From 2521976f629db977a85cdc09f2b12c78c9b4872d Mon Sep 17 00:00:00 2001 From: Kira Pilot Date: Thu, 26 Jan 2023 23:19:22 +0000 Subject: [PATCH 1/5] chore: update Audit docs to include Audit Actions --- enterprise/audit/table.go | 18 ++++++++++++++++++ scripts/auditdocgen/main.go | 3 ++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go index a609ec68e80ff..2375460b7979c 100644 --- a/enterprise/audit/table.go +++ b/enterprise/audit/table.go @@ -4,8 +4,26 @@ import ( "reflect" "github.com/coder/coder/coderd/database" + "github.com/coder/coder/codersdk" ) +// This mapping creates a relationship between an Auditable Resource +// and the Audit Actions we track for that resource. +// It is important to maintain this mapping when adding a new Auditable Resource to the +// AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go - +// depends upon it. +var AuditActionMap = map[string][]string{ + "GitSSHKey": {string(codersdk.AuditActionCreate)}, + "OrganizationMember": {}, + "Organization": {}, + "Template": {string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, + "TemplateVersion": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite)}, + "User": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, + "Workspace": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, + "WorkspaceBuild": {string(codersdk.AuditActionStart), string(codersdk.AuditActionStop)}, + "AuditableGroup": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, +} + type Action string const ( diff --git a/scripts/auditdocgen/main.go b/scripts/auditdocgen/main.go index 4a304ad6645a8..9d39b870f6c9c 100644 --- a/scripts/auditdocgen/main.go +++ b/scripts/auditdocgen/main.go @@ -117,7 +117,8 @@ func updateAuditDoc(doc []byte, auditableResourcesMap AuditableResourcesMap) ([] buffer.WriteString("|--|-----------------|\n") for _, resourceName := range sortedResourceNames { - buffer.WriteString("|" + resourceName + "|") + auditActionsString := strings.Join(audit.AuditActionMap[resourceName], ", ") + buffer.WriteString("|" + resourceName + "
" + auditActionsString + "|
FieldTracked
") // We must sort the field names to ensure sub-table ordering sortedFieldNames := sortKeys(auditableResourcesMap[resourceName]) From 671b41fc5a26a848c2755f01e310ace0afc7479a Mon Sep 17 00:00:00 2001 From: Kira Pilot Date: Thu, 26 Jan 2023 23:37:08 +0000 Subject: [PATCH 2/5] regenerated audit docs --- docs/admin/audit-logs.md | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/docs/admin/audit-logs.md b/docs/admin/audit-logs.md index 892c61114ce81..57ccad2ac2a01 100644 --- a/docs/admin/audit-logs.md +++ b/docs/admin/audit-logs.md @@ -9,17 +9,15 @@ We track the following resources: -| Resource | | -| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| AuditableGroup |
FieldTracked
FieldTracked
avatar_urltrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
| -| GitSSHKey |
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
| -| Organization |
FieldTracked
created_atfalse
descriptiontrue
idtrue
nametrue
updated_atfalse
| -| OrganizationMember |
FieldTracked
created_atfalse
organization_idtrue
rolestrue
updated_atfalse
user_idtrue
| -| Template |
FieldTracked
active_version_idtrue
allow_user_cancel_workspace_jobstrue
created_atfalse
created_bytrue
default_ttltrue
deletedfalse
descriptiontrue
display_nametrue
group_acltrue
icontrue
idtrue
is_privatetrue
min_autostart_intervaltrue
nametrue
organization_idfalse
provisionertrue
updated_atfalse
user_acltrue
| -| TemplateVersion |
FieldTracked
created_atfalse
created_bytrue
idtrue
job_idfalse
nametrue
organization_idfalse
readmetrue
template_idtrue
updated_atfalse
| -| User |
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typefalse
rbac_rolestrue
statustrue
updated_atfalse
usernametrue
| -| Workspace |
FieldTracked
autostart_scheduletrue
created_atfalse
deletedfalse
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse
| -| WorkspaceBuild |
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_idfalse
job_idfalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
