NotificationsYou must be signed in to change notification settings
Fork914
Star10.1k

Commit08e728b

authored

chore: implement organization scoped audit log requests (#13663)

* chore: add organization_id filter to audit logs* chore: implement organization scoped audit log requests

1 parent20e59e0 commit08e728bCopy full SHA for 08e728b

File tree

13 files changed

+123

-25

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- audit.go
- audit_test.go
- database
  - dbauthz
    - dbauthz.go
  - dbmem
    - dbmem.go
  - queries
    - auditlogs.sql
  - queries.sql.go
- members.go
- searchquery
  - search.go
codersdk
- audit.go
docs/api
- schemas.md
site/src/api
- typesGenerated.ts

13 files changed

+123

-25

lines changed

`‎coderd/apidoc/docs.go`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/audit.go`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import (`
`18`	`18`	`"github.com/coder/coder/v2/coderd/audit"`
`19`	`19`	`"github.com/coder/coder/v2/coderd/database"`
`20`	`20`	`"github.com/coder/coder/v2/coderd/database/db2sdk"`
	`21`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
`21`	`22`	`"github.com/coder/coder/v2/coderd/httpapi"`
`22`	`23`	`"github.com/coder/coder/v2/coderd/httpmw"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/searchquery"`
`@@ -61,6 +62,10 @@ func (api API) auditLogs(rw http.ResponseWriter, r http.Request) {`
`61`	`62`	`}`
`62`	`63`
`63`	`64`	`dblogs,err:=api.Database.GetAuditLogsOffset(ctx,filter)`
	`65`	`+ifdbauthz.IsNotAuthorizedError(err) {`
	`66`	`+httpapi.Forbidden(rw)`
	`67`	`+return`
	`68`	`+}`
`64`	`69`	`iferr!=nil {`
`65`	`70`	`httpapi.InternalServerError(rw,err)`
`66`	`71`	`return`
`@@ -139,6 +144,9 @@ func (api API) generateFakeAuditLog(rw http.ResponseWriter, r http.Request) {`
`139`	`144`	`iflen(params.AdditionalFields)==0 {`
`140`	`145`	`params.AdditionalFields=json.RawMessage("{}")`
`141`	`146`	`}`
	`147`	`+ifparams.OrganizationID==uuid.Nil {`
	`148`	`+params.OrganizationID=uuid.New()`
	`149`	`+}`
`142`	`150`
`143`	`151`	`_,err=api.Database.InsertAuditLog(ctx, database.InsertAuditLogParams{`
`144`	`152`	`ID:uuid.New(),`
`@@ -155,7 +163,7 @@ func (api API) generateFakeAuditLog(rw http.ResponseWriter, r http.Request) {`
`155`	`163`	`AdditionalFields:params.AdditionalFields,`
`156`	`164`	`RequestID:uuid.Nil,// no request ID to attach this to`
`157`	`165`	`ResourceIcon:"",`
`158`		`-OrganizationID:uuid.New(),`
	`166`	`+OrganizationID:params.OrganizationID,`
`159`	`167`	`})`
`160`	`168`	`iferr!=nil {`
`161`	`169`	`httpapi.InternalServerError(rw,err)`

