Skip to content

feat: add support for workspace app audit #16801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 40 commits into from
Mar 18, 2025
Merged

feat: add support for workspace app audit #16801

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
d235001
add migrations
mafredri Mar 3, 2025
b18740c
add queries
mafredri Mar 3, 2025
4dfb4fb
make gen
mafredri Mar 3, 2025
7d7922c
add user-agent support to background audit
mafredri Mar 4, 2025
19ca904
add done func support for tracing response writer
mafredri Mar 4, 2025
30bb732
wip auditor
mafredri Mar 3, 2025
94ddbbe
linttt
mafredri Mar 4, 2025
bef7614
dbmem impl
mafredri Mar 4, 2025
d13d3c0
resolve request with middleware
mafredri Mar 4, 2025
9a3a4c8
refactor tracing status writer done func
mafredri Mar 5, 2025
1f4e95b
fix audit mock check
mafredri Mar 5, 2025
bda2d12
mimic http response writer default status 200
mafredri Mar 5, 2025
93784b9
update db tests
mafredri Mar 5, 2025
e38ba0f
dbauthz
mafredri Mar 5, 2025
5f0c141
add app audit session timeout to dbtokenprovider
mafredri Mar 5, 2025
ae06fe4
remove log spam
mafredri Mar 5, 2025
cf1180e
verify audit log
mafredri Mar 5, 2025
623ad6f
add specific test for audit
mafredri Mar 5, 2025
c91024e
cleanup request context hack
mafredri Mar 5, 2025
9608da1
nonlint
mafredri Mar 5, 2025
5bb42c2
add slug or port to support separation of terminal and ports
mafredri Mar 6, 2025
14a1740
make gen
mafredri Mar 6, 2025
4426bcf
improve and reduce boilerplate in tests
mafredri Mar 6, 2025
2c1536e
fixup! add slug or port to support separation of terminal and ports
mafredri Mar 6, 2025
c070d74
move RandomIPv6 to testutil
mafredri Mar 10, 2025
8a61541
commit audit in Issue, revert tracing status writer changes
mafredri Mar 10, 2025
7279b9a
return if tx failed
mafredri Mar 10, 2025
4ff41d4
add fields to audit logger
mafredri Mar 10, 2025
c723b95
comment on WorkspaceAppAuditSessionTimeout use-case
mafredri Mar 17, 2025
217a0d3
update migrations, add status and ua, unique entries
mafredri Mar 17, 2025
336c7b8
rewrite queries, single upsert
mafredri Mar 17, 2025
8d7a763
make gen for db
mafredri Mar 17, 2025
0f162b1
simplify auditInitRequest in workspaceapps
mafredri Mar 17, 2025
22ea58c
update tests
mafredri Mar 17, 2025
119cf03
fix fixtures
mafredri Mar 17, 2025
16ae577
fix dbauthz
mafredri Mar 17, 2025
9003ae0
Merge branch 'main' into mafredri/app-audit
mafredri Mar 17, 2025
c1ae295
fix ip nullability
mafredri Mar 17, 2025
1ee8441
add exception for redirect in audit log
mafredri Mar 17, 2025
5b3b122
unused arg
mafredri Mar 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions coderd/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,10 +282,14 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
_, _ = b.WriteString("{user} ")
}

if alog.AuditLog.StatusCode >= 400 {
switch {
case alog.AuditLog.StatusCode == int32(http.StatusSeeOther):
_, _ = b.WriteString("was redirected attempting to ")
_, _ = b.WriteString(string(alog.AuditLog.Action))
case alog.AuditLog.StatusCode >= 400:
_, _ = b.WriteString("unsuccessfully attempted to ")
_, _ = b.WriteString(string(alog.AuditLog.Action))
} else {
default:
Comment on lines +285 to +292
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

_, _ = b.WriteString(codersdk.AuditAction(alog.AuditLog.Action).Friendly())
}

Expand Down
2 changes: 1 addition & 1 deletion coderd/audit/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ func (a *MockAuditor) Contains(t testing.TB, expected database.AuditLog) bool {
t.Logf("audit log %d: expected UserID %s, got %s", idx+1, expected.UserID, al.UserID)
continue
}
if expected.OrganizationID != uuid.Nil && al.UserID != expected.UserID {
if expected.OrganizationID != uuid.Nil && al.OrganizationID != expected.OrganizationID {
t.Logf("audit log %d: expected OrganizationID %s, got %s", idx+1, expected.OrganizationID, al.OrganizationID)
continue
}
Expand Down
9 changes: 5 additions & 4 deletions coderd/audit/request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ type BackgroundAuditParams[T Auditable] struct {
Action database.AuditAction
OrganizationID uuid.UUID
IP string
UserAgent string
// todo: this should automatically marshal an interface{} instead of accepting a raw message.
AdditionalFields json.RawMessage

