Skip to content

Add audit log #487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
May 27, 2025
Merged

Add audit log #487

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
58151c8
Add audit log in admin - v1
abuabraham-ttd May 21, 2025
f6cd0fd
Add audit log in admin - v1
abuabraham-ttd May 21, 2025
a896f1f
Add audit log in admin -test
abuabraham-ttd May 22, 2025
f07aa9f
[CI Pipeline] Released Snapshot version: 5.23.13-alpha-168-SNAPSHOT
May 22, 2025
f5b32a2
Add tests
abuabraham-ttd May 27, 2025
9b8ab69
use new shared
abuabraham-ttd May 27, 2025
24008ca
revert and try
abuabraham-ttd May 27, 2025
f4d9484
merge main
abuabraham-ttd May 27, 2025
cf1c808
Add scope test
abuabraham-ttd May 27, 2025
889d2a3
Add scope test
abuabraham-ttd May 27, 2025
51611f3
Add scope test
abuabraham-ttd May 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
<!-- check micrometer.version vertx-micrometer-metrics consumes before bumping up -->
<micrometer.version>1.12.2</micrometer.version>
<junit-jupiter.version>5.11.2</junit-jupiter.version>
<uid2-shared.version>9.2.0</uid2-shared.version>
<uid2-shared.version>9.4.11</uid2-shared.version>
<okta-jwt.version>0.5.10</okta-jwt.version>
<image.version>${project.version}</image.version>
</properties>
Expand Down
31 changes: 29 additions & 2 deletions src/main/java/com/uid2/admin/auth/AdminAuthMiddleware.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@
import io.vertx.ext.web.RoutingContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.uid2.shared.audit.AuditParams;
import com.uid2.shared.audit.Audit;

import java.util.*;

Expand All @@ -17,6 +19,7 @@ public class AdminAuthMiddleware {
private final AuthProvider authProvider;
private final String environment;
private final boolean isAuthDisabled;
private final Audit audit;

final Map<Role, List<OktaGroup>> roleToOktaGroups = new EnumMap<>(Role.class);
public AdminAuthMiddleware(AuthProvider authProvider, JsonObject config) {
Expand All @@ -26,6 +29,7 @@ public AdminAuthMiddleware(AuthProvider authProvider, JsonObject config) {
roleToOktaGroups.put(Role.MAINTAINER, parseOktaGroups(config.getString(AdminConst.ROLE_OKTA_GROUP_MAP_MAINTAINER)));
roleToOktaGroups.put(Role.PRIVILEGED, parseOktaGroups(config.getString(AdminConst.ROLE_OKTA_GROUP_MAP_PRIVILEGED)));
roleToOktaGroups.put(Role.SUPER_USER, parseOktaGroups(config.getString(AdminConst.ROLE_OKTA_GROUP_MAP_SUPER_USER)));
this.audit = new Audit(AdminAuthMiddleware.class.getPackage().getName());
}

private List<OktaGroup> parseOktaGroups(final String oktaGroups) {
Expand All @@ -40,15 +44,29 @@ private List<OktaGroup> parseOktaGroups(final String oktaGroups) {
return allOktaGroups;
}

public Handler<RoutingContext> handle(Handler<RoutingContext> handler, Role... roles) {
public Handler<RoutingContext> handle(Handler<RoutingContext> handler, AuditParams params, Role... roles) {
if (isAuthDisabled) return handler;
if (roles == null || roles.length == 0) {
throw new IllegalArgumentException("must specify at least one role");
}
AdminAuthHandler adminAuthHandler = new AdminAuthHandler(handler, authProvider, Set.of(roles), environment, roleToOktaGroups);
Handler<RoutingContext> loggedHandler = logAndHandle(handler, params);
AdminAuthHandler adminAuthHandler = new AdminAuthHandler(loggedHandler, authProvider, Set.of(roles),
environment, roleToOktaGroups);
return adminAuthHandler::handle;
}

public Handler<RoutingContext> handle(Handler<RoutingContext> handler, Role... roles) {
return this.handle(handler, new AuditParams(), roles);
}


private Handler<RoutingContext> logAndHandle(Handler<RoutingContext> handler, AuditParams params) {
return ctx -> {
ctx.addBodyEndHandler(v -> this.audit.log(ctx, params));
handler.handle(ctx);
};
}

