NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit25e92fd

authored

fix(audit): audit login/logout for new 3rd-party auth (#6733)

* fix(audit): audit login/logout for new 3rd-party auth* no longer auditing unknown users

1 parentdf31636 commit25e92fdCopy full SHA for 25e92fd

File tree

7 files changed

+15

-94

lines changed

coderd
- audit
  - request.go
- userauth.go
- userauth_test.go
- users_test.go
site/src
- components/AuditLogRow/AuditLogDescription
  - AuditLogDescription.test.tsx
  - AuditLogDescription.tsx
- testHelpers
  - entities.ts

7 files changed

+15

-94

lines changed

`‎coderd/audit/request.go`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -154,9 +154,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p RequestParams) (Request`
`154`	`154`	`ifResourceID(req.Old)==uuid.Nil&&ResourceID(req.New)==uuid.Nil {`
`155`	`155`	`// If the request action is a login or logout, we always want to audit it even if`
`156`	`156`	`// there is no diff. This is so we can capture events where an API Key is never created`
`157`		`-// because an unknown user fails to login.`
`158`		`-// TODO: introduce the concept of an anonymous user so we always have a userID even`
`159`		`-// when dealing with a mystery user. https://github.com/coder/coder/issues/6054`
	`157`	`+// because a known user fails to login.`
`160`	`158`	`ifreq.params.Action!=database.AuditActionLogin&&req.params.Action!=database.AuditActionLogout {`
`161`	`159`	`return`
`162`	`160`	`}`
`@@ -185,8 +183,13 @@ func InitRequest[T Auditable](w http.ResponseWriter, p RequestParams) (Request`
`185`	`183`	`key,ok:=httpmw.APIKeyOptional(p.Request)`
`186`	`184`	`ifok {`
`187`	`185`	`userID=key.UserID`
`188`		`-}else {`
	`186`	`+}elseifreq.UserID!=uuid.Nil{`
`189`	`187`	`userID=req.UserID`
	`188`	`+}else {`
	`189`	`+// if we do not have a user associated with the audit action`
	`190`	`+// we do not want to audit`
	`191`	`+// (this pertains to logins; we don't want to capture non-user login attempts)`
	`192`	`+return`
`190`	`193`	`}`
`191`	`194`
`192`	`195`	`ip:=parseIP(p.Request.RemoteAddr)`

`‎coderd/userauth.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -424,7 +424,6 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`424`	`424`	`})`
`425`	`425`	`return`
`426`	`426`	`}`
`427`		`-aReq.UserID=user.ID`
`428`	`427`
`429`	`428`	`cookie,key,err:=api.oauthLogin(r,oauthLoginParams{`
`430`	`429`	`User:user,`
`@@ -453,6 +452,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`453`	`452`	`return`
`454`	`453`	`}`
`455`	`454`	`aReq.New=key`
	`455`	`+aReq.UserID=key.UserID`
`456`	`456`
`457`	`457`	`http.SetCookie(rw,cookie)`
`458`	`458`
`@@ -714,7 +714,6 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`714`	`714`	`})`
`715`	`715`	`return`
`716`	`716`	`}`
`717`		`-aReq.UserID=user.ID`
`718`	`717`
`719`	`718`	`cookie,key,err:=api.oauthLogin(r,oauthLoginParams{`
`720`	`719`	`User:user,`
`@@ -745,6 +744,7 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`745`	`744`	`return`
`746`	`745`	`}`
`747`	`746`	`aReq.New=key`
	`747`	`+aReq.UserID=key.UserID`
`748`	`748`
`749`	`749`	`http.SetCookie(rw,cookie)`
`750`	`750`

