
Conversation

@dividedmind
Contributor

Closes #572.

What does this pull request do?

Ultimately, this pull request adds audit events for entitlement operations (roles#add_member and roles#delete_member).

This addition prompted a thorough refactoring of audit code. Hopefully now it's a bit clearer and better organized.

What background context can you provide?

Audit events were generated for policy loading, but similar events when using entitlements were missing. This brings them in.

Where should the reviewer start?

It's probably a good idea to take a look at the cukes and see if the audit messages seem reasonable. In particular I wasn't sure if the audit events generated from entitlements should carry a policy@43868 structured data element; when loading a policy, it describes which version of which policy caused the given change.

Then, since this PR encompasses a supporting refactoring in addition to the nominal change, I suggest examining the code commit-by-commit instead of wholesale.

How should this be manually tested?

When a server from this codebase is run and entitlement endpoints are being used, there should be messages in the log stream describing these actions.

Link to build in Jenkins (if appropriate)

https://jenkins.conjur.net/job/cyberark--conjur/job/entitlement-events/1/

Questions:

Does this have automated Cucumber tests?

Yes. However, they're not currently run on Jenkins as they rely on an in-process server (#579).

This change brings Layout/MultilineMethodCallIndentation and
Layout/AlignParameters in line with the most common style currently
used in the project.

- Abstract audit events
- Add a new Util::Struct class for clearer and more concise
  explicit declaration of structures
- Move some subclasses of Audit to better places in the codebase

Add the tests using audit steps for the policy events already emitted.
Also modify matchers in audit_steps to disregard the order of
parameters in structured data for more robust tests.

To support emitting audit events from entitlements,
policy_version is now an optional parameter for Audit::Event::Policy.
You can provide user role instead, and the event will use that for
auth@43868 and won't have policy@43868 field.
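
The commits above make the audit matchers ignore parameter order and let an event carry auth@43868 without policy@43868. The following is an added example, not code from this PR or from Conjur, of how a log consumer or test can parse RFC 5424 structured data and compare it without depending on order. The parameter names and values in the sample strings are constructed, and `policy_attributed?` is a hypothetical helper.

```ruby
# Added example, not Conjur's code. Only the SD-IDs auth@43868 and policy@43868
# come from the PR; parameter names and values below are constructed.
SD_PARAM   = /([^ =\]"]+)="((?:\\.|[^"\\\]])*)"/
SD_ELEMENT = /\A\[([^ =\]"]+)((?: [^ =\]"]+="(?:\\.|[^"\\\]])*")*)\]/

# Parse RFC 5424 STRUCTURED-DATA into { sd_id => sorted [[name, value], ...] }.
# Sorting the pairs (and using a Hash for elements) removes ordering from the
# result; pairs are kept as arrays because a PARAM-NAME may legally repeat.
def parse_structured_data(sd)
  return {} if sd == '-' # NILVALUE: the message has no structured data
  elements = {}
  rest = sd
  until rest.empty?
    m = SD_ELEMENT.match(rest)
    raise ArgumentError, "malformed structured data at #{rest[0, 20].inspect}" unless m
    sd_id, params = m[1], m[2]
    raise ArgumentError, "duplicate SD-ID #{sd_id}" if elements.key?(sd_id)
    elements[sd_id] = params.scan(SD_PARAM).map do |name, value|
      [name, value.gsub(/\\(["\\\]])/, '\1')] # undo the \" \\ \] escapes
    end.sort
    rest = m.post_match
  end
  elements
end

# True when both strings carry the same elements and parameters, in any order.
def same_structured_data?(left, right)
  parse_structured_data(left) == parse_structured_data(right)
end

# True when the event names the policy version that caused the change.
def policy_attributed?(sd)
  parse_structured_data(sd).key?('policy@43868')
end

# Constructed samples: a policy-load style event, the same event with elements
# and parameters reordered, and an entitlement style event without policy@43868.
POLICY_SD      = '[auth@43868 user="acct:user:alice"][policy@43868 id="acct:policy:root" version="1"]'
POLICY_SD_SWAP = '[policy@43868 version="1" id="acct:policy:root"][auth@43868 user="acct:user:alice"]'
ENTITLEMENT_SD = '[auth@43868 user="acct:user:alice"]'
```

Comparing parsed structures rather than raw strings also keeps escaped `"`, `\` and `]` characters inside values from truncating a match.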
Contributor

@micahlee micahlee left a comment

I really like the refactor! I was able to understand and follow everything clearly, without having looked at the audit code before.

I'm going to leave the approval for Alan, but I have no changes to request on either the refactor or the entitlement audit messages. The only concern I have is the tests not running in the CI pipeline yet, but as there is a ticket to address this, I'm satisfied for now.

@dividedmind dividedmind requested a review from jonahx June 22, 2018 21:39
Contributor

@apotterri apotterri left a comment

Looks good, thanks.

@dividedmind dividedmind merged commit b5ac452 into master Jun 26, 2018
@ghost ghost removed the review label Jun 26, 2018
conjur-jenkins pushed a commit that referenced this pull request Nov 22, 2024
CNJR-6108 Add delete items to policy dryrun REST API response