add barbican support, tests

Author: auhlig

README.md

@@ -22,34 +22,7 @@ It distinguishes between `initiator` and `target` of an action.
 
 The Cloud Audit Data Federation (CADF) specification defines a model for events within the OpenStack platform.
 This data model is used by the watcher middleware to classify requests.
-More information is provided in the [documentation](./doc/cadf.md).
-
-#### Classification
-
-The following attributes are recorded and passed via the WSGI environment through the pipeline.
-Moreover, this meta data is emitted as Prometheus metrics.  
-Note: The attributes in the environment are capitalized.
-For example: `WATCHER.ACTION`, `WATCHER.INITIATOR_PROJECT_ID`, `WATCHER.TARGET_PROJECT_ID`, etc. .
-
-- `action`:       the CADF action
-- `service`:      the name of the service
-
-**Initiator** attributes:
-- `project_id`:   the initiators project uid. `None` if domain scoped, `Unknown` if not authenticated.
-- `domain_id`:    the initiators domain uid. `None` if project scoped, `Unknown` if not authenticated.
-- `user_id`:      the initiators user id. `Unknown` if not authenticated.
-- `host_address`: the initiators host address
-  
-  
-**Target** attributes:
-- `project_id`:   the targets project uid. `Unknown` if it could not be determined. 
-- `type_uri`:     characterizes the URI of the target resource
-
-
-**Additional service specific attributes**:
-
-- Swift (object-store):
-    - `target.container_id`: the name/id of the swift container. `None` if not relevant. `Unknown` if it could not be determined.
+More information is provided in the [CADF documentation](./doc/cadf.md).
 
 ### Metrics
 
@@ -67,14 +40,16 @@ This middleware currently provides CADF-compliant support for the following Open
 |-----------------------|-----------------------|
 | Service name          | Service type          |
 |-----------------------|-----------------------|
-| Cinder                | volume                |
+| Barbican              | key-manager           |
+| Cinder                | volume                | 
+| Designate             | dns                   |
 | Glance                | image                 | 
+| Ironic                | baremetal             |
+| Keystone              | identity              |
+| Manila                | share                 |
 | Neutron               | network               |
 | Nova                  | compute               |
 | Swift                 | object-store          |
-| Designate             | dns                   |
-| Keystone              | identity              |
-| Ironic                | baremetal             |
 |-----------------------|-----------------------|
 ````
 
@@ -95,75 +70,16 @@ The watcher should be added after the keystone auth_token middleware to be able
 pipeline = .. auth_token watcher ..
 ```
 
-### WSGI configuration
+### Configuration
 
-Configuration options in the paste.ini as shown below
+Mandatory configuration options in the paste.ini as shown below. See the [configuration section](./doc/configuration.md) for more options.
 ```yaml
 [filter:watcher]
 use = egg:watcher-middleware#watcher
 # service_type as defined in service catalog. See supported services.
 # example: object-store, compute, dns, etc.
 service_type = <service_type>
-```
-Optional settings:
-```yaml
+
 # path to configuration file containing customized action definitions
 config_file = /etc/watcher.yaml
-
-# project id can be determined from either request path or service catalog if keystone.auth_token middleware is set to 'include_service_catalog = true'
-# determine the project id from request path
-project_id_from_path = true | false
-# determine the project id from the service catalog
-project_id_from_service_catalog = true | false
-
-# per default the target.type_uri is prefixed by 'service/<service_type>/'
-# if the cadf spec. requires a different prefix, it might be given here 
-# example: swift (object-store)
-# service_type = object-store
-# cadf_service_name = service/storage/object
-cadf_service_name = <service_name>
-
-# metrics are emitted via StatsD
-statsd_host = 127.0.0.1
-statsd_port = 9125
-statsd_namespace = openstack_watcher
-```
-
-#### Configuration file
-
-Additionally, the watcher might require a configuration file.  
-For existing services these can be found in the [examples](./etc).
-More details are provided [here](./doc/cadf.md)
-
-The following snippet provides an overview of configuration options for a service.
-```yaml
-# keywords in a request path are followed by the UUID or name of a resource.
-# in the target type URI the UUID or name of a resource is replaced by the singular of the keyword.
-# a custom value for the singular can also be provided by a mapping <plural>:<singular>
-# moreover, if a path ends with a keyword the action will be 'read/list'
-path_keywords:
-    - users
-    - tokens
-    - availability-zones: zone
-    ..
-
-# per default every word following a path keyword is replaced. 
-# however, exclusions can be configured by this list 
-path_exclusions:
-    - OS-PKI
-    - ..
-
-# some request path' are quite hard to map to their target type URI as the replacements can't be derived from the previous part.
-# thus, in some cases providing a mapping of <path_regex>: <target_type_URI> might be inevitable
-# note: the complete path (including versions, etc. ) needs to be reflected in the regex 
-regex_path_mapping:
-  - '\S+/domains/config/[0-9a-zA-Z_]+/default$': 'domains/config/group/default'
-
-# CADF actions are determined by the request method and their path as outlined in the table in the CADF section of this documentation
-# however, these can be overwritten using the target type URI and the request method with a custom action_type
-custom_actions:
-  tokens:
-    - token:
-        - method: GET
-          action_type: custom_action
 ```

