mirror of https://github.com/coder/coder.git
feat: audit addition and removal of licenses (#6125)
* added license audit resource * audit delete licenses * added filtering * remove logs * making the best of the current UUID situation * fixed lint * fix tests * regen docs * PR feedback * PR feedback
This commit is contained in:
parent
6e3330a03f
commit
5e60879fb8
|
@ -7258,7 +7258,8 @@ const docTemplate = `{
|
|||
"workspace_build",
|
||||
"git_ssh_key",
|
||||
"api_key",
|
||||
"group"
|
||||
"group",
|
||||
"license"
|
||||
],
|
||||
"x-enum-varnames": [
|
||||
"ResourceTypeTemplate",
|
||||
|
@ -7268,7 +7269,8 @@ const docTemplate = `{
|
|||
"ResourceTypeWorkspaceBuild",
|
||||
"ResourceTypeGitSSHKey",
|
||||
"ResourceTypeAPIKey",
|
||||
"ResourceTypeGroup"
|
||||
"ResourceTypeGroup",
|
||||
"ResourceTypeLicense"
|
||||
]
|
||||
},
|
||||
"codersdk.Response": {
|
||||
|
|
|
@ -6508,7 +6508,8 @@
|
|||
"workspace_build",
|
||||
"git_ssh_key",
|
||||
"api_key",
|
||||
"group"
|
||||
"group",
|
||||
"license"
|
||||
],
|
||||
"x-enum-varnames": [
|
||||
"ResourceTypeTemplate",
|
||||
|
@ -6518,7 +6519,8 @@
|
|||
"ResourceTypeWorkspaceBuild",
|
||||
"ResourceTypeGitSSHKey",
|
||||
"ResourceTypeAPIKey",
|
||||
"ResourceTypeGroup"
|
||||
"ResourceTypeGroup",
|
||||
"ResourceTypeLicense"
|
||||
]
|
||||
},
|
||||
"codersdk.Response": {
|
||||
|
|
|
@ -456,6 +456,8 @@ func resourceTypeFromString(resourceTypeString string) string {
|
|||
return resourceTypeString
|
||||
case codersdk.ResourceTypeGroup:
|
||||
return resourceTypeString
|
||||
case codersdk.ResourceTypeLicense:
|
||||
return resourceTypeString
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
|
|
@ -15,7 +15,8 @@ type Auditable interface {
|
|||
database.Workspace |
|
||||
database.GitSSHKey |
|
||||
database.WorkspaceBuild |
|
||||
database.AuditableGroup
|
||||
database.AuditableGroup |
|
||||
database.License
|
||||
}
|
||||
|
||||
// Map is a map of changed fields in an audited resource. It maps field names to
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
|
||||
"github.com/google/uuid"
|
||||
"github.com/tabbed/pqtype"
|
||||
|
@ -71,6 +72,8 @@ func ResourceTarget[T Auditable](tgt T) string {
|
|||
case database.APIKey:
|
||||
// this isn't used
|
||||
return ""
|
||||
case database.License:
|
||||
return strconv.Itoa(int(typed.ID))
|
||||
default:
|
||||
panic(fmt.Sprintf("unknown resource %T", tgt))
|
||||
}
|
||||
|
@ -94,6 +97,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
|
|||
return typed.Group.ID
|
||||
case database.APIKey:
|
||||
return typed.UserID
|
||||
case database.License:
|
||||
return typed.UUID
|
||||
default:
|
||||
panic(fmt.Sprintf("unknown resource %T", tgt))
|
||||
}
|
||||
|
@ -117,6 +122,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
|
|||
return database.ResourceTypeGroup
|
||||
case database.APIKey:
|
||||
return database.ResourceTypeApiKey
|
||||
case database.License:
|
||||
return database.ResourceTypeLicense
|
||||
default:
|
||||
panic(fmt.Sprintf("unknown resource %T", tgt))
|
||||
}
|
||||
|
|
|
@ -93,7 +93,8 @@ CREATE TYPE resource_type AS ENUM (
|
|||
'git_ssh_key',
|
||||
'api_key',
|
||||
'group',
|
||||
'workspace_build'
|
||||
'workspace_build',
|
||||
'license'
|
||||
);
|
||||
|
||||
CREATE TYPE user_status AS ENUM (
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
|
||||
-- EXISTS".
