akanealw
eec8c28fb3
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Update GeoLite2 Checksum / update-checksum (push) Has been cancelled
Container Registry Prune / prune-ghcr (push) Has been cancelled
Container Registry Prune / prune-dockerhub (push) Has been cancelled
Container Registry Prune / summarize (push) Has been cancelled
Supply Chain Verification / Verify SBOM (push) Has been cancelled
Supply Chain Verification / Verify Release Artifacts (push) Has been cancelled
Supply Chain Verification / Verify Docker Image Supply Chain (push) Has been cancelled
Monitor Caddy Major Release / check-caddy-major (push) Has been cancelled
Weekly Nightly to Main Promotion / Verify Nightly Branch Health (push) Has been cancelled
Weekly Nightly to Main Promotion / Create Promotion PR (push) Has been cancelled
Weekly Nightly to Main Promotion / Trigger Missing Required Checks (push) Has been cancelled
Weekly Nightly to Main Promotion / Notify on Failure (push) Has been cancelled
Weekly Nightly to Main Promotion / Workflow Summary (push) Has been cancelled
Weekly Security Rebuild / Security Rebuild & Scan (push) Has been cancelled
96 lines
3.3 KiB
Go
Executable File
96 lines
3.3 KiB
Go
Executable File
// Package security provides audit logging for security-sensitive operations.
|
|
package security
|
|
|
|
import (
|
|
"encoding/json"
|
|
"log"
|
|
"time"
|
|
)
|
|
|
|
// AuditEvent represents a security audit log entry.
|
|
// All fields are included in JSON output for structured logging.
|
|
type AuditEvent struct {
|
|
Timestamp string `json:"timestamp"` // RFC3339 timestamp of the event
|
|
Action string `json:"action"` // Action being performed (e.g., "url_validation", "url_test")
|
|
Host string `json:"host"` // Target hostname from URL
|
|
RequestID string `json:"request_id"` // Unique request identifier for tracing
|
|
Result string `json:"result"` // Result of action: "allowed", "blocked", "error"
|
|
ResolvedIPs []string `json:"resolved_ips"` // DNS resolution results (for debugging)
|
|
BlockedReason string `json:"blocked_reason"` // Why the request was blocked
|
|
UserID string `json:"user_id"` // User who made the request (CRITICAL for attribution)
|
|
SourceIP string `json:"source_ip"` // IP address of the request originator
|
|
}
|
|
|
|
// AuditLogger provides structured security audit logging.
|
|
type AuditLogger struct {
|
|
// prefix is prepended to all log messages
|
|
prefix string
|
|
}
|
|
|
|
// NewAuditLogger creates a new security audit logger.
|
|
func NewAuditLogger() *AuditLogger {
|
|
return &AuditLogger{
|
|
prefix: "[SECURITY AUDIT]",
|
|
}
|
|
}
|
|
|
|
// LogURLValidation logs a URL validation event.
|
|
func (al *AuditLogger) LogURLValidation(event AuditEvent) {
|
|
// Ensure timestamp is set
|
|
if event.Timestamp == "" {
|
|
event.Timestamp = time.Now().UTC().Format(time.RFC3339)
|
|
}
|
|
|
|
// Serialize to JSON for structured logging
|
|
eventJSON, err := json.Marshal(event)
|
|
if err != nil {
|
|
log.Printf("%s ERROR: Failed to serialize audit event: %v", al.prefix, err)
|
|
return
|
|
}
|
|
|
|
// Log to standard logger (will be captured by application logger)
|
|
log.Printf("%s %s", al.prefix, string(eventJSON))
|
|
}
|
|
|
|
// LogURLTest is a convenience method for logging URL connectivity tests.
|
|
func (al *AuditLogger) LogURLTest(host, requestID, userID, sourceIP, result string) {
|
|
event := AuditEvent{
|
|
Timestamp: time.Now().UTC().Format(time.RFC3339),
|
|
Action: "url_connectivity_test",
|
|
Host: host,
|
|
RequestID: requestID,
|
|
Result: result,
|
|
UserID: userID,
|
|
SourceIP: sourceIP,
|
|
}
|
|
al.LogURLValidation(event)
|
|
}
|
|
|
|
// LogSSRFBlock is a convenience method for logging blocked SSRF attempts.
|
|
func (al *AuditLogger) LogSSRFBlock(host string, resolvedIPs []string, reason, userID, sourceIP string) {
|
|
event := AuditEvent{
|
|
Timestamp: time.Now().UTC().Format(time.RFC3339),
|
|
Action: "ssrf_block",
|
|
Host: host,
|
|
ResolvedIPs: resolvedIPs,
|
|
BlockedReason: reason,
|
|
Result: "blocked",
|
|
UserID: userID,
|
|
SourceIP: sourceIP,
|
|
}
|
|
al.LogURLValidation(event)
|
|
}
|
|
|
|
// Global audit logger instance
|
|
var globalAuditLogger = NewAuditLogger()
|
|
|
|
// LogURLTest logs a URL test event using the global logger.
|
|
func LogURLTest(host, requestID, userID, sourceIP, result string) {
|
|
globalAuditLogger.LogURLTest(host, requestID, userID, sourceIP, result)
|
|
}
|
|
|
|
// LogSSRFBlock logs a blocked SSRF attempt using the global logger.
|
|
func LogSSRFBlock(host string, resolvedIPs []string, reason, userID, sourceIP string) {
|
|
globalAuditLogger.LogSSRFBlock(host, resolvedIPs, reason, userID, sourceIP)
|
|
}
|