Merge pull request #412 from sapcc/delete-account-audit

Create audit event when deleting account via account management
sapcc · Aug 1, 2024 · 333ccd7 · 333ccd7
2 parents 3c01c75 + 953f7b0
commit 333ccd7
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/internal/api/keppel/accounts.go b/internal/api/keppel/accounts.go
@@ -156,7 +156,10 @@ func (a *API) handleDeleteAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	resp, err := a.processor().DeleteAccount(r.Context(), *account)
+	resp, err := a.processor().DeleteAccount(r.Context(), *account, keppel.AuditContext{
+		UserIdentity: authz.UserIdentity,
+		Request:      r,
+	})
 	if respondwith.ErrorText(w, err) {
 		return
 	}

diff --git a/internal/processor/accounts.go b/internal/processor/accounts.go
@@ -369,7 +369,7 @@ var (
 	deleteAccountMarkAllBlobsForDeletionQuery = `UPDATE blobs SET can_be_deleted_at = $2 WHERE account_name = $1`
 )
 
-func (p *Processor) DeleteAccount(ctx context.Context, account models.Account) (*DeleteAccountResponse, error) {
+func (p *Processor) DeleteAccount(ctx context.Context, account models.Account, actx keppel.AuditContext) (*DeleteAccountResponse, error) {
 	if !account.InMaintenance {
 		return &DeleteAccountResponse{
 			Error: "account must be set in maintenance first",
@@ -448,5 +448,23 @@ func (p *Processor) DeleteAccount(ctx context.Context, account models.Account) (
 		return nil, fmt.Errorf("while cleaning up name claim for account: %w", err)
 	}
 
-	return nil, tx.Commit()
+	err = tx.Commit()
+	if err != nil {
+		return nil, err
+	}
+
+	if userInfo := actx.UserIdentity.UserInfo(); userInfo != nil {
+		p.auditor.Record(audittools.EventParameters{
+			Time:       p.timeNow(),
+			Request:    actx.Request,
+			User:       userInfo,
+			ReasonCode: http.StatusOK,
+			Action:     cadf.DeleteAction,
+			Target: auditManifest{
+				Account: account,
+			},
+		})
+	}
+
+	return nil, nil
 }
diff --git a/internal/tasks/account_management.go b/internal/tasks/account_management.go
@@ -149,10 +149,10 @@ func (j *Janitor) tryDeleteManagedAccount(ctx context.Context, accountName strin
 
 	proc := j.processor()
 	actx := keppel.AuditContext{
-		UserIdentity: janitorUserIdentity{TaskName: "tag-sync"},
+		UserIdentity: janitorUserIdentity{TaskName: "account-sync"},
 		Request:      janitorDummyRequest,
 	}
-	resp, err := proc.DeleteAccount(ctx, *accountModel) // TODO: should take `actx` and produce an audit event
+	resp, err := proc.DeleteAccount(ctx, *accountModel, actx)
 	if err != nil {
 		return false, err
 	}