Add components for generating sec keys

config_app/config_endpoints/api/superuser.py

@@ -5,12 +5,13 @@ import subprocess
 
 from flask import request, jsonify, make_response
 
+from endpoints.exception import NotFound
 from data.database import ServiceKeyApprovalType
 from data.model import ServiceKeyDoesNotExist
 from util.config.validator import EXTRA_CA_DIRECTORY
 
 from config_app.config_endpoints.exception import InvalidRequest
-from config_app.config_endpoints.api import resource, ApiResource, nickname
+from config_app.config_endpoints.api import resource, ApiResource, nickname, log_action, validate_json_request
 from config_app.config_endpoints.api.superuser_models_pre_oci import pre_oci_model
 from config_app.config_util.ssl import load_certificate, CertInvalidException
 from config_app.c_app import app, config_provider, INIT_SCRIPTS_LOCATION
@@ -170,7 +171,6 @@ class SuperUserServiceKeyApproval(ApiResource):
     @validate_json_request('ApproveServiceKey')
     def post(self, kid):
         notes = request.get_json().get('notes', '')
-        approver = app.config.get('SUPER_USERS', [])[0] # get the first superuser created in the config tool
         try:
             key = pre_oci_model.approve_service_key(kid, ServiceKeyApprovalType.SUPERUSER, notes=notes)
 
@@ -182,7 +182,10 @@ class SuperUserServiceKeyApproval(ApiResource):
                 'expiration_date': key.expiration_date,
             }
 
-            log_action('service_key_approve', None, key_log_metadata)
+            # Note: this may not actually be the current person modifying the config, but if they're in the config tool,
+            # they have full access to the DB and could pretend to be any user, so pulling any superuser is likely fine
+            super_user = app.config.get('SUPER_USERS', [None])[0]
+            log_action('service_key_approve', super_user, key_log_metadata)
         except ServiceKeyDoesNotExist:
             raise NotFound()
         except ServiceKeyAlreadyApproved: