Skip to content

feat: audit addition and removal of licenses #6125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Feb 14, 2023
Merged

feat: audit addition and removal of licenses #6125

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
58258ba
added license audit resource
Kira-Pilot Feb 8, 2023
6c74292
audit delete licenses
Kira-Pilot Feb 8, 2023
7ca3ec5
added filtering
Kira-Pilot Feb 8, 2023
222ab40
remove logs
Kira-Pilot Feb 8, 2023
a96bffc
making the best of the current UUID situation
Kira-Pilot Feb 9, 2023
c3f730e
fixed lint
Kira-Pilot Feb 9, 2023
5ef23bb
fix tests
Kira-Pilot Feb 9, 2023
94aa363
regen docs
Kira-Pilot Feb 9, 2023
e66b9a8
Merge remote-tracking branch 'origin/main' into audit-licenses/kira-p…
Kira-Pilot Feb 14, 2023
5e29a73
PR feedback
Kira-Pilot Feb 14, 2023
e726434
PR feedback
Kira-Pilot Feb 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
audit delete licenses
  • Loading branch information
@Kira-Pilot
Kira-Pilot committed Feb 8, 2023
commit 6c7429243b45a7025d85be85250f77edfa4b764f
3 changes: 2 additions & 1 deletion coderd/audit/diff.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ type Auditable interface {
database.Workspace |
database.GitSSHKey |
database.WorkspaceBuild |
database.AuditableGroup
database.AuditableGroup |
database.License
}

// Map is a map of changed fields in an audited resource. It maps field names to
Expand Down
7 changes: 6 additions & 1 deletion coderd/audit/request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.UserID
case database.License:
// this isn't right
return uuid.Nil
return uuid.New()
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idk that we can merge this up with this line the way it is.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a reason we can't just use the numerical id?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coadler Do you mean the the License.ID field? That is type int32 - if we used that that, how would we get the AuditLog model to accept it, given it only takes UUIDs?
Another issue: for some reason, License.ID changes. Like if I delete 'license 4' in the CLI, the License.ID will change from 4 to 0. IDK why we're doing this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coadler fixed with the merge of #6012!

default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand Down Expand Up @@ -134,6 +134,7 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
// that should be deferred, causing the audit log to be committed when the
// handler returns.
func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request[T], func()) {
fmt.Println("im in the init request")
sw, ok := w.(*tracing.StatusWriter)
if !ok {
panic("dev error: http.ResponseWriter is not *tracing.StatusWriter")
Expand All @@ -144,6 +145,8 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
}

return req, func() {
fmt.Println("im in the init request callback")

ctx := context.Background()
logCtx := p.Request.Context()

Expand All @@ -155,6 +158,8 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
// TODO: introduce the concept of an anonymous user so we always have a userID even
// when dealing with a mystery user. https://github.com/coder/coder/issues/6054
if req.params.Action != database.AuditActionLogin && req.params.Action != database.AuditActionLogout {
fmt.Println("im silently bailing")

return
}
}
Expand Down
12 changes: 12 additions & 0 deletions coderd/database/dbfake/databasefake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3808,6 +3808,18 @@ func (q *fakeQuerier) InsertLicense(
return l, nil
}

func (q *fakeQuerier) GetLicense(_ context.Context, id int32) (database.License, error) {
q.mutex.RLock()
defer q.mutex.RUnlock()

for _, l := range q.licenses {
if l.ID == id {
return l, nil
}
}
return database.License{}, sql.ErrNoRows
}

func (q *fakeQuerier) GetLicenses(_ context.Context) ([]database.License, error) {
q.mutex.RLock()
defer q.mutex.RUnlock()
Expand Down
1 change: 1 addition & 0 deletions coderd/database/querier.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 19 additions & 0 deletions coderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions coderd/database/queries/licenses.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,11 @@ INSERT INTO
VALUES
($1, $2, $3, $4) RETURNING *;

-- name: GetLicense :one
SELECT *
FROM licenses
WHERE id = $1;

-- name: GetLicenses :many
SELECT *
FROM licenses
Expand Down
2 changes: 2 additions & 0 deletions codersdk/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ func (r ResourceType) FriendlyString() string {
return "api key"
case ResourceTypeGroup:
return "group"
case ResourceTypeLicense:
return "license"
default:
return "unknown"
}
Expand Down
48 changes: 42 additions & 6 deletions enterprise/coderd/licenses.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
_ "embed"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"strconv"
"strings"
Expand All @@ -20,6 +21,7 @@ import (

"cdr.dev/slog"
"github.com/coder/coder/coderd"
"github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/coderd/rbac"
Expand Down Expand Up @@ -59,7 +61,19 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220
// @Success 201 {object} codersdk.License
// @Router /licenses [post]
func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
fmt.Println("im in postLicense")
var (
ctx = r.Context()
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.License](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionCreate,
})
)
defer commitAudit()

if !api.AGPL.Authorize(r, rbac.ActionCreate, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
Expand Down Expand Up @@ -114,6 +128,8 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
})
return
}
aReq.New = dl

err = api.updateEntitlements(ctx)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Expand Down Expand Up @@ -181,11 +197,10 @@ func (api *API) licenses(rw http.ResponseWriter, r *http.Request) {
// @Success 200
// @Router /licenses/{id} [delete]
func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
}
var (
ctx = r.Context()
auditor = api.AGPL.Auditor.Load()
)

idStr := chi.URLParam(r, "id")
id, err := strconv.ParseInt(idStr, 10, 32)
Expand All @@ -196,6 +211,27 @@ func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
return
}

license, err := api.Database.GetLicense(ctx, int32(id))
if err != nil {
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
Message: "Could not retrieve license; cannot audit",
})
}

aReq, commitAudit := audit.InitRequest[database.License](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionDelete,
})
defer commitAudit()
aReq.Old = license

if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
}

_, err = api.Database.DeleteLicense(ctx, int32(id))
if xerrors.Is(err, sql.ErrNoRows) {
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
Expand Down