public key used to encrypt the data encryption key.
KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
// The XChacha20poly1305 key used to encrypt the data,
// itself stored encrypted by the Curve25519 public key.
DataEncryptionKey []byte `protobuf:"bytes,2,opt,name=data_encryption_key,json=dataEncryptionKey,proto3" json:"data_encryption_key,omitempty"`
// The message type indicates the type of the protobuf message stored encrypted in encrypted_message.
MessageType string `protobuf:"bytes,3,opt,name=message_type,json=messageType,proto3" json:"message_type,omitempty"`
// An arbitrary encrypted protobuf message (marshaled as protojson before encryption).
EncryptedMessage []byte `protobuf:"bytes,4,opt,name=encrypted_message,json=encryptedMessage,proto3" json:"encrypted_message,omitempty"`
}
func (x *SealedMessage) Reset() {
*x = SealedMessage{}
if protoimpl.UnsafeEnabled {
mi := &file_crypt_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *SealedMessage) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*SealedMessage) ProtoMessage() {}
func (x *SealedMessage) ProtoReflect() protoreflect.Message {
mi := &file_crypt_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use SealedMessage.ProtoReflect.Descriptor instead.
func (*SealedMessage) Descriptor() ([]byte, []int) {
return file_crypt_proto_rawDescGZIP(), []int{0}
}
func (x *SealedMessage) GetKeyId() string {
if x != nil {
return x.KeyId
}
return ""
}
func (x *SealedMessage) GetDataEncryptionKey() []byte {
if x != nil {
return x.DataEncryptionKey
}
return nil
}
func (x *SealedMessage) GetMessageType() string {
if x != nil {
return x.MessageType
}
return ""
}
func (x *SealedMessage) GetEncryptedMessage() []byte {
if x != nil {
return x.EncryptedMessage
}
return nil
}
type PublicKeyEncryptionKey struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`
}
func (x *PublicKeyEncryptionKey) Reset() {
*x = PublicKeyEncryptionKey{}
if protoimpl.UnsafeEnabled {
mi := &file_crypt_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *PublicKeyEncryptionKey) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PublicKeyEncryptionKey) ProtoMessage() {}
func (x *PublicKeyEncryptionKey) ProtoReflect() protoreflect.Message {
mi := &file_crypt_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PublicKeyEncryptionKey.ProtoReflect.Descriptor instead.
func (*PublicKeyEncryptionKey) Descriptor() ([]byte, []int) {
return file_crypt_proto_rawDescGZIP(), []int{1}
}
func (x *PublicKeyEncryptionKey) GetId() string {
if x != nil {
return x.Id
}
return ""
}
func (x *PublicKeyEncryptionKey) GetData() []byte {
if x != nil {
return x.Data
}
return nil
}
var File_crypt_proto protoreflect.FileDescriptor
var file_crypt_proto_rawDesc = []byte{
0x0a, 0x0b, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x70,
0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x22, 0xa6, 0x01,
0x0a, 0x0d, 0x53, 0x65, 0x61, 0x6c, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12,
0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x13, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65,
0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20,
0x01, 0x28, 0x0c, 0x52, 0x11, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x0a, 0x0c, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6d, 0x65,
0x73, 0x73, 0x61, 0x67, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2b, 0x0a, 0x11, 0x65, 0x6e, 0x63,
0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x04,
0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x3c, 0x0a, 0x16, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63,
0x4b, 0x65, 0x79, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79,
0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64,
0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04,
0x64, 0x61, 0x74, 0x61, 0x42, 0x2d, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65,
0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x72,
0x79, 0x70, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
file_crypt_proto_rawDescOnce sync.Once
file_crypt_proto_rawDescData = file_crypt_proto_rawDesc
)
func file_crypt_proto_rawDescGZIP() []byte {
file_crypt_proto_rawDescOnce.Do(func() {
file_crypt_proto_rawDescData = protoimpl.X.CompressGZIP(file_crypt_proto_rawDescData)
})
return file_crypt_proto_rawDescData
}
var file_crypt_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_crypt_proto_goTypes = []interface{}{
(*SealedMessage)(nil), // 0: pomerium.crypt.SealedMessage
(*PublicKeyEncryptionKey)(nil), // 1: pomerium.crypt.PublicKeyEncryptionKey
}
var file_crypt_proto_depIdxs = []int32{
0, // [0:0] is the sub-list for method output_type
0, // [0:0] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
}
func init() { file_crypt_proto_init() }
func file_crypt_proto_init() {
if File_crypt_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_crypt_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*SealedMessage); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_crypt_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*PublicKeyEncryptionKey); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_crypt_proto_rawDesc,
NumEnums: 0,
NumMessages: 2,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_crypt_proto_goTypes,
DependencyIndexes: file_crypt_proto_depIdxs,
MessageInfos: file_crypt_proto_msgTypes,
}.Build()
File_crypt_proto = out.File
file_crypt_proto_rawDesc = nil
file_crypt_proto_goTypes = nil
file_crypt_proto_depIdxs = nil
}

