
Add an audit event reference generator

Open ptgott opened this issue 1 year ago • 4 comments

Closes #5044

Add an audit event generator and generate a partial containing a list of audit events.

Background

Teleport audit events have unique codes (e.g., TDB01I) as well as types (e.g., user.login) that are not necessarily unique. The Teleport source assigns audit event codes and types as struct values when initializing an audit event. Otherwise, there is nothing intrinsic to an audit event that associates its code, type, and schema. Finding all parts of the source that emit an audit event is infeasible, so the best we can do is to take advantage of the naming conventions we use for declarations of types, codes, and schemas.

The reference generator assumes that event codes are constants declared in a single file with a declaration name in the following format:

CamelCaseName(Success|Failure)?Code

CamelCaseName is a prefix we expect to find across the names of event codes, types, and schemas.

The event type that corresponds to a code, also declared as a constant in a single Go file, has a declaration name with the following format:

CamelCaseNameEvent

Finally, the generator expects audit event schemas to be declared as protobuf messages with declaration names in the following format:

CamelCaseName

Not all audit event codes, types, and schemas follow this convention, but enough events do follow it that we can use this approach as a starting point and iterate to either adjust the naming convention or edit the names of event codes, types, and schemas.

Additional implementation details

  • Include one H3 section for each audit event code.
  • Add a directory to build.assets/tooling/cmd that contains the generator source.
  • To provide JSON schemas to the generator, use the protoc-gen-eventschema tool (./build.assets/tooling/cmd/protoc-gen-eventschema).
  • Add a function to eventschema to return all event schemas.
  • Use a Go parser to extract string constant declarations from source files, with the assumption that a single file includes all event code constants and another file includes all event type constants.
  • Where event schemas have multiple levels of child fields, flatten the fields into a single slice so we can include a single field table for each audit event.
  • Adds a target to build.assets/Makefile for generating the reference.

ptgott avatar Feb 16 '24 17:02 ptgott
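
The name-based matching described in the PR description above, as an added example that is not part of the PR or of Teleport's source: it parses two Go files with go/parser, collects their string constants, and pairs each event code with the event type whose declaration shares its CamelCaseName prefix. The sample constants and the function names `stringConsts` and `codeToType` are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
)

// Constructed samples, not Teleport source; names follow the PR's convention.
const sampleCodes = `package events
const ExampleLoginCode = "EX001I"
const ExampleLoginFailureCode = "EX001W"
const ExampleOrphanCode = "EX002I"`
const sampleTypes = `package events; const ExampleLoginEvent = "example.login"`
// stringConsts returns the top-level string constants in one Go file, by name.
func stringConsts(src string) map[string]string {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		panic(err)
	}
	out := map[string]string{}
	for _, d := range f.Decls {
		if gd, ok := d.(*ast.GenDecl); ok && gd.Tok == token.CONST {
			for _, spec := range gd.Specs {
				vs := spec.(*ast.ValueSpec)
				for i, v := range vs.Values {
					if lit, ok := v.(*ast.BasicLit); ok && lit.Kind == token.STRING {
						out[vs.Names[i].Name], _ = strconv.Unquote(lit.Value)
					}
				}
			}
		}
	}
	return out
}

// codeToType maps code value to type value; "" means no <Prefix>Event exists.
func codeToType(codes, types map[string]string) map[string]string {
	out, re := map[string]string{}, regexp.MustCompile(`^(.+?)(Success|Failure)?Code$`)
	for name, code := range codes {
		if m := re.FindStringSubmatch(name); m != nil {
			out[code] = types[m[1]+"Event"]
		}
	}
	return out
}
func main() { fmt.Println(codeToType(stringConsts(sampleCodes), stringConsts(sampleTypes))) }
```

Two codes resolving to one type reflects that codes are unique while types are not, and the empty entry for `EX002I` is the kind of event that does not follow the convention and would need a rename or an adjusted rule.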

@ptgott - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

github-actions[bot] avatar Feb 16 '24 17:02 github-actions[bot]

I wanted to include the generated reference in the PR so we have a Vercel preview site available while we talk about implementation, but I can remove the reference from the PR (and generate it in a separate PR) to reduce diff size.

The list of event types is here: https://docs-1fnl7w0wf-goteleport.vercel.app/docs/reference/audit/#event-types

ptgott avatar Feb 16 '24 17:02 ptgott

🤖 Vercel preview here: https://docs-1fnl7w0wf-goteleport.vercel.app/docs/ver/preview

github-actions[bot] avatar Feb 16 '24 17:02 github-actions[bot]

🤖 Vercel preview here: https://docs-id0p662ou-goteleport.vercel.app/docs/ver/preview

github-actions[bot] avatar Mar 05 '24 15:03 github-actions[bot]

🤖 Vercel preview here: https://docs-crvvp0uf2-goteleport.vercel.app/docs/ver/preview

github-actions[bot] avatar Aug 13 '24 15:08 github-actions[bot]

Closing since I am going to try a new approach based on this comment.

ptgott avatar Aug 13 '24 15:08 ptgott