diff --git a/lib/auth/join.go b/lib/auth/join.go index 53880bf9955e2..00d4f8847f1e9 100644 --- a/lib/auth/join.go +++ b/lib/auth/join.go @@ -22,13 +22,12 @@ import ( "context" "crypto/rand" "encoding/base64" - "fmt" + "log/slog" "net" "slices" "strings" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "google.golang.org/grpc/peer" "google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/timestamppb" @@ -60,7 +59,11 @@ func (a *Server) checkTokenJoinRequestCommon(ctx context.Context, req *types.Reg // make sure the token is valid provisionToken, err := a.ValidateToken(ctx, req.Token) if err != nil { - log.Warningf("%q can not join the cluster with role %s, token error: %v", req.NodeName, req.Role, err) + a.logger.WarnContext(ctx, "cannot join the cluster with invalid token", + "node_name", req.NodeName, + "role", req.Role, + "error", err, + ) msg := "the token is not valid" // default to most generic message if strings.Contains(err.Error(), TokenExpiredOrNotFound) { // propagate ExpiredOrNotFound message so that clients can attempt @@ -80,17 +83,22 @@ func (a *Server) checkTokenJoinRequestCommon(ctx context.Context, req *types.Reg } } if !hasLocalServiceRole { - msg := fmt.Sprintf("%q [%v] cannot requisition instance certs (token contains no local service roles)", req.NodeName, req.HostID) - log.Warn(msg) - return nil, trace.AccessDenied(msg) + a.logger.WarnContext(ctx, "cannot requisition instance certs (token contains no local service roles)", + "node_name", req.NodeName, + "host_id", req.HostID, + ) + return nil, trace.AccessDenied("%s [%v] cannot requisition instance certs (token contains no local service roles)", req.NodeName, req.HostID) } } // make sure the caller is requesting a role allowed by the token if !provisionToken.GetRoles().Include(req.Role) && req.Role != types.RoleInstance { - msg := fmt.Sprintf("node %q [%v] can not join the cluster, the token does not allow %q role", req.NodeName, req.HostID, req.Role) - log.Warn(msg) - return nil, trace.BadParameter(msg) + a.logger.WarnContext(ctx, "token does not allow role to join the cluster", + "node_name", req.NodeName, + "host_id", req.HostID, + "role", req.Role, + ) + return nil, trace.BadParameter("node %q [%v] can not join the cluster, the token does not allow %q role", req.NodeName, req.HostID, req.Role) } return provisionToken, nil @@ -121,17 +129,20 @@ func setRemoteAddrFromContext(ctx context.Context, req *types.RegisterUsingToken // handleJoinFailure logs and audits the failure of a join. It is intentionally // designed to handle potential nullness of the input parameters. func (a *Server) handleJoinFailure( + ctx context.Context, origErr error, pt types.ProvisionToken, attributeSource joinAttributeSourcer, req *types.RegisterUsingTokenRequest, ) { - fields := logrus.Fields{} + attrs := []slog.Attr{slog.Any("error", origErr)} if req != nil { - fields["role"] = req.Role - fields["host_id"] = req.HostID - fields["node_name"] = req.NodeName - fields["remote_addr"] = req.RemoteAddr + attrs = append(attrs, []slog.Attr{ + slog.String("role", string(req.Role)), + slog.String("host_id", req.HostID), + slog.String("node_name", req.NodeName), + slog.String("remote_addr", req.RemoteAddr), + }...) } // Fetch and encode attributes if they are available. @@ -140,21 +151,21 @@ func (a *Server) handleJoinFailure( var err error attributes, err := attributeSource.JoinAuditAttributes() if err != nil { - log.WithError(err).Warn("Unable to fetch join attributes from join method") + a.logger.WarnContext(ctx, "Unable to fetch join attributes from join method", "error", err) } - fields["attributes"] = attributes + attrs = append(attrs, slog.Any("attributes", attributes)) attributesProto, err = apievents.EncodeMap(attributes) if err != nil { - log.WithError(err).Warn("Unable to encode join attributes for audit event") + a.logger.WarnContext(ctx, "Unable to encode join attributes for audit event", "error", err) } } // Add log fields from token if available. if pt != nil { - fields["join_method"] = string(pt.GetJoinMethod()) - fields["token_name"] = pt.GetSafeName() + attrs = append(attrs, slog.String("join_method", string(pt.GetJoinMethod()))) + attrs = append(attrs, slog.String("token_name", pt.GetSafeName())) } - log.WithError(origErr).WithFields(fields).Warn("Failure to join cluster occurred") + a.logger.LogAttrs(ctx, slog.LevelWarn, "Failure to join cluster occurred", attrs...) var evt apievents.AuditEvent status := apievents.Status{ @@ -201,7 +212,7 @@ func (a *Server) handleJoinFailure( evt = instanceJoinEvent } if err := a.emitter.EmitAuditEvent(a.closeCtx, evt); err != nil { - log.WithError(err).Warn("Failed to emit failed join event") + a.logger.WarnContext(ctx, "Failed to emit failed join event", "error", err) } } @@ -222,7 +233,7 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin defer func() { // Emit a log message and audit event on join failure. if err != nil { - a.handleJoinFailure(err, provisionToken, joinAttributeSrc, req) + a.handleJoinFailure(ctx, err, provisionToken, joinAttributeSrc, req) } }() @@ -398,16 +409,16 @@ func (a *Server) generateCertsBot( if joinAttributeSrc != nil { attributes, err := joinAttributeSrc.JoinAuditAttributes() if err != nil { - log.WithError(err).Warn("Unable to fetch join attributes from join method.") + a.logger.WarnContext(ctx, "Unable to fetch join attributes from join method", "error", err) } joinEvent.Attributes, err = apievents.EncodeMap(attributes) if err != nil { - log.WithError(err).Warn("Unable to encode join attributes for audit event.") + a.logger.WarnContext(ctx, "Unable to encode join attributes for audit event", "error", err) } auth.Metadata, err = structpb.NewStruct(attributes) if err != nil { - log.WithError(err).Warn("Unable to encode struct value for join metadata.") + a.logger.WarnContext(ctx, "Unable to encode struct value for join metadata", "error", err) } } @@ -432,16 +443,20 @@ func (a *Server) generateCertsBot( if shouldDeleteToken { // delete ephemeral bot join tokens so they can't be re-used if err := a.DeleteToken(ctx, provisionToken.GetName()); err != nil { - log.WithError(err).Warnf("Could not delete bot provision token %q after generating certs", - provisionToken.GetSafeName(), + a.logger.WarnContext(ctx, "Could not delete bot provision token after generating certs", + "provision_token", provisionToken.GetSafeName(), + "error", err, ) } } // Emit audit event for bot join. - log.Infof("Bot %q (instance: %s) has joined the cluster.", botName, botInstanceID) + a.logger.InfoContext(ctx, "Bot has joined the cluster", + "bot_name", botName, + "bot_instance", botInstanceID, + ) if err := a.emitter.EmitAuditEvent(ctx, joinEvent); err != nil { - log.WithError(err).Warn("Failed to emit bot join event.") + a.logger.WarnContext(ctx, "Failed to emit bot join event", "error", err) } return certs, nil } @@ -464,7 +479,7 @@ func (a *Server) generateCerts( if r.IsLocalService() { systemRoles = append(systemRoles, r) } else { - log.Warnf("Omitting non-service system role from instance cert: %q", r) + a.logger.WarnContext(ctx, "Omitting non-service system role from instance cert", "system_role", string(r)) } } } @@ -488,9 +503,18 @@ func (a *Server) generateCerts( // Emit audit event if req.Role == types.RoleInstance { - log.Infof("Instance %q [%v] has joined the cluster. role=%s, systemRoles=%+v", req.NodeName, req.HostID, req.Role, systemRoles) + a.logger.InfoContext(ctx, "Instance