V3 add audit events for route bindings 175228173 (cloudfoundry#1945)

FelisiaM · web-flow · commit 648958def6af · 2020-11-06T15:43:25.000Z
* v3(services) Created generic binding event repository - Should be usable by route bindings, credential bindings of type app and key [#175228173](https://www.pivotaltracker.com/story/show/175228173) * v3(services): Added audit events for service_route_bindings * v3(services) Added audit events for unbind service route bindings * v3(services) Removed audit logging in service instance when binding route service * Formatting fix * Added constants for the event repo type
diff --git a/app/actions/service_credential_binding_create.rb b/app/actions/service_credential_binding_create.rb
@@ -1,4 +1,4 @@
-require 'repositories/service_binding_event_repository'
+require 'repositories/service_generic_binding_event_repository'
 require 'services/service_brokers/service_client_provider'
 require 'actions/v3/service_binding_create'
 
@@ -84,7 +84,8 @@ def all_space_guids(service_instance)
       end
 
       def event_repository
-        Repositories::ServiceBindingEventRepository
+        @event_repository ||= Repositories::ServiceGenericBindingEventRepository.new(
+          Repositories::ServiceGenericBindingEventRepository::SERVICE_APP_CREDENTIAL_BINDING)
       end
 
       def operation_in_progress!
diff --git a/app/actions/service_credential_binding_delete.rb b/app/actions/service_credential_binding_delete.rb
@@ -21,7 +21,8 @@ def perform_start_delete_actions(binding)
       end
 
       def event_repository
-        Repositories::ServiceBindingEventRepository
+        @event_repository ||= Repositories::ServiceGenericBindingEventRepository.new(
+          Repositories::ServiceGenericBindingEventRepository::SERVICE_APP_CREDENTIAL_BINDING)
       end
     end
   end
diff --git a/app/actions/service_route_binding_create.rb b/app/actions/service_route_binding_create.rb
@@ -5,9 +5,10 @@
 module VCAP::CloudController
   module V3
     class ServiceRouteBindingCreate < V3::ServiceBindingCreate
-      def initialize(service_event_repository)
+      def initialize(user_audit_info, audit_hash)
         super()
-        @service_event_repository = service_event_repository
+        @user_audit_info = user_audit_info
+        @audit_hash = audit_hash
       end
 
       def precursor(service_instance, route, message:)
@@ -35,6 +36,11 @@ class RouteBindingAlreadyExists < StandardError; end
 
       private
 
+      def event_repository
+        @event_repository ||= Repositories::ServiceGenericBindingEventRepository.new(
+          Repositories::ServiceGenericBindingEventRepository::SERVICE_ROUTE_BINDING)
+      end
+
       def validate!(service_instance, route)
         not_supported! unless service_instance.route_service?
         not_bindable! unless service_instance.bindable?
@@ -45,8 +51,6 @@ def validate!(service_instance, route)
         operation_in_progress! if service_instance.operation_in_progress?
       end
 
-      attr_reader :service_event_repository
-
       def complete_binding_and_save(binding, binding_details, last_operation)
         binding.save_with_attributes_and_new_operation(
           {
@@ -58,15 +62,32 @@ def complete_binding_and_save(binding, binding_details, last_operation)
             description: last_operation[:description],
           }
         )
+
         binding.notify_diego
-        record_audit_event(binding)
+
+        event_repository.record_create(
+          binding,
+          @user_audit_info,
+          @audit_hash,
+          manifest_triggered: false
+        )
       end
 
