From 0fa49f4802b3520c1a8bdf62c752ec1069a14cb9 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Mon, 24 Jun 2024 15:04:46 -0700
Subject: [PATCH 1/9] Add audit logs for when a group is created
---
 rbac/management/group/view.py | 8 +++++++-
 tests/management/group/test_view.py | 23 ++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/rbac/management/group/view.py b/rbac/management/group/view.py
index 392e1b6cc..61212671d 100644
--- a/rbac/management/group/view.py
+++ b/rbac/management/group/view.py
@@ -44,6 +44,7 @@
 GroupSerializer,
 RoleMinimumSerializer,
 )
+from management.models import AuditLog
 from management.notifications.notification_handlers import (
 group_obj_change_notification_handler,
 group_principal_change_notification_handler,
@@ -250,7 +251,12 @@ def create(self, request, *args, **kwargs):
 }
 """
 validate_group_name(request.data.get("name"))
- return super().create(request=request, args=args, kwargs=kwargs)
+ create_group = super().create(request=request, args=args, kwargs=kwargs)
+
+ if status.is_success(create_group.status_code):
+ auditlog = AuditLog()
+ auditlog.log_create(request, AuditLog.GROUP)
+ return create_group
 def list(self, request, *args, **kwargs):
 """Obtain the list of groups for the tenant.
diff --git a/tests/management/group/test_view.py b/tests/management/group/test_view.py
index 0fe6b1f0e..2f1abc214 100644
--- a/tests/management/group/test_view.py
+++ b/tests/management/group/test_view.py
@@ -21,7 +21,7 @@
 from django.db import transaction
 from django.conf import settings
-from django.urls import reverse
+from django.urls import reverse, resolve
 from django.test.utils import override_settings
 from rest_framework import status
 from rest_framework.response import Response
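Review bot: In the `create` hunk of rbac/management/group/view.py the audit record is written only after `super().create(...)` has returned, so an exception raised inside `auditlog.log_create(request, AuditLog.GROUP)` turns a successful creation into an error response while the group stays in the database with no audit entry. Unless the request is already atomic (not visible here), put both steps under one `with transaction.atomic():` so the group and its audit row commit or roll back together; if audit failure is meant to be non-fatal instead, catch it and log it explicitly so the gap is visible. Whether `transaction` is already imported in this module cannot be seen from the hunk, and the body of `create` starts above it.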
@@ -183,6 +183,27 @@ def test_create_group_success(self, send_kafka_message, mock_request):
 response = client.get(url, **self.headers)
 group = Group.objects.get(uuid=uuid)
+ # test whether newly created group is added correctly within audit log database
+ al_url = "/api/v1/auditlogs/"
+ al_client = APIClient()
+ al_response = al_client.get(al_url, **self.headers)
+ retrieve_data = al_response.data.get("data")
+ al_list = retrieve_data
+ al_dict = al_list[0]
+
+ al_dict_principal_username = al_dict["principal_username"]
+ al_dict_description = al_dict["description"]
+ al_dict_resource = al_dict["resource_type"]
+ al_dict_action = al_dict["action"]
+
+ self.assertEqual(self.user_data["username"], al_dict_principal_username)
+ self.assertIsNotNone(al_dict_description)
+ self.assertEqual(al_dict_resource, "group")
+ self.assertEqual(al_dict_action, "create")
+
+ # test that we can retrieve the role
+ url = reverse("role-detail", kwargs={"uuid": response.data.get("uuid")})
+ client = APIClient()
 self.assertIsNotNone(uuid)
 self.assertIsNotNone(response.data.get("name"))
 self.assertEqual(group_name, response.data.get("name"))
From 903034c177cd62e860baac3871f58ddc6a1aa274 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Tue, 25 Jun 2024 13:13:21 -0700
Subject: [PATCH 2/9] Remove return statement from group and role creation audit log
---
 rbac/management/group/view.py | 3 ++-
 rbac/management/role/view.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/rbac/management/group/view.py b/rbac/management/group/view.py
index 61212671d..abfa2e392 100644
--- a/rbac/management/group/view.py
+++ b/rbac/management/group/view.py
@@ -256,7 +256,8 @@ def create(self, request, *args, **kwargs):
 if status.is_success(create_group.status_code):
 auditlog = AuditLog()
 auditlog.log_create(request, AuditLog.GROUP)
- return create_group
+
+ return create_group
 def list(self, request, *args, **kwargs):
 """Obtain the list of groups for the tenant.
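Review bot: The new assertions in `test_create_group_success` read `al_list[0]` and so assume the first entry returned by `/api/v1/auditlogs/` is the one this test produced, which depends on the endpoint's ordering and on no other entry existing. Select the entry by its fields instead, e.g. `al_dict = next(e for e in al_list if e["resource_type"] == "group" and e["action"] == "create")`, and assert that the description contains `group_name` rather than only that it is not None. The added lines `# test that we can retrieve the role`, `url = reverse("role-detail", ...)` and `client = APIClient()` look copied from the role test and are not used by the assertions that follow in this hunk, and the `resolve` import added in the `@@ -21,7 +21,7 @@` hunk is not used in any visible line. A companion case asserting that a rejected create leaves no audit entry would pin the `status.is_success` guard.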
diff --git a/rbac/management/role/view.py b/rbac/management/role/view.py
index e50544f07..f4402319e 100644
--- a/rbac/management/role/view.py
+++ b/rbac/management/role/view.py
@@ -215,7 +215,8 @@ def create(self, request, *args, **kwargs):
 if status.is_success(create_role.status_code):
 auditlog = AuditLog()
 auditlog.log_create(request, AuditLog.ROLE)
- return create_role
+
+ return create_role
 def list(self, request, *args, **kwargs):
 """Obtain the list of roles for the tenant.
From 7e54cba6871bea25c4baf48a224239a727e4b873 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Wed, 26 Jun 2024 11:41:08 -0700
Subject: [PATCH 3/9] update to use request.data instead of request._data
---
 rbac/management/audit_log/model.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rbac/management/audit_log/model.py b/rbac/management/audit_log/model.py
index 5ea2c2931..8c5d91efc 100644
--- a/rbac/management/audit_log/model.py
+++ b/rbac/management/audit_log/model.py
@@ -82,7 +82,7 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 return role_object_id, role_object_name
 elif r_type == AuditLog.GROUP:
- if request._data is not None:
+ if request.data is not None:
 group_object = get_object_or_404(Group, name=request.data["name"], tenant=verify_tenant)
 else:
 group_uuid = kwargs["kwargs"]["uuid"]
From 69703ca169f7706264ad31371e5584d4a7411442 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Thu, 27 Jun 2024 10:05:34 -0700
Subject: [PATCH 4/9] adding kwargs in order to be able to use kwargs aspect
---
 rbac/management/audit_log/model.py | 6 +++---
 rbac/management/group/view.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rbac/management/audit_log/model.py b/rbac/management/audit_log/model.py
index 8c5d91efc..220194493 100644
--- a/rbac/management/audit_log/model.py
+++ b/rbac/management/audit_log/model.py
@@ -82,7 +82,7 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 return role_object_id, role_object_name
 elif r_type == AuditLog.GROUP:
- if request.data is not None:
+ if request.data != {}:
 group_object = get_object_or_404(Group, name=request.data["name"], tenant=verify_tenant)
 else:
 group_uuid = kwargs["kwargs"]["uuid"]
@@ -99,12 +99,12 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 principal_object = get_object_or_404(Principal, username=request.user.username, tenant=verify_tenant)
 return principal_object.id, principal_object.username
- def log_create(self, request, resource):
+ def log_create(self, request, resource, kwargs):
 """Audit Log when a role or a group is created."""
 self.principal_id, self.principal_username = self.get_resource_item("principal", request)
 self.resource_type = resource
- self.resource_id, resource_name = self.get_resource_item(resource, request)
+ self.resource_id, resource_name = self.get_resource_item(resource, request, kwargs=kwargs)
 self.description = "Created " + resource_name
 self.action = AuditLog.CREATE
diff --git a/rbac/management/group/view.py b/rbac/management/group/view.py
index abfa2e392..44aafa039 100644
--- a/rbac/management/group/view.py
+++ b/rbac/management/group/view.py
@@ -255,7 +255,7 @@ def create(self, request, *args, **kwargs):
 if status.is_success(create_group.status_code):
 auditlog = AuditLog()
- auditlog.log_create(request, AuditLog.GROUP)
+ auditlog.log_create(request, AuditLog.GROUP, kwargs=kwargs)
 return create_group
From 996adc543ce9a2ba8a1b6fdb1a552fa8af9e3b34 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Thu, 27 Jun 2024 10:05:51 -0700
Subject: [PATCH 5/9] Adding tenant verification
---
 rbac/management/audit_log/model.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rbac/management/audit_log/model.py b/rbac/management/audit_log/model.py
index 220194493..8657f2d8a 100644
--- a/rbac/management/audit_log/model.py
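Review bot: In `get_resource_item` (rbac/management/audit_log/model.py, hunk `@@ -82,7 +82,7 @@`) the new test `request.data != {}` sends every non-empty body into the name branch, so a request whose body has other keys but no `name` raises `KeyError` on `request.data["name"]` instead of falling back to the uuid lookup. Test for the key the branch actually needs, `if request.data.get("name"):`. The ROLE branch shown as context in patch 8/9 uses the same comparison and would need the same change. The function body extends beyond the hunk on both sides.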
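Review bot: `log_create(self, request, resource, kwargs)` now requires a third argument, but this commit updates only the group view; the role view's `auditlog.log_create(request, AuditLog.ROLE)` is left as it was until patch 7/9, so role creation would raise `TypeError` at each commit in between. The value is also re-wrapped as `kwargs=kwargs` and read back as `kwargs["kwargs"]["uuid"]`, which hides what is actually being passed. An explicit optional parameter, `def log_create(self, request, resource, resource_uuid=None):`, would keep the two-argument callers working and remove the nesting.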
+++ b/rbac/management/audit_log/model.py
@@ -86,7 +86,7 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 group_object = get_object_or_404(Group, name=request.data["name"], tenant=verify_tenant)
 else:
 group_uuid = kwargs["kwargs"]["uuid"]
- group_object = get_object_or_404(Group, uuid=group_uuid)
+ group_object = get_object_or_404(Group, uuid=group_uuid, tenant=verify_tenant)
 group_object_id = group_object.id
 group_object_name = "group: " + group_object.name
 return group_object_id, group_object_name
From 1317da18ce3bd1f013462f38826a4cc2d5b3a58a Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Thu, 27 Jun 2024 12:26:15 -0700
Subject: [PATCH 6/9] adding print statements to help decode iqe plugin tests
---
 rbac/management/audit_log/model.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rbac/management/audit_log/model.py b/rbac/management/audit_log/model.py
index 8657f2d8a..1293dd4a7 100644
--- a/rbac/management/audit_log/model.py
+++ b/rbac/management/audit_log/model.py
@@ -64,6 +64,7 @@ class AuditLog(TenantAwareModel):
 def get_tenant_id(self, request):
 """Retrieve tenant id from request."""
+ print("entering tenant")
 tenant_object = get_object_or_404(Tenant, org_id=request._user.org_id)
 return tenant_object.id
@@ -83,6 +84,7 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 return role_object_id, role_object_name
 elif r_type == AuditLog.GROUP:
+ print("entering group")
 if request.data != {}:
 group_object = get_object_or_404(Group, name=request.data["name"], tenant=verify_tenant)
 else:
@@ -96,6 +98,7 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 return None
 elif r_type == "principal":
+ print("entering principal")
 principal_object = get_object_or_404(Principal, username=request.user.username, tenant=verify_tenant)
 return principal_object.id, principal_object.username
From b9db305743d9e0c2b1bc401ea050ff199a9b8c50 Mon Sep 17 00:00:00 2001
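Review bot: The `print(...)` calls added in patch 6/9 to `get_tenant_id` and `get_resource_item` (hunks `@@ -64,6 +64,7 @@`, `@@ -83,6 +84,7 @@` and `@@ -96,6 +98,7 @@`) write to stdout on every audited request and bypass the service's logging configuration, so they can be neither filtered nor correlated with a request. If the trace is needed while debugging the plugin tests, emit it through a module logger at debug level with the value that matters, e.g. `logger.debug("audit lookup for resource_type=%s", r_type)`; whether this module already defines a logger is not visible here. Patch 8/9 removes all three again, so they could be dropped from the series altogether.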
From: Ellen-Yi-Dong
Date: Wed, 3 Jul 2024 06:34:36 -0700
Subject: [PATCH 7/9] update to include kwargs for role create as well
---
 rbac/management/role/view.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rbac/management/role/view.py b/rbac/management/role/view.py
index f4402319e..b4733d21c 100644
--- a/rbac/management/role/view.py
+++ b/rbac/management/role/view.py
@@ -214,7 +214,7 @@ def create(self, request, *args, **kwargs):
 if status.is_success(create_role.status_code):
 auditlog = AuditLog()
- auditlog.log_create(request, AuditLog.ROLE)
+ auditlog.log_create(request, AuditLog.ROLE, kwargs=kwargs)
 return create_role
From 5b5cfe9393d407b851857d613397d502ba5c0e76 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Mon, 15 Jul 2024 11:18:23 -0700
Subject: [PATCH 8/9] Change principal check
---
 rbac/management/audit_log/model.py | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/rbac/management/audit_log/model.py b/rbac/management/audit_log/model.py
index 1293dd4a7..56f37f243 100644
--- a/rbac/management/audit_log/model.py
+++ b/rbac/management/audit_log/model.py
@@ -64,14 +64,12 @@ class AuditLog(TenantAwareModel):
 def get_tenant_id(self, request):
 """Retrieve tenant id from request."""
- print("entering tenant")
 tenant_object = get_object_or_404(Tenant, org_id=request._user.org_id)
 return tenant_object.id
 def get_resource_item(self, r_type, request, *args, **kwargs):
 """Find related information (eg, name, id, etc...) for each resource item."""
 verify_tenant = self.get_tenant_id(request)
-
 if r_type == AuditLog.ROLE:
 if request.data != {}:
 role_object = get_object_or_404(Role, name=request.data["name"], tenant=verify_tenant)
@@ -83,7 +81,6 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 return role_object_id, role_object_name
 elif r_type == AuditLog.GROUP:
- print("entering group")
 if request.data != {}:
 group_object = get_object_or_404(Group, name=request.data["name"], tenant=verify_tenant)
 else:
@@ -97,14 +94,11 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 # TODO: update for permission related items
 return None
- elif r_type == "principal":
- print("entering principal")
- principal_object = get_object_or_404(Principal, username=request.user.username, tenant=verify_tenant)
- return principal_object.id, principal_object.username
-
 def log_create(self, request, resource, kwargs):
 """Audit Log when a role or a group is created."""
- self.principal_id, self.principal_username = self.get_resource_item("principal", request)
+ self.principal_id = None
+ self.principal_username = request.user.username
+
 self.resource_type = resource
 self.resource_id, resource_name = self.get_resource_item(resource, request, kwargs=kwargs)
From 063cc1aa95cd54990c932cf4a8dd039b55f6bca7 Mon Sep 17 00:00:00 2001
From: Ellen-Yi-Dong
Date: Tue, 16 Jul 2024 10:13:21 -0700
Subject: [PATCH 9/9] remove unnecessary tenant verification
---
 rbac/management/audit_log/model.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rbac/management/audit_log/model.py b/rbac/management/audit_log/model.py
index 56f37f243..0cd105896 100644
--- a/rbac/management/audit_log/model.py
+++ b/rbac/management/audit_log/model.py
@@ -85,7 +85,7 @@ def get_resource_item(self, r_type, request, *args, **kwargs):
 group_object = get_object_or_404(Group, name=request.data["name"], tenant=verify_tenant)
 else:
 group_uuid = kwargs["kwargs"]["uuid"]
- group_object = get_object_or_404(Group, uuid=group_uuid, tenant=verify_tenant)
+ group_object = get_object_or_404(Group, uuid=group_uuid)
 group_object_id = group_object.id
 group_object_name = "group: " + group_object.name
 return group_object_id, group_object_name
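Review bot: Audit entries lose their stable actor identifier in the `log_create` part of hunk `@@ -97,14 +94,11 @@`: `self.principal_id` is now always `None` and `self.principal_username` is copied from `request.user.username` without any lookup. If usernames can be renamed or reused, or are empty for some callers (not visible here), an entry can no longer be tied to one principal. A best-effort lookup keeps the id where a Principal exists without bringing back the 404: `principal = Principal.objects.filter(username=request.user.username, tenant=self.get_tenant_id(request)).first()` followed by `self.principal_id = principal.id if principal else None`. `log_create` continues past the end of the hunk.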
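Review bot: Dropping `tenant=verify_tenant` from `get_object_or_404(Group, uuid=group_uuid)` in patch 9/9 makes the uuid branch of `get_resource_item` resolve a group from any tenant, while the name branch three lines above still filters by tenant. The audit entry then copies `group_object.id` and `group_object.name` from whatever row matched, so this layer now relies entirely on the calling view having scoped the uuid; if a foreign uuid ever reached it, the log would record another tenant's group name under the caller's entry. If the filter was removed because some groups legitimately live outside the caller's tenant (a guess, the commit message does not say), express that as an explicit condition rather than an unscoped query, or pass the object the view already authorised into the audit call instead of re-querying. At minimum the line needs a comment stating the assumption, e.g. `# uuid is assumed to be tenant-scoped by the calling view; confirm before relying on it`.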