
Commit 310c086

authored
Test making sure we don't audit log GET endpoints (#9710)
Turns out we were auditing a few already! Very straightforward: modified the existing coverage test from #9467 to also look at the list of GET endpoints and make sure none of them have audit logging in them.
1 parent 9ccd203 commit 310c086

3 files changed

Lines changed: 241 additions & 81 deletions


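--- a/nexus/src/external_api/http_entrypoints.rs
+++ b/nexus/src/external_api/http_entrypoints.rs
@@ -800,14 +800,22 @@ impl NexusExternalApi for NexusExternalApiImpl {
 query_params: Query<params::SiloSelector>,
 ) -> Result<HttpResponseOk<Vec<views::ScimClientBearerToken>>, HttpError>
 {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let query = query_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let query = query_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let silo_lookup = nexus.silo_lookup(&opctx, query.silo)?;
 let tokens =
 nexus.scim_idp_get_tokens(&opctx, &silo_lookup).await?;
 Ok(HttpResponseOk(tokens))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn scim_token_create(
@@ -830,16 +838,24 @@ impl NexusExternalApi for NexusExternalApiImpl {
 path_params: Path<params::ScimV2TokenPathParam>,
 query_params: Query<params::SiloSelector>,
 ) -> Result<HttpResponseOk<views::ScimClientBearerToken>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let query = query_params.into_inner();
-let path = path_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let query = query_params.into_inner();
+let path = path_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let silo_lookup = nexus.silo_lookup(&opctx, query.silo)?;
 let token = nexus
 .scim_idp_get_token_by_id(&opctx, &silo_lookup, path.token_id)
 .await?;
 Ok(HttpResponseOk(token))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn scim_token_delete(
@@ -5622,16 +5638,24 @@ impl NexusExternalApi for NexusExternalApiImpl {
 // TODO: Check If-Match and fail if the ETag doesn't match anymore.
 // Without this check, if firewall rules change while someone is listing
 // the rules, they will see a mix of the old and new rules.
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let query = query_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let query = query_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let vpc_lookup = nexus.vpc_lookup(&opctx, query)?;
 let rules =
 nexus.vpc_list_firewall_rules(&opctx, &vpc_lookup).await?;
 Ok(HttpResponseOk(VpcFirewallRules {
 rules: rules.into_iter().map(|rule| rule.into()).collect(),
 }))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 // Note: the limits in the below comment come from the firewall rules model
@@ -5699,9 +5723,13 @@ impl NexusExternalApi for NexusExternalApiImpl {
 path_params: Path<params::RouterPath>,
 query_params: Query<params::OptionalVpcSelector>,
 ) -> Result<HttpResponseOk<VpcRouter>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let path = path_params.into_inner();
-let query = query_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let path = path_params.into_inner();
+let query = query_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let router_selector = params::RouterSelector {
 project: query.project,
 vpc: query.vpc,
@@ -5712,8 +5740,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 .fetch()
 .await?;
 Ok(HttpResponseOk(vpc_router.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn vpc_router_create(
@@ -5825,9 +5857,13 @@ impl NexusExternalApi for NexusExternalApiImpl {
 path_params: Path<params::RoutePath>,
 query_params: Query<params::OptionalRouterSelector>,
 ) -> Result<HttpResponseOk<RouterRoute>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let path = path_params.into_inner();
-let query = query_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let path = path_params.into_inner();
+let query = query_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let route_selector = params::RouteSelector {
 project: query.project,
 vpc: query.vpc,
@@ -5839,8 +5875,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 .fetch()
 .await?;
 Ok(HttpResponseOk(route.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn vpc_router_route_create(
@@ -5957,9 +5997,13 @@ impl NexusExternalApi for NexusExternalApiImpl {
 path_params: Path<params::InternetGatewayPath>,
 query_params: Query<params::OptionalVpcSelector>,
 ) -> Result<HttpResponseOk<views::InternetGateway>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let path = path_params.into_inner();
-let query = query_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let path = path_params.into_inner();
+let query = query_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let selector = params::InternetGatewaySelector {
 project: query.project,
 vpc: query.vpc,
@@ -5970,8 +6014,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 .fetch()
 .await?;
 Ok(HttpResponseOk(internet_gateway.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 /// Create VPC internet gateway
@@ -6292,12 +6340,20 @@ impl NexusExternalApi for NexusExternalApiImpl {
 rqctx: RequestContext<ApiContext>,
 path_params: Path<params::RackPath>,
 ) -> Result<HttpResponseOk<Rack>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let path = path_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let path = path_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let rack_info = nexus.rack_lookup(&opctx, &path.rack_id).await?;
 Ok(HttpResponseOk(rack_info.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn sled_list_uninitialized(
@@ -6376,13 +6432,21 @@ impl NexusExternalApi for NexusExternalApiImpl {
 rqctx: RequestContext<ApiContext>,
 path_params: Path<params::SledPath>,
 ) -> Result<HttpResponseOk<Sled>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let path = path_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let path = path_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let (.., sled) =
 nexus.sled_lookup(&opctx, &path.sled_id)?.fetch().await?;
 Ok(HttpResponseOk(sled.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn sled_set_provision_policy(
@@ -6535,8 +6599,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 rqctx: RequestContext<ApiContext>,
 path_params: Path<params::SwitchPath>,
 ) -> Result<HttpResponseOk<views::Switch>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let path = path_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let path = path_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let (.., switch) = nexus
 .switch_lookup(
 &opctx,
@@ -6545,8 +6613,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 .fetch()
 .await?;
 Ok(HttpResponseOk(switch.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn sled_physical_disk_list(
@@ -6595,11 +6667,15 @@ impl NexusExternalApi for NexusExternalApiImpl {
 other_params: Query<params::OptionalSiloSelector>,
 ) -> Result<HttpResponseOk<ResultsPage<oximeter_db::Measurement>>, HttpError>
 {
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
 let pagination = pag_params.into_inner();
 let limit = rqctx.page_limit(&pagination)?;
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let metric_name = path_params.into_inner().metric_name;
-let silo_selector = other_params.into_inner().silo;
+let metric_name = path_params.into_inner().metric_name;
+let silo_selector = other_params.into_inner().silo;
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let silo_lookup = match silo_selector {
 Some(silo) => Some(nexus.silo_lookup(&opctx, silo)?),
 _ => None,
@@ -6616,8 +6692,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 .await?;
 
 Ok(HttpResponseOk(result))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn silo_metric(
@@ -6629,11 +6709,15 @@ impl NexusExternalApi for NexusExternalApiImpl {
 other_params: Query<params::OptionalProjectSelector>,
 ) -> Result<HttpResponseOk<ResultsPage<oximeter_db::Measurement>>, HttpError>
 {
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
 let pagination = pag_params.into_inner();
 let limit = rqctx.page_limit(&pagination)?;
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let metric_name = path_params.into_inner().metric_name;
-let project_selector = other_params.into_inner().project;
+let metric_name = path_params.into_inner().metric_name;
+let project_selector = other_params.into_inner().project;
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let project_lookup = match project_selector {
 Some(project) => {
 let project_selector = params::ProjectSelector { project };
@@ -6653,8 +6737,12 @@ impl NexusExternalApi for NexusExternalApiImpl {
 .await?;
 
 Ok(HttpResponseOk(result))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn system_timeseries_schema_list(
@@ -6664,16 +6752,24 @@ impl NexusExternalApi for NexusExternalApiImpl {
 HttpResponseOk<ResultsPage<oximeter_db::TimeseriesSchema>>,
 HttpError,
 > {
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
 let pagination = pag_params.into_inner();
 let limit = rqctx.page_limit(&pagination)?;
-audit_and_time(&rqctx, |opctx, nexus| async move {
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 nexus
 .timeseries_schema_list(&opctx, &pagination, limit)
 .await
 .map(HttpResponseOk)
 .map_err(HttpError::from)
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn system_timeseries_query(
@@ -6786,14 +6882,22 @@ impl NexusExternalApi for NexusExternalApiImpl {
 rqctx: RequestContext<ApiContext>,
 path_params: Path<params::UpdatesGetRepositoryParams>,
 ) -> Result<HttpResponseOk<views::TufRepo>, HttpError> {
-audit_and_time(&rqctx, |opctx, nexus| async move {
-let params = path_params.into_inner();
+let apictx = rqctx.context();
+let nexus = &apictx.context.nexus;
+let params = path_params.into_inner();
+let handler = async {
+let opctx =
+crate::context::op_context_for_external_api(&rqctx).await?;
 let repo = nexus
 .updates_get_repository(&opctx, params.system_version)
 .await?;
 Ok(HttpResponseOk(repo.into()))
-})
-.await
+};
+apictx
+.context
+.external_latencies
+.instrument_dropshot_handler(&rqctx, handler)
+.await
 }
 
 async fn system_update_repository_list(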
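Review bot: The two SCIM token handlers in the first hunks (the one returning `Vec<views::ScimClientBearerToken>`, presumably `scim_token_list`, and the one returning a single `views::ScimClientBearerToken`) lose audit logging solely because they are GETs, yet if that view carries the bearer secret then a read of it is a credential retrieval, which is precisely the kind of read most audit policies want recorded regardless of HTTP method. I cannot see the view's fields from this diff, so this may be a non-issue, but it is worth confirming that the GET-never-audits rule the new coverage test enforces is meant to include credential reads, or giving the test an explicit allowlist for them with a comment such as `// token views expose secrets: audited despite being GET`. As a matter of style, every rewritten handler now repeats the same preamble — `let apictx = rqctx.context(); let nexus = &apictx.context.nexus;`, the `let opctx = crate::context::op_context_for_external_api(&rqctx).await?;` inside `let handler = async { … };`, and the `.external_latencies.instrument_dropshot_handler(&rqctx, handler).await` tail — which a non-auditing sibling of `audit_and_time` (say `time_only(&rqctx, |opctx, nexus| async move { … })`) would collapse back to one call per handler and make the audited/unaudited choice visible at a glance. The signatures of the SCIM handlers, and of every other function touched here, begin above their hunks.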

