Add cadf auditing to credentials

added audit logging to credentials. This backport is a bit different than the original patch, since we don't have the adds caching of credentials patch find on commit 479a2a0afa and we were not able to backport it. So, there are sense on keep the invalidate cache calls in the original bits. Closes-bug: #1831918 Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541 (cherry picked from commit 579cc19857)
2019-06-10 10:32:05 -07:00 · 2019-06-10 10:32:05 -07:00 · e57e44c0ec
parent 2de401b79b
commit e57e44c0ec
3 changed files with 26 additions and 3 deletions
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@ -148,7 +148,8 @@ class CredentialResource(ks_flask.ResourceBase):
        trust_id = getattr(self.oslo_context, 'trust_id', None)
        ref = self._assign_unique_id(
            self._normalize_dict(credential), trust_id=trust_id)
-        ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+        ref = PROVIDERS.credential_api.create_credential(ref['id'], ref,
+                                                         initiator=self.audit_initiator)
        return self.wrap_member(ref), http_client.CREATED

    def patch(self, credential_id):
@ -173,7 +174,8 @@ class CredentialResource(ks_flask.ResourceBase):
            build_target=_build_target_enforcement
        )

-        return (PROVIDERS.credential_api.delete_credential(credential_id),
+        return (PROVIDERS.credential_api.delete_credential(credential_id,
+                                                           initiator=self.audit_initiator),
                http_client.NO_CONTENT)


--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@ -21,6 +21,7 @@ from keystone.common import manager
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
+from keystone import notifications


 CONF = keystone.conf.CONF
@ -38,6 +39,8 @@ class Manager(manager.Manager):
    driver_namespace = 'keystone.credential'
    _provides_api = 'credential_api'

+    _CRED = 'credential'
+
    def __init__(self):
        super(Manager, self).__init__(CONF.credential.driver)

@ -102,13 +105,18 @@ class Manager(manager.Manager):
        credential = self.driver.get_credential(credential_id)
        return self._decrypt_credential(credential)

-    def create_credential(self, credential_id, credential):
+    def create_credential(self, credential_id, credential,
+                          initiator=None):
        """Create a credential."""
        credential_copy = self._encrypt_credential(credential)
        ref = self.driver.create_credential(credential_id, credential_copy)
        ref.pop('key_hash', None)
        ref.pop('encrypted_blob', None)
        ref['blob'] = credential['blob']
+        notifications.Audit.created(
+            self._CRED,
+            credential_id,
+            initiator)
        return ref

    def _validate_credential_update(self, credential_id, credential):
@ -143,3 +151,10 @@ class Manager(manager.Manager):
        else:
            ref['blob'] = existing_blob
        return ref
+
+    def delete_credential(self, credential_id,
+                          initiator=None):
+        """Delete a credential."""
+        self.driver.delete_credential(credential_id)
+        notifications.Audit.deleted(
+            self._CRED, credential_id, initiator)
--- a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    [`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
+    Credentials now logs cadf audit messages.
+