coder
diff --git a/‎coderd/audit.go
+4-2 b/‎coderd/audit.go
+4-2
diff --git a/‎coderd/audit/request.go
+50-1 b/‎coderd/audit/request.go
+50-1
diff --git a/‎coderd/coderd.go
+1 b/‎coderd/coderd.go
+1
diff --git a/‎coderd/database/dump.sql
+2-2 b/‎coderd/database/dump.sql
+2-2
diff --git a/‎coderd/database/migrations/000082_add_audit_log_nullable_fields.down.sql
+2 b/‎coderd/database/migrations/000082_add_audit_log_nullable_fields.down.sql
+2
diff --git a/‎coderd/database/migrations/000082_add_audit_log_nullable_fields.up.sql
+2 b/‎coderd/database/migrations/000082_add_audit_log_nullable_fields.up.sql
+2
diff --git a/‎coderd/database/models.go
+1-1 b/‎coderd/database/models.go
+1-1
diff --git a/‎coderd/database/queries.sql.go
+2-2 b/‎coderd/database/queries.sql.go
+2-2
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
+86-2 b/‎coderd/provisionerdserver/provisionerdserver.go
+86-2
diff --git a/‎coderd/provisionerdserver/provisionerdserver_test.go
+11 b/‎coderd/provisionerdserver/provisionerdserver_test.go
+11
@@ -1,6 +1,7 @@
 package coderd
 
 import (
+	"database/sql"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -129,7 +130,7 @@ func (api *API) generateFakeAuditLog(rw http.ResponseWriter, r *http.Request) {
 		Time:             params.Time,
 		UserID:           user.ID,
 		Ip:               ipNet,
-		UserAgent:        r.UserAgent(),
+		UserAgent:        sql.NullString{String: r.UserAgent(), Valid: true},
 		ResourceType:     database.ResourceType(params.ResourceType),
 		ResourceID:       params.ResourceID,
 		ResourceTarget:   user.Username,
@@ -163,6 +164,7 @@ func convertAuditLog(dblog database.GetAuditLogsOffsetRow) codersdk.AuditLog {
 	_ = json.Unmarshal(dblog.Diff, &diff)
 
 	var user *codersdk.User
+
 	if dblog.UserUsername.Valid {
 		user = &codersdk.User{
 			ID:        dblog.UserID,
@@ -186,7 +188,7 @@ func convertAuditLog(dblog database.GetAuditLogsOffsetRow) codersdk.AuditLog {
 		Time:             dblog.Time,
 		OrganizationID:   dblog.OrganizationID,
 		IP:               ip,
-		UserAgent:        dblog.UserAgent,
+		UserAgent:        dblog.UserAgent.String,
 		ResourceType:     codersdk.ResourceType(dblog.ResourceType),
 		ResourceID:       dblog.ResourceID,
 		ResourceTarget:   dblog.ResourceTarget,
 
@@ -2,6 +2,7 @@ package audit
 
 import (
 	"context"
+	"database/sql"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -32,6 +33,20 @@ type Request[T Auditable] struct {
 	New T
 }
 
+type BuildAuditParams[T Auditable] struct {
+	Audit Auditor
+	Log   slog.Logger
+
+	UserID           uuid.UUID
+	JobID            uuid.UUID
+	Status           int
+	Action           database.AuditAction
+	AdditionalFields json.RawMessage
+
+	New T
+	Old T
+}
+
 func ResourceTarget[T Auditable](tgt T) string {
 	switch typed := any(tgt).(type) {
 	case database.Organization:
@@ -147,7 +162,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 			Time:             database.Now(),
 			UserID:           httpmw.APIKey(p.Request).UserID,
 			Ip:               ip,
-			UserAgent:        p.Request.UserAgent(),
+			UserAgent:        sql.NullString{String: p.Request.UserAgent(), Valid: true},
 			ResourceType:     either(req.Old, req.New, ResourceType[T]),
 			ResourceID:       either(req.Old, req.New, ResourceID[T]),
 			ResourceTarget:   either(req.Old, req.New, ResourceTarget[T]),
@@ -164,6 +179,40 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 	}
 }
 
