Add user flag and log executed commands

kubernetes · Jan 19, 2021 · c5a40fb · c5a40fb
1 parent 857e0a2
commit c5a40fb
Show file tree

Hide file tree

Showing 42 changed files with 533 additions and 8 deletions.
diff --git a/cmd/minikube/cmd/root.go b/cmd/minikube/cmd/root.go
@@ -23,6 +23,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"time"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -31,6 +32,7 @@ import (
 	"k8s.io/kubectl/pkg/util/templates"
 	configCmd "k8s.io/minikube/cmd/minikube/cmd/config"
 	"k8s.io/minikube/pkg/drivers/kic/oci"
+	"k8s.io/minikube/pkg/minikube/audit"
 	"k8s.io/minikube/pkg/minikube/config"
 	"k8s.io/minikube/pkg/minikube/constants"
 	"k8s.io/minikube/pkg/minikube/exit"
@@ -68,6 +70,8 @@ var RootCmd = &cobra.Command{
 // Execute adds all child commands to the root command sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
+	defer audit.Log(time.Now())
+
 	_, callingCmd := filepath.Split(os.Args[0])
 
 	if callingCmd == "kubectl" {
@@ -170,6 +174,7 @@ func init() {
 
 	RootCmd.PersistentFlags().StringP(config.ProfileName, "p", constants.DefaultClusterName, `The name of the minikube VM being used. This can be set to allow having multiple instances of minikube independently.`)
 	RootCmd.PersistentFlags().StringP(configCmd.Bootstrapper, "b", "kubeadm", "The name of the cluster bootstrapper that will set up the Kubernetes cluster.")
+	RootCmd.PersistentFlags().String(config.User, "", "Specifies the user executing the operation. Useful for auditing operations executed by 3rd party tools. Defaults to the operating system username.")
 
 	groups := templates.CommandGroups{
 		{

diff --git a/go.sum b/go.sum
@@ -986,8 +986,6 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/ulikunitz/xz v0.5.5 h1:pFrO0lVpTBXLpYw+pnLj6TbvHuyjXMfjGeCwSqCVwok=
-github.com/ulikunitz/xz v0.5.5/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
 github.com/ulikunitz/xz v0.5.8 h1:ERv8V6GKqVi23rgu5cj9pVfVzJbOqAY2Ntl88O6c2nQ=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ultraware/funlen v0.0.1/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA=

