Set initiator id as user_id for auth events

This change sets the initiator id as the user_id for
authentication events. The notification initiator id would
be set to a random UUID by default, which makes auditing the
identity of the user who is authenticating difficult. This
also adds the user_id as well for auth events for consistency.

Also removes the WIP unit-test header to verify that this
change works as intended.

Change-Id: I511a03eada22c66847bd1502b16cbd2c34b1b35d
Closes-Bug: #1780503
Gage Hugo 2018-08-01 15:49:03 -05:00
parent b625ccc42c
commit fd8b5f3206
3 changed files with 15 additions and 11 deletions


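@@ -517,6 +517,9 @@ class CadfNotificationWrapper(object):
         def wrapper(wrapped_self, request, user_id, *args, **kwargs):
             """Will always send a notification."""
             target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
+            initiator = request.audit_initiator
+            initiator.user_id = user_id
+            initiator.id = utils.resource_uuid(user_id)
             try:
                 result = f(wrapped_self, request, user_id, *args, **kwargs)
             except (exception.AccountLocked,
@@ -524,19 +527,19 @@ class CadfNotificationWrapper(object):
                 # Send a CADF event with a reason for PCI-DSS related
                 # authentication failures
                 audit_reason = reason.Reason(str(ex), str(ex.code))
-                _send_audit_notification(self.action, request.audit_initiator,
+                _send_audit_notification(self.action, initiator,
                                          taxonomy.OUTCOME_FAILURE,
                                          target, self.event_type,
                                          reason=audit_reason)
                 raise
             except Exception:
                 # For authentication failure send a CADF event as well
-                _send_audit_notification(self.action, request.audit_initiator,
+                _send_audit_notification(self.action, initiator,
                                          taxonomy.OUTCOME_FAILURE,
                                          target, self.event_type)
                 raise
             else:
-                _send_audit_notification(self.action, request.audit_initiator,
+                _send_audit_notification(self.action, initiator,
                                          taxonomy.OUTCOME_SUCCESS,
                                          target, self.event_type)
                 return result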
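Review bot: The three added lines stamp the initiator with the caller-supplied `user_id` before `f` has verified it, so on both OUTCOME_FAILURE paths the event's initiator.id/user_id is an unverified claim (possibly a user that does not exist), which is the right data for brute-force auditing but should be stated so audit consumers do not read it as an authenticated identity; add above `initiator = request.audit_initiator`: `# Stamp the audit initiator with the user being authenticated. On the failure paths below this is the *claimed* user_id, not a verified one.` The wrapper also mutates the object returned by `request.audit_initiator` in place rather than a copy, so if that attribute is cached per request (not visible here) the rewritten id would leak into any later notification emitted on the same request — worth confirming, or copying before assigning. The function enclosing `wrapper` starts before the first hunk.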


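@@ -24,7 +24,6 @@ from pycadf import cadftaxonomy
 from pycadf import cadftype
 from pycadf import eventfactory
 from pycadf import resource as cadfresource
-from testtools import matchers
 
 from keystone.common import provider_api
 import keystone.conf
@@ -32,7 +31,6 @@ from keystone import exception
 from keystone import notifications
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 
 
 CONF = keystone.conf.CONF
@@ -1121,12 +1119,6 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
         self.assertEqual(role_id, event.role)
         self.assertEqual(inherit, event.inherited_to_projects)
 
-    @test_utils.wip(
-        'Waiting on fix for random initiator id for identity.authentication '
-        'events for CADF notifications',
-        expected_exception=matchers.MismatchError,
-        bug='#1780503'
-    )
     def test_initiator_id_always_matches_user_id(self):
         # Clear notifications
         while self._notifications:
@@ -1137,6 +1129,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
             note = self._notifications.pop()
         initiator = note['initiator']
         self.assertEqual(self.user_id, initiator.id)
+        self.assertEqual(self.user_id, initiator.user_id)
 
     def test_v3_authenticate_user_name_and_domain_id(self):
         user_id = self.user_id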
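Review bot: The new assertion on initiator.user_id, together with the existing one on initiator.id, only exercises the OUTCOME_SUCCESS path, while the fix also rewrites the initiator handed to both failure paths of the wrapper; a companion test that authenticates with a wrong password and asserts the popped failure notification carries `self.user_id` in `initiator.user_id` would cover them. The production code sets `initiator.id = utils.resource_uuid(user_id)`, so `self.assertEqual(self.user_id, initiator.id)` holds only if `resource_uuid` returns UUID-shaped ids unchanged — if it hashes non-UUID ids (e.g. LDAP-style ids), a test using such an id should compare against `utils.resource_uuid(self.user_id)` instead. `test_initiator_id_always_matches_user_id` starts in the third hunk and its middle lies between hunks.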


@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1780503 <https://bugs.launchpad.net/keystone/+bug/1780503>`_]
The notification wrapper now sets the initiator's id to the given user
id. This fixes an issue where identity.authentication event would result
in the initiator id being a random default UUID, rather than the user's id
when said user would authenticate against keystone.