canvas-lms/app/controllers/authentication_audit_api_co...

#
# Copyright (C) 2013 Instructure, Inc.
#
# This file is part of Canvas.
#
# Canvas is free software: you can redistribute it and/or modify it under
# the terms of the GNU Affero General Public License as published by the Free
# Software Foundation, version 3 of the License.
#
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#

# @API Authentications Log
#
# Query audit log of authentication events (logins and logouts).
#
# For each endpoint, a compound document is returned. The primary collection of
# event objects is paginated, ordered by date descending. Secondary collections
# of pseudonyms (logins), accounts, and users related to the returned events
# are also included. Refer to the Logins, Accounts, and Users APIs for
# descriptions of the objects in those collections.
#
# @object AuthenticationEvent
#     {
#       // timestamp of the event
#       "created_at": "2012-07-19T15:00:00-06:00",
#
#       // authentication event type ('login' or 'logout')
#       "event_type": "login",
#
#       // ID of the pseudonym (login) associated with the event
#       "pseudonym_id": 9478,
#
#       // ID of the account associated with the event. will match the
#       // account_id in the associated pseudonym.
#       "account_id": 2319,
#
#       // ID of the user associated with the event will match the user_id in
#       // the associated pseudonym.
#       "user_id": 362
#     }
#
class AuthenticationAuditApiController < ApplicationController
  include Api::V1::AuthenticationEvent

  # @API Query by pseudonym.
  #
  # List authentication events for a given pseudonym.
  #
  def for_pseudonym
    @pseudonym = Pseudonym.active.find(params[:pseudonym_id])
    if account_visible(@pseudonym.account) || account_visible(Account.site_admin)
      events = Auditors::Authentication.for_pseudonym(@pseudonym)
      render_events(events, @pseudonym)
    else
      render_unauthorized_action(@pseudonym)
    end
  end

  # @API Query by account.
  #
  # List authentication events for a given account.
  #
  def for_account
    @account = api_find(Account.active, params[:account_id])
    if account_visible(@account) || account_visible(Account.site_admin)
      events = Auditors::Authentication.for_account(@account)
      render_events(events, @account)
    else
      render_unauthorized_action(@account)
    end
  end

  # @API Query by user.
  #
  # List authentication events for a given user.
  #
  def for_user
    @user = api_find(User.active, params[:user_id])
    if @user == @current_user || account_visible(Account.site_admin)
      events = Auditors::Authentication.for_user(@user)
      render_events(events, @user)
    else
      accounts = Shard.with_each_shard(@user.associated_shards) do
        Account.joins(:pseudonyms).where(:pseudonyms => {
          :user_id => @user,
          :workflow_state => 'active'
        }).all
      end
      visible_accounts = accounts.select{ |a| account_visible(a) }
      if visible_accounts == accounts
        events = Auditors::Authentication.for_user(@user)
        render_events(events, @user)
      elsif visible_accounts.present?
        pseudonyms = Shard.partition_by_shard(visible_accounts) do |shard_accounts|
          @user.active_pseudonyms.where(:account_id => shard_accounts).all
        end
        events = Auditors::Authentication.for_pseudonyms(pseudonyms)
        render_events(events, @user)
      else
        render_unauthorized_action(@user)
      end
    end
  end

  private

  def account_visible(account)
    account.grants_rights?(@current_user, nil, :view_statistics, :manage_user_logins).values.any?
  end

  def render_events(events, context)
    route = polymorphic_url([:api_v1, :audit_authentication, context])
    events = Api.paginate(events, self, route)
    render :json => authentication_events_compound_json(events, @current_user, session)
  end
end
Auditors::Authentication fixes CNVS-390 stores and allows querying by user/account/pseudonym of login/logout events. test-plan: [setup] - set up an 'auditors' keyspace in cassandra and run migrations - have shardX and shardY on one database server, and shardZ on a different database server - have accountW and accountX on shardX - have accountY and accountZ on shardY and shardZ, respectively - have userA on shardX with pseudonymAW in accountW and pseudonymAX in accountX (cross-account, single-shard user) - have userB on shardY with pseudonymBY in accountY and pseudonymBX in accountX (cross-shard user) - have userC on shardZ with pseudonymCZ in accountZ and pseudonymCX in accountX (cross-db-server user) - log in and out of each pseudonym above multiple times [index isolation] - /api/v1/audit/authentication/pseudonyms/<pseudonymAX> should include logins and logouts from pseudonymAX only - /api/v1/audit/authentication/accounts/<accountX> should include logins and logouts from pseudonymAX, pseudonymBX, and pseudonymCX but not pseudonymAW - /api/v1/audit/authentication/users/<userA> should include logins and logouts from both pseudonymAW and pseudonymAX but not pseudonymBX or pseudonymCX [permission isolation] (in each of these, either :view_statistics or :manage_user_logins on an account qualifies as "having permission") - /api/v1/audit/authentication/pseudonyms/<pseudonymAX> should be unauthorized if the current user doesn't have permission on accountX - /api/v1/audit/authentication/accounts/<accountX> should be unauthorized if the current user doesn't have permission on accountX - /api/v1/audit/authentication/users/<userA> should be unauthorized if the current user doesn't have permission on either of accountW or accountX - /api/v1/audit/authentication/users/<userA> should include logins and logouts from accountW but not from accountX if the current user has permission on accountW but not on accountX [sharding] - /api/v1/audit/authentication/users/<userB> should include logins and logouts from both pseudonymBY and pseudonymBX - /api/v1/audit/authentication/users/<userB> should not include duplicate logins and logouts from either pseudonymBY and pseudonymBX (potential for bug due to both pseudonyms' shards being on the same database server) - /api/v1/audit/authentication/users/<userC> should include logins and logouts from both pseudonymCZ and pseudonymCX Change-Id: I74b1573b346935f733fe5b07919d2d450cf07592 Reviewed-on: https://gerrit.instructure.com/21829 Reviewed-by: Brian Palmer <brianp@instructure.com> Tested-by: Jenkins <jenkins@instructure.com> QA-Review: Jeremy Putnam <jeremyp@instructure.com> Product-Review: Jacob Fugal <jacob@instructure.com> 2013-06-28 06:43:15 +08:00			`#`
			`# Copyright (C) 2013 Instructure, Inc.`
			`#`
			`# This file is part of Canvas.`
			`#`
			`# Canvas is free software: you can redistribute it and/or modify it under`
			`# the terms of the GNU Affero General Public License as published by the Free`
			`# Software Foundation, version 3 of the License.`
			`#`
			`# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY`
			`# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR`
			`# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more`
			`# details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License along`
			`# with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`

