keystonemiddleware/keystonemiddleware/tests/unit/audit/test_audit_middleware.py

#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import uuid

import mock
from testtools import matchers
import webob

from keystonemiddleware import audit
from keystonemiddleware.tests.unit.audit import base


@mock.patch('oslo_messaging.get_transport', mock.MagicMock())
class AuditMiddlewareTest(base.BaseAuditMiddlewareTest):

    def test_api_request(self):
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        with mock.patch('oslo_messaging.Notifier.info') as notify:
            self.middleware(req)
            # Check first notification with only 'request'
            call_args = notify.call_args_list[0][0]
            self.assertEqual('audit.http.request', call_args[1])
            self.assertEqual('/foo/bar', call_args[2]['requestPath'])
            self.assertEqual('pending', call_args[2]['outcome'])
            self.assertNotIn('reason', call_args[2])
            self.assertNotIn('reporterchain', call_args[2])

            # Check second notification with request + response
            call_args = notify.call_args_list[1][0]
            self.assertEqual('audit.http.response', call_args[1])
            self.assertEqual('/foo/bar', call_args[2]['requestPath'])
            self.assertEqual('success', call_args[2]['outcome'])
            self.assertIn('reason', call_args[2])
            self.assertIn('reporterchain', call_args[2])

    def test_api_request_failure(self):
        self.middleware = audit.AuditMiddleware(
            base.FakeFailingApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        with mock.patch('oslo_messaging.Notifier.info') as notify:
            try:
                self.middleware(req)
                self.fail('Application exception has not been re-raised')
            except Exception:
                pass
            # Check first notification with only 'request'
            call_args = notify.call_args_list[0][0]
            self.assertEqual('audit.http.request', call_args[1])
            self.assertEqual('/foo/bar', call_args[2]['requestPath'])
            self.assertEqual('pending', call_args[2]['outcome'])
            self.assertNotIn('reporterchain', call_args[2])

            # Check second notification with request + response
            call_args = notify.call_args_list[1][0]
            self.assertEqual('audit.http.response', call_args[1])
            self.assertEqual('/foo/bar', call_args[2]['requestPath'])
            self.assertEqual('unknown', call_args[2]['outcome'])
            self.assertIn('reporterchain', call_args[2])

    def test_process_request_fail(self):
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.Notifier.info',
                        side_effect=Exception('error')) as notify:
            self.middleware._process_request(req)
            self.assertTrue(notify.called)

    def test_process_response_fail(self):
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.Notifier.info',
                        side_effect=Exception('error')) as notify:
            self.middleware._process_response(req, webob.response.Response())
            self.assertTrue(notify.called)

    def test_ignore_req_opt(self):
        self.middleware = audit.AuditMiddleware(base.FakeApp(),
                                                audit_map_file=self.audit_map,
                                                ignore_req_list='get, PUT')
        req = webob.Request.blank('/skip/foo',
                                  environ=self.get_environ_header('GET'))
        req1 = webob.Request.blank('/skip/foo',
                                   environ=self.get_environ_header('PUT'))
        req2 = webob.Request.blank('/accept/foo',
                                   environ=self.get_environ_header('POST'))
        with mock.patch('oslo_messaging.Notifier.info') as notify:
            # Check GET/PUT request does not send notification
            self.middleware(req)
            self.middleware(req1)
            self.assertEqual([], notify.call_args_list)

            # Check non-GET/PUT request does send notification
            self.middleware(req2)
            self.assertThat(notify.call_args_list, matchers.HasLength(2))
            call_args = notify.call_args_list[0][0]
            self.assertEqual('audit.http.request', call_args[1])
            self.assertEqual('/accept/foo', call_args[2]['requestPath'])

            call_args = notify.call_args_list[1][0]
            self.assertEqual('audit.http.response', call_args[1])
            self.assertEqual('/accept/foo', call_args[2]['requestPath'])

    def test_api_request_no_messaging(self):
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        with mock.patch('keystonemiddleware.audit._notifier.oslo_messaging',
                        None):
            with mock.patch('keystonemiddleware.audit._LOG.info') as log:
                self.middleware = audit.AuditMiddleware(
                    base.FakeApp(),
                    audit_map_file=self.audit_map)

                self.middleware(req)
                # Check first notification with only 'request'
                call_args = log.call_args_list[0][0]
                self.assertEqual('audit.http.request',
                                 call_args[1]['event_type'])

                # Check second notification with request + response
                call_args = log.call_args_list[1][0]
                self.assertEqual('audit.http.response',
                                 call_args[1]['event_type'])

    def test_cadf_event_context_scoped(self):
        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        with mock.patch('oslo_messaging.Notifier.info') as notify:
            middleware(req)

            self.assertEqual(2, notify.call_count)
            first, second = [a[0] for a in notify.call_args_list]