+// BuildAudit creates an audit log for a workspace build.
+// The audit log is committed upon invocation.
+func BuildAudit[T Auditable](ctx context.Context, p *BuildAuditParams[T]) {
+	// As the audit request has not been initiated directly by a user, we omit
+	// certain user details.
+	ip := parseIP("")
+	// We do not show diffs for build audit logs
+	var diffRaw = []byte("{}")
+
+	if p.AdditionalFields == nil {
+		p.AdditionalFields = json.RawMessage("{}")
+	}
+
+	err := p.Audit.Export(ctx, database.AuditLog{
+		ID:               uuid.New(),
+		Time:             database.Now(),
+		UserID:           p.UserID,
+		Ip:               ip,
+		UserAgent:        sql.NullString{},
+		ResourceType:     either(p.Old, p.New, ResourceType[T]),
+		ResourceID:       either(p.Old, p.New, ResourceID[T]),
+		ResourceTarget:   either(p.Old, p.New, ResourceTarget[T]),
+		Action:           p.Action,
+		Diff:             diffRaw,
+		StatusCode:       int32(p.Status),
+		RequestID:        p.JobID,
+		AdditionalFields: p.AdditionalFields,
+	})
+	if err != nil {
+		p.Log.Error(ctx, "export audit log", slog.Error(err))
+		return
+	}
+}
+
 func either[T Auditable, R any](old, new T, fn func(T) R) R {
 	if ResourceID(new) != uuid.Nil {
 		return fn(new)
 
@@ -681,6 +681,7 @@ func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, debounce ti
 		Telemetry:          api.Telemetry,
 		Tags:               tags,
 		QuotaCommitter:     &api.QuotaCommitter,
+		Auditor:            &api.Auditor,
 		AcquireJobDebounce: debounce,
 		Logger:             api.Logger.Named(fmt.Sprintf("provisionerd-%s", daemon.Name)),
 	})
 
@@ -0,0 +1,2 @@
+ALTER TABLE audit_logs ALTER COLUMN ip SET NOT NULL;
+ALTER TABLE audit_logs ALTER COLUMN user_agent SET NOT NULL;
@@ -0,0 +1,2 @@
+ALTER TABLE audit_logs ALTER COLUMN ip DROP NOT NULL;
+ALTER TABLE audit_logs ALTER COLUMN user_agent DROP NOT NULL;
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
 	"reflect"
 	"sync"
@@ -21,6 +22,7 @@ import (
 
 	"cdr.dev/slog"
 
+	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/parameter"
 	"github.com/coder/coder/coderd/telemetry"
@@ -46,6 +48,7 @@ type Server struct {
 	Pubsub         database.Pubsub
 	Telemetry      telemetry.Reporter
 	QuotaCommitter *atomic.Pointer[proto.QuotaCommitter]
+	Auditor        *atomic.Pointer[audit.Auditor]
 
 	AcquireJobDebounce time.Duration
 }
@@ -522,6 +525,43 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 	case *proto.FailedJob_TemplateImport_:
 	}
 
+	// if failed job is a workspace build, audit the outcome
+	if job.Type == database.ProvisionerJobTypeWorkspaceBuild {
+		auditor := server.Auditor.Load()
+		build, getBuildErr := server.Database.GetWorkspaceBuildByJobID(ctx, job.ID)
+		if getBuildErr != nil {
+			server.Logger.Error(ctx, "failed to create audit log - get build err", slog.Error(err))
+		} else {
+			auditAction := auditActionFromTransition(build.Transition)
+			workspace, getWorkspaceErr := server.Database.GetWorkspaceByID(ctx, build.WorkspaceID)
+			if getWorkspaceErr != nil {
+				server.Logger.Error(ctx, "failed to create audit log - get workspace err", slog.Error(err))
+			} else {
+				// We pass the workspace name to the Auditor so that it
+				// can form a friendly string for the user.
+				workspaceResourceInfo := map[string]string{
+					"workspaceName": workspace.Name,
+				}
+
+				wriBytes, err := json.Marshal(workspaceResourceInfo)
+				if err != nil {
+					server.Logger.Error(ctx, "could not marshal workspace name", slog.Error(err))
+				}
+
+				audit.BuildAudit(ctx, &audit.BuildAuditParams[database.WorkspaceBuild]{
+					Audit:            *auditor,
+					Log:              server.Logger,
+					UserID:           job.InitiatorID,
+					JobID:            job.ID,
+					Action:           auditAction,
+					New:              build,
+					Status:           http.StatusInternalServerError,
+					AdditionalFields: wriBytes,
+				})
+			}
+		}
+	}
+
 	data, err := json.Marshal(ProvisionerJobLogsNotifyMessage{EndOfLogs: true})
 	if err != nil {
 		return nil, xerrors.Errorf("marshal job log: %w", err)
@@ -600,11 +640,14 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 			return nil, xerrors.Errorf("get workspace build: %w", err)
 		}
 