22
pkg/grpc/crypt/crypt.proto Normal file
View file

@ -0,0 +1,22 @@
syntax = "proto3";
package pomerium.crypt;
option go_package = "github.com/pomerium/pomerium/pkg/grpc/crypt";
// A SealedMessage is an encrypted protobuf message.
message SealedMessage {
// The Curve25519 public key used to encrypt the data encryption key.
string key_id = 1;
// The XChacha20poly1305 key used to encrypt the data,
// itself stored encrypted by the Curve25519 public key.
bytes data_encryption_key = 2;
// The message type indicates the type of the protobuf message stored encrypted in encrypted_message.
string message_type = 3;
// An arbitrary encrypted protobuf message (marshaled as protojson before encryption).
bytes encrypted_message = 4;
}
message PublicKeyEncryptionKey {
string id = 1;
bytes data = 2;
}

29
pkg/grpc/crypt/crypt_test.go Normal file
View file

@ -0,0 +1,29 @@
package crypt
import (
"bytes"
"testing"
"github.com/rs/zerolog"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestZerolog(t *testing.T) {
var buf bytes.Buffer
log := zerolog.New(&buf)
log.Info().EmbedObject(&SealedMessage{
KeyId: "KEY_ID",
DataEncryptionKey: []byte("DATA_ENCRYPTION_KEY"),
MessageType: "MESSAGE_TYPE",
EncryptedMessage: []byte("ENCRYPTED_MESSAGE"),
}).Msg("TEST")
var msg SealedMessage
err := msg.UnmarshalFromRawZerolog(buf.Bytes())
require.NoError(t, err)
assert.Equal(t, "KEY_ID", msg.GetKeyId())
assert.Equal(t, []byte("DATA_ENCRYPTION_KEY"), msg.GetDataEncryptionKey())
assert.Equal(t, "MESSAGE_TYPE", msg.GetMessageType())
assert.Equal(t, []byte("ENCRYPTED_MESSAGE"), msg.GetEncryptedMessage())
}

9
pkg/grpc/protoc.bash
View file

@ -27,11 +27,14 @@ _protos=(
"envoy/config/endpoint/v3/endpoint_components.proto"
"envoy/config/endpoint/v3/endpoint.proto"
"envoy/config/route/v3/route_components.proto"
"envoy/service/auth/v3/attribute_context.proto"
"envoy/service/auth/v3/external_auth.proto"
"envoy/type/matcher/v3/regex.proto"
"envoy/type/matcher/v3/string.proto"
"envoy/type/metadata/v3/metadata.proto"
"envoy/type/tracing/v3/custom_tag.proto"
"envoy/type/v3/http.proto"
"envoy/type/v3/http_status.proto"
"envoy/type/v3/percent.proto"
"envoy/type/v3/range.proto"
"envoy/type/v3/semantic_version.proto"
@ -56,10 +59,14 @@ _import_paths=$(join_by , "${_imports[@]}")
--go_out="$_import_paths,plugins=grpc,paths=source_relative:./audit/." \
./audit/audit.proto
../../scripts/protoc -I ./config/ \
../../scripts/protoc -I "$GOPATH/src" -I ./config/ \
--go_out="$_import_paths,plugins=grpc,paths=source_relative:./config/." \
./config/config.proto
../../scripts/protoc -I ./crypt/ \
--go_out="$_import_paths,plugins=grpc,paths=source_relative:./crypt/." \
./crypt/crypt.proto
../../scripts/protoc -I ./databroker/ \
--go_out="$_import_paths,plugins=grpc,paths=source_relative:./databroker/." \
./databroker/databroker.proto

