Skip to content

Commit 5e60879

Browse files
Kira-PilotKira-Pilot
authored
feat: audit addition and removal of licenses (#6125)
* added license audit resource * audit delete licenses * added filtering * remove logs * making the best of the current UUID situation * fixed lint * fix tests * regen docs * PR feedback * PR feedback
1 parent 6e3330a commit 5e60879

File tree

15 files changed

+94
-23
lines changed

15 files changed

+94
-23
lines changed

coderd/apidoc/docs.go

+4-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/apidoc/swagger.json

+4-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/audit.go

+2
Original file line numberDiff line numberDiff line change
@@ -456,6 +456,8 @@ func resourceTypeFromString(resourceTypeString string) string {
456456
return resourceTypeString
457457
case codersdk.ResourceTypeGroup:
458458
return resourceTypeString
459+
case codersdk.ResourceTypeLicense:
460+
return resourceTypeString
459461
}
460462
return ""
461463
}

coderd/audit/diff.go

+2-1
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,8 @@ type Auditable interface {
1515
database.Workspace |
1616
database.GitSSHKey |
1717
database.WorkspaceBuild |
18-
database.AuditableGroup
18+
database.AuditableGroup |
19+
database.License
1920
}
2021

2122
// Map is a map of changed fields in an audited resource. It maps field names to

coderd/audit/request.go

+7
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ import (
77
"fmt"
88
"net"
99
"net/http"
10+
"strconv"
1011

1112
"github.com/google/uuid"
1213
"github.com/tabbed/pqtype"
@@ -71,6 +72,8 @@ func ResourceTarget[T Auditable](tgt T) string {
7172
case database.APIKey:
7273
// this isn't used
7374
return ""
75+
case database.License:
76+
return strconv.Itoa(int(typed.ID))
7477
default:
7578
panic(fmt.Sprintf("unknown resource %T", tgt))
7679
}
@@ -94,6 +97,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
9497
return typed.Group.ID
9598
case database.APIKey:
9699
return typed.UserID
100+
case database.License:
101+
return typed.UUID
97102
default:
98103
panic(fmt.Sprintf("unknown resource %T", tgt))
99104
}
@@ -117,6 +122,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
117122
return database.ResourceTypeGroup
118123
case database.APIKey:
119124
return database.ResourceTypeApiKey
125+
case database.License:
126+
return database.ResourceTypeLicense
120127
default:
121128
panic(fmt.Sprintf("unknown resource %T", tgt))
122129
}

coderd/database/dump.sql

+2-1
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/database/migrations/000098_add_resource_type_license.down.sql

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
2+
-- EXISTS".

coderd/database/migrations/000098_add_resource_type_license.up.sql

+3
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
ALTER TYPE resource_type
2+
ADD VALUE IF NOT EXISTS 'license';
3+

coderd/database/models.go

+4-1
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

codersdk/audit.go

+3
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ const (
2222
ResourceTypeGitSSHKey ResourceType = "git_ssh_key"
2323
ResourceTypeAPIKey ResourceType = "api_key"
2424
ResourceTypeGroup ResourceType = "group"
25+
ResourceTypeLicense ResourceType = "license"
2526
)
2627

2728
func (r ResourceType) FriendlyString() string {
@@ -44,6 +45,8 @@ func (r ResourceType) FriendlyString() string {
4445
return "api key"
4546
case ResourceTypeGroup:
4647
return "group"
48+
case ResourceTypeLicense:
49+
return "license"
4750
default:
4851
return "unknown"
4952
}

docs/admin/audit-logs.md

+1
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ We track the following resources:
1414
| APIKey<br><i>write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>expires_at</td><td>false</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>false</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>false</td></tr></tbody></table> |
1515
| Group<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr></tbody></table> |
1616
| GitSSHKey<br><i>create</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table> |
17+
| License<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>true</td></tr><tr><td>uuid</td><td>true</td></tr></tbody></table> |
1718
| Template<br><i>write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>is_private</td><td>true</td></tr><tr><td>min_autostart_interval</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
1819
| TemplateVersion<br><i>create, write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> |
1920
| User<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table> |

docs/api/schemas.md

+1
Original file line numberDiff line numberDiff line change
@@ -4054,6 +4054,7 @@ Parameter represents a set value for the scope.
40544054
| `git_ssh_key` |
40554055
| `api_key` |
40564056
| `group` |
4057+
| `license` |
40574058