| +| Resource | | +| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuditableGroup
create, write, delete |
FieldTracked
avatar_urltrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
| +| GitSSHKey
create |
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
| +| Template
write, delete |
FieldTracked
active_version_idtrue
allow_user_cancel_workspace_jobstrue
created_atfalse
created_bytrue
default_ttltrue
deletedfalse
descriptiontrue
display_nametrue
group_acltrue
icontrue
idtrue
is_privatetrue
min_autostart_intervaltrue
nametrue
organization_idfalse
provisionertrue
updated_atfalse
user_acltrue
| +| TemplateVersion
create, write |
FieldTracked
created_atfalse
created_bytrue
idtrue
job_idfalse
nametrue
organization_idfalse
readmetrue
template_idtrue
updated_atfalse
| +| User
create, write, delete |
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typefalse
rbac_rolestrue
statustrue
updated_atfalse
usernametrue
| +| Workspace
create, write, delete |
FieldTracked
autostart_scheduletrue
created_atfalse
deletedfalse
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse
| +| WorkspaceBuild
start, stop |
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_idfalse
job_idfalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
| From 987c77409eb4607f9d973848979281c451c91cea Mon Sep 17 00:00:00 2001 From: Kira Pilot Date: Fri, 27 Jan 2023 14:55:41 +0000 Subject: [PATCH 3/5] adjusted check_enterprise_imports.sh --- docs/admin/audit-logs.md | 18 +++++++++--------- scripts/auditdocgen/main.go | 2 +- scripts/check_enterprise_imports.sh | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/admin/audit-logs.md b/docs/admin/audit-logs.md index 57ccad2ac2a01..a18a1f4c7398e 100644 --- a/docs/admin/audit-logs.md +++ b/docs/admin/audit-logs.md @@ -9,15 +9,15 @@ We track the following resources: -| Resource | | -| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| AuditableGroup
create, write, delete |
FieldTracked
avatar_urltrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
| -| GitSSHKey
create |
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
| -| Template
write, delete |
FieldTracked
active_version_idtrue
allow_user_cancel_workspace_jobstrue
created_atfalse
created_bytrue
default_ttltrue
deletedfalse
descriptiontrue
display_nametrue
group_acltrue
icontrue
idtrue
is_privatetrue
min_autostart_intervaltrue
nametrue
organization_idfalse
provisionertrue
updated_atfalse
user_acltrue
| -| TemplateVersion
create, write |
FieldTracked
created_atfalse
created_bytrue
idtrue
job_idfalse
nametrue
organization_idfalse
readmetrue
template_idtrue
updated_atfalse
| -| User
create, write, delete |
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typefalse
rbac_rolestrue
statustrue
updated_atfalse
usernametrue
| -| Workspace
create, write, delete |
FieldTracked
autostart_scheduletrue
created_atfalse
deletedfalse
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse
| -| WorkspaceBuild
start, stop |
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_idfalse
job_idfalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
| +|Resource|| +|--|-----------------| +|AuditableGroup
create, write, delete|
FieldTracked
avatar_urltrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
+|GitSSHKey
create|
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
+|Template
write, delete|
FieldTracked
active_version_idtrue
allow_user_cancel_workspace_jobstrue
created_atfalse
created_bytrue
default_ttltrue
deletedfalse
descriptiontrue
display_nametrue
group_acltrue
icontrue
idtrue
is_privatetrue
min_autostart_intervaltrue
nametrue
organization_idfalse
provisionertrue
updated_atfalse
user_acltrue
+|TemplateVersion
create, write|
FieldTracked
created_atfalse
created_bytrue
idtrue
job_idfalse
nametrue
organization_idfalse
readmetrue
template_idtrue
updated_atfalse
+|User
create, write, delete|
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typefalse
rbac_rolestrue
statustrue
updated_atfalse
usernametrue
+|Workspace
create, write, delete|
FieldTracked
autostart_scheduletrue
created_atfalse
deletedfalse
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse
