NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit514d5b5

committed

feat(enterprise): add auditing to SCIM

1 parenta1db6d8 commit514d5b5Copy full SHA for 514d5b5

File tree

7 files changed

+138

-18

lines changed

coderd
- audit
  - request.go
- workspaces.go
enterprise/coderd
- scim.go
- scim_test.go
site/src
- pages/AuditPage/AuditLogRow/AuditLogDescription
  - AuditLogDescription.stories.tsx
  - AuditLogDescription.tsx
- testHelpers
  - entities.ts

7 files changed

+138

-18

lines changed

`‎coderd/audit/request.go`

Lines changed: 15 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import (`
`10`	`10`	`"net/http"`
`11`	`11`	`"strconv"`
`12`	`12`
	`13`	`+"github.com/davecgh/go-spew/spew"`
`13`	`14`	`"github.com/google/uuid"`
`14`	`15`	`"github.com/sqlc-dev/pqtype"`
`15`	`16`	`"go.opentelemetry.io/otel/baggage"`
`@@ -31,7 +32,7 @@ type RequestParams struct {`
`31`	`32`	`OrganizationID uuid.UUID`
`32`	`33`	`Request*http.Request`
`33`	`34`	`Action database.AuditAction`
`34`		`-AdditionalFieldsjson.RawMessage`
	`35`	`+AdditionalFieldsinterface{}`
`35`	`36`	`}`
`36`	`37`
`37`	`38`	`typeRequest[TAuditable]struct {`
`@@ -274,6 +275,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p RequestParams) (Request`
`274`	`275`	`ifsw.Status<400&&`
`275`	`276`	`req.params.Action!=database.AuditActionLogin&&req.params.Action!=database.AuditActionLogout {`
`276`	`277`	`diff:=Diff(p.Audit,req.Old,req.New)`
	`278`	`+fmt.Println("DIFFF",diff)`
`277`	`279`
`278`	`280`	`varerrerror`
`279`	`281`	`diffRaw,err=json.Marshal(diff)`
`@@ -283,8 +285,15 @@ func InitRequest[T Auditable](w http.ResponseWriter, p RequestParams) (Request`
`283`	`285`	`}`
`284`	`286`	`}`
`285`	`287`
`286`		`-ifp.AdditionalFields==nil {`
`287`		`-p.AdditionalFields=json.RawMessage("{}")`
	`288`	`+additionalFieldsRaw:=json.RawMessage("{}")`
	`289`	`+`
	`290`	`+ifp.AdditionalFields!=nil {`
	`291`	`+data,err:=json.Marshal(p.AdditionalFields)`
	`292`	`+iferr!=nil {`
	`293`	`+p.Log.Warn(logCtx,"marshal additional fields",slog.Error(err))`
	`294`	`+}else {`
	`295`	`+additionalFieldsRaw=json.RawMessage(data)`
	`296`	`+}`
`288`	`297`	`}`
`289`	`298`
`290`	`299`	`varuserID uuid.UUID`
`@@ -319,9 +328,11 @@ func InitRequest[T Auditable](w http.ResponseWriter, p RequestParams) (Request`
`319`	`328`	`Diff:diffRaw,`
`320`	`329`	`StatusCode:int32(sw.Status),`
`321`	`330`	`RequestID:httpmw.RequestID(p.Request),`
`322`		`-AdditionalFields:p.AdditionalFields,`
	`331`	`+AdditionalFields:additionalFieldsRaw,`
`323`	`332`	`OrganizationID:requireOrgID[T](logCtx,p.OrganizationID,p.Log),`
`324`	`333`	`}`
	`334`	`+fmt.Println("export")`
	`335`	`+spew.Dump(auditLog)`
`325`	`336`	`err:=p.Audit.Export(ctx,auditLog)`
`326`	`337`	`iferr!=nil {`
`327`	`338`	`p.Log.Error(logCtx,"export audit log",`

