WIP on compliance auditlog fix

Signed-off-by: Craig Perkins <[email protected]>
opensearch-project · Oct 21, 2024 · 7b4a49a · 7b4a49a
1 parent 1b24f8e
commit 7b4a49a
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 11 deletions.
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
@@ -639,17 +639,19 @@ public void logDocumentWritten(ShardId shardId, GetResult originalResult, Index
                         XContentType.JSON
                     )
                 ) {
-                    Object base64 = parser.map().values().iterator().next();
-                    if (base64 instanceof String) {
-                        msg.addSecurityConfigContentToRequestBody(
-                            new String(BaseEncoding.base64().decode((String) base64), StandardCharsets.UTF_8),
-                            id
-                        );
-                    } else {
-                        msg.addSecurityConfigTupleToRequestBody(
-                            new Tuple<XContentType, BytesReference>(XContentType.JSON, currentIndex.source()),
-                            id
-                        );
+                    if (auditConfigFilter.shouldLogRequestBody() || originalResult == null) {
+                        Object base64 = parser.map().values().iterator().next();
+                        if (base64 instanceof String) {
+                            msg.addSecurityConfigContentToRequestBody(
+                                new String(BaseEncoding.base64().decode((String) base64), StandardCharsets.UTF_8),
+                                id
+                            );
+                        } else {
+                            msg.addSecurityConfigTupleToRequestBody(
+                                new Tuple<XContentType, BytesReference>(XContentType.JSON, currentIndex.source()),
+                                id
+                            );
+                        }
                     }
                 } catch (Exception e) {
                     log.error(e.toString());

diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java
@@ -14,6 +14,7 @@
 import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 import com.google.common.collect.ImmutableMap;
@@ -443,4 +444,65 @@ public void testWriteHistory() throws Exception {
         });
         Assert.assertTrue(TestAuditlogImpl.sb.toString().split(".*audit_compliance_diff_content.*replace.*").length == 1);
     }
+
+    @Test
+    public void testWriteLogDiffsEnabledAndLogRequestBodyDisabled() throws Exception {
+        Settings additionalSettings = Settings.builder().put("plugins.security.audit.type", TestAuditlogImpl.class.getName()).build();
+
+        setup(additionalSettings);
+
+        rh.sendAdminCertificate = true;
+        rh.keystore = "auditlog/kirk-keystore.jks";
+
+        // watch emp for write
+        AuditConfig auditConfig = new AuditConfig(
+            true,
+            AuditConfig.Filter.from(Settings.builder().put("plugins.security.audit.config.log_request_body", false).build()),
+            ComplianceConfig.from(
+                ImmutableMap.of(
+                    "enabled",
+                    true,
+                    "write_watched_indices",
+                    Collections.singletonList("emp"),
+                    "write_log_diffs",
+                    true,
+                    "write_metadata_only",
+                    false
+                ),
+                additionalSettings
+            )
+        );
+        updateAuditConfig(AuditTestUtils.createAuditPayload(auditConfig));
+
+        // TODO Write a request to emp. i.e.
+        // curl -XPUT -kv -H 'Content-Type: application/json' https://localhost:9200/emp/_doc/4 -u 'admin:xx' -d '{
+        // "name": "Criag",
+        // "title": "Software Engineer
+        // }'
+        List<AuditMessage> messages;
+        try {
+            messages = TestAuditlogImpl.doThenWaitForMessages(() -> {
+                try (Client tc = getClient()) {
+                    tc.prepareIndex("emp")
+                        .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+                        .setSource(Map.of("name", "Criag", "title", "Software Engineer"))
+                        .execute()
+                        .actionGet();
+                }
+            }, 1);
+        } catch (final MessagesNotFoundException ex) {
+            // indices:admin/mapping/auto_put can be logged twice, this handles if they were not found
+            assertThat("Too many missing audit log messages", ex.getMissingCount(), equalTo(2));
+            messages = ex.getFoundMessages();
+        }
+
+        // Then write another request to update the misspelled name:
+
+        // curl -XPUT -kv -H 'Content-Type: application/json' https://localhost:9200/emp/_doc/4 -u 'admin:xx' -d '{
+        // "name": "Craig",
+        // "title": "Software Engineer"
+        // }'
+
+        // Then wait for the audit messages
+    }
 }