Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: Auditing group members as part of group resource#5730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Kira-Pilot merged 12 commits intomainfromaudit-group-and-members/kira-pilot
Jan 18, 2023
Merged
Show file tree
Hide file tree
Changes from10 commits
Commits
Show all changes
12 commits
Select commitHold shift + click to select a range
6c73cf3
added AuditableGroup type
Kira-PilotJan 16, 2023
40842b9
added json tags
Kira-PilotJan 17, 2023
f4e5801
Anonymizing gGroup struct
Kira-PilotJan 17, 2023
c478e9a
adding support on the FE for nested group diffs
Kira-PilotJan 17, 2023
ed17aa8
Merge remote-tracking branch 'origin/main' into audit-group-and-membe…
Kira-PilotJan 17, 2023
25bbb3a
added type for GroupMember
Kira-PilotJan 17, 2023
6b5f134
Update coderd/database/modelmethods.go
Kira-PilotJan 17, 2023
d33b330
Update coderd/database/modelmethods.go
Kira-PilotJan 17, 2023
240c004
fetching group members in group.delete
Kira-PilotJan 17, 2023
921107c
Merge branch 'audit-group-and-members/kira-pilot' of github.com:coder…
Kira-PilotJan 17, 2023
2ffcab8
passing through right error
Kira-PilotJan 17, 2023
66acf51
broke out into util function and added tests
Kira-PilotJan 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletionscoderd/audit.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -464,6 +464,8 @@ func resourceTypeFromString(resourceTypeString string) string {
return resourceTypeString
case codersdk.ResourceTypeAPIKey:
return resourceTypeString
case codersdk.ResourceTypeGroup:
return resourceTypeString
}
return ""
}
Expand Down
4 changes: 2 additions & 2 deletionscoderd/audit/diff.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -16,8 +16,8 @@ type Auditable interface {
database.User |
database.Workspace |
database.GitSSHKey |
database.Group |
database.WorkspaceBuild
database.WorkspaceBuild |
database.AuditableGroup
}

// Map is a map of changed fields in an audited resource. It maps field names to
Expand Down
10 changes: 5 additions & 5 deletionscoderd/audit/request.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -64,8 +64,8 @@ func ResourceTarget[T Auditable](tgt T) string {
return ""
case database.GitSSHKey:
return typed.PublicKey
case database.Group:
return typed.Name
case database.AuditableGroup:
return typed.Group.Name
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand All@@ -87,8 +87,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.ID
case database.GitSSHKey:
return typed.UserID
case database.Group:
return typed.ID
case database.AuditableGroup:
return typed.Group.ID
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand All@@ -110,7 +110,7 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
return database.ResourceTypeWorkspaceBuild
case database.GitSSHKey:
return database.ResourceTypeGitSshKey
case database.Group:
case database.AuditableGroup:
return database.ResourceTypeGroup
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
Expand Down
29 changes: 29 additions & 0 deletionscoderd/database/modelmethods.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,38 @@
package database

import (
"sort"

"github.com/coder/coder/coderd/rbac"
)

type AuditableGroup struct {
Group
Members []GroupMember `json:"members"`
}

// Auditable returns an object that can be used in audit logs.
// Covers both group and group member changes.
func (g Group) Auditable(users []User) AuditableGroup {
members := make([]GroupMember, 0, len(users))
for _, u := range users {
members = append(members, GroupMember{
UserID: u.ID,
GroupID: g.ID,
})
}

// consistent ordering
sort.Slice(members, func(i, j int) bool {
return members[i].UserID.String() < members[j].UserID.String()
})

return AuditableGroup{
Group: g,
Members: members,
}
}

const AllUsersGroup = "Everyone"

func (s APIKeyScope) ToRBAC() rbac.Scope {
Expand Down
15 changes: 8 additions & 7 deletionsenterprise/audit/table.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -105,13 +105,6 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"ttl": ActionTrack,
"last_used_at": ActionIgnore,
},
&database.Group{}: {
"id": ActionTrack,
"name": ActionTrack,
"organization_id": ActionIgnore, // Never changes.
"avatar_url": ActionTrack,
"quota_allowance": ActionTrack,
},
// We don't show any diff for the WorkspaceBuild resource
&database.WorkspaceBuild{}: {
"id": ActionIgnore,
Expand All@@ -128,6 +121,14 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"reason": ActionIgnore,
"daily_cost": ActionIgnore,
},
&database.AuditableGroup{}: {
"id": ActionTrack,
"name": ActionTrack,
"organization_id": ActionIgnore, // Never changes.
"avatar_url": ActionTrack,
"quota_allowance": ActionTrack,
"members": ActionTrack,
},
})

