Merge pull request #1 from ncode/juliano/its_born

it's born

.gitignore

@@ -23,3 +23,6 @@ go.work.sum
 
 # env file
 .env
+
+# idea
+.idea

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2024 Juliano Martinez
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

cmd/auditServer.go

@@ -0,0 +1,57 @@
+/*
+Copyright © 2024 Juliano Martinez <[email protected]>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cmd
+
+import (
+	"fmt"
+	"github.com/ncode/vault-audit-filter/pkg/auditserver"
+	"github.com/panjf2000/gnet"
+	"github.com/spf13/viper"
+	"log"
+
+	"github.com/spf13/cobra"
+)
+
+// auditServerCmd represents the auditServer command
+var auditServerCmd = &cobra.Command{
+	Use:   "auditServer",
+	Short: "A brief description of your command",
+	Long: `A longer description that spans multiple lines and likely contains examples
+and usage of using your command. For example:
+
+Cobra is a CLI library for Go that empowers applications.
+This application is a tool to generate the needed files
+to quickly create a Cobra application.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		addr := fmt.Sprintf("udp://%s", viper.GetString("vault.audit_address"))
+		server := auditserver.New(nil)
+		log.Fatal(gnet.Serve(server, addr, gnet.WithMulticore(true)))
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(auditServerCmd)
+
+	// Here you will define your flags and configuration settings.
+
+	// Cobra supports Persistent Flags which will work for this command
+	// and all subcommands, e.g.:
+	// auditServerCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+	// Cobra supports local flags which will only run when this command
+	// is called directly, e.g.:
+	// auditServerCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}

cmd/root.go

@@ -0,0 +1,115 @@
+/*
+Copyright © 2024 Juliano Martinez <[email protected]>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cmd
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var logger *slog.Logger
+
+func init() {
+	logger = slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}))
+}
+
+var cfgFile string
+
+// rootCmd represents the base command when called without any subcommands
+var rootCmd = &cobra.Command{
+	Use:   "vault-audit-filter",
+	Short: "A brief description of your application",
+	Long: `A longer description that spans multiple lines and likely contains
+examples and usage of using your application. For example:
+
+Cobra is a CLI library for Go that empowers applications.
+This application is a tool to generate the needed files
+to quickly create a Cobra application.`,
+	// Uncomment the following line if your bare application
+	// has an action associated with it:
+	// Run: func(cmd *cobra.Command, args []string) { },
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}
+
+func init() {
+	cobra.OnInitialize(initConfig)
+
+	// Here you will define your flags and configuration settings.
+	// Cobra supports persistent flags, which, if defined here,
+	// will be global for your application.
+
+	rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.vault-audit-filter.yaml)")
+	rootCmd.PersistentFlags().String("vault.address", "http://127.0.0.1:8200", "Vault source address")
+	rootCmd.PersistentFlags().String("vault.token", "", "Vault source token")
+	rootCmd.PersistentFlags().String("vault.audit_path", "/vault-audit-filter", "Vault audit path")
+	rootCmd.PersistentFlags().String("vault.audit_address", "127.0.0.1:1269", "Courier audit device address to receive the audit")
+	rootCmd.PersistentFlags().String("vault.audit_description", "Courier audit device", "Vault audit description")
+
+	// Cobra also supports local flags, which will only run
+	// when this action is called directly.
+	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}
+
+// initConfig reads in config file and ENV variables if set.
+func initConfig() {
+	if cfgFile != "" {
+		// Use config file from the flag.
+		viper.SetConfigFile(cfgFile)
+	} else {
+		// Find home directory.
+		home, err := os.UserHomeDir()
+		cobra.CheckErr(err)
+
+		// Search config in home directory with name ".vault-audit-filter" (without extension).
+		viper.AddConfigPath(home)
+		viper.SetConfigType("yaml")
+		viper.SetConfigName(".vault-audit-filter")
+	}
+
+	viper.BindPFlag("vault.address", rootCmd.PersistentFlags().Lookup("vault.address"))
+	viper.BindPFlag("vault.token", rootCmd.PersistentFlags().Lookup("vault.token"))
+	viper.BindPFlag("vault.audit_path", rootCmd.PersistentFlags().Lookup("vault.audit_path"))
+	viper.BindPFlag("vault.audit_address", rootCmd.PersistentFlags().Lookup("vault.audit_address"))
+	viper.BindPFlag("vault.audit_description", rootCmd.PersistentFlags().Lookup("vault.audit_description"))
+
+	viper.AutomaticEnv() // read in environment variables that match
+
+	// If a config file is found, read it in.
+	if err := viper.ReadInConfig(); err == nil {
+		fmt.Fprintln(os.Stderr, "Using config file:", viper.ConfigFileUsed())
+	}
+
+	if viper.GetString("vault.token") == "" {
+		logger.Error("vault.token is required")
+		os.Exit(1)
+	}
+
+	if !viper.IsSet("rule_groups") || len(viper.GetStringSlice("rule_groups")) == 0 {
+		logger.Info("No rules defined in configuration; all audit logs will be printed")
+	}
+}

