Migrates various components in lib/srv to use slog (#49840)

* Convert srv.AuthHandlers to use slog * Convert srv.Heartbeat and srv.HeartbeatV2 to use slog * Convert srv.KeepAlive to use slog * Convert srv.Monitor to use slog * Convert srv.SessionControl to use slog * Convert srv.TermManager to use slog
gravitational · Dec 5, 2024 · ffa762d · ffa762d
1 parent 0131f45
commit ffa762d
Show file tree

Hide file tree

Showing 15 changed files with 134 additions and 118 deletions.
diff --git a/lib/kube/proxy/forwarder.go b/lib/kube/proxy/forwarder.go
@@ -25,6 +25,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log/slog"
 	"maps"
 	"net"
 	"net/http"
@@ -2348,9 +2349,11 @@ func (s *clusterSession) monitorConn(conn net.Conn, err error, hostID string) (n
 		Context:               s.connCtx,
 		TeleportUser:          s.User.GetName(),
 		ServerID:              s.parent.cfg.HostID,
-		Entry:                 s.parent.log,
-		Emitter:               s.parent.cfg.AuthClient,
-		EmitterContext:        s.parent.ctx,
+		// TODO(tross) update this to use the child logger
+		// once Forwarder is converted to use a slog.Logger
+		Logger:         slog.Default(),
+		Emitter:        s.parent.cfg.AuthClient,
+		EmitterContext: s.parent.ctx,
 	})
 	if err != nil {
 		tc.CloseWithCause(err)

diff --git a/lib/service/db.go b/lib/service/db.go
@@ -137,7 +137,7 @@ func (process *TeleportProcess) initDatabaseService() (retErr error) {
 		ServerID:       process.Config.HostUUID,
 		Emitter:        asyncEmitter,
 		EmitterContext: process.ExitContext(),
-		Logger:         process.log,
+		Logger:         process.logger,
 	})
 	if err != nil {
 		return trace.Wrap(err)

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -2967,7 +2967,7 @@ func (process *TeleportProcess) initSSH() error {
 			LockEnforcer:   lockWatcher,
 			Emitter:        &events.StreamerAndEmitter{Emitter: asyncEmitter, Streamer: conn.Client},
 			Component:      teleport.ComponentNode,
-			Logger:         process.log.WithField(teleport.ComponentKey, teleport.Component(teleport.ComponentNode, process.id)).WithField(teleport.ComponentKey, "sessionctrl"),
+			Logger:         process.logger.With(teleport.ComponentKey, teleport.Component(teleport.ComponentNode, process.id, "sessionctrl")),
 			TracerProvider: process.TracingProvider,
 			ServerID:       serverID,
 		})
@@ -4468,7 +4468,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 		LockEnforcer:   lockWatcher,
 		Emitter:        asyncEmitter,
 		Component:      teleport.ComponentProxy,
-		Logger:         process.log.WithField(teleport.ComponentKey, "sessionctrl"),
+		Logger:         process.logger.With(teleport.ComponentKey, "sessionctrl"),
 		TracerProvider: process.TracingProvider,
 		ServerID:       serverID,
 	})
@@ -4561,7 +4561,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 			ServerID:       cfg.HostUUID,
 			Emitter:        asyncEmitter,
 			EmitterContext: process.GracefulExitContext(),
-			Logger:         process.log,
+			Logger:         process.logger,
 		})
 		if err != nil {
 			return trace.Wrap(err)
@@ -4924,7 +4924,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 		ServerID:       serverID,
 		Emitter:        asyncEmitter,
 		EmitterContext: process.ExitContext(),
-		Logger:         process.log,
+		Logger:         process.logger,
 	})
 	if err != nil {
 		return trace.Wrap(err)
@@ -5142,7 +5142,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 			ServerID:       process.Config.HostUUID,
 			Emitter:        asyncEmitter,
 			EmitterContext: process.ExitContext(),
-			Logger:         process.log,
+			Logger:         process.logger,
 		})
 		if err != nil {
 			return trace.Wrap(err)
@@ -6024,7 +6024,7 @@ func (process *TeleportProcess) initApps() {
 			ServerID:            process.Config.HostUUID,
 			Emitter:             asyncEmitter,
 			EmitterContext:      process.ExitContext(),
-			Logger:              process.log,
+			Logger:              process.logger,
 			MonitorCloseChannel: process.Config.Apps.MonitorCloseChannel,
 		})
 		if err != nil {

diff --git a/lib/srv/authhandlers.go b/lib/srv/authhandlers.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"net"
 	"strconv"
 	"time"
@@ -30,7 +31,6 @@ import (
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 	"github.com/prometheus/client_golang/prometheus"
-	log "github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport"
@@ -123,7 +123,7 @@ func (c *AuthHandlerConfig) CheckAndSetDefaults() error {
 type AuthHandlers struct {
 	loginChecker
 