// auditMap converts a map of struct pointers to a map of struct names as
Expand Down
36 changes: 26 additions & 10 deletionsenterprise/coderd/groups.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -32,7 +32,7 @@ func (api *API) postGroupByOrganization(rw http.ResponseWriter, r *http.Request)
ctx = r.Context()
org = httpmw.OrganizationParam(r)
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.Group](rw, &audit.RequestParams{
aReq, commitAudit = audit.InitRequest[database.AuditableGroup](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Expand DownExpand Up@@ -75,7 +75,9 @@ func (api *API) postGroupByOrganization(rw http.ResponseWriter, r *http.Request)
httpapi.InternalServerError(rw, err)
return
}
aReq.New = group

var emptyUsers []database.User
aReq.New = group.Auditable(emptyUsers)

httpapi.Write(ctx, rw, http.StatusCreated, convertGroup(group, nil))
}
Expand All@@ -93,15 +95,22 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
ctx = r.Context()
group = httpmw.GroupParam(r)
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.Group](rw, &audit.RequestParams{
aReq, commitAudit = audit.InitRequest[database.AuditableGroup](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionWrite,
})
)
defer commitAudit()
aReq.Old = group

currentMembers, currentMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
if currentMembersErr != nil {
httpapi.InternalServerError(rw, currentMembersErr)
return
}

aReq.Old = group.Auditable(currentMembers)

if !api.Authorize(r, rbac.ActionUpdate, group) {
http.NotFound(rw, r)
Expand DownExpand Up@@ -233,15 +242,15 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
return
}

members, err := api.Database.GetGroupMembers(ctx, group.ID)
iferr != nil {
patchedMembers, patchedMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
ifpatchedMembersErr != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Do these errors need to be named differently? It seems like the wrong error is being passed below.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Oops! Will fix. What convention do you like for naming errors? Just call themerr until there's a scoping conflict?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Unless you need multiple errors in scope at once, I would always just name themerr!

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Sounds good! Will update now.

httpapi.InternalServerError(rw, err)
return
}

aReq.New = group
aReq.New = group.Auditable(patchedMembers)

httpapi.Write(ctx, rw, http.StatusOK, convertGroup(group,members))
httpapi.Write(ctx, rw, http.StatusOK, convertGroup(group,patchedMembers))
}

// @Summary Delete group by name
Expand All@@ -257,15 +266,22 @@ func (api *API) deleteGroup(rw http.ResponseWriter, r *http.Request) {
ctx = r.Context()
group = httpmw.GroupParam(r)
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.Group](rw, &audit.RequestParams{
aReq, commitAudit = audit.InitRequest[database.AuditableGroup](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionDelete,
})
)
defer commitAudit()
aReq.Old = group

groupMembers, getGroupMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
if getGroupMembersErr != nil {
httpapi.InternalServerError(rw, getGroupMembersErr)
return
}

aReq.Old = group.Auditable(groupMembers)

if !api.Authorize(r, rbac.ActionDelete, group) {
httpapi.ResourceNotFound(rw)
Expand Down
5 changes: 2 additions & 3 deletionssite/src/components/AuditLogRow/AuditLogDiff.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -3,6 +3,7 @@ import { AuditLog } from "api/typesGenerated"
import { colors } from "theme/colors"
import { MONOSPACE_FONT_FAMILY } from "theme/constants"
import { combineClasses } from "util/combineClasses"
import { FC } from "react"

const getDiffValue = (value: unknown): string => {
if (typeof value === "string") {
Expand All@@ -21,9 +22,7 @@ const getDiffValue = (value: unknown): string => {
return value.toString()
}

export const AuditLogDiff: React.FC<{ diff: AuditLog["diff"] }> = ({
diff,
}) => {
export const AuditLogDiff: FC<{ diff: AuditLog["diff"] }> = ({ diff }) => {
const styles = useStyles()
const diffEntries = Object.entries(diff)

Expand Down
26 changes: 25 additions & 1 deletionsite/src/components/AuditLogRow/AuditLogRow.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -35,6 +35,11 @@ export interface AuditLogRowProps {
defaultIsDiffOpen?: boolean
}

interface GroupMember {
user_id: string
group_id: string
}

export const AuditLogRow: React.FC<AuditLogRowProps> = ({
auditLog,
defaultIsDiffOpen = false,
Expand All@@ -49,6 +54,25 @@ export const AuditLogRow: React.FC<AuditLogRowProps> = ({
? `${browser.name} ${browser.version}`
: t("auditLog:table.logRow.notAvailable")

let auditDiff = auditLog.diff
// groups have nested diffs (group members)
// so we overwrite the member diff such that
// only the user_id is shown.
if (auditLog.resource_type === "group") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Could you pull this out into a util function, maybe with a unit test?

Kira-Pilot reacted with thumbs up emoji
auditDiff = {
...auditLog.diff,
members: {
old: auditLog.diff.members.old?.map(
(groupMember: GroupMember) => groupMember.user_id,
),
new: auditLog.diff.members.new?.map(
(groupMember: GroupMember) => groupMember.user_id,
),
secret: auditLog.diff.members.secret,
},
}
}

const toggle = () => {
if (shouldDisplayDiff) {
setIsDiffOpen((v) => !v)
Expand DownExpand Up@@ -153,7 +177,7 @@ export const AuditLogRow: React.FC<AuditLogRowProps> = ({

{shouldDisplayDiff && (
<Collapse in={isDiffOpen}>
<AuditLogDiff diff={auditLog.diff} />
<AuditLogDiff diff={auditDiff} />
</Collapse>
)}
</TableCell>
Expand Down
[8]ページ先頭
©2009-2025 Movatter.jp