Fix incomplete access logs #1273
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
scottinet
commented
Mar 26, 2019
| @@ -104,7 +104,7 @@ describe('lib/core/api/core/entrypoints/embedded/index', () => { | |||
|
|
|||
| entrypoint = new EntryPoint(kuzzle); | |||
|
|
|||
| Object.defineProperty(entrypoint, 'log', { | |||
| Object.defineProperty(entrypoint, 'logger', { | |||
There was a problem hiding this comment.
Unit tests were broken because they checked that the logger was never called... but sinon's spies were put on the wrong entrypoint property name, so the checks always passed 😑
Codecov Report
@@ Coverage Diff @@
## 1-dev #1273 +/- ##
==========================================
+ Coverage 93.75% 93.77% +0.02%
==========================================
Files 98 98
Lines 6793 6800 +7
==========================================
+ Hits 6369 6377 +8
+ Misses 424 423 -1
Continue to review full report at Codecov.
|
alexandrebouthinon
requested changes
Mar 27, 2019
| user = '-'; | ||
| } | ||
|
|
||
| this.logger.info(ip + |
There was a problem hiding this comment.
Why don't you use string literals?
There was a problem hiding this comment.
Because that would be impractical and hard to read in this very specific case, given the amount of variables used to create an access log message.
alexandrebouthinon
approved these changes
Mar 27, 2019
benoitvidis
approved these changes
Mar 28, 2019
Yoann-Abbes
reviewed
Apr 8, 2019
| try { | ||
| const | ||
| b64Payload = request.input.jwt.split('.')[1], | ||
| payload = Buffer.from(b64Payload, 'base64').toString('utf8'); | ||
| user = JSON.parse(payload)._id; | ||
| } | ||
| catch (err) { | ||
| this.kuzzle.pluginsManager.trigger('log:warn', `Unable to extract user from jwt token: ${request.input.jwt}`); | ||
| // do nothing: we don't know anything about the token, it may be | ||
| // invalid on-purpose for all we know |
There was a problem hiding this comment.
I don't understand this comment : how and in wich case the token would be invalid on-purpose ?
There was a problem hiding this comment.
Forgery.
We're dealing with data coming from the outside, so nothing can be trusted.
ballinette
reviewed
Apr 8, 2019
ballinette
reviewed
Apr 8, 2019
| verb = extra.method; | ||
| url = extra.url; | ||
|
|
||
| // try to get plain user name, 1st form jwt token if present, then from basic auth | ||
| if (connection.headers.authorization) { | ||
| // try to get plain user name, 1st form jwt token if present, then from |
There was a problem hiding this comment.
very-nitpicking: s/1st form jwt token/1st from jwt token/ ;)
ballinette
reviewed
Apr 8, 2019
ballinette
approved these changes
Apr 8, 2019
Merged
Aschen
pushed a commit
that referenced
this pull request
Apr 29, 2019
# [1.7.3](https://github.com/kuzzleio/kuzzle/releases/tag/1.7.3) (2019-04-29) #### Bug fixes - [ [#1288](#1288) ] [bulk] fix an error when trying a non-partial bulk update ([scottinet](https://github.com/scottinet)) - [ [#1286](#1286) ] [bugfix] allows bulk inserts on aliases ([benoitvidis](https://github.com/benoitvidis)) - [ [#1282](#1282) ] [bugfix] scan keys on redis cluster ([benoitvidis](https://github.com/benoitvidis)) - [ [#1279](#1279) ] Users must be authenticated to use auth:logout ([scottinet](https://github.com/scottinet)) #### Enhancements - [ [#1292](#1292) ] KZL 1032 - Throw an error when the realtime controller is invoked by plugin developers ([benoitvidis](https://github.com/benoitvidis)) - [ [#1257](#1257) ] Add ability to define mapping policy for new fields ([Aschen](https://github.com/Aschen)) - [ [#1291](#1291) ] [Kuzzle CLI] Fix --help on subcommands ([Yoann-Abbes](https://github.com/Yoann-Abbes)) - [ [#1289](#1289) ] [WebSocket] Handle ping/pong packets ([scottinet](https://github.com/scottinet)) - [ [#1273](#1273) ] Fix incomplete access logs ([scottinet](https://github.com/scottinet)) ---
Merged
Aschen
added a commit
that referenced
this pull request
Jun 14, 2019
Release 1.8.0
Bug fixes
[ #1311 ] Fix promise leaks (scottinet)
[ #1298 ] Fix disabled protocol initialization (Aschen)
[ #1297 ] Fix timeouts on plugin action returing the request (benoitvidis)
[ #1288 ] Fix an error when trying a non-partial bulk update (scottinet)
[ #1286 ] Allows bulk inserts on aliases (benoitvidis)
[ #1282 ] Scan keys on redis cluster (benoitvidis)
[ #1279 ] Users must be authenticated to use auth:logout (scottinet)
New features
[ #1315 ] Add the new Vault module to handle encrypted application secrets (Aschen)
[ #1302 ] Add write and mWrite (Aschen)
[ #1305 ] Add pipes & hooks wildcard event (thomasarbona)
Enhancements
[ #1318 ] Add a maximum ttl to auth:login (benoitvidis)
[ #1301 ] Upgrade the WebSocket libraries (scottinet)
[ #1308 ] Events triggering refactor (scottinet)
[ #1300 ] Collection specifications methods cloisoned to a collection (thomasarbona)
[ #1295 ] Improve validation error messages (benoitvidis)
[ #1292 ] Throw an error when the realtime controller is invoked by plugin developers (benoitvidis)
[ #1257 ] Add ability to define mapping policy for new fields (Aschen)
[ #1291 ] Fix --help on subcommands (Yoann-Abbes)
[ #1289 ] Handle ping/pong packets (scottinet)
[ #1273 ] Fix incomplete access logs (scottinet)
Others
[ #1317 ] Add ps dependency to plugin-dev Docker image for pm2 (benoitvidis)
[ #1312 ] Check that .kuzzlerc.sample is well-formed (scottinet)
[ #1299 ] Add Kuzzle Nightly & Redis 3 and 4 test (alexandrebouthinon)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Context: access logs are invoked every time an API route is invoked, to keep a trace about Kuzzle's activity.
There are two problems with how access logs are currently handled:
No connection retrieved for connection id: <connection id>is logged. This is a problem, because, even if the connection had since dropped, the query was executed. This means that our access logs are incompletepluginsManager.triggerwhich creates a promise in the event loop. With enough activity, this can quickly clogs up the event loop and endanger Kuzzle's stabilityThis PR solves the 1st problem by simply using the provided
Requestobject, which holds basic connection and token informations, when the raw network connection object is not available (meaning that the connection no longer exists).The second problem is solved by simply removing the usages of the
log:xxxevents, as those didn't provide valuable information at all.Other changes
When printing an access log, we now print
(anonymous)instead of-1when a query is executed by an unauthenticated user.How to test
server.logs.transports.silent = falsein the kuzzlerc configuration fileBefore this PR: many
No connection retrieved for connection id...warnings are printed on the console. With this PR: access logs are properly printed even on dead connections.Moreover, Kuzzle takes far less time to recover with this PR than without, because less promises are put on the event loop.
Script that you can use to test this PR: