synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-13 21:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: fully implement enterprise audit pkg (#3821)

Browse Source
This commit is contained in:
Colin Adler
2022-09-02 11:42:28 -05:00
committed by GitHub
parent fefdff4946
commit 55c13c8ff9
12 changed files with 164 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
coderd/audit/exporter.go
View File

@ -1,55 +0,0 @@
package audit
import (
"context"
"golang.org/x/xerrors"
"github.com/coder/coder/coderd/database"
)
// Backends can store or send audit logs to arbitrary locations.
type Backend interface {
// Decision determines the FilterDecisions that the backend tolerates.
Decision() FilterDecision
// Export sends an audit log to the backend.
Export(ctx context.Context, alog database.AuditLog) error
}
// Exporter exports audit logs to an arbitrary list of backends.
type Exporter struct {
filter Filter
backends []Backend
}
// NewExporter creates an exporter from the given filter and backends.
func NewExporter(filter Filter, backends ...Backend) *Exporter {
return &Exporter{
filter: filter,
backends: backends,
}
}
// Export exports and audit log. Before exporting to a backend, it uses the
// filter to determine if the backend tolerates the audit log. If not, it is
// dropped.
func (e *Exporter) Export(ctx context.Context, alog database.AuditLog) error {
decision, err := e.filter.Check(ctx, alog)
if err != nil {
return xerrors.Errorf("filter check: %w", err)
}
for _, backend := range e.backends {
if decision&backend.Decision() != backend.Decision() {
continue
}
err = backend.Export(ctx, alog)
if err != nil {
// naively return the first error. should probably make this smarter
// by returning multiple errors.
return xerrors.Errorf("export audit log to backend: %w", err)
}
}
return nil
}

42
coderd/audit/filter.go
View File

@ -1,42 +0,0 @@
package audit
import (
"context"
"github.com/coder/coder/coderd/database"
)
// FilterDecision is a bitwise flag describing the actions a given filter allows
// for a given audit log.
type FilterDecision uint8
const (
// FilterDecisionDrop indicates that the audit log should be dropped. It
// should not be stored or exported anywhere.
FilterDecisionDrop FilterDecision = 0
// FilterDecisionStore indicates that the audit log should be allowed to be
// stored in the Coder database.
FilterDecisionStore FilterDecision = 1 << iota
// FilterDecisionExport indicates that the audit log should be exported
// externally of Coder.
FilterDecisionExport
)
// Filters produce a FilterDecision for a given audit log.
type Filter interface {
Check(ctx context.Context, alog database.AuditLog) (FilterDecision, error)
}
// DefaultFilter is the default filter used when exporting audit logs. It allows
// storage and exporting for all audit logs.
var DefaultFilter Filter = FilterFunc(func(ctx context.Context, alog database.AuditLog) (FilterDecision, error) {
// Store and export all audit logs for now.
return FilterDecisionStore | FilterDecisionExport, nil
})
// FilterFunc constructs a Filter from a simple function.
type FilterFunc func(ctx context.Context, alog database.AuditLog) (FilterDecision, error)
func (f FilterFunc) Check(ctx context.Context, alog database.AuditLog) (FilterDecision, error) {
return f(ctx, alog)
}