`‎coderd/userauth_test.go`

Lines changed: 3 additions & 52 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"github.com/coreos/go-oidc/v3/oidc"`
`13`	`13`	`"github.com/golang-jwt/jwt"`
`14`	`14`	`"github.com/google/go-github/v43/github"`
	`15`	`+"github.com/google/uuid"`
`15`	`16`	`"github.com/stretchr/testify/assert"`
`16`	`17`	`"github.com/stretchr/testify/require"`
`17`	`18`	`"golang.org/x/oauth2"`
`@@ -64,9 +65,7 @@ func TestUserOAuth2Github(t *testing.T) {`
`64`	`65`
`65`	`66`	`t.Run("NotInAllowedOrganization",func(t*testing.T) {`
`66`	`67`	`t.Parallel()`
`67`		`-auditor:=audit.NewMock()`
`68`	`68`	`client:=coderdtest.New(t,&coderdtest.Options{`
`69`		`-Auditor:auditor,`
`70`	`69`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`71`	`70`	`OAuth2Config:&testutil.OAuth2Config{},`
`72`	`71`	`ListOrganizationMemberships:func(ctx context.Context,clienthttp.Client) ([]github.Membership,error) {`
`@@ -79,19 +78,13 @@ func TestUserOAuth2Github(t *testing.T) {`
`79`	`78`	`},`
`80`	`79`	`},`
`81`	`80`	`})`
`82`		`-numLogs:=len(auditor.AuditLogs)`
`83`	`81`
`84`	`82`	`resp:=oauth2Callback(t,client)`
`85`		`-numLogs++// add an audit log for login`
`86`	`83`	`require.Equal(t,http.StatusUnauthorized,resp.StatusCode)`
`87`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`88`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`89`	`84`	`})`
`90`	`85`	`t.Run("NotInAllowedTeam",func(t*testing.T) {`
`91`	`86`	`t.Parallel()`
`92`		`-auditor:=audit.NewMock()`
`93`	`87`	`client:=coderdtest.New(t,&coderdtest.Options{`
`94`		`-Auditor:auditor,`
`95`	`88`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`96`	`89`	`AllowOrganizations: []string{"coder"},`
`97`	`90`	`AllowTeams: []coderd.GithubOAuth2Team{{"another","something"}, {"coder","frontend"}},`
`@@ -114,20 +107,13 @@ func TestUserOAuth2Github(t *testing.T) {`
`114`	`107`	`},`
`115`	`108`	`},`
`116`	`109`	`})`
`117`		`-numLogs:=len(auditor.AuditLogs)`
`118`	`110`
`119`	`111`	`resp:=oauth2Callback(t,client)`
`120`		`-numLogs++// add an audit log for login`
`121`		`-`
`122`	`112`	`require.Equal(t,http.StatusUnauthorized,resp.StatusCode)`
`123`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`124`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`125`	`113`	`})`
`126`	`114`	`t.Run("UnverifiedEmail",func(t*testing.T) {`
`127`	`115`	`t.Parallel()`
`128`		`-auditor:=audit.NewMock()`
`129`	`116`	`client:=coderdtest.New(t,&coderdtest.Options{`
`130`		`-Auditor:auditor,`
`131`	`117`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`132`	`118`	`OAuth2Config:&testutil.OAuth2Config{},`
`133`	`119`	`AllowOrganizations: []string{"coder"},`
`@@ -150,23 +136,16 @@ func TestUserOAuth2Github(t *testing.T) {`
`150`	`136`	`},`
`151`	`137`	`},`
`152`	`138`	`})`
`153`		`-numLogs:=len(auditor.AuditLogs)`
`154`	`139`
`155`	`140`	`_=coderdtest.CreateFirstUser(t,client)`
`156`		`-numLogs++// add an audit log for user create`
`157`	`141`
`158`	`142`	`resp:=oauth2Callback(t,client)`
`159`		`-numLogs++// add an audit log for login`
`160`	`143`
`161`	`144`	`require.Equal(t,http.StatusBadRequest,resp.StatusCode)`
`162`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`163`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`164`	`145`	`})`
`165`	`146`	`t.Run("BlockSignups",func(t*testing.T) {`
`166`	`147`	`t.Parallel()`
`167`		`-auditor:=audit.NewMock()`
`168`	`148`	`client:=coderdtest.New(t,&coderdtest.Options{`
`169`		`-Auditor:auditor,`
`170`	`149`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`171`	`150`	`OAuth2Config:&testutil.OAuth2Config{},`
`172`	`151`	`AllowOrganizations: []string{"coder"},`
`@@ -190,20 +169,14 @@ func TestUserOAuth2Github(t *testing.T) {`
`190`	`169`	`},`
`191`	`170`	`},`
`192`	`171`	`})`
`193`		`-numLogs:=len(auditor.AuditLogs)`
`194`	`172`
`195`	`173`	`resp:=oauth2Callback(t,client)`
`196`		`-numLogs++// add an audit log for login`
`197`	`174`
`198`	`175`	`require.Equal(t,http.StatusForbidden,resp.StatusCode)`
`199`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`200`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`201`	`176`	`})`
`202`	`177`	`t.Run("MultiLoginNotAllowed",func(t*testing.T) {`
`203`	`178`	`t.Parallel()`
`204`		`-auditor:=audit.NewMock()`
`205`	`179`	`client:=coderdtest.New(t,&coderdtest.Options{`
`206`		`-Auditor:auditor,`
`207`	`180`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`208`	`181`	`OAuth2Config:&testutil.OAuth2Config{},`
`209`	`182`	`AllowOrganizations: []string{"coder"},`
