Add userid and appid tracking for audit

claceio · Dec 11, 2024 · 0dcd3ab · 0dcd3ab
1 parent a0fbd96
commit 0dcd3ab
Show file tree

Hide file tree

Showing 12 changed files with 107 additions and 49 deletions.
diff --git a/internal/app/action/action.go b/internal/app/action/action.go
@@ -201,16 +201,18 @@ func (a *Action) execAction(w http.ResponseWriter, r *http.Request, isSuggest, i
 		RequestId:  system.GetContextRequestId(r.Context()),
 		CreateTime: time.Now(),
 		UserId:     system.GetContextUserId(r.Context()),
+		AppId:      system.GetContextAppId(r.Context()),
 		EventType:  types.EventTypeAction,
 		Operation:  op,
 		Target:     a.name,
 		Status:     "Success",
 	}
 
 	customEvent := types.AuditEvent{
-		RequestId:  system.GetContextUserId(r.Context()),
+		RequestId:  system.GetContextRequestId(r.Context()),
 		CreateTime: time.Now(),
 		UserId:     system.GetContextUserId(r.Context()),
+		AppId:      system.GetContextAppId(r.Context()),
 		EventType:  types.EventTypeCustom,
 		Status:     "Success",
 	}
@@ -221,15 +223,12 @@ func (a *Action) execAction(w http.ResponseWriter, r *http.Request, isSuggest, i
 				a.Error().Err(err).Msg("error inserting audit event")
 			}
 
-			op := system.GetThreadLocalKey(thread, types.TL_AUDIT_OPERATION)
-			target := system.GetThreadLocalKey(thread, types.TL_AUDIT_TARGET)
-			detail := system.GetThreadLocalKey(thread, types.TL_AUDIT_DETAIL)
+			customEvent.Operation = system.GetThreadLocalKey(thread, types.TL_AUDIT_OPERATION)
+			customEvent.Target = system.GetThreadLocalKey(thread, types.TL_AUDIT_TARGET)
+			customEvent.Detail = system.GetThreadLocalKey(thread, types.TL_AUDIT_DETAIL)
 
-			if op != "" {
-				// Audit event was set, insert it
-				customEvent.Operation = op
-				customEvent.Target = target
-				customEvent.Detail = detail
+			if customEvent.Operation != "" {
+				// Audit event was set in handler, insert it
 				if err := a.auditInsert(&customEvent); err != nil {
 					a.Error().Err(err).Msg("error inserting custom audit event")
 				}

diff --git a/internal/app/apptype/builtins.go b/internal/app/apptype/builtins.go
@@ -368,13 +368,7 @@ func createAuditBuiltin(thread *starlark.Thread, _ *starlark.Builtin, args starl
 	thread.SetLocal(types.TL_AUDIT_OPERATION, operation.GoString())
 	thread.SetLocal(types.TL_AUDIT_TARGET, target.GoString())
 	thread.SetLocal(types.TL_AUDIT_DETAIL, detail.GoString())
-
-	fields := starlark.StringDict{
-		"operation": operation,
-		"target":    target,
-		"detail":    detail,
-	}
-	return starlarkstruct.FromStringDict(starlark.String(AUDIT), fields), nil
+	return starlark.None, nil
 }
 
 func createProxyBuiltin(_ *starlark.Thread, _ *starlark.Builtin, args starlark.Tuple, kwargs []starlark.Tuple) (starlark.Value, error) {

diff --git a/internal/app/handler.go b/internal/app/handler.go
@@ -129,6 +129,7 @@ func (a *App) createHandlerFunc(fullHtml, fragment string, handler starlark.Call
 				RequestId:  system.GetContextUserId(r.Context()),
 				CreateTime: time.Now(),
 				UserId:     system.GetContextUserId(r.Context()),
+				AppId:      system.GetContextAppId(r.Context()),
 				EventType:  types.EventTypeCustom,
 				Status:     "Success",
 			}

diff --git a/internal/server/app_apis.go b/internal/server/app_apis.go
@@ -454,14 +454,16 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 	// Create a new context with the user ID
 	s.Trace().Msgf("Authenticated user %s", userId)
 	ctx := context.WithValue(r.Context(), types.USER_ID, userId)
-	r = r.WithContext(ctx)
+	ctx = context.WithValue(ctx, types.APP_ID, string(app.Id))
 