-      def record_audit_event(precursor)
-        service_event_repository.record_service_instance_event(
-          :bind_route,
-          precursor.service_instance,
-          { route_guid: precursor.route.guid },
+      def save_incomplete_binding(precursor, operation)
+        precursor.save_with_attributes_and_new_operation(
+          {},
+          {
+            type: 'create',
+            state: 'in progress',
+            broker_provided_operation: operation
+          }
+        )
+
+        event_repository.record_start_create(
+          precursor,
+          @user_audit_info,
+          @audit_hash,
+          manifest_triggered: false
         )
       end
 
diff --git a/app/actions/service_route_binding_delete.rb b/app/actions/service_route_binding_delete.rb
@@ -4,27 +4,30 @@
 module VCAP::CloudController
   module V3
     class ServiceRouteBindingDelete < V3::ServiceBindingDelete
-      def initialize(service_event_repository)
+      def initialize(user_audit_info)
         super()
-        @service_event_repository = service_event_repository
+        @user_audit_info = user_audit_info
       end
 
       private
 
-      attr_reader :service_event_repository
+      def event_repository
+        @event_repository ||= Repositories::ServiceGenericBindingEventRepository.new(
+          Repositories::ServiceGenericBindingEventRepository::SERVICE_ROUTE_BINDING)
+      end
 
       def perform_delete_actions(binding)
-        record_audit_event(binding)
+        event_repository.record_delete(
+          binding,
+          @user_audit_info
+        )
+
         binding.destroy
         binding.notify_diego
       end
 
-      def record_audit_event(binding)
-        service_event_repository.record_service_instance_event(
-          :unbind_route,
-          binding.service_instance,
-          { route_guid: binding.route.guid },
-        )
+      def perform_start_delete_actions(binding)
+        event_repository.record_start_delete(binding, @user_audit_info)
       end
     end
   end
diff --git a/app/actions/v3/service_binding_create.rb b/app/actions/v3/service_binding_create.rb
@@ -76,17 +76,6 @@ def save_last_operation(binding, details)
         )
       end
 
-      def save_incomplete_binding(precursor, operation)
-        precursor.save_with_attributes_and_new_operation(
-          {},
-          {
-            type: 'create',
-            state: 'in progress',
-            broker_provided_operation: operation
-          }
-        )
-      end
-
       def bindings_retrievable?(binding)
         binding.service_instance.service.bindings_retrievable
       end
diff --git a/app/actions/v3/service_binding_delete.rb b/app/actions/v3/service_binding_delete.rb
@@ -63,8 +63,6 @@ class BindingNotRetrievable < StandardError; end
 
       private
 
-      def perform_start_delete_actions(binding); end
-
       def send_unbind_to_client(binding)
         client = VCAP::Services::ServiceClientProvider.provide(instance: binding.service_instance)
         details = client.unbind(binding, nil, true)
diff --git a/app/controllers/v3/service_route_bindings_controller.rb b/app/controllers/v3/service_route_bindings_controller.rb
@@ -45,12 +45,12 @@ def create
     route = fetch_route(message.route_guid)
 
     check_parameters_support(service_instance, message)
-    action = V3::ServiceRouteBindingCreate.new(service_event_repository)
+    action = V3::ServiceRouteBindingCreate.new(user_audit_info, message.audit_hash)
     precursor = action.precursor(service_instance, route, message: message)
 
     case service_instance
     when ManagedServiceInstance
-      pollable_job_guid = enqueue_bind_job(precursor.guid, message.parameters)
+      pollable_job_guid = enqueue_bind_job(precursor.guid, message)
       head :accepted, 'Location' => url_builder.build_url(path: "/v3/jobs/#{pollable_job_guid}")
     when UserProvidedServiceInstance
       action.bind(precursor)
@@ -71,7 +71,7 @@ def destroy
       pollable_job_guid = enqueue_unbind_job(@route_binding.guid)
       head :accepted, 'Location' => url_builder.build_url(path: "/v3/jobs/#{pollable_job_guid}")
     when UserProvidedServiceInstance
-      action = V3::ServiceRouteBindingDelete.new(service_event_repository)
+      action = V3::ServiceRouteBindingDelete.new(user_audit_info)
       action.delete(@route_binding)
       head :no_content
     end
@@ -132,13 +132,13 @@ def valid_message(message_type:)
     end
   end
 