`@@ -227,20 +200,15 @@ func TestUserOAuth2Github(t *testing.T) {`
`227`	`200`	`},`
`228`	`201`	`},`
`229`	`202`	`})`
`230`		`-numLogs:=len(auditor.AuditLogs)`
`231`	`203`
`232`	`204`	`// Creates the first user with login_type 'password'.`
`233`	`205`	`_=coderdtest.CreateFirstUser(t,client)`
`234`		`-numLogs++// add an audit log for user create`
`235`	`206`
`236`	`207`	`// Attempting to login should give us a 403 since the user`
`237`	`208`	`// already has a login_type of 'password'.`
`238`	`209`	`resp:=oauth2Callback(t,client)`
`239`		`-numLogs++// add an audit log for login`
`240`	`210`
`241`	`211`	`require.Equal(t,http.StatusForbidden,resp.StatusCode)`
`242`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`243`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`244`	`212`	`})`
`245`	`213`	`t.Run("Signup",func(t*testing.T) {`
`246`	`214`	`t.Parallel()`
`@@ -290,6 +258,7 @@ func TestUserOAuth2Github(t *testing.T) {`
`290`	`258`	`require.Equal(t,"/hello-world",user.AvatarURL)`
`291`	`259`
`292`	`260`	`require.Len(t,auditor.AuditLogs,numLogs)`
	`261`	`+require.NotEqual(t,auditor.AuditLogs[numLogs-1].UserID,uuid.Nil)`
`293`	`262`	`require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`294`	`263`	`})`
`295`	`264`	`t.Run("SignupAllowedTeam",func(t*testing.T) {`
`@@ -480,9 +449,7 @@ func TestUserOAuth2Github(t *testing.T) {`
`480`	`449`	`})`
`481`	`450`	`t.Run("SignupFailedInactiveInOrg",func(t*testing.T) {`
`482`	`451`	`t.Parallel()`
`483`		`-auditor:=audit.NewMock()`
`484`	`452`	`client:=coderdtest.New(t,&coderdtest.Options{`
`485`		`-Auditor:auditor,`
`486`	`453`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`487`	`454`	`AllowSignups:true,`
`488`	`455`	`AllowOrganizations: []string{"coder"},`
`@@ -513,14 +480,10 @@ func TestUserOAuth2Github(t *testing.T) {`
`513`	`480`	`},`
`514`	`481`	`},`
`515`	`482`	`})`
`516`		`-numLogs:=len(auditor.AuditLogs)`
`517`	`483`
`518`	`484`	`resp:=oauth2Callback(t,client)`
`519`		`-numLogs++// add an audit log for login`
`520`	`485`
`521`	`486`	`require.Equal(t,http.StatusUnauthorized,resp.StatusCode)`
`522`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`523`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`524`	`487`	`})`
`525`	`488`	`}`
`526`	`489`
`@@ -711,6 +674,7 @@ func TestUserOIDC(t *testing.T) {`
`711`	`674`	`require.Equal(t,tc.Username,user.Username)`
`712`	`675`
`713`	`676`	`require.Len(t,auditor.AuditLogs,numLogs)`
	`677`	`+require.NotEqual(t,auditor.AuditLogs[numLogs-1].UserID,uuid.Nil)`
`714`	`678`	`require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`715`	`679`	`}`
`716`	`680`
`@@ -784,33 +748,24 @@ func TestUserOIDC(t *testing.T) {`
`784`	`748`
`785`	`749`	`t.Run("NoIDToken",func(t*testing.T) {`
`786`	`750`	`t.Parallel()`
`787`		`-auditor:=audit.NewMock()`
`788`	`751`	`client:=coderdtest.New(t,&coderdtest.Options{`
`789`		`-Auditor:auditor,`
`790`	`752`	`OIDCConfig:&coderd.OIDCConfig{`
`791`	`753`	`OAuth2Config:&testutil.OAuth2Config{},`
`792`	`754`	`},`
`793`	`755`	`})`
`794`		`-numLogs:=len(auditor.AuditLogs)`
`795`	`756`
`796`	`757`	`resp:=oidcCallback(t,client,"asdf")`
`797`		`-numLogs++// add an audit log for login`
`798`		`-`
`799`	`758`	`require.Equal(t,http.StatusBadRequest,resp.StatusCode)`
`800`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`801`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`802`	`759`	`})`
`803`	`760`
`804`	`761`	`t.Run("BadVerify",func(t*testing.T) {`
`805`	`762`	`t.Parallel()`
`806`		`-auditor:=audit.NewMock()`
`807`	`763`	`verifier:=oidc.NewVerifier("",&oidc.StaticKeySet{`
`808`	`764`	`PublicKeys: []crypto.PublicKey{},`
`809`	`765`	`},&oidc.Config{})`
`810`	`766`	`provider:=&oidc.Provider{}`
`811`	`767`
`812`	`768`	`client:=coderdtest.New(t,&coderdtest.Options{`
`813`		`-Auditor:auditor,`
`814`	`769`	`OIDCConfig:&coderd.OIDCConfig{`
`815`	`770`	`OAuth2Config:&testutil.OAuth2Config{`
`816`	`771`	`Token: (&oauth2.Token{`
`@@ -823,14 +778,10 @@ func TestUserOIDC(t *testing.T) {`
`823`	`778`	`Verifier:verifier,`
`824`	`779`	`},`
`825`	`780`	`})`
`826`		`-numLogs:=len(auditor.AuditLogs)`
`827`	`781`
`828`	`782`	`resp:=oidcCallback(t,client,"asdf")`
`829`		`-numLogs++// add an audit log for login`
`830`	`783`
`831`	`784`	`require.Equal(t,http.StatusBadRequest,resp.StatusCode)`
`832`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`833`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`834`	`785`	`})`
`835`	`786`	`}`
`836`	`787`

