From 654dd5ee47d0b2a38506cd76f91faf1497a19f14 Mon Sep 17 00:00:00 2001
From: Nathan Oyler
Date: Mon, 10 Jun 2019 10:32:05 -0700
Subject: [PATCH] Add cadf auditing to credentials
added audit logging to credentials. This backport is a bit different than the original patch, since we don't have the adds caching of credentials patch find on commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1 and we were not able to backport it. Also, since there was no flask support on stable/queens we needed to backport the audit initiator on keystone/api/credentials.py stable/rocky: https://review.opendev.org/#/c/711547 stable/stein: https://review.opendev.org/#/c/711545 master: https://review.opendev.org/#/c/664618
Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541
(cherry picked from commit abf5cb6a55b78afceade692dceba7542e06736b4)
---
 keystone/credential/controllers.py | 6 ++++--
 keystone/credential/core.py | 17 ++++++++++++++++-
 .../notes/bug-1831918-c70cf87ef086d871.yaml | 6 ++++++
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
diff --git a/keystone/credential/controllers.py b/keystone/credential/controllers.py
index 95cc7d0230..f64495e093 100644
--- a/keystone/credential/controllers.py
+++ b/keystone/credential/controllers.py
@@ -86,7 +86,8 @@ class CredentialV3(controller.V3Controller):
 trust_id=trust_id,
 app_cred_id=app_cred_id,
 access_token_id=access_token_id)
- ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+ ref = PROVIDERS.credential_api.create_credential(
+ ref['id'], ref, initiator=request.audit_initiator)
 return CredentialV3.wrap_member(request.context_dict, ref)
 
 @staticmethod
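Review bot: The new keyword argument reads `request.audit_initiator`, but nothing in this diff shows that attribute exists on the request object in this stable branch; the commit message says the initiator support had to be backported to keystone/api/credentials.py, a file that is not among the three in the diffstat and is not the controllers module patched here. If the attribute is missing, every credential create and delete would fail with an AttributeError rather than quietly skipping the audit record, so the dependency change should be confirmed as merged on stable/queens or referenced by Change-Id in the message. The same dependency applies to the delete_credential hunk below. The enclosing create_credential method starts outside this hunk.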
@@ -147,4 +148,5 @@ class CredentialV3(controller.V3Controller):
 
 @controller.protected()
 def delete_credential(self, request, credential_id):
- return PROVIDERS.credential_api.delete_credential(credential_id)
+ return (PROVIDERS.credential_api.delete_credential(credential_id,
+ initiator=request.audit_initiator))
diff --git a/keystone/credential/core.py b/keystone/credential/core.py
index cb28b314e0..d6c48ff163 100644
--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -21,6 +21,7 @@ from keystone.common import manager
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
+from keystone import notifications
 
 CONF = keystone.conf.CONF
 
@@ -38,6 +39,8 @@ class Manager(manager.Manager):
 driver_namespace = 'keystone.credential'
 _provides_api = 'credential_api'
 
+ _CRED = 'credential'
+
 def __init__(self):
 super(Manager, self).__init__(CONF.credential.driver)
 
@@ -102,13 +105,18 @@ class Manager(manager.Manager):
 credential = self.driver.get_credential(credential_id)
 return self._decrypt_credential(credential)
 
- def create_credential(self, credential_id, credential):
+ def create_credential(self, credential_id, credential,
+ initiator=None):
 """Create a credential."""
 credential_copy = self._encrypt_credential(credential)
 ref = self.driver.create_credential(credential_id, credential_copy)
 ref.pop('key_hash', None)
 ref.pop('encrypted_blob', None)
 ref['blob'] = credential['blob']
+ notifications.Audit.created(
+ self._CRED,
+ credential_id,
+ initiator)
 return ref
 
 def _validate_credential_update(self, credential_id, credential):
@@ -143,3 +151,10 @@ class Manager(manager.Manager):
 else:
 ref['blob'] = existing_blob
 return ref
+
+ def delete_credential(self, credential_id,
+ initiator=None):
+ """Delete a credential."""
+ self.driver.delete_credential(credential_id)
+ notifications.Audit.deleted(
+ self._CRED, credential_id, initiator)
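Review bot: The docstring `"""Create a credential."""` is left as is while the signature gains `initiator=None`, so a caller cannot tell what the parameter is for or what the default means; I would extend it with `:param initiator: CADF initiator of the request (the controller passes request.audit_initiator); None is handed to the notifier unchanged.` and `:returns: the stored credential with the caller-supplied blob in place of the encrypted fields.`, the latter being what the existing `ref.pop('encrypted_blob', None)` / `ref['blob'] = credential['blob']` lines do. A short why-comment on the new call, `# audit only after the driver write succeeds, so a failed create leaves no record`, would make the ordering deliberate rather than incidental. The same docstring gap exists on the new delete_credential in the last hunk of this file. As a point of style, the `notifications.Audit.created(...)` call is spread over four lines although it fits on one, which is how the delete hunk writes it.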
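Review bot: The context lines `ref['blob'] = existing_blob` / `return ref` show the tail of what appears to be the update path, and it emits no audit event, so after this change creates and deletes of credentials are recorded in CADF while updates, which can replace the stored blob, are not. If that method is update_credential (the `_validate_credential_update` helper visible in the previous hunk suggests so), giving it the same `initiator=None` parameter and calling `notifications.Audit.updated(self._CRED, credential_id, initiator)` before `return ref` would close the gap, with the controller passing `initiator=request.audit_initiator` as the other two controller hunks do. That method starts outside this hunk, so the change cannot be quoted in full here.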
diff --git a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
new file mode 100644
index 0000000000..33a355cc5d
--- /dev/null
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1831918 `_]
+ Credentials now logs cadf audit messages.
+