[code-1692] update repo settings audit log (#1231)

2025-05-31 11:43:15 +00:00 · 2024-04-19 09:43:51 +00:00 · 2024-04-19 09:43:51 +00:00 · d31dd11fcf
commit d31dd11fcf
parent aacc1b88cf
6 changed files with 45 additions and 12 deletions
--- a/app/api/controller/reposettings/controller.go
+++ b/app/api/controller/reposettings/controller.go
@ -22,25 +22,29 @@ import (
 	"github.com/harness/gitness/app/auth/authz"
 	"github.com/harness/gitness/app/services/settings"
 	"github.com/harness/gitness/app/store"
+	"github.com/harness/gitness/audit"
 	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 )

 type Controller struct {
-	authorizer authz.Authorizer
-	repoStore  store.RepoStore
-	settings   *settings.Service
+	authorizer   authz.Authorizer
+	repoStore    store.RepoStore
+	settings     *settings.Service
+	auditService audit.Service
 }

 func NewController(
 	authorizer authz.Authorizer,
 	repoStore store.RepoStore,
 	settings *settings.Service,
+	auditService audit.Service,
 ) *Controller {
 	return &Controller{
-		authorizer: authorizer,
-		repoStore:  repoStore,
-		settings:   settings,
+		authorizer:   authorizer,
+		repoStore:    repoStore,
+		settings:     settings,
+		auditService: auditService,
 	}
 }

--- a/app/api/controller/reposettings/security.go
+++ b/app/api/controller/reposettings/security.go
@ -22,7 +22,7 @@ import (

 // SecuritySettings represents the security related part of repository settings as exposed externally.
 type SecuritySettings struct {
-	SecretScanningEnabled *bool `json:"secret_scanning_enabled"`
+	SecretScanningEnabled *bool `json:"secret_scanning_enabled" yaml:"secret_scanning_enabled"`
 }

 func GetDefaultSecuritySettings() *SecuritySettings {
--- a/app/api/controller/reposettings/security_update.go
+++ b/app/api/controller/reposettings/security_update.go
@ -19,7 +19,11 @@ import (
 	"fmt"

 	"github.com/harness/gitness/app/auth"
+	"github.com/harness/gitness/app/paths"
+	"github.com/harness/gitness/audit"
 	"github.com/harness/gitness/types/enum"
+
+	"github.com/rs/zerolog/log"
 )

 // SecurityUpdate updates the security settings of the repo.
@ -34,6 +38,14 @@ func (c *Controller) SecurityUpdate(
 		return nil, err
 	}

+	// read old settings values
+	old := GetDefaultSecuritySettings()
+	oldMappings := GetSecuritySettingsMappings(old)
+	err = c.settings.RepoMap(ctx, repo.ID, oldMappings...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to map settings (old): %w", err)
+	}
+
 	err = c.settings.RepoSetMany(ctx, repo.ID, GetSecuritySettingsAsKeyValues(in)...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to set settings: %w", err)
@ -47,5 +59,17 @@ func (c *Controller) SecurityUpdate(
 		return nil, fmt.Errorf("failed to map settings: %w", err)
 	}

+	err = c.auditService.Log(ctx,
+		session.Principal,
+		audit.NewResource(audit.ResourceTypeRepositorySettings, repo.Identifier),
+		audit.ActionUpdated,
+		paths.Parent(repo.Path),
+		audit.WithOldObject(old),
+		audit.WithNewObject(out),
+	)
+	if err != nil {
+		log.Ctx(ctx).Warn().Msgf("failed to insert audit log for update repository settings operation: %s", err)
+	}
+
 	return out, nil
 }
--- a/app/api/controller/reposettings/wire.go
+++ b/app/api/controller/reposettings/wire.go
@ -18,6 +18,7 @@ import (
 	"github.com/harness/gitness/app/auth/authz"
 	"github.com/harness/gitness/app/services/settings"
 	"github.com/harness/gitness/app/store"
+	"github.com/harness/gitness/audit"

 	"github.com/google/wire"
 )
@ -31,6 +32,7 @@ func ProvideController(
 	authorizer authz.Authorizer,
 	repoStore store.RepoStore,
 	settings *settings.Service,
+	auditService audit.Service,
 ) *Controller {
-	return NewController(authorizer, repoStore, settings)
+	return NewController(authorizer, repoStore, settings, auditService)
 }
--- a/audit/audit.go
+++ b/audit/audit.go
@ -50,13 +50,16 @@ func (a Action) Validate() error {
 type ResourceType string

 const (
-	ResourceTypeRepository ResourceType = "repository"
-	ResourceTypeBranchRule ResourceType = "branch_rule"
+	ResourceTypeRepository         ResourceType = "repository"
+	ResourceTypeBranchRule         ResourceType = "branch_rule"
+	ResourceTypeRepositorySettings ResourceType = "repository_settings"
 )

 func (a ResourceType) Validate() error {
 	switch a {
-	case ResourceTypeRepository, ResourceTypeBranchRule:
+	case ResourceTypeRepository,
+		ResourceTypeBranchRule,
+		ResourceTypeRepositorySettings:
 		return nil
 	default:
 		return ErrResourceTypeUndefined
--- a/cmd/gitness/wire_gen.go
+++ b/cmd/gitness/wire_gen.go
@ -198,7 +198,7 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro
 	repoIdentifier := check.ProvideRepoIdentifierCheck()
 	repoCheck := repo.ProvideRepoCheck()
 	repoController := repo.ProvideController(config, transactor, provider, authorizer, repoStore, spaceStore, pipelineStore, principalStore, ruleStore, settingsService, principalInfoCache, protectionManager, gitInterface, repository, codeownersService, reporter, indexer, resourceLimiter, lockerLocker, auditService, mutexManager, repoIdentifier, repoCheck)
-	reposettingsController := reposettings.ProvideController(authorizer, repoStore, settingsService)
+	reposettingsController := reposettings.ProvideController(authorizer, repoStore, settingsService, auditService)
 	executionStore := database.ProvideExecutionStore(db)
 	checkStore := database.ProvideCheckStore(db, principalInfoCache)
 	stageStore := database.ProvideStageStore(db)