Add api authorization logging
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing

This commit is contained in:
Garrett Mills 2020-10-18 21:07:42 -05:00
parent 7c8a05aa4f
commit fac3431375
Signed by: garrettmills
GPG Key ID: D2BF5FBA8298F246
3 changed files with 25 additions and 2 deletions

View File

@ -8,23 +8,30 @@ class PermissionMiddleware extends Middleware {
async test(req, res, next, { check }) { async test(req, res, next, { check }) {
const Policy = this.models.get('iam:Policy') const Policy = this.models.get('iam:Policy')
req.additional_api_log_data.permission_check = check
// If the request was authorized using an OAuth2 bearer token, // If the request was authorized using an OAuth2 bearer token,
// make sure the associated client has permission to access this endpoint. // make sure the associated client has permission to access this endpoint.
if ( req?.oauth?.client ) { if ( req?.oauth?.client ) {
if ( !req.oauth.client.can(check) ) { if ( !req.oauth.client.can(check) ) {
const reason = 'oauth-permission-fail' const reason = 'oauth-permission-fail'
await this.activity.api_access_denial({ const fail_activity = await this.activity.api_access_denial({
req, req,
reason, reason,
check, check,
oauth_client_id: req.oauth.client.uuid, oauth_client_id: req.oauth.client.uuid,
}) })
req.additional_api_log_data.permission_check_succeeded = false
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
return res.status(401) return res.status(401)
.message('Insufficient permissions (OAuth2 Client).') .message('Insufficient permissions (OAuth2 Client).')
.api() .api()
} }
req.additional_api_log_data.permission_check_succeeded = true
// If the oauth2 client has this permission, then allow the request to continue, // If the oauth2 client has this permission, then allow the request to continue,
// even if the user does not. // even if the user does not.
// OAuth2Clients need to be able to query users via the API. // OAuth2Clients need to be able to query users via the API.
@ -38,13 +45,18 @@ class PermissionMiddleware extends Middleware {
if ( policy_denied || (!req.user.can(check) && !policy_access) ) { if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
// Record the failed API access // Record the failed API access
const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted') const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
await this.activity.api_access_denial({ req, reason, check }) const fail_activity = await this.activity.api_access_denial({ req, reason, check })
req.additional_api_log_data.permission_check_succeeded = false
req.additional_api_log_data.permission_check_reason = reason
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
return res.status(401) return res.status(401)
.message('Insufficient permissions.') .message('Insufficient permissions.')
.api() .api()
} }
req.additional_api_log_data.permission_check_succeeded = true
return next() return next()
} }
} }

View File

@ -6,14 +6,21 @@ class APIRouteMiddleware extends Middleware {
} }
async test(req, res, next, { allow_token = true, allow_user = true }) { async test(req, res, next, { allow_token = true, allow_user = true }) {
if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
// First, check if there is a user in the session. // First, check if there is a user in the session.
if ( allow_user && req.user ) { if ( allow_user && req.user ) {
req.additional_api_log_data.authorized_by = 'user'
return next() return next()
} else if ( allow_token ) { } else if ( allow_token ) {
if ( !req.oauth ) req.oauth = {} if ( !req.oauth ) req.oauth = {}
req.additional_api_log_data.attempted_token_auth = true
return req.app.oauth2.authorise()(req, res, async e => { return req.app.oauth2.authorise()(req, res, async e => {
if ( e ) return next(e) if ( e ) return next(e)
req.additional_api_log_data.authorized_by = 'token'
// Look up the OAuth2 client an inject it into the route // Look up the OAuth2 client an inject it into the route
if ( req.user && req.user.id ) { if ( req.user && req.user.id ) {
const User = this.models.get('auth:User') const User = this.models.get('auth:User')
@ -44,6 +51,9 @@ class APIRouteMiddleware extends Middleware {
.message('This OAuth2 client is no longer authorized.') .message('This OAuth2 client is no longer authorized.')
.api() .api()
req.additional_api_log_data.token_client_id = client.uuid
req.additional_api_log_data.token = bearer
req.oauth.token = token req.oauth.token = token
req.oauth.client = client req.oauth.client = client
} else } else

View File

@ -36,6 +36,7 @@ class ActivityService extends Service {
} }
await activity.save() await activity.save()
return activity
} }
async mfa_enable({ req }) { async mfa_enable({ req }) {