`‎coderd/users_test.go`

Lines changed: 1 addition & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -92,24 +92,17 @@ func TestPostLogin(t *testing.T) {`
`92`	`92`	`t.Parallel()`
`93`	`93`	`t.Run("InvalidUser",func(t*testing.T) {`
`94`	`94`	`t.Parallel()`
`95`		`-auditor:=audit.NewMock()`
`96`		`-client:=coderdtest.New(t,&coderdtest.Options{Auditor:auditor})`
`97`		`-numLogs:=len(auditor.AuditLogs)`
`98`		`-`
	`95`	`+client:=coderdtest.New(t,nil)`
`99`	`96`	`ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
`100`	`97`	`defercancel()`
`101`	`98`
`102`	`99`	`_,err:=client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{`
`103`	`100`	`Email:"my@email.org",`
`104`	`101`	`Password:"password",`
`105`	`102`	`})`
`106`		`-numLogs++// add an audit log for login`
`107`	`103`	`varapiErr*codersdk.Error`
`108`	`104`	`require.ErrorAs(t,err,&apiErr)`
`109`	`105`	`require.Equal(t,http.StatusUnauthorized,apiErr.StatusCode())`
`110`		`-`
`111`		`-require.Len(t,auditor.AuditLogs,numLogs)`
`112`		`-require.Equal(t,database.AuditActionLogin,auditor.AuditLogs[numLogs-1].Action)`
`113`	`106`	`})`
`114`	`107`
`115`	`108`	`t.Run("BadPassword",func(t*testing.T) {`

`‎site/src/components/AuditLogRow/AuditLogDescription/AuditLogDescription.test.tsx`