`‎coderd/workspaces.go`

Lines changed: 1 addition & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -361,17 +361,12 @@ func (api API) postWorkspacesByOrganization(rw http.ResponseWriter, r http.Req`
`361`	`361`	`}`
`362`	`362`	`)`
`363`	`363`
`364`		`-wriBytes,err:=json.Marshal(workspaceResourceInfo)`
`365`		`-iferr!=nil {`
`366`		`-api.Logger.Warn(ctx,"marshal workspace owner name")`
`367`		`-}`
`368`		`-`
`369`	`364`	`aReq,commitAudit:=audit.InitRequest[database.Workspace](rw,&audit.RequestParams{`
`370`	`365`	`Audit:*auditor,`
`371`	`366`	`Log:api.Logger,`
`372`	`367`	`Request:r,`
`373`	`368`	`Action:database.AuditActionCreate,`
`374`		`-AdditionalFields:wriBytes,`
	`369`	`+AdditionalFields:workspaceResourceInfo,`
`375`	`370`	`OrganizationID:organization.ID,`
`376`	`371`	`})`
`377`	`372`

`‎enterprise/coderd/scim.go`

Lines changed: 39 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,13 +15,16 @@ import (`
`15`	`15`	`"golang.org/x/xerrors"`
`16`	`16`
`17`	`17`	`agpl"github.com/coder/coder/v2/coderd"`
	`18`	`+"github.com/coder/coder/v2/coderd/audit"`
`18`	`19`	`"github.com/coder/coder/v2/coderd/database"`
`19`	`20`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`20`	`21`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`21`	`22`	`"github.com/coder/coder/v2/coderd/httpapi"`
`22`	`23`	`"github.com/coder/coder/v2/codersdk"`
`23`	`24`	`)`
`24`	`25`
	`26`	`+varSCIMAuditUserID=uuid.MustParse("1f688bd1-8d6a-4a17-ae93-d0761f3b0a09")`
	`27`	`+`
`25`	`28`	`func (api*API)scimEnabledMW(next http.Handler) http.Handler {`
`26`	`29`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`27`	`30`	`api.entitlementsMu.RLock()`
`@@ -118,6 +121,11 @@ type SCIMUser struct {`
`118`	`121`	}`json:"meta"`
`119`	`122`	`}`
`120`	`123`
	`124`	`+varSCIMAuditAdditionalFields=map[string]string{`
	`125`	`+"automatic_actor":"coder",`
	`126`	`+"automatic_subsystem":"scim",`
	`127`	`+}`
	`128`	`+`
`121`	`129`	`// scimPostUser creates a new user, or returns the existing user if it exists.`
`122`	`130`	`//`
`123`	`131`	`// @Summary SCIM 2.0: Create new user`
`@@ -135,6 +143,16 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`135`	`143`	`return`
`136`	`144`	`}`
`137`	`145`
	`146`	`+auditor:=*api.AGPL.Auditor.Load()`
	`147`	`+aReq,commitAudit:=audit.InitRequest[database.User](rw,&audit.RequestParams{`
	`148`	`+Audit:auditor,`
	`149`	`+Log:api.Logger,`
	`150`	`+Request:r,`
	`151`	`+Action:database.AuditActionCreate,`
	`152`	`+AdditionalFields:SCIMAuditAdditionalFields,`
	`153`	`+})`
	`154`	`+defercommitAudit()`
	`155`	`+`
`138`	`156`	`varsUserSCIMUser`
`139`	`157`	`err:=json.NewDecoder(r.Body).Decode(&sUser)`
`140`	`158`	`iferr!=nil {`
`@@ -170,7 +188,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`170`	`188`
`171`	`189`	`ifsUser.Active&&dbUser.Status==database.UserStatusSuspended {`
