Merge "Make sure audit can handle API requests which does not require a token"

2016-06-06 23:55:30 +00:00 · 2016-06-06 23:55:30 +00:00 · 2ab0f98a9f
commit 2ab0f98a9f
parent ae0a7518e4 d8cb5a3e93
3 changed files with 65 additions and 9 deletions
--- a/keystonemiddleware/audit.py
+++ b/keystonemiddleware/audit.py
@ -51,7 +51,7 @@ from six.moves import configparser
 from six.moves.urllib import parse as urlparse
 import webob.dec
-from keystonemiddleware.i18n import _LE, _LI
+from keystonemiddleware.i18n import _LE, _LI, _LW
 _LOG = None
@ -286,13 +286,19 @@ class OpenStackAuditApi(object):
        service_info = Service(type=taxonomy.UNKNOWN, name=taxonomy.UNKNOWN,
                               id=taxonomy.UNKNOWN, admin_endp=None,
                               private_endp=None, public_endp=None)
        catalog = {}
        try:
            catalog = ast.literal_eval(
                req.environ['HTTP_X_SERVICE_CATALOG'])
        except KeyError:
-            raise PycadfAuditApiConfigError(
+            _LOG.warning(_LW('Unable to discover target information because '
-                'Service catalog is missing. '
+                             'service catalog is missing. Either the incoming '
-                'Cannot discover target information')
+                             'request does not contain an auth token or auth '
                             'token does not contain a service catalog. For '
                             'the latter, please make sure the '
                             '"include_service_catalog" property in '
                             'auth_token middleware is set to "True"'))
        default_endpoint = None
        for endp in catalog:
@ -431,13 +437,14 @@ class AuditMiddleware(object):
        initiator = ClientResource(
            typeURI=taxonomy.ACCOUNT_USER,
-            id=req.environ['HTTP_X_USER_ID'],
+            id=req.environ.get('HTTP_X_USER_ID', taxonomy.UNKNOWN),
-            name=req.environ['HTTP_X_USER_NAME'],
+            name=req.environ.get('HTTP_X_USER_NAME', taxonomy.UNKNOWN),
            host=host.Host(address=req.client_addr, agent=req.user_agent),
            credential=KeystoneCredential(
-                token=req.environ['HTTP_X_AUTH_TOKEN'],
+                token=req.environ.get('HTTP_X_AUTH_TOKEN', ''),
-                identity_status=req.environ['HTTP_X_IDENTITY_STATUS']),
+                identity_status=req.environ.get('HTTP_X_IDENTITY_STATUS',
-            project_id=req.environ['HTTP_X_PROJECT_ID'])
+                                                taxonomy.UNKNOWN)),
            project_id=req.environ.get('HTTP_X_PROJECT_ID', taxonomy.UNKNOWN))
        target = self._cadf_audit.get_target_resource(req)
        event = factory.EventFactory().new_event(
--- a/keystonemiddleware/tests/unit/test_audit_middleware.py
+++ b/keystonemiddleware/tests/unit/test_audit_middleware.py
@ -703,3 +703,43 @@ class AuditApiLogicTest(BaseAuditMiddlewareTest):
        self.middleware._process_request(req)
        payload = req.environ['cadf_event'].as_dict()
        self.assertEqual((payload['target']['addresses'][0]['url']), "unknown")
    def test_no_auth_token(self):
        # Test cases where API requests such as Swift list public containers
        # which does not require an auth token. In these cases, CADF event
        # should have the defaults (i.e taxonomy.UNKNOWN) instead of raising
        # an exception.
        env_headers = {'HTTP_X_IDENTITY_STATUS': 'Invalid',
                       'REQUEST_METHOD': 'GET'}
        req = webob.Request.blank('https://23.253.72.207/v1/'
                                  + str(uuid.uuid4()),
                                  environ=env_headers,
                                  remote_addr='192.168.0.1')
        req.context = {}
        self.middleware._process_request(req)
        payload = req.environ['cadf_event'].as_dict()
        self.assertEqual(payload['action'], 'read')
        self.assertEqual(payload['typeURI'],
                         'http://schemas.dmtf.org/cloud/audit/1.0/event')
        self.assertEqual(payload['outcome'], 'pending')
        self.assertEqual(payload['eventType'], 'activity')
        self.assertEqual(payload['target']['name'], taxonomy.UNKNOWN)
        self.assertEqual(payload['target']['id'], taxonomy.UNKNOWN)
        self.assertEqual(payload['target']['typeURI'], taxonomy.UNKNOWN)
        self.assertNotIn('addresses', payload['target'])
        self.assertEqual(payload['initiator']['id'], taxonomy.UNKNOWN)
        self.assertEqual(payload['initiator']['name'], taxonomy.UNKNOWN)
        self.assertEqual(payload['initiator']['project_id'],
                         taxonomy.UNKNOWN)
        self.assertEqual(payload['initiator']['host']['address'],
                         '192.168.0.1')
        self.assertEqual(payload['initiator']['typeURI'],
                         'service/security/account/user')
        self.assertNotEqual(payload['initiator']['credential']['token'],
                            None)
        self.assertEqual(payload['initiator']['credential']['identity_status'],
                         'Invalid')
        self.assertNotIn('reason', payload)
        self.assertNotIn('reporterchain', payload)
        self.assertEqual(payload['observer']['id'], 'target')
        self.assertEqual(req.path, payload['requestPath'])
--- a/releasenotes/notes/bug-1583699-dba4fe6c057e2be5.yaml
+++ b/releasenotes/notes/bug-1583699-dba4fe6c057e2be5.yaml
@ -0,0 +1,9 @@
 ---
 fixes:
  - >
    [`bug 1583699 <https://bugs.launchpad.net/keystonemiddleware/+bug/1583699>`_]
    Some service APIs (such as Swift list public containers) do not require
    a token. Therefore, there will be no identity or service catalog
    information available. In these cases, audit now fills in the default
    (i.e. taxonomy.UNKNOWN) for both initiator and target instead of raising
    an exception.