-	contextShared := r.Context().Value(types.USER_ID_SHARED)
+	contextShared := ctx.Value(types.SHARED)
 	if contextShared != nil {
 		// allow audit middleware to access the user id
-		userIdShared := contextShared.(*ContextUser)
-		userIdShared.UserId = userId
+		cs := contextShared.(*ContextShared)
+		cs.UserId = userId
+		cs.AppId = string(app.Id)
 	}
+	r = r.WithContext(ctx)
 
 	// Authentication successful, serve the app
 	app.ServeHTTP(w, r)
@@ -593,7 +595,7 @@ func (s *Server) auditApp(ctx context.Context, tx types.Transaction, app *app.Ap
 	return auditResult, nil
 }
 
-func (s *Server) CompleteTransaction(ctx context.Context, tx types.Transaction, entries []types.AppPathDomain, dryRun bool) error {
+func (s *Server) CompleteTransaction(ctx context.Context, tx types.Transaction, entries []types.AppPathDomain, dryRun bool, op string) error {
 	if dryRun {
 		return nil
 	}
@@ -604,8 +606,11 @@ func (s *Server) CompleteTransaction(ctx context.Context, tx types.Transaction,
 
 	// Update the in memory cache
 	if entries != nil {
-		s.apps.DeleteApps(entries)
+		if err := s.apps.DeleteAppsAudit(ctx, entries, op); err != nil {
+			return err
+		}
 	}
+
 	return nil
 }
 

diff --git a/internal/server/app_updates.go b/internal/server/app_updates.go
@@ -165,7 +165,7 @@ func (s *Server) ReloadApps(ctx context.Context, appPathGlob string, approve, dr
 	}
 
 	// Commit the transaction if not dry run and update the in memory app store
-	if err := s.CompleteTransaction(ctx, tx, reloadResults, dryRun); err != nil {
+	if err := s.CompleteTransaction(ctx, tx, reloadResults, dryRun, "reload"); err != nil {
 		return nil, err
 	}
 
@@ -197,7 +197,7 @@ func (s *Server) loadAppCode(ctx context.Context, tx types.Transaction, appEntry
 	return nil
 }
 
-func (s *Server) StagedUpdate(ctx context.Context, appPathGlob string, dryRun, promote bool, handler stagedUpdateHandler, args map[string]any) (*types.AppStagedUpdateResponse, error) {
+func (s *Server) StagedUpdate(ctx context.Context, appPathGlob string, dryRun, promote bool, handler stagedUpdateHandler, args map[string]any, op string) (*types.AppStagedUpdateResponse, error) {
 	tx, err := s.db.BeginTransaction(ctx)
 	if err != nil {
 		return nil, err
@@ -215,7 +215,7 @@ func (s *Server) StagedUpdate(ctx context.Context, appPathGlob string, dryRun, p
 		PromoteResults:      promoteResults,
 	}
 
-	if err := s.CompleteTransaction(ctx, tx, entries, dryRun); err != nil {
+	if err := s.CompleteTransaction(ctx, tx, entries, dryRun, op); err != nil {
 		return nil, err
 	}
 
@@ -342,7 +342,7 @@ func (s *Server) PromoteApps(ctx context.Context, appPathGlob string, dryRun boo
 		result = append(result, appInfo.AppPathDomain)
 	}
 
-	if err = s.CompleteTransaction(ctx, tx, result, dryRun); err != nil {
+	if err = s.CompleteTransaction(ctx, tx, result, dryRun, "promote"); err != nil {
 		return nil, err
 	}
 
@@ -419,7 +419,7 @@ func (s *Server) UpdateAppSettings(ctx context.Context, appPathGlob string, dryR
 		return nil, err
 	}
 
-	s.apps.DeleteApps(results) // Delete instead of update to avoid having to initialize all the linked apps
+	s.apps.DeleteAppsAudit(ctx, results, "update-settings") // Delete instead of update to avoid having to initialize all the linked apps
 	// Apps will get reloaded on the next request
 	return ret, nil
 }

diff --git a/internal/server/apps.go b/internal/server/apps.go
@@ -4,11 +4,14 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/claceio/clace/internal/app"
+	"github.com/claceio/clace/internal/system"
 	"github.com/claceio/clace/internal/types"
 )
 
@@ -169,6 +172,54 @@ func (a *AppStore) DeleteApps(pathDomain []types.AppPathDomain) {
 	a.allDomains = nil
 }
 
