@@ -3,6 +3,7 @@ package workspaceapps_test
33import (
44 "context"
55 "crypto/rand"
6+ "database/sql"
67 "fmt"
78 "io"
89 "net"
@@ -24,6 +25,7 @@ import (
2425 "github.com/coder/coder/v2/coderd/audit"
2526 "github.com/coder/coder/v2/coderd/coderdtest"
2627 "github.com/coder/coder/v2/coderd/database"
28+ "github.com/coder/coder/v2/coderd/database/dbauthz"
2729 "github.com/coder/coder/v2/coderd/httpmw"
2830 "github.com/coder/coder/v2/coderd/jwtutils"
2931 "github.com/coder/coder/v2/coderd/tracing"
@@ -83,6 +85,9 @@ func Test_ResolveRequest(t *testing.T) {
8385
8486 auditor := audit .NewMock ()
8587 t .Cleanup (func () {
88+ if t .Failed () {
89+ return
90+ }
8691 assert .Len (t , auditor .AuditLogs (), 0 , "one or more test cases produced unexpected audit logs, did you replace the auditor or forget to call ResetLogs?" )
8792 })
8893 client , closer , api := coderdtest .NewWithAPI (t , & coderdtest.Options {
@@ -220,11 +225,24 @@ func Test_ResolveRequest(t *testing.T) {
220225 for _ , agnt := range resource .Agents {
221226 if agnt .Name == agentName {
222227 agentID = agnt .ID
228+ break
223229 }
224230 }
225231 }
226232 require .NotEqual (t , uuid .Nil , agentID )
227233
234+ //nonlint:gocritic // This is a test, allow dbauthz.AsSystemRestricted.
235+ agent , err := api .Database .GetWorkspaceAgentByID (dbauthz .AsSystemRestricted (ctx ), agentID )
236+ require .NoError (t , err )
237+
238+ //nolint:gocritic // This is a test, allow dbauthz.AsSystemRestricted.
239+ apps , err := api .Database .GetWorkspaceAppsByAgentID (dbauthz .AsSystemRestricted (ctx ), agentID )
240+ require .NoError (t , err )
241+ appsBySlug := make (map [string ]database.WorkspaceApp , len (apps ))
242+ for _ , app := range apps {
243+ appsBySlug [app .Slug ] = app
244+ }
245+
228246 // Reset audit logs so cleanup check can pass.
229247 auditor .ResetLogs ()
230248
@@ -268,12 +286,14 @@ func Test_ResolveRequest(t *testing.T) {
268286
269287 auditor := audit .NewMock ()
270288 auditableIP := randomIPv6 (t )
289+ auditableUA := "Tidua"
271290
272291 t .Log ("app" , app )
273292 rw := httptest .NewRecorder ()
274293 r := httptest .NewRequest ("GET" , "/app" , nil )
275294 r .Header .Set (codersdk .SessionTokenHeader , client .SessionToken ())
276295 r = requestWithAuditorAndRemoteAddr (r , auditor , auditableIP )
296+ r .Header .Set ("User-Agent" , auditableUA )
277297
278298 // Try resolving the request without a token.
279299 token , ok := workspaceappsResolveRequest (t , rw , r , workspaceapps.ResolveRequestOptions {
@@ -314,7 +334,12 @@ func Test_ResolveRequest(t *testing.T) {
314334
315335 require .True (t , auditor .Contains (t , database.AuditLog {
316336 OrganizationID : workspace .OrganizationID ,
337+ Action : database .AuditActionOpen ,
338+ ResourceType : audit .ResourceType (appsBySlug [app ]),
339+ ResourceID : audit .ResourceID (appsBySlug [app ]),
340+ ResourceTarget : audit .ResourceTarget (appsBySlug [app ]),
317341 UserID : me .ID ,
342+ UserAgent : sql.NullString {Valid : true , String : auditableUA },
318343 Ip : audit .ParseIP (auditableIP ),
319344 StatusCode : int32 (w .StatusCode ), //nolint:gosec
320345 }), "audit log" )
@@ -399,6 +424,10 @@ func Test_ResolveRequest(t *testing.T) {
399424
400425 require .True (t , auditor .Contains (t , database.AuditLog {
401426 OrganizationID : workspace .OrganizationID ,
427+ Action : database .AuditActionOpen ,
428+ ResourceType : audit .ResourceType (appsBySlug [app ]),
429+ ResourceID : audit .ResourceID (appsBySlug [app ]),
430+ ResourceTarget : audit .ResourceTarget (appsBySlug [app ]),
402431 UserID : secondUser .ID ,
403432 Ip : audit .ParseIP (auditableIP ),
404433 StatusCode : int32 (w .StatusCode ), //nolint:gosec
@@ -457,6 +486,10 @@ func Test_ResolveRequest(t *testing.T) {
457486
458487 require .True (t , auditor .Contains (t , database.AuditLog {
459488 OrganizationID : workspace .OrganizationID ,
489+ ResourceType : audit .ResourceType (appsBySlug [app ]),
490+ ResourceID : audit .ResourceID (appsBySlug [app ]),
491+ ResourceTarget : audit .ResourceTarget (appsBySlug [app ]),
492+ UserID : uuid .Nil , // Nil is not verified by Contains, see below.
