selfhosted
/
coder
mirror of https://github.com/coder/coder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat: audit addition and removal of licenses (#6125) 

* added license audit resource

* audit delete licenses

* added filtering

* remove logs

* making the best of the current UUID situation

* fixed lint

* fix tests

* regen docs

* PR feedback

* PR feedback
This commit is contained in:
Kira Pilot 2023-02-14 16:34:13 -05:00 committed by GitHub
parent 6e3330a03f
commit 5e60879fb8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 94 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
coderd/apidoc/docs.go generated
View File

@ -7258,7 +7258,8 @@ const docTemplate = `{
"workspace_build",
"git_ssh_key",
"api_key",
"group"
"group",
"license"
],
"x-enum-varnames": [
"ResourceTypeTemplate",
@ -7268,7 +7269,8 @@ const docTemplate = `{
"ResourceTypeWorkspaceBuild",
"ResourceTypeGitSSHKey",
"ResourceTypeAPIKey",
"ResourceTypeGroup"
"ResourceTypeGroup",
"ResourceTypeLicense"
]
},
"codersdk.Response": {

6
coderd/apidoc/swagger.json generated
View File

@ -6508,7 +6508,8 @@
"workspace_build",
"git_ssh_key",
"api_key",
"group"
"group",
"license"
],
"x-enum-varnames": [
"ResourceTypeTemplate",
@ -6518,7 +6519,8 @@
"ResourceTypeWorkspaceBuild",
"ResourceTypeGitSSHKey",
"ResourceTypeAPIKey",
"ResourceTypeGroup"
"ResourceTypeGroup",
"ResourceTypeLicense"
]
},
"codersdk.Response": {

2
coderd/audit.go
View File

@ -456,6 +456,8 @@ func resourceTypeFromString(resourceTypeString string) string {
return resourceTypeString
case codersdk.ResourceTypeGroup:
return resourceTypeString
case codersdk.ResourceTypeLicense:
return resourceTypeString
}
return ""
}

3
coderd/audit/diff.go
View File

@ -15,7 +15,8 @@ type Auditable interface {
database.Workspace |
database.GitSSHKey |
database.WorkspaceBuild |
database.AuditableGroup
database.AuditableGroup |
database.License
}
// Map is a map of changed fields in an audited resource. It maps field names to

7
coderd/audit/request.go
View File

@ -7,6 +7,7 @@ import (
"fmt"
"net"
"net/http"
"strconv"
"github.com/google/uuid"
"github.com/tabbed/pqtype"
@ -71,6 +72,8 @@ func ResourceTarget[T Auditable](tgt T) string {
case database.APIKey:
// this isn't used
return ""
case database.License:
return strconv.Itoa(int(typed.ID))
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
@ -94,6 +97,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.Group.ID
case database.APIKey:
return typed.UserID
case database.License:
return typed.UUID
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
@ -117,6 +122,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
return database.ResourceTypeGroup
case database.APIKey:
return database.ResourceTypeApiKey
case database.License:
return database.ResourceTypeLicense
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}

3
coderd/database/dump.sql generated
View File

@ -93,7 +93,8 @@ CREATE TYPE resource_type AS ENUM (
'git_ssh_key',
'api_key',
'group',
'workspace_build'
'workspace_build',
'license'
);
CREATE TYPE user_status AS ENUM (

2
coderd/database/migrations/000098_add_resource_type_license.down.sql Normal file
View File

@ -0,0 +1,2 @@
-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
-- EXISTS".

3
coderd/database/migrations/000098_add_resource_type_license.up.sql Normal file
View File

@ -0,0 +1,3 @@
ALTER TYPE resource_type
ADD VALUE IF NOT EXISTS 'license';

5
coderd/database/models.go
View File

@ -883,6 +883,7 @@ const (
ResourceTypeApiKey ResourceType = "api_key"
ResourceTypeGroup ResourceType = "group"
ResourceTypeWorkspaceBuild ResourceType = "workspace_build"
ResourceTypeLicense ResourceType = "license"
)
func (e *ResourceType) Scan(src interface{}) error {
@ -930,7 +931,8 @@ func (e ResourceType) Valid() bool {
ResourceTypeGitSshKey,
ResourceTypeApiKey,
ResourceTypeGroup,
ResourceTypeWorkspaceBuild:
ResourceTypeWorkspaceBuild,
ResourceTypeLicense:
return true
}
return false
@ -947,6 +949,7 @@ func AllResourceTypeValues() []ResourceType {
ResourceTypeApiKey,
ResourceTypeGroup,
ResourceTypeWorkspaceBuild,
ResourceTypeLicense,
}
}

