Merge pull request #2652 from cyberark/audit-list

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [1.18.5] - 2022-09-14
 
+### Added
+- List resources request (`GET /resources`) now produce audit events.
+ ([cyberark/conjur#2652](https://github.com/cyberark/conjur/pull/2652)
+
 ## [1.18.4] - 2022-09-11
 
 ### Added

app/controllers/resources_controller.rb

@@ -19,8 +19,10 @@ def index
  options[:limit] = conjur_config.api_resource_list_limit_max.to_s unless options[:limit]
 
  unless options[:limit].to_i <= conjur_config.api_resource_list_limit_max
- raise ApplicationController::UnprocessableEntity, \
- "'Limit' parameter must not exceed #{conjur_config.api_resource_list_limit_max}"
+ error_message = "'Limit' parameter must not exceed #{conjur_config.api_resource_list_limit_max}"
+ audit_list_failure(options, error_message)
+ raise ApplicationController::UnprocessableEntity, error_message
+
  end
  end
 
@@ -35,8 +37,10 @@ def index
  begin
  scope = Resource.visible_to(assumed_role(query_role)).search(**options)
  rescue ApplicationController::Forbidden
+ audit_list_failure(options, "The authenticated user lacks the necessary privilege")
  raise
  rescue ArgumentError => e
+ audit_list_failure(options, e.message)
  raise ApplicationController::UnprocessableEntity, e.message
  end
 
@@ -51,7 +55,7 @@ def index
  eager(:policy_versions).
  all
  end
-
+ audit_list_success(options)
  render(json: result)
  end
 
@@ -120,4 +124,36 @@ def audit_failure(privilege, err)
  def conjur_config
  Rails.application.config.conjur_config
  end
+
+ private
+
+ def audit_list_success(options)
+ additional_params = %i[count acting_as role]
+ additional_options = params.permit(*additional_params)
+ .slice(*additional_params).to_h.symbolize_keys
+ Audit.logger.log(
+ Audit::Event::List.new(
+ user_id: current_user.role_id,
+ client_ip: request.ip,
+ subject: options.clone.merge(additional_options),
+ success: true
+ )
+ )
+ end
+
+ def audit_list_failure(options, error_message)
+ additional_params = %i[count acting_as role]
+ additional_options = params.permit(*additional_params)
+ .slice(*additional_params).to_h.symbolize_keys
+ Audit.logger.log(
+ Audit::Event::List.new(
+ user_id: current_user.role_id,
+ client_ip: request.ip,
+ subject: options.clone.merge(additional_options),
+ success: false,
+ error_message: error_message
+ )
+ )
+ end
+
 end

app/models/audit/event/list.rb

@@ -0,0 +1,90 @@
+module Audit
+ module Event
+ # NOTE: Breaking this class up further would harm clarity.
+ # :reek:TooManyInstanceVariables and :reek:TooManyParameters
+ class List
+
+ def initialize(
+ user_id:,
+ client_ip:,
+ success:,
+ subject:,
+ error_message: nil
+ )
+ @user_id = user_id
+ @client_ip = client_ip
+ @subject = subject
+ @success = success
+ @error_message = error_message
+
+ # Implements `==` for audit events
+ @comparable_evt = ComparableEvent.new(self)
+ end
+
+ # NOTE: We want this class to be responsible for providing `progname`.
+ # At the same time, `progname` is currently always "conjur" and this is
+ # unlikely to change. Moving `progname` into the constructor now
+ # feels like premature optimization, so we ignore reek here.
+ # :reek:UtilityFunction
+ def progname
+ Event.progname
+ end
+
+ # action_sd means "action structured data"
+ def action_sd
+ attempted_action.action_sd
+ end
+
+ def severity
+ attempted_action.severity
+ end
+
+ def to_s
+ message
+ end
+
+ def message
+ attempted_action.message(
+ success_msg: "#{@user_id} successfully listed resources with parameters: #{@subject}",
+ failure_msg: "#{@user_id} failed to list resources with parameters: #{@subject}",
+ error_msg: @error_message
+ )
+ end
+
+ def message_id
+ 'list'
+ end
+
+ def structured_data
+ {
+ SDID::AUTH => { user: @user_id },
+ SDID::SUBJECT => @subject,
+ SDID::CLIENT => { ip: @client_ip }
+ }.merge(
+ attempted_action.action_sd
+ )
+ end
+
+ def facility
+ # Security or authorization messages which should be kept private. See:
+ # https://github.com/ruby/ruby/blob/master/ext/syslog/syslog.c#L109
+ # Note: Changed this to from LOG_AUTH to LOG_AUTHPRIV because the former
+ # is deprecated.
+ Syslog::LOG_AUTHPRIV
+ end
+
+ def ==(other)
+ @comparable_evt == other
+ end
+
+ private
+
+ def attempted_action
+ @attempted_action ||= AttemptedAction.new(
+ success: @success,
+ operation: 'list'
+ )
+ end
+ end
+ end
+end

