Add cartID and configRevision to policy audit log

PiperOrigin-RevId: 310603268
Change-Id: I3fc934468e83122fa50573a1cec596bec3dbfc00

lib/auditlog/auditlog.go

@@ -108,6 +108,10 @@ type PolicyDecisionLog struct {
 	PassAuthCheck bool
 	// ErrorType of deny.
 	ErrorType string
+	// CartID of request.
+	CartID string
+	// ConfigRevision the request using. Can use /config/history/{revision} to see the policy.
+	ConfigRevision int64
 	// Message of deny.
 	Message interface{}
 }
@@ -126,6 +130,8 @@ func WritePolicyDecisionLog(client *logging.Client, log *PolicyDecisionLog) {
 		"project_id":      serviceinfo.Project,
 		"service_type":    serviceinfo.Type,
 		"service_name":    serviceinfo.Name,
+		"cart_id":         log.CartID,
+		"config_revision": strconv.FormatInt(log.ConfigRevision, 10),
 	}
 
 	entry := logging.Entry{

lib/auditlog/auditlog_test.go

@@ -109,14 +109,16 @@ func TestWritePolicyDecisionLog(t *testing.T) {
 	serviceinfo.Name = "n1"
 
 	pl := &PolicyDecisionLog{
-		TokenID:       "tid",
-		TokenSubject:  "sub",
-		TokenIssuer:   "http://issuer.example.com",
-		Resource:      "http://example.com/dam/v1alpha/resources/a-dataset/roles/viewer",
-		TTL:           "1d",
-		PassAuthCheck: false,
-		ErrorType:     "untrusted_issuer",
-		Message:       `{"error": "This is a json err"}`,
+		TokenID:        "tid",
+		TokenSubject:   "sub",
+		TokenIssuer:    "http://issuer.example.com",
+		Resource:       "http://example.com/dam/v1alpha/resources/a-dataset/roles/viewer",
+		TTL:            "1d",
+		PassAuthCheck:  false,
+		ErrorType:      "untrusted_issuer",
+		CartID:         "cart_id",
+		ConfigRevision: 1,
+		Message:        `{"error": "This is a json err"}`,
 	}
 
 	WritePolicyDecisionLog(server.Client, pl)
@@ -139,6 +141,8 @@ func TestWritePolicyDecisionLog(t *testing.T) {
 				"project_id":      "p1",
 				"service_type":    "t1",
 				"service_name":    "n1",
+				"cart_id":         "cart_id",
+				"config_revision": "1",
 			},
 		}},
 	}}

lib/auditlogsapi/handler_test.go

@@ -67,14 +67,16 @@ func Test_AccessLog(t *testing.T) {
 	}
 	auditlog.WriteAccessLog(ctx, f.logger, al)
 	pl := &auditlog.PolicyDecisionLog{
-		TokenID:       "tid",
-		TokenSubject:  "sub",
-		TokenIssuer:   "http://issuer.example.com",
-		Resource:      "http://example.com/dam/v1alpha/resources/a-dataset/roles/viewer",
-		TTL:           "1d",
-		PassAuthCheck: false,
-		ErrorType:     "untrusted_issuer",
-		Message:       `{"error": "This is a json err"}`,
+		TokenID:        "tid",
+		TokenSubject:   "sub",
+		TokenIssuer:    "http://issuer.example.com",
+		Resource:       "http://example.com/dam/v1alpha/resources/a-dataset/roles/viewer",
+		TTL:            "1d",
+		PassAuthCheck:  false,
+		ErrorType:      "untrusted_issuer",
+		CartID:         "cart_id",
+		ConfigRevision: 0,
+		Message:        `{"error": "This is a json err"}`,
 	}
 	auditlog.WritePolicyDecisionLog(f.logger, pl)
 	after := time.Now()
@@ -141,16 +143,18 @@ func Test_AccessLog(t *testing.T) {
 			{
 				Name: "users/sub@http:%2F%2Fissuer.example.com/auditlogs/",
 				PolicyLog: &apb.PolicyLog{
-					ServiceName:  "unset-serviceinfo-Name",
-					ServiceType:  "unset-serviceinfo-Type",
-					TokenId:      "tid",
-					TokenSubject: "sub",
-					TokenIssuer:  "http://issuer.example.com",
-					Decision:     apb.Decision_FAIL,
-					ErrorType:    "untrusted_issuer",
-					Reason:       `{"error": "This is a json err"}`,
-					ResourceName: "http://example.com/dam/v1alpha/resources/a-dataset/roles/viewer",
-					Ttl:          &dpb.Duration{Seconds: 86400},
+					ServiceName:    "unset-serviceinfo-Name",
+					ServiceType:    "unset-serviceinfo-Type",
+					TokenId:        "tid",
+					TokenSubject:   "sub",
+					TokenIssuer:    "http://issuer.example.com",
+					Decision:       apb.Decision_FAIL,
+					ErrorType:      "untrusted_issuer",
+					Reason:         `{"error": "This is a json err"}`,
+					ResourceName:   "http://example.com/dam/v1alpha/resources/a-dataset/roles/viewer",
+					Ttl:            &dpb.Duration{Seconds: 86400},
+					CartId:         "cart_id",
+					ConfigRevision: "0",
 				},
 			},
 		},

