8000 feat: add support for workspace app audit by mafredri · Pull Request #16801 · coder/coder · GitHub
[go: up one dir, main page]

Skip to content

feat: add support for workspace app audit #16801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 40 commits into from
Mar 18, 2025
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
ae06fe4
remove log spam
mafredri Mar 5, 2025
cf1180e
verify audit log
mafredri Mar 5, 2025
623ad6f
add specific test for audit
mafredri Mar 5, 2025
c91024e
cleanup request context hack
mafredri Mar 5, 2025
9608da1
nonlint
mafredri Mar 5, 2025
5bb42c2
add slug or port to support separation of terminal and ports
mafredri Mar 6, 2025
14a1740
make gen
mafredri Mar 6, 2025
4426bcf
improve and reduce boilerplate in tests
mafredri Mar 6, 2025
2c1536e
fixup! add slug or port to support separation of terminal and ports
mafredri Mar 6, 2025
c070d74
move RandomIPv6 to testutil
mafredri Mar 10, 2025
8a61541
commit audit in Issue, revert tracing status writer changes
mafredri Mar 10, 2025
7279b9a
return if tx failed
mafredri Mar 10, 2025
4ff41d4
add fields to audit logger
mafredri Mar 10, 2025
c723b95
comment on WorkspaceAppAuditSessionTimeout use-case
mafredri Mar 17, 2025
217a0d3
update migrations, add status and ua, unique entries
mafredri Mar 17, 2025
336c7b8
rewrite queries, single upsert
mafredri Mar 17, 2025
8d7a763
make gen for db
mafredri Mar 17, 2025
0f162b1
simplify auditInitRequest in workspaceapps
mafredri Mar 17, 2025
22ea58c
update tests
mafredri Mar 17, 2025
119cf03
fix fixtures
mafredri Mar 17, 2025
16ae577
fix dbauthz
mafredri Mar 17, 2025
9003ae0
Merge branch 'main' into mafredri/app-audit
mafredri Mar 17, 2025
c1ae295
fix ip nullability
mafredri Mar 17, 2025
1ee8441
add exception for redirect in audit log
mafredri Mar 17, 2025
5b3b122
unused arg
mafredri Mar 17, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
wip auditor
  • Loading branch information
mafredri committed Mar 6, 2025
commit 30bb732c860bb9df3a06a51a94ff00f9eea2a73d
6 changes: 3 additions & 3 deletions coderd/audit/request.go
Original file line number Diff line number Diff line change
Expand Up @@ -423,7 +423,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
action = req.Action
}

ip := parseIP(p.Request.RemoteAddr)
ip := ParseIP(p.Request.RemoteAddr)
auditLog := database.AuditLog{
ID: uuid.New(),
Time: dbtime.Now(),
Expand Down Expand Up @@ -454,7 +454,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
// BackgroundAudit creates an audit log for a background event.
// The audit log is committed upon invocation.
func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[T]) {
ip := parseIP(p.IP)
ip := ParseIP(p.IP)

diff := Diff(p.Audit, p.Old, p.New)
var err error
Expand Down Expand Up @@ -567,7 +567,7 @@ func either[T Auditable, R any](old, new T, fn func(T) R, auditAction database.A
panic("both old and new are nil")
}

