Add AuditConfig validation and backwards compatibility if no AuditFil…

…ePath is provided
openshift · Oct 18, 2016 · 8eb72f0 · 8eb72f0
1 parent fa8395e
commit 8eb72f0
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/pkg/cmd/server/api/helpers.go b/pkg/cmd/server/api/helpers.go
@@ -256,6 +256,8 @@ func GetMasterFileReferences(config *MasterConfig) []*string {
 		refs = append(refs, &config.ControllerConfig.ServiceServingCert.Signer.KeyFile)
 	}
 
+	refs = append(refs, &config.AuditConfig.AuditFilePath)
+
 	return refs
 }
 

diff --git a/pkg/cmd/server/api/validation/master.go b/pkg/cmd/server/api/validation/master.go
@@ -191,6 +191,28 @@ func ValidateMasterConfig(config *api.MasterConfig, fldPath *field.Path) Validat
 
 	validationResults.Append(ValidateControllerConfig(config.ControllerConfig, fldPath.Child("controllerConfig")))
 
+	validationResults.Append(ValidateAuditConfig(config.AuditConfig, fldPath.Child("auditConfig")))
+
+	return validationResults
+}
+
+func ValidateAuditConfig(config api.AuditConfig, fldPath *field.Path) ValidationResults {
+	validationResults := ValidationResults{}
+
+	if len(config.AuditFilePath) == 0 {
+		// for backwards compatibility reasons we can't error this out
+		validationResults.AddWarnings(field.Required(fldPath.Child("auditFilePath"), "audit can now be logged to a separate file"))
+	}
+	if config.MaximumFileRetentionDays < 0 {
+		validationResults.AddErrors(field.Invalid(fldPath.Child("maximumFileRetentionDays"), config.MaximumFileRetentionDays, "must be greater than or equal to 0"))
+	}
+	if config.MaximumRetainedFiles < 0 {
+		validationResults.AddErrors(field.Invalid(fldPath.Child("maximumRetainedFiles"), config.MaximumRetainedFiles, "must be greater than or equal to 0"))
+	}
+	if config.MaximumFileSizeMegabytes < 0 {
+		validationResults.AddErrors(field.Invalid(fldPath.Child("maximumFileSizeMegabytes"), config.MaximumFileSizeMegabytes, "must be greater than or equal to 0"))
+	}
+
 	return validationResults
 }
 

diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"os"
 	"regexp"
@@ -184,14 +185,19 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
 	// audit handler must comes before the impersonationFilter to read the original user
 	if c.Options.AuditConfig.Enabled {
 		attributeGetter := apiserver.NewRequestAttributeGetter(c.getRequestContextMapper(), c.getRequestInfoResolver())
-		writer := &lumberjack.Logger{
-			Filename:   c.Options.AuditConfig.AuditFilePath,
-			MaxAge:     c.Options.AuditConfig.MaximumFileRetentionDays,
-			MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
-			MaxSize:    c.Options.AuditConfig.MaximumFileSizeMegabytes,
+		var writer io.Writer
+		if len(c.Options.AuditConfig.AuditFilePath) > 0 {
+			writer = &lumberjack.Logger{
+				Filename:   c.Options.AuditConfig.AuditFilePath,
+				MaxAge:     c.Options.AuditConfig.MaximumFileRetentionDays,
+				MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
+				MaxSize:    c.Options.AuditConfig.MaximumFileSizeMegabytes,
+			}
+		} else {
+			// backwards compatible writer to regular log
+			writer = cmdutil.NewGLogWriterV(0)
 		}
 		handler = audit.WithAudit(handler, attributeGetter, writer)
-		defer writer.Close()
 	}
 	handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper())
 	handler = namespacingFilter(handler, c.getRequestContextMapper())