zot/pkg/api/session.go

package api

import (
	"encoding/base64"
	"net/http"
	"strconv"
	"strings"
	"time"

	"github.com/didip/tollbooth/v6"
	"github.com/gorilla/mux"

	"zotregistry.io/zot/pkg/extensions/monitoring"
	"zotregistry.io/zot/pkg/log"
)

type statusWriter struct {
	http.ResponseWriter
	status int
	length int
}

func (w *statusWriter) WriteHeader(status int) {
	w.status = status
	w.ResponseWriter.WriteHeader(status)
}

func (w *statusWriter) Write(b []byte) (int, error) {
	if w.status == 0 {
		w.status = http.StatusOK
	}

	n, err := w.ResponseWriter.Write(b)
	w.length += n

	return n, err
}

// RateLimiter limits handling of incoming requests.
func RateLimiter(ctlr *Controller, rate int) mux.MiddlewareFunc {
	ctlr.Log.Info().Int("rate", rate).Msg("ratelimiter enabled")

	limiter := tollbooth.NewLimiter(float64(rate), nil)
	limiter.SetMessage(http.StatusText(http.StatusTooManyRequests)).
		SetStatusCode(http.StatusTooManyRequests).
		SetOnLimitReached(nil)

	return func(next http.Handler) http.Handler {
		return tollbooth.LimitHandler(limiter, next)
	}
}

// MethodRateLimiter limits handling of incoming requests.
func MethodRateLimiter(ctlr *Controller, method string, rate int) mux.MiddlewareFunc {
	ctlr.Log.Info().Str("method", method).Int("rate", rate).Msg("per-method ratelimiter enabled")

	limiter := tollbooth.NewLimiter(float64(rate), nil)
	limiter.SetMethods([]string{method}).
		SetMessage(http.StatusText(http.StatusTooManyRequests)).
		SetStatusCode(http.StatusTooManyRequests).
		SetOnLimitReached(nil)

	return func(next http.Handler) http.Handler {
		return tollbooth.LimitHandler(limiter, next)
	}
}

// SessionLogger logs session details.
func SessionLogger(ctlr *Controller) mux.MiddlewareFunc {
	logger := ctlr.Log.With().Str("module", "http").Logger()

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
			// Start timer
			start := time.Now()
			path := request.URL.Path
			raw := request.URL.RawQuery

			stwr := statusWriter{ResponseWriter: response}

			// Process request
			next.ServeHTTP(&stwr, request)

			// Stop timer
			end := time.Now()
			latency := end.Sub(start)
			latency = latency.Truncate(time.Second)

			clientIP := request.RemoteAddr
			method := request.Method
			headers := map[string][]string{}
			log := logger.Info()
			for key, value := range request.Header {
				if key == "Authorization" { // anonymize from logs
					s := strings.SplitN(value[0], " ", 2) //nolint:gomnd
					if len(s) == 2 && strings.EqualFold(s[0], "basic") {
						b, err := base64.StdEncoding.DecodeString(s[1])
						if err == nil {
							pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd
							//nolint:gomnd
							if len(pair) == 2 {
								log = log.Str("username", pair[0])
							}
						}
					}
					value = []string{"******"}
				}
				headers[key] = value
			}
			statusCode := stwr.status
			bodySize := stwr.length
			if raw != "" {
				path = path + "?" + raw
			}

			if path != "/v2/metrics" {
				// In order to test metrics feture,the instrumentation related to node exporter
				// should be handled by node exporter itself (ex: latency)
				monitoring.IncHTTPConnRequests(ctlr.Metrics, method, strconv.Itoa(statusCode))
				monitoring.ObserveHTTPRepoLatency(ctlr.Metrics, path, latency)     // summary
				monitoring.ObserveHTTPMethodLatency(ctlr.Metrics, method, latency) // histogram
			}

			log.Str("clientIP", clientIP).
				Str("method", method).
				Str("path", path).
				Int("statusCode", statusCode).
				Str("latency", latency.String()).
				Int("bodySize", bodySize).
				Interface("headers", headers).
				Msg("HTTP API")
		})
	}
}

func SessionAuditLogger(audit *log.Logger) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
			path := request.URL.Path
			raw := request.URL.RawQuery