Expand Down Expand Up @@ -422,7 +423,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
action = req.Action
}

ip := parseIP(p.Request.RemoteAddr)
ip := ParseIP(p.Request.RemoteAddr)
auditLog := database.AuditLog{
ID: uuid.New(),
Time: dbtime.Now(),
Expand Down Expand Up @@ -453,7 +454,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
// BackgroundAudit creates an audit log for a background event.
// The audit log is committed upon invocation.
func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[T]) {
ip := parseIP(p.IP)
ip := ParseIP(p.IP)

diff := Diff(p.Audit, p.Old, p.New)
var err error
Expand All @@ -479,7 +480,7 @@ func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[
UserID: p.UserID,
OrganizationID: requireOrgID[T](ctx, p.OrganizationID, p.Log),
Ip: ip,
UserAgent: sql.NullString{},
UserAgent: sql.NullString{Valid: p.UserAgent != "", String: p.UserAgent},
ResourceType: either(p.Old, p.New, ResourceType[T], p.Action),
ResourceID: either(p.Old, p.New, ResourceID[T], p.Action),
ResourceTarget: either(p.Old, p.New, ResourceTarget[T], p.Action),
Expand Down Expand Up @@ -566,7 +567,7 @@ func either[T Auditable, R any](old, new T, fn func(T) R, auditAction database.A
panic("both old and new are nil")
}

func parseIP(ipStr string) pqtype.Inet {
func ParseIP(ipStr string) pqtype.Inet {
ip := net.ParseIP(ipStr)
ipNet := net.IPNet{}
if ip != nil {
Expand Down
26 changes: 16 additions & 10 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,10 @@ type Options struct {
UpdateAgentMetrics func(ctx context.Context, labels prometheusmetrics.AgentMetricLabels, metrics []*agentproto.Stats_Metric)
StatsBatcher workspacestats.Batcher

// WorkspaceAppAuditSessionTimeout allows changing the timeout for audit
// sessions. Raising or lowering this value will directly affect the write
// load of the audit log table. This is used for testing. Default 1 hour.
WorkspaceAppAuditSessionTimeout time.Duration
WorkspaceAppsStatsCollectorOptions workspaceapps.StatsCollectorOptions

// This janky function is used in telemetry to parse fields out of the raw
Expand Down Expand Up @@ -534,16 +538,6 @@ func New(options *Options) *API {
Authorizer: options.Authorizer,
Logger: options.Logger,
},
WorkspaceAppsProvider: workspaceapps.NewDBTokenProvider(
options.Logger.Named("workspaceapps"),
options.AccessURL,
options.Authorizer,
options.Database,
options.DeploymentValues,
oauthConfigs,
options.AgentInactiveDisconnectTimeout,
options.AppSigningKeyCache,
),
metricsCache: metricsCache,
Auditor: atomic.Pointer[audit.Auditor]{},
TailnetCoordinator: atomic.Pointer[tailnet.Coordinator]{},
Expand All @@ -561,6 +555,18 @@ func New(options *Options) *API {
),
dbRolluper: options.DatabaseRolluper,
}
api.WorkspaceAppsProvider = workspaceapps.NewDBTokenProvider(
options.Logger.Named("workspaceapps"),
options.AccessURL,
options.Authorizer,
&api.Auditor,
options.Database,
options.DeploymentValues,
oauthConfigs,
options.AgentInactiveDisconnectTimeout,
options.WorkspaceAppAuditSessionTimeout,
options.AppSigningKeyCache,
)

f := appearance.NewDefaultFetcher(api.DeploymentValues.DocsURL.String())
api.AppearanceFetcher.Store(&f)
Expand Down
7 changes: 7 additions & 0 deletions coderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4615,6 +4615,13 @@ func (q *querier) UpsertWorkspaceAgentPortShare(ctx context.Context, arg databas
return q.db.UpsertWorkspaceAgentPortShare(ctx, arg)
}

func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return time.Time{}, err
}
return q.db.UpsertWorkspaceAppAuditSession(ctx, arg)
}

