synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-15 22:20:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add workspace build start/stop to audit log (#4744)

Browse Source 
* adding workspace_build resource

* added migration

* fix keyword

* got rid oof diffs for workspace builds

* adding workspace name to string

* renamed migrations

* fixed lint

* pass throough AdditionalFields and fix tests

* no need to pass through each handler

* cleaned up migrations

* generated types; fixed missing cases

* logging error
This commit is contained in:
Kira Pilot
2022-10-25 15:34:48 -04:00
committed by GitHub
parent 9070fcd5e7
commit 3c5e292c5a
13 changed files with 131 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
coderd/audit.go
View File

@ -219,12 +219,26 @@ func convertAuditLog(dblog database.GetAuditLogsOffsetRow) codersdk.AuditLog {
} }
} }
type WorkspaceResourceInfo struct {
WorkspaceName string
}
func auditLogDescription(alog database.GetAuditLogsOffsetRow) string { func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
str := fmt.Sprintf("{user} %s %s", str := fmt.Sprintf("{user} %s %s",
codersdk.AuditAction(alog.Action).FriendlyString(), codersdk.AuditAction(alog.Action).FriendlyString(),
codersdk.ResourceType(alog.ResourceType).FriendlyString(), codersdk.ResourceType(alog.ResourceType).FriendlyString(),
) )
// Strings for build updates follow the below format:
// "{user} started workspace build for workspace {target}"
// where target is a workspace instead of the workspace build
if alog.ResourceType == database.ResourceTypeWorkspaceBuild {
workspaceBytes := []byte(alog.AdditionalFields)
var workspaceResourceInfo WorkspaceResourceInfo
_ = json.Unmarshal(workspaceBytes, &workspaceResourceInfo)
str += " for workspace " + workspaceResourceInfo.WorkspaceName
}
// We don't display the name for git ssh keys. It's fairly long and doesn't // We don't display the name for git ssh keys. It's fairly long and doesn't
// make too much sense to display. // make too much sense to display.
if alog.ResourceType != database.ResourceTypeGitSshKey { if alog.ResourceType != database.ResourceTypeGitSshKey {
@ -288,6 +302,8 @@ func resourceTypeFromString(resourceTypeString string) string {
return resourceTypeString return resourceTypeString
case codersdk.ResourceTypeWorkspace: case codersdk.ResourceTypeWorkspace:
return resourceTypeString return resourceTypeString
case codersdk.ResourceTypeWorkspaceBuild:
return resourceTypeString
case codersdk.ResourceTypeGitSSHKey: case codersdk.ResourceTypeGitSSHKey:
return resourceTypeString return resourceTypeString
case codersdk.ResourceTypeAPIKey: case codersdk.ResourceTypeAPIKey:

3
coderd/audit/diff.go
View File

@ -16,7 +16,8 @@ type Auditable interface {
database.User | database.User |
database.Workspace | database.Workspace |
database.GitSSHKey | database.GitSSHKey |
database.Group database.Group |
database.WorkspaceBuild
} }
// Map is a map of changed fields in an audited resource. It maps field names to // Map is a map of changed fields in an audited resource. It maps field names to

