author | Simo Sorce <simo@redhat.com> | 2015-10-05 13:46:24 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-10-19 12:18:16 -0400 |
commit | 9f9e8ab04f7478688d41c9bcb6ec3e3a7913fd8d (patch) | |
tree | e3617ab8385306d652b3448b4219266e8c566f35 /custodia/httpd/authorizers.py | |
parent | a94ac9cec35e12765bba61409cf4db88f564af4c (diff) | |
Add auditing to auth/authz modules
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Diffstat (limited to 'custodia/httpd/authorizers.py')
-rw-r--r-- | custodia/httpd/authorizers.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/custodia/httpd/authorizers.py b/custodia/httpd/authorizers.py index dbf3d37..d6fe7c7 100644 --- a/custodia/httpd/authorizers.py +++ b/custodia/httpd/authorizers.py @@ -2,11 +2,14 @@ import os +from custodia import log + class HTTPAuthorizer(object): def __init__(self, config=None): self.config = config + self._auditlog = log.AuditLog(self.config) self.store_name = None if self.config and 'store' in self.config: self.store_name = self.config['store'] @@ -36,10 +39,16 @@ class SimplePathAuthz(HTTPAuthorizer): # special case to match a path ending in / authz = authz[:-1] if authz == path: + self._auditlog.svc_access(log.AUDIT_SVC_AUTHZ_PASS, + request['creds']['pid'], + "SPA", path) return True while path != '': if path in self.paths: + self._auditlog.svc_access(log.AUDIT_SVC_AUTHZ_PASS, + request['creds']['pid'], + "SPA", path) return True if path == '/': path = '' @@ -63,12 +72,21 @@ class UserNameSpace(HTTPAuthorizer): name = request.get('remote_user', None) if name is None: # UserNameSpace requires a user ... + self._auditlog.svc_access(log.AUDIT_SVC_AUTHZ_FAIL, + request.get('creds', {'pid': 0})['pid'], + "UNS(%s)" % self.path, path) return False namespace = self.path.rstrip('/') + '/' + name + '/' if not path.startswith(namespace): # Not in the namespace + self._auditlog.svc_access(log.AUDIT_SVC_AUTHZ_FAIL, + request.get('creds', {'pid': 0})['pid'], + "UNS(%s)" % self.path, path) return False request['default_namespace'] = name + self._auditlog.svc_access(log.AUDIT_SVC_AUTHZ_PASS, + request.get('creds', {'pid': 0})['pid'], + "UNS(%s)" % self.path, path) return True |
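Review bot: `log.AuditLog(self.config)` in `HTTPAuthorizer.__init__` runs even when `config` is None, the parameter's default, while the unchanged lines right after it guard with `if self.config and 'store' in self.config`. AuditLog is not shown in this diff, so whether it accepts None cannot be confirmed from here; if it does not, every authorizer built without a config now fails at construction. Either pass a guarded value or state the contract next to the call, for example `# AuditLog must accept config=None`.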
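Review bot: Both added `svc_access` calls in SimplePathAuthz index `request['creds']['pid']` directly, so a request that carries no `creds` entry now raises KeyError on a branch that previously returned True; the UserNameSpace hunk of this same commit reads the value with `request.get('creds', {'pid': 0})['pid']`, and the two should agree. Only AUDIT_SVC_AUTHZ_PASS is recorded here: the denial path, which appears to lie after the loop and outside this hunk, produces no record, and refused requests are the events a detection rule on this log would most want. Inside the `while` loop the logged `path` is the shortened prefix that matched `self.paths`, not the path the client asked for, so the record does not identify the resource; saving the original before the loop (`reqpath = path`) and logging that alongside the matched prefix would fix it.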
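Review bot: The expression `request.get('creds', {'pid': 0})['pid']` is repeated three times in UserNameSpace and still raises KeyError when `creds` is present without a `pid`; computing `pid = request.get('creds', {}).get('pid', 0)` once, before the first check, covers both cases. The two AUDIT_SVC_AUTHZ_FAIL records carry the pid and the path but not `name`, the `remote_user` that was refused in the "Not in the namespace" branch, which is the field an analyst needs to attribute the attempt. `path` is supplied by the request and is passed to the audit log unchanged; AuditLog is not visible in this diff, so confirm it escapes control characters before treating the log as one record per line. The method begins above this hunk.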