Add audit logs to pulls, still need to refactor

Infisical · Dec 27, 2022 · 16f2405 · 16f2405
1 parent 9497a26
commit 16f2405
Show file tree

Hide file tree

Showing 5 changed files with 100 additions and 13 deletions.
diff --git a/backend/src/controllers/v1/secretController.ts b/backend/src/controllers/v1/secretController.ts
@@ -123,7 +123,9 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		secrets = await pull({
 			userId: req.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
 		});
 
 		key = await Key.findOne({
@@ -188,7 +190,9 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets = await pull({
 			userId: req.serviceToken.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: 'cli',
+			ipAddress: req.ip
 		});
 
 		key = {

diff --git a/backend/src/controllers/v2/workspaceController.ts b/backend/src/controllers/v2/workspaceController.ts
@@ -459,7 +459,9 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		secrets = await pull({
 			userId: req.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel,
+			ipAddress: req.ip
 		});
 
 		key = await Key.findOne({
@@ -526,7 +528,9 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		secrets = await pull({
 			userId: req.serviceToken.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: 'cli',
+			ipAddress: req.ip
 		});
 
 		key = {

diff --git a/backend/src/helpers/secret.ts b/backend/src/helpers/secret.ts
@@ -22,7 +22,8 @@ import {
 	SECRET_PERSONAL,
 	ACTION_ADD_SECRETS,
 	ACTION_UPDATE_SECRETS,
-	ACTION_DELETE_SECRETS
+	ACTION_DELETE_SECRETS,
+	ACTION_READ_SECRETS
 } from '../variables';
 
 interface V1PushSecret {
@@ -78,7 +79,7 @@ const v1PushSecrets = async ({
 	userId,
 	workspaceId,
 	environment,
-	secrets
+	secrets,
 }: {
 	userId: string;
 	workspaceId: string;
@@ -88,7 +89,7 @@ const v1PushSecrets = async ({
 	// TODO: clean up function and fix up types
 	try {
 		// construct useful data structures
-		const oldSecrets = await pullSecrets({
+		const oldSecrets = await getSecrets({
 			userId,
 			workspaceId,
 			environment
@@ -317,7 +318,7 @@ const v1PushSecrets = async ({
 		const actions: IAction[] = [];
 
 		// construct useful data structures
-		const oldSecrets = await pullSecrets({
+		const oldSecrets = await getSecrets({
 			userId,
 			workspaceId,
 			environment
@@ -642,9 +643,8 @@ const v1PushSecrets = async ({
  * @param {String} obj.userId -id of user to pull secrets for
  * @param {String} obj.workspaceId - id of workspace to pull from
  * @param {String} obj.environment - environment for secrets
- *
  */
-const pullSecrets = async ({
+ const getSecrets = async ({
 	userId,
 	workspaceId,
 	environment
@@ -681,9 +681,84 @@ const pullSecrets = async ({
 	return secrets;
 };
 
+/**
+ * Pull secrets for user with id [userId] for workspace
+ * with id [workspaceId] with environment [environment]
+ * @param {Object} obj
+ * @param {String} obj.userId -id of user to pull secrets for
+ * @param {String} obj.workspaceId - id of workspace to pull from
+ * @param {String} obj.environment - environment for secrets
+ * @param {String} obj.channel - channel (web/cli/auto)
+ * @param {String} obj.ipAddress - ip address of request to push secrets
+ */
+const pullSecrets = async ({
+	userId,
+	workspaceId,
+	environment,
+	channel,
+	ipAddress
+}: {
+	userId: string;
+	workspaceId: string;
+	environment: string;
+	channel: string;
+	ipAddress: string;
+}): Promise<ISecret[]> => {
+	let secrets: any; // TODO: FIX any
+
+	try {
+		secrets = await getSecrets({
+			userId,
+			workspaceId,
+			environment
+		})
+
+		// add audit log for new secrets
+		const readLatestSecretVersions = (await SecretVersion.aggregate([
+			{
+				$match: { secret: { $in: secrets.map((n: any) => n._id) } }
+			},
+			{
+			$group: {
+				_id: '$secret',
+				version: { $max: '$version' }
+			}
+			},
+			{
+			$sort: { version: -1 }
+			}
+		])
+		.exec())
+		.map((s) => s._id);
+
+		const readAction = await new Action({
+			name: ACTION_READ_SECRETS,
+			user: new Types.ObjectId(userId),
+			workspace: new Types.ObjectId(workspaceId),
+			payload: {
+				secretVersions: readLatestSecretVersions
+			}
+		}).save();
+
+		await EELogService.createLog({
+			userId,
+			workspaceId,
+			actions: [readAction],
+			channel,
+			ipAddress
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to pull shared and personal secrets');
+	}
+
+	return secrets;
+};
+
 /**
  * Reformat output of pullSecrets() to be compatible with how existing
- * clients handle secrets
+ * web client handle secrets
  * @param {Object} obj
  * @param {Object} obj.secrets
  */

diff --git a/backend/src/variables/action.ts b/backend/src/variables/action.ts
@@ -1,9 +1,11 @@
 const ACTION_ADD_SECRETS = 'addSecrets';
 const ACTION_DELETE_SECRETS = 'deleteSecrets';
 const ACTION_UPDATE_SECRETS = 'updateSecrets';
+const ACTION_READ_SECRETS = 'readSecrets';
 
 export {
     ACTION_ADD_SECRETS,
     ACTION_DELETE_SECRETS,
-    ACTION_UPDATE_SECRETS
+    ACTION_UPDATE_SECRETS,
+    ACTION_READ_SECRETS
 }
diff --git a/backend/src/variables/index.ts b/backend/src/variables/index.ts
@@ -36,7 +36,8 @@ import { EVENT_PUSH_SECRETS, EVENT_PULL_SECRETS } from './event';
 import {
   ACTION_ADD_SECRETS,
   ACTION_UPDATE_SECRETS,
-  ACTION_DELETE_SECRETS
+  ACTION_DELETE_SECRETS,
+  ACTION_READ_SECRETS
 } from './action';
 import { SMTP_HOST_SENDGRID, SMTP_HOST_MAILGUN } from './smtp';
 import { PLAN_STARTER, PLAN_PRO } from './stripe';
@@ -75,6 +76,7 @@ export {
   ACTION_ADD_SECRETS,
   ACTION_UPDATE_SECRETS,
   ACTION_DELETE_SECRETS,
+  ACTION_READ_SECRETS,
   INTEGRATION_OPTIONS,
   SMTP_HOST_SENDGRID,
   SMTP_HOST_MAILGUN,