+func (a *AppStore) DeleteAppsAudit(ctx context.Context, pathDomain []types.AppPathDomain, op string) error {
+	appInfo, error := a.GetAllApps()
+	if error != nil {
+		return error
+	}
+	appMap := getAppInfoMap(appInfo)
+
+	event := types.AuditEvent{
+		RequestId:  system.GetContextRequestId(ctx),
+		CreateTime: time.Now(),
+		UserId:     system.GetContextUserId(ctx),
+		EventType:  types.EventTypeSystem,
+		Operation:  op,
+		Status:     "Success",
+	}
+
+	for _, pd := range pathDomain {
+		appInfo, ok := appMap[pd.String()]
+		if !ok {
+			return fmt.Errorf("app not found: %s", pd)
+		}
+
+		event.Target = pd.String()
+		event.AppId = appInfo.Id
+
+		if err := a.server.InsertAuditEvent(&event); err != nil {
+			return err
+		}
+	}
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	for _, pd := range pathDomain {
+		a.clearApp(pd)
+	}
+	a.allApps = nil
+	a.allDomains = nil
+	return nil
+}
+
+func getAppInfoMap(appInfo []types.AppInfo) map[string]types.AppInfo {
+	ret := make(map[string]types.AppInfo)
+	for _, info := range appInfo {
+		ret[info.AppPathDomain.String()] = info
+	}
+	return ret
+}
+
 func (a *AppStore) UpdateApps(apps []*app.App) {
 	a.mu.Lock()
 	defer a.mu.Unlock()

diff --git a/internal/server/audit_middleware.go b/internal/server/audit_middleware.go
@@ -52,6 +52,13 @@ func (s *Server) insertAuditEvent(event *types.AuditEvent) error {
 	return err
 }
 
+func (s *Server) InsertAuditEvent(event *types.AuditEvent) error {
+	_, err := s.auditDB.Exec(`insert into audit (rid, app_id, create_time, user_id, event_type, operation, target, status, detail) `+
+		`values (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		event.RequestId, event.AppId, event.CreateTime, event.UserId, event.EventType, event.Operation, event.Target, event.Status, event.Detail)
+	return err
+}
+
 func (s *Server) cleanupEvents() error {
 	// TODO: Implement cleanup
 	return nil
@@ -74,8 +81,9 @@ func (s *Server) auditCleanup(cleanupTicker *time.Ticker) {
 	fmt.Fprintf(os.Stderr, "background audit cleanup stopped")
 }
 
-type ContextUser struct {
+type ContextShared struct {
 	UserId string
+	AppId  string
 }
 
 func (server *Server) handleStatus(next http.Handler) http.Handler {
@@ -88,12 +96,15 @@ func (server *Server) handleStatus(next http.Handler) http.Handler {
 			return
 		}
 
-		contextShared := ContextUser{}
+		contextShared := ContextShared{
+			UserId: types.ADMIN_USER,
+		}
 
 		rid := "rid_" + id.String()
 		ctx := r.Context()
 		ctx = context.WithValue(ctx, types.REQUEST_ID, rid)
-		ctx = context.WithValue(ctx, types.USER_ID_SHARED, &contextShared)
+		ctx = context.WithValue(ctx, types.USER_ID, types.ADMIN_USER)
+		ctx = context.WithValue(ctx, types.SHARED, &contextShared)
 		r = r.WithContext(ctx)
 
 		// Wrap the ResponseWriter
@@ -116,6 +127,7 @@ func (server *Server) handleStatus(next http.Handler) http.Handler {
 			RequestId:  rid,
 			CreateTime: time.Now(),
 			UserId:     contextShared.UserId,
+			AppId:      types.AppId(contextShared.AppId),
 			EventType:  types.EventTypeHTTP,
 			Operation:  r.Method,
 			Target:     r.Host + ":" + r.URL.Path,

diff --git a/internal/server/router.go b/internal/server/router.go
@@ -4,7 +4,6 @@
 package server
 
 import (
-	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/subtle"
@@ -199,11 +198,6 @@ func (h *Handler) callApp(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	// Add app id to the context
-	ctx := r.Context()
-	ctx = context.WithValue(ctx, types.APP_ID, serveApp.Id)
-	r = r.WithContext(ctx)
-
 	h.server.authenticateAndServeApp(w, r, serveApp)
 }
 
