@@ -401,27 +401,22 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
401401}
402402committed = true
403403
404- if sw .Status == http .StatusSeeOther {
405- // Redirects aren't interesting as we will capture the audit
406- // log after the redirect.
407- //
408- // There's a case where we call httpmw.RedirectToLogin for
409- // path-based apps the user doesn't have access to, in which
410- // case the dashboard login redirect is used and we end up
411- // not hitting the workspaceapps API again due to dashboard
412- // showing 404. (Bug?)
413- return
414- }
415-
416404if aReq .dbReq == nil {
417405// App doesn't exist, there's information in the Request
418406// struct but we need UUIDs for audit logging.
419407return
420408}
421409
422- userID := uuid.NullUUID {}
410+ userID := uuid .Nil
423411if aReq .apiKey != nil {
424- userID = uuid.NullUUID {Valid :true ,UUID :aReq .apiKey .UserID }
412+ userID = aReq .apiKey .UserID
413+ }
414+ userAgent := r .UserAgent ()
415+
416+ // Approximation of the status code.
417+ statusCode := sw .Status
418+ if statusCode == 0 {
419+ statusCode = http .StatusOK
425420}
426421
427422type additionalFields struct {
@@ -443,50 +438,34 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
443438appInfo .SlugOrPort = aReq .dbReq .AppSlugOrPort
444439}
445440
441+ // If we end up logging, ensure relevant fields are set.
446442logger := p .Logger .With (
447443slog .F ("workspace_id" ,aReq .dbReq .Workspace .ID ),
448444slog .F ("agent_id" ,aReq .dbReq .Agent .ID ),
449445slog .F ("app_id" ,aReq .dbReq .App .ID ),
450- slog .F ("user_id" ,userID .UUID ),
446+ slog .F ("user_id" ,userID ),
447+ slog .F ("user_agent" ,userAgent ),
451448slog .F ("app_slug_or_port" ,appInfo .SlugOrPort ),
449+ slog .F ("status_code" ,statusCode ),
452450)
453451
454- appInfoBytes ,err := json .Marshal (appInfo )
455- if err != nil {
456- logger .Error (ctx ,"marshal additional fields failed" ,slog .Error (err ))
457- }
458-
459- var (
460- updatedIDs []uuid.UUID
461- sessionID = uuid .Nil
462- )
463- err = p .Database .InTx (func (tx database.Store )error {
452+ var startedAt time.Time
453+ err := p .Database .InTx (func (tx database.Store ) (err error ) {
464454// nolint:gocritic // System context is needed to write audit sessions.
465455dangerousSystemCtx := dbauthz .AsSystemRestricted (ctx )
466456
467- updatedIDs ,err = tx .UpdateWorkspaceAppAuditSession (dangerousSystemCtx , database.UpdateWorkspaceAppAuditSessionParams {
468- AgentID :aReq .dbReq .Agent .ID ,
469- AppID : uuid.NullUUID {Valid :aReq .dbReq .App .ID != uuid .Nil ,UUID :aReq .dbReq .App .ID },
470- UserID :userID ,
471- Ip :aReq .ip ,
472- SlugOrPort :appInfo .SlugOrPort ,
473- UpdatedAt :aReq .time ,
457+ startedAt ,err = tx .UpsertWorkspaceAppAuditSession (dangerousSystemCtx , database.UpsertWorkspaceAppAuditSessionParams {
458+ // Config.
474459StaleIntervalMS :p .WorkspaceAppAuditSessionTimeout .Milliseconds (),
475- })
476- if err != nil {
477- return xerrors .Errorf ("update workspace app audit session: %w" ,err )
478- }
479- if len (updatedIDs )> 0 {
480- // Session is valid and got updated, no need to create a new audit log.
481- return nil
482- }
483460
484- sessionID , err = tx . InsertWorkspaceAppAuditSession ( dangerousSystemCtx , database. InsertWorkspaceAppAuditSessionParams {
461+ // Data.
485462AgentID :aReq .dbReq .Agent .ID ,
486- AppID :uuid. NullUUID { Valid : aReq .dbReq .App .ID != uuid .Nil , UUID : aReq . dbReq . App . ID },
487- UserID :userID ,
463+ AppID :aReq .dbReq .App .ID , // Can be unset, in which case uuid.Nil is fine.
464+ UserID :userID ,// Can be unset, in which case uuid.Nil is fine.
488465Ip :aReq .ip ,
466+ UserAgent :userAgent ,
489467SlugOrPort :appInfo .SlugOrPort ,
468+ StatusCode :int32 (statusCode ),
490469StartedAt :aReq .time ,
491470UpdatedAt :aReq .time ,
492471})
@@ -504,34 +483,23 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
504483return
505484}
506485
507- if sessionID == uuid .Nil {
508- if sw .Status < 400 {
509- // Session was updated and no error occurred, no need to
510- // create a new audit log.
511- return
512- }
513- if len (updatedIDs )> 0 {
514- // Session was updated but an error occurred, we need to
515- // create a new audit log.
516- sessionID = updatedIDs [0 ]
517- }else {
518- // This shouldn't happen, but fall-back to request so it
519- // can be correlated to _something_.
520- sessionID = httpmw .RequestID (r )
521- }
486+ if ! startedAt .Equal (aReq .time ) {
487+ // If the unique session wasn't renewed, we don't want to log a new
488+ // audit event for it.
489+ return
522490}
523491
524- // Mimic the behavior of a HTTP status writer
525- // by defaulting to 200 if the status is 0.
526- status := sw .Status
527- if status == 0 {
528- status = http .StatusOK
492+ // Marshal additional fields only if we're writing an audit log entry.
493+ appInfoBytes ,err := json .Marshal (appInfo )
494+ if err != nil {
495+ logger .Error (ctx ,"marshal additional fields failed" ,slog .Error (err ))
529496}
530497
531498// We use the background audit function instead of init request
532499// here because we don't know the resource type ahead of time.
533500// This also allows us to log unauthenticated access.
534501auditor := * p .Auditor .Load ()
502+ requestID := httpmw .RequestID (r )
535503switch {
536504case aReq .dbReq .App .ID != uuid .Nil :
537505audit .BackgroundAudit (ctx ,& audit.BackgroundAuditParams [database.WorkspaceApp ]{
@@ -540,12 +508,12 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
540508
541509Action :database .AuditActionOpen ,
542510OrganizationID :aReq .dbReq .Workspace .OrganizationID ,
543- UserID :userID . UUID ,
544- RequestID :sessionID ,
511+ UserID :userID ,
512+ RequestID :requestID ,
545513Time :aReq .time ,
546- Status :status ,
514+ Status :statusCode ,
547515IP :aReq .ip .IPNet .IP .String (),
548- UserAgent :r . UserAgent () ,
516+ UserAgent :userAgent ,
549517New :aReq .dbReq .App ,
550518AdditionalFields :appInfoBytes ,
551519})
@@ -557,12 +525,12 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
557525
558526Action :database .AuditActionOpen ,
559527OrganizationID :aReq .dbReq .Workspace .OrganizationID ,
560- UserID :userID . UUID ,
561- RequestID :sessionID ,
528+ UserID :userID ,
529+ RequestID :requestID ,
562530Time :aReq .time ,
563- Status :status ,
531+ Status :statusCode ,
564532IP :aReq .ip .IPNet .IP .String (),
565- UserAgent :r . UserAgent () ,
533+ UserAgent :userAgent ,
566534New :aReq .dbReq .Agent ,
567535AdditionalFields :appInfoBytes ,
568536})