cucumber/api/features/resource_list.feature

@@ -3,33 +3,74 @@
 Feature: List resources with various types of filtering
 
  Background:
- Given I create 3 new resources
+ Given I am a user named "alice"
+ And I create 3 new resources
 
  @smoke
  Scenario: The resource list includes a new resource.
 
  The most basic resource listing route returns all resources in an account.
 
+ Given I save my place in the audit log file for remote
  When I successfully GET "/resources/cucumber"
  Then the resource list should include the newest resources
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:alice successfully listed resources with parameters: {:account=>"cucumber"}
+ """
 
  @smoke
  Scenario: The resource list can be filtered by resource kind.
  Given I create a new "custom" resource
+ And I save my place in the audit log file for remote
  When I successfully GET "/resources/cucumber/custom"
  Then the resource list should include the newest resource
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="custom"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:alice successfully listed resources with parameters: {:account=>"cucumber", :kind=>"custom"}
+ """
 
  @acceptance
  Scenario: The resource list, when filtered by a different resource kind, does not include the newest resource.
  Given I create a new "custom" resource
+ And I save my place in the audit log file for remote
  When I successfully GET "/resources/cucumber/uncreated-resource-kind"
  Then the resource list should not include the newest resource
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="uncreated-resource-kind"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:alice successfully listed resources with parameters: {:account=>"cucumber", :kind=>"uncreated-resource-kind"}
+ """
 
  @smoke
  Scenario: The resource list is searched and contains a resource with a matching resource id.
  Given I create a new resource called "target"
+ And I save my place in the audit log file for remote
  When I successfully GET "/resources/cucumber/test-resource?search=target"
  Then the resource list should only include the searched resource
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="test-resource" search="target"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:alice successfully listed resources with parameters: {:account=>"cucumber", :kind=>"test-resource", :search=>"target"}
+ """
 
  @smoke
  Scenario: The resource list is searched and contains a resource with a matching annotation.
@@ -70,17 +111,39 @@ Feature: List resources with various types of filtering
 
  @negative @acceptance
  Scenario: The resource list cannot be limited with non numeric value
+ Given I save my place in the audit log file for remote
  When I GET "/resources/cucumber/test-resource?limit=abc"
  Then the HTTP response status code is 422
  And there is an error
  And the error message includes "'limit' contains an invalid value. 'limit' must be a positive integer."
+ And there is an audit record matching:
+ """
+ <84>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="test-resource" limit="abc"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="failure" operation="list"]
+ cucumber:user:alice failed to list resources with parameters: {:account=>"cucumber", :kind=>"test-resource", :limit=>"abc"}:
+ 'limit' contains an invalid value. 'limit' must be a positive integer
+ """
 
  @negative @acceptance
  Scenario: The resource list cannot be limited with zero
+ Given I save my place in the audit log file for remote
  When I GET "/resources/cucumber/test-resource?limit=0"
  Then the HTTP response status code is 422
  And there is an error
  And the error message includes "'limit' contains an invalid value. 'limit' must be a positive integer."
+ And there is an audit record matching:
+ """
+ <84>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="test-resource" limit="0"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="failure" operation="list"]
+ cucumber:user:alice failed to list resources with parameters: {:account=>"cucumber", :kind=>"test-resource", :limit=>"0"}:
+ 'limit' contains an invalid value. 'limit' must be a positive integer
+ """
 
