diff --git a/keystone/notifications.py b/keystone/notifications.py index 3a32865c03..e87bf09103 100644 --- a/keystone/notifications.py +++ b/keystone/notifications.py @@ -517,6 +517,9 @@ class CadfNotificationWrapper(object): def wrapper(wrapped_self, request, user_id, *args, **kwargs): """Will always send a notification.""" target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER) + initiator = request.audit_initiator + initiator.user_id = user_id + initiator.id = utils.resource_uuid(user_id) try: result = f(wrapped_self, request, user_id, *args, **kwargs) except (exception.AccountLocked, @@ -524,19 +527,19 @@ class CadfNotificationWrapper(object): # Send a CADF event with a reason for PCI-DSS related # authentication failures audit_reason = reason.Reason(str(ex), str(ex.code)) - _send_audit_notification(self.action, request.audit_initiator, + _send_audit_notification(self.action, initiator, taxonomy.OUTCOME_FAILURE, target, self.event_type, reason=audit_reason) raise except Exception: # For authentication failure send a CADF event as well - _send_audit_notification(self.action, request.audit_initiator, + _send_audit_notification(self.action, initiator, taxonomy.OUTCOME_FAILURE, target, self.event_type) raise else: - _send_audit_notification(self.action, request.audit_initiator, + _send_audit_notification(self.action, initiator, taxonomy.OUTCOME_SUCCESS, target, self.event_type) return result diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py index 379a30de00..5a5b8d503d 100644 --- a/keystone/tests/unit/common/test_notifications.py +++ b/keystone/tests/unit/common/test_notifications.py @@ -24,7 +24,6 @@ from pycadf import cadftaxonomy from pycadf import cadftype from pycadf import eventfactory from pycadf import resource as cadfresource -from testtools import matchers from keystone.common import provider_api import keystone.conf 
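Review bot: The three added assignments in `wrapper` sit before `try:`, so an exception raised while building the initiator (for example, if `utils.resource_uuid(user_id)` rejects an unusual `user_id`; its behaviour is not visible here) propagates without reaching either `except` branch. In that case no CADF event is emitted for the authentication attempt, even though the docstring says a notification is always sent. Keeping `initiator = request.audit_initiator` where it is and moving `initiator.user_id = user_id` and `initiator.id = utils.resource_uuid(user_id)` to be the first statements inside `try:` would let the generic `except Exception` branch still record an `OUTCOME_FAILURE`. A comment such as `# user_id is the claimed identity; on OUTCOME_FAILURE it has not been authenticated` would also stop consumers of the audit trail from reading the initiator as verified. The wrapper body continues into the next hunk.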
@@ -32,7 +31,6 @@ from keystone import exception from keystone import notifications from keystone.tests import unit from keystone.tests.unit import test_v3 -from keystone.tests.unit import utils as test_utils CONF = keystone.conf.CONF @@ -1121,12 +1119,6 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase): self.assertEqual(role_id, event.role) self.assertEqual(inherit, event.inherited_to_projects) - @test_utils.wip( - 'Waiting on fix for random initiator id for identity.authentication ' - 'events for CADF notifications', - expected_exception=matchers.MismatchError, - bug='#1780503' - ) def test_initiator_id_always_matches_user_id(self): # Clear notifications while self._notifications: @@ -1137,6 +1129,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase): note = self._notifications.pop() initiator = note['initiator'] self.assertEqual(self.user_id, initiator.id) + self.assertEqual(self.user_id, initiator.user_id) def test_v3_authenticate_user_name_and_domain_id(self): user_id = self.user_id diff --git a/releasenotes/notes/bug-1780503-70ca1ba3f428dd41.yaml b/releasenotes/notes/bug-1780503-70ca1ba3f428dd41.yaml new file mode 100644 index 0000000000..062cebbe9e --- /dev/null +++ b/releasenotes/notes/bug-1780503-70ca1ba3f428dd41.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + [`bug 1780503 `_] + The notification wrapper now sets the initiator's id to the given user + id. This fixes an issue where identity.authentication event would result + in the initiator id being a random default UUID, rather than the user's id + when said user would authenticate against keystone.
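Review bot: The added `assertEqual(self.user_id, initiator.user_id)` in `test_initiator_id_always_matches_user_id` checks only the single notification popped in the visible lines, which appears to be the success path. The two `OUTCOME_FAILURE` branches changed in `keystone/notifications.py` get no matching assertion in this diff. A companion case that triggers a failed authentication for `self.user_id` and asserts `initiator.id` and `initiator.user_id` on the resulting notification would pin the behaviour that matters most for audit trails. The test body starts outside this hunk, so the setup it relies on is not visible here.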