Automatic audit logging using SQLA events

alembic/versions/7958cca588a1_add_view_audit_log_permission.py

@@ -0,0 +1,39 @@
+"""add view_audit_log permission
+
+Revision ID: 7958cca588a1
+Revises: 875841fac207
+Create Date: 2018-09-14 10:20:20.016575
+
+"""
+from alembic import op
+from sqlalchemy.orm.session import Session
+
+from atst.models.role import Role
+from atst.models.permissions import Permissions
+
+
+# revision identifiers, used by Alembic.
+revision = '7958cca588a1'
+down_revision = '875841fac207'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    session = Session(bind=op.get_bind())
+    admin_roles = session.query(Role).filter(Role.name.in_(["ccpo", "security_auditor"])).all()
+    for role in admin_roles:
+        role.add_permission(Permissions.VIEW_AUDIT_LOG)
+        session.add(role)
+
+    session.commit()
+
+
+def downgrade():
+    session = Session(bind=op.get_bind())
+    admin_roles = session.query(Role).filter(Role.name.in_(["ccpo", "security_auditor"])).all()
+    for role in admin_roles:
+        role.remove_permission(Permissions.VIEW_AUDIT_LOG)
+        session.add(role)
+
+    session.commit()

alembic/versions/875841fac207_add_audit_events_table.py

@@ -0,0 +1,44 @@
+"""add audit_events table
+
+Revision ID: 875841fac207
+Revises: 2572be7fb7fc
+Create Date: 2018-09-13 15:34:18.815205
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '875841fac207'
+down_revision = '359caaf8c5f1'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('audit_events',
+    sa.Column('time_created', sa.TIMESTAMP(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('time_updated', sa.TIMESTAMP(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('id', postgresql.UUID(as_uuid=True), server_default=sa.text('uuid_generate_v4()'), nullable=False),
+    sa.Column('user_id', postgresql.UUID(as_uuid=True), nullable=True),
+    sa.Column('resource_name', sa.String(), nullable=False),
+    sa.Column('resource_id', postgresql.UUID(as_uuid=True), nullable=False),
+    sa.Column('action', sa.String(), nullable=False),
+    sa.Column('workspace_id', postgresql.UUID(as_uuid=True), nullable=True),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id']),
+    sa.ForeignKeyConstraint(['workspace_id'], ['workspaces.id']),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_audit_events_resource_id'), 'audit_events', ['resource_id'], unique=False)
+    op.create_index(op.f('ix_audit_events_user_id'), 'audit_events', ['user_id'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_audit_events_user_id'), table_name='audit_events')
+    op.drop_index(op.f('ix_audit_events_resource_id'), table_name='audit_events')
+    op.drop_table('audit_events')
+    # ### end Alembic commands ###

atst/app.py

@@ -18,6 +18,7 @@ from atst.routes.dev import bp as dev_routes
 from atst.routes.errors import make_error_pages
 from atst.domain.authnid.crl import CRLCache
 from atst.domain.auth import apply_authentication
+from atst.domain.authz import Authorization
 from atst.eda_client import MockEDAClient
 from atst.uploader import Uploader
 
@@ -69,13 +70,12 @@ def make_flask_callbacks(app):
         g.dev = os.getenv("FLASK_ENV", "dev") == "dev"
         g.matchesPath = lambda href: re.match("^" + href, request.path)
         g.modal = request.args.get("modal", None)
-        g.current_user = {
+        g.Authorization = Authorization
-            "id": "cce17030-4109-4719-b958-ed109dbb87c8",
+
-            "first_name": "Amanda",
+    @app.after_request
-            "last_name": "Adamson",
+    def _cleanup(response):
-            "atat_role": "default",
+        g.pop("current_user", None)
-            "atat_permissions": [],
+        return response
-        }
 
 
 def map_config(config):

