From 953f7b07f91e1a252c9266432d8dd1f1ccef4192 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Wed, 31 Jul 2024 17:23:58 +0200
Subject: [PATCH] Create audit event when deleting account via account management

---
 internal/api/keppel/accounts.go | 5 ++++-
 internal/processor/accounts.go | 22 ++++++++++++++++++++--
 internal/tasks/account_management.go | 4 ++--
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/internal/api/keppel/accounts.go b/internal/api/keppel/accounts.go
index e1bcf1e08..5e569be98 100644
--- a/internal/api/keppel/accounts.go
+++ b/internal/api/keppel/accounts.go
@@ -156,7 +156,10 @@ func (a *API) handleDeleteAccount(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- resp, err := a.processor().DeleteAccount(r.Context(), *account)
+ resp, err := a.processor().DeleteAccount(r.Context(), *account, keppel.AuditContext{
+ UserIdentity: authz.UserIdentity,
+ Request: r,
+ })
 if respondwith.ErrorText(w, err) {
 return
 }
diff --git a/internal/processor/accounts.go b/internal/processor/accounts.go
index f38e5608c..cf83efb62 100644
--- a/internal/processor/accounts.go
+++ b/internal/processor/accounts.go
@@ -369,7 +369,7 @@ var (
 deleteAccountMarkAllBlobsForDeletionQuery = `UPDATE blobs SET can_be_deleted_at = $2 WHERE account_name = $1`
 )
 
-func (p *Processor) DeleteAccount(ctx context.Context, account models.Account) (*DeleteAccountResponse, error) {
+func (p *Processor) DeleteAccount(ctx context.Context, account models.Account, actx keppel.AuditContext) (*DeleteAccountResponse, error) {
 if !account.InMaintenance {
 return &DeleteAccountResponse{
 Error: "account must be set in maintenance first",
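Review bot: The exported DeleteAccount gains the `actx keppel.AuditContext` parameter in the `@@ -369,7 +369,7 @@` hunk but still has no doc comment, so nothing at the declaration tells callers what the context is used for or when an audit event is actually produced. A comment such as `// DeleteAccount deletes the given account, which must already be in maintenance, and after the deletion is committed records an audit event attributed to the identity in actx; no event is emitted when that identity carries no user info.` would state the contract that the two call sites changed in this patch rely on. DeleteAccount's body continues past this hunk.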
@@ -448,5 +448,23 @@ func (p *Processor) DeleteAccount(ctx context.Context, account models.Account) (
 return nil, fmt.Errorf("while cleaning up name claim for account: %w", err)
 }
 
- return nil, tx.Commit()
+ err = tx.Commit()
+ if err != nil {
+ return nil, err
+ }
+
+ if userInfo := actx.UserIdentity.UserInfo(); userInfo != nil {
+ p.auditor.Record(audittools.EventParameters{
+ Time: p.timeNow(),
+ Request: actx.Request,
+ User: userInfo,
+ ReasonCode: http.StatusOK,
+ Action: cadf.DeleteAction,
+ Target: auditManifest{
+ Account: account,
+ },
+ })
+ }
+
+ return nil, nil
 }
diff --git a/internal/tasks/account_management.go b/internal/tasks/account_management.go
index aae92ef6a..e61ea0c46 100644
--- a/internal/tasks/account_management.go
+++ b/internal/tasks/account_management.go
@@ -149,10 +149,10 @@ func (j *Janitor) tryDeleteManagedAccount(ctx context.Context, accountName strin
 
 proc := j.processor()
 actx := keppel.AuditContext{
- UserIdentity: janitorUserIdentity{TaskName: "tag-sync"},
+ UserIdentity: janitorUserIdentity{TaskName: "account-sync"},
 Request: janitorDummyRequest,
 }
- resp, err := proc.DeleteAccount(ctx, *accountModel) // TODO: should take `actx` and produce an audit event
+ resp, err := proc.DeleteAccount(ctx, *accountModel, actx)
 if err != nil {
 return false, err
 }
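Review bot: The audit event added after `tx.Commit()` is skipped whenever `actx.UserIdentity.UserInfo()` returns nil, and the janitor call site in internal/tasks/account_management.go (the last hunk) now passes a `janitorUserIdentity`; unless that type's UserInfo() yields a non-nil value, managed-account deletions — the very case the removed TODO was about — still leave no audit trail. A test asserting the recorded event for the janitor path would settle this, and the guard deserves a one-line comment such as `// identities without user info (e.g. anonymous) are not audited` so the silent skip reads as intentional. Separately, the target is `auditManifest{Account: account}` with only the account populated; if that type renders a manifest-typed CADF target, the event will describe an account deletion as a manifest deletion, and an account-level target type would be more accurate. Recording only after a successful commit is the right order, since the early-return paths earlier in DeleteAccount (the function starts outside this hunk) then correctly produce no event.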