+|WorkspaceBuild
start, stop|
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_idfalse
job_idfalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
diff --git a/scripts/auditdocgen/main.go b/scripts/auditdocgen/main.go index 9d39b870f6c9c..fa8e87a01c53c 100644 --- a/scripts/auditdocgen/main.go +++ b/scripts/auditdocgen/main.go @@ -118,7 +118,7 @@ func updateAuditDoc(doc []byte, auditableResourcesMap AuditableResourcesMap) ([] for _, resourceName := range sortedResourceNames { auditActionsString := strings.Join(audit.AuditActionMap[resourceName], ", ") - buffer.WriteString("|" + resourceName + "
" + auditActionsString + "|") + buffer.WriteString("|" + resourceName + "
" + auditActionsString + "|
FieldTracked
") // We must sort the field names to ensure sub-table ordering sortedFieldNames := sortKeys(auditableResourcesMap[resourceName]) diff --git a/scripts/check_enterprise_imports.sh b/scripts/check_enterprise_imports.sh index 4aacae53ad869..ed7b8559338fb 100755 --- a/scripts/check_enterprise_imports.sh +++ b/scripts/check_enterprise_imports.sh @@ -9,7 +9,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" cdroot set +e -find . -regex ".*\.go" | grep -v "./enterprise" | grep -v "./scripts/auditdocgen/main.go" | xargs grep -n "github.com/coder/coder/enterprise" +find . -regex ".*\.go" | grep -v "./enterprise" | grep -v "./scripts/auditdocgen/*.go" | xargs grep -n "github.com/coder/coder/enterprise" # reverse the exit code because we want this script to fail if grep finds anything. status=$? set -e From 4516686e6f9a23b0c98190b51fb6ee26bc423bb0 Mon Sep 17 00:00:00 2001 From: Kira Pilot Date: Fri, 27 Jan 2023 15:11:21 +0000 Subject: [PATCH 4/5] PR feedback --- docs/admin/audit-logs.md | 18 +++++++++--------- enterprise/audit/table.go | 16 ++++++++-------- scripts/auditdocgen/main.go | 8 +++++++- 3 files changed, 24 insertions(+), 18 deletions(-) diff --git a/docs/admin/audit-logs.md b/docs/admin/audit-logs.md index a18a1f4c7398e..709abb4b38258 100644 --- a/docs/admin/audit-logs.md +++ b/docs/admin/audit-logs.md @@ -9,15 +9,15 @@ We track the following resources: -|Resource|| -|--|-----------------| -|AuditableGroup
create, write, delete|
FieldTracked
FieldTracked
avatar_urltrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
-|GitSSHKey
create|
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
-|Template
write, delete|
FieldTracked
active_version_idtrue
allow_user_cancel_workspace_jobstrue
created_atfalse
created_bytrue
default_ttltrue
deletedfalse
descriptiontrue
display_nametrue
group_acltrue
icontrue
idtrue
is_privatetrue
min_autostart_intervaltrue
nametrue
organization_idfalse
provisionertrue
updated_atfalse
user_acltrue
-|TemplateVersion
create, write|
FieldTracked
created_atfalse
created_bytrue
idtrue
job_idfalse
nametrue
organization_idfalse
readmetrue
template_idtrue
updated_atfalse
-|User
create, write, delete|
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typefalse
rbac_rolestrue
statustrue
updated_atfalse
usernametrue
-|Workspace
create, write, delete|
FieldTracked
autostart_scheduletrue
created_atfalse
deletedfalse
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse
-|WorkspaceBuild
start, stop|
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_idfalse
job_idfalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
+| Resource | | +| ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuditableGroup
create, write, delete |
FieldTracked
avatar_urltrue
idtrue
memberstrue
nametrue
organization_idfalse
quota_allowancetrue
| +| GitSSHKey
create |
FieldTracked
created_atfalse
private_keytrue
public_keytrue
updated_atfalse
user_idtrue
| +| Template
write, delete |
FieldTracked
active_version_idtrue
allow_user_cancel_workspace_jobstrue
created_atfalse
created_bytrue
default_ttltrue
deletedfalse
descriptiontrue
display_nametrue
group_acltrue
icontrue
idtrue
is_privatetrue
min_autostart_intervaltrue
nametrue
organization_idfalse
provisionertrue
updated_atfalse
user_acltrue
| +| TemplateVersion
create, write |
FieldTracked
created_atfalse
created_bytrue
idtrue
job_idfalse
nametrue
