Put in hacks to create audit log entries for now

Signed-off-by: Derek Ho <[email protected]>
derek-ho · Dec 13, 2024 · 3fb4137 · 3fb4137
1 parent 3beed86
commit 3fb4137
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexHandler.java b/src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexHandler.java
@@ -41,6 +41,7 @@
 import org.opensearch.index.reindex.DeleteByQueryRequest;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
+import org.opensearch.security.dlic.rest.support.Utils;
 import org.opensearch.security.support.ConfigConstants;
 
 import static org.opensearch.security.action.apitokens.ApiToken.NAME_FIELD;
@@ -57,7 +58,13 @@ public ApiTokenIndexHandler(Client client, ClusterService clusterService) {
     }
 
     public String indexTokenMetadata(ApiToken token) {
+        // TODO: move this out of index handler class, potentially create a layer in between baseresthandler and abstractapiaction which can
+        // abstract this complexity away
+        final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext());
         try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) {
+            client.threadPool()
+                .getThreadContext()
+                .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft());
 
             XContentBuilder builder = XContentFactory.jsonBuilder();
             String jsonString = token.toXContent(builder, ToXContent.EMPTY_PARAMS).toString();
@@ -81,7 +88,11 @@ public String indexTokenMetadata(ApiToken token) {
     }
 
     public void deleteToken(String name) throws ApiTokenException {
+        final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext());
         try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) {
+            client.threadPool()
+                .getThreadContext()
+                .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft());
             DeleteByQueryRequest request = new DeleteByQueryRequest(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX).setQuery(
                 QueryBuilders.matchQuery(NAME_FIELD, name)
             ).setRefresh(true);
@@ -98,7 +109,11 @@ public void deleteToken(String name) throws ApiTokenException {
     }
 
     public Map<String, ApiToken> getTokenMetadatas() {
+        final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext());
         try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) {
+            client.threadPool()
+                .getThreadContext()
+                .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft());
             SearchRequest searchRequest = new SearchRequest(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX);
             searchRequest.source(new SearchSourceBuilder());
 
@@ -131,7 +146,11 @@ public Boolean apiTokenIndexExists() {
 
     public void createApiTokenIndexIfAbsent() {
         if (!apiTokenIndexExists()) {
+            final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext());
             try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) {
+                client.threadPool()
+                    .getThreadContext()
+                    .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft());
                 final Map<String, Object> indexSettings = ImmutableMap.of(
                     "index.number_of_shards",
                     1,

diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -509,7 +509,7 @@ public boolean writeHistoryEnabledForIndex(String index) {
         }
         // if security index (internal index) check if internal config logging is enabled
         // TODO: Add support for custom api token index?
-        if (securityIndex.equals(index) || securityIndex.equals(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX)) {
+        if (securityIndex.equals(index) || ConfigConstants.OPENSEARCH_API_TOKENS_INDEX.equals(index)) {
             return logInternalConfig;
         }
         // if the index is used for audit logging, return false
@@ -537,7 +537,7 @@ public boolean readHistoryEnabledForIndex(String index) {
             return false;
         }
         // if security index (internal index) check if internal config logging is enabled
-        if (securityIndex.equals(index)) {
+        if (securityIndex.equals(index) || ConfigConstants.OPENSEARCH_API_TOKENS_INDEX.equals(index)) {
             return logInternalConfig;
         }
         try {
@@ -559,7 +559,7 @@ public boolean readHistoryEnabledForField(String index, String field) {
             return false;
         }
         // if security index (internal index) check if internal config logging is enabled
-        if (securityIndex.equals(index)) {
+        if (securityIndex.equals(index) || ConfigConstants.OPENSEARCH_API_TOKENS_INDEX.equals(index)) {
             return logInternalConfig;
         }
         WildcardMatcher matcher;