add audit logging to app registry endpoints

data/interfaces/appr.py

@@ -10,8 +10,11 @@ from six import add_metaclass
 from app import storage, authentication
 from data import model, oci_model
 from data.database import Tag, Manifest, MediaType, Blob, Repository, Channel
+from util.audit import track_and_log
+from util.morecollections import AttrDict
 from util.names import parse_robot_username
 
+
 class BlobDescriptor(namedtuple('Blob', ['mediaType', 'size', 'digest', 'urls'])):
   """ BlobDescriptor describes a blob with its mediatype, size and digest.
       A BlobDescriptor is used to retrieves the actual blob.
@@ -55,10 +58,6 @@ class AppRegistryDataInterface(object):
   """ Interface that represents all data store interactions required by a App Registry.
   """
 
-  @abstractmethod
-  def _application(self, package_name):
-    pass
-
   @abstractmethod
   def list_applications(self, namespace=None, media_type=None, search=None, username=None,
                         with_channels=False):
@@ -175,6 +174,11 @@ class AppRegistryDataInterface(object):
     Raises: ChannelNotFound, PackageNotFound
     """
 
+  @abstractmethod
+  def log_action(self, event_name, namespace_name, repo_name=None, analytics_name=None,
+                 analytics_sample=1, **kwargs):
+    """ Logs an action to the audit log. """
+
 
 def _split_package_name(package):
   """ Returns the namespace and package-name """
@@ -200,6 +204,22 @@ class OCIAppModel(AppRegistryDataInterface):
       raise_package_not_found(package)
     return repo
 
+  def log_action(self, event_name, namespace_name, repo_name=None, analytics_name=None,
+                 analytics_sample=1, metadata=None):
+    metadata = {} if metadata is None else metadata
+
+    repo = None
+    if repo_name is not None:
+      db_repo = model.repository.get_repository(namespace_name, repo_name,
+                                                kind_filter='application')
+      repo = AttrDict({
+        'id': db_repo.id,
+        'name': db_repo.name,
+        'namespace_name': db_repo.namespace_user.username,
+      })
+    track_and_log(event_name, repo, analytics_name=analytics_name,
+                  analytics_sample=analytics_sample, **metadata)
+
   def list_applications(self, namespace=None, media_type=None, search=None, username=None,
                         with_channels=False):
     """ Lists all repositories that contain applications, with optional filtering to a specific
@@ -248,7 +268,7 @@ class OCIAppModel(AppRegistryDataInterface):
   def create_application(self, package_name, visibility, owner):
     """ Create a new app repository, owner is the user who creates it """
     ns, name = _split_package_name(package_name)
-    model.repository.create_repository(ns, name, owner, visibility, "application")
+    model.repository.create_repository(ns, name, owner, visibility, 'application')
 
   def application_exists(self, package_name):
     """ Create a new app repository, owner is the user who creates it """

endpoints/appr/registry.py

@@ -13,6 +13,7 @@ from flask import jsonify, request
 from auth.auth_context import get_authenticated_user
 from auth.decorators import process_auth
 from auth.permissions import (CreateRepositoryPermission, ModifyRepositoryPermission)
+from data.interfaces.appr import oci_app_model as model
 from endpoints.appr import (appr_bp, require_app_repo_read, require_app_repo_write)
 from endpoints.appr.cnr_backend import Blob, Channel, Package, User
 from endpoints.appr.decorators import disallow_for_image_repository
@@ -102,6 +103,8 @@ def list_packages():
 def delete_package(namespace, package_name, release, media_type):
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.delete_package(reponame, release, media_type, package_class=Package)
+  model.log_action('delete_tag', namespace, repo_name=package_name,
+                   metadata={'release': release, 'mediatype': media_type})
   return jsonify(result)
 
 
@@ -136,7 +139,7 @@ def show_package_releases(namespace, package_name):
 @process_auth
 @require_app_repo_read
 @anon_protect
-def show_package_releasse_manifests(namespace, package_name, release):
+def show_package_release_manifests(namespace, package_name, release):
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.show_package_manifests(reponame, release, package_class=Package)
   return jsonify(result)
@@ -153,6 +156,8 @@ def pull(namespace, package_name, release, media_type):
   reponame = repo_name(namespace, package_name)
   logger.info("pull %s", reponame)
   data = cnr_registry.pull(reponame, release, media_type, Package, blob_class=Blob)
+  model.log_action('pull_repo', namespace, repo_name=package_name,
+                   metadata={'release': release, 'mediatype': media_type})
   return _pull(data)
 
 
@@ -178,6 +183,7 @@ def push(namespace, package_name):
                       {"package": reponame,
                        "scopes": ['create']})
     Package.create_repository(reponame, private, owner)
+    model.log_action('create_repo', namespace, repo_name=package_name)
 
   if not ModifyRepositoryPermission(namespace, package_name).can():
     raise Forbidden("Unauthorized access for: %s" % reponame,
@@ -194,6 +200,8 @@ def push(namespace, package_name):
   blob = Blob(reponame, values['blob'])
   app_release = cnr_registry.push(reponame, release_version, media_type, blob, force,
                                   package_class=Package, user=owner, visibility=private)
+  model.log_action('push_repo', namespace, repo_name=package_name,
+                   metadata={'release': release_version})
   return jsonify(app_release)
 