doc/cadf.md

@@ -4,6 +4,34 @@ The Cloud Audit Data Federation (CADF) specification defines a model for events
 A comprehensive overview of OpenStack requests and their CADF representation can be found here: [Cloud Audit Data Federation - OpenStack Profile (CADF-OpenStack)](https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf).  
 The openstack-watcher-middleware follows DMTF specification DSP2038, version 1.1.0 as of 27 April 2015.
 
+#### Classification
+
+The following attributes are recorded and passed via the WSGI environment through the pipeline.
+Moreover, this meta data is emitted as Prometheus metrics.  
+Note: The attributes in the environment are capitalized.
+For example: `WATCHER.ACTION`, `WATCHER.INITIATOR_PROJECT_ID`, `WATCHER.TARGET_PROJECT_ID`, etc. .
+
+- `action`:       the CADF action
+- `service`:      the name of the service
+
+**Initiator** attributes:
+- `project_id`:   the initiators project uid. `None` if domain scoped, `Unknown` if not authenticated.
+- `domain_id`:    the initiators domain uid. `None` if project scoped, `Unknown` if not authenticated.
+- `user_id`:      the initiators user id. `Unknown` if not authenticated.
+- `host_address`: the initiators host address
+  
+  
+**Target** attributes:
+- `project_id`:   the targets project uid. `Unknown` if it could not be determined. 
+- `type_uri`:     characterizes the URI of the target resource
+
+
+**Additional service specific attributes**:
+
+- Swift (object-store):
+    - `target.container_id`: the name/id of the swift container. `None` if not relevant. `Unknown` if it could not be determined.
+
+
 #### CADF actions
 
 Actions characterize the operation performed by the initiator of a request against a target. 

doc/configuration.md

@@ -0,0 +1,72 @@
+### WSGI configuration
+
+Configuration options in the paste.ini as shown below
+```yaml
+[filter:watcher]
+use = egg:watcher-middleware#watcher
+# service_type as defined in service catalog. See supported services.
+# example: object-store, compute, dns, etc.
+service_type = <service_type>
+```
+Optional settings:
+```yaml
+# path to configuration file containing customized action definitions
+config_file = /etc/watcher.yaml
+
+# project id can be determined from either request path or service catalog if keystone.auth_token middleware is set to 'include_service_catalog = true'
+# determine the project id from request path
+project_id_from_path = true | false
+# determine the project id from the service catalog
+project_id_from_service_catalog = true | false
+
+# per default the target.type_uri is prefixed by 'service/<service_type>/'
+# if the cadf spec. requires a different prefix, it might be given here 
+# example: swift (object-store)
+# service_type = object-store
+# cadf_service_name = service/storage/object
+cadf_service_name = <service_name>
+
+# metrics are emitted via StatsD
+statsd_host = 127.0.0.1
+statsd_port = 9125
+statsd_namespace = openstack_watcher
+```
+
+#### Configuration file
+
+Additionally, the watcher might require a configuration file.  
+For existing services these can be found in the [examples](./etc).
+More details are provided [here](./doc/cadf.md)
+
+The following snippet provides an overview of configuration options for a service.
+```yaml
+# keywords in a request path are followed by the UUID or name of a resource.
+# in the target type URI the UUID or name of a resource is replaced by the singular of the keyword.
+# a custom value for the singular can also be provided by a mapping <plural>:<singular>
+# moreover, if a path ends with a keyword the action will be 'read/list'
+path_keywords:
+    - users
+    - tokens
+    - availability-zones: zone
+    ..
+
+# per default every word following a path keyword is replaced. 
+# however, exclusions can be configured by this list 
+path_exclusions:
+    - OS-PKI
+    - ..
+
+# some request path' are quite hard to map to their target type URI as the replacements can't be derived from the previous part.
+# thus, in some cases providing a mapping of <path_regex>: <target_type_URI> might be inevitable
+# note: the complete path (including versions, etc. ) needs to be reflected in the regex 
+regex_path_mapping:
+  - '\S+/domains/config/[0-9a-zA-Z_]+/default$': 'domains/config/group/default'
+
+# CADF actions are determined by the request method and their path as outlined in the table in the CADF section of this documentation
+# however, these can be overwritten using the target type URI and the request method with a custom action_type
+custom_actions:
+  tokens:
+    - token:
+        - method: GET
+          action_type: custom_action
+```

