Add extra metadata to the join_token.create audit event (#47766)
Include the [potentially redacted] token name, expiry, and the
name of the user who performed the create/update operation.

Closes #44017
zmb3 authored Oct 21, 2024
1 parent 2837295 commit e909569
Showing 2 changed files with 30 additions and 10 deletions.
20 changes: 10 additions & 10 deletions lib/auth/auth_with_roles.go
@@ -2137,21 +2137,22 @@ func enforceEnterpriseJoinMethodCreation(token types.ProvisionToken) error {

// emitTokenEvent is called by Create/Upsert Token in order to emit any relevant
// events.
func emitTokenEvent(
ctx context.Context,
e apievents.Emitter,
roles types.SystemRoles,
joinMethod types.JoinMethod,
func emitTokenEvent(ctx context.Context, e apievents.Emitter, token types.ProvisionToken,
) {
userMetadata := authz.ClientUserMetadata(ctx)
if err := e.EmitAuditEvent(ctx, &apievents.ProvisionTokenCreate{
Metadata: apievents.Metadata{
Type: events.ProvisionTokenCreateEvent,
Code: events.ProvisionTokenCreateCode,
},
ResourceMetadata: apievents.ResourceMetadata{
Name: token.GetSafeName(),
Expires: token.Expiry(),
UpdatedBy: userMetadata.GetUser(),
},
UserMetadata: userMetadata,
Roles: roles,
JoinMethod: joinMethod,
Roles: token.GetRoles(),
JoinMethod: token.GetJoinMethod(),
}); err != nil {
log.WithError(err).Warn("Failed to emit join token create event.")
}
@@ -2175,12 +2176,11 @@ func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.Provision
return trace.Wrap(err)
}

emitTokenEvent(ctx, a.authServer.emitter, token.GetRoles(), token.GetJoinMethod())
emitTokenEvent(ctx, a.authServer.emitter, token)
return nil
}

func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error {
jm := token.GetJoinMethod()
if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbCreate); err != nil {
return trace.Wrap(err)
}
@@ -2197,7 +2197,7 @@ func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.Provision
return trace.Wrap(err)
}

emitTokenEvent(ctx, a.authServer.emitter, token.GetRoles(), jm)
emitTokenEvent(ctx, a.authServer.emitter, token)
return nil
}

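Review bot: The new signature at the top of the first hunk keeps the multi-line closing form, `token types.ProvisionToken,` followed by `) {` on its own line, which gofmt tolerates but reads like a leftover of the old one-parameter-per-line layout; now that the parameters fit on one line, write `func emitTokenEvent(ctx context.Context, e apievents.Emitter, token types.ProvisionToken) {`. The doc comment above it should also record why the event uses `token.GetSafeName()` rather than the raw name, since the masked values the accompanying tests expect suggest the name can itself be a join secret; something like `// The resource name comes from GetSafeName so that a token whose name doubles as the join secret is redacted in the audit log; do not substitute GetName here.` would keep a later change from leaking it. Both callers in the later hunks pass the token straight through, so that doc comment is the only place the contract is visible.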
20 changes: 20 additions & 0 deletions lib/auth/tls_test.go
@@ -4303,6 +4303,10 @@ func TestGRPCServer_CreateTokenV2(t *testing.T) {
Type: events.ProvisionTokenCreateEvent,
Code: events.ProvisionTokenCreateCode,
},
ResourceMetadata: eventtypes.ResourceMetadata{
Name: "*******",
UpdatedBy: "token-creator",
},
UserMetadata: eventtypes.UserMetadata{
User: "token-creator",
UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4332,6 +4336,10 @@ func TestGRPCServer_CreateTokenV2(t *testing.T) {
Type: events.ProvisionTokenCreateEvent,
Code: events.ProvisionTokenCreateCode,
},
ResourceMetadata: eventtypes.ResourceMetadata{
Name: "*****************luster",
UpdatedBy: "token-creator",
},
UserMetadata: eventtypes.UserMetadata{
User: "token-creator",
UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4454,6 +4462,10 @@ func TestGRPCServer_UpsertTokenV2(t *testing.T) {
Type: events.ProvisionTokenCreateEvent,
Code: events.ProvisionTokenCreateCode,
},
ResourceMetadata: eventtypes.ResourceMetadata{
Name: "*******",
UpdatedBy: "token-upserter",
},
UserMetadata: eventtypes.UserMetadata{
User: "token-upserter",
UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4483,6 +4495,10 @@ func TestGRPCServer_UpsertTokenV2(t *testing.T) {
Type: events.ProvisionTokenCreateEvent,
Code: events.ProvisionTokenCreateCode,
},
ResourceMetadata: eventtypes.ResourceMetadata{
Name: "*****************luster",
UpdatedBy: "token-upserter",
},
UserMetadata: eventtypes.UserMetadata{
User: "token-upserter",
UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4514,6 +4530,10 @@ func TestGRPCServer_UpsertTokenV2(t *testing.T) {
Type: events.ProvisionTokenCreateEvent,
Code: events.ProvisionTokenCreateCode,
},
ResourceMetadata: eventtypes.ResourceMetadata{
Name: "**************",
UpdatedBy: "token-upserter",
},
UserMetadata: eventtypes.UserMetadata{
User: "token-upserter",
UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
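Review bot: None of the expected ResourceMetadata literals in these five hunks set Expires, although the production change now fills it from token.Expiry(); presumably the test tokens carry no expiry or the comparison ignores that field, but either way the new field is not exercised. Consider giving one token in each test a fixed expiry and adding `Expires: <that fixed time>` to its expected event so a regression in the Expires plumbing is caught. The hard-coded masked names such as `"*****************luster"` also pin the exact redaction format of GetSafeName, so a change to that helper will require updating these assertions in lockstep; a short comment on the first one saying the value is the redacted form of the token name would make that coupling explicit. TestGRPCServer_CreateTokenV2 and TestGRPCServer_UpsertTokenV2 both begin and end outside the hunks shown.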
