From bef8cf488b54b2ff58db118c000d2192f22c7dd8 Mon Sep 17 00:00:00 2001
From: Myles Penner <mj.penner@live.ca>
Date: Thu, 18 Apr 2024 15:19:06 -0700
Subject: [PATCH] Add keystone audit middleware API logging

This commit adds Keystone audit middleware API logging to the Cinder
charm in versions Yoga and newer to allow users to configure their
environment for CADF compliance. This feature can be enabled/disabled
and is set to 'disabled' by default to avoid bloat in log files.
The logging output is configured to /var/log/apache2/cinder_error.log.
This commit builds on previous discussions:
https://github.com/juju/charm-helpers/pull/808.

Related-Pr: https://github.com/juju/charm-helpers/pull/893
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1200
Closes-Bug: 1856555
Change-Id: Ia7dbd6af2305e92eaa9a65890644c4a324ab2c65
---
 config.yaml                       |   5 ++
 hooks/cinder_utils.py             |  13 +++-
 templates/yoga/api-paste.ini      | 101 ++++++++++++++++++++++++++++++
 templates/yoga/api_audit_map.conf |  28 +++++++++
 templates/yoga/cinder.conf        |  89 ++++++++++++++++++++++++++
 5 files changed, 233 insertions(+), 3 deletions(-)
 create mode 100644 templates/yoga/api-paste.ini
 create mode 100644 templates/yoga/api_audit_map.conf
 create mode 100644 templates/yoga/cinder.conf

diff --git a/config.yaml b/config.yaml
index 55b4dec8..89f37e5f 100644
--- a/config.yaml
+++ b/config.yaml
@@ -12,6 +12,11 @@ options:
     default: False
     description: |
       Setting this to True will allow supporting services to log to syslog.
+  audit-middleware:
+    type: boolean
+    default: False
+    description: |
+      Enable Keystone auditing middleware for logging API calls.
   openstack-origin:
     type: string
     default: bobcat
diff --git a/hooks/cinder_utils.py b/hooks/cinder_utils.py
index fa1d519f..14d226e2 100644
--- a/hooks/cinder_utils.py
+++ b/hooks/cinder_utils.py
@@ -167,6 +167,7 @@ CINDER_CONF_DIR = "/etc/cinder"
 CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
 CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
 CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR
+CINDER_AUDIT_MAP = '%s/api_audit_map.conf' % CINDER_CONF_DIR
 CEPH_CONF = '/etc/ceph/ceph.conf'
 
 HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
@@ -237,18 +238,24 @@ BASE_RESOURCE_MAP = OrderedDict([
                      cinder_contexts.VolumeUsageAuditContext(),
                      context.MemcacheContext(),
                      cinder_contexts.SectionalConfigContext(),
-                     cinder_contexts.LVMContext()],
+                     cinder_contexts.LVMContext(),
+                     context.KeystoneAuditMiddleware(service='cinder')],
         'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler',
                      'haproxy']
     }),
     (CINDER_API_CONF, {
-        'contexts': [context.IdentityServiceContext()],
+        'contexts': [context.IdentityServiceContext(),
+                     context.KeystoneAuditMiddleware(service='cinder')],
         'services': ['cinder-api'],
     }),
     (CINDER_POLICY_JSON, {
         'contexts': [],
         'services': ['cinder-api']
     }),
+    (CINDER_AUDIT_MAP, {
+        'contexts': [context.KeystoneAuditMiddleware(service='cinder')],
+        'services': ['cinder-api']
+    }),
     (ceph_config_file(), {
         'contexts': [context.CephContext()],
         'services': ['cinder-volume']
@@ -773,7 +780,7 @@ def check_local_db_actions_complete():
             # Echo notification
             data = {CINDER_DB_INIT_ECHO_RKEY: init_id}
             # BUG: #1928383 - clear CINDER_DB_INIT_RKEY if not the leader
-            if not(is_elected_leader(CLUSTER_RES)):
+            if not is_elected_leader(CLUSTER_RES):
                 data[CINDER_DB_INIT_RKEY] = None
             relation_set(**data)
 
