Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

fix(coderd): add audit log on creating a new session key (#19672)#19684

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
johnstcn merged 1 commit intorelease/2.25fromcj/release/2.25/gh-19672
Sep 3, 2025
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 15 additions & 3 deletionscoderd/apikey.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -131,8 +131,19 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
// @Success 201 {object} codersdk.GenerateAPIKeyResponse
// @Router /users/{user}/keys [post]
func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
user := httpmw.UserParam(r)
var (
ctx = r.Context()
user = httpmw.UserParam(r)
auditor = api.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionCreate,
})
)
aReq.Old = database.APIKey{}
defer commitAudit()

// TODO(Cian): System users technically just have the 'member' role
// and we don't want to disallow all members from creating API keys.
Expand All@@ -142,7 +153,7 @@ func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
return
}

cookie,_, err := api.createAPIKey(ctx, apikey.CreateParams{
cookie,key, err := api.createAPIKey(ctx, apikey.CreateParams{
UserID: user.ID,
DefaultLifetime: api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
LoginType: database.LoginTypePassword,
Expand All@@ -156,6 +167,7 @@ func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
return
}

aReq.New = *key
// We intentionally do not set the cookie on the response here.
// Setting the cookie will couple the browser session to the API
// key we return here, meaning logging out of the website would
Expand Down
23 changes: 21 additions & 2 deletionscoderd/apikey_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -2,6 +2,7 @@ package coderd_test

import (
"context"
"encoding/json"
"net/http"
"strings"
"testing"
Expand DownExpand Up@@ -303,14 +304,32 @@ func TestSessionExpiry(t *testing.T) {

func TestAPIKey_OK(t *testing.T) {
t.Parallel()

// Given: a deployment with auditing enabled
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
_ = coderdtest.CreateFirstUser(t, client)
auditor := audit.NewMock()
client := coderdtest.New(t, &coderdtest.Options{Auditor: auditor})
owner := coderdtest.CreateFirstUser(t, client)
auditor.ResetLogs()

// When: an API key is created
res, err := client.CreateAPIKey(ctx, codersdk.Me)
require.NoError(t, err)
require.Greater(t, len(res.Key), 2)

// Then: an audit log is generated
als := auditor.AuditLogs()
require.Len(t, als, 1)
al := als[0]
assert.Equal(t, owner.UserID, al.UserID)
assert.Equal(t, database.AuditActionCreate, al.Action)
assert.Equal(t, database.ResourceTypeApiKey, al.ResourceType)

// Then: the diff MUST NOT contain the generated key.
raw, err := json.Marshal(al)
require.NoError(t, err)
require.NotContains(t, res.Key, string(raw))
}

func TestAPIKey_Deleted(t *testing.T) {
Expand Down
Loading
[8]ページ先頭
©2009-2025 Movatter.jp