etc/barbican.yaml

@@ -0,0 +1,16 @@
+path_keywords:
+  - consumers
+  - containers
+  - metadata: key
+  - orders
+  - quotas
+  - project-quotas
+  - secrets
+  - secret-stores
+
+keyword_exclusions:
+  - global-default
+  - preferred
+
+regex_path_mapping:
+    - '\S+/consumers$': 'container/consumers'

etc/ironic.yaml

@@ -1,77 +1,20 @@
-custom_actions:
-  nodes:
-    - method: GET
-      action_type: read/list
-
-    - portgroups:
-        - method: GET
-          action_type: read/list
-
-    - ports:
-        - method: GET
-          action_type: read/list
-
-    - node:
-        - vendor_passthru:
-            - methods:
-                - method: GET
-                  action_type: read/list
-
-        - traits:
-            - method: GET
-              action_type: read/list
-
-        - vifs:
-            - method: GET
-              action_type: read/list
-
-        - portgroups:
-            - method: GET
-              action_type: read/list
-
-        - ports:
-            - method: GET
-              action_type: read/list
-
-        - bios:
-            - method: GET
-              action_type: read/list
-
-  portgroups:
-    - method: GET
-      action_type: read/list
+path_keywords:
+  - bios: setting
+  - chassis: chassis
+  - connectors
+  - drivers
+  - heartbeat: node
+  - methods
+  - nodes
+  - ports
+  - portgroups
+  - targets
+  - traits
+  - volume
+  - vifs
 
-    - portgroup:
-        - ports:
-          - method: GET
-            action_type: read/list
-
-  ports:
-    - method: GET
-      action_type: read/list
-
-  volume:
-    - method: GET
-      action_type: read/list
-
-    - connectors:
-        - method: GET
-          action_type: read/list
-
-    - targets:
-        - method: GET
-          action_type: read/list
-
-  - drivers:
-      - method: GET
-        action_type: read/list
-
-      - driver:
-          - vendor_passthru:
-              - methods:
-                  - method: GET
-                    action_type: read/list
-
-  - chassis:
+custom_actions:
+  chassis:
+    chassis:
       - method: GET
-        action_type: read/list
+        action_type: read

watcher/cadf_strategy.py

@@ -87,6 +87,16 @@ def __init__(
         else:
             self.keyword_exclusions = default_keyword_exclusions
 
+    def get_cadf_service_name(self):
+        """
+        get the service name according to the CADF spec
+
+        :return: the cadf service name or unknown
+        """
+        if common.is_none_or_unknown(self.target_type_uri_prefix):
+            return taxonomy.UNKNOWN
+        return self.target_type_uri_prefix
+
     def determine_target_type_uri(self, req):
         """
         determines the target.type_uri of a request by its path in the following order:

watcher/common.py

@@ -40,7 +40,8 @@
     'volume': 'service/storage/block',
     'identity': 'data/security',
     'share': 'service/storage/share',
-    'baremetal': 'service/compute/baremetal'
+    'baremetal': 'service/compute/baremetal',
+    'key-manager': 'service/security/keymanager'
 }