460493 Ip : audit .ParseIP (auditableIP ),
461494 StatusCode : int32 (w .StatusCode ), //nolint:gosec
462495 }), "audit log" )
@@ -587,6 +620,9 @@ func Test_ResolveRequest(t *testing.T) {
587620 require .Equal (t , token .AgentID , agentID )
588621 require .True (t , auditor .Contains (t , database.AuditLog {
589622 OrganizationID : workspace .OrganizationID ,
623+ ResourceType : audit .ResourceType (appsBySlug [token .AppSlugOrPort ]),
624+ ResourceID : audit .ResourceID (appsBySlug [token .AppSlugOrPort ]),
625+ ResourceTarget : audit .ResourceTarget (appsBySlug [token .AppSlugOrPort ]),
590626 UserID : me .ID ,
591627 Ip : audit .ParseIP (auditableIP ),
592628 StatusCode : int32 (w .StatusCode ), //nolint:gosec
@@ -677,6 +713,9 @@ func Test_ResolveRequest(t *testing.T) {
677713
678714 require .True (t , auditor .Contains (t , database.AuditLog {
679715 OrganizationID : workspace .OrganizationID ,
716+ ResourceType : audit .ResourceType (appsBySlug [token .AppSlugOrPort ]),
717+ ResourceID : audit .ResourceID (appsBySlug [token .AppSlugOrPort ]),
718+ ResourceTarget : audit .ResourceTarget (appsBySlug [token .AppSlugOrPort ]),
680719 UserID : me .ID ,
681720 Ip : audit .ParseIP (auditableIP ),
682721 StatusCode : int32 (w .StatusCode ), //nolint:gosec
@@ -759,10 +798,13 @@ func Test_ResolveRequest(t *testing.T) {
759798 require .Equal (t , http .StatusOK , w .StatusCode )
760799 require .True (t , auditor .Contains (t , database.AuditLog {
761800 OrganizationID : workspace .OrganizationID ,
801+ ResourceType : audit .ResourceType (agent ),
802+ ResourceID : audit .ResourceID (agent ),
803+ ResourceTarget : audit .ResourceTarget (agent ),
762804 UserID : me .ID ,
763805 Ip : audit .ParseIP (auditableIP ),
764806 StatusCode : int32 (w .StatusCode ), //nolint:gosec
765- }), "audit log" )
807+ }), "audit log for agent, not app " )
766808 require .Len (t , auditor .AuditLogs (), 1 , "single audit log" )
767809 })
768810
@@ -839,6 +881,9 @@ func Test_ResolveRequest(t *testing.T) {
839881 _ = w .Body .Close ()
840882 require .True (t , auditor .Contains (t , database.AuditLog {
841883 OrganizationID : workspace .OrganizationID ,
884+ ResourceType : audit .ResourceType (appsBySlug [token .AppSlugOrPort ]),
885+ ResourceID : audit .ResourceID (appsBySlug [token .AppSlugOrPort ]),
886+ ResourceTarget : audit .ResourceTarget (appsBySlug [token .AppSlugOrPort ]),
842887 UserID : me .ID ,
843888 Ip : audit .ParseIP (auditableIP ),
844889 StatusCode : int32 (w .StatusCode ), //nolint:gosec
@@ -883,10 +928,13 @@ func Test_ResolveRequest(t *testing.T) {
883928 _ = w .Body .Close ()
884929 require .True (t , auditor .Contains (t , database.AuditLog {
885930 OrganizationID : workspace .OrganizationID ,
931+ ResourceType : audit .ResourceType (agent ),
932+ ResourceID : audit .ResourceID (agent ),
933+ ResourceTarget : audit .ResourceTarget (agent ),
886934 UserID : me .ID ,
887935 Ip : audit .ParseIP (auditableIP ),
888936 StatusCode : int32 (w .StatusCode ), //nolint:gosec
889- }), "audit log" )
937+ }), "audit log for agent, not app " )
890938 require .Len (t , auditor .AuditLogs (), 1 , "single audit log" )
891939 })
892940
0 commit comments