Merge "Fully log RBAC enforcement data"

2018-12-03 23:31:44 +00:00 · 2018-12-03 23:31:44 +00:00 · f1505dd407
commit f1505dd407
parent 21f3ba6695 0d7c5b3947
2 changed files with 33 additions and 0 deletions
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@ -230,6 +230,7 @@ import warnings
 from oslo_config import cfg
 from oslo_context import context
 from oslo_serialization import jsonutils
+from oslo_utils import strutils
 import six
 import yaml

@ -838,6 +839,37 @@ class Enforcer(object):
            )
            raise InvalidContextObject(msg)

+        if LOG.isEnabledFor(logging.DEBUG):
+            try:
+                # NOTE(jdennis) Although a MutableMapping behaves like
+                # a dict oslo.strutils.mask_dict_password() requires a
+                # dict. Bug #1804528 was opened to fix this, once that
+                # bug is fixed the conversion to dict can be removed.
+                if isinstance(creds, dict):
+                    creds_dict = creds
+                elif isinstance(creds, collections.MutableMapping):
+                    creds_dict = dict(creds)
+                else:
+                    raise TypeError('unexpected type %(creds_type)s' %
+                                    {'creds_type': type(creds)})
+                creds_dict = strutils.mask_dict_password(creds_dict)
+                creds_msg = jsonutils.dumps(creds_dict,
+                                            skipkeys=True, sort_keys=True)
+            except Exception as e:
+                creds_msg = ('cannot format data, exception: %(exp)s' %
+                             {'exp': e})
+
+            try:
+                target_msg = jsonutils.dumps(target,
+                                             skipkeys=True, sort_keys=True)
+            except Exception as e:
+                target_msg = ('cannot format data, exception: %(exp)s' %
+                              {'exp': e})
+
+            LOG.debug('enforce: rule=%s creds=%s target=%s',
+                      rule.__class__ if isinstance(rule, _checks.BaseCheck)
+                      else '"%s"' % rule, creds_msg, target_msg)
+
        # Allow the rule to be a Check tree
        if isinstance(rule, _checks.BaseCheck):
            # If the thing we're given is a Check, we don't know the
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@ -773,6 +773,7 @@ class EnforcerTest(base.PolicyBaseTestCase):

    @mock.patch.object(policy.Enforcer, '_map_context_attributes_into_creds')
    def test_enforcer_call_map_context_attributes(self, map_mock):
+        map_mock.return_value = {}
        rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
        self.enforcer.register_default(rule)