From 127866ce97ce74479ceba1d9826300be8b277a77 Mon Sep 17 00:00:00 2001 From: Kevin Aleman Date: Mon, 12 Aug 2024 09:55:58 -0600 Subject: [PATCH] feat(audit): New endpoint for listing members of any room (#32916) --- .changeset/funny-boats-guess.md | 6 + .../audit/components/AuditFiltersDisplay.tsx | 16 +- .../views/audit/components/AuditLogEntry.tsx | 8 +- apps/meteor/ee/server/api/audit.ts | 95 ++++++ apps/meteor/ee/server/lib/audit/startup.ts | 1 + apps/meteor/ee/server/startup/audit.ts | 1 + apps/meteor/tests/end-to-end/api/audit.ts | 301 ++++++++++++++++++ packages/core-typings/src/ee/IAuditLog.ts | 5 +- packages/i18n/src/locales/en.i18n.json | 3 + 9 files changed, 425 insertions(+), 11 deletions(-) create mode 100644 .changeset/funny-boats-guess.md create mode 100644 apps/meteor/ee/server/api/audit.ts create mode 100644 apps/meteor/tests/end-to-end/api/audit.ts diff --git a/.changeset/funny-boats-guess.md b/.changeset/funny-boats-guess.md new file mode 100644 index 000000000000..076acff98329 --- /dev/null +++ b/.changeset/funny-boats-guess.md @@ -0,0 +1,6 @@ +--- +"@rocket.chat/meteor": minor +"@rocket.chat/i18n": minor +--- + +Added a new Audit endpoint `audit/rooms.members` that allows users with `view-members-list-all-rooms` to fetch a list of the members of any room even if the user is not part of it. diff --git a/apps/meteor/client/views/audit/components/AuditFiltersDisplay.tsx b/apps/meteor/client/views/audit/components/AuditFiltersDisplay.tsx index dadb59b04777..276d8c355c9b 100644 --- a/apps/meteor/client/views/audit/components/AuditFiltersDisplay.tsx +++ b/apps/meteor/client/views/audit/components/AuditFiltersDisplay.tsx @@ -9,20 +9,24 @@ import { useFormatDate } from '../../../hooks/useFormatDate'; type AuditFiltersDisplayProps = { users?: IUser['username'][]; room?: IRoom['name']; - startDate: Date; - endDate: Date; + startDate?: Date; + endDate?: Date; + filters?: string; }; -const AuditFiltersDisplay = ({ users, room, startDate, endDate }: AuditFiltersDisplayProps): ReactElement => { +const AuditFiltersDisplay = ({ users, room, startDate, endDate, filters }: AuditFiltersDisplayProps): ReactElement => { const formatDate = useFormatDate(); const t = useTranslation(); return ( {users?.length ? users.map((user) => `@${user}`).join(' : ') : `#${room}`} - - {formatDate(startDate)} {t('Date_to')} {formatDate(endDate)} {/* TODO: fix this translation */} - + {startDate && endDate ? ( + + {formatDate(startDate)} {t('Date_to')} {formatDate(endDate)} {/* TODO: fix this translation */} + + ) : null} + {filters ? {filters} : null} ); }; diff --git a/apps/meteor/client/views/audit/components/AuditLogEntry.tsx b/apps/meteor/client/views/audit/components/AuditLogEntry.tsx index 0ec56c1e5652..8e3f9788880b 100644 --- a/apps/meteor/client/views/audit/components/AuditLogEntry.tsx +++ b/apps/meteor/client/views/audit/components/AuditLogEntry.tsx @@ -2,6 +2,7 @@ import type { IAuditLog } from '@rocket.chat/core-typings'; import { Box } from '@rocket.chat/fuselage'; import { useMediaQuery } from '@rocket.chat/fuselage-hooks'; import { UserAvatar } from '@rocket.chat/ui-avatar'; +import { useTranslation } from '@rocket.chat/ui-contexts'; import type { ReactElement } from 'react'; import React, { memo, useMemo } from 'react'; @@ -13,10 +14,11 @@ type AuditLogEntryProps = { value: IAuditLog }; const AuditLogEntry = ({ value: { u, results, ts, _id, fields } }: AuditLogEntryProps): ReactElement => { const formatDateAndTime = useFormatDateAndTime(); + const t = useTranslation(); const { username, name, avatarETag } = u; - const { msg, users, room, startDate, endDate } = fields; + const { msg, users, room, startDate, endDate, type, filters } = fields; const when = useMemo(() => formatDateAndTime(ts), [formatDateAndTime, ts]); @@ -43,12 +45,12 @@ const AuditLogEntry = ({ value: { u, results, ts, _id, fields } }: AuditLogEntry - {msg} + {type === 'room_member_list' ? t('Room_members_list') : msg} {when} {results} - + ); diff --git a/apps/meteor/ee/server/api/audit.ts b/apps/meteor/ee/server/api/audit.ts new file mode 100644 index 