atst/domain/audit_log.py

@@ -0,0 +1,53 @@
+from atst.database import db
+from atst.domain.common import Query
+from atst.domain.authz import Authorization, Permissions
+from atst.models.audit_event import AuditEvent
+
+
+class AuditEventQuery(Query):
+    model = AuditEvent
+
+    @classmethod
+    def get_all(cls):
+        return db.session.query(cls.model).order_by(cls.model.time_created.desc()).all()
+
+
+class AuditLog(object):
+    @classmethod
+    def log_event(cls, user, resource, action):
+        return cls._log(user=user, resource=resource, action=action)
+
+    @classmethod
+    def log_workspace_event(cls, user, workspace, resource, action):
+        return cls._log(
+            user=user, workspace_id=workspace.id, resource=resource, action=action
+        )
+
+    @classmethod
+    def log_system_event(cls, resource, action):
+        return cls._log(resource=resource, action=action)
+
+    @classmethod
+    def get_all_events(cls, user):
+        Authorization.check_atat_permission(
+            user, Permissions.VIEW_AUDIT_LOG, "view audit log"
+        )
+        return AuditEventQuery.get_all()
+
+    @classmethod
+    def _resource_name(cls, resource):
+        return type(resource).__name__.lower()
+
+    @classmethod
+    def _log(cls, user=None, workspace_id=None, resource=None, action=None):
+        resource_id = resource.id if resource else None
+        resource_name = cls._resource_name(resource) if resource else None
+
+        audit_event = AuditEventQuery.create(
+            user=user,
+            workspace_id=workspace_id,
+            resource_id=resource_id,
+            resource_name=resource_name,
+            action=action,
+        )
+        return AuditEventQuery.add_and_commit(audit_event)

atst/domain/auth.py

@@ -34,6 +34,10 @@ def get_current_user():
     else:
         return False
 
+def logout():
+    if session.get("user_id"):
+        del (session["user_id"])
+
 
 def _unprotected_route(request):
     if request.endpoint in UNPROTECTED_ROUTES:

atst/domain/authz.py

@@ -43,3 +43,12 @@ class Authorization(object):
     def check_workspace_permission(cls, user, workspace, permission, message):
         if not Authorization.has_workspace_permission(user, workspace, permission):
             raise UnauthorizedError(user, message)
+
+    @classmethod
+    def check_atat_permission(cls, user, permission, message):
+        if not Authorization.has_atat_permission(user, permission):
+            raise UnauthorizedError(user, message)
+
+    @classmethod
+    def can_view_audit_log(cls, user):
+        return Authorization.has_atat_permission(user, Permissions.VIEW_AUDIT_LOG)

atst/models/__init__.py

@@ -17,3 +17,4 @@ from .attachment import Attachment
 from .request_revision import RequestRevision
 from .request_review import RequestReview
 from .request_internal_comment import RequestInternalComment
+from .audit_event import AuditEvent

atst/models/audit_event.py

@@ -0,0 +1,44 @@
+from sqlalchemy import String, Column, ForeignKey, inspect
+from sqlalchemy.dialects.postgresql import UUID
+from sqlalchemy.orm import relationship
+
+from atst.models import Base, types
+from atst.models.mixins.timestamps import TimestampsMixin
+
+
+class AuditEvent(Base, TimestampsMixin):
+    __tablename__ = "audit_events"
+
+    id = types.Id()
+
+    user_id = Column(UUID(as_uuid=True), ForeignKey("users.id"), index=True)
+    user = relationship("User", backref="audit_events")
+
+    workspace_id = Column(UUID(as_uuid=True), ForeignKey("workspaces.id"), index=True)
+    workspace = relationship("Workspace", backref="audit_events")
+
+    resource_name = Column(String(), nullable=False)
+    resource_id = Column(UUID(as_uuid=True), index=True, nullable=False)
+    action = Column(String(), nullable=False)
+
+    def __str__(self):
+        full_action = "{} on {} {}".format(
+            self.action, self.resource_name, self.resource_id
+        )
+
+        if self.user and self.workspace:
+            return "{} performed {} in workspace {}".format(
+                self.user.full_name, full_action, self.workspace_id
+            )
+        if self.user:
+            return "{} performed {}".format(self.user.full_name, full_action)
+        else:
+            return "ATAT System performed {}".format(full_action)
+
+    def save(self, connection):
+        attrs = inspect(self).dict
+
+        connection.execute(
+            self.__table__.insert(),
+            **attrs
+        )

atst/models/environment.py

@@ -3,10 +3,10 @@ from sqlalchemy.orm import relationship
 
 from atst.models import Base
 from atst.models.types import Id
-from atst.models.mixins import TimestampsMixin
+from atst.models import mixins
 