8
pkg/protoutil/any.go
View file

@ -1,6 +1,7 @@
package protoutil
import (
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/wrapperspb"
)
@ -106,3 +107,10 @@ func NewAnyUInt32(v uint32) *anypb.Any {
a, _ := anypb.New(wrapperspb.UInt32(v))
return a
}
// GetTypeURL gets the TypeURL for a protobuf message.
func GetTypeURL(msg proto.Message) string {
// taken from the anypb package
const urlPrefix = "type.googleapis.com/"
return urlPrefix + string(msg.ProtoReflect().Descriptor().FullName())
}

169
pkg/protoutil/crypt.go Normal file
View file

@ -0,0 +1,169 @@
package protoutil
import (
"fmt"
"sync"
"time"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/anypb"
"github.com/pomerium/pomerium/pkg/cryptutil"
cryptpb "github.com/pomerium/pomerium/pkg/grpc/crypt"
)
// An Encryptor encrypts protobuf messages using a key encryption key and periodically rotated
// generated data encryption keys.
type Encryptor struct {
kek *cryptutil.PublicKeyEncryptionKey
rotateEvery time.Duration
sync.RWMutex
nextRotate time.Time
dek *cryptutil.DataEncryptionKey
encryptedDEK []byte
}
// NewEncryptor returns a new protobuf Encryptor.
func NewEncryptor(kek *cryptutil.PublicKeyEncryptionKey) *Encryptor {
return &Encryptor{
kek: kek,
rotateEvery: time.Hour,
}
}
func (enc *Encryptor) getDataEncryptionKey() (*cryptutil.DataEncryptionKey, []byte, error) {
// double-checked locking
// first time we do a read only lookup
enc.RLock()
dek, encryptedDEK, err := enc.getDataEncryptionKeyLocked(true)
enc.RUnlock()
if err != nil {
return nil, nil, err
} else if dek != nil {
return dek, encryptedDEK, nil
}
// second time we do a read/write lookup
enc.Lock()
dek, encryptedDEK, err = enc.getDataEncryptionKeyLocked(false)
enc.Unlock()
return dek, encryptedDEK, err
}
func (enc *Encryptor) getDataEncryptionKeyLocked(readOnly bool) (*cryptutil.DataEncryptionKey, []byte, error) {
needsNewKey := enc.dek == nil || time.Now().After(enc.nextRotate)
if !needsNewKey {
return enc.dek, enc.encryptedDEK, nil
}
if readOnly {
return nil, nil, nil
}
// generate a new data encryption key
dek, err := cryptutil.GenerateDataEncryptionKey()
if err != nil {
return nil, nil, err
}
// seal the data encryption key using the key encryption key
encryptedDEK, err := enc.kek.EncryptDataEncryptionKey(dek)
if err != nil {
return nil, nil, err
}
enc.dek = dek
enc.encryptedDEK = encryptedDEK
enc.nextRotate = time.Now().Add(enc.rotateEvery)
return enc.dek, enc.encryptedDEK, nil
}
// Encrypt encrypts a protobuf message.
func (enc *Encryptor) Encrypt(msg proto.Message) (*cryptpb.SealedMessage, error) {
// get the data encryption key
dek, encryptedDEK, err := enc.getDataEncryptionKey()
if err != nil {
return nil, err
}
plaintext, err := protojson.Marshal(msg)
if err != nil {
return nil, err
}
ciphertext := dek.Encrypt(plaintext)
return &cryptpb.SealedMessage{
KeyId: enc.kek.ID(),
DataEncryptionKey: encryptedDEK,
MessageType: GetTypeURL(msg),
EncryptedMessage: ciphertext,
}, nil
}
// A Decryptor decrypts encrypted protobuf messages.
type Decryptor struct {
keySource cryptutil.KeyEncryptionKeySource
dekCache *cryptutil.DataEncryptionKeyCache
}
// NewDecryptor creates a new decryptor.
func NewDecryptor(keySource cryptutil.KeyEncryptionKeySource) *Decryptor {
return &Decryptor{
keySource: keySource,
dekCache: cryptutil.NewDataEncryptionKeyCache(),
}
}
func (dec *Decryptor) getDataEncryptionKey(keyEncryptionKeyID string, encryptedDEK []byte) (*cryptutil.DataEncryptionKey, error) {
// return a dek if its already cached
dek, ok := dec.dekCache.Get(encryptedDEK)
if ok {
return dek, nil
}
// look up the kek used for this dek
kek, err := dec.keySource.GetKeyEncryptionKey(keyEncryptionKeyID)
if err != nil {
return nil, fmt.Errorf("protoutil: error getting key-encryption-key (%s): %w",
keyEncryptionKeyID, err)
}
// decrypt the dek via the private kek
dek, err = kek.DecryptDataEncryptionKey(encryptedDEK)
if err != nil {
return nil, fmt.Errorf("protoutil: error decrypting data-encryption-key: %w", err)
}
// cache it for next time
dec.dekCache.Put(encryptedDEK, dek)
return dek, nil
}
// Decrypt decrypts an encrypted protobuf message.
func (dec *Decryptor) Decrypt(src *cryptpb.SealedMessage) (proto.Message, error) {
dek, err := dec.getDataEncryptionKey(src.GetKeyId(), src.GetDataEncryptionKey())
if err != nil {
return nil, err
}
plaintext, err := dek.Decrypt(src.GetEncryptedMessage())
if err != nil {
return nil, err
}
msg, err := (&anypb.Any{TypeUrl: src.GetMessageType()}).UnmarshalNew()
if err != nil {
return nil, err
}
err = protojson.Unmarshal(plaintext, msg)
if err != nil {
return nil, err
}
return msg, nil
}