3
codersdk/audit.go
View File

@ -22,6 +22,7 @@ const (
ResourceTypeGitSSHKey ResourceType = "git_ssh_key"
ResourceTypeAPIKey ResourceType = "api_key"
ResourceTypeGroup ResourceType = "group"
ResourceTypeLicense ResourceType = "license"
)
func (r ResourceType) FriendlyString() string {
@ -44,6 +45,8 @@ func (r ResourceType) FriendlyString() string {
return "api key"
case ResourceTypeGroup:
return "group"
case ResourceTypeLicense:
return "license"
default:
return "unknown"
}

1
docs/admin/audit-logs.md
View File

@ -14,6 +14,7 @@ We track the following resources:
| APIKey<br><i>write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>expires_at</td><td>false</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>false</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>false</td></tr></tbody></table> |
| Group<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr></tbody></table> |
| GitSSHKey<br><i>create</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table> |
| License<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>true</td></tr><tr><td>uuid</td><td>true</td></tr></tbody></table> |
| Template<br><i>write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>is_private</td><td>true</td></tr><tr><td>min_autostart_interval</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
| TemplateVersion<br><i>create, write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> |
| User<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table> |

1
docs/api/schemas.md
View File

@ -4054,6 +4054,7 @@ Parameter represents a set value for the scope.
| `git_ssh_key` |
| `api_key` |
| `group` |
| `license` |
## codersdk.Response

28
enterprise/audit/table.go
View File

@ -13,16 +13,15 @@ import (
// AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go -
// depends upon it.
var AuditActionMap = map[string][]codersdk.AuditAction{
"GitSSHKey": {codersdk.AuditActionCreate},
"OrganizationMember": {},
"Organization": {},
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"APIKey": {codersdk.AuditActionWrite},
"GitSSHKey": {codersdk.AuditActionCreate},
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"APIKey": {codersdk.AuditActionWrite},
"License": {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
}
type Action string
@ -147,6 +146,15 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"ip_address": ActionIgnore,
"scope": ActionIgnore,
},
// TODO: track an ID here when the below ticket is completed:
// https://github.com/coder/coder/pull/6012
&database.License{}: {
"id": ActionIgnore,
"uploaded_at": ActionTrack,
"jwt": ActionIgnore,
"exp": ActionTrack,
"uuid": ActionTrack,
},
})
// auditMap converts a map of struct pointers to a map of struct names as

45
enterprise/coderd/licenses.go
View File

@ -20,6 +20,7 @@ import (
"cdr.dev/slog"
"github.com/coder/coder/coderd"
"github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/coderd/rbac"
@ -59,7 +60,18 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220
// @Success 201 {object} codersdk.License
// @Router /licenses [post]
func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
var (
ctx = r.Context()
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.License](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionCreate,
})
)
defer commitAudit()
if !api.AGPL.Authorize(r, rbac.ActionCreate, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
@ -119,6 +131,8 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
})
return
}
aReq.New = dl
err = api.updateEntitlements(ctx)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
@ -186,11 +200,10 @@ func (api *API) licenses(rw http.ResponseWriter, r *http.Request) {
// @Success 200
// @Router /licenses/{id} [delete]
func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
}
var (
ctx = r.Context()
auditor = api.AGPL.Auditor.Load()
)
idStr := chi.URLParam(r, "id")
id, err := strconv.ParseInt(idStr, 10, 32)
@ -201,6 +214,26 @@ func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
return
}
dl, err := api.Database.GetLicenseByID(ctx, int32(id))
if err != nil {
// don't fail the HTTP request simply because we cannot audit
api.Logger.Warn(context.Background(), "could not retrieve license; cannot audit", slog.Error(err))
}
aReq, commitAudit := audit.InitRequest[database.License](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionDelete,
})
defer commitAudit()
aReq.Old = dl
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
}
_, err = api.Database.DeleteLicense(ctx, int32(id))
if xerrors.Is(err, sql.ErrNoRows) {
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{

2
site/src/api/typesGenerated.ts
View File

@ -1183,6 +1183,7 @@ export type ResourceType =
| "api_key"
| "git_ssh_key"
| "group"
| "license"
| "template"
| "template_version"
| "user"
@ -1192,6 +1193,7 @@ export const ResourceTypes: ResourceType[] = [
"api_key",
"git_ssh_key",
"group",
"license",
"template",
"template_version",
"user",