`‎coderd/audit_test.go`

Lines changed: 50 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,15 @@ import (`
`4`	`4`	`"context"`
`5`	`5`	`"encoding/json"`
`6`	`6`	`"fmt"`
	`7`	`+"net/http"`
`7`	`8`	`"strconv"`
`8`	`9`	`"testing"`
`9`	`10`	`"time"`
`10`	`11`
`11`	`12`	`"github.com/google/uuid"`
`12`	`13`	`"github.com/stretchr/testify/require"`
`13`	`14`
	`15`	`+"cdr.dev/slog/sloggers/slogtest"`
`14`	`16`	`"github.com/coder/coder/v2/coderd/audit"`
`15`	`17`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`16`	`18`	`"github.com/coder/coder/v2/coderd/database"`
`@@ -135,6 +137,54 @@ func TestAuditLogs(t *testing.T) {`
`135`	`137`	`require.Equal(t,auditLogs.AuditLogs[0].ResourceLink,fmt.Sprintf("/@%s/%s/builds/%s",`
`136`	`138`	`workspace.OwnerName,workspace.Name,buildNumberString))`
`137`	`139`	`})`
	`140`	`+`
	`141`	`+t.Run("Organization",func(t*testing.T) {`
	`142`	`+t.Parallel()`
	`143`	`+`
	`144`	`+logger:=slogtest.Make(t,&slogtest.Options{`
	`145`	`+IgnoreErrors:true,`
	`146`	`+})`
	`147`	`+ctx:=context.Background()`
	`148`	`+client:=coderdtest.New(t,&coderdtest.Options{`
	`149`	`+Logger:&logger,`
	`150`	`+})`
	`151`	`+owner:=coderdtest.CreateFirstUser(t,client)`
	`152`	`+orgAdmin,_:=coderdtest.CreateAnotherUser(t,client,owner.OrganizationID,rbac.ScopedRoleOrgAdmin(owner.OrganizationID))`
	`153`	`+`
	`154`	`+err:=client.CreateTestAuditLog(ctx, codersdk.CreateTestAuditLogRequest{`
	`155`	`+ResourceID:owner.UserID,`
	`156`	`+OrganizationID:owner.OrganizationID,`
	`157`	`+})`
	`158`	`+require.NoError(t,err)`
	`159`	`+`
	`160`	`+// Add an extra audit log in another organization`
	`161`	`+err=client.CreateTestAuditLog(ctx, codersdk.CreateTestAuditLogRequest{`
	`162`	`+ResourceID:owner.UserID,`
	`163`	`+OrganizationID:uuid.New(),`
	`164`	`+})`
	`165`	`+require.NoError(t,err)`
	`166`	`+`
	`167`	`+// Fetching audit logs without an organization selector should fail`
	`168`	`+_,err=orgAdmin.AuditLogs(ctx, codersdk.AuditLogsRequest{`
	`169`	`+Pagination: codersdk.Pagination{`
	`170`	`+Limit:5,`
	`171`	`+},`
	`172`	`+})`
	`173`	`+varsdkError*codersdk.Error`
	`174`	`+require.Error(t,err)`
	`175`	`+require.ErrorAsf(t,err,&sdkError,"error should be of type *codersdk.Error")`
	`176`	`+require.Equal(t,http.StatusForbidden,sdkError.StatusCode())`
	`177`	`+`
	`178`	`+// Using the organization selector allows the org admin to fetch audit logs`
	`179`	`+alogs,err:=orgAdmin.AuditLogs(ctx, codersdk.AuditLogsRequest{`
	`180`	`+SearchQuery:fmt.Sprintf("organization_id:%s",owner.OrganizationID.String()),`
	`181`	`+Pagination: codersdk.Pagination{`
	`182`	`+Limit:5,`
	`183`	`+},`
	`184`	`+})`
	`185`	`+require.NoError(t,err)`
	`186`	`+require.Len(t,alogs.AuditLogs,1)`
	`187`	`+})`
`138`	`188`	`}`
`139`	`189`
`140`	`190`	`funcTestAuditLogsFilter(t*testing.T) {`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 13 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1200,12 +1200,21 @@ func (q *querier) GetApplicationName(ctx context.Context) (string, error) {`
`1200`	`1200`	`}`
`1201`	`1201`
`1202`	`1202`	`func (q*querier)GetAuditLogsOffset(ctx context.Context,arg database.GetAuditLogsOffsetParams) ([]database.GetAuditLogsOffsetRow,error) {`
`1203`		`-// To optimize audit logs, we only check the global audit log permission once.`
`1204`		`-// This is because we expect a large unbounded set of audit logs, and applying a SQL`
`1205`		`-// filter would slow down the query for no benefit.`
`1206`		`-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceAuditLog);err!=nil {`
	`1203`	`+// To optimize the authz checks for audit logs, do not run an authorize`
	`1204`	`+// check on each individual audit log row. In practice, audit logs are either`
	`1205`	`+// fetched from a global or an organization scope.`
	`1206`	`+// Applying a SQL filter would slow down the query for no benefit on how this query is`
	`1207`	`+// actually used.`
	`1208`	`+`
	`1209`	`+object:=rbac.ResourceAuditLog`
	`1210`	`+ifarg.OrganizationID!=uuid.Nil {`
	`1211`	`+object=object.InOrg(arg.OrganizationID)`
	`1212`	`+}`
	`1213`	`+`
	`1214`	`+iferr:=q.authorizeContext(ctx,policy.ActionRead,object);err!=nil {`
`1207`	`1215`	`returnnil,err`
`1208`	`1216`	`}`
	`1217`	`+`
`1209`	`1218`	`returnq.db.GetAuditLogsOffset(ctx,arg)`
`1210`	`1219`	`}`
`1211`	`1220`