has joined the cluster", + "node_name", req.NodeName, + "host_id", req.HostID, + "role", req.Role, + "system_roles", systemRoles, + ) } else { - log.Infof("Instance %q [%v] has joined the cluster. role=%s", req.NodeName, req.HostID, req.Role) + a.logger.InfoContext(ctx, "Instance has joined the cluster", + "node_name", req.NodeName, + "host_id", req.HostID, + "role", req.Role, + ) } joinEvent := &apievents.InstanceJoin{ Metadata: apievents.Metadata{ @@ -513,15 +537,15 @@ func (a *Server) generateCerts( if joinAttributeSrc != nil { attributes, err := joinAttributeSrc.JoinAuditAttributes() if err != nil { - log.WithError(err).Warn("Unable to fetch join attributes from join method.") + a.logger.WarnContext(ctx, "Unable to fetch join attributes from join method", "error", err) } joinEvent.Attributes, err = apievents.EncodeMap(attributes) if err != nil { - log.WithError(err).Warn("Unable to encode join attributes for audit event.") + a.logger.WarnContext(ctx, "Unable to encode join attributes for audit event", "error", err) } } if err := a.emitter.EmitAuditEvent(ctx, joinEvent); err != nil { - log.WithError(err).Warn("Failed to emit instance join event.") + a.logger.WarnContext(ctx, "Failed to emit instance join event", "error", err) } return certs, nil } diff --git a/lib/auth/join_azure.go b/lib/auth/join_azure.go index 721a53ff2d7fa..70ae17918b7fa 100644 --- a/lib/auth/join_azure.go +++ b/lib/auth/join_azure.go @@ -366,9 +366,7 @@ func (a *Server) RegisterUsingAzureMethodWithOpts( defer func() { // Emit a log message and audit event on join failure. if err != nil { - a.handleJoinFailure( - err, provisionToken, nil, joinRequest, - ) + a.handleJoinFailure(ctx, err, provisionToken, nil, joinRequest) } }() diff --git a/lib/auth/join_gcp.go b/lib/auth/join_gcp.go index a6cf1db4ccd7e..9cfecca822637 100644 --- a/lib/auth/join_gcp.go +++ b/lib/auth/join_gcp.go @@ -24,7 +24,6 @@ import ( "strings" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/gcp" @@ -50,17 +49,18 @@ func (a *Server) checkGCPJoinRequest(ctx context.Context, req *types.RegisterUsi claims, err := a.gcpIDTokenValidator.Validate(ctx, req.IDToken) if err != nil { - log.WithFields(logrus.Fields{ - "claims": claims, - "token": pt.GetName(), - }).WithError(err).Warn("Unable to validate GCP IDToken") + a.logger.WarnContext(ctx, "Unable to validate GCP IDToken", + "error", err, + "claims", claims, + "token", pt.GetName(), + ) return nil, trace.Wrap(err) } - log.WithFields(logrus.Fields{ - "claims": claims, - "token": pt.GetName(), - }).Info("GCP VM trying to join cluster") + a.logger.InfoContext(ctx, "GCP VM trying to join cluster", + "claims", claims, + "token", pt.GetName(), + ) if err := checkGCPAllowRules(token, claims); err != nil { return nil, trace.Wrap(err) diff --git a/lib/auth/join_github.go b/lib/auth/join_github.go index 226f1c501c6b0..87d9e0aaa3ea4 100644 --- a/lib/auth/join_github.go +++ b/lib/auth/join_github.go @@ -24,7 +24,6 @@ import ( "time" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/githubactions" @@ -87,10 +86,10 @@ func (a *Server) checkGitHubJoinRequest(ctx context.Context, req *types.Register } } - log.WithFields(logrus.Fields{ - "claims": claims, - "token": pt.GetName(), - }).Info("Github actions run trying to join cluster") + a.logger.InfoContext(ctx, "Github actions run trying to join cluster", + "claims", claims, + "token", pt.GetName(), + ) return claims, trace.Wrap(checkGithubAllowRules(token, claims)) } diff --git a/lib/auth/join_gitlab.go b/lib/auth/join_gitlab.go index e20b9f8f343d8..0296c9ad3ed24 100644 --- a/lib/auth/join_gitlab.go +++ b/lib/auth/join_gitlab.go @@ -24,7 +24,6 @@ import ( "strings" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/gitlab" @@ -57,10 +56,10 @@ func (a *Server) checkGitLabJoinRequest(ctx context.Context, req *types.Register return nil, trace.Wrap(err) } - log.WithFields(logrus.Fields{ - "claims": claims, - "token": pt.GetName(), - }).Info("GitLab CI run trying to join cluster") + a.logger.InfoContext(ctx, "GitLab CI run trying to join cluster", + "claims", claims, + "token", pt.GetName(), + ) return claims, trace.Wrap(checkGitLabAllowRules(token, claims)) } diff --git a/lib/auth/join_iam.go b/lib/auth/join_iam.go index ba2209105c7c0..5ca3f4af1877d 100644 --- a/lib/auth/join_iam.go +++ b/lib/auth/join_iam.go @@ -344,9 +344,7 @@ func (a *Server) RegisterUsingIAMMethodWithOpts( defer func() { // Emit a log message and audit event on join failure. if err != nil { - a.handleJoinFailure( - err, provisionToken, nil, joinRequest, - ) + a.handleJoinFailure(ctx, err, provisionToken, nil, joinRequest) } }() diff --git a/lib/auth/join_kubernetes.go b/lib/auth/join_kubernetes.go index d5bbc6586d831..317f6cc7dfd3e 100644 --- a/lib/auth/join_kubernetes.go +++ b/lib/auth/join_kubernetes.go @@ -24,7 +24,6 @@ import ( "time" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" kubetoken "github.com/gravitational/teleport/lib/kube/token" @@ -82,10 +81,10 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi ) } - log.WithFields(logrus.Fields{ - "validated_identity": result, - "token": token.GetName(), - }).Info("Kubernetes workload trying to join cluster") + a.logger.InfoContext(ctx, "Kubernetes workload trying to join cluster", + "validated_identity", result, + "token", token.GetName(), + ) return result, trace.Wrap(checkKubernetesAllowRules(token, result)) } diff --git a/lib/auth/join_spacelift.go b/lib/auth/join_spacelift.go index 30fecf5424abd..67b84de5f0e38 100644 --- a/lib/auth/join_spacelift.go +++ b/lib/auth/join_spacelift.go @@ -23,7 +23,6 @@ import ( "fmt" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/modules" @@ -64,10 +63,10 @@ func (a *Server) checkSpaceliftJoinRequest(ctx context.Context, req *types.Regis return nil, trace.Wrap(err) } - log.WithFields(logrus.Fields{ - "claims": claims, - "token": pt.GetName(), - }).Info("Spacelift run trying to join cluster") + a.logger.InfoContext(ctx, "Spacelift run trying to join cluster", + "claims", claims, + "token", pt.GetName(), + ) return claims, trace.Wrap(checkSpaceliftAllowRules(token, claims)) } diff --git a/lib/auth/join_terraformcloud.go b/lib/auth/join_terraformcloud.go index 9302004858608..827319733a39a 100644 --- a/lib/auth/join_terraformcloud.go +++ b/lib/auth/join_terraformcloud.go @@ -23,7 +23,6 @@ import ( "fmt" "github.com/gravitational/trace" - "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/modules" @@ -75,10 +74,10 @@ func (a *Server) checkTerraformCloudJoinRequest(ctx context.Context, req *types. return nil, trace.Wrap(err) } - log.WithFields(logrus.Fields{ - "claims": claims, - "token": pt.GetName(), - }).Info("Terraform Cloud run trying to join cluster") + a.logger.InfoContext(ctx, "Terraform Cloud run trying to join cluster", + "claims", claims, + "token", pt.GetName(), + ) return claims, trace.Wrap(checkTerraformCloudAllowRules(token, claims)) } diff --git a/lib/auth/join_tpm.go b/lib/auth/join_tpm.go index 05bf9e3c35a54..12463e8ecd811 100644 --- a/lib/auth/join_tpm.go +++ b/lib/auth/join_tpm.go @@ -43,9 +43,7 @@ func (a *Server) RegisterUsingTPMMethod( defer func() { // Emit a log message and audit event on join failure. if err != nil { - a.handleJoinFailure( - err, provisionToken, attributeSrc, initReq.JoinRequest, - ) + a.handleJoinFailure(ctx, err, provisionToken, attributeSrc, initReq.JoinRequest) } }()