-	log *log.Entry
+	log *slog.Logger
 
 	c *AuthHandlerConfig
 }
@@ -140,7 +140,7 @@ func NewAuthHandlers(config *AuthHandlerConfig) (*AuthHandlers, error) {
 
 	ah := &AuthHandlers{
 		c:   config,
-		log: log.WithField(teleport.ComponentKey, config.Component),
+		log: slog.With(teleport.ComponentKey, config.Component),
 	}
 	ah.loginChecker = &ahLoginChecker{
 		log: ah.log,
@@ -284,10 +284,10 @@ func (h *AuthHandlers) CheckPortForward(addr string, ctx *ServerContext) error {
 				Error:   systemErrorMessage,
 			},
 		}); err != nil {
-			h.log.WithError(err).Warn("Failed to emit port forward deny audit event.")
+			h.log.WarnContext(h.c.Server.Context(), "Failed to emit port forward deny audit event", "error", err)
 		}
 
-		h.log.Warnf("Port forwarding request denied: %v.", systemErrorMessage)
+		h.log.WarnContext(h.c.Server.Context(), "Port forwarding request denied", "error", systemErrorMessage)
 
 		return trace.AccessDenied(userErrorMessage)
 	}
@@ -303,28 +303,38 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 	fingerprint := fmt.Sprintf("%v %v", key.Type(), sshutils.Fingerprint(key))
 
 	// create a new logging entry with info specific to this login attempt
-	log := h.log.WithField(teleport.ComponentFields, log.Fields{
-		"local":       conn.LocalAddr(),
-		"remote":      conn.RemoteAddr(),
-		"user":        conn.User(),
-		"fingerprint": fingerprint,
-	})
-
-	cid := fmt.Sprintf("conn(%v->%v, user=%v)", conn.RemoteAddr(), conn.LocalAddr(), conn.User())
-	log.Debugf("%v auth attempt", cid)
+	log := h.log.With(
+		"local_addr", conn.LocalAddr(),
+		"remote_addr", conn.RemoteAddr(),
+		"user", conn.User(),
+		"fingerprint", fingerprint,
+	)
 
 	cert, ok := key.(*ssh.Certificate)
-	log.Debugf("%v auth attempt with key %v, %#v", cid, fingerprint, cert)
 	if !ok {
-		log.Debugf("auth attempt, unsupported key type")
+		log.DebugContext(ctx, "rejecting auth attempt, unsupported key type")
 		return nil, trace.BadParameter("unsupported key type: %v", fingerprint)
 	}
+
+	log.DebugContext(ctx, "processing auth attempt with key",
+		slog.Group("cert",
+			"serial", cert.Serial,
+			"type", cert.CertType,
+			"key_id", cert.KeyId,
+			"valid_principals", cert.ValidPrincipals,
+			"valid_after", cert.ValidAfter,
+			"valid_before", cert.ValidBefore,
+			"permissions", cert.Permissions,
+			"reserved", cert.Reserved,
+		),
+	)
+
 	if len(cert.ValidPrincipals) == 0 {
-		log.Debugf("need a valid principal for key")
+		log.DebugContext(ctx, "rejecting auth attempt without valid principals")
 		return nil, trace.BadParameter("need a valid principal for key %v", fingerprint)
 	}
 	if len(cert.KeyId) == 0 {
-		log.Debugf("need a valid key ID for key")
+		log.DebugContext(ctx, "rejecting auth attempt without valid key ID")
 		return nil, trace.BadParameter("need a valid key for key %v", fingerprint)
 	}
 	teleportUser := cert.KeyId
@@ -380,7 +390,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 			message,
 			err,
 		); err != nil {
-			h.log.WithError(err).Warn("Failed to append Trace to ConnectionDiagnostic.")
+			h.log.WarnContext(ctx, "Failed to append Trace to ConnectionDiagnostic", "error", err)
 		}
 
