keep track of request entries in the role audit log (#2782)

Signed-off-by: Henry Avetisyan <[email protected]>
AthenZ · Oct 25, 2024 · 51de9a6 · 51de9a6
1 parent a1478eb
commit 51de9a6
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 11 deletions.
diff --git a/...server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCConnection.java b/...server_common/src/main/java/com/yahoo/athenz/common/server/store/impl/JDBCConnection.java
@@ -49,6 +49,11 @@ public class JDBCConnection implements ObjectStoreConnection {
     private static final String MYSQL_EXC_STATE_DEADLOCK   = "40001";
     private static final String MYSQL_EXC_STATE_COMM_ERROR = "08S01";
 
+    private static final String AUDIT_OPERATION_APPROVE = "APPROVE";
+    private static final String AUDIT_OPERATION_ADD     = "ADD";
+    private static final String AUDIT_OPERATION_UPDATE  = "UPDATE";
+    private static final String AUDIT_OPERATION_REQUEST = "REQUEST";
+
     private static final String SQL_TABLE_DOMAIN = "domain";
     private static final String SQL_TABLE_ROLE = "role";
     private static final String SQL_TABLE_ROLE_MEMBER = "role_member";
@@ -2666,7 +2671,7 @@ public boolean insertRoleMember(String domainName, String roleName, RoleMember r
         boolean result;
         if (pendingRequest) {
             result = insertPendingRoleMember(roleId, principalId, roleMember, admin,
-                    auditRef, roleMemberExists, caller);
+                    principal, auditRef, roleMemberExists, caller);
         } else {
             result = insertStandardRoleMember(roleId, principalId, roleMember, admin,
                     principal, auditRef, roleMemberExists, false, caller);
@@ -2675,7 +2680,8 @@ public boolean insertRoleMember(String domainName, String roleName, RoleMember r
     }
 
     boolean insertPendingRoleMember(int roleId, int principalId, RoleMember roleMember,
-            final String admin, final String auditRef, boolean roleMemberExists, final String caller) throws ServerResourceException {
+            final String admin, final String principal, final String auditRef, boolean roleMemberExists,
+            final String caller) throws ServerResourceException {
 
         java.sql.Timestamp expiration = roleMember.getExpiration() == null ? null :
                 new java.sql.Timestamp(roleMember.getExpiration().millis());
@@ -2713,7 +2719,15 @@ boolean insertPendingRoleMember(int roleId, int principalId, RoleMember roleMemb
             }
         }
 
-        return (affectedRows > 0);
+        // add audit log entry for this change if the operation was successful
+        // add return the result of the audit log insert operation
+
+        boolean result = affectedRows > 0;
+        if (result) {
+            result = insertRoleAuditLog(roleId, admin, principal, AUDIT_OPERATION_REQUEST, auditRef);
+        }
+
+        return result;
     }
 
     boolean insertStandardRoleMember(int roleId, int principalId, RoleMember roleMember,
@@ -2743,7 +2757,7 @@ boolean insertStandardRoleMember(int roleId, int principalId, RoleMember roleMem
             } catch (SQLException ex) {
                 throw sqlError(ex, caller);
             }
-            auditOperation = approveRequest ? "APPROVE" : "UPDATE";
+            auditOperation = approveRequest ? AUDIT_OPERATION_APPROVE : AUDIT_OPERATION_UPDATE;
             result = true;
 
         } else {
@@ -2762,7 +2776,7 @@ boolean insertStandardRoleMember(int roleId, int principalId, RoleMember roleMem
                 throw sqlError(ex, caller);
             }
 
-            auditOperation = approveRequest ? "APPROVE" : "ADD";
+            auditOperation = approveRequest ? AUDIT_OPERATION_APPROVE : AUDIT_OPERATION_ADD;
             result = (affectedRows > 0);
         }
 
@@ -6605,7 +6619,7 @@ boolean insertStandardGroupMember(int groupId, int principalId, GroupMember grou
             } catch (SQLException ex) {
                 throw sqlError(ex, caller);
             }
-            auditOperation = approveRequest ? "APPROVE" : "UPDATE";
+            auditOperation = approveRequest ? AUDIT_OPERATION_APPROVE : AUDIT_OPERATION_UPDATE;
             result = true;
 
         } else {
@@ -6623,7 +6637,7 @@ boolean insertStandardGroupMember(int groupId, int principalId, GroupMember grou
                 throw sqlError(ex, caller);
             }
 
-            auditOperation = approveRequest ? "APPROVE" : "ADD";
+            auditOperation = approveRequest ? AUDIT_OPERATION_APPROVE : AUDIT_OPERATION_ADD;
             result = (affectedRows > 0);
         }
 

diff --git a/...er_common/src/test/java/com/yahoo/athenz/common/server/store/impl/JDBCConnectionTest.java b/...er_common/src/test/java/com/yahoo/athenz/common/server/store/impl/JDBCConnectionTest.java
@@ -2408,10 +2408,16 @@ public void testInsertPendingRoleMember() throws Exception {
 
         Mockito.verify(mockPrepStmt, times(1)).setString(1, "user.user1");
 
-        // additional operation to check for roleMember exist using roleID and principal ID.
-        Mockito.verify(mockPrepStmt, times(2)).setInt(1, 7);
+        // additional operation to check for roleMember exist using roleID and principal ID
+        // and audit log entry
+        Mockito.verify(mockPrepStmt, times(3)).setInt(1, 7);
         Mockito.verify(mockPrepStmt, times(2)).setInt(2, 9);
 
+        Mockito.verify(mockPrepStmt, times(1)).setString(2, "user.admin");
+        Mockito.verify(mockPrepStmt, times(1)).setString(3, "user.user1");
+        Mockito.verify(mockPrepStmt, times(1)).setString(4, "REQUEST");
+        Mockito.verify(mockPrepStmt, times(2)).setString(5, "audit-ref");
+
         assertTrue(requestSuccess);
         jdbcConn.close();
     }
@@ -2474,7 +2480,7 @@ public void testInsertPendingRoleMemberUpdate() throws Exception {
                         .setExpiration(Timestamp.fromMillis(now))
                         .setReviewReminder(Timestamp.fromMillis(now))
                         .setPendingState("ADD"),
-                "user.admin", "audit-ref");
+                        "user.admin", "audit-ref");
 
         // this is combined for all operations above
 
@@ -2493,9 +2499,14 @@ public void testInsertPendingRoleMemberUpdate() throws Exception {
         Mockito.verify(mockPrepStmt, times(1)).setInt(6, 9);
 
         // operation to check for roleMember exist using roleID and principal ID.
-        Mockito.verify(mockPrepStmt, times(1)).setInt(1, 7);
+        Mockito.verify(mockPrepStmt, times(2)).setInt(1, 7);
         Mockito.verify(mockPrepStmt, times(1)).setInt(2, 9);
 
+        Mockito.verify(mockPrepStmt, times(1)).setString(2, "user.admin");
+        Mockito.verify(mockPrepStmt, times(1)).setString(3, "user.user1");
+        Mockito.verify(mockPrepStmt, times(1)).setString(4, "REQUEST");
+        Mockito.verify(mockPrepStmt, times(1)).setString(5, "audit-ref");
+
         assertTrue(requestSuccess);
         jdbcConn.close();
     }