private static class AdminAuthHandler {
private final String environment;
private final Handler<RoutingContext> innerHandler;
Expand Down Expand Up @@ -133,6 +151,10 @@ private void validateAccessToken(RoutingContext rc, String accessToken) {
return;
}
List<String> scopes = (List<String>) jwt.getClaims().get("scp");
JsonObject serviceAccountDetails = new JsonObject();
serviceAccountDetails.put("scope", scopes);
serviceAccountDetails.put("client_id", jwt.getClaims().get("client_id"));
rc.put("userDetails", serviceAccountDetails);
if(isAuthorizedService(scopes)) {
innerHandler.handle(rc);
} else {
Expand All @@ -154,6 +176,11 @@ private void validateIdToken(RoutingContext rc, String idToken) {
return;
}
List<String> groups = (List<String>) jwt.getClaims().get("groups");
JsonObject userDetails = new JsonObject();
userDetails.put("groups", groups);
userDetails.put("email", jwt.getClaims().get("email"));
userDetails.put("sub", jwt.getClaims().get("sub"));
rc.put("userDetails", userDetails);
if(isAuthorizedUser(groups)) {
innerHandler.handle(rc);
} else {
Expand Down
41 changes: 33 additions & 8 deletions src/test/java/com/uid2/admin/auth/AdminAuthMiddlewareTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import io.vertx.core.Handler;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.HttpServerResponse;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.web.RoutingContext;
Expand All @@ -22,10 +23,11 @@
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;

import java.util.List;
import java.util.Map;
import java.util.*;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
Expand Down Expand Up @@ -67,6 +69,20 @@ public void setup() {
when(rc.response()).thenReturn(response);
when(rc.session()).thenReturn(session);

Map<String, Object> contextData = new HashMap<>();

when(rc.put(anyString(), any())).thenAnswer(invocation -> {
String key = invocation.getArgument(0);
Object value = invocation.getArgument(1);
contextData.put(key, value);
return rc; // Return rc for chaining
});

when(rc.get(anyString())).thenAnswer(invocation -> {
String key = invocation.getArgument(0);
return contextData.get(key);
});

when(response.setStatusCode(anyInt())).thenReturn(response);
when(response.putHeader(anyString(), anyString())).thenReturn(response);
}
Expand Down Expand Up @@ -151,7 +167,7 @@ public void testIdToken_GoodTokenUnauthorized() throws JwtVerificationException
handler.handle(rc);

verify(idTokenVerifier).decode(eq("testIdToken"), any());
verify(jwt, times(3)).getClaims();
verify(jwt, times(5)).getClaims();
verifyUnauthorized(false);
}

Expand All @@ -173,7 +189,7 @@ public void testIdToken_GoodTokenRealRoleUnauthorized(List<String> userOktaGroup
handler.handle(rc);

verify(idTokenVerifier).decode(eq("testIdToken"), any());
verify(jwt, times(3)).getClaims();
verify(jwt, times(5)).getClaims();
verifyUnauthorized(false);
}

Expand All @@ -197,9 +213,13 @@ public void testIdToken_GoodTokenAuthorized(List<String> userOktaGroups, Role...

Handler<RoutingContext> handler = adminAuthMiddleware.handle(innerHandler, endpointRoles);
handler.handle(rc);

JsonObject userDetails = rc.get("userDetails");
Set<String> groups = userDetails.getJsonArray("groups").stream()
.map(Object::toString)
.collect(Collectors.toSet());
assertEquals(new HashSet<>(userOktaGroups), groups);
verify(idTokenVerifier).decode(eq("testIdToken"), any());
verify(jwt, times(3)).getClaims();
verify(jwt, times(5)).getClaims();
verify(innerHandler).handle(eq(rc));
}

Expand Down Expand Up @@ -251,7 +271,7 @@ public void testAccessToken_GoodTokenUnauthorized(String customOktaScope, Role..
handler.handle(rc);

verify(accessTokenVerifier).decode(eq("testAccessToken"));
verify(jwt, times(3)).getClaims();
verify(jwt, times(4)).getClaims();
verifyUnauthorized(false);
}

Expand All @@ -272,9 +292,14 @@ public void testAccessToken_GoodTokenAuthorized(OktaCustomScope scope, Role allo

Handler<RoutingContext> handler = adminAuthMiddleware.handle(innerHandler, allowedRole);
handler.handle(rc);
JsonObject userDetails = rc.get("userDetails");
Set<String> scopes = userDetails.getJsonArray("scope").stream()
.map(Object::toString)
.collect(Collectors.toSet());
assertEquals(Set.of(scope.getName()), scopes);

verify(accessTokenVerifier).decode(eq("testAccessToken"));
verify(jwt, times(3)).getClaims();
verify(jwt, times(4)).getClaims();
verify(innerHandler).handle(eq(rc));
}
}