18
coderd/audit/request.go
View File

@ -20,8 +20,9 @@ type RequestParams struct {
Audit Auditor Audit Auditor
Log slog.Logger Log slog.Logger
Request *http.Request Request *http.Request
Action database.AuditAction Action database.AuditAction
AdditionalFields json.RawMessage
} }
type Request[T Auditable] struct { type Request[T Auditable] struct {
@ -43,6 +44,9 @@ func ResourceTarget[T Auditable](tgt T) string {
return typed.Username return typed.Username
case database.Workspace: case database.Workspace:
return typed.Name return typed.Name
case database.WorkspaceBuild:
// this isn't used
return string(typed.BuildNumber)
case database.GitSSHKey: case database.GitSSHKey:
return typed.PublicKey return typed.PublicKey
case database.Group: case database.Group:
@ -64,6 +68,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.ID return typed.ID
case database.Workspace: case database.Workspace:
return typed.ID return typed.ID
case database.WorkspaceBuild:
return typed.ID
case database.GitSSHKey: case database.GitSSHKey:
return typed.UserID return typed.UserID
case database.Group: case database.Group:
@ -85,6 +91,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
return database.ResourceTypeUser return database.ResourceTypeUser
case database.Workspace: case database.Workspace:
return database.ResourceTypeWorkspace return database.ResourceTypeWorkspace
case database.WorkspaceBuild:
return database.ResourceTypeWorkspaceBuild
case database.GitSSHKey: case database.GitSSHKey:
return database.ResourceTypeGitSshKey return database.ResourceTypeGitSshKey
case database.Group: case database.Group:
@ -129,6 +137,10 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
} }
} }
if p.AdditionalFields == nil {
p.AdditionalFields = json.RawMessage("{}")
}
ip := parseIP(p.Request.RemoteAddr) ip := parseIP(p.Request.RemoteAddr)
err := p.Audit.Export(ctx, database.AuditLog{ err := p.Audit.Export(ctx, database.AuditLog{
ID: uuid.New(), ID: uuid.New(),
@ -143,7 +155,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
Diff: diffRaw, Diff: diffRaw,
StatusCode: int32(sw.Status), StatusCode: int32(sw.Status),
RequestID: httpmw.RequestID(p.Request), RequestID: httpmw.RequestID(p.Request),
AdditionalFields: json.RawMessage("{}"), AdditionalFields: p.AdditionalFields,
}) })
if err != nil { if err != nil {
p.Log.Error(logCtx, "export audit log", slog.Error(err)) p.Log.Error(logCtx, "export audit log", slog.Error(err))

7
coderd/database/dump.sql generated
View File

@ -14,7 +14,9 @@ CREATE TYPE app_sharing_level AS ENUM (
CREATE TYPE audit_action AS ENUM ( CREATE TYPE audit_action AS ENUM (
'create', 'create',
'write', 'write',
'delete' 'delete',
'start',
'stop'
); );
CREATE TYPE build_reason AS ENUM ( CREATE TYPE build_reason AS ENUM (
@ -88,7 +90,8 @@ CREATE TYPE resource_type AS ENUM (
'workspace', 'workspace',
'git_ssh_key', 'git_ssh_key',
'api_key', 'api_key',
'group' 'group',
'workspace_build'
); );
CREATE TYPE user_status AS ENUM ( CREATE TYPE user_status AS ENUM (

2
coderd/database/migrations/000065_add_audit_enums.down.sql Normal file
View File

@ -0,0 +1,2 @@
-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
-- EXISTS".

4
coderd/database/migrations/000065_add_audit_enums.up.sql Normal file
View File

@ -0,0 +1,4 @@
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'start';
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'stop';
ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'workspace_build';

3
coderd/database/models.go
View File

@ -60,6 +60,8 @@ const (
AuditActionCreate AuditAction = "create" AuditActionCreate AuditAction = "create"
AuditActionWrite AuditAction = "write" AuditActionWrite AuditAction = "write"
AuditActionDelete AuditAction = "delete" AuditActionDelete AuditAction = "delete"
AuditActionStart AuditAction = "start"
AuditActionStop AuditAction = "stop"
) )
func (e *AuditAction) Scan(src interface{}) error { func (e *AuditAction) Scan(src interface{}) error {
@ -302,6 +304,7 @@ const (
ResourceTypeGitSshKey ResourceType = "git_ssh_key" ResourceTypeGitSshKey ResourceType = "git_ssh_key"
ResourceTypeApiKey ResourceType = "api_key" ResourceTypeApiKey ResourceType = "api_key"
ResourceTypeGroup ResourceType = "group" ResourceTypeGroup ResourceType = "group"
ResourceTypeWorkspaceBuild ResourceType = "workspace_build"
) )
func (e *ResourceType) Scan(src interface{}) error { func (e *ResourceType) Scan(src interface{}) error {

