Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitbd6e91e

Browse files
authored
fix(coderd): add audit log on creating a new session key (#19672)
Fixes#19671(re-?)Adds an audit log entry when an API key is created via `coderlogin`.NOTE: This does _not_ backfill audit logs.<img width="1354" height="207" alt="Screenshot 2025-09-02 at 14 16 24"src="https://github.com/user-attachments/assets/921e85c1-eced-4a19-9d37-8f84f4af1e73"/>
1 parent12bce12 commitbd6e91e

File tree

2 files changed

+36
-5
lines changed

2 files changed

+36
-5
lines changed

‎coderd/apikey.go‎

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -131,8 +131,19 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
131131
// @Success 201 {object} codersdk.GenerateAPIKeyResponse
132132
// @Router /users/{user}/keys [post]
133133
func (api*API)postAPIKey(rw http.ResponseWriter,r*http.Request) {
134-
ctx:=r.Context()
135-
user:=httpmw.UserParam(r)
134+
var (
135+
ctx=r.Context()
136+
user=httpmw.UserParam(r)
137+
auditor=api.Auditor.Load()
138+
aReq,commitAudit=audit.InitRequest[database.APIKey](rw,&audit.RequestParams{
139+
Audit:*auditor,
140+
Log:api.Logger,
141+
Request:r,
142+
Action:database.AuditActionCreate,
143+
})
144+
)
145+
aReq.Old= database.APIKey{}
146+
defercommitAudit()
136147

137148
// TODO(Cian): System users technically just have the 'member' role
138149
// and we don't want to disallow all members from creating API keys.
@@ -142,7 +153,7 @@ func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
142153
return
143154
}
144155

145-
cookie,_,err:=api.createAPIKey(ctx, apikey.CreateParams{
156+
cookie,key,err:=api.createAPIKey(ctx, apikey.CreateParams{
146157
UserID:user.ID,
147158
DefaultLifetime:api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
148159
LoginType:database.LoginTypePassword,
@@ -156,6 +167,7 @@ func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
156167
return
157168
}
158169

170+
aReq.New=*key
159171
// We intentionally do not set the cookie on the response here.
160172
// Setting the cookie will couple the browser session to the API
161173
// key we return here, meaning logging out of the website would

‎coderd/apikey_test.go‎

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ package coderd_test
22

33
import (
44
"context"
5+
"encoding/json"
56
"net/http"
67
"strings"
78
"testing"
@@ -303,14 +304,32 @@ func TestSessionExpiry(t *testing.T) {
303304

304305
funcTestAPIKey_OK(t*testing.T) {
305306
t.Parallel()
307+
308+
// Given: a deployment with auditing enabled
306309
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)
307310
defercancel()
308-
client:=coderdtest.New(t,&coderdtest.Options{IncludeProvisionerDaemon:true})
309-
_=coderdtest.CreateFirstUser(t,client)
311+
auditor:=audit.NewMock()
312+
client:=coderdtest.New(t,&coderdtest.Options{Auditor:auditor})
313+
owner:=coderdtest.CreateFirstUser(t,client)
314+
auditor.ResetLogs()
310315

316+
// When: an API key is created
311317
res,err:=client.CreateAPIKey(ctx,codersdk.Me)
312318
require.NoError(t,err)
313319
require.Greater(t,len(res.Key),2)
320+
321+
// Then: an audit log is generated
322+
als:=auditor.AuditLogs()
323+
require.Len(t,als,1)
324+
al:=als[0]
325+
assert.Equal(t,owner.UserID,al.UserID)
326+
assert.Equal(t,database.AuditActionCreate,al.Action)
327+
assert.Equal(t,database.ResourceTypeApiKey,al.ResourceType)
328+
329+
// Then: the diff MUST NOT contain the generated key.
330+
raw,err:=json.Marshal(al)
331+
require.NoError(t,err)
332+
require.NotContains(t,res.Key,string(raw))
314333
}
315334

316335
funcTestAPIKey_Deleted(t*testing.T) {

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp