feat: added securityLog to TornadoService

DIRACGrid · Jan 6, 2022 · 54b6db3 · 54b6db3
1 parent ff83bbb
commit 54b6db3
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/src/DIRAC/Core/DISET/private/Service.py b/src/DIRAC/Core/DISET/private/Service.py
@@ -416,7 +416,8 @@ def _processInThread(self, clientTransport):
             if monReport:
                 self.__endReportToMonitoring(*monReport)
 
-    def _createIdentityString(self, credDict, clientTransport=None):
+    @staticmethod
+    def _createIdentityString(credDict, clientTransport=None):
         if "username" in credDict:
             if "group" in credDict:
                 identity = "[%s:%s]" % (credDict["username"], credDict["group"])

diff --git a/src/DIRAC/Core/Tornado/Server/TornadoService.py b/src/DIRAC/Core/Tornado/Server/TornadoService.py
@@ -25,10 +25,12 @@
 
 from DIRAC import gConfig, gLogger, S_OK
 from DIRAC.ConfigurationSystem.Client import PathFinder
+from DIRAC.ConfigurationSystem.Client.Helpers.Operations import Operations
 from DIRAC.Core.DISET.AuthManager import AuthManager
 from DIRAC.Core.Security.X509Chain import X509Chain  # pylint: disable=import-error
 from DIRAC.Core.Utilities.JEncode import decode, encode
 from DIRAC.FrameworkSystem.Client.MonitoringClient import MonitoringClient
+from DIRAC.FrameworkSystem.Client.SecurityLogClient import SecurityLogClient
 
 sLog = gLogger.getSubLogger(__name__)
 
@@ -121,6 +123,8 @@ def export_streamToClient(self, myDataToSend, token):
     # We also need to add specific attributes for each service
     _monitor = None
 
+    SVC_SECLOG_CLIENT = SecurityLogClient()
+
     @classmethod
     def _initMonitoring(cls, serviceName, fullUrl):
         """
@@ -255,6 +259,10 @@ def initialize(self):  # pylint: disable=arguments-differ
                 sLog.error("Error in initialization", repr(e))
                 raise
 
+            self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and self.srv_getCSOption(
+                "EnableSecurityLogging", True
+            )
+
     def prepare(self):
         """
         Prepare the request. It reads certificates and check authorizations.
@@ -292,6 +300,22 @@ def prepare(self):
         # Check whether we are authorized to perform the query
         # Note that performing the authQuery modifies the credDict...
         authorized = self._authManager.authQuery(self.method, self.credDict, hardcodedAuth)
+
+        if self.securityLogging:
+            from DIRAC.Core.DISET.private.Service import Service
+
+            sourceAddress = self.getRemoteAddress()
+            TornadoService.SVC_SECLOG_CLIENT.addMessage(
+                authorized,
+                sourceAddress[0],
+                sourceAddress[1],
+                Service._createIdentityString(self.credDict),
+                "currentHost",
+                "8443",
+                "Tornado/%s" % self.serviceName,
+                self.method,
+            )
+
         if not authorized:
             sLog.error(
                 "Unauthorized access",