+		var workspace database.Workspace
+		var getWorkspaceError error
+
 		err = server.Database.InTx(func(db database.Store) error {
 			now := database.Now()
 			var workspaceDeadline time.Time
-			workspace, err := db.GetWorkspaceByID(ctx, workspaceBuild.WorkspaceID)
-			if err == nil {
+			workspace, getWorkspaceError = db.GetWorkspaceByID(ctx, workspaceBuild.WorkspaceID)
+			if getWorkspaceError == nil {
 				if workspace.Ttl.Valid {
 					workspaceDeadline = now.Add(time.Duration(workspace.Ttl.Int64))
 				}
@@ -704,6 +747,34 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 			return nil, xerrors.Errorf("complete job: %w", err)
 		}
 
+		// audit the outcome of the workspace build
+		if getWorkspaceError == nil {
+			auditor := server.Auditor.Load()
+			auditAction := auditActionFromTransition(workspaceBuild.Transition)
+
+			// We pass the workspace name to the Auditor so that it
+			// can form a friendly string for the user.
+			workspaceResourceInfo := map[string]string{
+				"workspaceName": workspace.Name,
+			}
+
+			wriBytes, err := json.Marshal(workspaceResourceInfo)
+			if err != nil {
+				server.Logger.Error(ctx, "marshal resource info", slog.Error(err))
+			}
+
+			audit.BuildAudit(ctx, &audit.BuildAuditParams[database.WorkspaceBuild]{
+				Audit:            *auditor,
+				Log:              server.Logger,
+				UserID:           job.InitiatorID,
+				JobID:            job.ID,
+				Action:           auditAction,
+				New:              workspaceBuild,
+				Status:           http.StatusOK,
+				AdditionalFields: wriBytes,
+			})
+		}
+
 		err = server.Pubsub.Publish(codersdk.WorkspaceNotifyChannel(workspaceBuild.WorkspaceID), []byte{})
 		if err != nil {
 			return nil, xerrors.Errorf("update workspace: %w", err)
@@ -1015,6 +1086,19 @@ func convertWorkspaceTransition(transition database.WorkspaceTransition) (sdkpro
 	}
 }
 
+func auditActionFromTransition(transition database.WorkspaceTransition) database.AuditAction {
+	switch transition {
+	case database.WorkspaceTransitionStart:
+		return database.AuditActionStart
+	case database.WorkspaceTransitionStop:
+		return database.AuditActionStop
+	case database.WorkspaceTransitionDelete:
+		return database.AuditActionDelete
+	default:
+		return database.AuditActionWrite
+	}
+}
+
 // WorkspaceProvisionJob is the payload for the "workspace_provision" job type.
 type WorkspaceProvisionJob struct {
 	WorkspaceBuildID uuid.UUID `json:"workspace_build_id"`
 
@@ -5,13 +5,15 @@ import (
 	"database/sql"
 	"encoding/json"
 	"net/url"
+	"sync/atomic"
 	"testing"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
 	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/databasefake"
 	"github.com/coder/coder/coderd/provisionerdserver"
@@ -21,6 +23,13 @@ import (
 	sdkproto "github.com/coder/coder/provisionersdk/proto"
 )
 
+func mockAuditor() *atomic.Pointer[audit.Auditor] {
+	ptr := &atomic.Pointer[audit.Auditor]{}
+	mock := audit.Auditor(audit.NewMock())
+	ptr.Store(&mock)
+	return ptr
+}
+
 func TestAcquireJob(t *testing.T) {
 	t.Parallel()
 	t.Run("Debounce", func(t *testing.T) {
@@ -36,6 +45,7 @@ func TestAcquireJob(t *testing.T) {
 			Pubsub:             pubsub,
 			Telemetry:          telemetry.NewNoop(),
 			AcquireJobDebounce: time.Hour,
+			Auditor:            mockAuditor(),
 		}
 		job, err := srv.AcquireJob(context.Background(), nil)
 		require.NoError(t, err)
@@ -799,5 +809,6 @@ func setup(t *testing.T) *provisionerdserver.Server {
 		Database:     db,
 		Pubsub:       pubsub,
 		Telemetry:    telemetry.NewNoop(),
+		Auditor:      mockAuditor(),
 	}
 }
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ALTER TABLE audit_logs ALTER COLUMN ip SET NOT NULL;`
	`2`	`+ALTER TABLE audit_logs ALTER COLUMN user_agent SET NOT NULL;`