func parseIP(ipStr string) pqtype.Inet {
func ParseIP(ipStr string) pqtype.Inet {
ip := net.ParseIP(ipStr)
ipNet := net.IPNet{}
if ip != nil {
Expand Down
21 changes: 11 additions & 10 deletions coderd/coderd.go
Original file line number Diff line number Diff line change
Expand Up @@ -534,16 +534,6 @@ func New(options *Options) *API {
Authorizer: options.Authorizer,
Logger: options.Logger,
},
WorkspaceAppsProvider: workspaceapps.NewDBTokenProvider(
options.Logger.Named("workspaceapps"),
options.AccessURL,
options.Authorizer,
options.Database,
options.DeploymentValues,
oauthConfigs,
options.AgentInactiveDisconnectTimeout,
options.AppSigningKeyCache,
),
metricsCache: metricsCache,
Auditor: atomic.Pointer[audit.Auditor]{},
TailnetCoordinator: atomic.Pointer[tailnet.Coordinator]{},
Expand All @@ -561,6 +551,17 @@ func New(options *Options) *API {
),
dbRolluper: options.DatabaseRolluper,
}
api.WorkspaceAppsProvider = workspaceapps.NewDBTokenProvider(
options.Logger.Named("workspaceapps"),
options.AccessURL,
options.Authorizer,
&api.Auditor,
options.Database,
options.DeploymentValues,
oauthConfigs,
options.AgentInactiveDisconnectTimeout,
options.AppSigningKeyCache,
)

f := appearance.NewDefaultFetcher(api.DeploymentValues.DocsURL.String())
api.AppearanceFetcher.Store(&f)
Expand Down
199 changes: 197 additions & 2 deletions coderd/workspaceapps/db.go
F438
Original file line number Diff line number Diff line change
Expand Up @@ -3,27 +3,33 @@ package workspaceapps
import (
"context"
"database/sql"
"encoding/json"
"fmt"
"net/http"
"net/url"
"path"
"slices"
"strings"
"sync/atomic"
"time"

"golang.org/x/xerrors"

"github.com/go-jose/go-jose/v4/jwt"
"github.com/google/uuid"
"github.com/sqlc-dev/pqtype"
"golang.org/x/xerrors"

"cdr.dev/slog"
"github.com/coder/coder/v2/coderd/audit"
"github.com/coder/coder/v2/coderd/cryptokeys"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
"github.com/coder/coder/v2/coderd/database/dbtime"
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/jwtutils"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/tracing"
"github.com/coder/coder/v2/codersdk"
)

Expand All @@ -35,6 +41,7 @@ type DBTokenProvider struct {
// DashboardURL is the main dashboard access URL for error pages.
DashboardURL *url.URL
Authorizer rbac.Authorizer
Auditor *atomic.Pointer[audit.Auditor]
Database database.Store
DeploymentValues *codersdk.DeploymentValues
OAuth2Configs *httpmw.OAuth2Configs
Expand All @@ -47,6 +54,7 @@ var _ SignedTokenProvider = &DBTokenProvider{}
func NewDBTokenProvider(log slog.Logger,
accessURL *url.URL,
authz rbac.Authorizer,
auditor *atomic.Pointer[audit.Auditor],
db database.Store,
cfg *codersdk.DeploymentValues,
oauth2Cfgs *httpmw.OAuth2Configs,
Expand All @@ -61,6 +69,7 @@ func NewDBTokenProvider(log slog.Logger,
Logger: log,
DashboardURL: accessURL,
Authorizer: authz,
Auditor: auditor,
Database: db,
DeploymentValues: cfg,
OAuth2Configs: oauth2Cfgs,
Expand All @@ -81,6 +90,8 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
// // permissions.
dangerousSystemCtx := dbauthz.AsSystemRestricted(ctx)

aReq := p.auditInitAutocommitRequest(ctx, rw, r)

appReq := issueReq.AppRequest.Normalize()
err := appReq.Check()
if err != nil {
Expand Down Expand Up @@ -111,6 +122,8 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
return nil, "", false
}

aReq.apiKey = apiKey // Update audit request.

