feat: add audit logs for dormancy events

coadler · coadler · commit e137e9251e41 · 2024-10-30T21:18:19.000Z
An audit log will now be generated when Coder automatically modifies
user statuses to dormant, or when a user logs in and are automatically
converted to active.
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -286,7 +286,7 @@ SET
 WHERE
     last_seen_at < @last_seen_after :: timestamp
     AND status = 'active'::user_status
-RETURNING id, email, last_seen_at;
+RETURNING id, email, username, last_seen_at;
 
 -- AllUserIDs returns all UserIDs regardless of user status or deletion.
 -- name: AllUserIDs :many
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -1063,6 +1063,7 @@ func (s *server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*proto.
 				wriBytes, err := json.Marshal(buildResourceInfo)
 				if err != nil {
 					s.Logger.Error(ctx, "marshal workspace resource info for failed job", slog.Error(err))
+					wriBytes = []byte("{}")
 				}
 
 				bag := audit.BaggageFromContext(ctx)
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -566,6 +566,7 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 	}
 
 	if user.Status == database.UserStatusDormant {
+		oldUser := user
 		//nolint:gocritic // System needs to update status of the user account (dormant -> active).
 		user, err = api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(ctx), database.UpdateUserStatusParams{
 			ID:        user.ID,
@@ -579,6 +580,28 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 			})
 			return user, rbac.Subject{}, false
 		}
+
+		af := map[string]string{
+			"automatic_actor":     "coder",
+			"automatic_subsystem": "dormancy",
+		}
+
+		wriBytes, err := json.Marshal(af)
+		if err != nil {
+			api.Logger.Error(ctx, "marshal additional fields for dormancy audit", slog.Error(err))
+			wriBytes = []byte("{}")
+		}
+
+		audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.User]{
+			Audit:            *api.Auditor.Load(),
+			Log:              api.Logger,
+			UserID:           user.ID,
+			Action:           database.AuditActionWrite,
+			Old:              oldUser,
+			New:              user,
+			Status:           http.StatusOK,
+			AdditionalFields: wriBytes,
+		})
 	}
 
 	subject, userStatus, err := httpmw.UserRBACSubject(ctx, api.Database, user.ID, rbac.ScopeAll)
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -95,7 +95,7 @@ func (r *RootCmd) Server(_ func()) *serpent.Command {
 			DefaultQuietHoursSchedule: options.DeploymentValues.UserQuietHoursSchedule.DefaultSchedule.Value(),
 			ProvisionerDaemonPSK:      options.DeploymentValues.Provisioner.DaemonPSK.Value(),
 
-			CheckInactiveUsersCancelFunc: dormancy.CheckInactiveUsers(ctx, options.Logger, options.Database),
+			CheckInactiveUsersCancelFunc: dormancy.CheckInactiveUsers(ctx, options.Logger, options.Database, options.Auditor),
 		}
 
 		if encKeys := options.DeploymentValues.ExternalTokenEncryptionKeys.Value(); len(encKeys) != 0 {
diff --git a/enterprise/coderd/dormancy/dormantusersjob.go b/enterprise/coderd/dormancy/dormantusersjob.go
@@ -3,12 +3,15 @@ package dormancy
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
+	"net/http"
 	"time"
 
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 
+	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 )
@@ -22,13 +25,13 @@ const (
 
 // CheckInactiveUsers function updates status of inactive users from active to dormant
 // using default parameters.
-func CheckInactiveUsers(ctx context.Context, logger slog.Logger, db database.Store) func() {
-	return CheckInactiveUsersWithOptions(ctx, logger, db, jobInterval, accountDormancyPeriod)
+func CheckInactiveUsers(ctx context.Context, logger slog.Logger, db database.Store, auditor audit.Auditor) func() {
+	return CheckInactiveUsersWithOptions(ctx, logger, db, auditor, jobInterval, accountDormancyPeriod)
 }
 
 // CheckInactiveUsersWithOptions function updates status of inactive users from active to dormant
 // using provided parameters.
-func CheckInactiveUsersWithOptions(ctx context.Context, logger slog.Logger, db database.Store, checkInterval, dormancyPeriod time.Duration) func() {
+func CheckInactiveUsersWithOptions(ctx context.Context, logger slog.Logger, db database.Store, auditor audit.Auditor, checkInterval, dormancyPeriod time.Duration) func() {
 	logger = logger.Named("dormancy")
 
 	ctx, cancelFunc := context.WithCancel(ctx)
@@ -57,8 +60,29 @@ func CheckInactiveUsersWithOptions(ctx context.Context, logger slog.Logger, db d
 				continue
 			}
 