 		if err := h.c.Emitter.EmitAuditEvent(h.c.Server.Context(), &apievents.AuthAttempt{
@@ -402,7 +412,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 				Error:   err.Error(),
 			},
 		}); err != nil {
-			h.log.WithError(err).Warn("Failed to emit failed login audit event.")
+			h.log.WarnContext(ctx, "Failed to emit failed login audit event", "error", err)
 		}
 
 		auditdMsg := auditd.Message{
@@ -412,7 +422,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 		}
 
 		if err := auditd.SendEvent(auditd.AuditUserErr, auditd.Failed, auditdMsg); err != nil {
-			log.Warnf("Failed to send an event to auditd: %v", err)
+			log.WarnContext(ctx, "Failed to send an event to auditd", "error", err)
 		}
 	}
 
@@ -433,7 +443,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 		recordFailedLogin(err)
 		return nil, trace.Wrap(err)
 	}
-	log.Debugf("Successfully authenticated")
+	log.DebugContext(ctx, "Successfully authenticated")
 
 	clusterName, err := h.c.AccessPoint.GetClusterName()
 	if err != nil {
@@ -452,7 +462,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 	case ssh.HostCert:
 		permissions.Extensions[utils.ExtIntCertType] = utils.ExtIntCertTypeHost
 	default:
-		log.Warnf("Unexpected cert type: %v", cert.CertType)
+		log.WarnContext(ctx, "Received unexpected cert type", "cert_type", cert.CertType)
 	}
 
 	if h.isProxy() {
@@ -464,7 +474,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 	// client's certificate
 	ca, err := h.authorityForCert(types.UserCA, cert.SignatureKey)
 	if err != nil {
-		log.Errorf("Permission denied: %v", err)
+		log.ErrorContext(ctx, "Permission denied", "error", err)
 		recordFailedLogin(err)
 		return nil, trace.Wrap(err)
 	}
@@ -483,7 +493,7 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s
 		err = h.canLoginWithRBAC(cert, ca, clusterName.GetClusterName(), h.c.Server.GetInfo(), teleportUser, conn.User())
 	}
 	if err != nil {
-		log.Errorf("Permission denied: %v", err)
+		log.ErrorContext(ctx, "Permission denied", "error", err)
 		recordFailedLogin(err)
 		return nil, trace.Wrap(err)
 	}
@@ -572,7 +582,7 @@ func (h *AuthHandlers) hostKeyCallback(hostname string, remote net.Addr, key ssh
 
 	// If strict host key checking is not enabled, log that Teleport trusted an
 	// insecure key, but allow the request to go through.
-	h.log.Warnf("Insecure configuration! Strict host key checking disabled, allowing login without checking host key of type %v.", key.Type())
+	h.log.WarnContext(ctx, "Insecure configuration! Strict host key checking disabled, allowing login without checking host key", "key_type", key.Type())
 	return nil
 }
 
@@ -591,7 +601,7 @@ func (h *AuthHandlers) IsUserAuthority(cert ssh.PublicKey) bool {
 // Teleport CA.
 func (h *AuthHandlers) IsHostAuthority(cert ssh.PublicKey, address string) bool {
 	if _, err := h.authorityForCert(types.HostCA, cert); err != nil {
-		h.log.Debugf("Unable to find SSH host CA: %v.", err)
+		h.log.DebugContext(h.c.Server.Context(), "Unable to find SSH host CA", "error", err)
 		return false
 	}
 	return true
@@ -607,7 +617,7 @@ type loginChecker interface {
 }
 
 type ahLoginChecker struct {
-	log *log.Entry
+	log *slog.Logger
 	c   *AuthHandlerConfig
 }
 
@@ -618,7 +628,7 @@ func (a *ahLoginChecker) canLoginWithRBAC(cert *ssh.Certificate, ca types.CertAu
 	// Use the server's shutdown context.
 	ctx := a.c.Server.Context()
 