61
coderd/workspacebuilds.go
View File

@ -15,6 +15,7 @@ import (
"golang.org/x/exp/slices" "golang.org/x/exp/slices"
"golang.org/x/xerrors" "golang.org/x/xerrors"
"cdr.dev/slog"
"github.com/coder/coder/coderd/audit" "github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi" "github.com/coder/coder/coderd/httpapi"
@ -278,28 +279,62 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
return return
} }
// we only want to create audit logs for delete builds right now auditor := api.Auditor.Load()
// if user deletes a workspace, audit the workspace
if action == rbac.ActionDelete { if action == rbac.ActionDelete {
var ( aReq, commitAudit := audit.InitRequest[database.Workspace](rw, &audit.RequestParams{
auditor = api.Auditor.Load() Audit: *auditor,
aReq, commitAudit = audit.InitRequest[database.Workspace](rw, &audit.RequestParams{ Log: api.Logger,
Audit: *auditor, Request: r,
Log: api.Logger, Action: database.AuditActionDelete,
Request: r, })
Action: database.AuditActionDelete,
})
)
defer commitAudit() defer commitAudit()
aReq.Old = workspace aReq.Old = workspace
} }
if createBuild.TemplateVersionID == uuid.Nil { latestBuild, latestBuildErr := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
latestBuild, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
// if a user starts/stops a workspace, audit the workspace build
if action == rbac.ActionUpdate {
var auditAction database.AuditAction
if createBuild.Transition == codersdk.WorkspaceTransitionStart {
auditAction = database.AuditActionStart
} else if createBuild.Transition == codersdk.WorkspaceTransitionStop {
auditAction = database.AuditActionStop
} else {
auditAction = database.AuditActionWrite
}
// We pass the workspace name to the Auditor so that it
// can form a friendly string for the user.
workspaceResourceInfo := map[string]string{
"workspaceName": workspace.Name,
}
wriBytes, err := json.Marshal(workspaceResourceInfo)
if err != nil { if err != nil {
api.Logger.Error(ctx, "could not marshal workspace name", slog.Error(err))
}
aReq, commitAudit := audit.InitRequest[database.WorkspaceBuild](rw, &audit.RequestParams{
Audit: *auditor,
Log: api.Logger,
Request: r,
Action: auditAction,
AdditionalFields: wriBytes,
})
defer commitAudit()
aReq.Old = latestBuild
}
if createBuild.TemplateVersionID == uuid.Nil {
if latestBuildErr != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error fetching the latest workspace build.", Message: "Internal error fetching the latest workspace build.",
Detail: err.Error(), Detail: latestBuildErr.Error(),
}) })
return return
} }

4
coderd/workspacebuilds_test.go
View File

@ -579,6 +579,6 @@ func TestWorkspaceBuildStatus(t *testing.T) {
require.EqualValues(t, codersdk.WorkspaceStatusDeleted, workspace.LatestBuild.Status) require.EqualValues(t, codersdk.WorkspaceStatusDeleted, workspace.LatestBuild.Status)
// assert an audit log has been created for deletion // assert an audit log has been created for deletion
require.Len(t, auditor.AuditLogs, 5) require.Len(t, auditor.AuditLogs, 7)
assert.Equal(t, database.AuditActionDelete, auditor.AuditLogs[4].Action) assert.Equal(t, database.AuditActionDelete, auditor.AuditLogs[6].Action)
} }

9
codersdk/audit.go
View File

@ -19,6 +19,7 @@ const (
ResourceTypeTemplateVersion ResourceType = "template_version" ResourceTypeTemplateVersion ResourceType = "template_version"
ResourceTypeUser ResourceType = "user" ResourceTypeUser ResourceType = "user"
ResourceTypeWorkspace ResourceType = "workspace" ResourceTypeWorkspace ResourceType = "workspace"
ResourceTypeWorkspaceBuild ResourceType = "workspace_build"
ResourceTypeGitSSHKey ResourceType = "git_ssh_key" ResourceTypeGitSSHKey ResourceType = "git_ssh_key"
ResourceTypeAPIKey ResourceType = "api_key" ResourceTypeAPIKey ResourceType = "api_key"
ResourceTypeGroup ResourceType = "group" ResourceTypeGroup ResourceType = "group"
@ -36,6 +37,8 @@ func (r ResourceType) FriendlyString() string {
return "user" return "user"
case ResourceTypeWorkspace: case ResourceTypeWorkspace:
return "workspace" return "workspace"
case ResourceTypeWorkspaceBuild:
return "workspace build"
case ResourceTypeGitSSHKey: case ResourceTypeGitSSHKey:
return "git ssh key" return "git ssh key"
case ResourceTypeAPIKey: case ResourceTypeAPIKey:
@ -53,6 +56,8 @@ const (
AuditActionCreate AuditAction = "create" AuditActionCreate AuditAction = "create"
AuditActionWrite AuditAction = "write" AuditActionWrite AuditAction = "write"
AuditActionDelete AuditAction = "delete" AuditActionDelete AuditAction = "delete"
AuditActionStart AuditAction = "start"
AuditActionStop AuditAction = "stop"
) )
func (a AuditAction) FriendlyString() string { func (a AuditAction) FriendlyString() string {
@ -63,6 +68,10 @@ func (a AuditAction) FriendlyString() string {
return "updated" return "updated"
case AuditActionDelete: case AuditActionDelete:
return "deleted" return "deleted"
case AuditActionStart:
return "started"
case AuditActionStop:
return "stopped"
default: default:
return "unknown" return "unknown"
} }

