8000 feat: add support for workspace app audit by mafredri · Pull Request #16801 · coder/coder · GitHub
[go: up one dir, main page]

Skip to content

feat: add support for workspace app audit #16801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 40 commits into from
Mar 18, 2025
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
d235001
add migrations
mafredri Mar 3, 2025
b18740c
add queries
mafredri Mar 3, 2025
4dfb4fb
make gen
mafredri Mar 3, 2025
7d7922c
add user-agent support to background audit
mafredri Mar 4, 2025
19ca904
add done func support for tracing response writer
mafredri Mar 4, 2025
30bb732
wip auditor
mafredri Mar 3, 2025
94ddbbe
linttt
mafredri Mar 4, 2025
bef7614
dbmem impl
mafredri Mar 4, 2025
d13d3c0
resolve request with middleware
mafredri Mar 4, 2025
9a3a4c8
refactor tracing status writer done func
mafredri Mar 5, 2025
1f4e95b
fix audit mock check
mafredri Mar 5, 2025
bda2d12
mimic http response writer default status 200
mafredri Mar 5, 2025
93784b9
8000 update db tests
mafredri Mar 5, 2025
e38ba0f
dbauthz
mafredri Mar 5, 2025
5f0c141
add app audit session timeout to dbtokenprovider
mafredri Mar 5, 2025
ae06fe4
remove log spam
mafredri Mar 5, 2025
cf1180e
verify audit log
mafredri Mar 5, 2025
623ad6f
add specific test for audit
mafredri Mar 5, 2025
c91024e
cleanup request context hack
mafredri Mar 5, 2025
9608da1
nonlint
mafredri Mar 5, 2025
5bb42c2
add slug or port to support separation of terminal and ports
mafredri Mar 6, 2025
14a1740
make gen
mafredri Mar 6, 2025
4426bcf
improve and reduce boilerplate in tests
mafredri Mar 6, 2025
2c1536e
fixup! add slug or port to support separation of terminal and ports
mafredri Mar 6, 2025
c070d74
move RandomIPv6 to testutil
mafredri Mar 10, 2025
8a61541
commit audit in Issue, revert tracing status writer changes
mafredri Mar 10, 2025
7279b9a
return if tx failed
mafredri Mar 10, 2025
4ff41d4
add fields to audit logger
mafredri Mar 10, 2025
c723b95
comment on WorkspaceAppAuditSessionTimeout use-case
mafredri Mar 17, 2025
217a0d3
update migrations, add status and ua, unique entries
mafredri Mar 17, 2025
336c7b8
rewrite queries, single upsert
mafredri Mar 17, 2025
8d7a763
make gen for db
mafredri Mar 17, 2025
0f162b1
simplify auditInitRequest in workspaceapps
mafredri Mar 17, 2025
22ea58c
update tests
mafredri Mar 17, 2025
119cf03
fix fixtures
mafredri Mar 17, 2025
16ae577
fix dbauthz
mafredri Mar 17, 2025
9003ae0
Merge branch 'main' into mafredri/app-audit
mafredri Mar 17, 2025
c1ae295
fix ip nullability
mafredri Mar 17, 2025
1ee8441
add exception for redirect in audit log
mafredri Mar 17, 2025
5b3b122
unused arg
mafredri Mar 17, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix ip nullability
  • Loading branch information
mafredri committed Mar 17, 2025
commit c1ae295df84e06fa568a6b015a506963344e8c78
1 change: 1 addition & 0 deletions coderd/database/dbauthz/dbauthz_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4075,6 +4075,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
AgentID: agent.ID,
AppID: app.ID,
UserID: u.ID,
Ip: "127.0.0.1",
}).Asserts(rbac.ResourceSystem, policy.ActionUpdate)
}))
s.Run("InsertWorkspaceAgentScriptTimings", s.Subtest(func(db database.Store, check *expects) {
Expand Down
2 changes: 1 addition & 1 deletion coderd/database/dbmem/dbmem.go
Original file line number Diff line number Diff line change
Expand Up @@ -12265,7 +12265,7 @@
return psl, nil
}

func (q *FakeQuerier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {

Check failure on line 12268 in coderd/database/dbmem/dbmem.go

View workflow job for this annotation

GitHub Actions / lint

unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
err := validateDatabaseType(arg)
if err != nil {
return time.Time{}, err
Expand All @@ -12284,7 +12284,7 @@
if s.UserID != arg.UserID {
continue
}
if s.Ip.IPNet.String() != arg.Ip.IPNet.String() {
if s.Ip != arg.Ip {
continue
}
if s.UserAgent != arg.UserAgent {
Expand Down
2 changes: 1 addition & 1 deletion coderd/database/dump.sql

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ CREATE UNLOGGED TABLE workspace_app_audit_sessions (
agent_id UUID NOT NULL,
app_id UUID NOT NULL, -- Can be NULL, but must be uuid.Nil.
user_id UUID NOT NULL, -- Can be NULL, but must be uuid.Nil.
ip inet NOT NULL,
ip TEXT NOT NULL,
user_agent TEXT NOT NULL,
slug_or_port TEXT NOT NULL,
status_code int4 NOT NULL,
Expand Down
2 changes: 1 addition & 1 deletion coderd/database/models.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 10 additions & 10 deletions coderd/database/queries.sql.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 4 additions & 6 deletions coderd/workspaceapps/db.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ import (

"github.com/go-jose/go-jose/v4/jwt"
"github.com/google/uuid"
"github.com/sqlc-dev/pqtype"
"golang.org/x/xerrors"

"cdr.dev/slog"
Expand Down Expand Up @@ -367,7 +366,6 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj

type auditRequest struct {
time time.Time
ip pqtype.Inet
apiKey *database.APIKey
dbReq *databaseRequest
}
Expand All @@ -389,7 +387,6 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW

aReq = &auditRequest{
time: dbtime.Now(),
ip: audit.ParseIP(r.RemoteAddr),
}

// Set the commit function on the status writer to create an audit
Expand All @@ -412,6 +409,7 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
userID = aReq.apiKey.UserID
}
userAgent := r.UserAgent()
ip := r.RemoteAddr

// Approximation of the status code.
statusCode := sw.Status
Expand Down Expand Up @@ -462,7 +460,7 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
AgentID: aReq.dbReq.Agent.ID,
AppID: aReq.dbReq.App.ID, // Can be unset, in which case uuid.Nil is fine.
UserID: userID, // Can be unset, in which case uuid.Nil is fine.
Ip: aReq.ip,
Ip: ip,
UserAgent: userAgent,
SlugOrPort: appInfo.SlugOrPort,
StatusCode: int32(statusCode),
Expand Down Expand Up @@ -512,7 +510,7 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
RequestID: requestID,
Time: aReq.time,
Status: statusCode,
IP: aReq.ip.IPNet.IP.String(),
IP: ip,
UserAgent: userAgent,
New: aReq.dbReq.App,
AdditionalFields: appInfoBytes,
Expand All @@ -529,7 +527,7 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
RequestID: requestID,
Time: aReq.time,
Status: statusCode,
IP: aReq.ip.IPNet.IP.String(),
IP: ip,
UserAgent: userAgent,
New: aReq.dbReq.Agent,
AdditionalFields: appInfoBytes,
Expand Down
Loading
0