feat: add auditing to user routes

coadler · coadler · commit ef322d4aa45c · 2022-09-08T17:20:31.000-05:00
diff --git a/coderd/audit/request.go b/coderd/audit/request.go
@@ -3,6 +3,7 @@ package audit
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net"
 	"net/http"
 
@@ -11,20 +12,17 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/features"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 )
 
 type RequestParams struct {
-	Audit Auditor
-	Log   slog.Logger
-
-	Request        *http.Request
-	ResourceID     uuid.UUID
-	ResourceTarget string
-	Action         database.AuditAction
-	ResourceType   database.ResourceType
-	Actor          uuid.UUID
+	Features features.Service
+	Log      slog.Logger
+
+	Request *http.Request
+	Action  database.AuditAction
 }
 
 type Request[T Auditable] struct {
@@ -34,6 +32,63 @@ type Request[T Auditable] struct {
 	New T
 }
 
+func ResourceTarget[T Auditable](tgt T) string {
+	switch typed := any(tgt).(type) {
+	case database.Organization:
+		return typed.Name
+	case database.Template:
+		return typed.Name
+	case database.TemplateVersion:
+		return typed.Name
+	case database.User:
+		return typed.Username
+	case database.Workspace:
+		return typed.Name
+	case database.GitSSHKey:
+		return typed.PublicKey
+	default:
+		panic(fmt.Sprintf("unknown resource %T", tgt))
+	}
+}
+
+func ResourceID[T Auditable](tgt T) uuid.UUID {
+	switch typed := any(tgt).(type) {
+	case database.Organization:
+		return typed.ID
+	case database.Template:
+		return typed.ID
+	case database.TemplateVersion:
+		return typed.ID
+	case database.User:
+		return typed.ID
+	case database.Workspace:
+		return typed.ID
+	case database.GitSSHKey:
+		return typed.UserID
+	default:
+		panic(fmt.Sprintf("unknown resource %T", tgt))
+	}
+}
+
+func ResourceType[T Auditable](tgt T) database.ResourceType {
+	switch any(tgt).(type) {
+	case database.Organization:
+		return database.ResourceTypeOrganization
+	case database.Template:
+		return database.ResourceTypeTemplate
+	case database.TemplateVersion:
+		return database.ResourceTypeTemplateVersion
+	case database.User:
+		return database.ResourceTypeUser
+	case database.Workspace:
+		return database.ResourceTypeWorkspace
+	case database.GitSSHKey:
+		return database.ResourceTypeGitSshKey
+	default:
+		panic(fmt.Sprintf("unknown resource %T", tgt))
+	}
+}
+
 // InitRequest initializes an audit log for a request. It returns a function
 // that should be deferred, causing the audit log to be committed when the
 // handler returns.
@@ -47,38 +102,64 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 		params: p,
 	}
 
+	feats := struct {
+		Audit Auditor
+	}{}
+	err := p.Features.Get(&feats)
+	if err != nil {
+		p.Log.Error(p.Request.Context(), "unable to get auditor interface", slog.Error(err))
+		return req, func() {}
+	}
+
 	return req, func() {
 		ctx := context.Background()
+		logCtx := p.Request.Context()
 
-		diff := Diff(p.Audit, req.Old, req.New)
+		if ResourceID(req.Old) == uuid.Nil && ResourceID(req.New) == uuid.Nil {
+			p.Log.Error(logCtx, "both old and new are nil, cannot audit")
+			return
+		}
+
+		diff := Diff(feats.Audit, req.Old, req.New)
 		diffRaw, _ := json.Marshal(diff)
 
 		ip, err := parseIP(p.Request.RemoteAddr)
 		if err != nil {
-			p.Log.Warn(ctx, "parse ip", slog.Error(err))
+			p.Log.Warn(logCtx, "parse ip", slog.Error(err))
 		}
 
