diff --git a/backend/src/ee/services/audit-log/audit-log-types.ts b/backend/src/ee/services/audit-log/audit-log-types.ts
index 0c6ff51c8e..2e3df3eda5 100644
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -71,6 +71,11 @@ export enum EventType {
 UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
 GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
 REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
+ LOGIN_IDENTITY_OIDC_AUTH = "login-identity-oidc-auth",
+ ADD_IDENTITY_OIDC_AUTH = "add-identity-oidc-auth",
+ UPDATE_IDENTITY_OIDC_AUTH = "update-identity-oidc-auth",
+ GET_IDENTITY_OIDC_AUTH = "get-identity-oidc-auth",
+ REVOKE_IDENTITY_OIDC_AUTH = "revoke-identity-oidc-auth",
 CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
 REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
 GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
@@ -682,6 +687,63 @@ interface GetIdentityAzureAuthEvent {
 };
 }
 
+interface LoginIdentityOidcAuthEvent {
+ type: EventType.LOGIN_IDENTITY_OIDC_AUTH;
+ metadata: {
+ identityId: string;
+ identityOidcAuthId: string;
+ identityAccessTokenId: string;
+ };
+}
+
+interface AddIdentityOidcAuthEvent {
+ type: EventType.ADD_IDENTITY_OIDC_AUTH;
+ metadata: {
+ identityId: string;
+ oidcDiscoveryUrl: string;
+ caCert: string;
+ boundIssuer: string;
+ boundAudiences: string;
+ boundClaims: Record;
+ boundSubject: string;
+ accessTokenTTL: number;
+ accessTokenMaxTTL: number;
+ accessTokenNumUsesLimit: number;
+ accessTokenTrustedIps: Array;
+ };
+}
+
+interface DeleteIdentityOidcAuthEvent {
+ type: EventType.REVOKE_IDENTITY_OIDC_AUTH;
+ metadata: {
+ identityId: string;
+ };
+}
+
+interface UpdateIdentityOidcAuthEvent {
+ type: EventType.UPDATE_IDENTITY_OIDC_AUTH;
+ metadata: {
+ identityId: string;
+ oidcDiscoveryUrl?: string;
+ caCert?: string;
+ boundIssuer?: string;
+ boundAudiences?: string;
+ boundClaims?: Record;
+ boundSubject?: string;
+ accessTokenTTL?: number;
+ accessTokenMaxTTL?: number;
+ accessTokenNumUsesLimit?: number;
+ accessTokenTrustedIps?: Array;
+ };
+}
+
+interface GetIdentityOidcAuthEvent {
+ type: EventType.GET_IDENTITY_OIDC_AUTH;
+ metadata: {
+ identityId: string;
+ };
+}
+
 interface CreateEnvironmentEvent {
 type: EventType.CREATE_ENVIRONMENT;
 metadata: {
@@ -1078,6 +1140,11 @@ export type Event =
 | DeleteIdentityAzureAuthEvent
 | UpdateIdentityAzureAuthEvent
 | GetIdentityAzureAuthEvent
+ | LoginIdentityOidcAuthEvent
+ | AddIdentityOidcAuthEvent
+ | DeleteIdentityOidcAuthEvent
+ | UpdateIdentityOidcAuthEvent
+ | GetIdentityOidcAuthEvent
 | CreateEnvironmentEvent
 | UpdateEnvironmentEvent
 | DeleteEnvironmentEvent
diff --git a/backend/src/server/routes/v1/identity-oidc-auth-router.ts b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
index c6bf1db6a6..d5f64148b1 100644
--- a/backend/src/server/routes/v1/identity-oidc-auth-router.ts
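Review bot: `LoginIdentityOidcAuthEvent` and `EventType.LOGIN_IDENTITY_OIDC_AUTH` are declared in this hunk, but no hunk in this diff emits that event; the router hunks below log only ADD, UPDATE and GET. If the login path is instrumented in a separate change that is fine; otherwise the event with the most forensic value here (an identity exchanging an OIDC token for an access token) stays unlogged while the type suggests it is covered, so it is worth confirming before merge. Since the router populates these metadata objects from the record returned by the service rather than from the request, a comment such as `// metadata is a snapshot of the stored OIDC auth config after the write, not the request body` above `AddIdentityOidcAuthEvent` would tell audit-trail readers what they are looking at. `Record` and `Array` appear without type arguments on this page, presumably a rendering artifact; confirm the committed source carries them.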
+++ b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
@@ -1,9 +1,11 @@
 import { z } from "zod";
 
 import { IdentityOidcAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateOidcAuthAudiencesField } from "@app/services/identity-oidc-auth/identity-oidc-auth-validators";
 
 const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.omit({
@@ -79,6 +81,27 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
 identityId: req.params.identityId
 });
 
+ await server.services.auditLog.createAuditLog({
+ ...req.auditLogInfo,
+ orgId: identityOidcAuth.orgId,
+ event: {
+ type: EventType.ADD_IDENTITY_OIDC_AUTH,
+ metadata: {
+ identityId: identityOidcAuth.identityId,
+ oidcDiscoveryUrl: identityOidcAuth.oidcDiscoveryUrl,
+ caCert: identityOidcAuth.caCert,
+ boundIssuer: identityOidcAuth.boundIssuer,
+ boundAudiences: identityOidcAuth.boundAudiences,
+ boundClaims: identityOidcAuth.boundClaims as Record,
+ boundSubject: identityOidcAuth.boundSubject as string,
+ accessTokenTTL: identityOidcAuth.accessTokenTTL,
+ accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
+ accessTokenTrustedIps: identityOidcAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+ accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit
+ }
+ }
+ });
+
 return { identityOidcAuth };
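Review bot: The three `as` casts in the new metadata object (`boundClaims as Record`, `boundSubject as string`, `accessTokenTrustedIps as TIdentityTrustedIp[]`) silence the checker rather than narrow; if `boundSubject` or `boundClaims` are nullable in `IdentityOidcAuthsSchema`, the audit entry will carry `null` where the event type promises a value, and nothing here checks that `accessTokenTrustedIps` (presumably a JSON column) actually has the trusted-IP shape before it is written to the audit trail. Either make the event metadata type honest (e.g. `boundSubject?: string`) and drop the cast, or apply an explicit `??` default so the log records exactly what was stored rather than what the cast asserts. The same casts and the identical metadata mapping are repeated in the UPDATE hunk (`@@ -151,6 +174,27`); a small helper that maps the returned record to the event metadata would keep the two in sync and give the cast a single, commented home. The enclosing handler and `registerIdentityOidcAuthRouter` begin outside this hunk.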
@@ -151,6 +174,27 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
 identityId: req.params.identityId
 });
 
+ await server.services.auditLog.createAuditLog({
+ ...req.auditLogInfo,
+ orgId: identityOidcAuth.orgId,
+ event: {
+ type: EventType.UPDATE_IDENTITY_OIDC_AUTH,
+ metadata: {
+ identityId: identityOidcAuth.identityId,
+ oidcDiscoveryUrl: identityOidcAuth.oidcDiscoveryUrl,
+ caCert: identityOidcAuth.caCert,
+ boundIssuer: identityOidcAuth.boundIssuer,
+ boundAudiences: identityOidcAuth.boundAudiences,
+ boundClaims: identityOidcAuth.boundClaims as Record,
+ boundSubject: identityOidcAuth.boundSubject as string,
+ accessTokenTTL: identityOidcAuth.accessTokenTTL,
+ accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
+ accessTokenTrustedIps: identityOidcAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+ accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit
+ }
+ }
+ });
+
 return { identityOidcAuth };
 }
 });
@@ -187,6 +231,17 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
 actorAuthMethod: req.permission.authMethod
 });
 
+ await server.services.auditLog.createAuditLog({
+ ...req.auditLogInfo,
+ orgId: identityOidcAuth.orgId,
+ event: {
+ type: EventType.GET_IDENTITY_OIDC_AUTH,
+ metadata: {
+ identityId: identityOidcAuth.identityId
+ }
+ }
+ });
+
 return { identityOidcAuth };
 }
 });