feat(handler/reverseproxy): add toggle for access logs

nais · Dec 20, 2023 · e71e4a2 · e71e4a2
1 parent 55839d7
commit e71e4a2
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 5 deletions.
diff --git a/charts/wonderwall/templates/replicationconfig.yaml b/charts/wonderwall/templates/replicationconfig.yaml
@@ -76,6 +76,7 @@ spec:
           WONDERWALL_SSO_MODE: "proxy"
           WONDERWALL_SSO_SESSION_COOKIE_NAME: "{{ .Values.idporten.sessionCookieName | required ".Values.idporten.sessionCookieName is required." }}"
           WONDERWALL_SSO_SERVER_URL: "{{- include "wonderwall.idporten.ssoServerURL" . }}"
+          WONDERWALL_UPSTREAM_ACCESS_LOGS: "true"
     # used by naiserator to inject idp config into sidecar and application, primarily for token validation
     - template: |
         apiVersion: v1

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -2,6 +2,7 @@ package config
 
 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net/url"
 	"runtime/debug"
@@ -32,6 +33,7 @@ type Config struct {
 	CookiePrefix         string   `json:"cookie-prefix"`
 	EncryptionKey        string   `json:"encryption-key"`
 	Ingresses            []string `json:"ingress"`
+	UpstreamAccessLogs   bool     `json:"upstream-access-logs"`
 	UpstreamHost         string   `json:"upstream-host"`
 	UpstreamIP           string   `json:"upstream-ip"`
 	UpstreamPort         int      `json:"upstream-port"`
@@ -168,6 +170,7 @@ const (
 	CookiePrefix         = "cookie-prefix"
 	EncryptionKey        = "encryption-key"
 	Ingress              = "ingress"
+	UpstreamAccessLogs   = "upstream-access-logs"
 	UpstreamHost         = "upstream-host"
 	UpstreamIP           = "upstream-ip"
 	UpstreamPort         = "upstream-port"
@@ -222,6 +225,7 @@ func Initialize() (*Config, error) {
 	flag.String(CookiePrefix, "io.nais.wonderwall", "Prefix for cookie names.")
 	flag.String(EncryptionKey, "", "Base64 encoded 256-bit cookie encryption key; must be identical in instances that share session store.")
 	flag.StringSlice(Ingress, []string{}, "Comma separated list of ingresses used to access the main application.")
+	flag.Bool(UpstreamAccessLogs, false, "Enable access logs for upstream requests.")
 	flag.String(UpstreamHost, "127.0.0.1:8080", "Address of upstream host.")
 	flag.String(UpstreamIP, "", "IP of upstream host. Overrides 'upstream-host' if set.")
 	flag.Int(UpstreamPort, 0, "Port of upstream host. Overrides 'upstream-host' if set.")
@@ -263,7 +267,7 @@ func Initialize() (*Config, error) {
 	flag.Parse()
 
 	if err := viper.ReadInConfig(); err != nil {
-		if err.(viper.ConfigFileNotFoundError) != err {
+		if !errors.Is(err, err.(viper.ConfigFileNotFoundError)) {
 			return nil, err
 		}
 	}

diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
@@ -84,7 +84,7 @@ func NewStandalone(
 		Ingresses:      ingresses,
 		Redirect:       url.NewStandaloneRedirect(),
 		SessionManager: sessionManager,
-		UpstreamProxy:  NewReverseProxy(upstream, true),
+		UpstreamProxy:  NewUpstreamProxy(upstream, cfg.UpstreamAccessLogs),
 	}, nil
 }
 

diff --git a/pkg/handler/handler_sso_proxy.go b/pkg/handler/handler_sso_proxy.go
@@ -69,7 +69,7 @@ func NewSSOProxy(cfg *config.Config, crypter crypto.Crypter) (*SSOProxy, error)
 		SSOServerURL:          serverURL,
 		SSOServerReverseProxy: NewReverseProxy(serverURL, false),
 		SessionReader:         sessionReader,
-		UpstreamProxy:         NewReverseProxy(upstream, true),
+		UpstreamProxy:         NewUpstreamProxy(upstream, cfg.UpstreamAccessLogs),
 	}, nil
 }
 

diff --git a/pkg/handler/reverseproxy.go b/pkg/handler/reverseproxy.go
@@ -28,6 +28,13 @@ type ReverseProxySource interface {
 
 type ReverseProxy struct {
 	*httputil.ReverseProxy
+	EnableAccessLogs bool
+}
+
+func NewUpstreamProxy(upstream *urllib.URL, enableAccessLogs bool) *ReverseProxy {
+	rp := NewReverseProxy(upstream, true)
+	rp.EnableAccessLogs = enableAccessLogs
+	return rp
 }
 
 func NewReverseProxy(upstream *urllib.URL, preserveInboundHostHeader bool) *ReverseProxy {
@@ -88,7 +95,9 @@ func NewReverseProxy(upstream *urllib.URL, preserveInboundHostHeader bool) *Reve
 		},
 		Transport: server.DefaultTransport(),
 	}
-	return &ReverseProxy{rp}
+	return &ReverseProxy{
+		ReverseProxy: rp,
+	}
 }
 
 func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r *http.Request) {
@@ -145,7 +154,10 @@ func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r
 
 	if isAuthenticated {
 		ctx = mw.WithAccessToken(ctx, accessToken)
-		logger.Info("default: authenticated request")
+
+		if rp.EnableAccessLogs {
+			logger.Info("default: authenticated request")
+		}
 	}
 
 	rp.ServeHTTP(w, r.WithContext(ctx))