mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
117 lines
3.5 KiB
Go
117 lines
3.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"encoding/json"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/containerd/log"
|
|
"github.com/moby/moby/v2/daemon/server/httpstatus"
|
|
"github.com/moby/moby/v2/daemon/server/httputils"
|
|
"github.com/moby/moby/v2/pkg/ioutils"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// DebugRequestMiddleware dumps the request to logger
|
|
func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
|
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
|
logger := log.G(ctx)
|
|
|
|
// Use a variable for fields to prevent overhead of repeatedly
|
|
// calling WithFields.
|
|
fields := log.Fields{
|
|
"module": "api",
|
|
"method": r.Method,
|
|
"request-url": r.RequestURI,
|
|
"vars": vars,
|
|
}
|
|
handleWithLogs := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
|
logger.WithFields(fields).Debugf("handling %s request", r.Method)
|
|
err := handler(ctx, w, r, vars)
|
|
if err != nil {
|
|
// TODO(thaJeztah): unify this with Server.makeHTTPHandler, which also logs internal server errors as error-log. See https://github.com/moby/moby/pull/48740#discussion_r1816675574
|
|
fields["error-response"] = err
|
|
fields["status"] = httpstatus.FromError(err)
|
|
logger.WithFields(fields).Debugf("error response for %s request", r.Method)
|
|
}
|
|
return err
|
|
}
|
|
|
|
if r.Method != http.MethodPost {
|
|
return handleWithLogs(ctx, w, r, vars)
|
|
}
|
|
if err := httputils.CheckForJSON(r); err != nil {
|
|
return handleWithLogs(ctx, w, r, vars)
|
|
}
|
|
maxBodySize := 4096 // 4KB
|
|
if r.ContentLength > int64(maxBodySize) {
|
|
return handleWithLogs(ctx, w, r, vars)
|
|
}
|
|
|
|
body := r.Body
|
|
bufReader := bufio.NewReaderSize(body, maxBodySize)
|
|
r.Body = ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
|
|
|
|
b, err := bufReader.Peek(maxBodySize)
|
|
if err != io.EOF {
|
|
// either there was an error reading, or the buffer is full (in which case the request is too large)
|
|
return handleWithLogs(ctx, w, r, vars)
|
|
}
|
|
|
|
var postForm map[string]any
|
|
if err := json.Unmarshal(b, &postForm); err == nil {
|
|
maskSecretKeys(postForm)
|
|
// TODO(thaJeztah): is there a better way to detect if we're using JSON-formatted logs?
|
|
if _, ok := logger.Logger.Formatter.(*logrus.JSONFormatter); ok {
|
|
fields["form-data"] = postForm
|
|
} else {
|
|
if data, err := json.Marshal(postForm); err != nil {
|
|
fields["form-data"] = postForm
|
|
} else {
|
|
fields["form-data"] = string(data)
|
|
}
|
|
}
|
|
}
|
|
|
|
return handleWithLogs(ctx, w, r, vars)
|
|
}
|
|
}
|
|
|
|
func maskSecretKeys(inp any) {
|
|
if arr, ok := inp.([]any); ok {
|
|
for _, f := range arr {
|
|
maskSecretKeys(f)
|
|
}
|
|
return
|
|
}
|
|
|
|
if form, ok := inp.(map[string]any); ok {
|
|
scrub := []string{
|
|
// Note: The Data field contains the base64-encoded secret in 'secret'
|
|
// and 'config' create and update requests. Currently, no other POST
|
|
// API endpoints use a data field, so we scrub this field unconditionally.
|
|
// Change this handling to be conditional if a new endpoint is added
|
|
// in future where this field should not be scrubbed.
|
|
"data",
|
|
"jointoken",
|
|
"password",
|
|
"secret",
|
|
"signingcakey",
|
|
"unlockkey",
|
|
}
|
|
loop0:
|
|
for k, v := range form {
|
|
for _, m := range scrub {
|
|
if strings.EqualFold(m, k) {
|
|
form[k] = "*****"
|
|
continue loop0
|
|
}
|
|
}
|
|
maskSecretKeys(v)
|
|
}
|
|
}
|
|
}
|