add logging middleware for server

[devang-gaur]

fixes #784

[devang-gaur]

Here's how the logs look :

./bin/terrascan server
2021-05-18T18:33:14.591+0530	info	http-server/start.go:61	registering routes...
2021-05-18T18:33:14.591+0530	info	http-server/start.go:65	Route GET - /health
2021-05-18T18:33:14.591+0530	info	http-server/start.go:65	Route POST - /v1/{iac}/{iacVersion}/{cloud}/local/file/scan
2021-05-18T18:33:14.591+0530	info	http-server/start.go:65	Route POST - /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan
2021-05-18T18:33:14.591+0530	info	http-server/start.go:65	Route GET - /k8s/webhooks/{apiKey}/logs
2021-05-18T18:33:14.591+0530	info	http-server/start.go:65	Route GET - /k8s/webhooks/logs/{uid}
2021-05-18T18:33:14.592+0530	info	http-server/start.go:65	Route POST - /v1/k8s/webhooks/{apiKey}/scan/validate
2021-05-18T18:33:14.592+0530	info	http-server/start.go:95	http server listening at port 9010
2021-05-18T18:33:19.345+0530	info	logging/logwriter.go:25	::1 - - "GET /health HTTP/1.1" 200 0
2021-05-18T18:33:42.464+0530	info	logging/logwriter.go:25	::1 - - "GET /health HTTP/1.1" 200 0
2021-05-18T18:33:53.427+0530	info	logging/logwriter.go:25	::1 - - "GET /health HTTP/1.1" 200 0
2021-05-18T18:34:01.815+0530	info	logging/logwriter.go:25	::1 - - "GET / HTTP/1.1" 404 0

In JSON fomat :

./bin/terrascan server --log-type json
{"level":"info","time":"2021-05-18T18:34:47.494+0530","file":"http-server/start.go:61","msg":"registering routes..."}
{"level":"info","time":"2021-05-18T18:34:47.494+0530","file":"http-server/start.go:65","msg":"Route GET - /health"}
{"level":"info","time":"2021-05-18T18:34:47.494+0530","file":"http-server/start.go:65","msg":"Route POST - /v1/{iac}/{iacVersion}/{cloud}/local/file/scan"}
{"level":"info","time":"2021-05-18T18:34:47.494+0530","file":"http-server/start.go:65","msg":"Route POST - /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan"}
{"level":"info","time":"2021-05-18T18:34:47.494+0530","file":"http-server/start.go:65","msg":"Route GET - /k8s/webhooks/{apiKey}/logs"}
{"level":"info","time":"2021-05-18T18:34:47.494+0530","file":"http-server/start.go:65","msg":"Route GET - /k8s/webhooks/logs/{uid}"}
{"level":"info","time":"2021-05-18T18:34:47.495+0530","file":"http-server/start.go:65","msg":"Route POST - /v1/k8s/webhooks/{apiKey}/scan/validate"}
{"level":"info","time":"2021-05-18T18:34:47.495+0530","file":"http-server/start.go:95","msg":"http server listening at port 9010"}
{"level":"info","time":"2021-05-18T18:34:52.123+0530","file":"logging/logwriter.go:25","msg":"::1 - - \"GET /health HTTP/1.1\" 200 0"}
{"level":"info","time":"2021-05-18T18:34:53.262+0530","file":"logging/logwriter.go:25","msg":"::1 - - \"GET /health HTTP/1.1\" 200 0"}
{"level":"info","time":"2021-05-18T18:34:54.702+0530","file":"logging/logwriter.go:25","msg":"::1 - - \"GET /health HTTP/1.1\" 200 0"}
{"level":"info","time":"2021-05-18T18:35:01.599+0530","file":"logging/logwriter.go:25","msg":"::1 - - \"GET / HTTP/1.1\" 404 0"}
{"level":"info","time":"2021-05-18T18:35:03.543+0530","file":"logging/logwriter.go:25","msg":"::1 - - \"GET / HTTP/1.1\" 404 0"}
{"level":"info","time":"2021-05-18T18:35:10.529+0530","file":"logging/logwriter.go:25","msg":"::1 - - \"GET /health HTTP/1.1\" 200 0"}

[codecov]

Codecov Report

Merging #785 (1282b93) into master (fafdda4) will decrease coverage by 0.21%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #785      +/-   ##
==========================================
- Coverage   75.20%   74.99%   -0.22%     
==========================================
  Files         112      113       +1     
  Lines        3453     3463      +10     
==========================================
  Hits         2597     2597              
- Misses        665      675      +10     
  Partials      191      191              

Impacted Files	Coverage Δ
pkg/http-server/start.go	0.00% <0.00%> (ø)
pkg/utils/http/response.go	0.00% <0.00%> (ø)

[kanchwala-yusuf]

I am wondering, why do we need a separate logwriter? The already created logger won't help in this case?

[devang-gaur]

the logwriter consumes the logger.

logger object doesn't implement the Writer interface. so had to create a logwriter object that does.

[kanchwala-yusuf]

Not sure if gorillaHandlers should be a part of the logging package? Looks more like a candiate for http utils.

[devang-gaur]

but its logging :)

[patilpankaj212]

the log formatter which is used by the gorilla handler would be only writing http(s) logs. So, I agree with @kanchwala-yusuf.
the log formatter (if required) can be moved.

[patilpankaj212]

This functions accepts a var of type time.Time but never uses it.

[patilpankaj212]

was the sole purpose of using a custom logging handler to remove the timestamp that is logged by the default log formatter provided by gorilla handlers?

[devang-gaur]

nope. its more than that. its apache standard http server log format.

[patilpankaj212]

The reason I asked is because, it seems to be the only difference between the default log formatter and the log formatter you have implemented. Can you please check once?
https://github.com/gorilla/handlers/blob/master/logging.go#L144

[patilpankaj212]

since the log writer only logs at the info level, we would end up logging the webhook apikey at info level. Is that expected?

[devang-gaur]

good catch. @kanchwala-yusuf wdyt? would that we severe security threat?

[devang-gaur]

Updated the PR as per the reviews. PTAL

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[devang-gaur]

This is how the logging output looks now.