chore!: route connection logs to new table #18340

Merged: 1 commit, Jul 15, 2025

@ethanndickson (Member) commented Jun 12, 2025

Breaking Change (changelog note):

Connections to workspaces (via SSH, workspace apps, or browser port-forwarding) will no longer create entries in the audit log. Those events will now be included in the 'Connection Log'.
Please see the 'Connection Log' page in the dashboard, and the Connection Log documentation for details. Those with permission to view the Audit Log will also be able to view the Connection Log. The new Connection Log has the same licensing restrictions as the Audit Log, and requires a Premium Coder deployment.

Context

This is the first PR of a few for moving connection events out of the audit log, and into a new database table and web UI page called the 'Connection Log'.

This PR:

  • Creates the new table
  • Adds and tests queries for inserting and reading, including reading with an RBAC filter.
  • Implements the corresponding RBAC changes, such that anyone who can view the audit log can read from the table
  • Implements, under the enterprise package, a ConnectionLogger abstraction to replace the Auditor abstraction for these logs. (No-op'd in AGPL, like the Auditor)
  • Routes SSH connection and Workspace App events into the new ConnectionLogger
  • Updates all existing tests to check the values of the ConnectionLogger instead of the Auditor.

Future PRs:

  • Add filtering to the query
  • Add an enterprise endpoint to query the new table
  • Write a query to delete old events from the audit log, call it from dbpurge.
  • Implement a table in the Web UI for viewing connection logs.

Note

The PRs in this stack obviously won't be (completely) atomic. Whilst they'll each pass CI, the stack is designed to be merged all at once. I'm splitting them up for the sake of those reviewing, and so changes can be reviewed as early as possible. Despite this, it's really hard to make this PR any smaller than it already is. I'll be keeping it in draft until it's actually ready to merge.
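The routing split the description lists, as an added Go sketch that is not part of the original post and not Coder's code. Every type and function name here is hypothetical, and the sample events are constructed. Connection events go to a ConnectionLogger (a no-op in the AGPL build) instead of the audit sink, and reads are gated on audit-log read permission.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical names throughout: a sketch of the pattern, not Coder's API.
// Kind values ("ssh", "workspace_app", "template_update") are constructed.
type Event struct{ Kind, User string }

// ConnectionLogger is the sink connection events go to instead of the auditor.
type ConnectionLogger interface{ Log(Event) }

// NopLogger models the AGPL build: connection events are dropped.
type NopLogger struct{}

func (NopLogger) Log(Event) {}

// TableLogger stands in for the database-backed enterprise logger.
type TableLogger struct{ rows []Event }

func (t *TableLogger) Log(e Event) { t.rows = append(t.rows, e) }

var ErrForbidden = errors.New("audit log read permission required")

// Read applies the PR's rule: audit-log readers may read connection logs.
func (t *TableLogger) Read(canReadAuditLog bool) ([]Event, error) {
	if !canReadAuditLog {
		return nil, ErrForbidden
	}
	return append([]Event(nil), t.rows...), nil
}

// Route sends connection events to conn and every other event to audit.
func Route(events []Event, conn ConnectionLogger, audit *[]Event) {
	for _, e := range events {
		if e.Kind == "ssh" || e.Kind == "workspace_app" {
			conn.Log(e)
		} else {
			*audit = append(*audit, e)
		}
	}
}

func main() {
	evs := []Event{{"ssh", "alice"}, {"template_update", "bob"}}
	table, audit := &TableLogger{}, []Event{}
	Route(evs, table, &audit)
	fmt.Println(len(audit), len(table.rows))
}
```

With NopLogger wired in, the same connection events reach neither sink, so any monitoring that read them from the audit log has to move to the Connection Log.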

@ethanndickson requested a review from Copilot June 12, 2025 07:58

@ethanndickson (Member, Author) commented:

Requesting a draft review just to confirm we're happy with the DB schema, the RBAC setup, and the overall direction.

@mafredri (Member) left a comment:

Nice work! I think this looks great in general, but the upsert part of the logic here doesn't fully make sense to me (see related comment). Could you elaborate on the intent?

@github-actions bot added the stale label (This issue is like stale bread.) Jun 24, 2025
@ethanndickson removed the stale label (This issue is like stale bread.) Jun 24, 2025
@ethanndickson force-pushed the ethan/reroute-connection-logs branch 2 times, most recently from 947ccd1 to 5231bef, June 27, 2025 09:13
@ethanndickson force-pushed the ethan/reroute-connection-logs branch from e4e1a04 to 1fcd8d7, June 30, 2025 12:03
@ethanndickson changed the title from "chore: route connection logs to new table" to "chore!: route connection logs to new table" Jul 2, 2025
@ethanndickson added the release/breaking label (This label is applied to PRs to detect breaking changes as part of the release process) Jul 2, 2025
@ethanndickson marked this pull request as ready for review July 3, 2025 08:23
@ethanndickson requested a review from Copilot July 8, 2025 05:05

@mafredri (Member) left a comment:

Some minor nits and suggestions but largely looks alright to me, nice work! 👍🏻

Also, obligatory: ./coderd/database/migrations/fix_migration_numbers.sh.

@ethanndickson force-pushed the ethan/reroute-connection-logs branch 2 times, most recently from f47a3f7 to 0346609, July 10, 2025 10:28
@ethanndickson requested a review from Copilot July 10, 2025 10:51

@Copilot (Contributor) left a comment:

Pull Request Overview

This PR introduces a dedicated connection_logs table and replaces audit-based connection events with a new ConnectionLogger abstraction, ensuring SSH and Workspace App connections are recorded in their own table and UI. Key changes include:

  • Schema and SQL migrations for connection_logs, plus generated Go query methods and RBAC filters.
  • New ConnectionLogger abstraction in both enterprise and open core, replacing audit calls for connection events.
  • Updates across CLI, API server, agent API, and tests to route connection events through ConnectionLogger.

Reviewed Changes

Copilot reviewed 54 out of 54 changed files in this pull request and generated 1 comment.

File | Description
enterprise/coderd/connectionlog/connectionlog.go | Implements Backend and ConnectionLogger types
coderd/database/migrations/000349_connection_logs.up.sql | Creates connection_logs table and types
coderd/database/queries/connectionlogs.sql | SQL for reading and upserting connection logs
coderd/workspaceapps/db.go | Replaces audit logic with connection logging
coderd/agentapi/connectionlog.go | New agent API endpoint for reporting connections
coderd/database/types.go | Adds ParseIP helper for inet type
coderd/database/queries.sql.go | Adds generated GetConnectionLogsOffset and UpsertConnectionLog methods

Comments suppressed due to low confidence (2)

coderd/workspaceapps/db.go:97

  • [nitpick] The variable name commitAudit is misleading since this sets up connection logging, not audit logging. Consider renaming it to commitConnLog or commitConnectionLog for clarity.
	aReq, commitAudit := p.connLogInitRequest(ctx, rw, r)

coderd/workspaceapps/db.go:394

  • [nitpick] The comment uses “connect log” where “connection log” would match the terminology used elsewhere. Consider updating for consistency.
// connLogInitRequest creates a new connection log session and connect log for the

@ethanndickson force-pushed the ethan/reroute-connection-logs branch 3 times, most recently from 7d13236 to bea35a3, July 15, 2025 03:33
@ethanndickson force-pushed the ethan/reroute-connection-logs branch from bea35a3 to 3164ea2, July 15, 2025 04:00

@ethanndickson (Member, Author) commented Jul 15, 2025

Merge activity

  • Jul 15, 4:35 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Jul 15, 4:36 AM UTC: @ethanndickson merged this pull request with Graphite.

@ethanndickson ethanndickson merged commit 08e17a0 into main Jul 15, 2025
34 of 36 checks passed
@ethanndickson ethanndickson deleted the ethan/reroute-connection-logs branch July 15, 2025 04:36