-  def enqueue_bind_job(binding_guid, parameters)
+  def enqueue_bind_job(binding_guid, message)
     bind_job = VCAP::CloudController::V3::CreateBindingAsyncJob.new(
       :route,
       binding_guid,
       user_audit_info: user_audit_info,
-      audit_hash: {},
-      parameters: parameters,
+      audit_hash: message.audit_hash,
+      parameters: message.parameters,
     )
     pollable_job = Jobs::Enqueuer.new(bind_job, queue: Jobs::Queues.generic).enqueue_pollable
     pollable_job.guid
diff --git a/app/jobs/v3/create_service_binding_job_factory.rb b/app/jobs/v3/create_service_binding_job_factory.rb
@@ -21,8 +21,7 @@ def self.for(type)
       def self.action(type, user_audit_info, audit_hash)
         case type
         when :route
-          service_event_repository = VCAP::CloudController::Repositories::ServiceEventRepository::WithUserActor.new(user_audit_info)
-          V3::ServiceRouteBindingCreate.new(service_event_repository)
+          V3::ServiceRouteBindingCreate.new(user_audit_info, audit_hash)
         when :credential
           V3::ServiceCredentialBindingCreate.new(user_audit_info, audit_hash)
         else
diff --git a/app/jobs/v3/delete_service_binding_job_factory.rb b/app/jobs/v3/delete_service_binding_job_factory.rb
@@ -23,8 +23,7 @@ def self.for(type)
       def self.action(type, user_audit_info)
         case type
         when :route
-          service_event_repository = VCAP::CloudController::Repositories::ServiceEventRepository::WithUserActor.new(user_audit_info)
-          V3::ServiceRouteBindingDelete.new(service_event_repository)
+          V3::ServiceRouteBindingDelete.new(user_audit_info)
         when :credential
           V3::ServiceCredentialBindingDelete.new(user_audit_info)
         else
diff --git a/app/repositories/service_generic_binding_event_repository.rb b/app/repositories/service_generic_binding_event_repository.rb
@@ -0,0 +1,102 @@
+require 'repositories/mixins/app_manifest_event_mixins'
+
+module VCAP::CloudController
+  module Repositories
+    class ServiceGenericBindingEventRepository
+      include AppManifestEventMixins
+
+      SERVICE_APP_CREDENTIAL_BINDING = 'service_binding'.freeze
+      SERVICE_KEY_CREDENTIAL_BINDING = 'service_key'.freeze
+      SERVICE_ROUTE_BINDING = 'service_route_binding'.freeze
+
+      def initialize(actee_name)
+        @actee_name = actee_name
+      end
+
+      def record_start_create(service_binding, user_audit_info, request, manifest_triggered: false)
+        attrs = censor_request_attributes(request)
+
+        record_event(
+          type:            "audit.#{@actee_name}.start_create",
+          service_binding: service_binding,
+          user_audit_info: user_audit_info,
+          metadata:        add_manifest_triggered(manifest_triggered, { request: attrs })
+        )
+      end
+
+      def record_create(service_binding, user_audit_info, request, manifest_triggered: false)
+        attrs = censor_request_attributes(request)
+
+        record_event(
+          type:            "audit.#{@actee_name}.create",
+          service_binding: service_binding,
+          user_audit_info: user_audit_info,
+          metadata:        add_manifest_triggered(manifest_triggered, { request: attrs })
+        )
+      end
+
+      def record_start_delete(service_binding, user_audit_info)
+        record_event(
+          type: "audit.#{@actee_name}.start_delete",
+          service_binding: service_binding,
+          user_audit_info: user_audit_info,
+          metadata: {
+            request: {
+              app_guid: service_binding.try(:app_guid),
+              route_guid: service_binding.try(:route_guid),
+              service_instance_guid: service_binding.service_instance_guid,
+            }
+          }
+        )
+      end
+
+      def record_delete(service_binding, user_audit_info)
+        record_event(
+          type: "audit.#{@actee_name}.delete",
+          service_binding: service_binding,
+          user_audit_info: user_audit_info,
+          metadata: {
+            request: {
+              app_guid: service_binding.try(:app_guid),
+              route_guid: service_binding.try(:route_guid),
+              service_instance_guid: service_binding.service_instance_guid,
+            }
+          }
+        )
+      end
+
+      private
+
+      def censor_request_attributes(request)
+        attrs         = request.dup.stringify_keys
+        attrs['data'] = Presenters::Censorship::PRIVATE_DATA_HIDDEN if attrs.key?('data')
+        attrs
+      end
+
+      def record_event(type:, service_binding:, user_audit_info:, metadata: {})
+        space_guid = service_binding.service_instance.space.guid
+        org_guid = service_binding.service_instance.space.organization.guid
+
+        if service_binding.try(:space)
+          space_guid = service_binding.space.guid
+          org_guid = service_binding.space.organization.guid
+        end
+
+        Event.create(
+          type:              type,
+          actor:             user_audit_info.user_guid,
+          actor_type:        'user',
+          actor_name:        user_audit_info.user_email,
+          actor_username:    user_audit_info.user_name,
+          actee:             service_binding.guid,
+          actee_type:        @actee_name,
+          actee_name:        service_binding.try(:name) || '',
+          space_guid:        space_guid,
+          organization_guid: org_guid,
+          timestamp:         Sequel::CURRENT_TIMESTAMP,
+          metadata:          metadata
+        )
+      end
+    end
+  end
+end
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -1459,6 +1459,17 @@ def check_filtered_bindings(*bindings)
 
