openstack/keystone
Code Issues Proposed changes

Set initiator id as user_id for auth events

Browse Source 
This change sets the initiator id as the user_id for
authentication events. The notificiation initiator id would
be set to a random UUID by default, which makes auditing the
identity of the user who is authenticating difficult. This
also adds the user_id as well for auth events for consistency.

Also removes the WIP unit-test header to verify that this
change works as intended.

Change-Id: I511a03eada22c66847bd1502b16cbd2c34b1b35d
Closes-Bug: #1780503
This commit is contained in:
Gage Hugo 2018-08-01 15:49:03 -05:00
parent b625ccc42c
commit fd8b5f3206
3 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
keystone/notifications.py
View File

@ -517,6 +517,9 @@ class CadfNotificationWrapper(object):
def wrapper(wrapped_self, request, user_id, *args, **kwargs):
"""Will always send a notification."""
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
initiator = request.audit_initiator
initiator.user_id = user_id
initiator.id = utils.resource_uuid(user_id)
try:
result = f(wrapped_self, request, user_id, *args, **kwargs)
except (exception.AccountLocked,
@ -524,19 +527,19 @@ class CadfNotificationWrapper(object):
# Send a CADF event with a reason for PCI-DSS related
# authentication failures
audit_reason = reason.Reason(str(ex), str(ex.code))
_send_audit_notification(self.action, request.audit_initiator,
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_FAILURE,
target, self.event_type,
reason=audit_reason)
raise
except Exception:
# For authentication failure send a CADF event as well
_send_audit_notification(self.action, request.audit_initiator,
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_FAILURE,
target, self.event_type)
raise
else:
_send_audit_notification(self.action, request.audit_initiator,
_send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_SUCCESS,
target, self.event_type)
return result

9
keystone/tests/unit/common/test_notifications.py
View File

@ -24,7 +24,6 @@ from pycadf import cadftaxonomy
from pycadf import cadftype
from pycadf import eventfactory
from pycadf import resource as cadfresource
from testtools import matchers
from keystone.common import provider_api
import keystone.conf
@ -32,7 +31,6 @@ from keystone import exception
from keystone import notifications
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -1121,12 +1119,6 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
self.assertEqual(role_id, event.role)
self.assertEqual(inherit, event.inherited_to_projects)
@test_utils.wip(
'Waiting on fix for random initiator id for identity.authentication '
'events for CADF notifications',
expected_exception=matchers.MismatchError,
bug='#1780503'
)
def test_initiator_id_always_matches_user_id(self):
# Clear notifications
while self._notifications:
@ -1137,6 +1129,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
note = self._notifications.pop()
initiator = note['initiator']
self.assertEqual(self.user_id, initiator.id)
self.assertEqual(self.user_id, initiator.user_id)
def test_v3_authenticate_user_name_and_domain_id(self):
user_id = self.user_id

8
releasenotes/notes/bug-1780503-70ca1ba3f428dd41.yaml Normal file
View File

@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1780503 <https://bugs.launchpad.net/keystone/+bug/1780503>`_]
The notification wrapper now sets the initiator's id to the given user
id. This fixes an issue where identity.authentication event would result
in the initiator id being a random default UUID, rather than the user's id
when said user would authenticate against keystone.