
Conversation

@jessecooper
Collaborator

CASBIN_USER_NAME_HEADERS configuration for audit logging with user name

This enables audit logging with the user name when a user tries to access resources they do not have access to.

Flask Application Configuration Example:

...
# Set up Casbin model config
app.config['CASBIN_MODEL'] = 'casbinmodel.conf'
# Set headers where owner for enforcement policy should be located
app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'}
# Add User Audit Logging with user name associated to log
app.config['CASBIN_USER_NAME_HEADERS'] = {'X-User'}
...

Output Example:

[2020-11-10 12:55:06,060] ERROR in casbin_enforcer: Unauthorized attempt: method: GET resource: /api/v1/resources by user: janedoe@example.com

Requirement:
The requirement comes from APPLICATION SECURITY AND DEVELOPMENT (ASD) SRG-APP-000492:

SRG-APP-000492 - The application must generate audit records when successful/unsuccessful attempts to access security objects occur.
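The configuration and output above can be reproduced without a running Flask app. The block below is an added example, not flask-casbin's own code: it resolves the two header settings from the description (CASBIN_OWNER_HEADERS and CASBIN_USER_NAME_HEADERS) case-insensitively against a constructed dict of request headers, checks a stand-in policy function in place of a real Casbin enforcer, and on denial emits an ERROR record in the same shape as the output example. All function names are hypothetical.

```python
# Added example, not flask-casbin's own code. The Casbin enforcer is replaced
# by a plain policy function and the Flask request by a dict of headers; every
# function name here is hypothetical.
import logging

logger = logging.getLogger("casbin_enforcer")

# Same shape as the audit line in the PR's output example.
AUDIT_FORMAT = "Unauthorized attempt: method: %s resource: %s by user: %s"


def _normalize(names):
    """Lower-case a collection of header names (HTTP header names are case-insensitive)."""
    return {name.lower() for name in names or ()}


def resolve_headers(request_headers, owner_headers, user_name_headers):
    """Return (owners, user_name) picked out of the request headers.

    owner_headers mirrors CASBIN_OWNER_HEADERS; user_name_headers mirrors
    CASBIN_USER_NAME_HEADERS. Matching ignores header-name case on both
    sides, so 'X-User' in config matches 'x-user' or 'X-USER' on the wire.
    """
    want_owner = _normalize(owner_headers)
    want_user = _normalize(user_name_headers)
    owners = []
    user_name = None
    for name, value in request_headers.items():
        key = name.lower()
        if key in want_owner:
            owners.append(value)
        if key in want_user and user_name is None:
            user_name = value
    return owners, user_name


def enforce_request(method, resource, request_headers, owner_headers,
                    user_name_headers, policy):
    """Allow the request if any owner header value is permitted by `policy`.

    On denial an ERROR audit record is logged and also returned so callers
    (and tests) can inspect it. `policy(subject, resource, action)` stands in
    for Casbin's enforce(sub, obj, act).
    """
    owners, user_name = resolve_headers(request_headers, owner_headers,
                                        user_name_headers)
    for owner in owners:
        if policy(owner, resource, method):
            return True, None
    message = AUDIT_FORMAT % (method, resource, user_name or "unknown")
    logger.error(message)
    return False, message


# Constructed stand-in for a Casbin policy file: (subject, object, action).
SAMPLE_POLICY = {
    ("admins", "/api/v1/resources", "GET"),
    ("janedoe@example.com", "/api/v1/profile", "GET"),
}


def sample_policy(subject, resource, action):
    return (subject, resource, action) in SAMPLE_POLICY


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed request whose header names arrive with mixed case.
    headers = {"x-user": "janedoe@example.com", "X-GROUP": "guests"}
    print(enforce_request("GET", "/api/v1/resources", headers,
                          {"X-User", "X-Group"}, {"X-User"}, sample_policy))
```

Normalizing both the configured names and the incoming names to lower case at comparison time means the config can keep the conventional 'X-User' spelling while still matching whatever casing a proxy or client sends; a request that carries no user-name header is still logged, with "unknown" as the user, so the denial is never silently dropped.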


@marchingphoenix marchingphoenix left a comment


looks good to me

)
continue

if self.user_name_headers and header in self.user_name_headers:
Contributor

@dfresh613 dfresh613 Nov 10, 2020


Per the HTTP protocol, headers are not case sensitive; perhaps we should ensure we support that here, or when we load, by forcing everything to .lower()?

Should we also include a unit test matching this same path?

Collaborator Author


Good call out. Let me look into what Flask is doing with the headers in the request. They might be doing a .upper() on it.

Collaborator Author


Added changes to remove case sensitivity.

@jessecooper jessecooper merged commit 145f1bf into master Nov 11, 2020
@jessecooper jessecooper deleted the audit-logging branch November 11, 2020 14:28