Events - basic support for credentials

code/src/sixsq/nuvla/server/resources/credential.clj

@@ -9,6 +9,8 @@ passwords) or other services (e.g. TLS credentials for Docker). Creating new
     [sixsq.nuvla.auth.utils :as auth]
     [sixsq.nuvla.db.impl :as db]
     [sixsq.nuvla.server.resources.common.crud :as crud]
+    [sixsq.nuvla.server.resources.common.event-config :as ec]
+    [sixsq.nuvla.server.resources.common.event-context :as ectx]
     [sixsq.nuvla.server.resources.common.std-crud :as std-crud]
     [sixsq.nuvla.server.resources.common.utils :as u]
     [sixsq.nuvla.server.resources.job :as job]
@@ -314,13 +316,31 @@ passwords) or other services (e.g. TLS credentials for Docker). Creating new
 
 (defmethod crud/delete resource-type
   [{{uuid :uuid} :params :as request}]
-  (-> (str resource-type "/" uuid)
-      (db/retrieve request)
-      (a/throw-cannot-delete request)
-      (special-delete request)))
+  (let [resource (-> (str resource-type "/" uuid)
+                     (db/retrieve request))
+        delete-resp (-> resource
+                        (a/throw-cannot-delete request)
+                        (special-delete request))]
+    (ectx/add-to-context :resource resource)
+    (ectx/add-to-context :acl (:acl resource))
+    delete-resp))
 
 
 (def query-impl (std-crud/query-fn resource-type collection-acl collection-type))
 (defmethod crud/query resource-type
   [request]
   (query-impl request))
+
+
+;;
+;; Events
+;;
+
+(defmethod ec/events-enabled? resource-type
+  [_resource-type]
+  true)
+
+
+(defmethod ec/log-event? "credential.check"
+  [_event _response]
+  false)

code/test/sixsq/nuvla/server/resources/credential/vpn_utils_test.clj

@@ -1,6 +1,7 @@
 (ns sixsq.nuvla.server.resources.credential.vpn-utils-test
   (:require
     [clojure.data.json :as json]
+    [clojure.string :as string]
     [clojure.string :as str]
     [clojure.test :refer [is]]
     [peridot.core :refer [content-type header request session]]
@@ -76,7 +77,18 @@
                                :description description-attr
                                :tags        tags-attr
                                :template    {:href   href
-                                             :parent infra-service-id}}]
+                                             :parent infra-service-id}}
+
+        authn-info-admin      {:user-id      "group/nuvla-admin"
+                               :active-claim "group/nuvla-admin"
+                               :claims       ["group/nuvla-admin" "group/nuvla-anon" "group/nuvla-user"]}
+        test-claims           (-> claims (string/split #"\s"))
+        authn-info-test       {:user-id      (first test-claims)
+                               :active-claim (second test-claims)
+                               :claims       (set test-claims)}
+        authn-info-anon       {:user-id      "user/unknown"
+                               :active-claim "user/unknown"
+                               :claims       #{"user/unknown" "group/nuvla-anon"}}]
 
     ;; admin/user query should succeed but be empty (no credentials created yet)
     (doseq [session [session-admin session-test]]
@@ -96,13 +108,25 @@
         (ltu/is-status 403))
 
     ;; creating a new credential without reference will fail for all types of users
-    (doseq [session [session-admin session-test session-anon]]
+    (doseq [[session event-owners authn-info]
+            [[session-admin ["group/nuvla-admin"] authn-info-admin]
+             [session-test ["group/nuvla-admin"] authn-info-test]
+             [session-anon ["group/nuvla-admin"] authn-info-anon]]]
       (-> session
           (request base-uri
                    :request-method :post
                    :body (json/write-str create-import-no-href))
           (ltu/body->edn)
-          (ltu/is-status 400)))
+          (ltu/is-status 400))
+
+      (ltu/is-last-event nil
+                         {:name               "credential.add"
+                          :description        "credential.add attempt failed."
+                          :category           "add"
+                          :success            false
+                          :linked-identifiers []
+                          :authn-info         authn-info
+                          :acl                {:owners event-owners}}))
 