-		err = p.Audit.Export(ctx, database.AuditLog{
-			ID:             uuid.New(),
-			Time:           database.Now(),
-			UserID:         p.Actor,
-			Ip:             ip,
-			UserAgent:      p.Request.UserAgent(),
-			ResourceType:   p.ResourceType,
-			ResourceID:     p.ResourceID,
-			ResourceTarget: p.ResourceTarget,
-			Action:         p.Action,
-			Diff:           diffRaw,
-			StatusCode:     int32(sw.Status),
-			RequestID:      httpmw.RequestID(p.Request),
+		err = feats.Audit.Export(ctx, database.AuditLog{
+			ID:               uuid.New(),
+			Time:             database.Now(),
+			UserID:           httpmw.APIKey(p.Request).UserID,
+			Ip:               ip,
+			UserAgent:        p.Request.UserAgent(),
+			ResourceType:     either(req.Old, req.New, ResourceType[T]),
+			ResourceID:       either(req.Old, req.New, ResourceID[T]),
+			ResourceTarget:   either(req.Old, req.New, ResourceTarget[T]),
+			Action:           p.Action,
+			Diff:             diffRaw,
+			StatusCode:       int32(sw.Status),
+			RequestID:        httpmw.RequestID(p.Request),
+			AdditionalFields: json.RawMessage("{}"),
 		})
 		if err != nil {
-			p.Log.Error(ctx, "export audit log", slog.Error(err))
+			p.Log.Error(logCtx, "export audit log", slog.Error(err))
 			return
 		}
 	}
 }
 
+func either[T Auditable, R any](old, new T, fn func(T) R) R {
+	if ResourceID(new) != uuid.Nil {
+		return fn(new)
+	} else if ResourceID(old) != uuid.Nil {
+		return fn(old)
+	} else {
+		panic("both old and new are nil")
+	}
+}
+
 func parseIP(ipStr string) (pqtype.Inet, error) {
 	var err error
 
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -27,6 +27,7 @@ import (
 	"github.com/coder/coder/buildinfo"
 	"github.com/coder/coder/coderd/awsidentity"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/features"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
@@ -72,7 +73,7 @@ type Options struct {
 	TracerProvider       *sdktrace.TracerProvider
 	AutoImportTemplates  []AutoImportTemplate
 	LicenseHandler       http.Handler
-	FeaturesService      FeaturesService
+	FeaturesService      features.Service
 
 	TailscaleEnable    bool
 	TailnetCoordinator *tailnet.Coordinator
diff --git a/coderd/features.go b/coderd/features.go
@@ -11,16 +11,6 @@ import (
 	"github.com/coder/coder/codersdk"
 )
 
-// FeaturesService is the interface for interacting with enterprise features.
-type FeaturesService interface {
-	EntitlementsAPI(w http.ResponseWriter, r *http.Request)
-
-	// Get returns the implementations for feature interfaces. Parameter `s` must be a pointer to a
-	// struct type containing feature interfaces as fields.  The FeatureService sets all fields to
-	// the correct implementations depending on whether the features are turned on.
-	Get(s any) error
-}
-
 type featuresService struct{}
 
 func (featuresService) EntitlementsAPI(rw http.ResponseWriter, _ *http.Request) {
diff --git a/coderd/features/features.go b/coderd/features/features.go
@@ -0,0 +1,13 @@
+package features
+
+import "net/http"
+
+// Service is the interface for interacting with enterprise features.
+type Service interface {
+	EntitlementsAPI(w http.ResponseWriter, r *http.Request)
+
+	// Get returns the implementations for feature interfaces. Parameter `s` must be a pointer to a
+	// struct type containing feature interfaces as fields.  The FeatureService sets all fields to
+	// the correct implementations depending on whether the features are turned on.
+	Get(s any) error
+}
diff --git a/coderd/users.go b/coderd/users.go
@@ -21,6 +21,7 @@ import (
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
@@ -254,6 +255,14 @@ func (api *API) users(rw http.ResponseWriter, r *http.Request) {
 