organization_idfalse
readmetrue
template_idtrue
updated_atfalse
| +| User
create, write, delete |
FieldTracked
avatar_urlfalse
created_atfalse
deletedtrue
emailtrue
hashed_passwordtrue
idtrue
last_seen_atfalse
login_typefalse
rbac_rolestrue
statustrue
updated_atfalse
usernametrue
| +| Workspace
create, write, delete |
FieldTracked
autostart_scheduletrue
created_atfalse
deletedfalse
idtrue
last_used_atfalse
nametrue
organization_idfalse
owner_idtrue
template_idtrue
ttltrue
updated_atfalse
| +| WorkspaceBuild
start, stop |
FieldTracked
build_numberfalse
created_atfalse
daily_costfalse
deadlinefalse
idfalse
initiator_idfalse
job_idfalse
provisioner_statefalse
reasonfalse
template_version_idtrue
transitionfalse
updated_atfalse
workspace_idfalse
| diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go index 2375460b7979c..be58f91410c19 100644 --- a/enterprise/audit/table.go +++ b/enterprise/audit/table.go @@ -12,16 +12,16 @@ import ( // It is important to maintain this mapping when adding a new Auditable Resource to the // AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go - // depends upon it. -var AuditActionMap = map[string][]string{ - "GitSSHKey": {string(codersdk.AuditActionCreate)}, +var AuditActionMap = map[string][]codersdk.AuditAction{ + "GitSSHKey": {codersdk.AuditActionCreate}, "OrganizationMember": {}, "Organization": {}, - "Template": {string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, - "TemplateVersion": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite)}, - "User": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, - "Workspace": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, - "WorkspaceBuild": {string(codersdk.AuditActionStart), string(codersdk.AuditActionStop)}, - "AuditableGroup": {string(codersdk.AuditActionCreate), string(codersdk.AuditActionWrite), string(codersdk.AuditActionDelete)}, + "Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete}, + "TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite}, + "User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, + "Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, + "WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop}, + "AuditableGroup": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, } type Action string diff --git a/scripts/auditdocgen/main.go b/scripts/auditdocgen/main.go index fa8e87a01c53c..67bd81b77ef9c 100644 --- a/scripts/auditdocgen/main.go +++ b/scripts/auditdocgen/main.go @@ -117,7 +117,13 @@ func updateAuditDoc(doc []byte, auditableResourcesMap AuditableResourcesMap) ([] buffer.WriteString("|--|-----------------|\n") for _, resourceName := range sortedResourceNames { - auditActionsString := strings.Join(audit.AuditActionMap[resourceName], ", ") + // Create a string of audit actions for each resource + var auditActions []string + for _, action := range audit.AuditActionMap[resourceName] { + auditActions = append(auditActions, string(action)) + } + auditActionsString := strings.Join(auditActions, ", ") + buffer.WriteString("|" + resourceName + "
" + auditActionsString + "|") // We must sort the field names to ensure sub-table ordering From a5a686c01737c1888cdcc45001d62976b8b3ecb4 Mon Sep 17 00:00:00 2001 From: Kira Pilot Date: Fri, 27 Jan 2023 15:21:37 +0000 Subject: [PATCH 5/5] changing script back for now as CI faiiling --- scripts/check_enterprise_imports.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/check_enterprise_imports.sh b/scripts/check_enterprise_imports.sh index ed7b8559338fb..4aacae53ad869 100755 --- a/scripts/check_enterprise_imports.sh +++ b/scripts/check_enterprise_imports.sh @@ -9,7 +9,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" cdroot set +e -find . -regex ".*\.go" | grep -v "./enterprise" | grep -v "./scripts/auditdocgen/*.go" | xargs grep -n "github.com/coder/coder/enterprise" +find . -regex ".*\.go" | grep -v "./enterprise" | grep -v "./scripts/auditdocgen/main.go" | xargs grep -n "github.com/coder/coder/enterprise" # reverse the exit code because we want this script to fail if grep finds anything. status=$? set -e
FieldTracked