40584059
## codersdk.Response
40594060

enterprise/audit/table.go

+18-10
Original file line numberDiff line numberDiff line change
@@ -13,16 +13,15 @@ import (
1313
// AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go -
1414
// depends upon it.
1515
var AuditActionMap = map[string][]codersdk.AuditAction{
16-
"GitSSHKey": {codersdk.AuditActionCreate},
17-
"OrganizationMember": {},
18-
"Organization": {},
19-
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
20-
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
21-
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
22-
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
23-
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
24-
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
25-
"APIKey": {codersdk.AuditActionWrite},
16+
"GitSSHKey": {codersdk.AuditActionCreate},
17+
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
18+
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
19+
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
20+
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
21+
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
22+
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
23+
"APIKey": {codersdk.AuditActionWrite},
24+
"License": {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
2625
}
2726

2827
type Action string
@@ -147,6 +146,15 @@ var AuditableResources = auditMap(map[any]map[string]Action{
147146
"ip_address": ActionIgnore,
148147
"scope": ActionIgnore,
149148
},
149+
// TODO: track an ID here when the below ticket is completed:
150+
// https://github.com/coder/coder/pull/6012
151+
&database.License{}: {
152+
"id": ActionIgnore,
153+
"uploaded_at": ActionTrack,
154+
"jwt": ActionIgnore,
155+
"exp": ActionTrack,
156+
"uuid": ActionTrack,
157+
},
150158
})
151159

152160
// auditMap converts a map of struct pointers to a map of struct names as

enterprise/coderd/licenses.go

+39-6
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ import (
2020

2121
"cdr.dev/slog"
2222
"github.com/coder/coder/coderd"
23+
"github.com/coder/coder/coderd/audit"
2324
"github.com/coder/coder/coderd/database"
2425
"github.com/coder/coder/coderd/httpapi"
2526
"github.com/coder/coder/coderd/rbac"
@@ -59,7 +60,18 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220
5960
// @Success 201 {object} codersdk.License
6061
// @Router /licenses [post]
6162
func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
62-
ctx := r.Context()
63+
var (
64+
ctx = r.Context()
65+
auditor = api.AGPL.Auditor.Load()
66+
aReq, commitAudit = audit.InitRequest[database.License](rw, &audit.RequestParams{
67+
Audit: *auditor,
68+
Log: api.Logger,
69+
Request: r,
70+
Action: database.AuditActionCreate,
71+
})
72+
)
73+
defer commitAudit()
74+
6375
if !api.AGPL.Authorize(r, rbac.ActionCreate, rbac.ResourceLicense) {
6476
httpapi.Forbidden(rw)
6577
return
@@ -119,6 +131,8 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
119131
})
120132
return
121133
}
134+
aReq.New = dl
135+
122136
err = api.updateEntitlements(ctx)
123137
if err != nil {
124138
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
@@ -186,11 +200,10 @@ func (api *API) licenses(rw http.ResponseWriter, r *http.Request) {
186200
// @Success 200
187201
// @Router /licenses/{id} [delete]
188202
func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
189-
ctx := r.Context()
190-
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
191-
httpapi.Forbidden(rw)
192-
return
193-
}
203+
var (
204+
ctx = r.Context()
205+
auditor = api.AGPL.Auditor.Load()
206+
)
194207

195208
idStr := chi.URLParam(r, "id")
196209
id, err := strconv.ParseInt(idStr, 10, 32)
@@ -201,6 +214,26 @@ func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
201214
return
202215
}
203216

217+
dl, err := api.Database.GetLicenseByID(ctx, int32(id))
218+
if err != nil {
219+
// don't fail the HTTP request simply because we cannot audit
220+
api.Logger.Warn(context.Background(), "could not retrieve license; cannot audit", slog.Error(err))
221+
}
222+
223+
aReq, commitAudit := audit.InitRequest[database.License](rw, &audit.RequestParams{
224+
Audit: *auditor,
225+
Log: api.Logger,
226+
Request: r,
227+
Action: database.AuditActionDelete,
228+
})
229+
defer commitAudit()
230+
aReq.Old = dl
231+
232+
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
233+
httpapi.Forbidden(rw)
234+
return
235+
}
236+
204237
_, err = api.Database.DeleteLicense(ctx, int32(id))
205238
if xerrors.Is(err, sql.ErrNoRows) {
206239
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{

site/src/api/typesGenerated.ts

+2
Original file line numberDiff line numberDiff line change
@@ -1183,6 +1183,7 @@ export type ResourceType =
11831183
| "api_key"
11841184
| "git_ssh_key"
11851185
| "group"
1186+
| "license"
11861187
| "template"
11871188
| "template_version"
11881189
| "user"
@@ -1192,6 +1193,7 @@ export const ResourceTypes: ResourceType[] = [
11921193
"api_key",
11931194
"git_ssh_key",
11941195
"group",
1196+
"license",
11951197
"template",
11961198
"template_version",
11971199
"user",

0 commit comments

Comments
 (0)