Project

General

Profile

Refactor #21920

Refactor password auditing

Added by Michael Moll about 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Tomer Brisker
Category:
Rails
Target version:
1.18.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/5162
Fixed in Releases:
Found in Releases:

Description

Starting with Rails 5.1:

- message: password_changed is not an attribute known to Active Record. This behavior
    is deprecated and will be removed in the next version of Rails. If you'd like
    password_changed to be managed by Active Record, add `attribute :password_changed
    to your class.
  callstack: app/models/image.rb:31:in `set_password_changed'
- message: password_changed is not an attribute known to Active Record. This behavior
    is deprecated and will be removed in the next version of Rails. If you'd like
    password_changed to be managed by Active Record, add `attribute :password_changed
    to your class.
  callstack: app/models/user.rb:527:in `set_password_changed'

Related issues

Related to Foreman - Bug #16850: Password change activity does not show in Audit logClosed2016-10-10
Related to Foreman - Tracker #20948: Rails 5.1 upgrade tasksClosed2017-09-16

Related to Foreman - Bug #19169: CVE-2017-2672 - audit trail leaks sensitive data for Image eventsClosed2017-04-04
Related to Foreman - Refactor #20116: Redact sensitive information from audit logsNew2017-06-27
Related to Foreman - Bug #22280: User Audits: False entry of "password changed" every time a user is updatedNew2018-01-16
Blocks Foreman - Tracker #21834: Rails 5.2 upgrade tasksClosed

Associated revisions

Revision 59f0a945 (diff)
Added by Tomer Brisker about 2 years ago

Fixes #22208, #21920 - Refactor password auditing (#5162)

Recent changes in Rails 5.1 and audited gem cause our method of auditing
passwords to break. This PR refactors password auditing, so that instead
of recording a change to attribute `password_changed`, we will now
record the string `[redacted]` instead of any actual password.
The change is done currently in our audit extensions, which mean that it
will now apply to all resources that have a `password` attribute instead
of just those that have defined the workaround.
The next step will be to move this to the audited gem in a more
generalized method that can be defined in the model when initializing
audited, so that the workaround can be removed.

History

#1 Updated by Michael Moll about 2 years ago

  • Related to Bug #16850: Password change activity does not show in Audit log added

#2 Updated by Michael Moll about 2 years ago

#3 Updated by Michael Moll about 2 years ago

#4 Updated by Michael Moll about 2 years ago

  • Related to Bug #19169: CVE-2017-2672 - audit trail leaks sensitive data for Image events added

#5 Updated by Michael Moll about 2 years ago

#6 Updated by Michael Moll about 2 years ago

#7 Updated by Michael Moll about 2 years ago

this indeed leads to test errrors with Rails 5.1

#8 Updated by Tomer Brisker about 2 years ago

  • Related to Refactor #20116: Redact sensitive information from audit logs added

#9 Updated by The Foreman Bot about 2 years ago

  • Assignee set to Tomer Brisker
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/5162 added

#10 Updated by Marek Hulán about 2 years ago

  • Legacy Backlogs Release (now unused) set to 330

#11 Updated by Anonymous about 2 years ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#12 Updated by Marek Hulán about 2 years ago

  • Related to Bug #22280: User Audits: False entry of "password changed" every time a user is updated added

Also available in: Atom PDF