     ;; creating a new credential as anon will fail; expect 400 because href cannot be accessed
     (-> session-anon
@@ -162,6 +186,15 @@
         ;; resource id and the uri (location) should be the same
         (is (= id uri))
 
+        (ltu/is-last-event uri
+                           {:name               "credential.add"
+                            :description        (str user-id " added credential " name-attr ".")
+                            :category           "add"
+                            :success            true
+                            :linked-identifiers []
+                            :authn-info         authn-info-test
+                            :acl                {:owners ["group/nuvla-admin"]}})
+
         ;; admin should be able to see and delete credential
         (-> session-admin
             (request abs-uri)
@@ -226,7 +259,15 @@
               (request abs-uri
                        :request-method :delete)
               (ltu/body->edn)
-              (ltu/is-status 200)))
+              (ltu/is-status 200))
 
+          (ltu/is-last-event uri
+                             {:name               "credential.delete"
+                              :description        (str user-id " deleted credential " name-attr ".")
+                              :category           "delete"
+                              :success            true
+                              :linked-identifiers []
+                              :authn-info         authn-info-test
+                              :acl                {:owners ["group/nuvla-admin"]}}))
         ))
     ))

code/test/sixsq/nuvla/server/resources/credential_api_key_lifecycle_test.clj

@@ -35,7 +35,7 @@
                                         session
                                         (content-type "application/json"))
         session-admin               (header session authn-info-header
-                                            "group/nuvla-admin group/nuvla-user group/nuvla-anon")
+                                            "group/nuvla-admin group/nuvla-admin group/nuvla-user group/nuvla-anon")
         session-user                (header session authn-info-header "user/jane user/jane group/nuvla-user group/nuvla-anon")
         session-anon                (header session authn-info-header "user/unknown user/unknown group/nuvla-anon")
 
@@ -63,7 +63,17 @@
         create-import-href-zero-ttl {:template {:href href
                                                 :ttl  0}}
 
-        create-import-href-no-ttl   {:template {:href href}}]
+        create-import-href-no-ttl   {:template {:href href}}
+        authn-info-admin            {:user-id      "group/nuvla-admin"
+                                     :active-claim "group/nuvla-admin"
+                                     :claims       ["group/nuvla-admin" "group/nuvla-anon" "group/nuvla-user"]}
+        authn-info-jane             {:user-id      "user/jane"
+                                     :active-claim "user/jane"
+                                     :claims       ["group/nuvla-anon" "user/jane" "group/nuvla-user"]}
+        authn-info-anon             {:user-id      "user/unknown"
+                                     :active-claim "user/unknown"
+                                     :claims       #{"user/unknown" "group/nuvla-anon"}}
+        admin-group-name            "Nuvla Administrator Group"]
 
     ;; admin/user query should succeed but be empty (no credentials created yet)
     (if (env/env :nuvla-super-password)
@@ -91,13 +101,25 @@
         (ltu/is-status 403))
 
     ;; creating a new credential without reference will fail for all types of users
-    (doseq [session [session-admin session-user session-anon]]
+    (doseq [[session event-owners authn-info]
+            [[session-admin ["group/nuvla-admin"] authn-info-admin]
+             [session-user ["group/nuvla-admin"] authn-info-jane]
+             [session-anon ["group/nuvla-admin"] authn-info-anon]]]
       (-> session
           (request base-uri
                    :request-method :post
                    :body (json/write-str create-import-no-href))
           (ltu/body->edn)
-          (ltu/is-status 400)))
+          (ltu/is-status 400))
+
+      (ltu/is-last-event nil
+                         {:name               "credential.add"
+                          :description        "credential.add attempt failed."
+                          :category           "add"
+                          :success            false
+                          :linked-identifiers []
+                          :authn-info         authn-info
+                          :acl                {:owners event-owners}}))
 
     ;; creating a new credential as anon will fail; expect 400 because href cannot be accessed
     (-> session-anon
@@ -123,6 +145,15 @@
       ;; resource id and the uri (location) should be the same
       (is (= id uri))
 
