package logging
// This file contains example code showing how to integrate the security logger
// into various parts of the server application.
import (
	"errors"
	"fmt"

	"github.com/Fimeg/RedFlag/aggregator-server/internal/config"
	"github.com/Fimeg/RedFlag/aggregator-server/internal/models"
	"github.com/google/uuid"
	"github.com/jmoiron/sqlx"
)
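// ExampleInitializeSecurityLogger shows how main.go can build a SecurityLogger
// from the application config.
//
// The SecurityLogging section of cfg is copied field-for-field into a
// SecurityLogConfig and handed to NewSecurityLogger together with db.
// A nil cfg is rejected with an error instead of being dereferenced, and a
// construction failure is returned wrapped with %w so the caller can see
// which step failed while still matching the underlying error with
// errors.Is / errors.As.
func ExampleInitializeSecurityLogger(cfg *config.Config, db *sqlx.DB) (*SecurityLogger, error) {
	if cfg == nil {
		return nil, errors.New("initializing security logger: nil config")
	}

	// Map the config section onto the logger's own config type, one field
	// per option so a new option cannot be silently dropped.
	sl := cfg.SecurityLogging
	secConfig := SecurityLogConfig{
		Enabled:         sl.Enabled,
		Level:           sl.Level,
		LogSuccesses:    sl.LogSuccesses,
		FilePath:        sl.FilePath,
		MaxSizeMB:       sl.MaxSizeMB,
		MaxFiles:        sl.MaxFiles,
		RetentionDays:   sl.RetentionDays,
		LogToDatabase:   sl.LogToDatabase,
		HashIPAddresses: sl.HashIPAddresses,
	}

	securityLogger, err := NewSecurityLogger(secConfig, db)
	if err != nil {
		return nil, fmt.Errorf("creating security logger: %w", err)
	}
	return securityLogger, nil
}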
// ExampleAuthHandler shows the two calls an authentication handler would make
// when a request is rejected: one for a JWT that fails validation and one for
// an access attempt that is not authorized for the requested path.
func ExampleAuthHandler(securityLogger *SecurityLogger, clientIP string) {
	const (
		sampleToken  = "invalid.jwt.token"
		samplePath   = "/api/v1/admin/users"
		jwtReason    = "expired signature"
		accessReason = "insufficient privileges"
	)

	// The agent has not been identified at this point, so uuid.Nil stands in
	// for the agent ID.
	// NOTE(review): the token value itself is passed along here; confirm that
	// LogAuthJWTValidationFailure redacts or hashes it before it reaches the
	// log file or database.
	securityLogger.LogAuthJWTValidationFailure(uuid.Nil, sampleToken, jwtReason)

	// Unauthorized access to a protected route, again with no known agent.
	securityLogger.LogUnauthorizedAccessAttempt(clientIP, samplePath, accessReason, uuid.Nil)
}
// ExampleCommandVerificationHandler shows how a command handler reports the
// outcome of verifying a command signature.
//
// A failed verification is always logged through LogCommandVerificationFailure.
// A successful one is logged only when the logger's LogSuccesses option is set,
// as a CmdSignatureVerificationSuccess event carrying the command ID as a
// detail. The signature parameter is not inspected; the verification result
// is a stub that always fails.
func ExampleCommandVerificationHandler(securityLogger *SecurityLogger, agentID, commandID uuid.UUID, signature string) {
	// Stand-in for the real verification result; always false in this example.
	verified := false

	if !verified {
		securityLogger.LogCommandVerificationFailure(
			agentID,
			commandID,
			"signature mismatch: expected X, got Y",
		)
		return
	}

	// Success events are opt-in so that a busy server does not flood the log.
	if !securityLogger.config.LogSuccesses {
		return
	}
	event := models.NewSecurityEvent(
		"INFO",
		models.SecurityEventTypes.CmdSignatureVerificationSuccess,
		agentID,
		"Command signature verification succeeded",
	)
	// NOTE(review): WithDetail's return value is discarded; if it returns a
	// modified copy rather than mutating event in place, the command_id detail
	// is lost — confirm against its definition.
	event.WithDetail("command_id", commandID.String())
	securityLogger.Log(event)
}
// ExampleUpdateHandler shows the failure paths an update handler reports: a
// nonce that does not validate and an update signature that does not validate.
// Both checks are stubbed to fail so each logging call is exercised; updateData
// and signature are not inspected. The example does not stop after the nonce
// failure, so both events are emitted in order — a real handler would normally
// reject the update at the first failure.
func ExampleUpdateHandler(securityLogger *SecurityLogger, agentID uuid.UUID, updateData []byte, signature string) {
	const (
		sampleNonce    = "12345678-1234-1234-1234-123456789012" // constructed sample value
		sampleUpdateID = "update-123"                           // constructed sample value
	)

	// Stand-in for the real nonce lookup; always fails here.
	nonceOK := false
	if !nonceOK {
		securityLogger.LogNonceValidationFailure(agentID, sampleNonce, "nonce not found in database")
	}

	// Stand-in for the real signature check; always fails here.
	signatureOK := false
	if !signatureOK {
		securityLogger.LogUpdateSignatureValidationFailure(agentID, sampleUpdateID, "invalid signature format")
	}
}
// ExampleAgentRegistrationHandler shows how a registration handler records a
// rejected agent registration: the client's IP and the rejection reason are
// passed to LogAgentRegistrationFailed.
func ExampleAgentRegistrationHandler(securityLogger *SecurityLogger, clientIP string) {
	const reason = "invalid registration token"
	securityLogger.LogAgentRegistrationFailed(clientIP, reason)
}
// ExampleCheckPrivateKey shows how startup code can record that no signing
// private key is configured. LogPrivateKeyNotConfigured is emitted only when
// cfg.SigningPrivateKey is empty; a configured key produces no event.
func ExampleCheckPrivateKey(securityLogger *SecurityLogger, cfg *config.Config) {
	keyConfigured := cfg.SigningPrivateKey != ""
	if keyConfigured {
		return
	}
	securityLogger.LogPrivateKeyNotConfigured()
}