Skip to content

Commit 55c13c8

Browse files
coadlercoadler
authored
chore: fully implement enterprise audit pkg (#3821)
1 parent fefdff4 commit 55c13c8

File tree

12 files changed

+164
-177
lines changed

12 files changed

+164
-177
lines changed

coderd/audit/exporter.go

-55
This file was deleted.

coderd/audit/filter.go

-42
This file was deleted.

coderd/audit/request.go

+57-8
Original file line numberDiff line numberDiff line change
@@ -2,22 +2,28 @@ package audit
22

33
import (
44
"context"
5+
"encoding/json"
6+
"net"
57
"net/http"
68

7-
chimw "github.com/go-chi/chi/v5/middleware"
89
"github.com/google/uuid"
10+
"github.com/tabbed/pqtype"
911

1012
"cdr.dev/slog"
1113
"github.com/coder/coder/coderd/database"
14+
"github.com/coder/coder/coderd/httpapi"
1215
)
1316

1417
type RequestParams struct {
1518
Audit Auditor
1619
Log slog.Logger
1720

18-
Action database.AuditAction
19-
ResourceType database.ResourceType
20-
Actor uuid.UUID
21+
Request *http.Request
22+
ResourceID uuid.UUID
23+
ResourceTarget string
24+
Action database.AuditAction
25+
ResourceType database.ResourceType
26+
Actor uuid.UUID
2127
}
2228

2329
type Request[T Auditable] struct {
@@ -31,9 +37,9 @@ type Request[T Auditable] struct {
3137
// that should be deferred, causing the audit log to be committed when the
3238
// handler returns.
3339
func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request[T], func()) {
34-
sw, ok := w.(chimw.WrapResponseWriter)
40+
sw, ok := w.(*httpapi.StatusWriter)
3541
if !ok {
36-
panic("dev error: http.ResponseWriter is not chimw.WrapResponseWriter")
42+
panic("dev error: http.ResponseWriter is not *httpapi.StatusWriter")
3743
}
3844

3945
req := &Request[T]{
@@ -42,11 +48,54 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
4248

4349
return req, func() {
4450
ctx := context.Background()
45-
code := sw.Status()
4651

47-
err := p.Audit.Export(ctx, database.AuditLog{StatusCode: int32(code)})
52+
diff := Diff(p.Audit, req.Old, req.New)
53+
diffRaw, _ := json.Marshal(diff)
54+
55+
ip, err := parseIP(p.Request.RemoteAddr)
56+
if err != nil {
57+
p.Log.Warn(ctx, "parse ip", slog.Error(err))
58+
}
59+
60+
err = p.Audit.Export(ctx, database.AuditLog{
61+
ID: uuid.New(),
62+
Time: database.Now(),
63+
UserID: p.Actor,
64+
Ip: ip,
65+
UserAgent: p.Request.UserAgent(),
66+
ResourceType: p.ResourceType,
67+
ResourceID: p.ResourceID,
68+
ResourceTarget: p.ResourceTarget,
69+
Action: p.Action,
70+
Diff: diffRaw,
71+
StatusCode: int32(sw.Status),
72+
})
4873
if err != nil {
4974
p.Log.Error(ctx, "export audit log", slog.Error(err))
5075
}
5176
}
5277
}
78+
79+
func parseIP(ipStr string) (pqtype.Inet, error) {
80+
var err error
81+
82+
ipStr, _, err = net.SplitHostPort(ipStr)
83+
if err != nil {
84+
return pqtype.Inet{}, err
85+
}
86+
87+
ip := net.ParseIP(ipStr)
88+
89+
ipNet := net.IPNet{}
90+
if ip != nil {
91+
ipNet = net.IPNet{
92+
IP: ip,
93+
Mask: net.CIDRMask(len(ip)*8, len(ip)*8),
94+
}
95+
}
96+
97+
return pqtype.Inet{
98+
IPNet: ipNet,
99+
Valid: ip != nil,
100+
}, nil
101+
}

coderd/database/time.go

+7-1
Original file line numberDiff line numberDiff line change
@@ -4,5 +4,11 @@ import "time"
44

55
// Now returns a standardized timezone used for database resources.
66
func Now() time.Time {
7-
return time.Now().UTC()
7+
return Time(time.Now().UTC())
8+
}
9+
10+
// Time returns a time compatible with Postgres. Postgres only stores dates with
11+
// microsecond precision.
12+
func Time(t time.Time) time.Time {
13+
return t.Round(time.Microsecond)
814
}

enterprise/audit/audit.go

+26-7
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,8 @@ package audit
33
import (
44
"context"
55

6+
"golang.org/x/xerrors"
7+
68
"github.com/coder/coder/coderd/audit"
79
"github.com/coder/coder/coderd/database"
810
)
@@ -15,8 +17,10 @@ type Backend interface {
1517
Export(ctx context.Context, alog database.AuditLog) error
1618
}
1719

18-
func NewAuditor() audit.Auditor {
20+
func NewAuditor(filter Filter, backends ...Backend) audit.Auditor {
1921
return &auditor{
22+
filter: filter,
23+
backends: backends,
2024
Differ: audit.Differ{DiffFn: func(old, new any) audit.Map {
2125
return diffValues(old, new, AuditableResources)
2226
}},
@@ -25,15 +29,30 @@ func NewAuditor() audit.Auditor {
2529

2630
// auditor is the enterprise implementation of the Auditor interface.
2731
type auditor struct {
28-
//nolint:unused
29-
filter Filter
30-
//nolint:unused
32+
filter Filter
3133
backends []Backend
3234

