Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DO NOT MERGE: example audit trail service #480

Draft
wants to merge 2 commits into
base: development
Choose a base branch
from
Draft

DO NOT MERGE: example audit trail service #480

wants to merge 2 commits into from

Conversation

nbittich
Copy link
Collaborator

CLB-751 for context.

this PR is only an example on how we could use the new audit trail service in OP

This service works a bit like the privacy service, but logs the dcterms:identifier of the logged in user (vo-id on acmidm).

In order to test it, you would need to login with an user that has a dcterms:identifer in its foaf:OnlineAccount.

MOCK LOGIN users don't have it, so you would need to add it manually (through a migration, or directly on virtuoso)

Once logged in, copy the Cookie, then you can use curl to try it out.

Example for getting the family-name and given-name of person with id fa346447ef3262f90217c8534e49e9f7 and reason 3aeec145-acf3-4b6e-9c00-5b8e285736e0 :

curl 'http://localhost/access-with-audit-trail/people/fa346447ef3262f90217c8534e49e9f7?reasonId=3aeec145-acf3-4b6e-9c00-5b8e285736e0&include=given-name,family-name' \
-H 'Accept: application/vnd.api+json'   --compressed  \
-H  'Cookie: proxy_session=<your-session-cookie>

Result:

{
  "data": {
    "type": "people",
    "id": "7daa61fcd543c33f63014dd97db0950d0e6475ac40ed553346a9ce58d7775a95",
    "attributes": {
      "given-name": "the given name",
      "family-name": "the family name"
    },
    "relationships": {}
  }
}

Audit log:

PREFIX sh:   <http://www.w3.org/ns/shacl#>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
PREFIX mu: <http://mu.semte.ch/vocabularies/core/>
PREFIX persoon: <https://data.vlaanderen.be/ns/persoon#>
PREFIX ext: <http://mu.semte.ch/vocabularies/ext/>
PREFIX person: <http://www.w3.org/ns/person#>
PREFIX session: <http://mu.semte.ch/vocabularies/session/>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
PREFIX besluit: <http://data.vlaanderen.be/ns/besluit#>
PREFIX dcterms: <http://purl.org/dc/terms/>
<http://data.lblod.info/id/node-paths/a6cc40d2-adbe-11ef-b5f4-fd38d66e2101>
        a        <http://www.w3.org/1999/02/22-rdf-syntax-ns#List>;
        <http://www.w3.org/1999/02/22-rdf-syntax-ns#first>
                foaf:givenName;
        <http://www.w3.org/1999/02/22-rdf-syntax-ns#rest>
                <http://www.w3.org/1999/02/22-rdf-syntax-ns#nil>;
        mu:uuid  "a6cc40d2-adbe-11ef-b5f4-fd38d66e2101" .

<http://data.lblod.info/id/node-shapes/a6cc40d3-adbe-11ef-b5f4-fd38d66e2101>
        a        sh:NodeShape;
        mu:uuid  "a6cc40d3-adbe-11ef-b5f4-fd38d66e2101";
        sh:path  <http://data.lblod.info/id/node-paths/a6cc40d4-adbe-11ef-b5f4-fd38d66e2101> .

<http://data.lblod.info/id/node-shapes/a6cc40d1-adbe-11ef-b5f4-fd38d66e2101>
        a        sh:NodeShape;
        mu:uuid  "a6cc40d1-adbe-11ef-b5f4-fd38d66e2101";
        sh:path  <http://data.lblod.info/id/node-paths/a6cc40d2-adbe-11ef-b5f4-fd38d66e2101> .

<http://data.lblod.info/id/node-paths/a6cc40d4-adbe-11ef-b5f4-fd38d66e2101>
        a        <http://www.w3.org/1999/02/22-rdf-syntax-ns#List>;
        <http://www.w3.org/1999/02/22-rdf-syntax-ns#first>
                foaf:familyName;
        <http://www.w3.org/1999/02/22-rdf-syntax-ns#rest>
                <http://www.w3.org/1999/02/22-rdf-syntax-ns#nil>;
        mu:uuid  "a6cc40d4-adbe-11ef-b5f4-fd38d66e2101" .

<http://data.lblod.info/id/audit-trail-entries/a6cc40d0-adbe-11ef-b5f4-fd38d66e2101>
        a                   ext:AuditTrailEntry;
        mu:uuid             "a6cc40d0-adbe-11ef-b5f4-fd38d66e2101";
        ext:code            <http://data.lblod.info/id/information-request-reason/3aeec145-acf3-4b6e-9c00-5b8e285736e0>;
        ext:requester       <http://data.lblod.info/id/account/cd52ed34-7bcd-41df-a7d4-c805c1d1a197>;
        ext:shape           <http://data.lblod.info/id/node-shapes/a6cc40d3-adbe-11ef-b5f4-fd38d66e2101> , <http://data.lblod.info/id/node-shapes/a6cc40d1-adbe-11ef-b5f4-fd38d66e2101>;
        ext:subject         <http://data.lblod.info/id/personen/fa346447ef3262f90217c8534e49e9f7>;
        dcterms:created     "2024-11-28T19:26:22.556Z"^^xsd:dateTime;
        dcterms:identifier  "b838f67c-6c4c-44b2-8297-c9eefccc5e35" .

@claire-lovisa
Copy link
Contributor

Very nice! So now the idea would be use it to access certain data for a specific goal, a bit like the privacy service and in that case called by the frontend right? Could it later on be used in a more systematic way, like the dispatcher would redirect the calls to the audit service so we log access to all resources we want?

I also added @mirdono to the reviewers, he's taking care of OP more than I do lately 😁

@nbittich
Copy link
Collaborator Author

nbittich commented Dec 2, 2024
edited
Loading

@claire-lovisa @mirdono yes, it still requires a reason tho, but if needed I can adapt the service to proivde a default reason id (based on an environment variable), so if it's missing we use the default one, that way you no longer need to show the extra form select to provide the reason before being able to access the sensitive data. let me know if that's something you would like to have if you decide to implement it on OP

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@claire-lovisa claire-lovisa Awaiting requested review from claire-lovisa

@mirdono mirdono Awaiting requested review from mirdono

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nbittich @claire-lovisa