Skip to content

feat: audit addition and removal of licenses #6125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Feb 14, 2023
Merged

feat: audit addition and removal of licenses #6125

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
58258ba
added license audit resource
Kira-Pilot Feb 8, 2023
6c74292
audit delete licenses
Kira-Pilot Feb 8, 2023
7ca3ec5
added filtering
Kira-Pilot Feb 8, 2023
222ab40
remove logs
Kira-Pilot Feb 8, 2023
a96bffc
making the best of the current UUID situation
Kira-Pilot Feb 9, 2023
c3f730e
fixed lint
Kira-Pilot Feb 9, 2023
5ef23bb
fix tests
Kira-Pilot Feb 9, 2023
94aa363
regen docs
Kira-Pilot Feb 9, 2023
e66b9a8
Merge remote-tracking branch 'origin/main' into audit-licenses/kira-p…
Kira-Pilot Feb 14, 2023
5e29a73
PR feedback
Kira-Pilot Feb 14, 2023
e726434
PR feedback
Kira-Pilot Feb 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions coderd/apidoc/docs.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions coderd/apidoc/swagger.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions coderd/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -456,6 +456,8 @@ func resourceTypeFromString(resourceTypeString string) string {
return resourceTypeString
case codersdk.ResourceTypeGroup:
return resourceTypeString
case codersdk.ResourceTypeLicense:
return resourceTypeString
}
return ""
}
Expand Down
3 changes: 2 additions & 1 deletion coderd/audit/diff.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ type Auditable interface {
database.Workspace |
database.GitSSHKey |
database.WorkspaceBuild |
database.AuditableGroup
database.AuditableGroup |
database.License
}

// Map is a map of changed fields in an audited resource. It maps field names to
Expand Down
11 changes: 11 additions & 0 deletions coderd/audit/request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,11 @@ func ResourceTarget[T Auditable](tgt T) string {
case database.APIKey:
// this isn't used
return ""
case database.License:
// this isn't used
// TODO: return an ID here when the below ticket is completed:
// https://github.com/coder/coder/pull/6012
return ""
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand All @@ -94,6 +99,10 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.Group.ID
case database.APIKey:
return typed.UserID
case database.License:
// TODO: return a valid ID here when the below ticket is completed:
// https://github.com/coder/coder/pull/6012
return uuid.New()
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idk that we can merge this up with this line the way it is.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a reason we can't just use the numerical id?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coadler Do you mean the the License.ID field? That is type int32 - if we used that that, how would we get the AuditLog model to accept it, given it only takes UUIDs?
Another issue: for some reason, License.ID changes. Like if I delete 'license 4' in the CLI, the License.ID will change from 4 to 0. IDK why we're doing this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coadler fixed with the merge of #6012!

default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand All @@ -117,6 +126,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
return database.ResourceTypeGroup
case database.APIKey:
return database.ResourceTypeApiKey
case database.License:
return database.ResourceTypeLicense
default:
panic(fmt.Sprintf("unknown resource %T", tgt))
}
Expand Down
12 changes: 12 additions & 0 deletions coderd/database/dbfake/databasefake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3808,6 +3808,18 @@ func (q *fakeQuerier) InsertLicense(
return l, nil
}

func (q *fakeQuerier) GetLicense(_ context.Context, id int32) (database.License, error) {
q.mutex.RLock()
defer q.mutex.RUnlock()

for _, l := range q.licenses {
if l.ID == id {
return l, nil
}
}
return database.License{}, sql.ErrNoRows
}

func (q *fakeQuerier) GetLicenses(_ context.Context) ([]database.License, error) {
q.mutex.RLock()
defer q.mutex.RUnlock()
Expand Down
3 changes: 2 additions & 1 deletion coderd/database/dump.sql
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions coderd/database/migrations/000097_add_resource_type_license.down.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
-- EXISTS".
3 changes: 3 additions & 0 deletions coderd/database/migrations/000097_add_resource_type_license.up.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
ALTER TYPE resource_type
ADD VALUE IF NOT EXISTS 'license';

5 changes: 4 additions & 1 deletion coderd/database/models.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions coderd/database/querier.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 19 additions & 0 deletions coderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions coderd/database/queries/licenses.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,11 @@ INSERT INTO
VALUES
($1, $2, $3, $4) RETURNING *;

-- name: GetLicense :one
SELECT *
FROM licenses
WHERE id = $1;

