Log request body to audit logs (#5071)

Signed-off-by: Timo Olkkonen <timo.olkkonen@reaktor.com>
Co-authored-by: Timo Olkkonen <timo.olkkonen@reaktor.com>
Co-authored-by: Andrey Pleskach <ples@aiven.io>

Author: 3 people

src/integrationTest/java/org/opensearch/security/InternalAuditLogTest.java

@@ -9,7 +9,7 @@
 */
 package org.opensearch.security;
 
-import java.io.IOException;
+import java.time.Duration;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import org.apache.logging.log4j.LogManager;
@@ -48,13 +48,24 @@ public class InternalAuditLogTest {
         .build();
 
     @Test
-    public void testAuditLogShouldBeGreenInSingleNodeCluster() throws IOException {
+    public void testAuditLogShouldBeGreenInSingleNodeCluster() throws InterruptedException {
         try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
             client.get(""); // demo request for insuring audit-log index is created beforehand
-            TestRestClient.HttpResponse indicesResponse = client.get("_cat/indices");
-
-            assertThat(indicesResponse.getBody(), containsString("security-auditlog"));
-            assertThat(indicesResponse.getBody(), containsString("green"));
+            int retriesLeft = 5;
+            while (retriesLeft > 0) {
+                retriesLeft = retriesLeft - 1;
+                try {
+                    TestRestClient.HttpResponse indicesResponse = client.get("_cat/indices");
+                    assertThat(indicesResponse.getBody(), containsString("security-auditlog"));
+                    assertThat(indicesResponse.getBody(), containsString("green"));
+                    break;
+                } catch (AssertionError e) {
+                    if (retriesLeft == 0) {
+                        throw e;
+                    }
+                    Thread.sleep(Duration.ofSeconds(1));
+                }
+            }
         }
     }
 }

src/integrationTest/java/org/opensearch/security/rest/AuthZinRestLayerTests.java

@@ -34,6 +34,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.auditlog.impl.AuditCategory.AUTHENTICATED;
 import static org.opensearch.security.auditlog.impl.AuditCategory.FAILED_LOGIN;
 import static org.opensearch.security.auditlog.impl.AuditCategory.GRANTED_PRIVILEGES;
 import static org.opensearch.security.auditlog.impl.AuditCategory.MISSING_PRIVILEGES;
@@ -140,6 +141,17 @@ public void testShouldAllowAtRestAndBlockAtTransport() {
         }
     }
 
+    @Test
+    public void testRequestBodyIsAuditLogged() {
+        try (TestRestClient client = cluster.getRestClient(REST_PLUS_TRANSPORT)) {
+            String dummyBody = "{\"hello\": \"world\"}";
+            client.postJson(PROTECTED_API, dummyBody);
+            auditLogsRule.assertExactlyOne(
+                privilegePredicateRESTLayer(AUTHENTICATED, REST_PLUS_TRANSPORT, POST, "/" + PROTECTED_API).withRequestBody(dummyBody)
+            );
+        }
+    }
+
     @Test
     public void testShouldAllowAtRestAndTransport() {
         try (TestRestClient client = cluster.getRestClient(REST_PLUS_TRANSPORT)) {

src/integrationTest/java/org/opensearch/test/framework/audit/AuditMessagePredicate.java

@@ -44,6 +44,7 @@ public class AuditMessagePredicate implements Predicate<AuditMessage> {
     private final String effectiveUser;
     private final String index;
     private final String privilege;
+    private final String requestBody;
 
     private AuditMessagePredicate(
         AuditCategory category,
@@ -55,7 +56,8 @@ private AuditMessagePredicate(
         String transportRequestType,
         String effectiveUser,
         String index,
-        String privilege
+        String privilege,
+        String requestBody
     ) {
         this.category = category;
         this.requestLayer = requestLayer;
@@ -67,10 +69,11 @@ private AuditMessagePredicate(
         this.effectiveUser = effectiveUser;
         this.index = index;
         this.privilege = privilege;
+        this.requestBody = requestBody;
     }
 
     private AuditMessagePredicate(AuditCategory category) {
-        this(category, null, null, null, null, null, null, null, null, null);
+        this(category, null, null, null, null, null, null, null, null, null, null);
     }
 
     public static AuditMessagePredicate auditPredicate(AuditCategory category) {
@@ -120,7 +123,8 @@ public AuditMessagePredicate withLayer(Origin layer) {
             transportRequestType,
             effectiveUser,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -135,7 +139,8 @@ public AuditMessagePredicate withRequestPath(String path) {
             transportRequestType,
             effectiveUser,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -150,7 +155,8 @@ public AuditMessagePredicate withRestParams(Map<String, String> params) {
             transportRequestType,
             effectiveUser,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -165,7 +171,8 @@ public AuditMessagePredicate withInitiatingUser(String user) {
             transportRequestType,
             effectiveUser,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -184,7 +191,8 @@ public AuditMessagePredicate withRestMethod(Method method) {
             transportRequestType,
             effectiveUser,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -199,7 +207,8 @@ public AuditMessagePredicate withTransportRequestType(String type) {
             type,
             effectiveUser,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -214,7 +223,8 @@ public AuditMessagePredicate withEffectiveUser(String user) {
             transportRequestType,
             user,
             index,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -237,7 +247,8 @@ public AuditMessagePredicate withIndex(String indexName) {
             transportRequestType,
             effectiveUser,
             indexName,
-            privilege
+            privilege,
+            requestBody
         );
     }
 
