From a3f0e539073930af08f6fcf3341493dbc1379b88 Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Mon, 15 Jul 2024 14:38:41 -0500
Subject: [PATCH] Audit mode
Audit mode is triggered by the policy controller, which will create an authorization named "audit" allowing traffic for the given target. When the proxy processes an authorization with such name it will log it at INFO. Also, add "audit" to the possible values for `LINKERD2_PROXY_INBOUND_DEFAULT_POLICY`, whose effect is the same as "all-unauthenticated".
---
linkerd/app/inbound/src/policy/http.rs | 20 +++++++++++++++++++-
linkerd/app/inbound/src/policy/tcp.rs | 13 +++++++++++++
linkerd/app/src/env.rs | 2 +-
3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/linkerd/app/inbound/src/policy/http.rs b/linkerd/app/inbound/src/policy/http.rs
index 7f446f7778..0417d28fcb 100644
--- a/linkerd/app/inbound/src/policy/http.rs
+++ b/linkerd/app/inbound/src/policy/http.rs
@@ -202,7 +202,25 @@ impl HttpPolicyService {
 .iter()
 .find(|a| super::is_authorized(a, self.connection.client, &self.connection.tls))
 {
- Some(authz) => authz,
+ Some(authz) => {
+ if authz.meta.name() == "audit" {
+ tracing::info!(
+ server.group = %labels.server.0.group(),
+ server.kind = %labels.server.0.kind(),
+ server.name = %labels.server.0.name(),
+ route.group = %labels.route.group(),
+ route.kind = %labels.route.kind(),
+ route.name = %labels.route.name(),
+ client.tls = ?self.connection.tls,
+ client.ip = %self.connection.client.ip(),
+ authz.group = %authz.meta.group(),
+ authz.kind = %authz.meta.kind(),
+ authz.name = %authz.meta.name(),
+ "Request allowed",
+ );
+ }
+ authz
+ }
 None => {
 tracing::info!(
 server.group = %labels.server.0.group(),
diff --git a/linkerd/app/inbound/src/policy/tcp.rs b/linkerd/app/inbound/src/policy/tcp.rs
index 9cf0b74317..d24416386f 100644
--- a/linkerd/app/inbound/src/policy/tcp.rs
+++ b/linkerd/app/inbound/src/policy/tcp.rs
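Review bot: The audit branch keys on `authz.meta.name() == "audit"` alone, so any authorization a user happens to name `audit` — not only the one the policy controller synthesizes — is reported as an audit allow on every request; if the synthesized authorization carries a distinguishing group or kind, match on that together with the name, and lift the literal into a shared `const AUDIT_AUTHZ_NAME: &str = "audit";` used here and in the tcp.rs hunk, which performs the same check. Because `.find` stops at the first authorization that permits the request, whether an audit event is emitted for a request that some other authorization would also allow depends on the order in which the controller lists them; if the intent is to log only traffic that would otherwise be denied, that ordering contract deserves a comment next to the check. The new field list is a copy of the deny log in the `None` arm; a small helper taking `labels`, the connection and the authorization meta would keep the two in step. The enclosing `match` and its method begin and end outside the hunk.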
@@ -194,6 +194,19 @@ fn check_authorized(
 {
 for authz in &**authzs {
 if super::is_authorized(authz, client_addr, tls) {
+ if authz.meta.name() == "audit" {
+ tracing::info!(
+ server.group = %server.meta.group(),
+ server.kind = %server.meta.kind(),
+ server.name = %server.meta.name(),
+ client.tls = ?tls,
+ client.ip = %client_addr.ip(),
+ authz.group = %authz.meta.group(),
+ authz.kind = %authz.meta.kind(),
+ authz.name = %authz.meta.name(),
+ "Request allowed",
+ );
+ }
 return Ok(ServerPermit::new(dst, server, authz));
 }
 }
diff --git a/linkerd/app/src/env.rs b/linkerd/app/src/env.rs
index f0a2115222..154d510c8c 100644
--- a/linkerd/app/src/env.rs
+++ b/linkerd/app/src/env.rs
@@ -1008,7 +1008,7 @@ fn parse_default_policy(
 "all-authenticated" => {
 Ok(inbound::policy::defaults::all_authenticated(detect_timeout).into())
 }
- "all-unauthenticated" => {
+ "all-unauthenticated" | "audit" => {
 Ok(inbound::policy::defaults::all_unauthenticated(detect_timeout).into())
 }
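Review bot: The message `"Request allowed"` is emitted from `check_authorized`, which authorizes a TCP connection rather than an HTTP request, so `"Connection allowed"` would describe the event accurately and keep this audit line distinguishable from the HTTP one when logs are searched. The event is emitted immediately before `return Ok(ServerPermit::new(dst, server, authz))`, so a one-line comment such as `// Audit-mode authorization: record the allow so otherwise-denied traffic is visible.` above the `if` would explain why an allow is logged at INFO here. `check_authorized` begins and ends outside the hunk.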