diff --git a/templates/yoga/api-paste.ini b/templates/yoga/api-paste.ini
new file mode 100644
index 00000000..5a632263
--- /dev/null
+++ b/templates/yoga/api-paste.ini
@@ -0,0 +1,101 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/healthcheck: healthcheck
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+/v3: openstack_volume_api_v3
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
+{% if audit_middleware and service_name -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+{% else -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+{% endif %}
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
+{% if audit_middleware and service_name -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+{% else -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+{% endif %}
+
+[composite:openstack_volume_api_v3]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+{% if audit_middleware and service_name -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+{% else -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+{% endif %}
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[app:apiv3]
+paste.app_factory = cinder.api.v3.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+[pipeline:healthcheck]
+pipeline = request_id healthcheckapp
+
+[app:healthcheckapp]
+paste.app_factory = oslo_middleware:Healthcheck.app_factory
+backends = disable_by_file
+disable_by_file_path = /etc/cinder/healthcheck_disable
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{% include "section-filter-audit" %}
\ No newline at end of file
diff --git a/templates/yoga/api_audit_map.conf b/templates/yoga/api_audit_map.conf
new file mode 100644
index 00000000..17889f8c
--- /dev/null
+++ b/templates/yoga/api_audit_map.conf
@@ -0,0 +1,28 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = None
+
+# map urls ending with specific text to a unique action
+[custom_actions]
+associate = update/associate
+disassociate = update/disassociate
+disassociate_all = update/disassociate_all
+associations = read/list/associations
+
+# possible end path of api requests
+[path_keywords]
+defaults = None
+detail = None
+limits = None
+os-quota-specs = project
+qos-specs = qos-spec
+snapshots = snapshot
+types = type
+volumes = volume
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+volume = service/storage/block
+volumev2 = service/storage/block
+volumev3 = service/storage/block
\ No newline at end of file
diff --git a/templates/yoga/cinder.conf b/templates/yoga/cinder.conf
new file mode 100644
index 00000000..42f7421f
--- /dev/null
+++ b/templates/yoga/cinder.conf
@@ -0,0 +1,89 @@
+###############################################################################
+# [ WARNING ]
+# cinder configuration file maintained by Juju
+# local changes may be overwritten.
+###############################################################################
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+verbose = {{ verbose }}
+debug = {{ debug }}
+use_syslog = {{ use_syslog }}
+auth_strategy = keystone
+state_path = /var/lib/cinder
+osapi_volume_workers = {{ workers }}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+{% if use_internal_endpoints -%}
+swift_catalog_info = object-store:swift:internalURL
+keystone_catalog_info = identity:Identity Service:internalURL
+glance_catalog_info = image:glance:internalURL
+nova_catalog_info = compute:Compute Service:internalURL
+{% endif %}
+
+osapi_volume_listen = {{ bind_host }}
+{% if osapi_volume_listen_port -%}
+osapi_volume_listen_port = {{ osapi_volume_listen_port }}
+{% endif -%}
+
+{% if glance_api_servers -%}
+glance_api_servers = {{ glance_api_servers }}
+{% endif -%}
+
+{% if glance_api_version -%}
+glance_api_version = {{ glance_api_version }}
+{% endif -%}
+
+{% if region -%}
+os_region_name = {{ region }}
+{% endif -%}
+
+{% if user_config_flags -%}
+{% for key, value in user_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+volume_usage_audit_period = {{ volume_usage_audit_period }}
+
+{% if auth_host -%}
+cinder_internal_tenant_project_id = {{ admin_tenant_id }}
+{% if admin_user_id -%}
+cinder_internal_tenant_user_id = {{ admin_user_id }}
+{% else -%}
+cinder_internal_tenant_user_id = {{ admin_user }}
+{% endif -%}
+{% endif -%}
+
+{% include "parts/backends" %}
+{% include "section-keystone-authtoken-mitaka" %}
+
+{% if keystone_authtoken -%}
+{% include "section-service-user" %}
+{% endif -%}
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit-ocata" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-audit-middleware-notifications" %}
+
+[oslo_concurrency]
+lock_path = /var/lock/cinder
+
+[keymgr]
+# XXX: hack to work around http://pad.lv/1516085
+#      will be superseded by SRU to cinder package
+encryption_auth_url = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "section-oslo-middleware" %}
+
+[nova]
+{% include "parts/service-auth" %}
+