+      (ltu/is-last-event uri
+                         {:name               "credential.add"
+                          :description        (str "user/jane added credential " name-attr ".")
+                          :category           "add"
+                          :success            true
+                          :linked-identifiers []
+                          :authn-info         authn-info-jane
+                          :acl                {:owners ["group/nuvla-admin" "user/jane"]}})
+
       ;; the secret key must be returned as part of the 201 response
       (is secret-key)
 
@@ -155,7 +186,16 @@
           (request abs-uri
                    :request-method :delete)
           (ltu/body->edn)
-          (ltu/is-status 200)))
+          (ltu/is-status 200))
+
+      (ltu/is-last-event uri
+                         {:name               "credential.delete"
+                          :description        (str "user/jane deleted credential " name-attr ".")
+                          :category           "delete"
+                          :success            true
+                          :linked-identifiers []
+                          :authn-info         authn-info-jane
+                          :acl                {:owners ["group/nuvla-admin" "user/jane"]}}))
 
     ;; execute the same tests but now create an API key without an expiry date
     (let [resp       (-> session-user
@@ -236,7 +276,8 @@
                                                            (request abs-uri)
                                                            (ltu/body->edn)
                                                            (ltu/is-status 200)
-                                                           (ltu/body))]
+                                                           (ltu/body))
+            new-name-attr "UPDATED!"]
         (is digest)
         (is (key-utils/valid? secret-key digest))
         (is (nil? expiry))
@@ -249,7 +290,7 @@
                      :request-method :put
                      :body (json/write-str
                              (assoc current
-                               :name "UPDATED!"
+                               :name new-name-attr
                                :claims {:identity "super",
                                         :roles    ["group/nuvla-user" "group/nuvla-anon" "group/nuvla-admin"]})))
             (ltu/body->edn)
@@ -266,6 +307,15 @@
           (is (= (dissoc expected :updated) (dissoc reread :updated :updated-by)))
           (is (not= (:updated expected) (:updated reread))))
 
+        (ltu/is-last-event uri
+                           {:name               "credential.edit"
+                            :description        (str "user/jane edited credential " new-name-attr ".")
+                            :category           "edit"
+                            :success            true
+                            :linked-identifiers []
+                            :authn-info         authn-info-jane
+                            :acl                {:owners ["group/nuvla-admin" "user/jane"]}})
+
         ;; update the credential by changing the name attribute
         ;; claims are editable for super
         (-> session-admin
@@ -280,17 +330,27 @@
             (ltu/is-status 200))
 
         ;; verify that the attribute has been changed
-        (let [expected (assoc current :name "UPDATED by super!"
-                                      :claims {:identity "super",
-                                               :roles    ["group/nuvla-user" "group/nuvla-anon" "group/nuvla-admin"]})
-              reread   (-> session-admin
-                           (request abs-uri)
-                           (ltu/body->edn)
-                           (ltu/is-status 200)
-                           (ltu/body))]
+        (let [new-name-attr "UPDATED by super!"
+              expected      (assoc current :name new-name-attr
+                                           :claims {:identity "super",
+                                                    :roles    ["group/nuvla-user" "group/nuvla-anon" "group/nuvla-admin"]})
+              reread        (-> session-admin
+                                (request abs-uri)
+                                (ltu/body->edn)
+                                (ltu/is-status 200)
+                                (ltu/body))]
 
           (is (= (dissoc expected :updated) (dissoc reread :updated :updated-by)))
-          (is (not= (:updated expected) (:updated reread)))))
+          (is (not= (:updated expected) (:updated reread)))
+
+          (ltu/is-last-event uri
+                             {:name               "credential.edit"
+                              :description        (str admin-group-name " edited credential " new-name-attr ".")
+                              :category           "edit"
+                              :success            true
+                              :linked-identifiers []
+                              :authn-info         authn-info-admin
+                              :acl                {:owners ["group/nuvla-admin" "user/jane"]}})))
 
       ;; delete the credential
       (-> session-user