15
enterprise/audit/table.go
View File

@ -109,6 +109,21 @@ var AuditableResources = auditMap(map[any]map[string]Action{
"organization_id": ActionIgnore, // Never changes. "organization_id": ActionIgnore, // Never changes.
"avatar_url": ActionTrack, "avatar_url": ActionTrack,
}, },
// We don't show any diff for the WorkspaceBuild resource
&database.WorkspaceBuild{}: {
"id": ActionIgnore,
"created_at": ActionIgnore,
"updated_at": ActionIgnore,
"workspace_id": ActionIgnore,
"template_version_id": ActionIgnore,
"build_number": ActionIgnore,
"transition": ActionIgnore,
"initiator_id": ActionIgnore,
"provisioner_state": ActionIgnore,
"job_id": ActionIgnore,
"deadline": ActionIgnore,
"reason": ActionIgnore,
},
}) })
// auditMap converts a map of struct pointers to a map of struct names as // auditMap converts a map of struct pointers to a map of struct names as

3
site/src/api/typesGenerated.ts
View File

@ -915,7 +915,7 @@ export interface WorkspacesRequest extends Pagination {
export type APIKeyScope = "all" | "application_connect" export type APIKeyScope = "all" | "application_connect"
// From codersdk/audit.go // From codersdk/audit.go
export type AuditAction = "create" | "delete" | "write" export type AuditAction = "create" | "delete" | "start" | "stop" | "write"
// From codersdk/workspacebuilds.go // From codersdk/workspacebuilds.go
export type BuildReason = "autostart" | "autostop" | "initiator" export type BuildReason = "autostart" | "autostop" | "initiator"
@ -975,6 +975,7 @@ export type ResourceType =
| "template_version" | "template_version"
| "user" | "user"
| "workspace" | "workspace"
| "workspace_build"
// From codersdk/sse.go // From codersdk/sse.go
export type ServerSentEventType = "data" | "error" | "ping" export type ServerSentEventType = "data" | "error" | "ping"

18
site/src/components/AuditLogRow/AuditLogRow.tsx
View File

@ -130,13 +130,11 @@ export const AuditLogRow: React.FC<AuditLogRowProps> = ({
</Stack> </Stack>
</Stack> </Stack>
<div {shouldDisplayDiff ? (
className={ <div> {isDiffOpen ? <CloseDropdown /> : <OpenDropdown />}</div>
shouldDisplayDiff ? undefined : styles.disabledDropdownIcon ) : (
} <div className={styles.columnWithoutDiff}></div>
> )}
{isDiffOpen ? <CloseDropdown /> : <OpenDropdown />}
</div>
</Stack> </Stack>
{shouldDisplayDiff && ( {shouldDisplayDiff && (
@ -190,8 +188,8 @@ const useStyles = makeStyles((theme) => ({
color: theme.palette.text.secondary, color: theme.palette.text.secondary,
whiteSpace: "nowrap", whiteSpace: "nowrap",
}, },
// offset the absence of the arrow icon on diff-less logs
disabledDropdownIcon: { columnWithoutDiff: {
opacity: 0.5, marginLeft: "24px",
}, },
})) }))