From e909569b772f151da67bd201133e558aaa8ff729 Mon Sep 17 00:00:00 2001
From: Zac Bergquist
Date: Mon, 21 Oct 2024 17:18:15 -0600
Subject: [PATCH] Add extra metadata to the join_token.create audit event (#47766)

Include the [potentially redacted] token name, expiry, and the name of the user who performed the create/update operation.

Closes #44017
---
 lib/auth/auth_with_roles.go | 20 ++++++++++----------
 lib/auth/tls_test.go | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index aaed327623036..531f6039cd1dc 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -2137,11 +2137,7 @@ func enforceEnterpriseJoinMethodCreation(token types.ProvisionToken) error {
 
 // emitTokenEvent is called by Create/Upsert Token in order to emit any relevant
 // events.
-func emitTokenEvent(
- ctx context.Context,
- e apievents.Emitter,
- roles types.SystemRoles,
- joinMethod types.JoinMethod,
+func emitTokenEvent(ctx context.Context, e apievents.Emitter, token types.ProvisionToken,
 ) {
 userMetadata := authz.ClientUserMetadata(ctx)
 if err := e.EmitAuditEvent(ctx, &apievents.ProvisionTokenCreate{
@@ -2149,9 +2145,14 @@ func emitTokenEvent(
 Type: events.ProvisionTokenCreateEvent,
 Code: events.ProvisionTokenCreateCode,
 },
+ ResourceMetadata: apievents.ResourceMetadata{
+ Name: token.GetSafeName(),
+ Expires: token.Expiry(),
+ UpdatedBy: userMetadata.GetUser(),
+ },
 UserMetadata: userMetadata,
- Roles: roles,
- JoinMethod: joinMethod,
+ Roles: token.GetRoles(),
+ JoinMethod: token.GetJoinMethod(),
 }); err != nil {
 log.WithError(err).Warn("Failed to emit join token create event.")
 }
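Review bot: The collapsed signature at the top of the first hunk keeps the trailing comma and the `) {` on its own line from the old multi-line form, which is gofmt-clean but reads as an unfinished edit now that the three parameters fit on one line; `func emitTokenEvent(ctx context.Context, e apievents.Emitter, token types.ProvisionToken) {` is the usual shape. The doc comment above it still says only that the function emits "any relevant events", which no longer tells a reader what is pulled from the token. The body of emitTokenEvent continues in the next hunk.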
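Review bot: The new ResourceMetadata block is the first place this event reads fields straight off the token, and the only thing keeping the token secret out of the audit log is the choice of `token.GetSafeName()` over `GetName()`; the test expectations in lib/auth/tls_test.go (`"*******"`, `"*****************luster"`) suggest GetSafeName masks most of the name, but nothing in the code says so. A comment on the `Name:` line such as `// Use the redacted name: the raw token value is a secret and must not reach the audit log.` would keep a later edit from swapping in GetName, and the function's doc comment could say the same in one sentence. emitTokenEvent starts in the previous hunk.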
@@ -2175,12 +2176,11 @@ func (a *ServerWithRoles) UpsertToken(ctx context.Context, token types.Provision
 return trace.Wrap(err)
 }
 
- emitTokenEvent(ctx, a.authServer.emitter, token.GetRoles(), token.GetJoinMethod())
+ emitTokenEvent(ctx, a.authServer.emitter, token)
 return nil
 }
 
 func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.ProvisionToken) error {
- jm := token.GetJoinMethod()
 if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbCreate); err != nil {
 return trace.Wrap(err)
 }
@@ -2197,7 +2197,7 @@ func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.Provision
 return trace.Wrap(err)
 }
 
- emitTokenEvent(ctx, a.authServer.emitter, token.GetRoles(), jm)
+ emitTokenEvent(ctx, a.authServer.emitter, token)
 return nil
 }
 
diff --git a/lib/auth/tls_test.go b/lib/auth/tls_test.go
index dd12035a2a2e1..266bfce970ee7 100644
--- a/lib/auth/tls_test.go
+++ b/lib/auth/tls_test.go
@@ -4303,6 +4303,10 @@ func TestGRPCServer_CreateTokenV2(t *testing.T) {
 Type: events.ProvisionTokenCreateEvent,
 Code: events.ProvisionTokenCreateCode,
 },
+ ResourceMetadata: eventtypes.ResourceMetadata{
+ Name: "*******",
+ UpdatedBy: "token-creator",
+ },
 UserMetadata: eventtypes.UserMetadata{
 User: "token-creator",
 UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4332,6 +4336,10 @@ func TestGRPCServer_CreateTokenV2(t *testing.T) {
 Type: events.ProvisionTokenCreateEvent,
 Code: events.ProvisionTokenCreateCode,
 },
+ ResourceMetadata: eventtypes.ResourceMetadata{
+ Name: "*****************luster",
+ UpdatedBy: "token-creator",
+ },
 UserMetadata: eventtypes.UserMetadata{
 User: "token-creator",
 UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
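Review bot: Dropping `jm := token.GetJoinMethod()` at the top of CreateToken moves the read of the join method to the emit call at the end of the function, so if any step in between normalises or defaults the token, the audit event now records the post-validation value rather than what the caller supplied; the intervening code is outside this hunk, so I cannot tell whether that happens, but it is a small behaviour change worth one line in the description. The same call replacement is made in the next hunk of this file (line 2200) and raises nothing further. Both UpsertToken and CreateToken start or end outside the hunk.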
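Review bot: None of the new ResourceMetadata expectations set `Expires`, even though emitTokenEvent now populates it from `token.Expiry()`; if these assertions compare the whole event, the fixture tokens must have a zero expiry and the new field is effectively untested. One case that creates a token with an expiry and asserts the emitted `Expires` would pin it, and would also show whether a never-expiring token is meant to produce a zero timestamp on the event. The same gap applies to the other hunks of this file (lines 4332, 4454, 4483 and 4514). TestGRPCServer_CreateTokenV2 starts and ends outside the hunk.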
@@ -4454,6 +4462,10 @@ func TestGRPCServer_UpsertTokenV2(t *testing.T) {
 Type: events.ProvisionTokenCreateEvent,
 Code: events.ProvisionTokenCreateCode,
 },
+ ResourceMetadata: eventtypes.ResourceMetadata{
+ Name: "*******",
+ UpdatedBy: "token-upserter",
+ },
 UserMetadata: eventtypes.UserMetadata{
 User: "token-upserter",
 UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4483,6 +4495,10 @@ func TestGRPCServer_UpsertTokenV2(t *testing.T) {
 Type: events.ProvisionTokenCreateEvent,
 Code: events.ProvisionTokenCreateCode,
 },
+ ResourceMetadata: eventtypes.ResourceMetadata{
+ Name: "*****************luster",
+ UpdatedBy: "token-upserter",
+ },
 UserMetadata: eventtypes.UserMetadata{
 User: "token-upserter",
 UserKind: eventtypes.UserKind_USER_KIND_HUMAN,
@@ -4514,6 +4530,10 @@ func TestGRPCServer_UpsertTokenV2(t *testing.T) {
 Type: events.ProvisionTokenCreateEvent,
 Code: events.ProvisionTokenCreateCode,
 },
+ ResourceMetadata: eventtypes.ResourceMetadata{
+ Name: "**************",
+ UpdatedBy: "token-upserter",
+ },
 UserMetadata: eventtypes.UserMetadata{
 User: "token-upserter",
 UserKind: eventtypes.UserKind_USER_KIND_HUMAN,