  @negative @acceptance
  Scenario: The resource list cannot be limited with negative integer
@@ -96,10 +159,21 @@ Feature: List resources with various types of filtering
 
  @negative @acceptance
  Scenario: The resource list cannot be retrieved starting from a specific offset with non numeric value
+ Given I save my place in the audit log file for remote
  When I GET "/resources/cucumber/test-resource?offset=abc"
  Then the HTTP response status code is 422
  And there is an error
  And the error message includes "'offset' contains an invalid value. 'offset' must be an integer greater than or equal to 0."
+ And there is an audit record matching:
+ """
+ <84>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="test-resource" offset="abc"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="failure" operation="list"]
+ cucumber:user:alice failed to list resources with parameters: {:account=>"cucumber", :kind=>"test-resource", :offset=>"abc"}:
+ 'offset' contains an invalid value. 'offset' must be an integer greater than or equal to 0
+ """
 
  @negative @acceptance
  Scenario: The resource list cannot be retrieved starting from a specific offset with negative integer
@@ -110,9 +184,18 @@ Feature: List resources with various types of filtering
 
  @smoke
  Scenario: The resource list is retrieved starting from a specific offset and is limited
+ Given I save my place in the audit log file for remote
  When I successfully GET "/resources/cucumber/test-resource?offset=1&limit=1"
  Then I receive 1 resources
-
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="test-resource" limit="1" offset="1"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:alice successfully listed resources with parameters: {:account=>"cucumber", :kind=>"test-resource", :limit=>"1", :offset=>"1"}
+ """
  @negative @acceptance
  Scenario: The resource list cannot be retrieved with non numeric limit delimiter
  When I GET "/resources/cucumber/test-resource?offset=1&limit=abc"
@@ -129,5 +212,15 @@ Feature: List resources with various types of filtering
 
  @smoke
  Scenario: The resource list is counted.
+ Given I save my place in the audit log file for remote
  When I successfully GET "/resources/cucumber/test-resource?count=true"
  Then I receive a count of 3
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:alice"]
+ [subject@43868 account="cucumber" kind="test-resource" count="true"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:alice successfully listed resources with parameters: {:account=>"cucumber", :kind=>"test-resource", :count=>"true"}
+ """

cucumber/api/features/resource_list_by_role.feature

@@ -21,9 +21,19 @@ Feature: List resources for another role
 
  @smoke
  Scenario: The resource list can be retrieved for a different role, specified the query parameter role
+ Given I save my place in the audit log file for remote
  When I successfully GET "/resources?role=cucumber:user:alice"
  Then the resource list should contain "variable" "dev/dev-var"
  And the resource list should not contain "variable" "prod/prod-var"
+ And there is an audit record matching:
+ """
+ <86>1 * * conjur * list
+ [auth@43868 user="cucumber:user:admin"]
+ [subject@43868 role="cucumber:user:alice"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="success" operation="list"]
+ cucumber:user:admin successfully listed resources with parameters: {:role=>"cucumber:user:alice"}
+ """
 
  @smoke
  Scenario: The resource list can be retrieved for a different role, specified the query parameter acting_as
@@ -33,5 +43,16 @@ Feature: List resources for another role
 
  @negative @acceptance
  Scenario: Attempting to retrieve the resource list for a different role but without giving the account in the ID results in a 403
+ Given I save my place in the audit log file for remote
  When I GET "/resources?acting_as=user:alice"
  Then the HTTP response status code is 403
+ And there is an audit record matching:
+ """
+ <84>1 * * conjur * list
+ [auth@43868 user="cucumber:user:admin"]
+ [subject@43868 acting_as="user:alice"]
+ [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+ [action@43868 result="failure" operation="list"]
+ cucumber:user:admin failed to list resources with parameters: {:acting_as=>"user:alice"}:
+ The authenticated user lacks the necessary privilege
+ """