feat(audit): auditing token addition and removal (coder#6649)

Kira-Pilot · web-flow · commit 090e37fc461f · 2023-03-17T10:41:44.000-07:00
* auditing tokens

* adding diffs for token auditing

* added test

* generating docs

* auditing owner field
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -18,6 +18,7 @@ import (
 	"github.com/tabbed/pqtype"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
@@ -40,8 +41,19 @@ import (
 // @Success 201 {object} codersdk.GenerateAPIKeyResponse
 // @Router /users/{user}/keys/tokens [post]
 func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	user := httpmw.UserParam(r)
+	var (
+		ctx               = r.Context()
+		user              = httpmw.UserParam(r)
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionCreate,
+		})
+	)
+	aReq.Old = database.APIKey{}
+	defer commitAudit()
 
 	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
 		httpapi.ResourceNotFound(rw)
@@ -79,7 +91,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cookie, _, err := api.createAPIKey(ctx, createAPIKeyParams{
+	cookie, key, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		ExpiresAt:       database.Now().Add(lifeTime),
@@ -104,7 +116,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-
+	aReq.New = *key
 	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.GenerateAPIKeyResponse{Key: cookie.Value})
 }
 
@@ -314,17 +326,30 @@ func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
 // @Router /users/{user}/keys/{keyid} [delete]
 func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) {
 	var (
-		ctx   = r.Context()
-		user  = httpmw.UserParam(r)
-		keyID = chi.URLParam(r, "keyid")
+		ctx               = r.Context()
+		user              = httpmw.UserParam(r)
+		keyID             = chi.URLParam(r, "keyid")
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionDelete,
+		})
+		key, err = api.Database.GetAPIKeyByID(ctx, keyID)
 	)
+	if err != nil {
+		api.Logger.Warn(ctx, "get API Key for audit log")
+	}
+	aReq.Old = key
+	defer commitAudit()
 
 	if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceAPIKey.WithIDString(keyID).WithOwner(user.ID.String())) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
 
-	err := api.Database.DeleteAPIKeyByID(ctx, keyID)
+	err = api.Database.DeleteAPIKeyByID(ctx, keyID)
 	if errors.Is(err, sql.ErrNoRows) {
 		httpapi.ResourceNotFound(rw)
 		return
diff --git a/coderd/apikey_test.go b/coderd/apikey_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/cli/clibase"
+	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbtestutil"
@@ -23,15 +24,20 @@ func TestTokenCRUD(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancel()
-	client := coderdtest.New(t, nil)
+	auditor := audit.NewMock()
+	numLogs := len(auditor.AuditLogs)
+	client := coderdtest.New(t, &coderdtest.Options{Auditor: auditor})
 	_ = coderdtest.CreateFirstUser(t, client)
+	numLogs++ // add an audit log for user creation
+
 	keys, err := client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.Empty(t, keys)
 
 	res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
 	require.NoError(t, err)
 	require.Greater(t, len(res.Key), 2)
+	numLogs++ // add an audit log for token creation
 
 	keys, err = client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
@@ -46,9 +52,15 @@ func TestTokenCRUD(t *testing.T) {
 
 	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
 	require.NoError(t, err)
+	numLogs++ // add an audit log for token deletion
 	keys, err = client.Tokens(ctx, codersdk.Me, codersdk.TokensFilter{})
 	require.NoError(t, err)
 	require.Empty(t, keys)
+
+	// ensure audit log count is correct
+	require.Len(t, auditor.AuditLogs, numLogs)
+	require.Equal(t, database.AuditActionCreate, auditor.AuditLogs[numLogs-2].Action)
+	require.Equal(t, database.AuditActionDelete, auditor.AuditLogs[numLogs-1].Action)
 }
 
 func TestTokenScoped(t *testing.T) {
diff --git a/coderd/audit.go b/coderd/audit.go
@@ -254,9 +254,10 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
 		codersdk.AuditAction(alog.Action).Friendly(),
 	)
 
-	// API Key resources do not have targets and follow the below format:
+	// API Key resources (used for authentication) do not have targets and follow the below format:
 	// "User {logged in | logged out}"
-	if alog.ResourceType == database.ResourceTypeApiKey {
+	if alog.ResourceType == database.ResourceTypeApiKey &&
+		(alog.Action == database.AuditActionLogin || alog.Action == database.AuditActionLogout) {
 		return str
 	}
 
diff --git a/coderd/audit/request.go b/coderd/audit/request.go
@@ -70,7 +70,11 @@ func ResourceTarget[T Auditable](tgt T) string {
 	case database.AuditableGroup:
 		return typed.Group.Name
 	case database.APIKey:
-		// this isn't used
+		if typed.TokenName != "nil" {
+			return typed.TokenName
+		}
+		// API Keys without names are used for auth
+		// and don't have a target
 		return ""
 	case database.License:
 		return strconv.Itoa(int(typed.ID))
@@ -159,8 +163,10 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 		}
 
 		diffRaw := []byte("{}")
-		// Only generate diffs if the request succeeded.
-		if sw.Status < 400 {
+		// Only generate diffs if the request succeeded
+		// and only if we aren't auditing authentication actions
+		if sw.Status < 400 &&
+			req.params.Action != database.AuditActionLogin && req.params.Action != database.AuditActionLogout {
 			diff := Diff(p.Audit, req.Old, req.New)
 
 			var err error
diff --git a/codersdk/audit.go b/codersdk/audit.go
@@ -42,7 +42,7 @@ func (r ResourceType) FriendlyString() string {
 	case ResourceTypeGitSSHKey:
 		return "git ssh key"
 	case ResourceTypeAPIKey:
-		return "api key"
+		return "token"
 	case ResourceTypeGroup:
 		return "group"
 	case ResourceTypeLicense:
diff --git a/docs/admin/audit-logs.md b/docs/admin/audit-logs.md
diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go

Original file line number	Diff line number	Diff line change
`@@ -254,9 +254,10 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {`
`254`	`254`	`codersdk.AuditAction(alog.Action).Friendly(),`
`255`	`255`	`)`
`256`	`256`
`257`		`- // API Key resources do not have targets and follow the below format:`
	`257`	`+ // API Key resources (used for authentication) do not have targets and follow the below format:`
`258`	`258`	`// "User {logged in \| logged out}"`
`259`		`- if alog.ResourceType == database.ResourceTypeApiKey {`
	`259`	`+ if alog.ResourceType == database.ResourceTypeApiKey &&`
	`260`	`+ (alog.Action == database.AuditActionLogin \|\| alog.Action == database.AuditActionLogout) {`
`260`	`261`	`return str`
`261`	`262`	`}`
`262`	`263`