-- name: GetLicenses :many
SELECT *
FROM licenses
Expand Down
3 changes: 3 additions & 0 deletions codersdk/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ const (
ResourceTypeGitSSHKey ResourceType = "git_ssh_key"
ResourceTypeAPIKey ResourceType = "api_key"
ResourceTypeGroup ResourceType = "group"
ResourceTypeLicense ResourceType = "license"
)

func (r ResourceType) FriendlyString() string {
Expand All @@ -44,6 +45,8 @@ func (r ResourceType) FriendlyString() string {
return "api key"
case ResourceTypeGroup:
return "group"
case ResourceTypeLicense:
return "license"
default:
return "unknown"
}
Expand Down
1 change: 1 addition & 0 deletions docs/admin/audit-logs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ We track the following resources:
| APIKey<br><i>write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>expires_at</td><td>false</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>false</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>false</td></tr></tbody></table> |
| Group<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr></tbody></table> |
| GitSSHKey<br><i>create</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table> |
| License<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>false</td></tr><tr><td>uuid</td><td>false</td></tr></tbody></table> |
| Template<br><i>write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>is_private</td><td>true</td></tr><tr><td>min_autostart_interval</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
| TemplateVersion<br><i>create, write</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> |
| User<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table> |
Expand Down
1 change: 1 addition & 0 deletions docs/api/schemas.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3991,6 +3991,7 @@ Parameter represents a set value for the scope.
| `git_ssh_key` |
| `api_key` |
| `group` |
| `license` |

## codersdk.Response

Expand Down
28 changes: 18 additions & 10 deletions enterprise/audit/table.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,16 +13,15 @@ import (
// AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go -
// depends upon it.
var AuditActionMap = map[string][]codersdk.AuditAction{
"GitSSHKey": {codersdk.AuditActionCreate},
"OrganizationMember": {},
"Organization": {},
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"APIKey": {codersdk.AuditActionWrite},
"GitSSHKey": {codersdk.AuditActionCreate},
"Template": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
"User": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"Workspace": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"WorkspaceBuild": {codersdk.AuditActionStart, codersdk.AuditActionStop},
"Group": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"APIKey": {codersdk.AuditActionWrite},
"License": {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
}

type Action string
Expand Down Expand Up @@ -147,6 +146,15 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"ip_address": ActionIgnore,
"scope": ActionIgnore,
},
// TODO: track an ID here when the below ticket is completed:
// https://github.com/coder/coder/pull/6012
&database.License{}: {
"id": ActionIgnore,
"uploaded_at": ActionIgnore,
"jwt": ActionIgnore,
"exp": ActionTrack,
"uuid": ActionIgnore,
},
})

// auditMap converts a map of struct pointers to a map of struct names as
Expand Down
45 changes: 39 additions & 6 deletions enterprise/coderd/licenses.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (

"cdr.dev/slog"
"github.com/coder/coder/coderd"
"github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/coderd/rbac"
Expand Down Expand Up @@ -59,7 +60,18 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220
// @Success 201 {object} codersdk.License
// @Router /licenses [post]
func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
var (
ctx = r.Context()
auditor = api.AGPL.Auditor.Load()
aReq, commitAudit = audit.InitRequest[database.License](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionCreate,
})
)
defer commitAudit()

if !api.AGPL.Authorize(r, rbac.ActionCreate, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
Expand Down Expand Up @@ -114,6 +126,8 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
})
return
}
aReq.New = dl

err = api.updateEntitlements(ctx)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Expand Down Expand Up @@ -181,11 +195,10 @@ func (api *API) licenses(rw http.ResponseWriter, r *http.Request) {
// @Success 200
// @Router /licenses/{id} [delete]
func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
}
var (
ctx = r.Context()
auditor = api.AGPL.Auditor.Load()
)

idStr := chi.URLParam(r, "id")
id, err := strconv.ParseInt(idStr, 10, 32)
Expand All @@ -196,6 +209,26 @@ func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) {
return
}

dl, err := api.Database.GetLicense(ctx, int32(id))
if err != nil {
// don't fail the HTTP request simply because we cannot audit
api.Logger.Warn(context.Background(), "could not retrieve license; cannot audit", slog.Error(err))
}

aReq, commitAudit := audit.InitRequest[database.License](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: database.AuditActionDelete,
})
defer commitAudit()
aReq.Old = dl

if !api.AGPL.Authorize(r, rbac.ActionDelete, rbac.ResourceLicense) {
httpapi.Forbidden(rw)
return
}

_, err = api.Database.DeleteLicense(ctx, int32(id))
if xerrors.Is(err, sql.ErrNoRows) {
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
Expand Down
2 changes: 2 additions & 0 deletions site/src/api/typesGenerated.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1180,6 +1180,7 @@ export type ResourceType =
| "api_key"
| "git_ssh_key"
| "group"
| "license"
| "template"
| "template_version"
| "user"
Expand All @@ -1189,6 +1190,7 @@ export const ResourceTypes: ResourceType[] = [
"api_key",
"git_ssh_key",
"group",
"license",
"template",
"template_version",
"user",
Expand Down