 
-class Environment(Base, TimestampsMixin):
+class Environment(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "environments"
 
     id = Id()

atst/models/mixins/__init__.py

@@ -0,0 +1,2 @@
+from .timestamps import TimestampsMixin
+from .auditable import AuditableMixin

atst/models/mixins/auditable.py

@@ -0,0 +1,66 @@
+from sqlalchemy import event
+from flask import g
+import re
+
+from atst.models.audit_event import AuditEvent
+
+ACTION_CREATE = "create"
+ACTION_UPDATE = "update"
+ACTION_DELETE = "delete"
+
+
+def getattr_path(obj, path, default=None):
+    _obj = obj
+    for item in path.split('.'):
+        _obj = getattr(_obj, item, default)
+    return _obj
+
+
+def camel_to_snake(camel_cased):
+    s1 = re.sub('(.)([A-Z][a-z]+)', r'\1_\2', camel_cased)
+    return re.sub('([a-z0-9])([A-Z])', r'\1_\2', s1).lower()
+
+
+class AuditableMixin(object):
+
+    @staticmethod
+    def create_audit_event(connection, resource, action):
+        user_id = getattr_path(g, "current_user.id")
+        workspace_id = resource.auditable_workspace_id()
+        resource_name = resource.auditable_resource_name()
+
+        audit_event = AuditEvent(
+            user_id=user_id,
+            workspace_id=workspace_id,
+            resource_name=resource_name,
+            resource_id=resource.id,
+            action=action,
+        )
+
+        audit_event.save(connection)
+
+    @classmethod
+    def __declare_last__(cls):
+        event.listen(cls, 'after_insert', cls.audit_insert)
+        event.listen(cls, 'after_delete', cls.audit_delete)
+        event.listen(cls, 'after_update', cls.audit_update)
+
+    @staticmethod
+    def audit_insert(mapper, connection, target):
+        """Listen for the `after_insert` event and create an AuditLog entry"""
+        target.create_audit_event(connection, target, ACTION_CREATE)
+
+    @staticmethod
+    def audit_delete(mapper, connection, target):
+        """Listen for the `after_delete` event and create an AuditLog entry"""
+        target.create_audit_event(connection, target, ACTION_DELETE)
+
+    @staticmethod
+    def audit_update(mapper, connection, target):
+        target.create_audit_event(connection, target, ACTION_UPDATE)
+
+    def auditable_resource_name(self):
+        return camel_to_snake(type(self).__name__)
+
+    def auditable_workspace_id(self):
+        return getattr_path(self, "workspace.id")

atst/models/permissions.py

@@ -1,4 +1,5 @@
 class Permissions(object):
+    VIEW_AUDIT_LOG = "view_audit_log"
     REQUEST_JEDI_WORKSPACE = "request_jedi_workspace"
     VIEW_ORIGINAL_JEDI_REQEUST = "view_original_jedi_request"
     REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST = (

atst/models/project.py

@@ -3,10 +3,10 @@ from sqlalchemy.orm import relationship
 
 from atst.models import Base
 from atst.models.types import Id
-from atst.models.mixins import TimestampsMixin
+from atst.models import mixins
 
 
-class Project(Base, TimestampsMixin):
+class Project(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "projects"
 
     id = Id()

atst/models/request.py

@@ -24,7 +24,7 @@ def update_dict_with_properties(instance, body, top_level_key, properties):
     return body
 
 
-class Request(Base, mixins.TimestampsMixin):
+class Request(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "requests"
 
     id = types.Id()

atst/models/request_review.py

@@ -4,7 +4,7 @@ from sqlalchemy.orm import relationship
 from atst.models import Base, mixins, types
 
 
-class RequestReview(Base, mixins.TimestampsMixin):
+class RequestReview(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "request_reviews"
 
     id = types.Id()

atst/models/request_revision.py

@@ -12,11 +12,11 @@ from sqlalchemy.orm import relationship
 from sqlalchemy.dialects.postgresql import ARRAY
 
 from atst.models import Base
-from atst.models.mixins import TimestampsMixin
+from atst.models import mixins
 from atst.models.types import Id
 
 
-class RequestRevision(Base, TimestampsMixin):
+class RequestRevision(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "request_revisions"
 
     id = Id()

atst/models/request_status_event.py

@@ -22,7 +22,7 @@ class RequestStatus(Enum):
     DELETED = "Deleted"
 
 
-class RequestStatusEvent(Base, mixins.TimestampsMixin):
+class RequestStatusEvent(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "request_status_events"
 
     id = Id()

atst/models/workspace.py

@@ -3,12 +3,12 @@ from sqlalchemy.orm import relationship
 
 from atst.models import Base
 from atst.models.types import Id
-from atst.models.mixins import TimestampsMixin
+from atst.models import mixins
 from atst.models.workspace_user import WorkspaceUser
 from atst.utils import first_or_none
 