`172`	`190`	`//nolint:gocritic`
`173`		`-_,err=api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(r.Context()), database.UpdateUserStatusParams{`
	`191`	`+newUser,err:=api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(r.Context()), database.UpdateUserStatusParams{`
`174`	`192`	`ID:dbUser.ID,`
`175`	`193`	`// The user will get transitioned to Active after logging in.`
`176`	`194`	`Status:database.UserStatusDormant,`
`@@ -180,8 +198,13 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`180`	`198`	`_=handlerutil.WriteError(rw,err)`
`181`	`199`	`return`
`182`	`200`	`}`
	`201`	`+aReq.New=newUser`
	`202`	`+}else {`
	`203`	`+aReq.New=dbUser`
`183`	`204`	`}`
`184`	`205`
	`206`	`+aReq.Old=dbUser`
	`207`	`+`
`185`	`208`	`httpapi.Write(ctx,rw,http.StatusOK,sUser)`
`186`	`209`	`return`
`187`	`210`	`}`
`@@ -223,6 +246,8 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`223`	`246`	`_=handlerutil.WriteError(rw,err)`
`224`	`247`	`return`
`225`	`248`	`}`
	`249`	`+aReq.New=dbUser`
	`250`	`+aReq.UserID=dbUser.ID`
`226`	`251`
`227`	`252`	`sUser.ID=dbUser.ID.String()`
`228`	`253`	`sUser.UserName=dbUser.Username`
`@@ -248,6 +273,15 @@ func (api API) scimPatchUser(rw http.ResponseWriter, r http.Request) {`
`248`	`273`	`return`
`249`	`274`	`}`
`250`	`275`
	`276`	`+auditor:=*api.AGPL.Auditor.Load()`
	`277`	`+aReq,commitAudit:=audit.InitRequest[database.User](rw,&audit.RequestParams{`
	`278`	`+Audit:auditor,`
	`279`	`+Log:api.Logger,`
	`280`	`+Request:r,`
	`281`	`+Action:database.AuditActionWrite,`
	`282`	`+})`
	`283`	`+defercommitAudit()`
	`284`	`+`
`251`	`285`	`id:=chi.URLParam(r,"id")`
`252`	`286`
`253`	`287`	`varsUserSCIMUser`
`@@ -270,6 +304,8 @@ func (api API) scimPatchUser(rw http.ResponseWriter, r http.Request) {`
`270`	`304`	`_=handlerutil.WriteError(rw,err)`
`271`	`305`	`return`
`272`	`306`	`}`
	`307`	`+aReq.Old=dbUser`
	`308`	`+aReq.UserID=dbUser.ID`
`273`	`309`
`274`	`310`	`varstatus database.UserStatus`
`275`	`311`	`ifsUser.Active {`
`@@ -280,7 +316,7 @@ func (api API) scimPatchUser(rw http.ResponseWriter, r http.Request) {`
`280`	`316`	`}`
`281`	`317`
`282`	`318`	`//nolint:gocritic // needed for SCIM`
`283`		`-_,err=api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(r.Context()), database.UpdateUserStatusParams{`
	`319`	`+userNew,err:=api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(r.Context()), database.UpdateUserStatusParams{`
`284`	`320`	`ID:dbUser.ID,`
`285`	`321`	`Status:status,`
`286`	`322`	`UpdatedAt:dbtime.Now(),`
`@@ -289,6 +325,7 @@ func (api API) scimPatchUser(rw http.ResponseWriter, r http.Request) {`
`289`	`325`	`_=handlerutil.WriteError(rw,err)`
`290`	`326`	`return`
`291`	`327`	`}`
	`328`	`+aReq.New=userNew`
`292`	`329`
`293`	`330`	`httpapi.Write(ctx,rw,http.StatusOK,sUser)`
`294`	`331`	`}`

