Role and User update logs

lemur/auth/views.py

@@ -20,6 +20,7 @@ from lemur.common.utils import get_psuedo_random_string
 
 from lemur.users import service as user_service
 from lemur.roles import service as role_service
+from lemur.logs import service as log_service
 from lemur.auth.service import create_token, fetch_token_header, get_rsa_public_key
 from lemur.auth import ldap
 
@@ -184,8 +185,6 @@ def create_user_roles(profile):
                 current_app.config["LEMUR_DEFAULT_ROLE"],
                 description="This is the default Lemur role.",
             )
-        if not default.third_party:
-            role_service.set_third_party(default.id, third_party_status=True)
         roles.append(default)
 
     return roles
@@ -198,7 +197,7 @@ def update_user(user, profile, roles):
     :param profile:
     :param roles:
     """
-
+    log_service.audit_log("TEST", user.name, "Edit role")
     # if we get an sso user create them an account
     if not user:
         user = user_service.create(
@@ -215,6 +214,8 @@ def update_user(user, profile, roles):
         for ur in user.roles:
             if not ur.third_party:
                 roles.append(ur)
+            else:
+                log_service.audit_log("unassign_role", ur.name, f"Un-assigning the role for {user.name}")
 
         # update any changes to the user
         user_service.update(

lemur/logs/service.py

@@ -7,7 +7,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-from flask import current_app
+from flask import current_app, g
 
 from lemur import database
 from lemur.logs.models import Log
@@ -34,6 +34,19 @@ def create(user, type, certificate=None):
     database.commit()
 
 
+def audit_log(action, entity, message):
+    """
+    Logs given action
+    :param action: The action being logged e.g. assign_role, create_role etc
+    :param entity: The entity undergoing the action e.g. name of the role
+    :param message: Additional info e.g. Role being assigned to user X
+    :return:
+    """
+    current_app.logger.info(
+        f"[lemur-audit] action: {action}, user: {g.current_user.email}, entity: {entity} [{message}]"
+    )
+
+
 def get_all():
     """
     Retrieve all logs from the database.

lemur/roles/service.py

@@ -12,6 +12,7 @@
 from lemur import database
 from lemur.roles.models import Role
 from lemur.users.models import User
+from lemur.logs import service as log_service
 
 
 def update(role_id, name, description, users):
@@ -29,6 +30,8 @@ def update(role_id, name, description, users):
     role.description = description
     role.users = users
     database.update(role)
+
+    log_service.audit_log("update_role", name, f"Role with id {role_id} updated")
     return role
 
 
@@ -44,6 +47,8 @@ def set_third_party(role_id, third_party_status=False):
     role = get(role_id)
     role.third_party = third_party_status
     database.update(role)
+
+    log_service.audit_log("update_role", role.name, f"Updated third_party_status={third_party_status}")
     return role
 
 
@@ -71,6 +76,7 @@ def create(
     if users:
         role.users = users
 
+    log_service.audit_log("create_role", name, "Creating new role")
     return database.create(role)
 
 
@@ -101,7 +107,10 @@ def delete(role_id):
     :param role_id:
     :return:
     """
-    return database.delete(get(role_id))
+
+    role = get(role_id)
+    log_service.audit_log("delete_role", role.name, "Deleting role")
+    return database.delete(role)
 
 
 def render(args):

lemur/users/service.py

@@ -8,6 +8,7 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 from lemur import database
+from lemur.logs import service as log_service
 from lemur.users.models import User
 
 
@@ -31,6 +32,7 @@ def create(username, password, email, active, profile_picture, roles):
         profile_picture=profile_picture,
     )
     user.roles = roles
+    log_service.audit_log("create_user", username, f"Creating new user")
     return database.create(user)
 
 
@@ -52,6 +54,8 @@ def update(user_id, username, email, active, profile_picture, roles):
     user.active = active
     user.profile_picture = profile_picture
     update_roles(user, roles)
+
+    log_service.audit_log("update_user", username, f"Updating user with id {user_id}")
     return database.update(user)
 
 
@@ -70,6 +74,7 @@ def update_roles(user, roles):
                 break
         else:
             user.roles.remove(ur)
+            log_service.audit_log("unassign_role", ur.name, f"Un-assigning the role for user {user.username}")
 
     for r in roles:
         for ur in user.roles:
@@ -77,6 +82,7 @@ def update_roles(user, roles):
                 break
         else:
             user.roles.append(r)
+            log_service.audit_log("assign_role", ur.name, f"Assigning the role to user {user.username}")
 
 
 def get(user_id):