Send select logs to Panther

lyft · Oct 31, 2024 · b28d200 · b28d200
1 parent 3152758
commit b28d200
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 1 deletion.
diff --git a/confidant/authnz/userauth.py b/confidant/authnz/userauth.py
@@ -23,6 +23,7 @@
 from confidant.lib import cryptolib
 from confidant.utils.misc import dict_deep_update
 from confidant.authnz import errors
+from confidant.services.panther import panther_client
 
 logger = logging.getLogger(__name__)
 
@@ -586,7 +587,11 @@ def consume_saml_assertion(self):
 
         attributes = auth.get_attributes()
         logger.info('SAML attributes: {!r}'.format(attributes))
-
+        panther_client.send_event({
+            'event_type': 'saml_user_authenticated',
+            'id': nameid,
+            'attributes': attributes,
+        })
         # normalize attributes by flattening single-item arrays
         for key, val in attributes.items():
             if isinstance(val, list) and len(val) == 1:

diff --git a/confidant/routes/credentials.py b/confidant/routes/credentials.py
@@ -27,6 +27,7 @@
 from confidant.services.ciphermanager import CipherManager
 from confidant.utils import maintenance, misc, stats
 from confidant.utils.dynamodb import decode_last_evaluated_key
+from confidant.services.panther import panther_client
 
 logger = logging.getLogger(__name__)
 blueprint = blueprints.Blueprint('credentials', __name__)
@@ -255,6 +256,12 @@ def get_credential(id):
                 id
             )
             logger.info(log_line)
+            panther_client.send_event({
+                'event_type': 'get_credential',
+                'user': authnz.get_logged_in_user(),
+                'credential': id,
+            })
+
 
         credential_response = CredentialResponse.from_credential(
             credential,
@@ -363,6 +370,10 @@ def diff_credential(id, old_revision, new_revision):
         logger.warning(
             'Item with id {0} does not exist.'.format(id)
         )
+        panther_client.send_event({
+            'event_type': 'get_credential',
+            'credential': id,
+        })
         return jsonify({}), 404
     if new_credential.data_type != 'archive-credential':
         msg = 'id provided is not a credential.'

diff --git a/confidant/routes/services.py b/confidant/routes/services.py
@@ -22,6 +22,7 @@
 )
 from confidant.utils import maintenance, misc, stats
 from confidant.utils.dynamodb import decode_last_evaluated_key
+from confidant.services.panther import panther_client
 
 logger = logging.getLogger(__name__)
 blueprint = blueprints.Blueprint('services', __name__)
@@ -272,6 +273,11 @@ def get_service(id):
                 f'get_service called on id={id} by '
                 f'user={logged_in_user} metadata_only={metadata_only}'
             )
+            panther_client.send_event({
+                'event_type': 'get_service_called',
+                'user': logged_in_user,
+                'metadata_only': metadata_only,
+            })
 
         with stats.timer('get_service_by_id.db_get_service'):
             try:

diff --git a/confidant/services/panther.py b/confidant/services/panther.py
@@ -0,0 +1,13 @@
+from lyft_lumos_common.services.panther import PantherClient
+
+from confidant.settings import PANTHER_BASE_URL
+from confidant.settings import PANTHER_BEARER_TOKEN
+
+
+def get_panther_client() -> PantherClient:
+    return PantherClient(
+        bearer_token=PANTHER_BEARER_TOKEN,
+        base_url=PANTHER_BASE_URL)
+
+
+panther_client = get_panther_client()
diff --git a/confidant/settings.py b/confidant/settings.py
@@ -743,3 +743,7 @@ def get(name, default=None):
 
 # Module that will perform an external ACL check on API endpoints
 ACL_MODULE = str_env('ACL_MODULE', 'confidant.authnz.rbac:default_acl')
+
+# Panther settings
+PANTHER_BASE_URL = str_env('CREDENTIALS_PANTHER_BASE_URL', default='')
+PANTHER_BEARER_TOKEN = str_env('CREDENTIALS_PANTHER_BEARER_TOKEN', default='')
diff --git a/requirements.in b/requirements.in
@@ -216,3 +216,6 @@ mypy
 # Upstream url: https://pypi.org/project/fakeredis/
 # Use: To mock redis in unit tests
 fakeredis
+
+# For persisting to Panther
+lyft-lumos-common==0.1.3