diff --git a/pkg/minikube/audit/audit.go b/pkg/minikube/audit/audit.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2020 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package audit
+
+import (
+	"os"
+	"os/user"
+	"strings"
+	"time"
+
+	"github.com/spf13/viper"
+	"k8s.io/klog"
+	"k8s.io/minikube/pkg/minikube/config"
+)
+
+// username pulls the user flag, if empty gets the os username.
+func username() string {
+	u := viper.GetString(config.User)
+	if u != "" {
+		return u
+	}
+	osUser, err := user.Current()
+	if err != nil {
+		return "UNKNOWN"
+	}
+	return osUser.Username
+}
+
+// args concats the args into space delimited string.
+func args() string {
+	// first arg is binary and second is command, anything beyond is a minikube arg
+	if len(os.Args) < 3 {
+		return ""
+	}
+	return strings.Join(os.Args[2:], " ")
+}
+
+// Log details about the executed command.
+func Log(startTime time.Time) {
+	if !shouldLog() {
+		return
+	}
+	e := newEntry(os.Args[1], args(), username(), startTime, time.Now())
+	if err := appendToLog(e); err != nil {
+		klog.Error(err)
+	}
+}
+
+// shouldLog returns if the command should be logged.
+func shouldLog() bool {
+	// commands that should not be logged.
+	no := []string{"status", "version"}
+	a := os.Args[1]
+	for _, c := range no {
+		if a == c {
+			return false
+		}
+	}
+	return true
+}
diff --git a/pkg/minikube/audit/audit_test.go b/pkg/minikube/audit/audit_test.go
@@ -0,0 +1,125 @@
+/*
+Copyright 2020 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package audit
+
+import (
+	"os"
+	"os/user"
+	"testing"
+
+	"github.com/spf13/viper"
+	"k8s.io/minikube/pkg/minikube/config"
+)
+
+func TestAudit(t *testing.T) {
+	t.Run("Username", func(t *testing.T) {
+		u, err := user.Current()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		tests := []struct {
+			userFlag string
+			want     string
+		}{
+			{
+				"test123",
+				"test123",
+			},
+			{
+				"",
+				u.Username,
+			},
+		}
+
+		for _, test := range tests {
+			viper.Set(config.User, test.userFlag)
+
+			got := username()
+
+			if got != test.want {
+				t.Errorf("userFlag = %q; username() = %q; want %q", test.userFlag, got, test.want)
+			}
+		}
+	})
+
+	t.Run("Args", func(t *testing.T) {
+		oldArgs := os.Args
+		defer func() { os.Args = oldArgs }()
+
+		tests := []struct {
+			args []string
+			want string
+		}{
+			{
+				[]string{"minikube", "start"},
+				"",
+			},
+			{
+				[]string{"minikube", "start", "--user", "test123"},
+				"--user test123",
+			},
+		}
+
+		for _, test := range tests {
+			os.Args = test.args
+
+			got := args()
+
+			if got != test.want {
+				t.Errorf("os.Args = %q; args() = %q; want %q", os.Args, got, test.want)
+			}
+		}
+	})
+
+	t.Run("ShouldLog", func(t *testing.T) {
+		oldArgs := os.Args
+		defer func() { os.Args = oldArgs }()
+
+		tests := []struct {
+			args []string
+			want bool
+		}{
+			{
+				[]string{"minikube", "start"},
+				true,
+			},
+			{
+				[]string{"minikube", "delete"},
+				true,
+			},
+			{
+				[]string{"minikube", "status"},
+				false,
+			},
+			{
+				[]string{"minikube", "version"},
+				false,
+			},
+		}
+
+		for _, test := range tests {
+			os.Args = test.args
+
+			got := shouldLog()
+
+			if got != test.want {
+				t.Errorf("os.Args = %q; shouldLog() = %t; want %t", os.Args, got, test.want)
+			}
+		}
+	})
+}
diff --git a/pkg/minikube/audit/entry.go b/pkg/minikube/audit/entry.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2020 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package audit
+
+import (
+	"time"
+
+	"k8s.io/minikube/pkg/minikube/constants"
+)
+
+// entry represents the execution of a command.
+type entry struct {
+	data map[string]string
+}
+
+// Type returns the cloud events compatible type of this struct.
+func (e *entry) Type() string {
+	return "io.k8s.sigs.minikube.audit"
+}
+
+// newEntry returns a new audit type.
+func newEntry(command string, args string, user string, startTime time.Time, endTime time.Time) *entry {
+	return &entry{
+		map[string]string{
+			"args":      args,
+			"command":   command,
+			"endTime":   endTime.Format(constants.TimeFormat),
+			"startTime": startTime.Format(constants.TimeFormat),
+			"user":      user,
+		},
+	}
+}
diff --git a/pkg/minikube/audit/logFile.go b/pkg/minikube/audit/logFile.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2020 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package audit
+
+import (
+	"fmt"
+	"os"
+
+	"k8s.io/minikube/pkg/minikube/localpath"
+	"k8s.io/minikube/pkg/minikube/out/register"
+)
+
+// currentLogFile the file that's used to store audit logs
+var currentLogFile *os.File
+
+// setLogFile sets the logPath and creates the log file if it doesn't exist.
+func setLogFile() error {
+	lp := localpath.AuditLog()
+	f, err := os.OpenFile(lp, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return fmt.Errorf("unable to open %s: %v", lp, err)
+	}
+	currentLogFile = f
+	return nil
+}
+
+// appendToLog appends the audit entry to the log file.
+func appendToLog(entry *entry) error {
+	if currentLogFile == nil {
+		if err := setLogFile(); err != nil {
+			return err
+		}
+	}
+	e := register.CloudEvent(entry, entry.data)
+	bs, err := e.MarshalJSON()
+	if err != nil {
+		return fmt.Errorf("error marshalling event: %v", err)
+	}
+	if _, err := currentLogFile.WriteString(string(bs) + "\n"); err != nil {
+		return fmt.Errorf("unable to write to audit log: %v", err)
+	}
+	return nil
+}