+			af := map[string]string{
+				"automatic_actor":     "coder",
+				"automatic_subsystem": "dormancy",
+			}
+
+			wriBytes, err := json.Marshal(af)
+			if err != nil {
+				logger.Error(ctx, "marshal additional fields", slog.Error(err))
+				wriBytes = []byte("{}")
+			}
+
 			for _, u := range updatedUsers {
 				logger.Info(ctx, "account has been marked as dormant", slog.F("email", u.Email), slog.F("last_seen_at", u.LastSeenAt))
+				audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.User]{
+					Audit:            auditor,
+					Log:              logger,
+					UserID:           u.ID,
+					Action:           database.AuditActionWrite,
+					Old:              database.User{ID: u.ID, Username: u.Username, Status: database.UserStatusActive},
+					New:              database.User{ID: u.ID, Username: u.Username, Status: database.UserStatusDormant},
+					Status:           http.StatusOK,
+					AdditionalFields: wriBytes,
+				})
 			}
 			logger.Debug(ctx, "checking user accounts is done", slog.F("num_dormant_accounts", len(updatedUsers)), slog.F("execution_time", time.Since(startTime)))
 		}
diff --git a/enterprise/coderd/dormancy/dormantusersjob_test.go b/enterprise/coderd/dormancy/dormantusersjob_test.go
@@ -10,6 +10,7 @@ import (
 
 	"cdr.dev/slog/sloggers/slogtest"
 
+	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbmem"
 	"github.com/coder/coder/v2/enterprise/coderd/dormancy"
@@ -42,8 +43,9 @@ func TestCheckInactiveUsers(t *testing.T) {
 	suspendedUser2 := setupUser(ctx, t, db, "suspended-user-2@coder.com", database.UserStatusSuspended, time.Now().Add(-dormancyPeriod).Add(-time.Hour))
 	suspendedUser3 := setupUser(ctx, t, db, "suspended-user-3@coder.com", database.UserStatusSuspended, time.Now().Add(-dormancyPeriod).Add(-6*time.Hour))
 
+	mAudit := audit.NewMock()
 	// Run the periodic job
-	closeFunc := dormancy.CheckInactiveUsersWithOptions(ctx, logger, db, interval, dormancyPeriod)
+	closeFunc := dormancy.CheckInactiveUsersWithOptions(ctx, logger, db, mAudit, interval, dormancyPeriod)
 	t.Cleanup(closeFunc)
 
 	var rows []database.GetUsersRow
@@ -66,6 +68,8 @@ func TestCheckInactiveUsers(t *testing.T) {
 		return len(rows) == 9 && dormant == 3 && suspended == 3
 	}, testutil.WaitShort, testutil.IntervalMedium)
 
+	require.Len(t, mAudit.AuditLogs(), 3)
+
 	allUsers := ignoreUpdatedAt(database.ConvertUserRows(rows))
 
 	// Verify user status
diff --git a/site/src/pages/AuditPage/AuditLogRow/AuditLogDescription/AuditLogDescription.tsx b/site/src/pages/AuditPage/AuditLogRow/AuditLogDescription/AuditLogDescription.tsx
@@ -23,7 +23,7 @@ export const AuditLogDescription: FC<AuditLogDescriptionProps> = ({
 		target = "";
 	}
 
-	// This occurs when SCIM creates a user.
+	// This occurs when SCIM creates a user, or dormancy changes a users status.
 	if (
 		auditLog.resource_type === "user" &&
 		auditLog.additional_fields?.automatic_actor === "coder"

Original file line number	Diff line number	Diff line change
`@@ -1063,6 +1063,7 @@ func (s server) FailJob(ctx context.Context, failJob proto.FailedJob) (*proto.`
`1063`	`1063`	`wriBytes, err := json.Marshal(buildResourceInfo)`
`1064`	`1064`	`if err != nil {`
`1065`	`1065`	`s.Logger.Error(ctx, "marshal workspace resource info for failed job", slog.Error(err))`
	`1066`	`+ wriBytes = []byte("{}")`
`1066`	`1067`	`}`
`1067`	`1068`
`1068`	`1069`	`bag := audit.BaggageFromContext(ctx)`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ func (r RootCmd) Server(_ func()) serpent.Command {`
`95`	`95`	`DefaultQuietHoursSchedule: options.DeploymentValues.UserQuietHoursSchedule.DefaultSchedule.Value(),`
`96`	`96`	`ProvisionerDaemonPSK: options.DeploymentValues.Provisioner.DaemonPSK.Value(),`
`97`	`97`
`98`		`- CheckInactiveUsersCancelFunc: dormancy.CheckInactiveUsers(ctx, options.Logger, options.Database),`
	`98`	`+ CheckInactiveUsersCancelFunc: dormancy.CheckInactiveUsers(ctx, options.Logger, options.Database, options.Auditor),`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`if encKeys := options.DeploymentValues.ExternalTokenEncryptionKeys.Value(); len(encKeys) != 0 {`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ export const AuditLogDescription: FC<AuditLogDescriptionProps> = ({`
`23`	`23`	`target = "";`
`24`	`24`	`}`
`25`	`25`
`26`		`- // This occurs when SCIM creates a user.`
	`26`	`+ // This occurs when SCIM creates a user, or dormancy changes a users status.`
`27`	`27`	`if (`
`28`	`28`	`auditLog.resource_type === "user" &&`
`29`	`29`	`auditLog.additional_fields?.automatic_actor === "coder"`