000000000000..748368f0d569 --- /dev/null +++ b/apps/meteor/ee/server/api/audit.ts @@ -0,0 +1,95 @@ +import type { IUser, IRoom } from '@rocket.chat/core-typings'; +import { Rooms, AuditLog } from '@rocket.chat/models'; +import type { PaginatedRequest, PaginatedResult } from '@rocket.chat/rest-typings'; +import Ajv from 'ajv'; + +import { API } from '../../../app/api/server/api'; +import { getPaginationItems } from '../../../app/api/server/helpers/getPaginationItems'; +import { findUsersOfRoom } from '../../../server/lib/findUsersOfRoom'; + +const ajv = new Ajv({ + coerceTypes: true, +}); + +type AuditRoomMembersParams = PaginatedRequest<{ + roomId: string; + filter: string; +}>; + +const auditRoomMembersSchema = { + type: 'object', + properties: { + roomId: { type: 'string', minLength: 1 }, + filter: { type: 'string' }, + count: { type: 'number' }, + offset: { type: 'number' }, + sort: { type: 'string' }, + }, + required: ['roomId'], + additionalProperties: false, +}; + +export const isAuditRoomMembersProps = ajv.compile(auditRoomMembersSchema); + +declare module '@rocket.chat/rest-typings' { + // eslint-disable-next-line @typescript-eslint/naming-convention + interface Endpoints { + '/v1/audit/rooms.members': { + GET: ( + params: AuditRoomMembersParams, + ) => PaginatedResult<{ members: Pick[] }>; + }; + } +} + +API.v1.addRoute( + 'audit/rooms.members', + { authRequired: true, permissionsRequired: ['view-members-list-all-rooms'], validateParams: isAuditRoomMembersProps }, + { + async get() { + const { roomId, filter } = this.queryParams; + const { count: limit, offset: skip } = await getPaginationItems(this.queryParams); + const { sort } = await this.parseJsonQuery(); + + const room = await Rooms.findOneById>(roomId, { projection: { _id: 1, name: 1, fname: 1 } }); + if (!room) { + return API.v1.notFound(); + } + + const { cursor, totalCount } = findUsersOfRoom({ + rid: room._id, + filter, + skip, + limit, + ...(sort?.username && { sort: { username: sort.username } }), + }); + + const [members, total] = await Promise.all([cursor.toArray(), totalCount]); + + await AuditLog.insertOne({ + ts: new Date(), + results: total, + u: { + _id: this.user._id, + username: this.user.username, + name: this.user.name, + avatarETag: this.user.avatarETag, + }, + fields: { + msg: 'Room_members_list', + rids: [room._id], + type: 'room_member_list', + room: room.name || room.fname, + filters: filter, + }, + }); + + return API.v1.success({ + members, + count: members.length, + offset: skip, + total, + }); + }, + }, +); diff --git a/apps/meteor/ee/server/lib/audit/startup.ts b/apps/meteor/ee/server/lib/audit/startup.ts index ba50eb48e244..076336b50fe6 100644 --- a/apps/meteor/ee/server/lib/audit/startup.ts +++ b/apps/meteor/ee/server/lib/audit/startup.ts @@ -6,6 +6,7 @@ export const createPermissions = async () => { const permissions = [ { _id: 'can-audit', roles: ['admin', 'auditor'] }, { _id: 'can-audit-log', roles: ['admin', 'auditor-log'] }, + { _id: 'view-members-list-all-rooms', roles: ['admin', 'auditor'] }, ]; const defaultRoles = [ diff --git a/apps/meteor/ee/server/startup/audit.ts b/apps/meteor/ee/server/startup/audit.ts index c38794a7582e..9f8135a16a65 100644 --- a/apps/meteor/ee/server/startup/audit.ts +++ b/apps/meteor/ee/server/startup/audit.ts @@ -4,6 +4,7 @@ import { createPermissions } from '../lib/audit/startup'; await License.onLicense('auditing', async () => { await import('../lib/audit/methods'); + await import('../api/audit'); await createPermissions(); }); diff --git a/apps/meteor/tests/end-to-end/api/audit.ts b/apps/meteor/tests/end-to-end/api/audit.ts new file mode 100644 index 000000000000..ba62caf621b8 --- /dev/null +++ b/apps/meteor/tests/end-to-end/api/audit.ts @@ -0,0 +1,301 @@ +import type { Credentials } from '@rocket.chat/api-client'; +import type { IRoom, IUser } from '@rocket.chat/core-typings'; +import { Random } from '@rocket.chat/random'; +import { expect } from 'chai'; +import EJSON from 'ejson'; +import { before, describe, it, after } from 'mocha'; + +import { getCredentials, api, request, credentials, methodCall } from '../../data/api-data'; +import { updatePermission } from '../../data/permissions.helper'; +import { createRoom, deleteRoom } from '../../data/rooms.helper'; +import { password } from '../../data/user'; +import { createUser, deleteUser, login } from '../../data/users.helper'; +import { IS_EE } from '../../e2e/config/constants'; + +(IS_EE ? describe : describe.skip)('Audit Panel', () => { + let testChannel: IRoom; + let testPrivateChannel: IRoom; + let dummyUser: IUser; + let auditor: IUser; + let auditorCredentials: Credentials; + before((done) => getCredentials(done)); + before(async () => { + testChannel = (await createRoom({ type: 'c', name: `chat.api-test-${Date.now()}` })).body.channel; + testPrivateChannel = (await createRoom({ type: 'p', name: `chat.api-test-${Date.now()}` })).body.group; + dummyUser = await createUser(); + auditor = await createUser({ roles: ['user', 'auditor'] }); + + auditorCredentials = await login(auditor.username, password); + }); + after(async () => { + await deleteRoom({ type: 'c', roomId: testChannel._id }); + await deleteUser({ _id: dummyUser._id }); + await deleteUser({ _id: auditor._id }); + await deleteRoom({ type: 'p', roomId: testPrivateChannel._id }); + }); + + describe('audit/rooms.members [no permissions]', () => { + before(async () => { + await updatePermission('view-members-list-all-rooms', []); + }); + after(async () => { + await updatePermission('view-members-list-all-rooms', ['admin', 'auditor']); + }); + it('should fail if user does not have view-members-list-all-rooms permission', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: 'GENERAL', + }) + .expect(403); + await request + .get(api('audit/rooms.members')) + .set(auditorCredentials) + .query({ + roomId: 'GENERAL', + }) + .expect(403); + }); + }); + + describe('audit/rooms.members', () => { + it('should fail if user is not logged in', async () => { + await request + .get(api('audit/rooms.members')) + .query({ + roomId: 'GENERAL', + }) + .expect(401); + }); + it('should fail if roomId is invalid', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: Random.id(), + }) + .expect(404); + }); + it('should fail if roomId is not present', async () => { + await request.get(api('audit/rooms.members')).set(credentials).query({}).expect(400); + }); + it('should fail if roomId is an empty string', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: '', + }) + .expect(400); + }); + it('should fetch the members of a room', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(1); + }); + }); + it('should persist a log entry', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(1); + }); + + await request + .post(methodCall('auditGetAuditions')) + .set(credentials) + .send({ + message: EJSON.stringify({ + method: 'auditGetAuditions', + params: [{ startDate: new Date(Date.now() - 86400000), endDate: new Date() }], + id: 'id', + msg: 'method', + }), + }) + .expect('Content-Type', 'application/json') + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + const message = JSON.parse(res.body.message); + + expect(message.result).to.be.an('array').with.lengthOf.greaterThan(1); + const entry = message.result.find((audition: any) => { + return audition.fields.rids.includes(testChannel._id); + }); + expect(entry).to.have.property('u').that.is.an('object').deep.equal({ + _id: 'rocketchat.internal.admin.test', + username: 'rocketchat.internal.admin.test', + name: 'RocketChat Internal Admin Test', + }); + expect(entry).to.have.property('fields').that.is.an('object'); + const { fields } = entry; + + expect(fields).to.have.property('msg', 'Room_members_list'); + expect(fields).to.have.property('rids').that.is.an('array').with.lengthOf(1); + }); + }); + it('should fetch the members of a room with offset and count', async () => { + await request + .post(methodCall('addUsersToRoom')) + .set(credentials) + .send({ + message: JSON.stringify({ + method: 'addUsersToRoom', + params: [{ rid: testChannel._id, users: [dummyUser.username] }], + id: 'id', + msg: 'method', + }), + }) + .expect('Content-Type', 'application/json') + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + }); + + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + offset: 1, + count: 1, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(1); + expect(res.body.members[0].username).to.be.equal(dummyUser.username); + expect(res.body.total).to.be.equal(2); + expect(res.body.offset).to.be.equal(1); + expect(res.body.count).to.be.equal(1); + }); + }); + + it('should filter by username', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + filter: dummyUser.username, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(1); + expect(res.body.members[0].username).to.be.equal(dummyUser.username); + }); + }); + + it('should filter by user name', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + filter: dummyUser.name, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(1); + expect(res.body.members[0].name).to.be.equal(dummyUser.name); + }); + }); + + it('should sort by username', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + sort: '{ "username": -1 }', + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(2); + expect(res.body.members[1].username).to.be.equal('rocketchat.internal.admin.test'); + expect(res.body.members[0].username).to.be.equal(dummyUser.username); + }); + }); + + it('should not allow nosqlinjection on filter param', async () => { + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + filter: '{ "$ne": "rocketchat.internal.admin.test" }', + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members).to.have.lengthOf(0); + }); + + await request + .get(api('audit/rooms.members')) + .set(credentials) + .query({ + roomId: testChannel._id, + filter: { username: 'rocketchat.internal.admin.test' }, + }) + .expect(400); + }); + + it('should allow to fetch info even if user is not in the room', async () => { + await request + .get(api('audit/rooms.members')) + .set(auditorCredentials) + .query({ + roomId: testChannel._id, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members[0].username).to.be.equal('rocketchat.internal.admin.test'); + expect(res.body.members[1].username).to.be.equal(dummyUser.username); + expect(res.body.total).to.be.equal(2); + }); + }); + + it('should allow to fetch info from private rooms', async () => { + await request + .get(api('audit/rooms.members')) + .set(auditorCredentials) + .query({ + roomId: testPrivateChannel._id, + }) + .expect(200) + .expect((res) => { + expect(res.body).to.have.property('success', true); + expect(res.body.members).to.be.an('array'); + expect(res.body.members[0].username).to.be.equal('rocketchat.internal.admin.test'); + expect(res.body.total).to.be.equal(1); + }); + }); + }); +}); diff --git a/packages/core-typings/src/ee/IAuditLog.ts b/packages/core-typings/src/ee/IAuditLog.ts index de1c6ff5213f..4618400d8017 100644 --- a/packages/core-typings/src/ee/IAuditLog.ts +++ b/packages/core-typings/src/ee/IAuditLog.ts @@ -12,12 +12,13 @@ export interface IAuditLog extends IRocketChatRecord { fields: { type: string; msg: IMessage['msg']; - startDate: Date; - endDate: Date; + startDate?: Date; + endDate?: Date; rids?: IRoom['_id'][]; room: IRoom['name']; users?: IUser['username'][]; visitor?: ILivechatVisitor['_id']; agent?: ILivechatAgent['_id']; + filters?: string; }; } diff --git a/packages/i18n/src/locales/en.i18n.json b/packages/i18n/src/locales/en.i18n.json index 12f0dbf628c5..c270bb9bffb1 100644 --- a/packages/i18n/src/locales/en.i18n.json +++ b/packages/i18n/src/locales/en.i18n.json @@ -5791,6 +5791,9 @@ "view-all-teams_description": "Permission to view all teams", "view-all-team-channels": "View All Team Channels", "view-all-team-channels_description": "Permission to view all team's channels", + "view-members-list-all-rooms": "Can view members in all rooms", + "view-members-list-all-rooms_description": "Gives the ability to see the members list in all rooms, even those the user is not part of", + "Room_members_list": "Members list", "view-broadcast-member-list": "View Members List in Broadcast Room", "view-broadcast-member-list_description": "Permission to view list of users in broadcast channel", "view-c-room": "View Public Channel",