From 8263ad9d5f314b5c4367762350b7372e037303dd Mon Sep 17 00:00:00 2001 From: Christian Schaible Date: Mon, 7 Oct 2024 07:19:15 +0200 Subject: [PATCH] Reject event type data-access as it is currently not supported by downstream services. --- audit/api/api_common.go | 3 +++ audit/api/api_legacy.go | 7 +++++ audit/api/api_legacy_dynamic.go | 7 +++++ audit/api/api_legacy_dynamic_test.go | 38 ++++++++++++++++++++++++++++ audit/api/api_legacy_test.go | 37 +++++++++++++++++++++++++++ audit/api/api_mock.go | 7 +++++ audit/api/api_mock_test.go | 11 ++++++++ audit/api/api_routable.go | 7 +++++ audit/api/api_routable_test.go | 27 ++++++++++++++++++++ 9 files changed, 144 insertions(+) diff --git a/audit/api/api_common.go b/audit/api/api_common.go index 18a1f55..f7754fc 100644 --- a/audit/api/api_common.go +++ b/audit/api/api_common.go @@ -59,6 +59,9 @@ var ErrMessagingApiNil = errors.New("messaging api nil") // ErrCloudEventNil states that the given cloud event is nil var ErrCloudEventNil = errors.New("cloud event nil") +// ErrUnsupportedEventTypeDataAccess states that the event type "data-access" is currently not supported +var ErrUnsupportedEventTypeDataAccess = errors.New("unsupported event type data access") + func validateAndSerializePartially( validator *ProtobufValidator, event *auditV1.AuditLogEntry, diff --git a/audit/api/api_legacy.go b/audit/api/api_legacy.go index 00ab816..aeebe72 100644 --- a/audit/api/api_legacy.go +++ b/audit/api/api_legacy.go @@ -5,6 +5,7 @@ import ( "dev.azure.com/schwarzit/schwarzit.stackit-core-platform/audit-go.git/audit/messaging" auditV1 "dev.azure.com/schwarzit/schwarzit.stackit-core-platform/audit-go.git/gen/go/audit/v1" "errors" + "strings" "google.golang.org/protobuf/proto" ) @@ -119,6 +120,12 @@ func (a *LegacyAuditApi) ValidateAndSerializeWithTrace( return nil, err } + // Reject event type data-access as the downstream services + // cannot handle it at the moment + if strings.HasSuffix(event.LogName, string(EventTypeDataAccess)) { + return nil, ErrUnsupportedEventTypeDataAccess + } + // Do nothing with the serialized data in the legacy solution _, err = proto.Marshal(routableEvent) if err != nil { diff --git a/audit/api/api_legacy_dynamic.go b/audit/api/api_legacy_dynamic.go index d687420..80c5f3a 100644 --- a/audit/api/api_legacy_dynamic.go +++ b/audit/api/api_legacy_dynamic.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "strings" "dev.azure.com/schwarzit/schwarzit.stackit-core-platform/audit-go.git/audit/messaging" auditV1 "dev.azure.com/schwarzit/schwarzit.stackit-core-platform/audit-go.git/gen/go/audit/v1" @@ -102,6 +103,12 @@ func (a *DynamicLegacyAuditApi) ValidateAndSerializeWithTrace( return nil, err } + // Reject event type data-access as the downstream services + // cannot handle it at the moment + if strings.HasSuffix(event.LogName, string(EventTypeDataAccess)) { + return nil, ErrUnsupportedEventTypeDataAccess + } + // Do nothing with the serialized data in the legacy solution _, err = proto.Marshal(routableEvent) if err != nil { diff --git a/audit/api/api_legacy_dynamic_test.go b/audit/api/api_legacy_dynamic_test.go index b694b7f..87f7ff8 100644 --- a/audit/api/api_legacy_dynamic_test.go +++ b/audit/api/api_legacy_dynamic_test.go @@ -7,6 +7,7 @@ import ( "log/slog" "net/url" "os" + "strings" "testing" "time" @@ -42,6 +43,43 @@ func TestDynamicLegacyAuditApi(t *testing.T) { traceParent := "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01" traceState := "rojo=00f067aa0ba902b7,congo=t61rcWkgMzE" + // Check that event-type data-access is rejected as