           get "/v3/service_credential_bindings/#{guid}", {}, admin_headers
           expect(last_response).to have_status_code(404)
+
+          event = VCAP::CloudController::Event.find(type: 'audit.service_binding.delete')
+          expect(event).to be
+          expect(event.actee).to eq(binding.guid)
+          expect(event.data).to include({
+            'request' => {
+              'app_guid' => bound_app.guid,
+              'route_guid' => nil,
+              'service_instance_guid' => service_instance.guid
+            }
+          })
         end
       end
 
@@ -1607,6 +1618,21 @@ def check_filtered_bindings(*bindings)
 
               expect(job.state).to eq(VCAP::CloudController::PollableJobModel::COMPLETE_STATE)
             end
+
+            it 'logs an audit event' do
+              execute_all_jobs(expected_successes: 1, expected_failures: 0)
+
+              event = VCAP::CloudController::Event.find(type: 'audit.service_binding.delete')
+              expect(event).to be
+              expect(event.actee).to eq(binding.guid)
+              expect(event.data).to include({
+                'request' => {
+                  'app_guid' => bound_app.guid,
+                  'route_guid' => nil,
+                  'service_instance_guid' => service_instance.guid
+                }
+              })
+            end
           end
 
           context 'when the unbind completes asynchronously' do
@@ -1656,6 +1682,21 @@ def check_filtered_bindings(*bindings)
               expect(job.state).to eq(VCAP::CloudController::PollableJobModel::POLLING_STATE)
             end
 
+            it 'logs an audit event' do
+              execute_all_jobs(expected_successes: 1, expected_failures: 0)
+
+              event = VCAP::CloudController::Event.find(type: 'audit.service_binding.start_delete')
+              expect(event).to be
+              expect(event.actee).to eq(binding.guid)
+              expect(event.data).to include({
+                'request' => {
+                  'app_guid' => bound_app.guid,
+                  'route_guid' => nil,
+              'service_instance_guid' => service_instance.guid
+                }
+              })
+            end
+
             it 'enqueues the next fetch last operation job' do
               execute_all_jobs(expected_successes: 1, expected_failures: 0)
               expect(Delayed::Job.count).to eq(1)
diff --git a/spec/request/service_route_bindings_spec.rb b/spec/request/service_route_bindings_spec.rb
diff --git a/spec/unit/actions/service_credential_binding_create_spec.rb b/spec/unit/actions/service_credential_binding_create_spec.rb
diff --git a/spec/unit/actions/service_credential_binding_delete_spec.rb b/spec/unit/actions/service_credential_binding_delete_spec.rb
diff --git a/spec/unit/actions/service_route_binding_create_spec.rb b/spec/unit/actions/service_route_binding_create_spec.rb
diff --git a/spec/unit/actions/service_route_binding_delete_spec.rb b/spec/unit/actions/service_route_binding_delete_spec.rb
