Skip to content

chore: enforce orgid in audit logs where required #12283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 26, 2024
Merged

chore: enforce orgid in audit logs where required #12283

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4bc53bb
chore: enforce orgid in audit logs where required
Emyrk Feb 23, 2024
af7f056
Fix lint
Emyrk Feb 23, 2024
1bd5788
log vs panic in prod
Emyrk Feb 23, 2024
d6b34ee
Drop panic
Emyrk Feb 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
chore: enforce orgid in audit logs where required
  • Loading branch information
@Emyrk
Emyrk committed Feb 23, 2024
commit 4bc53bb2071544b1f8f51c6266a1a8ae8b74d278
52 changes: 49 additions & 3 deletions coderd/audit/request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ type RequestParams struct {
Audit Auditor
Log slog.Logger

// OrganizationID is only provided when possible. If an audit resource extends
// beyond the org scope, leave this as the nil uuid.
OrganizationID uuid.UUID
Request *http.Request
Action database.AuditAction
AdditionalFields json.RawMessage
Expand Down Expand Up @@ -96,7 +99,7 @@ func ResourceTarget[T Auditable](tgt T) string {
case database.HealthSettings:
return "" // no target?
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
panic(fmt.Sprintf("unknown resource %T for ResourceTarget", tgt))
}
}

Expand Down Expand Up @@ -129,7 +132,7 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
// Artificial ID for auditing purposes
return typed.ID
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
panic(fmt.Sprintf("unknown resource %T for ResourceID", tgt))
}
}

Expand Down Expand Up @@ -160,7 +163,39 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
case database.HealthSettings:
return database.ResourceTypeHealthSettings
default:
panic(fmt.Sprintf("unknown resource %T", typed))
panic(fmt.Sprintf("unknown resource %T for ResourceType", typed))
}
}

// ResourceRequiresOrgID will ensure given resources are always audited with an
// organization ID.
func ResourceRequiresOrgID[T Auditable]() bool {
var tgt T
switch any(tgt).(type) {
case database.Template, database.TemplateVersion:
return true
case database.Workspace, database.WorkspaceBuild:
return true
case database.AuditableGroup:
return true
case database.User:
return false
case database.GitSSHKey:
return false
case database.APIKey:
return false
case database.License:
return false
case database.WorkspaceProxy:
return false
case database.AuditOAuthConvertState:
// The merge state is for the given user
return false
case database.HealthSettings:
// Artificial ID for auditing purposes
return false
default:
panic(fmt.Sprintf("unknown resource %T for ResourceRequiresOrgID", tgt))
}
}

Expand Down Expand Up @@ -228,6 +263,11 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
action = req.Action
}

if ResourceRequiresOrgID[T]() && p.OrganizationID == uuid.Nil {
// We panic as this is a developer error and should never happen.
panic(fmt.Sprintf("missing required organization ID for resource %s", either(req.Old, req.New, ResourceType[T], req.params.Action)))
}

ip := parseIP(p.Request.RemoteAddr)
auditLog := database.AuditLog{
ID: uuid.New(),
Expand All @@ -243,6 +283,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
StatusCode: int32(sw.Status),
RequestID: httpmw.RequestID(p.Request),
AdditionalFields: p.AdditionalFields,
OrganizationID: p.OrganizationID,
}
err := p.Audit.Export(ctx, auditLog)
if err != nil {
Expand Down Expand Up @@ -272,6 +313,11 @@ func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[
p.AdditionalFields = json.RawMessage("{}")
}

if ResourceRequiresOrgID[T]() && p.OrganizationID == uuid.Nil {
// We panic as this is a developer error and should never happen.
panic(fmt.Sprintf("missing required organization ID for resource %s", either(p.Old, p.New, ResourceType[T], p.Action))
}

auditLog := database.AuditLog{
ID: uuid.New(),
Time: dbtime.Now(),
Expand Down