
Auth-related tests for audit logging (#8790)

This commit is contained in:
Dan Larkin-York 2019-04-18 04:45:41 -04:00 committed by Jan
parent 6eb986825e
commit 48fb15e94f
11 changed files with 14 additions and 20 deletions


@ -38,5 +38,5 @@ By default, the server will log all audit events. Some low-priority events, such
as statistics operations, are logged with the `debug` log level. To keep such
events from cluttering the log, set the appropriate topic to `info`. All other
messages will be logged at the `info` level. Audit topics include
`audit-authentication`, `audit-collection`, `audit-database`, `audit-document`,
`audit-service`, and `audit-view`.
`audit-authentication`, `audit-authorization`, `audit-collection`,
`audit-database`, `audit-document`, `audit-service`, and `audit-view`.


@ -30,12 +30,6 @@ Authentication
Please note, that the user given as fourth part is the user that requested
the login. In general it will be unavailable.
### Password change required
```
2016-10-03 16:18:53 | server1 | audit-authentication | user1 | database1 | 127.0.0.1:62257 | http basic | password change required | /_api/version
```
### JWT login succeeded
```
@ -60,7 +54,7 @@ Authorization
### User not authorized to access database
```
2016-10-03 16:20:52 | server1 | audit-authentication | user1 | database2 | 127.0.0.1:62262 | http basic | not authorized | /_api/version
2016-10-03 16:20:52 | server1 | audit-authorization | user1 | database2 | 127.0.0.1:62262 | http basic | not authorized | /_api/version
```
Databases


@ -222,6 +222,9 @@ One of the possible log levels.
@RESTBODYPARAM{audit-authentication,string,optional,string}
One of the possible log levels.
@RESTBODYPARAM{audit-authorization,string,optional,string}
One of the possible log levels.
@RESTBODYPARAM{audit-database,string,optional,string}
One of the possible log levels.


@ -29,7 +29,6 @@ void CredentialsMissing(GeneralRequest const&) {}
void LoggedIn(GeneralRequest const&, std::string const& username) {}
void CredentialsBad(GeneralRequest const&, std::string const& username) {}
void CredentialsBad(GeneralRequest const&, rest::AuthenticationMethod) {}
void PasswordChangeRequired(GeneralRequest const&) {}
void Authenticated(GeneralRequest const&, rest::AuthenticationMethod) {}
void NotAuthorized(GeneralRequest const&) {}
void CreateCollection(std::string const& db, std::string const& name, int result) {}


@ -42,7 +42,6 @@ void CredentialsMissing(GeneralRequest const&);
void LoggedIn(GeneralRequest const&, std::string const& username);
void CredentialsBad(GeneralRequest const&, std::string const& username);
void CredentialsBad(GeneralRequest const&, rest::AuthenticationMethod);
void PasswordChangeRequired(GeneralRequest const&);
void Authenticated(GeneralRequest const&, rest::AuthenticationMethod);
void NotAuthorized(GeneralRequest const&);
void CreateCollection(std::string const& db, std::string const& name, int result);


@ -69,11 +69,17 @@ function auditLog(onServer) {
};
options.auditLoggingEnabled = true;
const serverOptions = {
'server.authentication': 'true',
'server.jwt-secret': 'haxxmann',
'log.level': 'audit-authentication=info',
};
print(CYAN + 'Audit log server tests...' + RESET);
let testCases = tu.scanTestPaths(testPaths['audit_' + (onServer ? 'server' : 'client')]);
return tu.performTests(options, testCases, 'audit', onServer ? tu.runThere : tu.runInArangosh);
return tu.performTests(options, testCases, 'audit', onServer ? tu.runThere : tu.runInArangosh, serverOptions);
};
}
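Review bot: The new `serverOptions` object in auditLog hard-codes a JWT secret and raises exactly one log topic without recording why, so the reason has to be reconstructed from Logger.cpp. That file, in this same commit, declares `audit-authentication` at DEBUG while the new `audit-authorization` topic is INFO, so the `'log.level': 'audit-authentication=info'` entry appears to be what makes the authentication events visible to these tests; I would put `// audit-authentication defaults to DEBUG; raise it so the events under test are written` above that line. The secret is a fixed credential for the spawned test server, and `// test-only JWT secret for the spawned server` above `'server.jwt-secret'` makes that explicit for anyone who later copies the block. auditLog's body begins outside the hunk.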


@ -239,7 +239,6 @@
"ERROR_USER_INVALID_PASSWORD" : { "code" : 1701, "message" : "invalid password" },
"ERROR_USER_DUPLICATE" : { "code" : 1702, "message" : "duplicate user" },
"ERROR_USER_NOT_FOUND" : { "code" : 1703, "message" : "user not found" },
"ERROR_USER_CHANGE_PASSWORD" : { "code" : 1704, "message" : "user must change his password" },
"ERROR_USER_EXTERNAL" : { "code" : 1705, "message" : "user is external" },
"ERROR_SERVICE_INVALID_NAME" : { "code" : 1750, "message" : "invalid service name" },
"ERROR_SERVICE_INVALID_MOUNT" : { "code" : 1751, "message" : "invalid mount" },


@ -308,7 +308,6 @@ ERROR_USER_INVALID_NAME,1700,"invalid user name","Will be raised when an invalid
ERROR_USER_INVALID_PASSWORD,1701,"invalid password","Will be raised when an invalid password is used."
ERROR_USER_DUPLICATE,1702,"duplicate user","Will be raised when a user name already exists."
ERROR_USER_NOT_FOUND,1703,"user not found","Will be raised when a user name is updated that does not exist."
ERROR_USER_CHANGE_PASSWORD,1704,"user must change his password","Will be raised when the user must change his password."
ERROR_USER_EXTERNAL,1705,"user is external","Will be raised when the user is authenicated by an external server."
###############################################################################


@ -238,7 +238,6 @@ void TRI_InitializeErrorMessages() {
REG_ERROR(ERROR_USER_INVALID_PASSWORD, "invalid password");
REG_ERROR(ERROR_USER_DUPLICATE, "duplicate user");
REG_ERROR(ERROR_USER_NOT_FOUND, "user not found");
REG_ERROR(ERROR_USER_CHANGE_PASSWORD, "user must change his password");
REG_ERROR(ERROR_USER_EXTERNAL, "user is external");
REG_ERROR(ERROR_SERVICE_INVALID_NAME, "invalid service name");
REG_ERROR(ERROR_SERVICE_INVALID_MOUNT, "invalid mount");


@ -1276,11 +1276,6 @@ constexpr int TRI_ERROR_USER_DUPLICATE
/// Will be raised when a user name is updated that does not exist.
constexpr int TRI_ERROR_USER_NOT_FOUND = 1703;
/// 1704: ERROR_USER_CHANGE_PASSWORD
/// "user must change his password"
/// Will be raised when the user must change his password.
constexpr int TRI_ERROR_USER_CHANGE_PASSWORD = 1704;
/// 1705: ERROR_USER_EXTERNAL
/// "user is external"
/// Will be raised when the user is authenicated by an external server.


@ -147,6 +147,7 @@ LogTopic Logger::VIEWS("views", LogLevel::FATAL);
LogTopic LdapFeature::LDAP("ldap", LogLevel::INFO);
LogTopic AuditFeature::AUDIT_AUTHENTICATION("audit-authentication", LogLevel::DEBUG);
LogTopic AuditFeature::AUDIT_AUTHORIZATION("audit-authorization", LogLevel::INFO);
LogTopic AuditFeature::AUDIT_DATABASE("audit-database", LogLevel::INFO);
LogTopic AuditFeature::AUDIT_COLLECTION("audit-collection", LogLevel::INFO);
LogTopic AuditFeature::AUDIT_VIEW("audit-view", LogLevel::INFO);
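Review bot: `AUDIT_AUTHORIZATION` is introduced at `LogLevel::INFO` directly below `AUDIT_AUTHENTICATION`, which stays at `LogLevel::DEBUG`, and nothing in the hunk records why the two auth-related topics get different default visibility. The documentation changed in this commit describes `debug` as the level for low-priority events, so a reader may well ask whether failed authentications are meant to be in that bucket while authorization denials are not, and the audit test options in this commit have to raise `audit-authentication` explicitly to see its events. A one-line comment above the new line, such as `// authorization denials are visible at the default level; audit-authentication stays at DEBUG and must be raised explicitly`, would record the decision where it is made. If the split is intentional, the per-topic defaults would also be worth a sentence in the documentation hunk that lists the audit topics.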