`‎enterprise/coderd/scim_test.go`

Lines changed: 31 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,9 @@ import (`
`11`	`11`	`"github.com/stretchr/testify/assert"`
`12`	`12`	`"github.com/stretchr/testify/require"`
`13`	`13`
	`14`	`+"github.com/coder/coder/v2/coderd/audit"`
	`15`	`+"github.com/coder/coder/v2/coderd/coderdtest"`
	`16`	`+"github.com/coder/coder/v2/coderd/database"`
`14`	`17`	`"github.com/coder/coder/v2/codersdk"`
`15`	`18`	`"github.com/coder/coder/v2/cryptorand"`
`16`	`19`	`"github.com/coder/coder/v2/enterprise/coderd"`
`@@ -109,21 +112,34 @@ func TestScim(t *testing.T) {`
`109`	`112`	`defercancel()`
`110`	`113`
`111`	`114`	`scimAPIKey:= []byte("hi")`
	`115`	`+mockAudit:=audit.NewMock()`
`112`	`116`	`client,_:=coderdenttest.New(t,&coderdenttest.Options{`
`113`		`-SCIMAPIKey:scimAPIKey,`
	`117`	`+Options:&coderdtest.Options{Auditor:mockAudit},`
	`118`	`+SCIMAPIKey:scimAPIKey,`
	`119`	`+AuditLogging:true,`
`114`	`120`	`LicenseOptions:&coderdenttest.LicenseOptions{`
`115`	`121`	`AccountID:"coolin",`
`116`	`122`	`Features: license.Features{`
`117`		`-codersdk.FeatureSCIM:1,`
	`123`	`+codersdk.FeatureSCIM:1,`
	`124`	`+codersdk.FeatureAuditLog:1,`
`118`	`125`	`},`
`119`	`126`	`},`
`120`	`127`	`})`
	`128`	`+mockAudit.ResetLogs()`
`121`	`129`
`122`	`130`	`sUser:=makeScimUser(t)`
`123`	`131`	`res,err:=client.Request(ctx,"POST","/scim/v2/Users",sUser,setScimAuth(scimAPIKey))`
`124`	`132`	`require.NoError(t,err)`
`125`	`133`	`deferres.Body.Close()`
`126`		`-assert.Equal(t,http.StatusOK,res.StatusCode)`
	`134`	`+require.Equal(t,http.StatusOK,res.StatusCode)`
	`135`	`+`
	`136`	`+aLogs:=mockAudit.AuditLogs()`
	`137`	`+require.Len(t,aLogs,1)`
	`138`	`+af:=map[string]string{}`
	`139`	`+err=json.Unmarshal([]byte(aLogs[0].AdditionalFields),&af)`
	`140`	`+require.NoError(t,err)`
	`141`	`+assert.Equal(t,coderd.SCIMAuditAdditionalFields,af)`
	`142`	`+assert.Equal(t,database.AuditActionCreate,aLogs[0].Action)`
`127`	`143`
`128`	`144`	`userRes,err:=client.Users(ctx, codersdk.UsersRequest{Search:sUser.Emails[0].Value})`
`129`	`145`	`require.NoError(t,err)`
`@@ -306,21 +322,27 @@ func TestScim(t *testing.T) {`
`306`	`322`	`defercancel()`
`307`	`323`
`308`	`324`	`scimAPIKey:= []byte("hi")`
	`325`	`+mockAudit:=audit.NewMock()`
`309`	`326`	`client,_:=coderdenttest.New(t,&coderdenttest.Options{`
`310`		`-SCIMAPIKey:scimAPIKey,`
	`327`	`+Options:&coderdtest.Options{Auditor:mockAudit},`
	`328`	`+SCIMAPIKey:scimAPIKey,`
	`329`	`+AuditLogging:true,`
`311`	`330`	`LicenseOptions:&coderdenttest.LicenseOptions{`
`312`	`331`	`AccountID:"coolin",`
`313`	`332`	`Features: license.Features{`
`314`		`-codersdk.FeatureSCIM:1,`
	`333`	`+codersdk.FeatureSCIM:1,`
	`334`	`+codersdk.FeatureAuditLog:1,`
`315`	`335`	`},`
`316`	`336`	`},`
`317`	`337`	`})`
	`338`	`+mockAudit.ResetLogs()`
`318`	`339`
`319`	`340`	`sUser:=makeScimUser(t)`
`320`	`341`	`res,err:=client.Request(ctx,"POST","/scim/v2/Users",sUser,setScimAuth(scimAPIKey))`
`321`	`342`	`require.NoError(t,err)`
`322`	`343`	`deferres.Body.Close()`
`323`	`344`	`assert.Equal(t,http.StatusOK,res.StatusCode)`
	`345`	`+mockAudit.ResetLogs()`
`324`	`346`
`325`	`347`	`err=json.NewDecoder(res.Body).Decode(&sUser)`
`326`	`348`	`require.NoError(t,err)`
`@@ -333,6 +355,10 @@ func TestScim(t *testing.T) {`
`333`	`355`	`_=res.Body.Close()`
`334`	`356`	`assert.Equal(t,http.StatusOK,res.StatusCode)`
`335`	`357`
	`358`	`+aLogs:=mockAudit.AuditLogs()`
	`359`	`+require.Len(t,aLogs,1)`
	`360`	`+assert.Equal(t,database.AuditActionWrite,aLogs[0].Action)`
	`361`	`+`
`336`	`362`	`userRes,err:=client.Users(ctx, codersdk.UsersRequest{Search:sUser.Emails[0].Value})`
`337`	`363`	`require.NoError(t,err)`
`338`	`364`	`require.Len(t,userRes.Users,1)`

`‎site/src/pages/AuditPage/AuditLogRow/AuditLogDescription/AuditLogDescription.stories.tsx`

Lines changed: 42 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -56,3 +56,45 @@ export const UnsuccessfulLoginForUnknownUser: Story = {`
`56`	`56`	`auditLog:MockAuditLogUnsuccessfulLoginKnownUser,`
`57`	`57`	`},`
`58`	`58`	`};`
	`59`	`+`
	`60`	`+exportconstCreateUser:Story={`
	`61`	`+args:{`
	`62`	`+auditLog:{`
	`63`	`+ ...MockAuditLog,`
	`64`	`+resource_type:"user",`
	`65`	`+resource_target:"colin",`
	`66`	`+description:"{user} created user {target}",`
	`67`	`+},`
	`68`	`+},`
	`69`	`+};`
	`70`	`+`
	`71`	`+exportconstSCIMCreateUser:Story={`
	`72`	`+args:{`
	`73`	`+auditLog:{`
	`74`	`+ ...MockAuditLog,`
	`75`	`+resource_type:"user",`
	`76`	`+resource_target:"colin",`
	`77`	`+description:"{user} created user {target}",`
	`78`	`+additional_fields:{`
	`79`	`+automatic_actor:"coder",`
	`80`	`+automatic_subsystem:"scim",`
	`81`	`+},`
	`82`	`+},`
	`83`	`+},`
	`84`	`+};`
	`85`	`+`
	`86`	`+exportconstSCIMUpdateUser:Story={`
	`87`	`+args:{`
	`88`	`+auditLog:{`
	`89`	`+ ...MockAuditLog,`
	`90`	`+action:"write",`
	`91`	`+resource_type:"user",`
	`92`	`+resource_target:"colin",`
	`93`	`+description:"{user} updated user {target}",`
	`94`	`+additional_fields:{`
	`95`	`+automatic_actor:"coder",`
	`96`	`+automatic_subsystem:"scim",`
	`97`	`+},`
	`98`	`+},`
	`99`	`+},`
	`100`	`+};`

`‎site/src/pages/AuditPage/AuditLogRow/AuditLogDescription/AuditLogDescription.tsx`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ export const AuditLogDescription: FC<AuditLogDescriptionProps> = ({`
`12`	`12`	`auditLog,`
`13`	`13`	`})=>{`
`14`	`14`	`lettarget=auditLog.resource_target.trim();`
`15`		`-constuser=auditLog.user?.username.trim();`
	`15`	`+letuser=auditLog.user?.username.trim();`
`16`	`16`
`17`	`17`	`if(auditLog.resource_type==="workspace_build"){`
`18`	`18`	`return<BuildAuditDescriptionauditLog={auditLog}/>;`
`@@ -23,6 +23,14 @@ export const AuditLogDescription: FC<AuditLogDescriptionProps> = ({`
`23`	`23`	`target="";`
`24`	`24`	`}`
`25`	`25`
	`26`	`+// This occurs when SCIM creates a user.`
	`27`	`+if(`
	`28`	`+auditLog.resource_type==="user"&&`
	`29`	`+auditLog.additional_fields?.automatic_actor==="coder"`
	`30`	`+){`
	`31`	`+user="Coder automatically";`
	`32`	`+}`
	`33`	`+`
`26`	`34`	`consttruncatedDescription=auditLog.description`
`27`	`35`	.replace("{user}",`${user}`)
`28`	`36`	`.replace("{target}","");`

`‎site/src/testHelpers/entities.ts`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2285,6 +2285,7 @@ export const MockWorkspaceQuota: TypesGen.WorkspaceQuota = {`
`2285`	`2285`	`budget:100,`
`2286`	`2286`	`};`
`2287`	`2287`
	`2288`	`+`
`2288`	`2289`	`exportconstMockGroup:TypesGen.Group={`
`2289`	`2290`	`id:"fbd2116a-8961-4954-87ae-e4575bd29ce0",`
`2290`	`2291`	`name:"Front-End",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit514d5b5

File tree

7 files changed

7 files changed

`‎coderd/audit/request.go`

`‎coderd/workspaces.go`

`‎enterprise/coderd/scim.go`

`‎enterprise/coderd/scim_test.go`

`‎site/src/pages/AuditPage/AuditLogRow/AuditLogDescription/AuditLogDescription.stories.tsx`

`‎site/src/pages/AuditPage/AuditLogRow/AuditLogDescription/AuditLogDescription.tsx`

`‎site/src/testHelpers/entities.ts`

0 commit comments