            # the Context is the first argument. Let's verify it.
            self.assertIsInstance(first[0], dict)

            # ensure exact same context is used between request and response
            self.assertIs(first[0], second[0])

    def test_cadf_event_scoped_to_request(self):
        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        with mock.patch('oslo_messaging.Notifier.info') as notify:
            middleware(req)
            self.assertIsNotNone(req.environ.get('cadf_event'))

            # ensure exact same event is used between request and response
            self.assertEqual(notify.call_args_list[0][0][2]['id'],
                             notify.call_args_list[1][0][2]['id'])

    def test_cadf_event_scoped_to_request_on_error(self):
        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.Notifier.info',
                        side_effect=Exception('error')) as notify:
            middleware._process_request(req)
            self.assertTrue(notify.called)
        req2 = webob.Request.blank('/foo/bar',
                                   environ=self.get_environ_header('GET'))
        req2.context = {}
        with mock.patch('oslo_messaging.Notifier.info') as notify:
            middleware._process_response(req2, webob.response.Response())
            self.assertTrue(notify.called)
            # ensure event is not the same across requests
            self.assertNotEqual(req.environ['cadf_event'].id,
                                notify.call_args_list[0][0][2]['id'])

    def test_project_name_from_oslo_config(self):
        self.assertEqual(self.PROJECT_NAME,
                         self.middleware._conf.project)

    def test_project_name_from_local_config(self):
        project_name = uuid.uuid4().hex
        self.middleware = audit.AuditMiddleware(
            base.FakeApp(), audit_map_file=self.audit_map,
            service_name='pycadf', project=project_name)
        self.assertEqual(project_name, self.middleware._conf.project)


def _get_transport(conf, aliases=None, url=None):
    transport = mock.MagicMock()
    transport.conf = conf
    conf.register_opts = mock.MagicMock()
    return transport


@mock.patch('oslo_messaging.get_transport', side_effect=_get_transport)
class AuditNotifierConfigTest(base.BaseAuditMiddlewareTest):

    def test_conf_middleware_log_and_default_as_messaging(self, t):
        self.cfg.config(driver='log', group='audit_middleware_notifications')
        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.notify._impl_log.LogDriver.notify',
                        side_effect=Exception('error')) as driver:
            middleware._process_request(req)
            # audit middleware conf has 'log' make sure that driver is invoked
            # and not the one specified in DEFAULT section
            self.assertTrue(driver.called)

    def test_conf_middleware_log_and_oslo_msg_as_messaging(self, t):
        self.cfg.config(driver='messaging',
                        group='oslo_messaging_notifications')
        self.cfg.config(driver='log',
                        group='audit_middleware_notifications')
        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.notify._impl_log.LogDriver.notify',
                        side_effect=Exception('error')) as driver:
            middleware._process_request(req)
            # audit middleware conf has 'log' make sure that driver is invoked
            # and not the one specified in oslo_messaging_notifications section
            self.assertTrue(driver.called)

    def test_conf_middleware_messaging_and_oslo_msg_as_log(self, t):
        self.cfg.config(driver='log', group='oslo_messaging_notifications')
        self.cfg.config(driver='messaging',
                        group='audit_middleware_notifications')
        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.notify.messaging.MessagingDriver'
                        '.notify',
                        side_effect=Exception('error')) as driver:
            # audit middleware has 'messaging' make sure that driver is invoked
            # and not the one specified in oslo_messaging_notifications section
            middleware._process_request(req)
            self.assertTrue(driver.called)

    def test_with_no_middleware_notification_conf(self, t):
        self.cfg.config(driver='messaging',
                        group='oslo_messaging_notifications')
        self.cfg.config(driver=None, group='audit_middleware_notifications')

        middleware = audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        req = webob.Request.blank('/foo/bar',
                                  environ=self.get_environ_header('GET'))
        req.context = {}
        with mock.patch('oslo_messaging.notify.messaging.MessagingDriver'
                        '.notify',
                        side_effect=Exception('error')) as driver:
            # audit middleware section is not set. So driver needs to be
            # invoked from oslo_messaging_notifications section.
            middleware._process_request(req)
            self.assertTrue(driver.called)

    def test_conf_middleware_messaging_and_transport_set(self, mock_transport):
        transport_url = 'rabbit://me:passwd@host:5672/virtual_host'
        self.cfg.config(driver='messaging',
                        transport_url=transport_url,
                        group='audit_middleware_notifications')

        audit.AuditMiddleware(
            base.FakeApp(),
            audit_map_file=self.audit_map,
            service_name='pycadf')
        self.assertTrue(mock_transport.called)
        # make sure first call kwarg 'url' is same as provided transport_url
        self.assertEqual(transport_url,
                         mock_transport.call_args_list[0][1]['url'])