
Feature/add principal event logging (#30)
Added logging to endpoints to log what principal is attempting to invoke them
fieldju authored Apr 4, 2017
1 parent 3faf9f8 commit 3100ee9
Showing 16 changed files with 145 additions and 10 deletions.
4 changes: 4 additions & 0 deletions src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java
Expand Up @@ -85,4 +85,8 @@ public String getSafeDepositBoxIdByName(String name) {
return safeDepositBoxMapper.getSafeDepositBoxIdByName(name);
}

public String getSafeDepositBoxNameById(String id) {
return safeDepositBoxMapper.getSafeDepositBoxNameById(id);
}

}
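Review bot: `getSafeDepositBoxNameById` has no Javadoc, and its null behaviour is the part a caller needs: the service-layer call used by the Delete and Get endpoints in this commit wraps the result in `Optional<String>`, which suggests this DAO method returns null when no box matches the id. Suggested Javadoc on the method: `/** Returns the name of the safe deposit box with the given id, or null when no box has that id; callers should wrap the result in Optional. */`. The mapper's return convention for an unmatched id is not visible here, so confirm the null case before documenting it as fact.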
Expand Up @@ -24,6 +24,8 @@
import com.nike.riposte.server.http.ResponseInfo;
import com.nike.riposte.server.http.StandardEndpoint;
import io.netty.channel.ChannelHandlerContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.ws.rs.core.SecurityContext;
import java.util.Optional;
Expand All @@ -35,13 +37,24 @@
*/
public abstract class AdminStandardEndpoint<I, O> extends StandardEndpoint<I, O> {

private final Logger log = LoggerFactory.getLogger(getClass());

public final CompletableFuture<ResponseInfo<O>> execute(final RequestInfo<I> request,
final Executor longRunningTaskExecutor,
final ChannelHandlerContext ctx) {

final Optional<SecurityContext> securityContext =
CmsRequestSecurityValidator.getSecurityContextForRequest(request);

String principal = securityContext.isPresent() ?
securityContext.get().getUserPrincipal() instanceof VaultAuthPrincipal ?
securityContext.get().getUserPrincipal().getName() :
"( Principal is not a Vault auth principal. )" : "( Principal name is empty. )";

log.info("Admin Endpoint Event: the principal {} is attempting to access admin endpoint: {}", principal, this.getClass().getName());
if (!securityContext.isPresent() || !securityContext.get().isUserInRole(VaultAuthPrincipal.ROLE_ADMIN)) {
log.error("Admin Endpoint Event: the principal {} is attempted to access {}, an admin endpoint but was not an admin", principal,
this.getClass().getName());
throw new ApiException(DefaultApiError.ACCESS_DENIED);
}

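Review bot: The principal description on lines 50-53 is a nested ternary that is hard to read and easy to invert; it would be clearer as the small private helper below, with the call site becoming `String principal = describePrincipal(securityContext);`. The denial message on lines 57-58 also has a grammar slip: `"Admin Endpoint Event: the principal {} attempted to access {}, an admin endpoint, but was not an admin"`. Since this logger is built from `getClass()` it already names the concrete subclass, so making the field `protected` would let subclasses such as PutSDBMetadata drop their duplicate `log` field. `execute` continues below the hunk.
```java
/** Describes the caller for audit logging without assuming a principal is present or of the expected type. */
private static String describePrincipal(final Optional<SecurityContext> securityContext) {
    if (!securityContext.isPresent()) {
        return "( Principal name is empty. )";
    }
    if (!(securityContext.get().getUserPrincipal() instanceof VaultAuthPrincipal)) {
        return "( Principal is not a Vault auth principal. )";
    }
    return securityContext.get().getUserPrincipal().getName();
}
```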
Expand Up @@ -27,6 +27,8 @@
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.ws.rs.core.SecurityContext;
import java.util.concurrent.CompletableFuture;
Expand All @@ -37,6 +39,8 @@
*/
public class PutSDBMetadata extends AdminStandardEndpoint<SDBMetadata, Void> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final MetadataService metadataService;

@Inject
Expand All @@ -52,7 +56,12 @@ public CompletableFuture<ResponseInfo<Void>> doExecute(RequestInfo<SDBMetadata>

return CompletableFuture.supplyAsync(() -> {
VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.getUserPrincipal();
metadataService.restoreMetadata(request.getContent(), vaultAuthPrincipal.getName());

String principal = vaultAuthPrincipal.getName();

log.info("Metadata Restore Event: the principal {} is attempting to restore sdb name: '{}'", principal, request.getContent().getName());

metadataService.restoreMetadata(request.getContent(), principal);

return ResponseInfo.<Void>newBuilder()
.withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code())
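Review bot: The new log line on line 90 dereferences `request.getContent().getName()` before `restoreMetadata` runs, so a request with no body would now fail with a NullPointerException on the log statement rather than inside the service; whether the framework guarantees non-null content for this endpoint is not visible here, so a guard such as `request.getContent() == null ? "(no content)" : request.getContent().getName()` is worth considering. The `log` field added on line 77 duplicates the one AdminStandardEndpoint creates via `getClass()`, which already resolves to this concrete class; exposing the parent's logger as `protected` would avoid the second instance. `doExecute` begins above the hunk.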
Expand Up @@ -19,12 +19,15 @@
import com.nike.cerberus.domain.IamRoleAuthResponse;
import com.nike.cerberus.domain.IamRoleCredentialsV1;
import com.nike.cerberus.service.AuthenticationService;
import com.nike.cerberus.util.AwsIamRoleArnParser;
import com.nike.riposte.server.http.RequestInfo;
import com.nike.riposte.server.http.ResponseInfo;
import com.nike.riposte.server.http.StandardEndpoint;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import java.util.concurrent.CompletableFuture;
Expand All @@ -37,6 +40,8 @@
@Deprecated
public class AuthenticateIamRoleV1 extends StandardEndpoint<IamRoleCredentialsV1, IamRoleAuthResponse> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final AuthenticationService authenticationService;

@Inject
Expand All @@ -48,9 +53,15 @@ public AuthenticateIamRoleV1(final AuthenticationService authenticationService)
public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final RequestInfo<IamRoleCredentialsV1> request,
final Executor longRunningTaskExecutor,
final ChannelHandlerContext ctx) {
return CompletableFuture.supplyAsync(() ->
ResponseInfo.newBuilder(authenticationService.authenticate(request.getContent())).build(),
longRunningTaskExecutor);
return CompletableFuture.supplyAsync(() -> {
IamRoleCredentialsV1 credentials = request.getContent();
log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
String.format(AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_TEMPLATE,
credentials.getAccountId(), credentials.getRoleName()), credentials.getRegion());

return ResponseInfo.newBuilder(authenticationService.authenticate(request.getContent())).build();
}, longRunningTaskExecutor);

}

@Override
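Review bot: The identity logged on lines 132-134 is assembled from the request body before `authenticate` has verified anything, so the account id, role name and region are caller-supplied claims rather than an authenticated principal; the message should say so, e.g. `"IAM Auth Event: a caller claiming IAM principal {} is attempting to authenticate in region {}"`, so readers of the log do not treat the value as verified. The same applies to the role ARN logged in AuthenticateIamRoleV2 and to the username logged in AuthenticateUser. The message also reads "in attempting" where "is attempting" is meant, in both V1 and V2. Finally, `credentials` is already in scope, so `authenticationService.authenticate(credentials)` on line 136 avoids the second `request.getContent()` call; V2 has the same duplication.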
Expand Up @@ -18,14 +18,18 @@
package com.nike.cerberus.endpoints.authentication;

import com.nike.cerberus.domain.IamRoleAuthResponse;
import com.nike.cerberus.domain.IamRoleCredentialsV1;
import com.nike.cerberus.domain.IamRoleCredentialsV2;
import com.nike.cerberus.service.AuthenticationService;
import com.nike.cerberus.util.AwsIamRoleArnParser;
import com.nike.riposte.server.http.RequestInfo;
import com.nike.riposte.server.http.ResponseInfo;
import com.nike.riposte.server.http.StandardEndpoint;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import java.util.concurrent.CompletableFuture;
Expand All @@ -37,6 +41,8 @@
*/
public class AuthenticateIamRoleV2 extends StandardEndpoint<IamRoleCredentialsV2, IamRoleAuthResponse> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final AuthenticationService authenticationService;

@Inject
Expand All @@ -48,9 +54,13 @@ public AuthenticateIamRoleV2(final AuthenticationService authenticationService)
public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final RequestInfo<IamRoleCredentialsV2> request,
final Executor longRunningTaskExecutor,
final ChannelHandlerContext ctx) {
return CompletableFuture.supplyAsync(() ->
ResponseInfo.newBuilder(authenticationService.authenticate(request.getContent())).build(),
longRunningTaskExecutor);
return CompletableFuture.supplyAsync(() -> {
IamRoleCredentialsV2 credentials = request.getContent();
log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
credentials.getRoleArn(), credentials.getRegion());

return ResponseInfo.newBuilder(authenticationService.authenticate(request.getContent())).build();
}, longRunningTaskExecutor);
}

@Override
Expand Up @@ -29,6 +29,8 @@
import io.netty.handler.codec.http.HttpMethod;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.ArrayUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.HttpHeaders;
Expand All @@ -41,6 +43,8 @@
*/
public class AuthenticateUser extends StandardEndpoint<Void, AuthResponse> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final AuthenticationService authenticationService;

@Inject
Expand All @@ -56,6 +60,9 @@ public CompletableFuture<ResponseInfo<AuthResponse>> execute(final RequestInfo<V
() -> {
final UserCredentials credentials =
extractCredentials(request.getHeaders().get(HttpHeaders.AUTHORIZATION));

log.info("User Auth Event: the principal: {} is attempting to authenticate", credentials.getUsername());

return ResponseInfo.newBuilder(authenticationService.authenticate(credentials)).build();
},
longRunningTaskExecutor
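Review bot: The audit line on line 214 runs only after `extractCredentials` has succeeded, so an attempt with a missing or malformed Authorization header leaves no "User Auth Event" entry; if the intent is to record every authentication attempt, a corresponding log on the failure path of `extractCredentials` (defined outside the hunk) would be needed. Since the username here comes straight from the header and is not yet verified, quoting it in the message, `"User Auth Event: the principal '{}' is attempting to authenticate"`, keeps an empty or whitespace-only value visible in the log. The surrounding `execute` method begins above the hunk.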
Expand Up @@ -28,6 +28,8 @@
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
Expand All @@ -40,6 +42,8 @@
*/
public class RefreshUserToken extends StandardEndpoint<Void, AuthResponse> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final AuthenticationService authenticationService;

@Inject
Expand All @@ -62,6 +66,10 @@ public ResponseInfo<AuthResponse> getRefreshedUserToken(final RequestInfo<Void>
CmsRequestSecurityValidator.getSecurityContextForRequest(request);

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal =
(VaultAuthPrincipal) securityContext.get().getUserPrincipal();
log.info("Refresh User Token Auth Event: the principal: {} is attempting to refresh its token", vaultAuthPrincipal.getName());

return ResponseInfo.newBuilder(
authenticationService.refreshUserToken(
(VaultAuthPrincipal) securityContext.get().getUserPrincipal())).build();
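Review bot: Lines 243-244 introduce `vaultAuthPrincipal`, but the pre-existing call on line 249 still repeats the cast `(VaultAuthPrincipal) securityContext.get().getUserPrincipal()`; replacing it with `authenticationService.refreshUserToken(vaultAuthPrincipal)).build();` casts once and keeps the logged principal and the refreshed principal the same object. The cast is unchecked and would throw ClassCastException for a principal of another type, which AdminStandardEndpoint in this commit handles explicitly but this endpoint does not; whether the security validator guarantees the type here is not visible in the hunk. `getRefreshedUserToken` starts above the hunk.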
Expand Up @@ -28,6 +28,8 @@
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
Expand All @@ -40,6 +42,8 @@
*/
public class RevokeToken extends StandardEndpoint<Void, Void> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final AuthenticationService authenticationService;

@Inject
Expand All @@ -61,6 +65,9 @@ public ResponseInfo<Void> revokeToken(RequestInfo<Void> request) {
if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal =
(VaultAuthPrincipal) securityContext.get().getUserPrincipal();

log.info("Delete Token Auth Event: the principal: {} is attempting to delete a token", vaultAuthPrincipal.getName());

authenticationService.revoke(vaultAuthPrincipal.getClientToken().getId());
return ResponseInfo.<Void>newBuilder().withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()).build();
}
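Review bot: The message on line 275 says "Delete Token" while the method is `revokeToken` and the service call is `revoke`; `"Revoke Token Auth Event: the principal: {} is attempting to revoke its own token"` keeps the log searchable by the operation's actual name and states whose token is affected. It is right that only the principal name, and not the value from `getClientToken().getId()`, is written to the log. `revokeToken` begins above the hunk.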
Expand Up @@ -31,6 +31,8 @@
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
Expand All @@ -46,6 +48,8 @@
*/
public class CreateSafeDepositBox extends StandardEndpoint<SafeDepositBox, Map<String, String>> {

private final Logger log = LoggerFactory.getLogger(getClass());

public static final String BASE_PATH = "/v1/safe-deposit-box";

public static final String HEADER_X_REFRESH_TOKEN = "X-Refresh-Token";
Expand All @@ -71,6 +75,10 @@ private ResponseInfo<Map<String, String>> createSafeDepositBox(final RequestInfo

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();

log.info("Create SDB Event: the principal: {} is attempting to create sdb name: '{}'",
vaultAuthPrincipal.getName(), request.getContent().getName());

final String id =
safeDepositBoxService.createSafeDepositBox(request.getContent(), vaultAuthPrincipal.getName());

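Review bot: The `log` instance field on line 295 is placed above the `public static final` constants on lines 297 and 299; conventional ordering puts constants first, then instance fields, and DeleteSafeDepositBox has the same ordering. The SDB name logged on line 306 is taken straight from the request body before the service has validated it, so log consumers should treat it as untrusted text; the surrounding quotes help readability but do not neutralize embedded line breaks, so confirm how the logging backend escapes message arguments. `createSafeDepositBox` begins above the hunk.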
Expand Up @@ -29,6 +29,8 @@
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
Expand All @@ -41,6 +43,8 @@
*/
public class DeleteSafeDepositBox extends StandardEndpoint<Void, Void> {

private final Logger log = LoggerFactory.getLogger(getClass());

public static final String HEADER_X_REFRESH_TOKEN = "X-Refresh-Token";

private final SafeDepositBoxService safeDepositBoxService;
Expand All @@ -61,7 +65,15 @@ private ResponseInfo<Void> deleteSafeDepositBox(final RequestInfo<Void> request)

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();
safeDepositBoxService.deleteSafeDepositBox(vaultAuthPrincipal.getUserGroups(), request.getPathParam("id"));

String sdbId = request.getPathParam("id");
Optional<String> sdbNameOptional = safeDepositBoxService.getSafeDepositBoxNameById(sdbId);
String sdbName = sdbNameOptional.isPresent() ? sdbNameOptional.get() :
String.format("(Failed to lookup name from id: %s)", sdbId);
log.info("Delete SDB Event: the principal: {} is attempting to delete sdb name: '{}' and id: '{}'",
vaultAuthPrincipal.getName(), sdbName, sdbId);

safeDepositBoxService.deleteSafeDepositBox(vaultAuthPrincipal.getUserGroups(), sdbId);
return ResponseInfo.<Void>newBuilder().withHttpStatusCode(HttpResponseStatus.OK.code())
.withHeaders(new DefaultHttpHeaders().set(HEADER_X_REFRESH_TOKEN, Boolean.TRUE.toString()))
.build();
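Review bot: Lines 337-342 duplicate the lookup-and-format block that GetSafeDepositBox adds on lines 373-378; both would be simpler as `String sdbName = sdbNameOptional.orElseGet(() -> String.format("(Failed to lookup name from id: %s)", sdbId));`, and the lookup could live in one helper on SafeDepositBoxService so the fallback text stays consistent. Note that the name lookup runs before `deleteSafeDepositBox` applies the caller's group-based authorization, so it executes for every authenticated caller regardless of whether they may touch the box; the name only goes to the log, not the response, so this is an extra query rather than a disclosure. `deleteSafeDepositBox` starts above the hunk.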
Expand Up @@ -29,6 +29,8 @@
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
Expand All @@ -42,6 +44,8 @@
*/
public class GetSafeDepositBox extends StandardEndpoint<Void, SafeDepositBox> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final SafeDepositBoxService safeDepositBoxService;

@Inject
Expand All @@ -62,10 +66,18 @@ public ResponseInfo<SafeDepositBox> getSafeDepositBox(final RequestInfo<Void> re

if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();

String sdbId = request.getPathParam("id");
Optional<String> sdbNameOptional = safeDepositBoxService.getSafeDepositBoxNameById(sdbId);
String sdbName = sdbNameOptional.isPresent() ? sdbNameOptional.get() :
String.format("(Failed to lookup name from id: %s)", sdbId);
log.info("Read SDB Event: the principal: {} is attempting to read sdb name: '{}' and id: '{}'",
vaultAuthPrincipal.getName(), sdbName, sdbId);

final Optional<SafeDepositBox> safeDepositBox =
safeDepositBoxService.getAssociatedSafeDepositBox(
vaultAuthPrincipal.getUserGroups(),
request.getPathParam("id"));
sdbId);

if (safeDepositBox.isPresent()) {
return ResponseInfo.newBuilder(safeDepositBox.get()).build();
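Review bot: The extra `getSafeDepositBoxNameById` round trip on line 374 exists only to decorate the log line, yet the successful path already receives the full `SafeDepositBox` from `getAssociatedSafeDepositBox` on lines 380-384; logging the attempt with the id alone before that call, and the name once the box is returned, would avoid a second query on every read. If the name is required in the pre-authorization line, at least the fallback should be documented as log-only text so nobody later surfaces it to the caller. `getSafeDepositBox` starts above the hunk.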
Expand Up @@ -28,6 +28,8 @@
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
Expand All @@ -42,6 +44,8 @@
*/
public class GetSafeDepositBoxes extends StandardEndpoint<Void, List<SafeDepositBoxSummary>> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final SafeDepositBoxService safeDepositBoxService;

@Inject
Expand All @@ -63,6 +67,9 @@ public ResponseInfo<List<SafeDepositBoxSummary>> getSafeDepositBoxes(final Reque
if (securityContext.isPresent()) {
final VaultAuthPrincipal vaultAuthPrincipal = (VaultAuthPrincipal) securityContext.get().getUserPrincipal();

log.info("List SDB Event: the principal: {} is attempting to list the SDBs that it has access to",
vaultAuthPrincipal.getName());

return ResponseInfo.newBuilder(
safeDepositBoxService.getAssociatedSafeDepositBoxes(vaultAuthPrincipal.getUserGroups())).build();
}
Expand Down

