Add support for audit publishing

Add the support for actually sending the audit messages, or logging them using the standard logging mechanisms. Change-Id: I98067da8db4987f9f9859a8c6d5443a94677f856
2015-11-06 15:02:10 +11:00 · 2015-11-06 15:02:10 +11:00 · d7d6db29c7
parent fc9f4a44ff
commit d7d6db29c7
6 changed files with 71 additions and 6 deletions
--- a/anchor/app.py
+++ b/anchor/app.py
@ -22,6 +22,7 @@ import paste
 from paste import translogger  # noqa
 import pecan

+from anchor import audit
 from anchor import jsonloader

 logger = logging.getLogger(__name__)
@ -86,6 +87,26 @@ def validate_config(conf):
        logger.info("Checking config for authentication method: %s", name)
        validate_authentication_config(name, conf)

+    validate_audit_config(conf)
+
+
+def validate_audit_config(conf):
+    valid_targets = ('messaging', 'log')
+
+    if not conf.config.get('audit'):
+        # no audit configuration - that's ok
+        return
+
+    audit_conf = conf.audit
+    if audit_conf.get('target', 'log') not in valid_targets:
+        raise ConfigValidationException(
+            "Audit target not known (expected one of %s)" % (
+                ", ".join(valid_targets),))
+
+    if audit_conf.get('target') == 'messaging':
+        if audit_conf.get('url') is None:
+            raise ConfigValidationException("Audit url required")
+

 def validate_authentication_config(name, conf):
    auth_conf = conf.authentication[name]
@ -228,6 +249,8 @@ def setup_app(config):
    load_config()
    validate_config(jsonloader.conf)

+    audit.init_audit()
+
    app = pecan.make_app(
        app_conf.pop('root'),
        logging=config.logging,
--- a/anchor/audit/init.py
+++ b/anchor/audit/init.py
@ -13,6 +13,10 @@

 import logging

+from anchor import jsonloader
+
+import oslo_config
+import oslo_messaging
 from pycadf import cadftaxonomy
 from pycadf import event
 from pycadf import identifier
@ -20,12 +24,17 @@ from pycadf import resource


 logger = logging.getLogger(__name__)
+target = None
+notifier = None


-def _emit_event(ev):
-    # no actual implementation yet
-    if not ev.is_valid():
-        logger.error("created invalid audit event: %s", ev)
+def _emit_event(event_type, payload):
+    if not payload.is_valid():
+        logger.error("created invalid audit event: %s", payload)
+        return
+
+    if notifier is not None:
+        notifier.info({}, event_type, payload.as_dict())


 def _event_defaults(result):
@ -77,7 +86,7 @@ def emit_auth_event(ra_name, username, result):
    auth_res = _auth_resource(ra_name)
    params['observer'] = auth_res
    params['target'] = auth_res
-    _emit_event(event.Event(**params))
+    _emit_event('audit.auth', event.Event(**params))


 def emit_signing_event(ra_name, username, result, fingerprint=None):
@ -88,4 +97,20 @@ def emit_signing_event(ra_name, username, result, fingerprint=None):
    params['target'] = _certificate_resource(fingerprint)
    # add when pycadf merges event names
    # params['name'] = "certificate signing"
-    _emit_event(event.Event(**params))
+    _emit_event('audit.sign', event.Event(**params))
+
+
+def init_audit():
+    global target
+    global notifier
+    audit_conf = jsonloader.config_for_audit()
+    if audit_conf is None:
+        return
+
+    target = audit_conf.get('target', 'log')
+    cfg = oslo_config.cfg.ConfigOpts()
+    if target == 'messaging':
+        transport = oslo_messaging.get_transport(cfg, url=audit_conf['url'])
+    else:
+        transport = oslo_messaging.get_transport(cfg)
+    notifier = oslo_messaging.Notifier(transport, 'anchor', driver=target)
--- a/anchor/jsonloader.py
+++ b/anchor/jsonloader.py
@ -96,6 +96,15 @@ class AnchorConf():
 conf = AnchorConf(logger)


+def config_for_audit():
+    """Get configuration for a given name."""
+    try:
+        return conf.audit
+    except AttributeError:
+        # it's ok not to configure audit
+        return None
+
+
 def config_for_registration_authority(ra_name):
    """Get configuration for a given name."""
    return conf.registration_authority[ra_name]
--- a/config.json
+++ b/config.json
@ -30,5 +30,8 @@
        }
      }
    }
+  },
+  "audit": {
+    "target": "log"
  }
 }
--- a/config.py
+++ b/config.py
@ -37,6 +37,9 @@ logging = {
        "wsgi": {
            "level": "INFO"
        },
+        "oslo_messaging": {
+            "level": "DEBUG"
+        },
    },
    "root": {
        "handlers": ["console"],
--- a/requirements.txt
+++ b/requirements.txt
@ -11,3 +11,5 @@ ldap3>=0.9.8.2 # LGPLv3
 requests!=2.8.0,>=2.5.2
 stevedore>=1.5.0 # Apache-2.0
 pycadf>=1.1.0
+oslo.config>=2.7.0 # Apache-2.0
+oslo.messaging>2.6.1,!=2.8.0 # Apache-2.0