-	a.log.Debugf("Checking permissions for (%v,%v) to login to node with RBAC checks.", teleportUser, osUser)
+	a.log.DebugContext(ctx, "Checking permissions for (%v,%v) to login to node with RBAC checks.", teleportUser, osUser)
 
 	// get roles assigned to this user
 	accessInfo, err := fetchAccessInfo(cert, ca, teleportUser, clusterName)
@@ -694,9 +704,9 @@ func fetchAccessInfo(cert *ssh.Certificate, ca types.CertAuthority, teleportUser
 // Certificate Authority and returns it.
 func (h *AuthHandlers) authorityForCert(caType types.CertAuthType, key ssh.PublicKey) (types.CertAuthority, error) {
 	// get all certificate authorities for given type
-	cas, err := h.c.AccessPoint.GetCertAuthorities(context.TODO(), caType, false)
+	cas, err := h.c.AccessPoint.GetCertAuthorities(h.c.Server.Context(), caType, false)
 	if err != nil {
-		h.log.Warnf("%v", trace.DebugReport(err))
+		h.log.WarnContext(h.c.Server.Context(), "failed retrieving cert authority", "error", err)
 		return nil, trace.Wrap(err)
 	}
 
@@ -705,7 +715,7 @@ func (h *AuthHandlers) authorityForCert(caType types.CertAuthType, key ssh.Publi
 	for i := range cas {
 		checkers, err := sshutils.GetCheckers(cas[i])
 		if err != nil {
-			h.log.Warnf("%v", err)
+			h.log.WarnContext(h.c.Server.Context(), "unable to get cert checker for ca", "ca", cas[i].GetName(), "error", err)
 			return nil, trace.Wrap(err)
 		}
 		for _, checker := range checkers {

diff --git a/lib/srv/ctx.go b/lib/srv/ctx.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"log/slog"
 	"net"
 	"os"
 	"strconv"
@@ -490,9 +491,11 @@ func NewServerContext(ctx context.Context, parent *sshutils.ConnectionContext, s
 		TeleportUser:          child.Identity.TeleportUser,
 		Login:                 child.Identity.Login,
 		ServerID:              child.srv.ID(),
-		Entry:                 child.Entry,
-		Emitter:               child.srv,
-		EmitterContext:        ctx,
+		// TODO(tross) update this to use the child logger
+		// once ServerContext is converted to use a slog.Logger
+		Logger:         slog.Default(),
+		Emitter:        child.srv,
+		EmitterContext: ctx,
 	}
 	for _, opt := range monitorOpts {
 		opt(&monitorConfig)

diff --git a/lib/srv/db/access_test.go b/lib/srv/db/access_test.go
@@ -2389,7 +2389,7 @@ func setupTestContext(ctx context.Context, t testing.TB, withDatabases ...withDa
 		ServerID:       testCtx.hostID,
 		Emitter:        testCtx.emitter,
 		EmitterContext: ctx,
-		Logger:         utils.NewLoggerForTests(),
+		Logger:         utils.NewSlogLoggerForTests(),
 	})
 	require.NoError(t, err)
 
@@ -2542,7 +2542,7 @@ func (c *testContext) setupDatabaseServer(ctx context.Context, t testing.TB, p a
 		ServerID:       p.HostID,
 		Emitter:        c.emitter,
 		EmitterContext: context.Background(),
-		Logger:         utils.NewLoggerForTests(),
+		Logger:         utils.NewSlogLoggerForTests(),
 	})
 	require.NoError(t, err)
 

diff --git a/lib/srv/desktop/windows_server.go b/lib/srv/desktop/windows_server.go
@@ -1000,7 +1000,7 @@ func (s *WindowsService) connectRDP(ctx context.Context, log *slog.Logger, tdpCo
 		Clock:                 s.cfg.Clock,
 		ClientIdleTimeout:     authCtx.Checker.AdjustClientIdleTimeout(netConfig.GetClientIdleTimeout()),
 		DisconnectExpiredCert: authCtx.GetDisconnectCertExpiry(authPref),
-		Entry:                 logrus.NewEntry(logrus.StandardLogger()),
+		Logger:                s.cfg.Logger,
 		Emitter:               s.cfg.Emitter,
 		EmitterContext:        s.closeCtx,
 		LockWatcher:           s.cfg.LockWatcher,