fix(kas): populate rewrap audit log #2861
Conversation
Summary of ChangesHello @c-r33d, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly improves the audit logging capabilities for rewrap operations within the KAS service. By populating the rewrap audit messages with specific policy attributes and the "keyID" in the "eventMetaData", it provides a more comprehensive and actionable record of key access events. This enhancement is particularly valuable for understanding the context of rewrap operations, especially for Nano TDFs where policy details are not directly visible in the audit log, thereby aiding in debugging, compliance, and security analysis. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Logs flow, a stream of truth,KeyID now shines so bright,Audit's eye, clear and keen. Footnotes
|
c-r33d
changed the title
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request successfully enhances the rewrap audit logs by populating them with data attributes and the key ID. The changes are implemented for both TDF3 and NanoTDF formats, and the corresponding tests have been updated to validate the new log structure. The implementation is clean and correct. I have one suggestion to improve the maintainability of the tests.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
| EphemeralPublicKey []byte | ||
| RequiredObligations []string | ||
|
|
||
| // Only populated for Nano auditing, since policy is encrypted |
There was a problem hiding this comment.
policy is not always encrypted. We have a option to use plain text for policy?
Proposed Changes
1.) Populate kas rewrap audit message with attributes.
2.) Add keyID to
eventmetadataExample Nano failure
{ "time": "2025-10-30T10:13:30.270403-05:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "ff1a2fe2-a942-11f0-9751-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "error" }, "actor": { "id": "031fe452-ddbb-4d36-b82f-c6b3dd4d122a", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "d56da397-3387-4a14-9955-73681e627e37", "timestamp": "2025-10-30T10:13:30-05:00" } }Example ztdf success
{ "time": "2025-10-31T11:58:40.892713-05:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "cd2f0354-a942-11f0-b197-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "031fe452-ddbb-4d36-b82f-c6b3dd4d122a", "attributes": [] }, "eventMetaData": { "algorithm": "rsa:2048", "keyID": "r1", "policyBinding": "YjEwNWMwZGVhMjkzYjBhZjU4MWNkOTE1MmU4N2NkNjkzNzQ2ODM5NDI0MGRjYjhmNjRiZjlhNmY0OWEzZjJlNw==", "tdfFormat": "tdf3" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "73f131ae-cc21-490c-868d-260e58b8664d", "timestamp": "2025-10-31T11:58:40-05:00" } }Checklist
Testing Instructions