cmd/setup.go

@@ -0,0 +1,67 @@
+/*
+Copyright © 2024 Juliano Martinez <[email protected]>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cmd
+
+import (
+	"os"
+
+	"github.com/ncode/vault-audit-filter/pkg/vault"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// setupCmd represents the setup command
+var setupCmd = &cobra.Command{
+	Use:   "setup",
+	Short: "Setup vault audit device",
+	Long:  ``,
+	Run: func(cmd *cobra.Command, args []string) {
+		client, err := vault.NewVaultClient(viper.GetString("vault.address"), vault.TokenAuth{Token: viper.GetString("vault.token")})
+		if err != nil {
+			logger.Error("setup", "unable to setup vault client", err.Error())
+			os.Exit(1)
+		}
+		err = client.EnableAuditDevice(
+			viper.GetString("vault.audit_path"),
+			"socket",
+			viper.GetString("vault.audit_description"),
+			map[string]string{
+				"address":     viper.GetString("vault.audit_address"),
+				"description": viper.GetString("vault.audit_description"),
+				"socket_type": "udp",
+				"log_raw":     "false",
+			},
+		)
+		if err != nil {
+			logger.Error("setup", "unable to enable audit device", err.Error())
+			os.Exit(1)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(setupCmd)
+
+	// Here you will define your flags and configuration settings.
+
+	// Cobra supports Persistent Flags which will work for this command
+	// and all subcommands, e.g.:
+	// setupCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+	// Cobra supports local flags which will only run when this command
+	// is called directly, e.g.:
+	// setupCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}

configs/docker/Dockerfile

@@ -0,0 +1,3 @@
+FROM scratch
+COPY vault-audit-filter /vault-audit-filter
+ENTRYPOINT ["/vault-audit-filter"]

configs/docker/Makefile

@@ -0,0 +1,15 @@
+.PHONY: build docker-build down up
+
+all: build docker-build down up
+
+build:
+	GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" ../../
+
+docker-build:
+	docker build -t ncode/vault-audit-filter:dev .
+
+up:
+	docker compose up
+
+down:
+	docker compose down

configs/docker/config/config.yaml

@@ -0,0 +1,22 @@
+rule_groups:
+  - name: "normal_operations"
+    rules:
+      - 'Auth.PolicyResults.Allowed == true'
+    log_file:
+      file_path: "/var/log/vault_normal_operations.log"
+      max_size: 100
+      max_backups: 5
+      max_age: 30
+      compress: true
+
+  - name: "critical_events"
+    rules:
+      - 'Request.Operation == "delete" && Auth.PolicyResults.Allowed == true'
+      - 'Request.Path startsWith "secret/metadata/" && Auth.PolicyResults.Allowed == true'
+      - 'Request.Path == "secret/data/myapp/database" && Request.Operation == "update"'
+    log_file:
+      file_path: "/var/log/vault_critical_events.log"
+      max_size: 100
+      max_backups: 5
+      max_age: 30
+      compress: true

configs/docker/docker-compose.yaml

@@ -0,0 +1,44 @@
+services:
+  vault_primary:
+    image: hashicorp/vault:latest
+    container_name: vault_primary
+    ports:
+      - "8200:8200"
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: "root"
+      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+    cap_add:
+      - IPC_LOCK
+    command: "vault server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8200"
+
+  vault-audit-filter_auditserver:
+    image: ncode/vault-audit-filter:dev
+    container_name: vault-audit-filter_auditserver
+    volumes:
+      - ./config:/config:ro
+      - ./logs:/var/log/
+    depends_on:
+      - vault_primary
+    command: "auditServer --config /config/config.yaml --vault.token root --vault.audit_address vault-audit-filter_auditserver:1269"
+
+  vault-audit-filter_setup:
+    image: ncode/vault-audit-filter:dev
+    container_name: vault-audit-filter_setup
+    depends_on:
+      - vault-audit-filter_auditserver
+    command: "setup --vault.token root --vault.address http://vault_primary:8200 --vault.audit_address vault-audit-filter_auditserver:1269"
+
+  vault_writer:
+    image: hashicorp/vault:latest
+    container_name: vault_writer
+    depends_on:
+      - vault-audit-filter_setup
+    volumes:
+      - ./scripts:/scripts:ro
+    environment:
+      VAULT_TOKEN: root
+      VAULT_ADDR: http://vault_primary:8200
+    cap_add:
+      - IPC_LOCK
+    entrypoint: "/scripts/writer.sh"
+

configs/docker/scripts/writer.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+sleep 5
+
+set -x
+
+vault kv put secret/data/myapp/config api_key=12345 environment=production
+vault kv metadata put -custom-metadata="replicate_to=vault_replica" secret/metadata/myapp/config
+vault kv metadata get secret/metadata/myapp/config
+
+vault kv put secret/data/myapp/database username=dbuser password=supersecret host=db.example.com port=5432
+
+vault kv get -field=api_key secret/data/myapp/config
+vault kv get -format=json secret/data/myapp/database
+
+vault kv list secret/metadata/myapp/
+vault kv delete secret/data/myapp/config
+
+