			`# @API Authentications Log`
			`#`
			`# Query audit log of authentication events (logins and logouts).`
			`#`
			`# For each endpoint, a compound document is returned. The primary collection of`
			`# event objects is paginated, ordered by date descending. Secondary collections`
			`# of pseudonyms (logins), accounts, and users related to the returned events`
			`# are also included. Refer to the Logins, Accounts, and Users APIs for`
			`# descriptions of the objects in those collections.`
			`#`
			`# @object AuthenticationEvent`
			`# {`
			`# // timestamp of the event`
			`# "created_at": "2012-07-19T15:00:00-06:00",`
			`#`
			`# // authentication event type ('login' or 'logout')`
			`# "event_type": "login",`
			`#`
			`# // ID of the pseudonym (login) associated with the event`
			`# "pseudonym_id": 9478,`
			`#`
			`# // ID of the account associated with the event. will match the`
			`# // account_id in the associated pseudonym.`
			`# "account_id": 2319,`
			`#`
			`# // ID of the user associated with the event will match the user_id in`
			`# // the associated pseudonym.`
			`# "user_id": 362`
			`# }`
			`#`
			`class AuthenticationAuditApiController < ApplicationController`
			`include Api::V1::AuthenticationEvent`

			`# @API Query by pseudonym.`
			`#`
			`# List authentication events for a given pseudonym.`
			`#`
			`def for_pseudonym`
			`@pseudonym = Pseudonym.active.find(params[:pseudonym_id])`
			`if account_visible(@pseudonym.account) \|\| account_visible(Account.site_admin)`
			`events = Auditors::Authentication.for_pseudonym(@pseudonym)`
			`render_events(events, @pseudonym)`
			`else`
			`render_unauthorized_action(@pseudonym)`
			`end`
			`end`

			`# @API Query by account.`
			`#`
			`# List authentication events for a given account.`
			`#`
			`def for_account`
			`@account = api_find(Account.active, params[:account_id])`
			`if account_visible(@account) \|\| account_visible(Account.site_admin)`
			`events = Auditors::Authentication.for_account(@account)`
			`render_events(events, @account)`
			`else`
			`render_unauthorized_action(@account)`
			`end`
			`end`

			`# @API Query by user.`
			`#`
			`# List authentication events for a given user.`
			`#`
			`def for_user`
			`@user = api_find(User.active, params[:user_id])`
			`if @user == @current_user \|\| account_visible(Account.site_admin)`
			`events = Auditors::Authentication.for_user(@user)`
			`render_events(events, @user)`
			`else`
			`accounts = Shard.with_each_shard(@user.associated_shards) do`
			`Account.joins(:pseudonyms).where(:pseudonyms => {`
			`:user_id => @user,`
			`:workflow_state => 'active'`
			`}).all`
			`end`
			`visible_accounts = accounts.select{ \|a\| account_visible(a) }`
			`if visible_accounts == accounts`
			`events = Auditors::Authentication.for_user(@user)`
			`render_events(events, @user)`
			`elsif visible_accounts.present?`
			`pseudonyms = Shard.partition_by_shard(visible_accounts) do \|shard_accounts\|`
			`@user.active_pseudonyms.where(:account_id => shard_accounts).all`
			`end`
			`events = Auditors::Authentication.for_pseudonyms(pseudonyms)`
			`render_events(events, @user)`
			`else`
			`render_unauthorized_action(@user)`
			`end`
			`end`
			`end`

			`private`

			`def account_visible(account)`
			`account.grants_rights?(@current_user, nil, :view_statistics, :manage_user_logins).values.any?`
			`end`

			`def render_events(events, context)`
			`route = polymorphic_url([:api_v1, :audit_authentication, context])`
			`events = Api.paginate(events, self, route)`
			`render :json => authentication_events_compound_json(events, @current_user, session)`
			`end`
			`end`