fix: extract UUID from HATEOAS resource refs in custom_id fields

[rajivmucheli]

Problem

Services like Barbican return full HATEOAS URLs in response fields configured as custom_id (e.g. secret_ref, container_ref):

POST /v1/secrets -> {"secret_ref": "https://keymanager-3.eu-de-1.cloud.sap:443/v1/secrets/9cb9ac0b-..."}

The barbican_audit_map.yaml maps custom_id: secret_ref and custom_id: container_ref, so _create_target_resource extracts the full URL as rid. This flows into _make_uuid unchanged and is set as the CADF target.id.

pycadf then emits:

pycadf/identifier.py:70: UserWarning: Invalid uuid: https://keymanager-3.eu-de-1.cloud.sap:443/v1/secrets/9cb9ac0b-...
To ensure interoperability, identifiers should be a valid uuid.

Root cause

_make_uuid only handled integer-string IDs; everything else was passed through verbatim, including full URLs.

Fix

Strip the URL prefix in _make_uuid: if the value contains /, take the last path segment (the bare UUID):

if '/' in s:
    s = s.rstrip('/').rsplit('/', 1)[-1]

Safe for all existing cases: bare UUIDs pass through unchanged, integer strings are handled before this check, full URLs yield just the trailing UUID.

Tests

Added BarbicanAuditMappingTest with two cases:

• test_post_create_secret_extracts_uuid_from_ref - verifies secret_ref URL strips to bare UUID and no pycadf warnings fire
• test_post_create_container_extracts_uuid_from_ref - same for container_ref

[notque]

Thanks @rajivmucheli — this is a real problem and I want to get it merged.

I'd been considering a mapping-driven approach (something like an id_transform directive in the YAML spec), but that's a larger effort and shouldn't block this fix. Let's get this in.

One change needed:

Replace if '/' in s with if '://' in s (line 62)

The bare / check is too broad — it would strip path segments from any custom_id value containing a slash (e.g. Swift object names can legitimately contain /). The :// check targets actual HATEOAS URLs specifically, which is what we want.

if '://' in s:
    s = s.rstrip('/').rsplit('/', 1)[-1]

Everything else looks good — tests are solid and the pycadf warning assertion is a nice verification technique.

Longer-term, I think an id_transform directive in the mapping spec is the right architectural solution (so services declare their own ID extraction rules declaratively). But this fix is correct and pragmatic for now.

[notque]

LGTM thanks, please mention in team core the open stack audit middleware is updated with the PR link just so people are aware when they see it in their diffs. Thanks!