3335
audit.Differ
3436
}
3537

36-
//nolint:unused
37-
func (*auditor) Export(context.Context, database.AuditLog) error {
38-
panic("not implemented") // TODO: Implement
38+
func (a *auditor) Export(ctx context.Context, alog database.AuditLog) error {
39+
decision, err := a.filter.Check(ctx, alog)
40+
if err != nil {
41+
return xerrors.Errorf("filter check: %w", err)
42+
}
43+
44+
for _, backend := range a.backends {
45+
if decision&backend.Decision() != backend.Decision() {
46+
continue
47+
}
48+
49+
err = backend.Export(ctx, alog)
50+
if err != nil {
51+
// naively return the first error. should probably make this smarter
52+
// by returning multiple errors.
53+
return xerrors.Errorf("export audit log to backend: %w", err)
54+
}
55+
}
56+
57+
return nil
3958
}

coderd/audit/exporter_test.go renamed to enterprise/audit/audit_test.go

+33-34
Original file line numberDiff line numberDiff line change
@@ -2,26 +2,25 @@ package audit_test
22

33
import (
44
"context"
5-
"net"
6-
"net/http"
75
"testing"
8-
"time"
96

10-
"github.com/google/uuid"
117
"github.com/stretchr/testify/require"
12-
"github.com/tabbed/pqtype"
8+
"golang.org/x/xerrors"
139

14-
"github.com/coder/coder/coderd/audit"
1510
"github.com/coder/coder/coderd/database"
11+
"github.com/coder/coder/enterprise/audit"
12+
"github.com/coder/coder/enterprise/audit/audittest"
1613
)
1714

18-
func TestExporter(t *testing.T) {
15+
func TestAuditor(t *testing.T) {
1916
t.Parallel()
2017

2118
var tests = []struct {
2219
name string
2320
filterDecision audit.FilterDecision
21+
filterError error
2422
backendDecision audit.FilterDecision
23+
backendError error
2524
shouldExport bool
2625
}{
2726
{
@@ -60,11 +59,22 @@ func TestExporter(t *testing.T) {
6059
backendDecision: audit.FilterDecisionExport,
6160
shouldExport: true,
6261
},
62+
{
63+
name: "FilterError",
64+
filterError: xerrors.New("filter errored"),
65+
backendDecision: audit.FilterDecisionExport,
66+
shouldExport: false,
67+
},
68+
{
69+
name: "BackendError",
70+
backendError: xerrors.New("backend errored"),
71+
shouldExport: false,
72+
},
6373
// When more filters are written they should have their own tests.
6474
{
6575
name: "DefaultFilter",
6676
filterDecision: func() audit.FilterDecision {
67-
decision, _ := audit.DefaultFilter.Check(context.Background(), randomAuditLog())
77+
decision, _ := audit.DefaultFilter.Check(context.Background(), audittest.RandomLog())
6878
return decision
6979
}(),
7080
backendDecision: audit.FilterDecisionExport,
@@ -78,45 +88,30 @@ func TestExporter(t *testing.T) {
7888
t.Parallel()
7989

8090
var (
81-
backend = &testBackend{decision: test.backendDecision}
82-
exporter = audit.NewExporter(
91+
backend = &testBackend{decision: test.backendDecision, err: test.backendError}
92+
exporter = audit.NewAuditor(
8393
audit.FilterFunc(func(_ context.Context, _ database.AuditLog) (audit.FilterDecision, error) {
84-
return test.filterDecision, nil
94+
return test.filterDecision, test.filterError
8595
}),
8696
backend,
8797
)
8898
)
8999

90-
err := exporter.Export(context.Background(), randomAuditLog())
91-
require.NoError(t, err)
100+
err := exporter.Export(context.Background(), audittest.RandomLog())
101+
if test.filterError != nil {
102+
require.ErrorIs(t, err, test.filterError)
103+
} else if test.backendError != nil {
104+
require.ErrorIs(t, err, test.backendError)
105+
}
106+
92107
require.Equal(t, len(backend.alogs) > 0, test.shouldExport)
93108
})
94109
}
95110
}
96111

97-
func randomAuditLog() database.AuditLog {
98-
_, inet, _ := net.ParseCIDR("127.0.0.1/32")
99-
return database.AuditLog{
100-
ID: uuid.New(),
101-
Time: time.Now(),
102-
UserID: uuid.New(),
103-
OrganizationID: uuid.New(),
104-
Ip: pqtype.Inet{
105-
IPNet: *inet,
106-
Valid: true,
107-
},
108-
UserAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
109-
ResourceType: database.ResourceTypeOrganization,
110-
ResourceID: uuid.New(),
111-
ResourceTarget: "colin's organization",
112-
Action: database.AuditActionDelete,
113-
Diff: []byte{},
114-
StatusCode: http.StatusNoContent,
115-
}
116-
}
117-
118112
type testBackend struct {
119113
decision audit.FilterDecision
114+
err error
120115

121116
alogs []database.AuditLog
122117
}
@@ -126,6 +121,10 @@ func (t *testBackend) Decision() audit.FilterDecision {
126121
}
127122

128123
func (t *testBackend) Export(_ context.Context, alog database.AuditLog) error {
124+
if t.err != nil {
125+
return t.err
126+
}
127+
129128
t.alogs = append(t.alogs, alog)
130129
return nil
131130
}

0 commit comments

Comments
 (0)