def get(self, application_name, cluster_name, key):
"""Get the audit logs of specified instance key.
:param application_name: The name of application.
:param cluster_name: The name of clsuter.
:param key: The key of instance.
:query date: The date specified to search, default is today.
:query start: The offset of pagination. Default is ``0``.
:>header Authorization: Huskar Token (See :ref:`token`)
:status 403: You don't have required authority.
:status 501: The server is in minimal mode.
:status 200: The result is in the response.
(See :ref:`Audit Log Schema <audit_schema>`)
"""
check_application(application_name)
check_cluster_name(cluster_name, application_name)
start = request.args.get('start', type=int, default=0)
application = Application.get_by_name(application_name)
can_view_sensitive_data = AuditLog.can_view_sensitive_data(
g.auth.id, self.instance_type, application.id)
items = AuditLog.get_multi_by_instance_index(self.instance_type,
application.id,
cluster_name, key)
items = items[start:start + 20]
if not can_view_sensitive_data:
items = [item.desensitize() for item in items]
return api_response(audit_log_schema.dump(items, many=True).data)
def test_normal_user_can_not_view_sensitive_data(
user, application, team, target_type):
if target_type == AuditLog.TYPE_SITE:
target_id = 0
elif target_type == AuditLog.TYPE_TEAM:
target_id = team.id
else:
target_id = application.id
assert not AuditLog.can_view_sensitive_data(
user.id, target_type, target_id)
def test_application_auth_can_view_application_sensitive_data(
user, application, team, target_type, can_view, authority):
application.ensure_auth(authority, user.id)
if target_type == AuditLog.TYPE_SITE:
target_id = 0
elif target_type == AuditLog.TYPE_TEAM:
target_id = team.id
else:
target_id = application.id
result = AuditLog.can_view_sensitive_data(user.id, target_type, target_id)
assert result == can_view
def test_application_admin_can_view_team_sensitive_data(
user, application, team, target_type, can_view):
team.grant_admin(user.id)
if target_type == AuditLog.TYPE_SITE:
target_id = 0
elif target_type == AuditLog.TYPE_TEAM:
target_id = team.id
else:
target_id = application.id
result = AuditLog.can_view_sensitive_data(user.id, target_type, target_id)
assert result == can_view
def get(self, name=None):
"""Gets the list of audit log.
:param name: The name of team, application and also.
:query start: The offset of pagination. Default is ``0``.
:query date: The date specified to search.
:<header Authorization: Huskar Token (See :ref:`token`)
:status 403: You don't have required authority.
:status 501: The server is in minimal mode.
:status 200: The result is in the response.
(See :ref:`Audit Log Schema <audit_schema>`)
"""
start = request.args.get('start', type=int, default=0)
start = max(start, 0)
date = request.args.get('date', type=strptime2date)
target_id = self._find_target(name)
can_view_sensitive_data = AuditLog.can_view_sensitive_data(
g.auth.id, self.target_type, target_id)
items = self._get_audit_logs(target_id, start, date)
if not can_view_sensitive_data:
items = [item.desensitize() for item in items]
return api_response(audit_log_schema.dump(items, many=True).data)
def test_site_admin_can_view_all_sensitive_data(user, target_type):
user.grant_admin()
assert AuditLog.can_view_sensitive_data(user.id, target_type, None)