75
pkg/protoutil/crypt_test.go Normal file
View file

@ -0,0 +1,75 @@
package protoutil
import (
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
func TestEncryptor_Encrypt(t *testing.T) {
t.Run("simple", func(t *testing.T) {
kek, err := cryptutil.GenerateKeyEncryptionKey()
require.NoError(t, err)
enc := NewEncryptor(kek.Public())
sealed, err := enc.Encrypt(wrapperspb.String("HELLO WORLD"))
require.NoError(t, err)
require.Equal(t, kek.Public().ID(), sealed.GetKeyId())
require.NotEmpty(t, sealed.GetDataEncryptionKey())
require.Equal(t, "type.googleapis.com/google.protobuf.StringValue", sealed.GetMessageType())
require.NotEmpty(t, sealed.GetEncryptedMessage())
})
t.Run("reuse dek", func(t *testing.T) {
kek, err := cryptutil.GenerateKeyEncryptionKey()
require.NoError(t, err)
enc := NewEncryptor(kek.Public())
s1, err := enc.Encrypt(wrapperspb.String("HELLO WORLD"))
require.NoError(t, err)
s2, err := enc.Encrypt(wrapperspb.String("HELLO WORLD"))
require.NoError(t, err)
assert.Equal(t, s1.GetDataEncryptionKey(), s2.GetDataEncryptionKey())
})
t.Run("rotate dek", func(t *testing.T) {
kek, err := cryptutil.GenerateKeyEncryptionKey()
require.NoError(t, err)
enc := NewEncryptor(kek.Public())
s1, err := enc.Encrypt(wrapperspb.String("HELLO WORLD"))
require.NoError(t, err)
enc.nextRotate = time.Now()
s2, err := enc.Encrypt(wrapperspb.String("HELLO WORLD"))
require.NoError(t, err)
assert.NotEqual(t, s1.GetDataEncryptionKey(), s2.GetDataEncryptionKey())
})
}
func TestDecryptor_Decrypt(t *testing.T) {
expect := wrapperspb.String("HELLO WORLD")
kek, err := cryptutil.GenerateKeyEncryptionKey()
require.NoError(t, err)
enc := NewEncryptor(kek.Public())
sealed, err := enc.Encrypt(expect)
require.NoError(t, err)
dec := NewDecryptor(cryptutil.KeyEncryptionKeySourceFunc(func(id string) (*cryptutil.PrivateKeyEncryptionKey, error) {
require.Equal(t, kek.ID(), id)
return kek, nil
}))
opened, err := dec.Decrypt(sealed)
require.NoError(t, err)
assertProtoEqual(t, expect, opened)
}
func assertProtoEqual(t *testing.T, x, y proto.Message) {
xbs, _ := protojson.Marshal(x)
ybs, _ := protojson.Marshal(y)
assert.True(t, proto.Equal(x, y), "%s != %s", xbs, ybs)
}