Log when User/SA/Roles is added to a group

[Ellen-Yi-Dong]

Link(s) to Jira

• https://issues.redhat.com/browse/RHCLOUD-34891

Description of Intent of Change(s)

The what, why and how.

Log when a user/principal, service account, or role is added to a group

Local Testing

How can the feature be exercised?
How can the bug be exploited and fix confirmed?
Is any special local setup required?

• Added unit tests to test changes

Checklist

• if API spec changes are required, is the spec updated?
• are there any pre/post merge actions required? if so, document here.
• are theses changes covered by unit tests?
• if warranted, are documentation changes accounted for?
• does this require migration changes?
  • if yes, are they backwards compatible?
• is there known, direct impact to dependent teams/components?
  • if yes, how will this be handled?

Secure Coding Practices Checklist Link

• https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Practices Checklist

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

[petracihalova]

nice job 👍 I have few comments

[astrozzc]

Let's use TYPE_SERVICE_ACCOUNT for this, I have a PR ongoing to replace these random type names with enums. So I can remember replacing this in my PR too

[astrozzc]

LGTM

[lpichler]

@astrozzc we should discuss when this PR can be merged as it conflicts with some dual write PR as #1198,..

[lpichler]

maybe better name ? it is not visible difference between log_add and log_create.
something like "log_role_or_user_added_to_group" or log_group_membership or log_group_assigment.

[Ellen-Yi-Dong]

Oh! There's another task to add permissions to a role, so I was thinking of having this log_add function do that as well! I just have it for now grouped this way to split the prs. Do you think that's alright...?

[astrozzc]

@astrozzc we should discuss when this PR can be merged as it conflicts with some dual write PR as #1198,..

Oh, good point. That one is about to be merged, right? Let's merge that one first before we merge this one. That one is too big to do a rebase

[lpichler]

@astrozzc we should discuss when this PR can be merged as it conflicts with some dual write PR as #1198,..

Oh, good point. That one is about to be merged, right? Let's merge that one first before we merge this one. That one is too big to do a rebase

yes it is merged now but into #1198, this PR also contains migration. I am not sure what it is the best approach here.

if we will merge this, we would need to solve conflicts in #1198 and also change names of migrations.

[astrozzc]

Nit: can we use a more meaningful name to replace these "i" here?
Such as principal_data, role_data, etc.

[vbelchio]

LGTM

But we need to solve the related bug below to have the best behavior of the audit logs and the process to add a non-existent role to a group.

JIRA Bug: https://issues.redhat.com/browse/RHCLOUD-35765

[Ellen-Yi-Dong]

/retest

[lpichler]

this should be part of transaction block which start on 715.
you can put audit log creation under those related conditions (len(service_accounts|principals) > 0).

if operation fails, transaction is rolled back and record into audit log is not created.

[lpichler]

resource and object names are confusing

it looks that resource is rather resource_type and then object can be resource :)

Does it make sense ?

[lpichler]

user_type could be user, service or role. What about name target_resource_type or assigned_resource_type ? or something like that

[lpichler]

what about to pass just values for description ? Something like:
[response_data.data["uuid"] for role in response_data.data]

then type_dict could be renamed to something like values_for_description
and it will allow to remove method self.find_specific_list_of_users and it is possible to join(",") in log assignment method.