func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, _ rbac.PreparedAuthorized) ([]database.Template, error) {
// TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier.
return q.GetTemplatesWithFilter(ctx, arg)
Expand Down
13 changes: 13 additions & 0 deletions coderd/database/dbauthz/dbauthz_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4065,6 +4065,19 @@ func (s *MethodTestSuite) TestSystemFunctions() {
s.Run("InsertWorkspaceAppStats", s.Subtest(func(db database.Store, check *expects) {
check.Args(database.InsertWorkspaceAppStatsParams{}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
}))
s.Run("UpsertWorkspaceAppAuditSession", s.Subtest(func(db database.Store, check *expects) {
u := dbgen.User(s.T(), db, database.User{})
pj := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: pj.ID})
agent := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
app := dbgen.WorkspaceApp(s.T(), db, database.WorkspaceApp{AgentID: agent.ID})
check.Args(database.UpsertWorkspaceAppAuditSessionParams{
AgentID: agent.ID,
AppID: app.ID,
UserID: u.ID,
Ip: "127.0.0.1",
}).Asserts(rbac.ResourceSystem, policy.ActionUpdate)
}))
s.Run("InsertWorkspaceAgentScriptTimings", s.Subtest(func(db database.Store, check *expects) {
dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
check.Args(database.InsertWorkspaceAgentScriptTimingsParams{
Expand Down
59 changes: 59 additions & 0 deletions coderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ func New() database.Store {
workspaceAgentLogs: make([]database.WorkspaceAgentLog, 0),
workspaceBuilds: make([]database.WorkspaceBuild, 0),
workspaceApps: make([]database.WorkspaceApp, 0),
workspaceAppAuditSessions: make([]database.WorkspaceAppAuditSession, 0),
workspaces: make([]database.WorkspaceTable, 0),
workspaceProxies: make([]database.WorkspaceProxy, 0),
},
Expand Down Expand Up @@ -237,6 +238,7 @@ type data struct {
workspaceAgentMemoryResourceMonitors []database.WorkspaceAgentMemoryResourceMonitor
workspaceAgentVolumeResourceMonitors []database.WorkspaceAgentVolumeResourceMonitor
workspaceApps []database.WorkspaceApp
workspaceAppAuditSessions []database.WorkspaceAppAuditSession
workspaceAppStatsLastInsertID int64
workspaceAppStats []database.WorkspaceAppStat
workspaceBuilds []database.WorkspaceBuild
Expand Down Expand Up @@ -12263,6 +12265,63 @@ func (q *FakeQuerier) UpsertWorkspaceAgentPortShare(_ context.Context, arg datab
return psl, nil
}

func (q *FakeQuerier) UpsertWorkspaceAppAuditSession(_ context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
err := validateDatabaseType(arg)
if err != nil {
return time.Time{}, err
}

q.mutex.Lock()
defer q.mutex.Unlock()

for i, s := range q.workspaceAppAuditSessions {
if s.AgentID != arg.AgentID {
continue
}
if s.AppID != arg.AppID {
continue
}
if s.UserID != arg.UserID {
continue
}
if s.Ip != arg.Ip {
continue
}
if s.UserAgent != arg.UserAgent {
continue
}
if s.SlugOrPort != arg.SlugOrPort {
continue
}
if s.StatusCode != arg.StatusCode {
continue
}

staleTime := dbtime.Now().Add(-(time.Duration(arg.StaleIntervalMS) * time.Millisecond))
fresh := s.UpdatedAt.After(staleTime)

q.workspaceAppAuditSessions[i].UpdatedAt = arg.UpdatedAt
if !fresh {
q.workspaceAppAuditSessions[i].StartedAt = arg.StartedAt
return arg.StartedAt, nil
}
return s.StartedAt, nil
}

q.workspaceAppAuditSessions = append(q.workspaceAppAuditSessions, database.WorkspaceAppAuditSession{
AgentID: arg.AgentID,
AppID: arg.AppID,
UserID: arg.UserID,
Ip: arg.Ip,
UserAgent: arg.UserAgent,
SlugOrPort: arg.SlugOrPort,
StatusCode: arg.StatusCode,
StartedAt: arg.StartedAt,
UpdatedAt: arg.UpdatedAt,
})
return arg.StartedAt, nil
}

func (q *FakeQuerier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, prepared rbac.PreparedAuthorized) ([]database.Template, error) {
if err := validateDatabaseType(arg); err != nil {
return nil, err
Expand Down
7 changes: 7 additions & 0 deletions coderd/database/dbmetrics/querymetrics.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions coderd/database/dbmock/dbmock.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

42 changes: 42 additions & 0 deletions coderd/database/dump.sql
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions coderd/database/foreign_key_constraint.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions coderd/database/migrations/000301_add_workspace_app_audit_sessions.down.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
DROP TABLE workspace_app_audit_sessions;
Loading
Loading