it is currently + // not supported by downstream services + t.Run("reject data access event", func(t *testing.T) { + defer solaceContainer.StopOnError() + + // Create the queue and topic subscription in solace + queueName := "reject-data-access-legacy" + assert.NoError(t, solaceContainer.QueueCreate(ctx, queueName)) + assert.NoError(t, solaceContainer.TopicSubscriptionCreate(ctx, queueName, topicSubscriptionTopicPattern)) + + topicName := "topic://audit-log/eu01/v1/resource-manager/organization-rejected" + assert.NoError(t, solaceContainer.ValidateTopicName(topicSubscriptionTopicPattern, topicName)) + + // Instantiate audit api + auditApi, err := NewDynamicLegacyAuditApi( + messagingApi, + validator, + ) + assert.NoError(t, err) + + // Instantiate test data + event, objectIdentifier := NewOrganizationAuditEvent(nil) + event.LogName = strings.Replace(event.LogName, string(EventTypeAdminActivity), string(EventTypeDataAccess), 1) + + // Log the event to solace + visibility := auditV1.Visibility_VISIBILITY_PUBLIC + ctx := context.WithValue(ctx, ContextKeyTopic, topicName) + assert.ErrorIs(t, (*auditApi).LogWithTrace( + ctx, + event, + visibility, + NewRoutableIdentifier(objectIdentifier), + &traceParent, + &traceState, + ), ErrUnsupportedEventTypeDataAccess) + }) + // Check logging of organization events t.Run("Log public organization event", func(t *testing.T) { defer solaceContainer.StopOnError() diff --git a/audit/api/api_legacy_test.go b/audit/api/api_legacy_test.go index 6f046e7..6dd37e7 100644 --- a/audit/api/api_legacy_test.go +++ b/audit/api/api_legacy_test.go @@ -8,6 +8,7 @@ import ( "log/slog" "net/url" "os" + "strings" "testing" "time" @@ -44,6 +45,42 @@ func TestLegacyAuditApi(t *testing.T) { traceParent := "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01" traceState := "rojo=00f067aa0ba902b7,congo=t61rcWkgMzE" + // Check that event-type data-access is rejected as it is currently + // not supported by downstream services + t.Run("reject data access event", func(t *testing.T) { + defer solaceContainer.StopOnError() + + // Create the queue and topic subscription in solace + queueName := "org-reject-data-access-legacy" + assert.NoError(t, solaceContainer.QueueCreate(ctx, queueName)) + assert.NoError(t, solaceContainer.TopicSubscriptionCreate(ctx, queueName, topicSubscriptionTopicPattern)) + + topicName := "topic://audit-log/eu01/v1/resource-manager/organization-rejected" + assert.NoError(t, solaceContainer.ValidateTopicName(topicSubscriptionTopicPattern, topicName)) + + // Instantiate audit api + auditApi, err := NewLegacyAuditApi( + messagingApi, + LegacyTopicNameConfig{TopicName: topicName}, + validator, + ) + assert.NoError(t, err) + + // Instantiate test data + event, objectIdentifier := NewOrganizationAuditEvent(nil) + event.LogName = strings.Replace(event.LogName, string(EventTypeAdminActivity), string(EventTypeDataAccess), 1) + + // Log the event to solace + assert.ErrorIs(t, (*auditApi).LogWithTrace( + ctx, + event, + auditV1.Visibility_VISIBILITY_PUBLIC, + NewRoutableIdentifier(objectIdentifier), + &traceParent, + &traceState, + ), ErrUnsupportedEventTypeDataAccess) + }) + // Check logging of organization events t.Run("Log public organization event", func(t *testing.T) { defer solaceContainer.StopOnError() diff --git a/audit/api/api_mock.go b/audit/api/api_mock.go index bc5c445..92aacb8 100644 --- a/audit/api/api_mock.go +++ b/audit/api/api_mock.go @@ -3,6 +3,7 @@ package api import ( "context" "fmt" + "strings" "google.golang.org/protobuf/proto" @@ -77,6 +78,12 @@ func (a *MockAuditApi) ValidateAndSerializeWithTrace( return nil, err } + // Reject event type data-access as the downstream services + // cannot handle it at the moment + if strings.HasSuffix(event.LogName, string(EventTypeDataAccess)) { + return nil, ErrUnsupportedEventTypeDataAccess + } + routableEventBytes, err := proto.Marshal(routableEvent) if err != nil { return nil, err diff --git a/audit/api/api_mock_test.go b/audit/api/api_mock_test.go index 8a0184a..2f673e8 100644 --- a/audit/api/api_mock_test.go +++ b/audit/api/api_mock_test.go @@ -2,6 +2,7 @@ package api import ( "context" + "strings" "testing" auditV1 "dev.azure.com/schwarzit/schwarzit.stackit-core-platform/audit-go.git/gen/go/audit/v1" @@ -24,6 +25,16 @@ func TestMockAuditApi_Log(t *testing.T) { context.Background(), event, auditV1.Visibility_VISIBILITY_PUBLIC, routableObjectIdentifier)) }) + t.Run("reject data access event", func(t *testing.T) { + event, objectIdentifier := NewOrganizationAuditEvent(nil) + event.LogName = strings.Replace(event.LogName, string(EventTypeAdminActivity), string(EventTypeDataAccess), 1) + routableObjectIdentifier := NewRoutableIdentifier(objectIdentifier) + + assert.ErrorIs(t, (*auditApi).Log( + context.Background(), event, auditV1.Visibility_VISIBILITY_PUBLIC, routableObjectIdentifier), + ErrUnsupportedEventTypeDataAccess) + }) + t.Run("ValidateAndSerialize", func(t *testing.T) { visibility := auditV1.Visibility_VISIBILITY_PUBLIC cloudEvent, err := (*auditApi).ValidateAndSerializeWithTrace( diff --git a/audit/api/api_routable.go b/audit/api/api_routable.go index 58b7245..eafe9de 100644 --- a/audit/api/api_routable.go +++ b/audit/api/api_routable.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "strings" "google.golang.org/protobuf/proto" @@ -159,6 +160,12 @@ func (a *routableAuditApi) ValidateAndSerializeWithTrace( return nil, err } + // Reject event type data-access as the downstream services + // cannot handle it at the moment + if strings.HasSuffix(event.LogName, string(EventTypeDataAccess)) { + return nil, ErrUnsupportedEventTypeDataAccess + } + routableEventBytes, err := proto.Marshal(routableEvent) if err != nil { return nil, err diff --git a/audit/api/api_routable_test.go b/audit/api/api_routable_test.go index 1203206..e9c0b3d 100644 --- a/audit/api/api_routable_test.go +++ b/audit/api/api_routable_test.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "strings" "testing" "time" @@ -58,6 +59,32 @@ func TestRoutableAuditApi(t *testing.T) { ) assert.NoError(t, err) + // Check that event-type data-access is rejected as it is currently + // not supported by downstream services + t.Run("reject data access event", func(t *testing.T) { + defer solaceContainer.StopOnError() + + // Create the queue and topic subscription in solace + queueName := "org-reject-data-access" + assert.NoError(t, solaceContainer.QueueCreate(ctx, queueName)) + assert.NoError(t, solaceContainer.TopicSubscriptionCreate(ctx, queueName, "org/*")) + + // Instantiate test data + event, objectIdentifier := NewOrganizationAuditEvent(nil) + event.LogName = strings.Replace(event.LogName, string(EventTypeAdminActivity), string(EventTypeDataAccess), 1) + + // Log the event to solace + visibility := auditV1.Visibility_VISIBILITY_PUBLIC + assert.ErrorIs(t, (*auditApi).LogWithTrace( + ctx, + event, + visibility, + NewRoutableIdentifier(objectIdentifier), + &traceParent, + &traceState, + ), ErrUnsupportedEventTypeDataAccess) + }) + // Check logging of organization events t.Run("Log public organization event", func(t *testing.T) { defer solaceContainer.StopOnError()