@@ -252,7 +263,24 @@ public AuditMessagePredicate withPrivilege(String privilegeAction) {
             transportRequestType,
             effectiveUser,
             index,
-            privilegeAction
+            privilegeAction,
+            requestBody
+        );
+    }
+
+    public Predicate<AuditMessage> withRequestBody(String body) {
+        return new AuditMessagePredicate(
+            category,
+            requestLayer,
+            restRequestPath,
+            restParams,
+            initiatingUser,
+            requestMethod,
+            transportRequestType,
+            effectiveUser,
+            index,
+            privilege,
+            body
         );
     }
 
@@ -269,6 +297,7 @@ public boolean test(AuditMessage auditMessage) {
         predicates.add(audit -> Objects.isNull(effectiveUser) || effectiveUser.equals(audit.getEffectiveUser()));
         predicates.add(audit -> Objects.isNull(index) || containIndex(audit, index));
         predicates.add(audit -> Objects.isNull(privilege) || privilege.equals(audit.getPrivilege()));
+        predicates.add(audit -> Objects.isNull(requestBody) || requestBody.equals(audit.getRequestBody()));
         return predicates.stream().reduce(Predicate::and).orElseThrow().test(auditMessage);
     }
 
@@ -303,4 +332,5 @@ public String toString() {
             + '\''
             + '}';
     }
+
 }

src/main/java/org/opensearch/security/auth/BackendRegistry.java

@@ -227,7 +227,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
             UserSubject subject = new UserSubjectImpl(threadPool, superuser);
             threadContext.putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, subject);
             threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, superuser);
-            auditLog.logSucceededLogin(sslPrincipal, true, null, request);
             return true;
         }
 
@@ -392,9 +391,9 @@ public boolean authenticate(final SecurityRequestChannel request) {
             final User impersonatedUser = impersonate(request, authenticatedUser);
             final User effectiveUser = impersonatedUser == null ? authenticatedUser : impersonatedUser;
             threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, effectiveUser);
+            threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INITIATING_USER, authenticatedUser.getName());
             UserSubject subject = new UserSubjectImpl(threadPool, effectiveUser);
             threadPool.getThreadContext().putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, subject);
-            auditLog.logSucceededLogin(effectiveUser.getName(), false, authenticatedUser.getName(), request);
         } else {
             if (isDebugEnabled) {
                 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
@@ -425,7 +424,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
 
                 threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
                 threadPool.getThreadContext().putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, subject);
-                auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
                 if (isDebugEnabled) {
                     log.debug("Anonymous User is authenticated");
                 }

src/main/java/org/opensearch/security/filter/SecurityRestFilter.java

@@ -72,6 +72,7 @@
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_INITIATING_USER;
 
 public class SecurityRestFilter {
 
@@ -168,12 +169,16 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 
             // Authorize Request
             final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+            String intiatingUser = threadContext.getTransient(OPENDISTRO_SECURITY_INITIATING_USER);
             if (userIsSuperAdmin(user, adminDNs)) {
                 // Super admins are always authorized
+                auditLog.logSucceededLogin(user.getName(), true, intiatingUser, requestChannel);
                 delegate.handleRequest(request, channel, client);
                 return;
             }
-
+            if (user != null) {
+                auditLog.logSucceededLogin(user.getName(), false, intiatingUser, requestChannel);
+            }
             final Optional<SecurityResponse> deniedResponse = whitelistingSettings.checkRequestIsAllowed(requestChannel)
                 .or(() -> allowlistingSettings.checkRequestIsAllowed(requestChannel));
 

src/main/java/org/opensearch/security/support/ConfigConstants.java

@@ -120,6 +120,8 @@ public class ConfigConstants {
 
     public static final String OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT = OPENDISTRO_SECURITY_CONFIG_PREFIX + "user_info";
 
+    public static final String OPENDISTRO_SECURITY_INITIATING_USER = OPENDISTRO_SECURITY_CONFIG_PREFIX + "_initiating_user";
+
     public static final String OPENDISTRO_SECURITY_INJECTED_USER = "injected_user";
     public static final String OPENDISTRO_SECURITY_INJECTED_USER_HEADER = "injected_user_header";