authorNathan Oyler <notque@gmail.com>2019-06-10 10:32:05 -0700
committerRaildo Mascena <rmascena@redhat.com>2020-05-27 12:04:05 -0300
commit654dd5ee47d0b2a38506cd76f91faf1497a19f14 (patch)
treee1519ae941e09ecccb671cf7fc9946a788e37a35
parent487c7276c7608fb11086b9875b0d7cc7cf594a5a (diff)
Add cadf auditing to credentials
Added audit logging to credentials. This backport is a bit different from the original patch, since this branch does not have the patch that adds caching of credentials (commit 479a2a0afaeb505c371ee97a1f2fbc1b11e3cef1) and we were not able to backport it. Also, since there was no flask support on stable/queens, we needed to backport the audit initiator on keystone/api/credentials.py. stable/rocky: https://review.opendev.org/#/c/711547 stable/stein: https://review.opendev.org/#/c/711545 master: https://review.opendev.org/#/c/664618 Change-Id: I028a86f44e049bcc7c54e844bfc91aa0b11cd541 (cherry picked from commit abf5cb6a55b78afceade692dceba7542e06736b4)
-rw-r--r--keystone/credential/controllers.py6
-rw-r--r--keystone/credential/core.py17
-rw-r--r--releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml6
3 files changed, 26 insertions, 3 deletions
diff --git a/keystone/credential/controllers.py b/keystone/credential/controllers.py
index 95cc7d023..f64495e09 100644
--- a/keystone/credential/controllers.py
+++ b/keystone/credential/controllers.py
@@ -86,7 +86,8 @@ class CredentialV3(controller.V3Controller):
trust_id=trust_id,
app_cred_id=app_cred_id,
access_token_id=access_token_id)
- ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+ ref = PROVIDERS.credential_api.create_credential(
+ ref['id'], ref, initiator=request.audit_initiator)
return CredentialV3.wrap_member(request.context_dict, ref)
@staticmethod
@@ -147,4 +148,5 @@ class CredentialV3(controller.V3Controller):
@controller.protected()
def delete_credential(self, request, credential_id):
- return PROVIDERS.credential_api.delete_credential(credential_id)
+ return (PROVIDERS.credential_api.delete_credential(credential_id,
+ initiator=request.audit_initiator))
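Review bot: The outer parentheses around the returned call in delete_credential are redundant and make the continuation read differently from the create_credential call changed in the previous hunk. Breaking after the opening parenthesis keeps both calls in the same shape: `return PROVIDERS.credential_api.delete_credential(` followed by `credential_id, initiator=request.audit_initiator)`. The manager method added in core.py has no return statement, so this `return` yields None; if that is intended, a one-line comment saying so would help.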
diff --git a/keystone/credential/core.py b/keystone/credential/core.py
index cb28b314e..d6c48ff16 100644
--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -21,6 +21,7 @@ from keystone.common import manager
from keystone.common import provider_api
import keystone.conf
from keystone import exception
+from keystone import notifications
CONF = keystone.conf.CONF
@@ -38,6 +39,8 @@ class Manager(manager.Manager):
driver_namespace = 'keystone.credential'
_provides_api = 'credential_api'
+ _CRED = 'credential'
+
def __init__(self):
super(Manager, self).__init__(CONF.credential.driver)
@@ -102,13 +105,18 @@ class Manager(manager.Manager):
credential = self.driver.get_credential(credential_id)
return self._decrypt_credential(credential)
- def create_credential(self, credential_id, credential):
+ def create_credential(self, credential_id, credential,
+ initiator=None):
"""Create a credential."""
credential_copy = self._encrypt_credential(credential)
ref = self.driver.create_credential(credential_id, credential_copy)
ref.pop('key_hash', None)
ref.pop('encrypted_blob', None)
ref['blob'] = credential['blob']
+ notifications.Audit.created(
+ self._CRED,
+ credential_id,
+ initiator)
return ref
def _validate_credential_update(self, credential_id, credential):
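Review bot: `initiator` defaults to None in create_credential, so any caller other than the controller changed in this commit reaches `notifications.Audit.created` without an initiator. What the notifications layer records in that case is not visible in this diff, so the resulting event may not identify who created the credential. It would be worth checking the remaining callers of `credential_api.create_credential` and documenting the parameter in the docstring, e.g. `:param initiator: audit initiator of the request, passed to notifications.Audit.created; None when the caller has no request context`. Note also that the event is emitted only after `self.driver.create_credential` returns, so a failed creation produces no audit record.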
@@ -143,3 +151,10 @@ class Manager(manager.Manager):
else:
ref['blob'] = existing_blob
return ref
+
+ def delete_credential(self, credential_id,
+ initiator=None):
+ """Delete a credential."""
+ self.driver.delete_credential(credential_id)
+ notifications.Audit.deleted(
+ self._CRED, credential_id, initiator)
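Review bot: update_credential, whose tail is the context at the top of this hunk, still ends at `return ref` with no `notifications.Audit` call, and the diffstat shows no other change to it. A replaced credential blob therefore appears to leave no CADF record, while create and delete now do. If that is not deliberate, update_credential could take `initiator=None` and call `notifications.Audit.updated(self._CRED, credential_id, initiator)` before `return ref`, with the controller passing `request.audit_initiator`. Most of update_credential lies outside the hunk, so this is inferred from the visible lines only.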
diff --git a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
new file mode 100644
index 000000000..33a355cc5
--- /dev/null
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
+ Credentials now logs cadf audit messages.
+