Merge pull request #4554 from Infisical/misc/added-audit-logs-for-role-ops

misc: added audit logs for project and org role management operations

Author: sheensantoscapadngan

backend/src/ee/routes/v1/deprecated-project-role-router.ts

@@ -2,6 +2,7 @@ import { packRules } from "@casl/ability/extra";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import {
   backfillPermissionV1SchemaToV2Schema,
   ProjectPermissionV1Schema
@@ -50,6 +51,10 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const stringifiedPermissions = JSON.stringify(
+        packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true))
+      );
+
       const role = await server.services.projectRole.createRole({
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -61,7 +66,23 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
         },
         data: {
           ...req.body,
-          permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
+          permissions: stringifiedPermissions
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.CREATE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: stringifiedPermissions
+          }
         }
       });
 
@@ -106,6 +127,10 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const stringifiedPermissions = req.body.permissions
+        ? JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
+        : undefined;
+
       const role = await server.services.projectRole.updateRole({
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -114,11 +139,26 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
         roleId: req.params.roleId,
         data: {
           ...req.body,
-          permissions: req.body.permissions
-            ? JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
-            : undefined
+          permissions: stringifiedPermissions
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.UPDATE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: stringifiedPermissions
+          }
         }
       });
+
       return { role };
     }
   });
@@ -155,6 +195,21 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
         actor: req.permission.type,
         roleId: req.params.roleId
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.DELETE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: role.slug,
+            name: role.name
+          }
+        }
+      });
+
       return { role };
     }
   });

backend/src/ee/routes/v1/org-role-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -42,6 +43,22 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.authMethod,
         req.permission.orgId
       );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.CREATE_ORG_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: JSON.stringify(req.body.permissions)
+          }
+        }
+      });
+
       return { role };
     }
   });
@@ -116,6 +133,22 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.authMethod,
         req.permission.orgId
       );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.UPDATE_ORG_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: req.body.permissions ? JSON.stringify(req.body.permissions) : undefined
+          }
+        }
+      });
+
       return { role };
     }
   });
@@ -146,6 +179,16 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.authMethod,
         req.permission.orgId
       );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_ORG_ROLE,
+          metadata: { roleId: role.id, slug: role.slug, name: role.name }
+        }
+      });
+
       return { role };
     }
   });

backend/src/ee/routes/v1/project-role-router.ts

@@ -2,6 +2,7 @@ import { packRules } from "@casl/ability/extra";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
@@ -52,6 +53,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const stringifiedPermissions = JSON.stringify(packRules(req.body.permissions));
+
       const role = await server.services.projectRole.createRole({
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -63,9 +66,26 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         },
         data: {
           ...req.body,
-          permissions: JSON.stringify(packRules(req.body.permissions))
+          permissions: stringifiedPermissions
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.CREATE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: stringifiedPermissions
+          }
         }
       });
+
       return { role };
     }
   });
@@ -112,6 +132,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const stringifiedPermissions = req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined;
       const role = await server.services.projectRole.updateRole({
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -120,9 +141,26 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         roleId: req.params.roleId,
         data: {
           ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+          permissions: stringifiedPermissions
         }
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.UPDATE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: stringifiedPermissions
+          }
+        }
+      });
+
       return { role };
     }
   });
@@ -161,6 +199,21 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         roleId: req.params.roleId
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.DELETE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: role.slug,
+            name: role.name
+          }
+        }
+      });
+
       return { role };
     }
   });

backend/src/ee/routes/v2/deprecated-project-role-router.ts

@@ -2,6 +2,7 @@ import { packRules } from "@casl/ability/extra";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
@@ -52,6 +53,8 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const stringifiedPermissions = JSON.stringify(packRules(req.body.permissions));
+
       const role = await server.services.projectRole.createRole({
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -63,9 +66,26 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
         },
         data: {
           ...req.body,
-          permissions: JSON.stringify(packRules(req.body.permissions))
+          permissions: stringifiedPermissions
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.CREATE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: stringifiedPermissions
+          }
         }
       });
+
       return { role };
     }
   });
@@ -112,6 +132,7 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const stringifiedPermissions = req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined;
       const role = await server.services.projectRole.updateRole({
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -120,9 +141,26 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
         roleId: req.params.roleId,
         data: {
           ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+          permissions: stringifiedPermissions
         }
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.UPDATE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: req.body.slug,
+            name: req.body.name,
+            description: req.body.description,
+            permissions: stringifiedPermissions
+          }
+        }
+      });
+
       return { role };
     }
   });
@@ -161,6 +199,21 @@ export const registerDeprecatedProjectRoleRouter = async (server: FastifyZodProv
         actor: req.permission.type,
         roleId: req.params.roleId
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: role.projectId,
+        event: {
+          type: EventType.DELETE_PROJECT_ROLE,
+          metadata: {
+            roleId: role.id,
+            slug: role.slug,
+            name: role.name
+          }
+        }
+      });
+
       return { role };
     }
   });