			statusWr := statusWriter{ResponseWriter: response}

			// Process request
			next.ServeHTTP(&statusWr, request)

			clientIP := request.RemoteAddr
			method := request.Method
			username := ""

			for key, value := range request.Header {
				if key == "Authorization" { // anonymize from logs
					s := strings.SplitN(value[0], " ", 2) //nolint:gomnd
					if len(s) == 2 && strings.EqualFold(s[0], "basic") {
						b, err := base64.StdEncoding.DecodeString(s[1])
						if err == nil {
							pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd
							if len(pair) == 2 {                       //nolint:gomnd
								username = pair[0]
							}
						}
					}
				}
			}

			statusCode := statusWr.status
			if raw != "" {
				path = path + "?" + raw
			}

			if (method == http.MethodPost || method == http.MethodPut ||
				method == http.MethodPatch || method == http.MethodDelete) &&
				(statusCode == http.StatusOK || statusCode == http.StatusCreated || statusCode == http.StatusAccepted) {
				audit.Info().
					Str("clientIP", clientIP).
					Str("subject", username).
					Str("action", method).
					Str("object", path).
					Int("status", statusCode).
					Msg("HTTP API Audit")
			}
		})
	}
}
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`package api`

			`import (`
			`"encoding/base64"`
			`"net/http"`
			`"strconv"`
			`"strings"`
			`"time"`

controller: support rate-limiting incoming requests helps constraining resource usage and against flood attacks. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2022-01-21 15:30:09 -05:00			`"github.com/didip/tollbooth/v6"`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`"github.com/gorilla/mux"`
chore(lint): gci to separate zot from other imports (#870) Signed-off-by: Andrei Aaron <andaaron@cisco.com> 2022-10-20 11:39:20 -05:00
move references to zotregistry.io and project-zot Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-03 22:50:58 -05:00			`"zotregistry.io/zot/pkg/extensions/monitoring"`
			`"zotregistry.io/zot/pkg/log"`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`)`

			`type statusWriter struct {`
			`http.ResponseWriter`
			`status int`
			`length int`
			`}`

			`func (w *statusWriter) WriteHeader(status int) {`
			`w.status = status`
			`w.ResponseWriter.WriteHeader(status)`
			`}`

			`func (w *statusWriter) Write(b []byte) (int, error) {`
			`if w.status == 0 {`
controller: support rate-limiting incoming requests helps constraining resource usage and against flood attacks. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2022-01-21 15:30:09 -05:00			`w.status = http.StatusOK`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`}`

			`n, err := w.ResponseWriter.Write(b)`
			`w.length += n`

			`return n, err`
			`}`

controller: support rate-limiting incoming requests helps constraining resource usage and against flood attacks. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2022-01-21 15:30:09 -05:00			`// RateLimiter limits handling of incoming requests.`
			`func RateLimiter(ctlr *Controller, rate int) mux.MiddlewareFunc {`
			`ctlr.Log.Info().Int("rate", rate).Msg("ratelimiter enabled")`

			`limiter := tollbooth.NewLimiter(float64(rate), nil)`
			`limiter.SetMessage(http.StatusText(http.StatusTooManyRequests)).`
			`SetStatusCode(http.StatusTooManyRequests).`
			`SetOnLimitReached(nil)`

			`return func(next http.Handler) http.Handler {`
			`return tollbooth.LimitHandler(limiter, next)`
			`}`
			`}`

			`// MethodRateLimiter limits handling of incoming requests.`
			`func MethodRateLimiter(ctlr *Controller, method string, rate int) mux.MiddlewareFunc {`
			`ctlr.Log.Info().Str("method", method).Int("rate", rate).Msg("per-method ratelimiter enabled")`

			`limiter := tollbooth.NewLimiter(float64(rate), nil)`
			`limiter.SetMethods([]string{method}).`
			`SetMessage(http.StatusText(http.StatusTooManyRequests)).`
			`SetStatusCode(http.StatusTooManyRequests).`
			`SetOnLimitReached(nil)`

			`return func(next http.Handler) http.Handler {`
			`return tollbooth.LimitHandler(limiter, next)`
			`}`
			`}`

Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`// SessionLogger logs session details.`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`func SessionLogger(ctlr *Controller) mux.MiddlewareFunc {`
			`logger := ctlr.Log.With().Str("module", "http").Logger()`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
			`return func(next http.Handler) http.Handler {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`// Start timer`
			`start := time.Now()`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`path := request.URL.Path`
			`raw := request.URL.RawQuery`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`stwr := statusWriter{ResponseWriter: response}`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
			`// Process request`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`next.ServeHTTP(&stwr, request)`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
			`// Stop timer`
			`end := time.Now()`
			`latency := end.Sub(start)`
chore: rename search route prefix (#887) * chore: rename search route prefix * chore: use builtin time.Duration.Truncate() on latencies Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2022-10-18 22:46:06 -05:00			`latency = latency.Truncate(time.Second)`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`clientIP := request.RemoteAddr`
			`method := request.Method`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`headers := map[string][]string{}`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`log := logger.Info()`
			`for key, value := range request.Header {`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if key == "Authorization" { // anonymize from logs`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`s := strings.SplitN(value[0], " ", 2) //nolint:gomnd`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if len(s) == 2 && strings.EqualFold(s[0], "basic") {`
			`b, err := base64.StdEncoding.DecodeString(s[1])`
			`if err == nil {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd`
Update go version to 1.19 (#829) * ci: Update go version to 1.19 Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Fix lint issues Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Added needprivileges to lint, made needprivileges pass lint Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Co-authored-by: Catalin Hofnar <catalin.hofnar@gmail.com> 2022-10-05 05:21:14 -05:00			`//nolint:gomnd`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if len(pair) == 2 {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`log = log.Str("username", pair[0])`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`}`
			`}`
			`}`
			`value = []string{"******"}`
			`}`
			`headers[key] = value`
			`}`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`statusCode := stwr.status`
			`bodySize := stwr.length`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if raw != "" {`
			`path = path + "?" + raw`
			`}`

			`if path != "/v2/metrics" {`
			`// In order to test metrics feture,the instrumentation related to node exporter`
			`// should be handled by node exporter itself (ex: latency)`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`monitoring.IncHTTPConnRequests(ctlr.Metrics, method, strconv.Itoa(statusCode))`
			`monitoring.ObserveHTTPRepoLatency(ctlr.Metrics, path, latency) // summary`
			`monitoring.ObserveHTTPMethodLatency(ctlr.Metrics, method, latency) // histogram`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`}`

			`log.Str("clientIP", clientIP).`
			`Str("method", method).`
			`Str("path", path).`
			`Int("statusCode", statusCode).`
			`Str("latency", latency.String()).`
			`Int("bodySize", bodySize).`
			`Interface("headers", headers).`
			`Msg("HTTP API")`
			`})`
			`}`
			`}`

			`func SessionAuditLogger(audit *log.Logger) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {`
			`path := request.URL.Path`
			`raw := request.URL.RawQuery`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`statusWr := statusWriter{ResponseWriter: response}`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
			`// Process request`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`next.ServeHTTP(&statusWr, request)`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`clientIP := request.RemoteAddr`
			`method := request.Method`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`username := ""`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`for key, value := range request.Header {`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if key == "Authorization" { // anonymize from logs`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`s := strings.SplitN(value[0], " ", 2) //nolint:gomnd`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if len(s) == 2 && strings.EqualFold(s[0], "basic") {`
			`b, err := base64.StdEncoding.DecodeString(s[1])`
			`if err == nil {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd`
			`if len(pair) == 2 { //nolint:gomnd`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`username = pair[0]`
			`}`
			`}`
			`}`
			`}`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`statusCode := statusWr.status`
Implement an API for performance monitoring Signed-off-by: Alexei Dodon <adodon@cisco.com> 2021-10-15 10:05:00 -05:00			`if raw != "" {`
			`path = path + "?" + raw`
			`}`

			`if (method == http.MethodPost \|\| method == http.MethodPut \|\|`
			`method == http.MethodPatch \|\| method == http.MethodDelete) &&`
			`(statusCode == http.StatusOK \|\| statusCode == http.StatusCreated \|\| statusCode == http.StatusAccepted) {`
			`audit.Info().`
			`Str("clientIP", clientIP).`
			`Str("subject", username).`
			`Str("action", method).`
			`Str("object", path).`
			`Int("status", statusCode).`
			`Msg("HTTP API Audit")`
			`}`
			`})`
			`}`
			`}`