`‎coderd/database/dbmem/dbmem.go`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1928,6 +1928,9 @@ func (q *FakeQuerier) GetAuditLogsOffset(_ context.Context, arg database.GetAudi`
`1928`	`1928`	`arg.Offset--`
`1929`	`1929`	`continue`
`1930`	`1930`	`}`
	`1931`	`+ifarg.OrganizationID!=uuid.Nil&&arg.OrganizationID!=alog.OrganizationID {`
	`1932`	`+continue`
	`1933`	`+}`
`1931`	`1934`	`ifarg.Action!=""&&!strings.Contains(string(alog.Action),arg.Action) {`
`1932`	`1935`	`continue`
`1933`	`1936`	`}`

`‎coderd/database/queries.sql.go`

Lines changed: 24 additions & 16 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/auditlogs.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,12 @@ WHERE`
`59`	`59`	`resource_id= @resource_id`
`60`	`60`	`ELSE true`
`61`	`61`	`END`
	`62`	`+-- Filter organization_id`
	`63`	`+AND CASE`
	`64`	`+WHEN @organization_id :: uuid!='00000000-0000-0000-0000-000000000000'::uuid THEN`
	`65`	`+audit_logs.organization_id= @organization_id`
	`66`	`+ELSE true`
	`67`	`+END`
`62`	`68`	`-- Filter by resource_target`
`63`	`69`	`AND CASE`
`64`	`70`	`WHEN @resource_target ::text!='' THEN`

`‎coderd/members.go`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -176,10 +176,11 @@ func (api API) putMemberRoles(rw http.ResponseWriter, r http.Request) {`
`176`	`176`	`apiKey=httpmw.APIKey(r)`
`177`	`177`	`auditor=api.Auditor.Load()`
`178`	`178`	`aReq,commitAudit=audit.InitRequest[database.AuditableOrganizationMember](rw,&audit.RequestParams{`
`179`		`-Audit:*auditor,`
`180`		`-Log:api.Logger,`
`181`		`-Request:r,`
`182`		`-Action:database.AuditActionWrite,`
	`179`	`+OrganizationID:organization.ID,`
	`180`	`+Audit:*auditor,`
	`181`	`+Log:api.Logger,`
	`182`	`+Request:r,`
	`183`	`+Action:database.AuditActionWrite,`
`183`	`184`	`})`
`184`	`185`	`)`
`185`	`186`	`aReq.Old=member.OrganizationMember.Auditable(member.Username)`

`‎coderd/searchquery/search.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ func AuditLogs(query string) (database.GetAuditLogsOffsetParams, []codersdk.Vali`
`30`	`30`	`constdateLayout="2006-01-02"`
`31`	`31`	`parser:=httpapi.NewQueryParamParser()`
`32`	`32`	`filter:= database.GetAuditLogsOffsetParams{`
	`33`	`+OrganizationID:parser.UUID(values,uuid.Nil,"organization_id"),`
`33`	`34`	`ResourceID:parser.UUID(values,uuid.Nil,"resource_id"),`
`34`	`35`	`ResourceTarget:parser.String(values,"","resource_target"),`
`35`	`36`	`Username:parser.String(values,"","username"),`

`‎codersdk/audit.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,7 @@ type CreateTestAuditLogRequest struct {`
`161`	`161`	AdditionalFields json.RawMessage`json:"additional_fields,omitempty"`
`162`	`162`	Time time.Time`json:"time,omitempty" format:"date-time"`
`163`	`163`	BuildReasonBuildReason`json:"build_reason,omitempty" enums:"autostart,autostop,initiator"`
	`164`	+OrganizationID uuid.UUID`json:"organization_id,omitempty" format:"uuid"`
`164`	`165`	`}`
`165`	`166`
`166`	`167`	`// AuditLogs retrieves audit logs from the given page.`

`‎docs/api/schemas.md`

Lines changed: 2 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎site/src/api/typesGenerated.ts`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit08e728b

File tree

13 files changed

13 files changed

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/audit.go`

`‎coderd/audit_test.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbmem/dbmem.go`

`‎coderd/database/queries.sql.go`

`‎coderd/database/queries/auditlogs.sql`

`‎coderd/members.go`

`‎coderd/searchquery/search.go`

`‎codersdk/audit.go`

`‎docs/api/schemas.md`

`‎site/src/api/typesGenerated.ts`

0 commit comments