use audit.BackgroundAudit

McKayla Washburn
2025-03-13 16:56:19 +00:00
parent a39a886f92
commit fcc68a4cff
3 changed files with 20 additions and 15 deletions


@ -1756,7 +1756,7 @@ func (api *API) oauthLogin(rw http.ResponseWriter, r *http.Request, params *oaut
LoginType: params.LoginType,
accountCreatorName: "oauth",
RBACRoles: rbacRoles,
}, rw, r)
}, r)
if err != nil {
return xerrors.Errorf("create user: %w", err)
}


@ -202,7 +202,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
LoginType: database.LoginTypePassword,
RBACRoles: []string{rbac.RoleOwner().String()},
accountCreatorName: "coder",
}, rw, r)
}, r)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error creating user.",
@ -485,7 +485,7 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
CreateUserRequestWithOrgs: req,
LoginType: loginType,
accountCreatorName: accountCreator.Name,
}, rw, r)
}, r)
if dbauthz.IsNotAuthorizedError(err) {
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
@ -1364,7 +1364,7 @@ type CreateUserRequest struct {
RBACRoles []string
}
func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest, rw http.ResponseWriter, r *http.Request) (database.User, error) {
func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest, r *http.Request) (database.User, error) {
// Ensure the username is valid. It's the caller's responsibility to ensure
// the username is valid and unique.
if usernameValid := codersdk.NameValid(req.Username); usernameValid != nil {
@ -1379,6 +1379,7 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
}
var user database.User
var memberships []database.AuditableOrganizationMember
err := store.InTx(func(tx database.Store) error {
status := ""
if req.UserStatus != nil {
@ -1427,16 +1428,7 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
}
for _, orgID := range req.OrganizationIDs {
aReq, commitAudit := audit.InitRequest[database.AuditableOrganizationMember](rw, &audit.RequestParams{
OrganizationID: orgID,
Audit: *api.Auditor.Load(),
Log: api.Logger,
Request: r,
Action: database.AuditActionCreate,
})
aReq.Old = database.AuditableOrganizationMember{}
defer commitAudit()
_, err = tx.InsertOrganizationMember(ctx, database.InsertOrganizationMemberParams{
member, err := tx.InsertOrganizationMember(ctx, database.InsertOrganizationMemberParams{
OrganizationID: orgID,
UserID: user.ID,
CreatedAt: dbtime.Now(),
@ -1446,6 +1438,7 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
if err != nil {
return xerrors.Errorf("create organization member for %q: %w", orgID.String(), err)
}
memberships = append(memberships, member.Auditable(user.Username))
}
return nil
@ -1454,6 +1447,18 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
return user, err
}
for _, member := range memberships {
audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.AuditableOrganizationMember]{
Audit: *api.Auditor.Load(),
Log: api.Logger,
Action: database.AuditActionCreate,
IP: r.RemoteAddr,
OrganizationID: member.OrganizationID,
UserID: member.UserID,
New: member,
})
}
userAdmins, err := findUserAdmins(ctx, store)
if err != nil {
return user, xerrors.Errorf("find user admins: %w", err)
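Review bot: In the audit loop added after the transaction, `UserID: member.UserID` records the newly created member as the user on the audit entry; if that field denotes the actor, a membership created through postUser would be attributed to the new account rather than to the administrator who sent the request, which the removed request-based `audit.InitRequest` call presumably resolved from `r`. Consider passing the authenticated caller's ID when the request carries one and falling back to `member.UserID` only for flows with no authenticated caller. `IP: r.RemoteAddr` is also worth confirming: Go's default `RemoteAddr` is `host:port` and, behind a proxy, the proxy's address, so unless earlier middleware has normalised it the stored IP may be empty or wrong. A comment above the loop such as `// Audit only after the tx commits; failed inserts no longer produce a membership audit entry.` would make the behaviour change explicit for whoever reads these logs during an investigation. CreateUser's body starts before and continues past the hunks shown here.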


@ -319,7 +319,7 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
LoginType: database.LoginTypeOIDC,
// Do not send notifications to user admins as SCIM endpoint might be called sequentially to all users.
SkipNotifications: true,
}, rw, r)
}, r)
if err != nil {
_ = handlerutil.WriteError(rw, scim.NewHTTPError(http.StatusInternalServerError, "internalError", xerrors.Errorf("failed to create user: %w", err)))
return