 // Creates a new user.
 func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
+	aReq, commitAudit := audit.InitRequest[database.User](rw, &audit.RequestParams{
+		Features: api.FeaturesService,
+		Log:      api.Logger,
+		Request:  r,
+		Action:   database.AuditActionCreate,
+	})
+	defer commitAudit()
+
 	// Create the user on the site.
 	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceUser) {
 		httpapi.Forbidden(rw)
@@ -319,6 +328,8 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	aReq.New = user
+
 	// Report when users are added!
 	api.Telemetry.Report(&telemetry.Snapshot{
 		Users: []telemetry.User{telemetry.ConvertUser(user)},
@@ -350,7 +361,17 @@ func (api *API) userByName(rw http.ResponseWriter, r *http.Request) {
 }
 
 func (api *API) putUserProfile(rw http.ResponseWriter, r *http.Request) {
-	user := httpmw.UserParam(r)
+	var (
+		user              = httpmw.UserParam(r)
+		aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{
+			Features: api.FeaturesService,
+			Log:      api.Logger,
+			Request:  r,
+			Action:   database.AuditActionWrite,
+		})
+	)
+	defer commitAudit()
+	aReq.Old = user
 
 	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUser) {
 		httpapi.ResourceNotFound(rw)
@@ -395,6 +416,7 @@ func (api *API) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 		Username:  params.Username,
 		UpdatedAt: database.Now(),
 	})
+	aReq.New = updatedUserProfile
 
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
@@ -418,8 +440,18 @@ func (api *API) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 
 func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseWriter, r *http.Request) {
 	return func(rw http.ResponseWriter, r *http.Request) {
-		user := httpmw.UserParam(r)
-		apiKey := httpmw.APIKey(r)
+		var (
+			user              = httpmw.UserParam(r)
+			apiKey            = httpmw.APIKey(r)
+			aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{
+				Features: api.FeaturesService,
+				Log:      api.Logger,
+				Request:  r,
+				Action:   database.AuditActionWrite,
+			})
+		)
+		defer commitAudit()
+		aReq.Old = user
 
 		if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceUser) {
 			httpapi.ResourceNotFound(rw)
@@ -451,14 +483,14 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW
 			Status:    status,
 			UpdatedAt: database.Now(),
 		})
-
 		if err != nil {
 			httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 				Message: fmt.Sprintf("Internal error updating user's status to %q.", status),
 				Detail:  err.Error(),
 			})
 			return
 		}
+		aReq.New = suspendedUser
 
 		organizations, err := userOrganizationIDs(r.Context(), api, user)
 		if err != nil {
@@ -475,9 +507,17 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW
 
 func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 	var (
-		user   = httpmw.UserParam(r)
-		params codersdk.UpdateUserPasswordRequest
+		user              = httpmw.UserParam(r)
+		params            codersdk.UpdateUserPasswordRequest
+		aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{
+			Features: api.FeaturesService,
+			Log:      api.Logger,
+			Request:  r,
+			Action:   database.AuditActionWrite,
+		})
 	)
+	defer commitAudit()
+	aReq.Old = user
 
 	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
 		httpapi.ResourceNotFound(rw)
@@ -552,6 +592,10 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	newUser := user
+	newUser.HashedPassword = []byte(hashedPassword)
+	aReq.New = newUser
+
 	httpapi.Write(rw, http.StatusNoContent, nil)
 }
 
@@ -598,10 +642,20 @@ func (api *API) userRoles(rw http.ResponseWriter, r *http.Request) {
 }
 
 func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
-	// User is the user to modify.
-	user := httpmw.UserParam(r)
-	actorRoles := httpmw.AuthorizationUserRoles(r)
-	apiKey := httpmw.APIKey(r)
+	var (
+		// User is the user to modify.
+		user              = httpmw.UserParam(r)
+		actorRoles        = httpmw.AuthorizationUserRoles(r)
+		apiKey            = httpmw.APIKey(r)
+		aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{
+			Features: api.FeaturesService,
+			Log:      api.Logger,
+			Request:  r,
+			Action:   database.AuditActionWrite,
+		})
+	)
+	defer commitAudit()
+	aReq.Old = user
 
 	if apiKey.UserID == user.ID {
 		httpapi.Write(rw, http.StatusBadRequest, codersdk.Response{
@@ -654,6 +708,7 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	aReq.New = updatedUser
 
 	organizationIDs, err := userOrganizationIDs(r.Context(), api, user)
 	if err != nil {
diff --git a/enterprise/coderd/features.go b/enterprise/coderd/features.go
diff --git a/enterprise/coderd/features_internal_test.go b/enterprise/coderd/features_internal_test.go
