Logging args during audit failures

elastic · Jun 1, 2018 · a2b51b5 · a2b51b5
1 parent 762833f
commit a2b51b5
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/x-pack/plugins/security/server/lib/audit_logger.js b/x-pack/plugins/security/server/lib/audit_logger.js
@@ -10,7 +10,7 @@ export class SecurityAuditLogger {
     this._auditLogger = auditLogger;
   }
 
-  savedObjectsAuthorizationFailure(username, action, types, missing) {
+  savedObjectsAuthorizationFailure(username, action, types, missing, args) {
     if (!this._enabled) {
       return;
     }
@@ -22,7 +22,8 @@ export class SecurityAuditLogger {
         username,
         action,
         types,
-        missing
+        missing,
+        args
       }
     );
   }

diff --git a/x-pack/plugins/security/server/lib/audit_logger.test.js b/x-pack/plugins/security/server/lib/audit_logger.test.js
@@ -49,8 +49,12 @@ describe(`#savedObjectsAuthorizationFailure`, () => {
     const action = 'foo-action';
     const types = [ 'foo-type-1', 'foo-type-2' ];
     const missing = [`action:saved-objects/${types[0]}/foo-action`, `action:saved-objects/${types[1]}/foo-action`];
+    const args = {
+      'foo': 'bar',
+      'baz': 'quz',
+    };
 
-    securityAuditLogger.savedObjectsAuthorizationFailure(username, action, types, missing);
+    securityAuditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
 
     expect(auditLogger.log).toHaveBeenCalledWith(
       'saved_objects_authorization_failure',
@@ -60,6 +64,7 @@ describe(`#savedObjectsAuthorizationFailure`, () => {
         action,
         types,
         missing,
+        args,
       }
     );
   });
@@ -89,8 +94,7 @@ describe(`#savedObjectsAuthorizationSuccess`, () => {
     const types = [ 'foo-type-1', 'foo-type-2' ];
     const args = {
       'foo': 'bar',
-      'dude': 'yup',
-      'women': 'yay!',
+      'baz': 'quz',
     };
 
     securityAuditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);

diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -103,7 +103,7 @@ export class SecureSavedObjectsClient {
     if (result.success) {
       this._auditLogger.savedObjectsAuthorizationSuccess(result.username, action, types, args);
     } else {
-      this._auditLogger.savedObjectsAuthorizationFailure(result.username, action, types, result.missing);
+      this._auditLogger.savedObjectsAuthorizationFailure(result.username, action, types, result.missing, args);
       const msg = `Unable to ${action} ${types.join(',')}, missing ${result.missing.join(',')}`;
       throw this._client.errors.decorateForbiddenError(new Error(msg));
     }