// Lookup workspace app details from DB.
dbReq, err := appReq.getDatabase(dangerousSystemCtx, p.Database)
if xerrors.Is(err, sql.ErrNoRows) {
Expand All @@ -123,6 +136,9 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "get app details from database")
return nil, "", false
}

aReq.dbReq = dbReq // Update audit request.

token.UserID = dbReq.User.ID
token.WorkspaceID = dbReq.Workspace.ID
token.AgentID = dbReq.Agent.ID
Expand All @@ -133,6 +149,7 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
// Verify the user has access to the app.
authed, warnings, err := p.authorizeRequest(r.Context(), authz, dbReq)
if err != nil {
// TODO(mafredri): Audit?
WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "verify authz")
return nil, "", false
}
Expand Down Expand Up @@ -341,3 +358,181 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
// No checks were successful.
return false, warnings, nil
}

type auditRequest struct {
time time.Time
ip pqtype.Inet
apiKey *database.APIKey
dbReq *databaseRequest
}

// auditInitAutocommitRequest creates a new audit session and audit log for the
// given request, if one does not already exist. If an audit session already
// exists, it will be updated with the current timestamp. A session is used to
// reduce the number of audit logs created.
//
// A session is unique to the agent, app, user and users IP. If any of these
// values change, a new session and audit log is created.
func (p *DBTokenProvider) auditInitAutocommitRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) (aReq *auditRequest) {
// Get the status writer from the request context so we can figure
// out the HTTP status and autocommit the audit log.
sw, ok := w.(*tracing.StatusWriter)
if !ok {
panic("dev error: http.ResponseWriter is not *tracing.StatusWriter")
}

aReq = &auditRequest{
time: dbtime.Now(),
ip: audit.ParseIP(r.RemoteAddr),
}

// Set the commit function on the status writer to create an audit
// log, this ensures that the status and response body are available.
sw.Done = append(sw.Done, func() {
p.Logger.Info(ctx, "workspace app audit session", slog.F("status", sw.Status), slog.F("body", string(sw.ResponseBody())), slog.F("api_key", aReq.apiKey), slog.F("db_req", aReq.dbReq))

if sw.Status == http.StatusSeeOther {
// Redirects aren't interesting as we will capture the audit
// log after the redirect.
//
// There's a case where we call httpmw.RedirectToLogin for
// path-based apps the user doesn't have access to, in which
// case the dashboard login redirect is used and we end up
// not hitting the workspaceapps API again due to dashboard
// showing 404. (Bug?)
return
}

if aReq.dbReq == nil {
// App doesn't exist, there's information in the Request
// struct but we need UUIDs for audit logging.
return
}

type additionalFields struct {
audit.AdditionalFields
App string `json:"app"`
}
appInfo := additionalFields{
AdditionalFields: audit.AdditionalFields{
WorkspaceOwner: aReq.dbReq.Workspace.OwnerUsername,
WorkspaceName: aReq.dbReq.Workspace.Name,
WorkspaceID: aReq.dbReq.Workspace.ID,
},
App: aReq.dbReq.AppSlugOrPort,
}

appInfoBytes, err := json.Marshal(appInfo)
if err != nil {
p.Logger.Error(ctx, "marshal additional fields failed", slog.Error(err))
}

userID := uuid.NullUUID{}
if aReq.apiKey != nil {
userID = uuid.NullUUID{Valid: true, UUID: aReq.apiKey.UserID}
}

var (
updatedIDs []uuid.UUID
sessionID = uuid.Nil
)
err = p.Database.InTx(func(tx database.Store) error {
// nolint:gocritic // System context is needed to write audit sessions.
dangerousSystemCtx := dbauthz.AsSystemRestricted(ctx)

updatedIDs, err = tx.UpdateWorkspaceAppAuditSession(dangerousSystemCtx, database.UpdateWorkspaceAppAuditSessionParams{
AgentID: aReq.dbReq.Agent.ID,
AppID: uuid.NullUUID{Valid: aReq.dbReq.App.ID != uuid.Nil, UUID: aReq.dbReq.App.ID},
UserID: userID,
Ip: aReq.ip,
UpdatedAt: aReq.time,
StaleIntervalMS: (2 * time.Hour).Milliseconds(),
})
if err != nil {
return xerrors.Errorf("update workspace app audit session: %w", err)
}
if len(updatedIDs) > 0 {
// Session is valid and got updated, no need to create a new audit log.
return nil
}

