Skip to content

Commit

Permalink
CC-33738 Audit Logs with CloudWatch. (#10986)
Browse files Browse the repository at this point in the history
CC-33738 Audit Logs with CloudWatch
  • Loading branch information
ilyakubanov authored Jul 9, 2024
1 parent aa400df commit 09cc24e
Show file tree
Hide file tree
Showing 10 changed files with 445 additions and 4 deletions.
20 changes: 20 additions & 0 deletions codeception.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
namespace: WarehouseOauthBackendApi
include:
- tests/SprykerTest/Glue/WarehouseOauthBackendApi
actor: Tester
paths:
tests: tests
output: tests/_output
data: tests/_data
support: tests/_support
envs: tests/_envs
settings:
suite_class: \PHPUnit\Framework\TestSuite
colors: true
memory_limit: 1024M
log: true
coverage:
enabled: true
whitelist:
include:
- 'src/*.php'
13 changes: 10 additions & 3 deletions composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
"spryker/glue-application-extension": "^1.10.0",
"spryker/glue-backend-api-application-authorization-connector-extension": "^1.0.0",
"spryker/kernel": "^3.66.0",
"spryker/log": "^3.17.0",
"spryker/oauth": "^2.4.0",
"spryker/oauth-backend-api-extension": "^1.0.0",
"spryker/symfony": "^3.0.0",
Expand All @@ -18,7 +19,8 @@
},
"require-dev": {
"spryker/code-sniffer": "*",
"spryker/glue-application": "^1.30.0"
"spryker/glue-application": "^1.30.0",
"spryker/testify": "*"
},
"suggest": {
"spryker/glue-application": "If you want to use plugins with glue application."
Expand All @@ -28,11 +30,16 @@
"Spryker\\": "src/Spryker/"
}
},
"autoload-dev": {
"psr-4": {
"SprykerTest\\": "tests/SprykerTest/"
}
},
"minimum-stability": "dev",
"prefer-stable": true,
"scripts": {
"cs-check": "phpcs -p -s --standard=vendor/spryker/code-sniffer/SprykerStrict/ruleset.xml src/",
"cs-fix": "phpcbf -p --standard=vendor/spryker/code-sniffer/SprykerStrict/ruleset.xml src/"
"cs-check": "phpcs -p -s --standard=vendor/spryker/code-sniffer/SprykerStrict/ruleset.xml src/ tests/",
"cs-fix": "phpcbf -p --standard=vendor/spryker/code-sniffer/SprykerStrict/ruleset.xml src/ tests/"
},
"extra": {
"branch-alias": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
use Generated\Shared\Transfer\GlueResponseTransfer;
use Generated\Shared\Transfer\OauthRequestTransfer;
use Spryker\Glue\WarehouseOauthBackendApi\Dependency\Facade\WarehouseOauthBackendApiToAuthenticationFacadeInterface;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger\AuditLoggerInterface;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Reader\WarehouseUserAssignmentReaderInterface;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\ResponseBuilder\WarehouseResponseBuilderInterface;
use Spryker\Glue\WarehouseOauthBackendApi\WarehouseOauthBackendApiConfig;
Expand Down Expand Up @@ -41,19 +42,27 @@ class WarehouseTokenCreator implements WarehouseTokenCreatorInterface
*/
protected WarehouseResponseBuilderInterface $warehouseResponseBuilder;

/**
* @var \Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger\AuditLoggerInterface
*/
protected AuditLoggerInterface $auditLogger;

/**
* @param \Spryker\Glue\WarehouseOauthBackendApi\Processor\Reader\WarehouseUserAssignmentReaderInterface $warehouseUserAssignmentReader
* @param \Spryker\Glue\WarehouseOauthBackendApi\Dependency\Facade\WarehouseOauthBackendApiToAuthenticationFacadeInterface $authenticationFacade
* @param \Spryker\Glue\WarehouseOauthBackendApi\Processor\ResponseBuilder\WarehouseResponseBuilderInterface $warehouseResponseBuilder
* @param \Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger\AuditLoggerInterface $auditLogger
*/
public function __construct(
WarehouseUserAssignmentReaderInterface $warehouseUserAssignmentReader,
WarehouseOauthBackendApiToAuthenticationFacadeInterface $authenticationFacade,
WarehouseResponseBuilderInterface $warehouseResponseBuilder
WarehouseResponseBuilderInterface $warehouseResponseBuilder,
AuditLoggerInterface $auditLogger
) {
$this->warehouseUserAssignmentReader = $warehouseUserAssignmentReader;
$this->authenticationFacade = $authenticationFacade;
$this->warehouseResponseBuilder = $warehouseResponseBuilder;
$this->auditLogger = $auditLogger;
}

/**
Expand All @@ -66,6 +75,8 @@ public function createWarehouseToken(GlueRequestTransfer $glueRequestTransfer):
$warehouseUserAssignmentTransfer = $this->warehouseUserAssignmentReader->findActiveWarehouseUserAssignment($glueRequestTransfer);

if (!$warehouseUserAssignmentTransfer) {
$this->auditLogger->addWarehouseUserFailedLoginAuditLog($glueRequestTransfer);

return $this->warehouseResponseBuilder->createForbiddenErrorResponse();
}

Expand All @@ -84,9 +95,13 @@ public function createWarehouseToken(GlueRequestTransfer $glueRequestTransfer):
$oauthResponseTransfer = $glueAuthenticationResponseTransfer->getOauthResponseOrFail();

if (!$oauthResponseTransfer->getIsValid()) {
$this->auditLogger->addWarehouseUserFailedLoginAuditLog($glueRequestTransfer);

return $this->warehouseResponseBuilder->createOauthBadRequestErrorResponse($oauthResponseTransfer->getErrorOrFail());
}