 
@@ -246,6 +254,8 @@ def add_channel_release(namespace, package_name, channel_name, release):
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.add_channel_release(reponame, channel_name, release, channel_class=Channel,
                                             package_class=Package)
+  model.log_action('create_tag', namespace, repo_name=package_name,
+                   metadata={'channel': channel_name, 'release': release})
   return jsonify(result)
 
 
@@ -254,13 +264,13 @@ def _check_channel_name(channel_name, release=None):
     logger.debug('Found invalid channel name CNR add channel release: %s', channel_name)
     raise InvalidUsage("Found invalid channelname %s" % release,
                        {'name': channel_name,
-                        "release": release})
+                        'release': release})
 
   if release is not None and not TAG_REGEX.match(release):
     logger.debug('Found invalid release name CNR add channel release: %s', release)
-    raise InvalidUsage("Found invalid channel release name %s" % release,
+    raise InvalidUsage('Found invalid channel release name %s' % release,
                        {'name': channel_name,
-                        "release": release})
+                        'release': release})
 
 
 @appr_bp.route(
@@ -275,6 +285,8 @@ def delete_channel_release(namespace, package_name, channel_name, release):
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.delete_channel_release(reponame, channel_name, release,
                                                channel_class=Channel, package_class=Package)
+  model.log_action('delete_tag', namespace, repo_name=package_name,
+                   metadata={'channel': channel_name, 'release': release})
   return jsonify(result)
 
 
@@ -289,4 +301,6 @@ def delete_channel(namespace, package_name, channel_name):
   _check_channel_name(channel_name)
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.delete_channel(reponame, channel_name, channel_class=Channel)
+  model.log_action('delete_tag', namespace, repo_name=package_name,
+                   metadata={'channel': channel_name})
   return jsonify(result)

endpoints/v1/index.py

@@ -6,7 +6,6 @@ from functools import wraps
 
 from flask import request, make_response, jsonify, session
 
-from data.interfaces.v1 import pre_oci_model as model
 from app import authentication, userevents, metric_queue
 from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
 from auth.decorators import process_auth
@@ -14,13 +13,14 @@ from auth.permissions import (ModifyRepositoryPermission, UserAdminPermission,
                               ReadRepositoryPermission, CreateRepositoryPermission,
                               repository_read_grant, repository_write_grant)
 from auth.signedgrant import generate_signed_token
+from data.interfaces.v1 import pre_oci_model as model
+from endpoints.common import parse_repository_name
+from endpoints.decorators import anon_protect, anon_allowed
+from endpoints.notificationhelper import spawn_notification
+from endpoints.v1 import v1_bp
+from util.audit import track_and_log
 from util.http import abort
 from util.names import REPOSITORY_NAME_REGEX
-from endpoints.common import parse_repository_name
-from endpoints.v1 import v1_bp
-from endpoints.trackhelper import track_and_log
-from endpoints.notificationhelper import spawn_notification
-from endpoints.decorators import anon_protect, anon_allowed
 
 
 logger = logging.getLogger(__name__)

endpoints/v1/tag.py

@@ -4,7 +4,6 @@ import json
 from flask import abort, request, jsonify, make_response, session
 
 
-from util.names import TAG_ERROR, TAG_REGEX
 from auth.decorators import process_auth
 from auth.permissions import (ReadRepositoryPermission,
                               ModifyRepositoryPermission)
@@ -13,7 +12,8 @@ from data.interfaces.v1 import pre_oci_model as model
 from endpoints.common import parse_repository_name
 from endpoints.decorators import anon_protect
 from endpoints.v1 import v1_bp
-from endpoints.trackhelper import track_and_log
+from util.audit import track_and_log
+from util.names import TAG_ERROR, TAG_REGEX
 
 
 logger = logging.getLogger(__name__)

endpoints/v2/manifest.py

@@ -15,11 +15,11 @@ from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
 from endpoints.v2.errors import (BlobUnknown, ManifestInvalid, ManifestUnknown, TagInvalid,
                                  NameInvalid)
-from endpoints.trackhelper import track_and_log
 from endpoints.notificationhelper import spawn_notification
 from image.docker import ManifestException
 from image.docker.schema1 import DockerSchema1Manifest, DockerSchema1ManifestBuilder
 from image.docker.schema2 import DOCKER_SCHEMA2_CONTENT_TYPES
+from util.audit import track_and_log
 from util.names import VALID_TAG_PATTERN
 from util.registry.replication import queue_replication_batch
 from util.validation import is_json

endpoints/verbs/__init__.py

@@ -13,11 +13,11 @@ from data import database
 from data.interfaces.verbs import pre_oci_model as model
 from endpoints.common import route_show_if, parse_repository_name
 from endpoints.decorators import anon_protect
-from endpoints.trackhelper import track_and_log
 from endpoints.v2.blob import BLOB_DIGEST_ROUTE
 from image.appc import AppCImageFormatter
 from image.docker.squashed import SquashedDockerImageFormatter
 from storage import Storage
+from util.audit import track_and_log
 from util.http import exact_abort
 from util.registry.filelike import wrap_with_handler
 from util.registry.queuefile import QueueFile

util/audit.py

@@ -15,7 +15,7 @@ logger = logging.getLogger(__name__)
 
 def track_and_log(event_name, repo_obj, analytics_name=None, analytics_sample=1, **kwargs):
   repo_name = repo_obj.name
-  namespace_name = repo_obj.namespace_name,
+  namespace_name = repo_obj.namespace_name
   metadata = {
     'repo': repo_name,
     'namespace': namespace_name,