Add command-line flag to toggle audit logging

kylecarbs · kylecarbs · commit 1964a64f3d0d · 2022-09-15T05:26:50.000Z
diff --git a/enterprise/cli/root.go b/enterprise/cli/root.go
@@ -1,26 +1,14 @@
 package cli
 
 import (
-	"context"
-
 	"github.com/spf13/cobra"
 
 	agpl "github.com/coder/coder/cli"
-	agplcoderd "github.com/coder/coder/coderd"
-	"github.com/coder/coder/enterprise/coderd"
 )
 
 func enterpriseOnly() []*cobra.Command {
 	return []*cobra.Command{
-		agpl.Server(func(ctx context.Context, options *agplcoderd.Options) (*agplcoderd.API, error) {
-			api, err := coderd.New(ctx, &coderd.Options{
-				Options: options,
-			})
-			if err != nil {
-				return nil, err
-			}
-			return api.AGPL, nil
-		}),
+		server(),
 		features(),
 		licenses(),
 	}
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -0,0 +1,33 @@
+package cli
+
+import (
+	"context"
+
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/enterprise/coderd"
+
+	agpl "github.com/coder/coder/cli"
+	agplcoderd "github.com/coder/coder/coderd"
+)
+
+func server() *cobra.Command {
+	var (
+		auditLogging bool
+	)
+	cmd := agpl.Server(func(ctx context.Context, options *agplcoderd.Options) (*agplcoderd.API, error) {
+		api, err := coderd.New(ctx, &coderd.Options{
+			AuditLogging: auditLogging,
+			Options:      options,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return api.AGPL, nil
+	})
+	cliflag.BoolVarP(cmd.Flags(), &auditLogging, "audit-logging", "", "CODER_AUDIT_LOGGING", true,
+		"Specifies whether audit logging is enabled.")
+
+	return cmd
+}
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -78,6 +78,7 @@ func New(ctx context.Context, options *Options) (*API, error) {
 type Options struct {
 	*coderd.Options
 
+	AuditLogging               bool
 	EntitlementsUpdateInterval time.Duration
 	Keys                       map[string]ed25519.PublicKey
 }
@@ -125,7 +126,14 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 	api.mutex.Lock()
 	defer api.mutex.Unlock()
 	now := time.Now()
-	auditLogs := api.auditLogs
+
+	// Default all entitlements to be disabled.
+	activeUsers := codersdk.Feature{
+		Enabled:     false,
+		Entitlement: codersdk.EntitlementNotEntitled,
+	}
+	auditLogs := codersdk.EntitlementNotEntitled
+
 	for _, l := range licenses {
 		claims, err := validateDBLicense(l, api.Keys)
 		if err != nil {
@@ -141,24 +149,25 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 			entitlement = codersdk.EntitlementGracePeriod
 		}
 		if claims.Features.UserLimit > 0 {
-			api.activeUsers.Enabled = true
-			api.activeUsers.Entitlement = entitlement
+			activeUsers.Enabled = true
+			activeUsers.Entitlement = entitlement
 			currentLimit := int64(0)
-			if api.activeUsers.Limit != nil {
-				currentLimit = *api.activeUsers.Limit
+			if activeUsers.Limit != nil {
+				currentLimit = *activeUsers.Limit
 			}
 			limit := max(currentLimit, claims.Features.UserLimit)
-			api.activeUsers.Limit = &limit
+			activeUsers.Limit = &limit
 		}
 		if claims.Features.AuditLog > 0 {
-			api.auditLogs = entitlement
+			auditLogs = entitlement
 		}
 	}
+
 	if auditLogs != api.auditLogs {
 		auditor := agplaudit.NewNop()
 		// A flag could be added to the options that would allow disabling
 		// enhanced audit logging here!
-		if api.auditLogs == codersdk.EntitlementEntitled {
+		if api.auditLogs == codersdk.EntitlementEntitled && api.AuditLogging {
 			auditor = audit.NewAuditor(
 				audit.DefaultFilter,
 				backends.NewPostgres(api.Database, true),
@@ -167,6 +176,10 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		}
 		api.AGPL.Auditor.Store(auditor)
 	}
+
+	api.activeUsers = activeUsers
+	api.auditLogs = auditLogs
+
 	return nil
 }
 
@@ -205,9 +218,9 @@ func (api *API) entitlements(rw http.ResponseWriter, r *http.Request) {
 	// Audit logs
 	resp.Features[codersdk.FeatureAuditLog] = codersdk.Feature{
 		Entitlement: auditLogs,
-		Enabled:     true,
+		Enabled:     api.AuditLogging,
 	}
-	if auditLogs == codersdk.EntitlementGracePeriod {
+	if auditLogs == codersdk.EntitlementGracePeriod && api.AuditLogging {
 		resp.Warnings = append(resp.Warnings,
 			"Audit logging is enabled but your license for this feature is expired.")
 	}
diff --git a/enterprise/coderd/coderd_test.go b/enterprise/coderd/coderd_test.go
@@ -59,6 +59,31 @@ func TestEntitlements(t *testing.T) {
 		assert.Nil(t, al.Actual)
 		assert.Empty(t, res.Warnings)
 	})
+	t.Run("FullLicenseToNone", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		license := coderdenttest.AddLicense(t, client, coderdenttest.AddLicenseOptions{
+			UserLimit: 100,
+			AuditLog:  true,
+		})
+		res, err := client.Entitlements(context.Background())
+		require.NoError(t, err)
+		assert.True(t, res.HasLicense)
+		al := res.Features[codersdk.FeatureAuditLog]
+		assert.Equal(t, codersdk.EntitlementEntitled, al.Entitlement)
+		assert.True(t, al.Enabled)
+
+		err = client.DeleteLicense(context.Background(), license.ID)
+		require.NoError(t, err)
+
+		res, err = client.Entitlements(context.Background())
+		require.NoError(t, err)
+		assert.True(t, res.HasLicense)
+		al = res.Features[codersdk.FeatureAuditLog]
+		assert.Equal(t, codersdk.EntitlementNotEntitled, al.Entitlement)
+		assert.True(t, al.Enabled)
+	})
 	t.Run("Warnings", func(t *testing.T) {
 		t.Parallel()
 		client := coderdenttest.New(t, nil)