59
coderd/audit/request.go
View File

@ -2,19 +2,25 @@ package audit
import ( import (
"context" "context"
"encoding/json"
"net"
"net/http" "net/http"
chimw "github.com/go-chi/chi/v5/middleware"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/tabbed/pqtype"
"cdr.dev/slog" "cdr.dev/slog"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
) )
type RequestParams struct { type RequestParams struct {
Audit Auditor Audit Auditor
Log slog.Logger Log slog.Logger
Request *http.Request
ResourceID uuid.UUID
ResourceTarget string
Action database.AuditAction Action database.AuditAction
ResourceType database.ResourceType ResourceType database.ResourceType
Actor uuid.UUID Actor uuid.UUID
@ -31,9 +37,9 @@ type Request[T Auditable] struct {
// that should be deferred, causing the audit log to be committed when the // that should be deferred, causing the audit log to be committed when the
// handler returns. // handler returns.
func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request[T], func()) { func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request[T], func()) {
sw, ok := w.(chimw.WrapResponseWriter) sw, ok := w.(*httpapi.StatusWriter)
if !ok { if !ok {
panic("dev error: http.ResponseWriter is not chimw.WrapResponseWriter") panic("dev error: http.ResponseWriter is not *httpapi.StatusWriter")
} }
req := &Request[T]{ req := &Request[T]{
@ -42,11 +48,54 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
return req, func() { return req, func() {
ctx := context.Background() ctx := context.Background()
code := sw.Status()
err := p.Audit.Export(ctx, database.AuditLog{StatusCode: int32(code)}) diff := Diff(p.Audit, req.Old, req.New)
diffRaw, _ := json.Marshal(diff)
ip, err := parseIP(p.Request.RemoteAddr)
if err != nil {
p.Log.Warn(ctx, "parse ip", slog.Error(err))
}
err = p.Audit.Export(ctx, database.AuditLog{
ID: uuid.New(),
Time: database.Now(),
UserID: p.Actor,
Ip: ip,
UserAgent: p.Request.UserAgent(),
ResourceType: p.ResourceType,
ResourceID: p.ResourceID,
ResourceTarget: p.ResourceTarget,
Action: p.Action,
Diff: diffRaw,
StatusCode: int32(sw.Status),
})
if err != nil { if err != nil {
p.Log.Error(ctx, "export audit log", slog.Error(err)) p.Log.Error(ctx, "export audit log", slog.Error(err))
} }
} }
} }
func parseIP(ipStr string) (pqtype.Inet, error) {
var err error
ipStr, _, err = net.SplitHostPort(ipStr)
if err != nil {
return pqtype.Inet{}, err
}
ip := net.ParseIP(ipStr)
ipNet := net.IPNet{}
if ip != nil {
ipNet = net.IPNet{
IP: ip,
Mask: net.CIDRMask(len(ip)*8, len(ip)*8),
}
}
return pqtype.Inet{
IPNet: ipNet,
Valid: ip != nil,
}, nil
}

8
coderd/database/time.go
View File

@ -4,5 +4,11 @@ import "time"
// Now returns a standardized timezone used for database resources. // Now returns a standardized timezone used for database resources.
func Now() time.Time { func Now() time.Time {
return time.Now().UTC() return Time(time.Now().UTC())
}
// Time returns a time compatible with Postgres. Postgres only stores dates with
// microsecond precision.
func Time(t time.Time) time.Time {
return t.Round(time.Microsecond)
} }

31
enterprise/audit/audit.go
View File

@ -3,6 +3,8 @@ package audit
import ( import (
"context" "context"
"golang.org/x/xerrors"
"github.com/coder/coder/coderd/audit" "github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
) )
@ -15,8 +17,10 @@ type Backend interface {
Export(ctx context.Context, alog database.AuditLog) error Export(ctx context.Context, alog database.AuditLog) error
} }
func NewAuditor() audit.Auditor { func NewAuditor(filter Filter, backends ...Backend) audit.Auditor {
return &auditor{ return &auditor{
filter: filter,
backends: backends,
Differ: audit.Differ{DiffFn: func(old, new any) audit.Map { Differ: audit.Differ{DiffFn: func(old, new any) audit.Map {
return diffValues(old, new, AuditableResources) return diffValues(old, new, AuditableResources)
}}, }},
@ -25,15 +29,30 @@ func NewAuditor() audit.Auditor {
// auditor is the enterprise implementation of the Auditor interface. // auditor is the enterprise implementation of the Auditor interface.
type auditor struct { type auditor struct {
//nolint:unused
filter Filter filter Filter
//nolint:unused
backends []Backend backends []Backend
audit.Differ audit.Differ
} }
//nolint:unused func (a *auditor) Export(ctx context.Context, alog database.AuditLog) error {
func (*auditor) Export(context.Context, database.AuditLog) error { decision, err := a.filter.Check(ctx, alog)
panic("not implemented") // TODO: Implement if err != nil {
return xerrors.Errorf("filter check: %w", err)
}
for _, backend := range a.backends {
if decision&backend.Decision() != backend.Decision() {
continue
}
err = backend.Export(ctx, alog)
if err != nil {
// naively return the first error. should probably make this smarter
// by returning multiple errors.
return xerrors.Errorf("export audit log to backend: %w", err)
}
}
return nil
} }