lib/auditlogsapi/translation.go

@@ -125,6 +125,9 @@ func ToPolicyLog(e *lepb.LogEntry) (*apb.AuditLog, error) {
 
 		ResourceName: labels["resource"],
 		Ttl:          timeutil.DurationProto(ttl),
+
+		CartId:        labels["cart_id"],
+		ConfigRevision: labels["config_revision"],
 	}
 	return &apb.AuditLog{Name: name, PolicyLog: l}, nil
 }

lib/dam/dam_test.go

@@ -1750,6 +1750,8 @@ func TestLoggedIn_Hydra_Success_Log(t *testing.T) {
 			"project_id":      "p1",
 			"service_type":    "t1",
 			"service_name":    "n1",
+			"cart_id":         "ls-1234",
+			"config_revision":  "1",
 		},
 	}
 

lib/dam/token_flow.go

@@ -442,14 +442,16 @@ func resourceToString(res *pb.ResourceTokenRequestState_Resource) string {
 	return fmt.Sprintf("%s/%s/%s/%s", res.Realm, res.Resource, res.View, res.Role)
 }
 
-func writePolicyDeccisionLog(logger *logging.Client, id *ga4gh.Identity, res *pb.ResourceTokenRequestState_Resource, ttl time.Duration, err error) {
+func writePolicyDeccisionLog(logger *logging.Client, id *ga4gh.Identity, res *pb.ResourceTokenRequestState_Resource, ttl time.Duration, cartID string, cfgRevision int64, err error) {
 	log := &auditlog.PolicyDecisionLog{
-		TokenID:       id.ID,
-		TokenSubject:  id.Subject,
-		TokenIssuer:   id.Issuer,
-		Resource:      resourceToString(res),
-		TTL:           timeutil.TTLString(ttl),
-		PassAuthCheck: true,
+		TokenID:        id.ID,
+		TokenSubject:   id.Subject,
+		TokenIssuer:    id.Issuer,
+		Resource:       resourceToString(res),
+		TTL:            timeutil.TTLString(ttl),
+		PassAuthCheck:  true,
+		CartID:         cartID,
+		ConfigRevision: cfgRevision,
 	}
 
 	if err != nil {
@@ -479,7 +481,7 @@ func (s *Service) loggedInForDatasetToken(ctx context.Context, id *ga4gh.Identit
 		}
 
 		err := checkAuthorization(ctx, id, ttl, r.Resource, r.View, r.Role, cfg, state.ClientId, s.ValidateCfgOpts(realm, tx))
-		writePolicyDeccisionLog(s.logger, id, r, ttl, err)
+		writePolicyDeccisionLog(s.logger, id, r, ttl, stateID, cfg.Revision, err)
 		if err != nil {
 			return nil, err
 		}

proto/auditlogs/v0/auditlogs.proto

@@ -106,6 +106,11 @@ message PolicyLog {
   // TokenIssuer is the iss of the token.
   string token_issuer = 5;
 
+  // CartId of the request.
+  string cart_id = 12;
+  // ConfigRevision that the request using.
+  string config_revision = 13;
+
   // Decission if the request pass the auth checker.
   Decision decision = 6;
   // ErrorType of deny.