1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
# Copyright (C) 2015 Custodia Project Contributors - see LICENSE file
import sys
import time
import traceback
try:
from StringIO import StringIO
except ImportError:
from io import StringIO
DEBUG = False
def stacktrace():
_, _, tb = sys.exc_info()
if tb is None:
return None
try:
f = StringIO()
traceback.print_tb(tb, None, file=f)
return f.getvalue()
finally:
del tb
def get_time():
t = time.gmtime(time.time())
return '%04d/%02d/%02d %02d:%02d:%02d' % (
t[0], t[1], t[2], t[3], t[4], t[5])
def error(msg, head=None):
if head is not None:
head = get_time()
sys.stderr.write('[%s] %s\n' % (head, msg))
def debug(msg):
if DEBUG:
error(msg, 'DEBUG')
trace = stacktrace()
if trace is not None:
sys.stderr.write(trace + '\n')
AUDIT_NONE = 0
AUDIT_GET_ALLOWED = 1
AUDIT_GET_DENIED = 2
AUDIT_SET_ALLOWED = 3
AUDIT_SET_DENIED = 4
AUDIT_DEL_ALLOWED = 5
AUDIT_DEL_DENIED = 6
AUDIT_LAST = 7
AUDIT_SVC_NONE = 8
AUDIT_SVC_AUTH_PASS = 9
AUDIT_SVC_AUTH_FAIL = 10
AUDIT_SVC_AUTHZ_PASS = 11
AUDIT_SVC_AUTHZ_FAIL = 12
AUDIT_SVC_LAST = 13
AUDIT_MESSAGES = [
"AUDIT FAILURE",
"ALLOWED: '{client:s}' requested key '{key:s}'", # AUDIT_GET_ALLOWED
"DENIED: '{client:s}' requested key '{key:s}'", # AUDIT_GET_DENIED
"ALLOWED: '{client:s}' stored key '{key:s}'", # AUDIT_SET_ALLOWED
"DENIED: '{client:s}' stored key '{key:s}'", # AUDIT_SET_DENIED
"ALLOWED: '{client:s}' deleted key '{key:s}'", # AUDIT_DEL_ALLOWED
"DENIED: '{client:s}' deleted key '{key:s}'", # AUDIT_DEL_DENIED
"AUDIT FAILURE 7",
"AUDIT FAILURE 8",
"PASS({tag:s}): '{cli:s}' authenticated as '{name:s}'", # SVC_AUTH_PASS
"FAIL({tag:s}): '{cli:s}' authenticated as '{name:s}'", # SVC_AUTH_FAIL
"PASS({tag:s}): '{cli:s}' authorized for '{name:s}'", # SVC_AUTHZ_PASS
"FAIL({tag:s}): '{cli:s}' authorized for '{name:s}'", # SVC_AUTHZ_FAIL
"AUDIT FAILURE 13",
]
class AuditLog(object):
def __init__(self, config):
if config is None:
config = {}
self.logfile = config.get('auditlog', 'custodia.audit.log')
def _log(self, message):
with open(self.logfile, 'a+') as f:
f.write('%s: %s\n' % (get_time(), message))
f.flush()
def key_access(self, action, client, keyname):
if action <= AUDIT_NONE or action >= AUDIT_LAST:
action = AUDIT_NONE
self._log(AUDIT_MESSAGES[action].format(client=client, key=keyname))
def svc_access(self, action, client, tag, name):
if action <= AUDIT_SVC_NONE or action >= AUDIT_SVC_LAST:
action = AUDIT_NONE
self._log(AUDIT_MESSAGES[action].format(cli=str(client), tag=tag,
name=name))
|