Create new Account/Login Audit Log

The API should provide for an audit log when a user creates a new account or logs into the system.

Create new Account/Login Audit Log
The API should provide for an audit log when a user creates a new account or logs into the system.
7bb0a649 · Zia Fazal · Chris Dodge · 8772a67f · 7bb0a649 · 7bb0a649
Commit 7bb0a649 authored Apr 28, 2014 by Zia Fazal Committed by Chris Dodge May 01, 2014
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletions

lms/djangoapps/api_manager/sessions_views.py
+12 -0

lms/djangoapps/api_manager/tests/test_sessions_security.py
+0 -0

lms/djangoapps/api_manager/users_views.py
+5 -1

No files found.
--- a/lms/djangoapps/api_manager/sessions_views.py
+++ b/lms/djangoapps/api_manager/sessions_views.py
 # pylint: disable=E1101

 """ API implementation for session-oriented interactions. """
+import logging

 from django.conf import settings
 from django.contrib.auth import authenticate, login
@@ -21,6 +22,8 @@ from api_manager.permissions import ApiKeyHeaderPermission
 from api_manager.serializers import UserSerializer
 from student.models import LoginFailures

+AUDIT_LOG = logging.getLogger("audit")
+

 def _generate_base_uri(request):
    """
@@ -82,6 +85,9 @@ class SessionsList(APIView):
                    response_data['user'] = user_dto.data
                    response_data['uri'] = '{}/{}'.format(base_uri, request.session.session_key)
                    response_status = status.HTTP_201_CREATED
+
+                    # add to audit log
+                    AUDIT_LOG.info(u"API::User logged in successfully with user-id - {0}".format(user.id))
                else:
                    response_status = status.HTTP_401_UNAUTHORIZED
            else:
@@ -91,7 +97,9 @@ class SessionsList(APIView):
                    LoginFailures.increment_lockout_counter(existing_user)

                response_status = status.HTTP_401_UNAUTHORIZED
+                AUDIT_LOG.warn(u"API::User authentication failed with user-id - {0}".format(existing_user.id))
        else:
+            AUDIT_LOG.warn(u"API::Failed login attempt with unknown email/username")
            response_status = status.HTTP_404_NOT_FOUND
        return Response(response_data, status=response_status)

@@ -131,5 +139,9 @@ class SessionsDetail(APIView):
        base_uri = _generate_base_uri(request)
        engine = import_module(settings.SESSION_ENGINE)
        session = engine.SessionStore(session_id)
+        user_id = session[SESSION_KEY]
+        AUDIT_LOG.info(u"API::User session terminated for user-id - {0}".format(user_id))
        session.flush()
        return Response(response_data, status=status.HTTP_204_NO_CONTENT)
+
+        return Response(response_data, status=status.HTTP_204_NO_CONTENT)
--- a/lms/djangoapps/api_manager/tests/test_sessions_security.py
+++ b/lms/djangoapps/api_manager/tests/test_sessions_security.py
--- a/lms/djangoapps/api_manager/users_views.py
+++ b/lms/djangoapps/api_manager/users_views.py
@@ -27,7 +27,7 @@ from util.password_policy_validators import (
 )

 log = logging.getLogger(__name__)
-
+AUDIT_LOG = logging.getLogger("audit")

 def _generate_base_uri(request):
    """
@@ -144,6 +144,9 @@ class UsersList(APIView):
            password_history_entry = PasswordHistory()
            password_history_entry.create(user)

+            # add to audit log
+            AUDIT_LOG.info(u"API::New account created with user-id - {0}".format(user.id))
+
            # CDODGE:  @TODO: We will have to extend this to look in the CourseEnrollmentAllowed table and
            # auto-enroll students when they create a new account. Also be sure to remove from
            # the CourseEnrollmentAllow table after the auto-registration has taken place
@@ -155,6 +158,7 @@ class UsersList(APIView):
            status_code = status.HTTP_409_CONFLICT
            response_data['message'] = "User '%s' already exists", username
            response_data['field_conflict'] = "username"
+
        return Response(response_data, status=status_code)