$this->auditLogger->addWarehouseUserSuccessfulLoginAuditLog($glueRequestTransfer);

return $this->warehouseResponseBuilder->createWarehouseTokenResponse($oauthResponseTransfer);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
<?php

/**
* Copyright © 2016-present Spryker Systems GmbH. All rights reserved.
* Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
*/

namespace Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger;

use Generated\Shared\Transfer\AuditLoggerConfigCriteriaTransfer;
use Generated\Shared\Transfer\GlueRequestTransfer;
use Spryker\Shared\Log\AuditLoggerTrait;

class AuditLogger implements AuditLoggerInterface
{
use AuditLoggerTrait;

/**
* @uses \Spryker\Shared\Log\LogConfig::AUDIT_LOGGER_CHANNEL_NAME_SECURITY
*
* @var string
*/
protected const AUDIT_LOGGER_CHANNEL_NAME_SECURITY = 'security';

/**
* @uses \Spryker\Shared\Log\Handler\TagFilterBufferedStreamHandler::RECORD_KEY_CONTEXT_TAGS
*
* @var string
*/
protected const AUDIT_LOGGER_RECORD_KEY_CONTEXT_TAGS = 'tags';

/**
* @param \Generated\Shared\Transfer\GlueRequestTransfer $glueRequestTransfer
*
* @return void
*/
public function addWarehouseUserFailedLoginAuditLog(GlueRequestTransfer $glueRequestTransfer): void
{
$context = $this->addGlueRequestContext(
[static::AUDIT_LOGGER_RECORD_KEY_CONTEXT_TAGS => ['warehouse_user_failed_login']],
$glueRequestTransfer,
);

$this->addAuditLog('Failed Login (Warehouse User)', $context);
}

/**
* @param \Generated\Shared\Transfer\GlueRequestTransfer $glueRequestTransfer
*
* @return void
*/
public function addWarehouseUserSuccessfulLoginAuditLog(GlueRequestTransfer $glueRequestTransfer): void
{
$context = $this->addGlueRequestContext(
[static::AUDIT_LOGGER_RECORD_KEY_CONTEXT_TAGS => ['warehouse_user_successful_login']],
$glueRequestTransfer,
);

$this->addAuditLog('Successful Login (Warehouse User)', $context);
}

/**
* @param array<string, mixed> $context
* @param \Generated\Shared\Transfer\GlueRequestTransfer $glueRequestTransfer
*
* @return array<string, mixed>
*/
protected function addGlueRequestContext(array $context, GlueRequestTransfer $glueRequestTransfer): array
{
$context['user_uuid'] = $glueRequestTransfer->getRequestUserOrFail()->getNaturalIdentifier();

return $context;
}

/**
* @param string $action
* @param array<string, mixed> $context
*
* @return void
*/
protected function addAuditLog(string $action, array $context): void
{
$this->getAuditLogger(
(new AuditLoggerConfigCriteriaTransfer())->setChannelName(static::AUDIT_LOGGER_CHANNEL_NAME_SECURITY),
)->info($action, $context);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
<?php

/**
* Copyright © 2016-present Spryker Systems GmbH. All rights reserved.
* Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
*/

namespace Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger;

use Generated\Shared\Transfer\GlueRequestTransfer;

interface AuditLoggerInterface
{
/**
* @param \Generated\Shared\Transfer\GlueRequestTransfer $glueRequestTransfer
*
* @return void
*/
public function addWarehouseUserFailedLoginAuditLog(GlueRequestTransfer $glueRequestTransfer): void;

/**
* @param \Generated\Shared\Transfer\GlueRequestTransfer $glueRequestTransfer
*
* @return void
*/
public function addWarehouseUserSuccessfulLoginAuditLog(GlueRequestTransfer $glueRequestTransfer): void;
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Creator\WarehouseTokenCreator;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Creator\WarehouseTokenCreatorInterface;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Expander\WarehouseAuthorizationRequestExpander;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger\AuditLogger;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger\AuditLoggerInterface;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Reader\GlueRequestReader;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Reader\GlueRequestReaderInterface;
use Spryker\Glue\WarehouseOauthBackendApi\Processor\Reader\WarehouseUserAssignmentReader;
Expand Down Expand Up @@ -42,6 +44,7 @@ public function createWarehouseTokenCreator(): WarehouseTokenCreatorInterface
$this->createWarehouseUserAssignmentReader(),
$this->getAuthenticationFacade(),
$this->createWarehouseResponseBuilder(),
$this->createAuditLogger(),
);
}

Expand Down Expand Up @@ -108,6 +111,14 @@ public function createWarehouseUserAssignmentReader(): WarehouseUserAssignmentRe
);
}

/**
* @return \Spryker\Glue\WarehouseOauthBackendApi\Processor\Logger\AuditLoggerInterface
*/
public function createAuditLogger(): AuditLoggerInterface
{
return new AuditLogger();
}

/**
* @return \Spryker\Glue\WarehouseOauthBackendApi\Dependency\Facade\WarehouseOauthBackendApiToAuthenticationFacadeInterface
*/
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -112,4 +112,9 @@
<transfer name="GlueRequestUser">
<property name="naturalIdentifier" type="string"/>
</transfer>

<transfer name="AuditLoggerConfigCriteria" strict="true">
<property name="channelName" type="string"/>
</transfer>

</transfers>
Loading

0 comments on commit 09cc24e

Please sign in to comment.