sessionID, err = tx.InsertWorkspaceAppAuditSession(dangerousSystemCtx, database.InsertWorkspaceAppAuditSessionParams{
AgentID: aReq.dbReq.Agent.ID,
AppID: uuid.NullUUID{Valid: aReq.dbReq.App.ID != uuid.Nil, UUID: aReq.dbReq.App.ID},
UserID: userID,
Ip: aReq.ip,
StartedAt: aReq.time,
UpdatedAt: aReq.time,
})
if err != nil {
return xerrors.Errorf("insert workspace app audit session: %w", err)
}

return nil
}, nil)
if err != nil {
p.Logger.Error(ctx, "update workspace app audit session failed", slog.Error(err))
}

p.Logger.Info(ctx, "workspace app audit session", slog.F("session_id", sessionID), slog.F("status", sw.Status), slog.F("body", string(sw.ResponseBody())))

if sessionID == uuid.Nil {
if sw.Status < 400 {
// Session was updated and no error occurred, no need to
// create a new audit log.
return
}
if len(updatedIDs) > 0 {
// Session was updated but an error occurred, we need to
// create a new audit log.
sessionID = updatedIDs[0]
} else {
// This shouldn't happen, but fall-back to request so it
// can be correlated to _something_.
sessionID = httpmw.RequestID(r)
}
}

// We use the background audit function instead of init request
// here because we don't know the resource type ahead of time.
// This also allows us to log unauthenticated access.
auditor := *p.Auditor.Load()
switch {
case aReq.dbReq.App.ID != uuid.Nil:
audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.WorkspaceApp]{
Audit: auditor,
Log: p.Logger,

Action: database.AuditActionOpen,
OrganizationID: aReq.dbReq.Workspace.OrganizationID,
UserID: userID.UUID,
RequestID: sessionID,
Time: aReq.time,
Status: sw.Status,
IP: aReq.ip.IPNet.IP.String(),
UserAgent: r.UserAgent(),
New: aReq.dbReq.App,
AdditionalFields: appInfoBytes,
})
default:
// Web terminal, port app, etc.
audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.WorkspaceAgent]{
Audit: auditor,
Log: p.Logger,

Action: database.AuditActionOpen,
OrganizationID: aReq.dbReq.Workspace.OrganizationID,
UserID: userID.UUID,
RequestID: sessionID,
Time: aReq.time,
Status: sw.Status,
IP: aReq.ip.IPNet.IP.String(),
UserAgent: r.UserAgent(),
New: aReq.dbReq.Agent,
AdditionalFields: appInfoBytes,
})
}
})

return aReq
}
9 changes: 7 additions & 2 deletions coderd/workspaceapps/request.go
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,8 @@ type databaseRequest struct {
Workspace database.Workspace
// Agent is the agent that the app is running on.
Agent database.WorkspaceAgent
// App is the app that the user is trying to access.
App database.WorkspaceApp

// AppURL is the resolved URL to the workspace app. This is only set for non
// terminal requests.
Expand Down Expand Up @@ -288,6 +290,7 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
// in the workspace or not.
var (
agentNameOrID = r.AgentNameOrID
app database.WorkspaceApp
appURL string
appSharingLevel database.AppSharingLevel
// First check if it's a port-based URL with an optional "s" suffix for HTTPS.
Expand Down Expand Up @@ -353,8 +356,9 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
appSharingLevel = ps.ShareLevel
}
} else {
for _, app := range apps {
if app.Slug == r.AppSlugOrPort {
for _, a := range apps {
if a.Slug == r.AppSlugOrPort {
app = a
if !app.Url.Valid {
return nil, xerrors.Errorf("app URL is not valid")
}
Expand Down Expand Up @@ -410,6 +414,7 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
User: user,
Workspace: workspace,
Agent: agent,
App: app,
AppURL: appURLParsed,
AppSharingLevel: appSharingLevel,
}, nil
Expand Down
0