67
coderd/audit/exporter_test.go → enterprise/audit/audit_test.go
View File

@ -2,26 +2,25 @@ package audit_test
import ( import (
"context" "context"
"net"
"net/http"
"testing" "testing"
"time"
"github.com/google/uuid"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/tabbed/pqtype" "golang.org/x/xerrors"
"github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/enterprise/audit"
"github.com/coder/coder/enterprise/audit/audittest"
) )
func TestExporter(t *testing.T) { func TestAuditor(t *testing.T) {
t.Parallel() t.Parallel()
var tests = []struct { var tests = []struct {
name string name string
filterDecision audit.FilterDecision filterDecision audit.FilterDecision
filterError error
backendDecision audit.FilterDecision backendDecision audit.FilterDecision
backendError error
shouldExport bool shouldExport bool
}{ }{
{ {
@ -60,11 +59,22 @@ func TestExporter(t *testing.T) {
backendDecision: audit.FilterDecisionExport, backendDecision: audit.FilterDecisionExport,
shouldExport: true, shouldExport: true,
}, },
{
name: "FilterError",
filterError: xerrors.New("filter errored"),
backendDecision: audit.FilterDecisionExport,
shouldExport: false,
},
{
name: "BackendError",
backendError: xerrors.New("backend errored"),
shouldExport: false,
},
// When more filters are written they should have their own tests. // When more filters are written they should have their own tests.
{ {
name: "DefaultFilter", name: "DefaultFilter",
filterDecision: func() audit.FilterDecision { filterDecision: func() audit.FilterDecision {
decision, _ := audit.DefaultFilter.Check(context.Background(), randomAuditLog()) decision, _ := audit.DefaultFilter.Check(context.Background(), audittest.RandomLog())
return decision return decision
}(), }(),
backendDecision: audit.FilterDecisionExport, backendDecision: audit.FilterDecisionExport,
@ -78,45 +88,30 @@ func TestExporter(t *testing.T) {
t.Parallel() t.Parallel()
var ( var (
backend = &testBackend{decision: test.backendDecision} backend = &testBackend{decision: test.backendDecision, err: test.backendError}
exporter = audit.NewExporter( exporter = audit.NewAuditor(
audit.FilterFunc(func(_ context.Context, _ database.AuditLog) (audit.FilterDecision, error) { audit.FilterFunc(func(_ context.Context, _ database.AuditLog) (audit.FilterDecision, error) {
return test.filterDecision, nil return test.filterDecision, test.filterError
}), }),
backend, backend,
) )
) )
err := exporter.Export(context.Background(), randomAuditLog()) err := exporter.Export(context.Background(), audittest.RandomLog())
require.NoError(t, err) if test.filterError != nil {
require.ErrorIs(t, err, test.filterError)
} else if test.backendError != nil {
require.ErrorIs(t, err, test.backendError)
}
require.Equal(t, len(backend.alogs) > 0, test.shouldExport) require.Equal(t, len(backend.alogs) > 0, test.shouldExport)
}) })
} }
} }
func randomAuditLog() database.AuditLog {
_, inet, _ := net.ParseCIDR("127.0.0.1/32")
return database.AuditLog{
ID: uuid.New(),
Time: time.Now(),
UserID: uuid.New(),
OrganizationID: uuid.New(),
Ip: pqtype.Inet{
IPNet: *inet,
Valid: true,
},
UserAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
ResourceType: database.ResourceTypeOrganization,
ResourceID: uuid.New(),
ResourceTarget: "colin's organization",
Action: database.AuditActionDelete,
Diff: []byte{},
StatusCode: http.StatusNoContent,
}
}
type testBackend struct { type testBackend struct {
decision audit.FilterDecision decision audit.FilterDecision
err error
alogs []database.AuditLog alogs []database.AuditLog
} }
@ -126,6 +121,10 @@ func (t *testBackend) Decision() audit.FilterDecision {
} }
func (t *testBackend) Export(_ context.Context, alog database.AuditLog) error { func (t *testBackend) Export(_ context.Context, alog database.AuditLog) error {
if t.err != nil {
return t.err
}
t.alogs = append(t.alogs, alog) t.alogs = append(t.alogs, alog)
return nil return nil
} }

