From 945f5dab0d1c1deae8fcec6300b107d7a6f59e84 Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy
Date: Wed, 20 Jul 2022 15:36:43 +0300
Subject: [PATCH] Add ignore_path_list option some API frameworks and how they are used in OpenStack projects (e.g. Pecan in Octavia or Ironic) do not allow for enabling audit middleware only on specific paths, plus they have intentional API parts that do not use Keystone authentication by design (for communications with agents running inside instances). As a result, audit middleware is triggered on API paths that have not went thru authtoken middleware, producing not-so valid CADF messages, and for some paths (like root '/' or '/healthcheck') to much of such messages too (triggered by monitoring). This patch adds an additonal recognised configuration parameter for audit middleware - ignore_path_list. This is a coma-separated list of api paths that will be excempted from triggering audit notifications.
Change-Id: I3d6934c2dceadd476d335efaacda935625c792e5
---
 keystonemiddleware/audit/__init__.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/keystonemiddleware/audit/__init__.py b/keystonemiddleware/audit/__init__.py
index bf7bae92..61480925 100644
--- a/keystonemiddleware/audit/__init__.py
+++ b/keystonemiddleware/audit/__init__.py
@@ -99,6 +99,9 @@ class AuditMiddleware(object):
 self._service_name = conf.get('service_name')
 self._ignore_req_list = [x.upper().strip() for x in conf.get('ignore_req_list', '').split(',')]
+ self._ignore_path_list = [x for x in
+ conf.get('ignore_path_list', '').split(',')
+ if x]
 self._cadf_audit = _api.OpenStackAuditApi(conf.get('audit_map_file'), _LOG)
 self._notifier = _notifier.create_notifier(self._conf, _LOG)
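Review bot: The added `_ignore_path_list` comprehension keeps each entry verbatim, unlike `_ignore_req_list` just above it, which calls `.strip()`. A value written as `/, /healthcheck` therefore yields ` /healthcheck`, which can never equal `req.path_info`, so the path stays audited with no hint that the setting was ignored. I would normalise the entries the same way: `self._ignore_path_list = [p.strip() for p in conf.get('ignore_path_list', '').split(',') if p.strip()]`. Because this option turns audit events off, logging the parsed list once at start-up would also help operators verify what is exempt. The enclosing `__init__` starts and ends outside the hunk.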
@@ -145,7 +148,10 @@ class AuditMiddleware(object):
 @webob.dec.wsgify
 def __call__(self, req):
- if req.method in self._ignore_req_list:
+ if (
+ req.method in self._ignore_req_list or
+ req.path_info in self._ignore_path_list
+ ):
 return req.get_response(self._application)
 # Cannot use a RequestClass on wsgify above because the `req` object is
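Review bot: The new `req.path_info in self._ignore_path_list` test in `__call__` is an exact, case-sensitive match that skips auditing for every HTTP method on a listed path, and nothing in the hunk or the one-file diffstat documents that. Since a listed path emits no CADF event at all, I would state the semantics at the check, e.g. `# Exact PATH_INFO match, no prefixes or wildcards; applies to all methods and suppresses audit events entirely.` A trailing-slash variant such as `/healthcheck/` is not exempt, which errs towards auditing, but operators should be told so they do not assume prefix matching. The option also deserves an entry in the audit middleware docs advising that only unauthenticated, low-value endpoints be listed. The body of `__call__` continues past the end of the hunk.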