 
-class Workspace(Base, TimestampsMixin):
+class Workspace(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "workspaces"
 
     id = Id()
@@ -40,3 +40,6 @@ class Workspace(Base, TimestampsMixin):
     @property
     def members(self):
         return [WorkspaceUser(role.user, role) for role in self.roles]
+
+    def auditable_workspace_id(self):
+        return self.id

atst/models/workspace_role.py

@@ -6,7 +6,7 @@ from atst.models import Base, mixins
 from .types import Id
 
 
-class WorkspaceRole(Base, mixins.TimestampsMixin):
+class WorkspaceRole(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     __tablename__ = "workspace_roles"
 
     id = Id()

atst/routes/__init__.py

@@ -5,6 +5,8 @@ import pendulum
 from atst.domain.requests import Requests
 from atst.domain.users import Users
 from atst.domain.authnid import AuthenticationContext
+from atst.domain.audit_log import AuditLog
+from atst.domain.auth import logout as _logout
 
 
 bp = Blueprint("atst", __name__)
@@ -79,7 +81,11 @@ def login_redirect():
 
 @bp.route("/logout")
 def logout():
-    if session.get("user_id"):
+    _logout()
-        del (session["user_id"])
-
     return redirect(url_for(".home"))
+
+
+@bp.route("/activity-history")
+def activity_history():
+    audit_events = AuditLog.get_all_events(g.current_user)
+    return render_template("audit_log.html", audit_events=audit_events)

templates/audit_log.html

@@ -0,0 +1,22 @@
+{% extends "base.html" %}
+
+{% block content %}
+
+
+  <div class="panel">
+    <section class="block-list">
+      <header class="block-list__header">
+        <h1 class="block-list__title">Acitivity History</h1>
+      </header>
+
+      <ul>
+        {% for event in audit_events %}
+          <li class="block-list__item">{{ event }}</li>
+        {% endfor %}
+      </ul>
+
+    </section>
+
+  </div>
+
+{% endblock %}

templates/navigation/global_navigation.html

@@ -25,5 +25,9 @@
     {% if g.current_user.has_workspaces %}
       {{ SidenavItem("Workspaces", href="/workspaces", icon="cloud", active=g.matchesPath('/workspaces')) }}
     {% endif %}
+
+    {% if g.Authorization.can_view_audit_log(g.current_user) %}
+      {{ SidenavItem("Activity History", url_for('atst.activity_history'), icon="document", active=g.matchesPath('/activity-history')) }}
+    {% endif %}
   </ul>
 </div>

tests/conftest.py

@@ -9,6 +9,7 @@ from tempfile import TemporaryDirectory
 
 from atst.app import make_app, make_config
 from atst.database import db as _db
+from atst.domain.auth import logout
 import tests.factories as factories
 from tests.mocks import PDF_FILENAME
 
@@ -108,7 +109,7 @@ def user_session(monkeypatch, session):
     def set_user_session(user=None):
         monkeypatch.setattr(
             "atst.domain.auth.get_current_user",
-            lambda *args: user or factories.UserFactory.build(),
+            lambda *args: user or factories.UserFactory.create(),
         )
 
     return set_user_session

tests/domain/test_audit_log.py

@@ -0,0 +1,20 @@
+import pytest
+
+from atst.domain.audit_log import AuditLog
+from atst.domain.exceptions import UnauthorizedError
+from tests.factories import UserFactory
+
+
+@pytest.fixture(scope="function")
+def ccpo():
+    return UserFactory.from_atat_role("ccpo")
+
+
+@pytest.fixture(scope="function")
+def developer():
+    return UserFactory.from_atat_role("default")
+
+
+def test_non_admin_cannot_view_audit_log(developer):
+    with pytest.raises(UnauthorizedError):
+        AuditLog.get_all_events(developer)

tests/domain/test_projects.py

@@ -1,10 +1,11 @@
 from atst.domain.projects import Projects
-from atst.domain.workspaces import Workspaces
 from tests.factories import RequestFactory
+from atst.domain.workspaces import Workspaces
 
 
 def test_create_project_with_multiple_environments():
-    workspace = Workspaces.create(RequestFactory.create())
+    request = RequestFactory.create()
+    workspace = Workspaces.create(request)
     project = Projects.create(
         workspace.owner, workspace, "My Test Project", "Test", ["dev", "prod"]
     )

tests/routes/test_financial_verification.py

@@ -133,7 +133,7 @@ class TestPENumberInForm:
         request = RequestFactory.create(creator=user)
         monkeypatch.setattr("atst.domain.requests.Requests.get", lambda *args: request)
         monkeypatch.setattr("atst.forms.financial.validate_pe_id", lambda *args: True)
-        user_session()
+        user_session(user)
         data = {**self.required_data, **extended_financial_verification_data}
         data["task_order_number"] = "1234567"