33
enterprise/audit/audittest/rand.go Normal file
View File

@ -0,0 +1,33 @@
package audittest
import (
"net"
"net/http"
"time"
"github.com/google/uuid"
"github.com/tabbed/pqtype"
"github.com/coder/coder/coderd/database"
)
func RandomLog() database.AuditLog {
_, inet, _ := net.ParseCIDR("127.0.0.1/32")
return database.AuditLog{
ID: uuid.New(),
Time: time.Now(),
UserID: uuid.New(),
OrganizationID: uuid.New(),
Ip: pqtype.Inet{
IPNet: *inet,
Valid: true,
},
UserAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
ResourceType: database.ResourceTypeOrganization,
ResourceID: uuid.New(),
ResourceTarget: "colin's organization",
Action: database.AuditActionDelete,
Diff: []byte("{}"),
StatusCode: http.StatusNoContent,
}
}

2
coderd/audit/backends/postgres.go → enterprise/audit/backends/postgres.go
View File

@ -5,8 +5,8 @@ import (
"golang.org/x/xerrors" "golang.org/x/xerrors"
"github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/enterprise/audit"
) )
type postgresBackend struct { type postgresBackend struct {

29
coderd/audit/backends/postgres_test.go → enterprise/audit/backends/postgres_test.go
View File

@ -2,18 +2,16 @@ package backends_test
import ( import (
"context" "context"
"net"
"net/http"
"testing" "testing"
"time" "time"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/tabbed/pqtype"
"github.com/coder/coder/coderd/audit/backends"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/database/databasefake" "github.com/coder/coder/coderd/database/databasefake"
"github.com/coder/coder/enterprise/audit/audittest"
"github.com/coder/coder/enterprise/audit/backends"
) )
func TestPostgresBackend(t *testing.T) { func TestPostgresBackend(t *testing.T) {
@ -25,7 +23,7 @@ func TestPostgresBackend(t *testing.T) {
ctx, cancel = context.WithCancel(context.Background()) ctx, cancel = context.WithCancel(context.Background())
db = databasefake.New() db = databasefake.New()
pgb = backends.NewPostgres(db, true) pgb = backends.NewPostgres(db, true)
alog = randomAuditLog() alog = audittest.RandomLog()
) )
defer cancel() defer cancel()
@ -42,24 +40,3 @@ func TestPostgresBackend(t *testing.T) {
require.Equal(t, alog, got[0]) require.Equal(t, alog, got[0])
}) })
} }
func randomAuditLog() database.AuditLog {
_, inet, _ := net.ParseCIDR("127.0.0.1/32")
return database.AuditLog{
ID: uuid.New(),
Time: time.Now(),
UserID: uuid.New(),
OrganizationID: uuid.New(),
Ip: pqtype.Inet{
IPNet: *inet,
Valid: true,
},
UserAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
ResourceType: database.ResourceTypeOrganization,
ResourceID: uuid.New(),
ResourceTarget: "colin's organization",
Action: database.AuditActionDelete,
Diff: []byte{},
StatusCode: http.StatusNoContent,
}
}

2
coderd/audit/backends/slog.go → enterprise/audit/backends/slog.go
View File

@ -6,8 +6,8 @@ import (
"github.com/fatih/structs" "github.com/fatih/structs"
"cdr.dev/slog" "cdr.dev/slog"
"github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/enterprise/audit"
) )
type slogBackend struct { type slogBackend struct {

5
coderd/audit/backends/slog_test.go → enterprise/audit/backends/slog_test.go
View File

@ -8,7 +8,8 @@ import (
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"cdr.dev/slog" "cdr.dev/slog"
"github.com/coder/coder/coderd/audit/backends" "github.com/coder/coder/enterprise/audit/audittest"
"github.com/coder/coder/enterprise/audit/backends"
) )
func TestSlogBackend(t *testing.T) { func TestSlogBackend(t *testing.T) {
@ -23,7 +24,7 @@ func TestSlogBackend(t *testing.T) {
logger = slog.Make(sink) logger = slog.Make(sink)
backend = backends.NewSlog(logger) backend = backends.NewSlog(logger)
alog = randomAuditLog() alog = audittest.RandomLog()
) )
defer cancel() defer cancel()

0
coderd/audit/generate.sh → enterprise/audit/generate.sh
View File