|
|
@ -0,0 +1,3 @@
|
|||
ALTER TYPE resource_type
|
||||
ADD VALUE IF NOT EXISTS 'license';
|
||||
|
|
@ -883,6 +883,7 @@ const (
|
|||
ResourceTypeApiKey ResourceType = "api_key"
|
||||
ResourceTypeGroup ResourceType = "group"
|
||||
ResourceTypeWorkspaceBuild ResourceType = "workspace_build"
|
||||
ResourceTypeLicense ResourceType = "license"
|
||||
)
|
||||
|
||||
func (e *ResourceType) Scan(src interface{}) error {
|
||||
|
@ -930,7 +931,8 @@ func (e ResourceType) Valid() bool {
|
|||
ResourceTypeGitSshKey,
|
||||
ResourceTypeApiKey,
|
||||
ResourceTypeGroup,
|
||||
ResourceTypeWorkspaceBuild:
|
||||
ResourceTypeWorkspaceBuild,
|
||||
ResourceTypeLicense:
|
||||
return true
|
||||
}
|
||||
return false
|
||||
|
@ -947,6 +949,7 @@ func AllResourceTypeValues() []ResourceType {
|
|||
ResourceTypeApiKey,
|
||||
ResourceTypeGroup,
|
||||
ResourceTypeWorkspaceBuild,
|
||||
ResourceTypeLicense,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -22,6 +22,7 @@ const (
|
|||
ResourceTypeGitSSHKey ResourceType = "git_ssh_key"
|
||||
ResourceTypeAPIKey ResourceType = "api_key"
|
||||
ResourceTypeGroup ResourceType = "group"
|
||||
ResourceTypeLicense ResourceType = "license"
|
||||
)
|
||||
|
||||
func (r ResourceType) FriendlyString() string {
|
||||
|
@ -44,6 +45,8 @@ func (r ResourceType) FriendlyString() string {
|
|||
return "api key"
|
||||
case ResourceTypeGroup:
|
||||
return "group"
|
||||
case ResourceTypeLicense:
|
||||
return "license"
|
||||
default:
|
||||
return "unknown"
|
||||
}
|
||||
|
|
|
@ -14,6 +14,7 @@ We track the following resources:
|
|||
| APIKey<br><i>write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>expires_at</td><td>false</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>false</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>false</td></tr></tbody></table> |
|
||||
| Group<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr></tbody></table> |
|
||||
| GitSSHKey<br><i>create</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table> |
|
||||
| License<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>true</td></tr><tr><td>uuid</td><td>true</td></tr></tbody></table> |
|
||||
| Template<br><i>write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>is_private</td><td>true</td></tr><tr><td>min_autostart_interval</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
|
||||
| TemplateVersion<br><i>create, write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> |
|
||||
| User<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table> |
|
||||
|
|
|
@ -4054,6 +4054,7 @@ Parameter represents a set value for the scope.
|
|||
| `git_ssh_key` |
|
||||
| `api_key` |
|
||||
| `group` |
|
||||
| `license` |
|
||||
|
||||
## codersdk.Response
|
||||
|
||||
|
|
|
@ -13,16 +13,15 @@ import (
|
|||
// AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go -
|
||||
// depends upon it.
