# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1267117896 0
# Node ID aebc9b3ce802446fb51cbdfb793ac970836558af
# Parent 0ad09f688aba02df7bd5d55d8d12781e0c1e2719
CA-38328: improve obj-create parameter reporting in the audit log
Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>
diff -r 0ad09f688aba -r aebc9b3ce802 ocaml/idl/ocaml_backend/rbac_audit.ml
--- a/ocaml/idl/ocaml_backend/rbac_audit.ml Thu Feb 25 16:07:09 2010 +0000
+++ b/ocaml/idl/ocaml_backend/rbac_audit.ml Thu Feb 25 17:11:36 2010 +0000
@@ -104,17 +104,21 @@
let get_obj_of_ref_common obj_ref fn =
let indexrec = Ref_index.lookup obj_ref in
match indexrec with
- | None ->
- if Stringext.String.startswith Ref.ref_prefix
obj_ref
- then Some("") (* it's a ref, just not in the db
cache *)
- else None
+ | None -> None
| Some indexrec -> fn indexrec
+
+let get_obj_of_ref obj_ref =
+ get_obj_of_ref_common obj_ref
+ (fun irec -> Some(irec.Ref_index.name_label,
irec.Ref_index.uuid, irec.Ref_index._ref))
let get_obj_name_of_ref obj_ref =
get_obj_of_ref_common obj_ref (fun irec -> irec.Ref_index.name_label)
let get_obj_uuid_of_ref obj_ref =
get_obj_of_ref_common obj_ref (fun irec -> Some(irec.Ref_index.uuid))
+
+let get_obj_ref_of_ref obj_ref =
+ get_obj_of_ref_common obj_ref (fun irec -> Some(irec.Ref_index._ref))
let get_sexpr_arg name name_of_ref uuid_of_ref ref_value : SExpr.t =
SExpr.Node
@@ -187,6 +191,36 @@
;
line
+(* Map selected xapi call arguments into audit sexpr arguments.
+ Not all parameters are mapped into audit log arguments because
+ some, like passwords, are sensitive and should not be persisted
+ into the audit log. Use heuristics to map non-sensitive parameters.
+*)
+let sexpr_args_of name xml_value =
+ (* heuristic 1: print descriptive arguments in the xapi call *)
+ if (List.mem name
["name";"label";"description";"name_label";"name_description"])
+ then
+ ( match xml_value with
+ | Xml.PCData value -> Some (get_sexpr_arg name value "" "")
+ |_->None
+ )
+ else
+ (* heuristic 2: print uuid/refs arguments in the xapi call *)
+ match xml_value with
+ | Xml.PCData value -> (
+ let name_uuid_ref = get_obj_of_ref value in
+ match name_uuid_ref with
+ | None ->
+ if Stringext.String.startswith Ref.ref_prefix value
+ then (* it's a ref, just not in the db cache *)
+ Some (get_sexpr_arg name "" "" value)
+ else (* ignore values that are not a ref *)
+ None
+ | Some(_name_of_ref_value, uuid_of_ref_value, ref_of_ref_value)
->
+ let name_of_ref_value = (match _name_of_ref_value
with|None->""|Some a -> a) in
+ Some (get_sexpr_arg name name_of_ref_value
uuid_of_ref_value ref_of_ref_value)
+ )
+ |_-> None
(* Given an action and its parameters, *)
(* return the marshalled uuid params and corresponding names *)
@@ -198,29 +232,15 @@
if (List.length str_names) <> (List.length xml_values)
then
( (* debug mode *)
- D.debug "cannot marshall arguments for the action %s: name and
value list lengths don't match" action;
- D.debug "str_names=[%s]" ((List.fold_left (fun ss s->ss^s^",")
"" str_names));
- D.debug "xml_values=[%s]" ((List.fold_left (fun ss
s->ss^(Xml.to_string s)^",") "" xml_values));
+ D.debug "cannot marshall arguments for the action %s: name and
value list lengths don't match. str_names=[%s], xml_values=[%s]" action
((List.fold_left (fun ss s->ss^s^",") "" str_names)) ((List.fold_left (fun ss
s->ss^(Xml.to_string s)^",") "" xml_values));
[]
)
else
- List.fold_left2
- (fun (params:SExpr.t list) str_name xml_value ->
+ List.fold_right2
+ (fun str_name xml_value (params:SExpr.t list) ->
if str_name = "session_id"
then params (* ignore session_id param *)
else
- let sexpr_args_of name xml_value =
- match xml_value with
- | Xml.PCData value -> (
- match (get_obj_name_of_ref value,
get_obj_uuid_of_ref value ) with
- |Some name_of_ref_value, Some
uuid_of_ref_value ->
- let (myparam:SExpr.t) =
- get_sexpr_arg
name name_of_ref_value uuid_of_ref_value value
- in myparam::params
- |_,_ -> params (* ignore values
that are not a ref *)
- )
- |_-> params
- in
(* if it is a constructor structure, need to rewrap
params *)
if str_name = "__structure"
then match xml_value with
@@ -232,26 +252,21 @@
match
xml_arg with
|
Xml.Element ("member",_,
(Xml.Element ("name",_,(Xml.PCData xn)::[])
-
::Xml.Element ("value",_,x)
+
::(Xml.Element ("value",_,x) as xv)
::[]
)
-
) -> (
-
match x with
-
| (Xml.Element ("string",_,xv)::[])
-
| ((Xml.Element ("struct",_,_)::[]) as xv)
-
| ((Xml.Element ("array",_,_)::[]) as xv)
-
-> let xvv = Xml.Element ("value",[],xv) in
-
xn::acc_xn, xvv::acc_xv
-
| _ -> acc_xn,acc_xv
-
)
+
) -> xn::acc_xn, xv::acc_xv
| _ ->
acc_xn,acc_xv
)
iargs
([],[])
)
))
- in params@myparam
- | xml_value -> sexpr_args_of str_name xml_value
+ in myparam@params
+ | xml_value ->
+ (match (sexpr_args_of str_name
xml_value)
+ with None->params|Some p->p::params
+ )
else
(* the expected list of xml arguments *)
begin
@@ -261,18 +276,18 @@
| Xml.Element ("value", _, v::[]) ->
(match v with
| Xml.Element
("string",_,v::[]) -> str_name,v
- | Xml.Element
("struct",_,_) -> str_name,v
- | Xml.Element
("array",_,_) -> str_name,v
| _ -> str_name,v
)
| _ -> str_name,xml_value
in
- sexpr_args_of name filtered_xml_value
+ (match (sexpr_args_of name filtered_xml_value)
+ with None->params|Some p->p::params
+ )
end
)
- []
str_names
xml_values
+ []
end
let has_to_audit action =
1 file changed, 52 insertions(+), 37 deletions(-)
ocaml/idl/ocaml_backend/rbac_audit.ml | 89 +++++++++++++++++++--------------
xen-api.hg.patch
Description: Text Data
_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-api
|
Home