feat: Auditing group members as part of group resource #5730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Jan 18, 2023
2 changes: 2 additions & 0 deletions coderd/audit.go
Expand Up @@ -464,6 +464,8 @@ func resourceTypeFromString(resourceTypeString string) string {
return resourceTypeString
case codersdk.ResourceTypeAPIKey:
return resourceTypeString
case codersdk.ResourceTypeGroup:
return resourceTypeString
}
return ""
}
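Review bot: The new `case codersdk.ResourceTypeGroup:` arm returns the same `resourceTypeString` as every other arm visible here, so the switch is acting as an allow-list of recognised resource-type strings, and the intent would be clearer as one multi-value case, `case codersdk.ResourceTypeAPIKey, codersdk.ResourceTypeGroup: return resourceTypeString`, rather than another copy of the two-line pattern. A doc comment along the lines of `// resourceTypeFromString returns its input when it names a known audit resource type and "" otherwise.` would make that contract explicit, since today it is only implied by the trailing `return ""`. resourceTypeFromString's header and earlier arms are outside this hunk.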
4 changes: 2 additions & 2 deletions coderd/audit/diff.go
Expand Up @@ -16,8 +16,8 @@ type Auditable interface {
database.User |
database.Workspace |
database.GitSSHKey |
database.Group |
database.WorkspaceBuild
database.WorkspaceBuild |
database.AuditableGroup
}

// Map is a map of changed fields in an audited resource. It maps field names to
10 changes: 5 additions & 5 deletions coderd/audit/request.go
Expand Up @@ -64,8 +64,8 @@ func ResourceTarget[T Auditable](tgt T) string {
return ""
case database.GitSSHKey:
return typed.PublicKey
case database.Group:
return typed.Name
case database.AuditableGroup:
return typed.Group.Name
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand All @@ -87,8 +87,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.ID
case database.GitSSHKey:
return typed.UserID
case database.Group:
return typed.ID
case database.AuditableGroup:
return typed.Group.ID
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand All @@ -110,7 +110,7 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
return database.ResourceTypeWorkspaceBuild
case database.GitSSHKey:
return database.ResourceTypeGitSshKey
case database.Group:
case database.AuditableGroup:
return database.ResourceTypeGroup
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
29 changes: 29 additions & 0 deletions coderd/database/modelmethods.go
@@ -1,9 +1,38 @@
package database

import (
"sort"

"github.com/coder/coder/coderd/rbac"
)

type AuditableGroup struct {
Group
Members []GroupMember `json:"members"`
}

// Auditable returns an object that can be used in audit logs.
// Covers both group and group member changes.
func (g Group) Auditable(users []User) AuditableGroup {
members := make([]GroupMember, 0, len(users))
for _, u := range users {
members = append(members, GroupMember{
UserID: u.ID,
GroupID: g.ID,
})
}

// consistent ordering
sort.Slice(members, func(i, j int) bool {
return members[i].UserID.String() < members[j].UserID.String()
})

return AuditableGroup{
Group: g,
Members: members,
}
}

const AllUsersGroup = "Everyone"

func (s APIKeyScope) ToRBAC() rbac.Scope {
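Review bot: AuditableGroup is an exported type with no doc comment, and the comparator handed to sort.Slice formats two UUIDs as strings on every comparison only to order them. A comment such as `// AuditableGroup is a Group together with its membership, the shape recorded in audit logs.` would cover the type, and if UserID is a uuid.UUID (a [16]byte) the identical order falls out of `bytes.Compare(members[i].UserID[:], members[j].UserID[:]) < 0` with no allocation, because the hex string form preserves raw byte order (this needs a `"bytes"` import). The `// consistent ordering` comment would carry more weight as `// sort by user ID so the audit diff does not change when only query order differs`, which is the reason the ordering matters for an audit trail. GroupMember and User are declared outside this hunk, so the field types are inferred.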
15 changes: 8 additions & 7 deletions enterprise/audit/table.go
Expand Up @@ -105,13 +105,6 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"ttl": ActionTrack,
"last_used_at": ActionIgnore,
},
&database.Group{}: {
"id": ActionTrack,
"name": ActionTrack,
"organization_id": ActionIgnore, // Never changes.
"avatar_url": ActionTrack,
"quota_allowance": ActionTrack,
},
// We don't show any diff for the WorkspaceBuild resource
&database.WorkspaceBuild{}: {
"id": ActionIgnore,
Expand All @@ -128,6 +121,14 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"reason": ActionIgnore,
"daily_cost": ActionIgnore,
},
&database.AuditableGroup{}: {
"id": ActionTrack,
"name": ActionTrack,
"organization_id": ActionIgnore, // Never changes.
"avatar_url": ActionTrack,
"quota_allowance": ActionTrack,
"members": ActionTrack,
},
})

// auditMap converts a map of struct pointers to a map of struct names as
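Review bot: `"members": ActionTrack` on the new AuditableGroup entry tracks a slice of structs rather than a scalar field, and judging by the frontend fixtures elsewhere in this PR the diff stores the complete old and new member lists, so a single-member change on a large group writes the entire roster into the audit row twice. That is probably acceptable for an audit trail, but it deserves a comment on the entry so nobody later assumes a per-member delta, e.g. `"members": ActionTrack, // whole-list diff of member IDs; the UI reduces it with determineGroupDiff`. Whether the diff logic resolves the embedded Group's fields to the `id`, `name`, `avatar_url` and `quota_allowance` keys listed here is not visible on this page; the fixtures imply it does, but a test asserting a group rename produces a `name` entry through AuditableGroup would pin it. AuditableResources begins outside this hunk.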
34 changes: 25 additions & 9 deletions enterprise/coderd/groups.go
Expand Up @@ -32,7 +32,7 @@ func (api *API) postGroupByOrganization(rw http.ResponseWriter, r *http.Request)
ctx = r.Context()
org = httpmw.OrganizationParam(r)
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.Group](rw, &audit.RequestParams{
aReq, commitAudit = audit.InitRequest[database.AuditableGroup](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Expand Down Expand Up @@ -75,7 +75,9 @@ func (api *API) postGroupByOrganization(rw http.ResponseWriter, r *http.Request)
httpapi.InternalServerError(rw, err)
return
}
aReq.New = group

var emptyUsers []database.User
aReq.New = group.Auditable(emptyUsers)

httpapi.Write(ctx, rw, http.StatusCreated, convertGroup(group, nil))
}
Expand All @@ -93,15 +95,22 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
ctx = r.Context()
group = httpmw.GroupParam(r)
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.Group](rw, &audit.RequestParams{
aReq, commitAudit = audit.InitRequest[database.AuditableGroup](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionWrite,
})
)
defer commitAudit()
aReq.Old = group

currentMembers, currentMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
if currentMembersErr != nil {
httpapi.InternalServerError(rw, currentMembersErr)
return
}

aReq.Old = group.Auditable(currentMembers)

if !api.Authorize(r, rbac.ActionUpdate, group) {
http.NotFound(rw, r)
Expand Down Expand Up @@ -233,15 +242,15 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
return
}

members, err := api.Database.GetGroupMembers(ctx, group.ID)
patchedMembers, err := api.Database.GetGroupMembers(ctx, group.ID)
if err != nil {
httpapi.InternalServerError(rw, err)
return
}

aReq.New = group
aReq.New = group.Auditable(patchedMembers)

httpapi.Write(ctx, rw, http.StatusOK, convertGroup(group, members))
httpapi.Write(ctx, rw, http.StatusOK, convertGroup(group, patchedMembers))
}

// @Summary Delete group by name
Expand All @@ -257,15 +266,22 @@ func (api *API) deleteGroup(rw http.ResponseWriter, r *http.Request) {
ctx = r.Context()
group = httpmw.GroupParam(r)
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.Group](rw, &audit.RequestParams{
aReq, commitAudit = audit.InitRequest[database.AuditableGroup](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionDelete,
})
)
defer commitAudit()
aReq.Old = group

groupMembers, getMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
if getMembersErr != nil {
httpapi.InternalServerError(rw, getMembersErr)
return
}

aReq.Old = group.Auditable(groupMembers)

if !api.Authorize(r, rbac.ActionDelete, group) {
httpapi.ResourceNotFound(rw)
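Review bot: In patchGroup the new `api.Database.GetGroupMembers(ctx, group.ID)` call runs before the `api.Authorize(r, rbac.ActionUpdate, group)` check, so every request, including those that will be refused with a 404, now performs a membership query, and a database error on that path answers 500 where the refusal path answers 404; deleteGroup has the same ordering around its `rbac.ActionDelete` check. Moving the fetch together with `aReq.Old = group.Auditable(currentMembers)` to just after the authorization check keeps the deny path free of database work and of that extra failure mode, provided commitAudit does not need Old populated for denied requests, which is worth confirming since the audit plumbing is outside this hunk. The error variables `currentMembersErr` and `getMembersErr` also depart from the `err` name the later GetGroupMembers call in patchGroup uses; reusing `err` keeps the handlers uniform. In postGroupByOrganization the two-line `emptyUsers` declaration can be `aReq.New = group.Auditable(nil)`, since Auditable only ranges over and takes the length of its argument. All three handlers start outside their hunks.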
5 changes: 2 additions & 3 deletions site/src/components/AuditLogRow/AuditLogDiff.tsx
Expand Up @@ -3,6 +3,7 @@ import { AuditLog } from "api/typesGenerated"
import { colors } from "theme/colors"
import { MONOSPACE_FONT_FAMILY } from "theme/constants"
import { combineClasses } from "util/combineClasses"
import { FC } from "react"

const getDiffValue = (value: unknown): string => {
if (typeof value === "string") {
Expand All @@ -21,9 +22,7 @@ const getDiffValue = (value: unknown): string => {
return value.toString()
}

export const AuditLogDiff: React.FC<{ diff: AuditLog["diff"] }> = ({
diff,
}) => {
export const AuditLogDiff: FC<{ diff: AuditLog["diff"] }> = ({ diff }) => {
const styles = useStyles()
const diffEntries = Object.entries(diff)

10 changes: 9 additions & 1 deletion site/src/components/AuditLogRow/AuditLogRow.tsx
Expand Up @@ -16,6 +16,7 @@ import userAgentParser from "ua-parser-js"
import { AuditLogDiff } from "./AuditLogDiff"
import i18next from "i18next"
import { AuditLogDescription } from "./AuditLogDescription"
import { determineGroupDiff } from "./auditUtils"

const httpStatusColor = (httpStatus: number): PaletteIndex => {
if (httpStatus >= 300 && httpStatus < 500) {
Expand Down Expand Up @@ -49,6 +50,13 @@ export const AuditLogRow: React.FC<AuditLogRowProps> = ({
? `${browser.name} ${browser.version}`
: t("auditLog:table.logRow.notAvailable")

let auditDiff = auditLog.diff

// groups have nested diffs (group members)
if (auditLog.resource_type === "group") {
Could you pull this out into a util function, maybe with a unit test?

auditDiff = determineGroupDiff(auditLog.diff)
}

const toggle = () => {
if (shouldDisplayDiff) {
setIsDiffOpen((v) => !v)
Expand Down Expand Up @@ -153,7 +161,7 @@ export const AuditLogRow: React.FC<AuditLogRowProps> = ({

{shouldDisplayDiff && (
<Collapse in={isDiffOpen}>
<AuditLogDiff diff={auditLog.diff} />
<AuditLogDiff diff={auditDiff} />
</Collapse>
)}
</TableCell>
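Review bot: `auditDiff` is introduced with `let` and reassigned in a single branch, while the surrounding declarations (`httpStatusColor`, `toggle`) are `const`; the same value is expressed without a mutable binding as `const auditDiff = auditLog.resource_type === "group" ? determineGroupDiff(auditLog.diff) : auditLog.diff`. The `// groups have nested diffs (group members)` comment would then sit directly above that line, which is where a reader looks for the reason the group case is special. AuditLogRow begins outside this hunk.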
122 changes: 122 additions & 0 deletions site/src/components/AuditLogRow/auditUtils.test.ts
@@ -0,0 +1,122 @@
import { determineGroupDiff } from "./auditUtils"

const auditDiffForNewGroup = {
id: {
old: "",
new: "e22e0eb9-625a-468b-b962-269b19473789",
secret: false,
},
members: {
new: [],
secret: false,
},
name: {
old: "",
new: "another-test-group",
secret: false,
},
}

const auditDiffForAddedGroupMember = {
members: {
old: [],
new: [
{
group_id: "e22e0eb9-625a-468b-b962-269b19473789",
user_id: "cea4c2b0-6373-4858-b26a-df3cbfce8845",
},
],
secret: false,
},
}

const auditDiffForRemovedGroupMember = {
members: {
old: [
{
group_id: "25793395-b093-4a3c-a473-9ecf9b243478",
user_id: "84d1cd5a-17e1-4022-898c-52e64256e737",
},
{
group_id: "25793395-b093-4a3c-a473-9ecf9b243478",
user_id: "cea4c2b0-6373-4858-b26a-df3cbfce8845",
},
],
new: [
{
group_id: "25793395-b093-4a3c-a473-9ecf9b243478",
user_id: "84d1cd5a-17e1-4022-898c-52e64256e737",
},
],
secret: false,
},
}

const AuditDiffForDeletedGroup = {
id: {
old: "25793395-b093-4a3c-a473-9ecf9b243478",
new: "",
secret: false,
},
members: {
old: [
{
group_id: "25793395-b093-4a3c-a473-9ecf9b243478",
user_id: "84d1cd5a-17e1-4022-898c-52e64256e737",
},
],
secret: false,
},
name: {
old: "test-group",
new: "",
secret: false,
},
}

describe("determineAuditDiff", () => {
it("auditDiffForNewGroup", () => {
// there should be no change as members are not added when a group is created
expect(determineGroupDiff(auditDiffForNewGroup)).toEqual(
auditDiffForNewGroup,
)
})

it("auditDiffForAddedGroupMember", () => {
const result = {
members: {
...auditDiffForAddedGroupMember.members,
new: ["cea4c2b0-6373-4858-b26a-df3cbfce8845"],
},
}

expect(determineGroupDiff(auditDiffForAddedGroupMember)).toEqual(result)
})

it("auditDiffForRemovedGroupMember", () => {
const result = {
members: {
...auditDiffForRemovedGroupMember.members,
old: [
"84d1cd5a-17e1-4022-898c-52e64256e737",
"cea4c2b0-6373-4858-b26a-df3cbfce8845",
],
new: ["84d1cd5a-17e1-4022-898c-52e64256e737"],
},
}

expect(determineGroupDiff(auditDiffForRemovedGroupMember)).toEqual(result)
})

it("AuditDiffForDeletedGroup", () => {
const result = {
...AuditDiffForDeletedGroup,
members: {
...AuditDiffForDeletedGroup.members,
old: ["84d1cd5a-17e1-4022-898c-52e64256e737"],
},
}

expect(determineGroupDiff(AuditDiffForDeletedGroup)).toEqual(result)
})
})
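Review bot: Every fixture carries a `members` key, so the path taken by a rename-only or quota-only group patch, whose diff has no `members` entry at all, is not covered; a constructed fixture such as `{ name: { old: "a", new: "b", secret: false } }` with an assertion that determineGroupDiff returns it unchanged would pin that the function neither throws nor injects a key for that case. The describe block is titled `"determineAuditDiff"` although the function under test is determineGroupDiff, and `AuditDiffForDeletedGroup` is the only fixture whose name is capitalised; aligning both with the other fixtures keeps test output searchable. The implementation in auditUtils.ts is not shown on this page, so its handling of a missing key is inferred from the creation case alone.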