|
||||
var AuditActionMap = map[string][]codersdk.AuditAction{
|
||||
"GitSSHKey": {codersdk.AuditActionCreate},
|
||||
"OrganizationMember": {},
|
||||
"Organization": {},
|
||||
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
|
||||
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
|
||||
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"APIKey": {codersdk.AuditActionWrite},
|
||||
"GitSSHKey": {codersdk.AuditActionCreate},
|
||||
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
|
||||
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
|
||||
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
|
||||
"APIKey": {codersdk.AuditActionWrite},
|
||||
"License": {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
|
||||
}
|
||||
|
||||
type Action string
|
||||
|
@ -147,6 +146,15 @@ var AuditableResources = auditMap(map[any]map[string]Action{
|
|||
"ip_address": ActionIgnore,
|
||||
"scope": ActionIgnore,
|
||||
},
|
||||
// TODO: track an ID here when the below ticket is completed:
|
||||
// https://github.com/coder/coder/pull/6012
|
||||
&database.License{}: {
|
||||
"id": ActionIgnore,
|
||||
"uploaded_at": ActionTrack,
|
||||
"jwt": ActionIgnore,
|
||||
"exp": ActionTrack,
|
||||
"uuid": ActionTrack,
|
||||
},
|
||||
})
|
||||
|
||||
// auditMap converts a map of struct pointers to a map of struct names as
|
||||
|
|
|
@ -20,6 +20,7 @@ import (
|
|||
|
||||
"cdr.dev/slog"
|
||||
"github.com/coder/coder/coderd"
|
||||
"github.com/coder/coder/coderd/audit"
|
||||
"github.com/coder/coder/coderd/database"
|
||||
"github.com/coder/coder/coderd/httpapi"
|
||||
"github.com/coder/coder/coderd/rbac"
|
||||
|
@ -59,7 +60,18 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220
|
|||
// @Success 201 {object} codersdk.License
|
||||
// @Router /licenses [post]
|
||||
func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
var (
|
||||
ctx = r.Context()
|
||||
auditor = api.AGPL.Auditor.Load()
|
||||
aReq, commitAudit = audit.InitRequest[database.License](rw, &audit.RequestParams{
|
||||
Audit: *auditor,
|
||||
Log: api.Logger,
|
||||
Request: r,
|
||||
Action: database.AuditActionCreate,
|
||||
})
|
||||
)
|
||||
defer commitAudit()
|
||||
|
||||
if !api.AGPL.Authorize(r, rbac.ActionCreate, rbac.ResourceLicense) {
|
||||
httpapi.Forbidden(rw)
|
||||
return
|
||||
|
@ -119,6 +131,8 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
|
|||
})
|
||||
return
|
||||
}
|
||||
aReq.New = dl
|
||||
|
||||
err = api.updateEntitlements(ctx)
|
||||
if err != nil {
|
||||
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
||||
|
@ -186,11 +200,10 @@ func (api *API) licenses(rw http.ResponseWriter, r *http.Request) {
|
|||
// @Success 200
|
||||
// @Router /licenses/{id} [delete]
|
||||
func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
|
||||
httpapi.Forbidden(rw)
|
||||
return
|
||||
}
|
||||
var (
|
||||
ctx = r.Context()
|
||||
auditor = api.AGPL.Auditor.Load()
|
||||
)
|
||||
|
||||
idStr := chi.URLParam(r, "id")
|
||||
id, err := strconv.ParseInt(idStr, 10, 32)
|
||||
|
@ -201,6 +214,26 @@ func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
dl, err := api.Database.GetLicenseByID(ctx, int32(id))
|
||||
if err != nil {
|
||||
// don't fail the HTTP request simply because we cannot audit
|
||||
api.Logger.Warn(context.Background(), "could not retrieve license; cannot audit", slog.Error(err))
|
||||
}
|
||||
|
||||
aReq, commitAudit := audit.InitRequest[database.License](rw, &audit.RequestParams{
|
||||
Audit: *auditor,
|
||||
Log: api.Logger,
|
||||
Request: r,
|
||||
Action: database.AuditActionDelete,
|
||||
})
|
||||
defer commitAudit()
|
||||
aReq.Old = dl
|
||||
|
||||
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
|
||||
httpapi.Forbidden(rw)
|
||||
return
|
||||
}
|
||||
|
||||
_, err = api.Database.DeleteLicense(ctx, int32(id))
|
||||
if xerrors.Is(err, sql.ErrNoRows) {
|
||||
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
|
||||
|
|
|
@ -1183,6 +1183,7 @@ export type ResourceType =
|
|||
| "api_key"
|
||||
| "git_ssh_key"
|
||||
| "group"
|
||||
| "license"
|
||||
| "template"
|
||||
| "template_version"
|
||||
| "user"
|
||||
|
@ -1192,6 +1193,7 @@ export const ResourceTypes: ResourceType[] = [
|
|||
"api_key",
|
||||
"git_ssh_key",
|
||||
"group",
|
||||
"license",
|
||||
"template",
|
||||
"template_version",
|
||||
"user",
|
||||
|
|
Loading…
Reference in New Issue