feat(security): record audit metadata on guest token issuance

[rusackas]

SUMMARY

The guest-token issuance endpoint recorded only the coarse action name via @event_logger.log_this, without the metadata needed to scope an investigation if a misissued or over-scoped token were later abused.

This emits an explicit issuance event on successful guest-token creation capturing:

• issuer user id
• source IP
• granted resources (type:id)
• dataset allowlist
• RLS dataset scope and rule count
• a SHA-256 hash of the issued token (never the raw token)

RLS clause text is intentionally omitted since it can carry data values. The metadata is assembled by a small pure helper, build_guest_token_audit_payload, so it is easy to test.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — audit logging.

TESTING INSTRUCTIONS

Unit tests in tests/unit_tests/security/guest_token_audit_test.py:

• The payload captures issuer/source-IP/resources/datasets/RLS scope.
• The raw token is never present; only its SHA-256 hash is recorded.
• RLS clause text is not included.

Run: pytest tests/unit_tests/security/guest_token_audit_test.py

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[bito-code-review]

Code Review Agent Run #dcfe6c

Actionable Suggestions - 0

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

• superset/security/guest_token.py - 1

  • Missing return type hint · Line 29-57

Review Details

• Files reviewed - 3 · Commit Range: d6c5621..d6c5621

  • superset/security/api.py
  • superset/security/guest_token.py
  • tests/unit_tests/security/guest_token_audit_test.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

The suggestion to add explicit return type annotations (-> None) to the new test functions is correct, as it aligns with the project's requirement for fully typed Python code. You can resolve this by updating the function definitions in tests/unit_tests/security/guest_token_audit_test.py as follows:

def test_build_guest_token_audit_payload_captures_issuance_metadata() -> None:


def test_build_guest_token_audit_payload_hashes_token_and_omits_raw() -> None:


def test_build_guest_token_audit_payload_omits_rls_clause_text() -> None:

There are no other review comments in this pull request. Would you like me to apply these changes to the test file?

tests/unit_tests/security/guest_token_audit_test.py

def test_build_guest_token_audit_payload_captures_issuance_metadata() -> None:


def test_build_guest_token_audit_payload_hashes_token_and_omits_raw() -> None:


def test_build_guest_token_audit_payload_omits_rls_clause_text() -> None:

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.34%. Comparing base (3b46a5f) to head (a1ec073).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #41305      +/-   ##
==========================================
- Coverage   64.34%   64.34%   -0.01%     
==========================================
  Files        2653     2653              
  Lines      144952   144959       +7     
  Branches    33433    33433              
==========================================
+ Hits        93273    93275       +2     
- Misses      49995    49998       +3     
- Partials     1684     1686       +2     

Flag	Coverage Δ
hive	39.27% <55.55%> (+<0.01%)	⬆️
mysql	58.00% <100.00%> (+<0.01%)	⬆️
postgres	58.07% <100.00%> (-0.01%)	⬇️
presto	40.86% <55.55%> (+<0.01%)	⬆️
python	59.51% <100.00%> (-0.01%)	⬇️
sqlite	57.72% <100.00%> (+<0.01%)	⬆️
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.