From d31dd11fcf597945cb6b09087592af1cbd85a3ea Mon Sep 17 00:00:00 2001
From: Enver Bisevac
Date: Fri, 19 Apr 2024 09:43:51 +0000
Subject: [PATCH] [code-1692] update repo settings audit log (#1231)
---
 app/api/controller/reposettings/controller.go | 16 ++++++++-----
 app/api/controller/reposettings/security.go | 2 +-
 .../reposettings/security_update.go | 24 +++++++++++++++++++
 app/api/controller/reposettings/wire.go | 4 +++-
 audit/audit.go | 9 ++++---
 cmd/gitness/wire_gen.go | 2 +-
 6 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/app/api/controller/reposettings/controller.go b/app/api/controller/reposettings/controller.go
index c98e99f43..2c9e2c37b 100644
--- a/app/api/controller/reposettings/controller.go
+++ b/app/api/controller/reposettings/controller.go
@@ -22,25 +22,29 @@ import (
 "github.com/harness/gitness/app/auth/authz"
 "github.com/harness/gitness/app/services/settings"
 "github.com/harness/gitness/app/store"
+ "github.com/harness/gitness/audit"
 "github.com/harness/gitness/types"
 "github.com/harness/gitness/types/enum"
 )

 type Controller struct {
- authorizer authz.Authorizer
- repoStore store.RepoStore
- settings *settings.Service
+ authorizer authz.Authorizer
+ repoStore store.RepoStore
+ settings *settings.Service
+ auditService audit.Service
 }

 func NewController(
 authorizer authz.Authorizer,
 repoStore store.RepoStore,
 settings *settings.Service,
+ auditService audit.Service,
 ) *Controller {
 return &Controller{
- authorizer: authorizer,
- repoStore: repoStore,
- settings: settings,
+ authorizer: authorizer,
+ repoStore: repoStore,
+ settings: settings,
+ auditService: auditService,
 }
 }

diff --git a/app/api/controller/reposettings/security.go b/app/api/controller/reposettings/security.go
index 1b50104b2..874be0cca 100644
--- a/app/api/controller/reposettings/security.go
+++ b/app/api/controller/reposettings/security.go
@@ -22,7 +22,7 @@ import (

 // SecuritySettings represents the security related part of repository settings as exposed externally.
 type SecuritySettings struct {
- SecretScanningEnabled *bool `json:"secret_scanning_enabled"`
+ SecretScanningEnabled *bool `json:"secret_scanning_enabled" yaml:"secret_scanning_enabled"`
 }

 func GetDefaultSecuritySettings() *SecuritySettings {
diff --git a/app/api/controller/reposettings/security_update.go b/app/api/controller/reposettings/security_update.go
index 9d9e8cceb..d7d2d5fdc 100644
--- a/app/api/controller/reposettings/security_update.go
+++ b/app/api/controller/reposettings/security_update.go
@@ -19,7 +19,11 @@ import (
 "fmt"

 "github.com/harness/gitness/app/auth"
+ "github.com/harness/gitness/app/paths"
+ "github.com/harness/gitness/audit"
 "github.com/harness/gitness/types/enum"
+
+ "github.com/rs/zerolog/log"
 )

 // SecurityUpdate updates the security settings of the repo.
@@ -34,6 +38,14 @@ func (c *Controller) SecurityUpdate(
 return nil, err
 }

+ // read old settings values
+ old := GetDefaultSecuritySettings()
+ oldMappings := GetSecuritySettingsMappings(old)
+ err = c.settings.RepoMap(ctx, repo.ID, oldMappings...)
+ if err != nil {
+ return nil, fmt.Errorf("failed to map settings (old): %w", err)
+ }
+
 err = c.settings.RepoSetMany(ctx, repo.ID, GetSecuritySettingsAsKeyValues(in)...)
 if err != nil {
 return nil, fmt.Errorf("failed to set settings: %w", err)
@@ -47,5 +59,17 @@ func (c *Controller) SecurityUpdate(
 return nil, fmt.Errorf("failed to map settings: %w", err)
 }

+ err = c.auditService.Log(ctx,
+ session.Principal,
+ audit.NewResource(audit.ResourceTypeRepositorySettings, repo.Identifier),
+ audit.ActionUpdated,
+ paths.Parent(repo.Path),
+ audit.WithOldObject(old),
+ audit.WithNewObject(out),
+ )
+ if err != nil {
+ log.Ctx(ctx).Warn().Msgf("failed to insert audit log for update repository settings operation: %s", err)
+ }
+
 return out, nil
 }
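Review bot: The `old` snapshot added in the `@@ -34,6 +38,14 @@` hunk of security_update.go is read in a separate call from the `RepoSetMany` write that follows it, so two concurrent SecurityUpdate requests can each record an `old` value that is not the one their own write replaced. For an audit trail of a security control (secret scanning), that makes the before/after pair unreliable as evidence of who changed what. If the settings service offers a transactional or locked path (not visible in this hunk), the read, the write and the re-read should share it; otherwise a comment such as `// NOTE: old is a best-effort snapshot and is not atomic with RepoSetMany` would keep consumers of the log from over-trusting it. The function body starts and ends outside this hunk.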
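Review bot: A failed `c.auditService.Log` call in the `@@ -47,5 +59,17 @@` hunk of security_update.go is reduced to a warning after the settings have already been persisted, so a change to secret scanning can take effect with no audit record and no error visible to the caller. If failing open is the intended policy, the log entry should at least be easy to alert on: attach the error as a structured field rather than formatting it into the message, e.g. `log.Ctx(ctx).Warn().Err(err).Msg("failed to insert audit log for update repository settings operation")`, and consider adding the repository identifier as a field. The record is also written when `old` and `out` are equal, which may add noise to the trail if no-op updates are common. The authorization check and the rest of SecurityUpdate lie outside this hunk.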
diff --git a/app/api/controller/reposettings/wire.go b/app/api/controller/reposettings/wire.go
index 10776c9a3..22c57be2f 100644
--- a/app/api/controller/reposettings/wire.go
+++ b/app/api/controller/reposettings/wire.go
@@ -18,6 +18,7 @@ import (
 "github.com/harness/gitness/app/auth/authz"
 "github.com/harness/gitness/app/services/settings"
 "github.com/harness/gitness/app/store"
+ "github.com/harness/gitness/audit"

 "github.com/google/wire"
 )
@@ -31,6 +32,7 @@ func ProvideController(
 authorizer authz.Authorizer,
 repoStore store.RepoStore,
 settings *settings.Service,
+ auditService audit.Service,
 ) *Controller {
- return NewController(authorizer, repoStore, settings)
+ return NewController(authorizer, repoStore, settings, auditService)
 }
diff --git a/audit/audit.go b/audit/audit.go
index de9952640..3584a919a 100644
--- a/audit/audit.go
+++ b/audit/audit.go
@@ -50,13 +50,16 @@ func (a Action) Validate() error {
 type ResourceType string

 const (
- ResourceTypeRepository ResourceType = "repository"
- ResourceTypeBranchRule ResourceType = "branch_rule"
+ ResourceTypeRepository ResourceType = "repository"
+ ResourceTypeBranchRule ResourceType = "branch_rule"
+ ResourceTypeRepositorySettings ResourceType = "repository_settings"
 )

 func (a ResourceType) Validate() error {
 switch a {
- case ResourceTypeRepository, ResourceTypeBranchRule:
+ case ResourceTypeRepository,
+ ResourceTypeBranchRule,
+ ResourceTypeRepositorySettings:
 return nil
 default:
 return ErrResourceTypeUndefined
diff --git a/cmd/gitness/wire_gen.go b/cmd/gitness/wire_gen.go
index 02585a388..a9b687040 100644
--- a/cmd/gitness/wire_gen.go
+++ b/cmd/gitness/wire_gen.go
@@ -198,7 +198,7 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro repoIdentifier := check.ProvideRepoIdentifierCheck() repoCheck := repo.ProvideRepoCheck() repoController := repo.ProvideController(config, transactor, provider, authorizer, repoStore, spaceStore, pipelineStore, principalStore, ruleStore, settingsService, principalInfoCache, protectionManager, gitInterface, repository, codeownersService, reporter, indexer, resourceLimiter, lockerLocker, auditService, mutexManager, repoIdentifier, repoCheck) - reposettingsController := reposettings.ProvideController(authorizer, repoStore, settingsService) + reposettingsController := reposettings.ProvideController(authorizer, repoStore, settingsService, auditService) executionStore := database.ProvideExecutionStore(db) checkStore := database.ProvideCheckStore(db, principalInfoCache) stageStore := database.ProvideStageStore(db)