@@ -242,6 +236,7 @@ func (h *Handler) apiHandler(w http.ResponseWriter, r *http.Request, enableBasic
 		RequestId:  system.GetContextRequestId(r.Context()),
 		CreateTime: time.Now(),
 		UserId:     system.GetContextUserId(r.Context()),
+		AppId:      system.GetContextAppId(r.Context()),
 		EventType:  types.EventTypeSystem,
 		Operation:  operation,
 		Status:     "Success",
@@ -413,6 +408,7 @@ func (h *Handler) webhookHandler(w http.ResponseWriter, r *http.Request, webhook
 		RequestId:  system.GetContextRequestId(r.Context()),
 		CreateTime: time.Now(),
 		UserId:     system.GetContextUserId(r.Context()),
+		AppId:      system.GetContextAppId(r.Context()),
 		EventType:  types.EventTypeSystem,
 		Operation:  fmt.Sprintf("webhook_%s", webhookType),
 		Status:     "Success",
@@ -576,7 +572,7 @@ func (h *Handler) approveApps(r *http.Request) (any, error) {
 		return nil, types.CreateRequestError("appPathGlob is required", http.StatusBadRequest)
 	}
 
-	approveResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.auditHandler, map[string]any{})
+	approveResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.auditHandler, map[string]any{}, "approve")
 	return approveResult, err
 }
 
@@ -600,7 +596,7 @@ func (h *Handler) accountLink(r *http.Request) (any, error) {
 		"account": r.URL.Query().Get("account"),
 	}
 
-	linkResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.accountLinkHandler, args)
+	linkResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.accountLinkHandler, args, "account-link")
 	return linkResult, err
 }
 
@@ -624,7 +620,7 @@ func (h *Handler) updateParam(r *http.Request) (any, error) {
 		"paramValue": r.URL.Query().Get("paramValue"),
 	}
 
-	updateResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.updateParamHandler, args)
+	updateResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.updateParamHandler, args, "update-param")
 	return updateResult, err
 }
 
@@ -780,7 +776,7 @@ func (h *Handler) updateAppMetadata(r *http.Request) (any, error) {
 		"metadata": updateAppRequest,
 	}
 
-	updateResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.updateMetadataHandler, args)
+	updateResult, err := h.server.StagedUpdate(r.Context(), appPathGlob, dryRun, promote, h.server.updateMetadataHandler, args, "update-metadata")
 	return updateResult, err
 
 }

diff --git a/internal/server/version_apis.go b/internal/server/version_apis.go
@@ -187,6 +187,6 @@ func (s *Server) VersionSwitch(ctx context.Context, mainAppPath string, dryRun b
 		return nil, err
 	}
 
-	s.apps.DeleteApps([]types.AppPathDomain{appPathDomain})
+	s.apps.DeleteAppsAudit(ctx, []types.AppPathDomain{appPathDomain}, "version-switch")
 	return ret, nil
 }
diff --git a/internal/server/webhook_apis.go b/internal/server/webhook_apis.go
@@ -122,7 +122,7 @@ func (s *Server) TokenCreate(ctx context.Context, appPath string, webhookType ty
 		return nil, err
 	}
 
-	if err = s.CompleteTransaction(ctx, tx, []types.AppPathDomain{appPathDomain}, dryRun); err != nil {
+	if err = s.CompleteTransaction(ctx, tx, []types.AppPathDomain{appPathDomain}, dryRun, "webhook-create"); err != nil {
 		return nil, err
 	}
 
@@ -170,7 +170,7 @@ func (s *Server) TokenDelete(ctx context.Context, appPath string, webhookType ty
 		return nil, err
 	}
 
-	if err = s.CompleteTransaction(ctx, tx, []types.AppPathDomain{appPathDomain}, dryRun); err != nil {
+	if err = s.CompleteTransaction(ctx, tx, []types.AppPathDomain{appPathDomain}, dryRun, "webhook-delete"); err != nil {
 		return nil, err
 	}
 

diff --git a/internal/system/thread_local.go b/internal/system/thread_local.go
@@ -57,6 +57,6 @@ func GetContextRequestId(ctx context.Context) string {
 	return GetContextValue(ctx, types.REQUEST_ID)
 }
 
-func GetContextAppId(ctx context.Context) string {
-	return GetContextValue(ctx, types.APP_ID)
+func GetContextAppId(ctx context.Context) types.AppId {
+	return types.AppId(GetContextValue(ctx, types.APP_ID))
 }
diff --git a/internal/types/types.go b/internal/types/types.go
@@ -30,10 +30,10 @@ const (
 type ContextKey string
 
 const (
-	USER_ID        ContextKey = "user_id"
-	USER_ID_SHARED ContextKey = "user_id_shared"
-	REQUEST_ID     ContextKey = "request_id"
-	APP_ID         ContextKey = "app_id"
+	USER_ID    ContextKey = "user_id"
+	SHARED     ContextKey = "shared"
+	REQUEST_ID ContextKey = "request_id"
+	APP_ID     ContextKey = "app_id"
 )
 
 const (