Lines changed: 0 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@ import {`
`4`	`4`	`MockWorkspaceCreateAuditLogForDifferentOwner,`
`5`	`5`	`MockAuditLogSuccessfulLogin,`
`6`	`6`	`MockAuditLogUnsuccessfulLoginKnownUser,`
`7`		`-MockAuditLogUnsuccessfulLoginUnknownUser,`
`8`	`7`	`}from"testHelpers/entities"`
`9`	`8`	`import{AuditLogDescription}from"./AuditLogDescription"`
`10`	`9`	`import{AuditLogRow}from"../AuditLogRow"`
`@@ -101,25 +100,6 @@ describe("AuditLogDescription", () => {`
`101`	`100`	`),`
`102`	`101`	`).toBeInTheDocument()`
`103`	`102`
`104`		`-conststatusPill=screen.getByRole("status")`
`105`		`-expect(statusPill).toHaveTextContent("401")`
`106`		`-})`
`107`		`-it("renders the correct string for unsuccessful login for an unknown user",async()=>{`
`108`		`-render(<AuditLogRowauditLog={MockAuditLogUnsuccessfulLoginUnknownUser}/>)`
`109`		`-`
`110`		`-expect(`
`111`		`-screen.getByText(`
`112`		`-t("auditLog:table.logRow.description.unlinkedAuditDescription",{`
`113`		`-truncatedDescription:"an unknown user logged in",`
`114`		`-target:"",`
`115`		`-onBehalfOf:undefined,`
`116`		`-})`
`117`		`-.replace(/<[^>]*>/g," ")`
`118`		`-.replace(/\s{2,}/g," ")`
`119`		`-.trim(),`
`120`		`-),`
`121`		`-).toBeInTheDocument()`
`122`		`-`
`123`	`103`	`conststatusPill=screen.getByRole("status")`
`124`	`104`	`expect(statusPill).toHaveTextContent("401")`
`125`	`105`	`})`

`‎site/src/components/AuditLogRow/AuditLogDescription/AuditLogDescription.tsx`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ export const AuditLogDescription: FC<{ auditLog: AuditLog }> = ({`
`11`	`11`	`const{ t}=useTranslation("auditLog")`
`12`	`12`
`13`	`13`	`lettarget=auditLog.resource_target.trim()`
`14`		`-constuser=auditLog.user ?auditLog.user.username.trim() :"an unknown user"`
	`14`	`+constuser=auditLog.user?.username.trim()`
`15`	`15`
`16`	`16`	`if(auditLog.resource_type==="workspace_build"){`
`17`	`17`	`return<BuildAuditDescriptionauditLog={auditLog}/>`
`@@ -30,7 +30,7 @@ export const AuditLogDescription: FC<{ auditLog: AuditLog }> = ({`
`30`	`30`	`constonBehalfOf=`
`31`	`31`	`auditLog.additional_fields.workspace_owner&&`
`32`	`32`	`auditLog.additional_fields.workspace_owner!=="unknown"&&`
`33`		`-auditLog.additional_fields.workspace_owner!==auditLog.user?.username`
	`33`	`+auditLog.additional_fields.workspace_owner.trim()!==user`
`34`	`34`	?`on behalf of${auditLog.additional_fields.workspace_owner}`
`35`	`35`	`:""`
`36`	`36`

`‎site/src/testHelpers/entities.ts`

Lines changed: 0 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1384,12 +1384,6 @@ export const MockAuditLogUnsuccessfulLoginKnownUser: TypesGen.AuditLog = {`
`1384`	`1384`	`status_code:401,`
`1385`	`1385`	`}`
`1386`	`1386`
`1387`		`-exportconstMockAuditLogUnsuccessfulLoginUnknownUser:TypesGen.AuditLog={`
`1388`		`- ...MockAuditLogSuccessfulLogin,`
`1389`		`-status_code:401,`
`1390`		`-user:undefined,`
`1391`		`-}`
`1392`		`-`
`1393`	`1387`	`exportconstMockWorkspaceQuota:TypesGen.WorkspaceQuota={`
`1394`	`1388`	`credits_consumed:0,`
`1395`	`1389`	`budget:100,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit25e92fd

File tree

7 files changed

7 files changed

`‎coderd/audit/request.go`

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

`‎coderd/users_test.go`

`‎site/src/components/AuditLogRow/AuditLogDescription/AuditLogDescription.test.tsx`

`‎site/src/components/AuditLogRow/AuditLogDescription/AuditLogDescription.tsx`

`‎site/src/testHelpers/entities.ts`

0 commit comments