mirror of
https://github.com/penpot/penpot.git
✨ Add source ip to the audit-log.
parent
ff3caec36c
commit
f95705d2d6
4 changed files with 51 additions and 22 deletions
|
@ -101,12 +101,13 @@
|
||||||
(:name event)
|
(:name event)
|
||||||
(:type event)
|
(:type event)
|
||||||
(:profile-id event)
|
(:profile-id event)
|
||||||
|
(some-> (:ip-addr event) db/inet)
|
||||||
(db/tjson (:props event))])]
|
(db/tjson (:props event))])]
|
||||||
|
|
||||||
(aa/with-thread executor
|
(aa/with-thread executor
|
||||||
(db/with-atomic [conn pool]
|
(db/with-atomic [conn pool]
|
||||||
(db/insert-multi! conn :audit-log
|
(db/insert-multi! conn :audit-log
|
||||||
[:id :name :type :profile-id :props]
|
[:id :name :type :profile-id :ip-addr :props]
|
||||||
(sequence (map event->row) events))))))
|
(sequence (map event->row) events))))))
|
||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
@ -147,17 +148,22 @@
|
||||||
|
|
||||||
(defn archive-events
|
(defn archive-events
|
||||||
[{:keys [pool uri tokens] :as cfg}]
|
[{:keys [pool uri tokens] :as cfg}]
|
||||||
(letfn [(decode-row [{:keys [props] :as row}]
|
(letfn [(decode-row [{:keys [props ip-addr] :as row}]
|
||||||
(cond-> row
|
(cond-> row
|
||||||
(db/pgobject? props)
|
(db/pgobject? props)
|
||||||
(assoc :props (db/decode-transit-pgobject props))))
|
(assoc :props (db/decode-transit-pgobject props))
|
||||||
|
|
||||||
(row->event [{:keys [name type created-at profile-id props]}]
|
(db/pgobject? ip-addr "inet")
|
||||||
{:type type
|
(assoc :ip-addr (db/decode-inet ip-addr))))
|
||||||
:name name
|
|
||||||
:timestamp created-at
|
(row->event [{:keys [name type created-at profile-id props ip-addr]}]
|
||||||
:profile-id profile-id
|
(cond-> {:type type
|
||||||
:props props})
|
:name name
|
||||||
|
:timestamp created-at
|
||||||
|
:profile-id profile-id
|
||||||
|
:props props}
|
||||||
|
(some? ip-addr)
|
||||||
|
(update :context assoc :source-ip ip-addr)))
|
||||||
|
|
||||||
(send [events]
|
(send [events]
|
||||||
(let [token (tokens :generate {:iss "authentication"
|
(let [token (tokens :generate {:iss "authentication"
|
||||||
|
@ -168,7 +174,7 @@
|
||||||
"origin" (cf/get :public-uri)
|
"origin" (cf/get :public-uri)
|
||||||
"cookie" (u/map->query-string {:auth-token token})}
|
"cookie" (u/map->query-string {:auth-token token})}
|
||||||
params {:uri uri
|
params {:uri uri
|
||||||
:timeout 5000
|
:timeout 6000
|
||||||
:method :post
|
:method :post
|
||||||
:headers headers
|
:headers headers
|
||||||
:body body}
|
:body body}
|
||||||
|
@ -187,7 +193,6 @@
|
||||||
|
|
||||||
(db/with-atomic [conn pool]
|
(db/with-atomic [conn pool]
|
||||||
(let [rows (db/exec! conn [sql:retrieve-batch-of-audit-log])
|
(let [rows (db/exec! conn [sql:retrieve-batch-of-audit-log])
|
||||||
|
|
||||||
xform (comp (map decode-row)
|
xform (comp (map decode-row)
|
||||||
(map row->event))
|
(map row->event))
|
||||||
events (into [] xform rows)]
|
events (into [] xform rows)]
|
||||||
|
|
|
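Review bot: The new `(some-> (:ip-addr event) db/inet)` element in the first hunk casts whatever string the event carries, and nothing visible here checks that it is a well-formed address before the insert. `db/inet` is not shown; if it only wraps the string as a PostgreSQL `inet` value, a malformed one would presumably be rejected by the database, and because the rows go through a single `db/insert-multi!` inside `db/with-atomic`, one bad value could discard the whole batch of audit events. Since the address appears to come from request headers elsewhere in this commit, I would parse it as an IPv4/IPv6 literal in the row mapping and store nil when it does not parse, with a comment such as `;; ip-addr is client-influenced; keep only values that parse as an IP literal`. The row-mapping function starts above the first hunk, so its head is not visible here.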
@ -184,6 +184,9 @@
|
||||||
|
|
||||||
{:name "0058-del-team-on-delete-trigger"
|
{:name "0058-del-team-on-delete-trigger"
|
||||||
:fn (mg/resource "app/migrations/sql/0058-del-team-on-delete-trigger.sql")}
|
:fn (mg/resource "app/migrations/sql/0058-del-team-on-delete-trigger.sql")}
|
||||||
|
|
||||||
|
{:name "0059-mod-audit-log-table"
|
||||||
|
:fn (mg/resource "app/migrations/sql/0059-mod-audit-log-table.sql")}
|
||||||
])
|
])
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
ALTER TABLE audit_log
|
||||||
|
ADD COLUMN ip_addr inet NULL;
|
|
@ -32,9 +32,10 @@
|
||||||
[methods {:keys [profile-id] :as request}]
|
[methods {:keys [profile-id] :as request}]
|
||||||
(let [type (keyword (get-in request [:path-params :type]))
|
(let [type (keyword (get-in request [:path-params :type]))
|
||||||
|
|
||||||
data (d/merge (:params request)
|
data (merge (:params request)
|
||||||
(:body-params request)
|
(:body-params request)
|
||||||
(:uploads request))
|
(:uploads request)
|
||||||
|
{::request request})
|
||||||
|
|
||||||
data (if profile-id
|
data (if profile-id
|
||||||
(assoc data :profile-id profile-id)
|
(assoc data :profile-id profile-id)
|
||||||
|
@ -50,12 +51,15 @@
|
||||||
(defn- rpc-mutation-handler
|
(defn- rpc-mutation-handler
|
||||||
[methods {:keys [profile-id] :as request}]
|
[methods {:keys [profile-id] :as request}]
|
||||||
(let [type (keyword (get-in request [:path-params :type]))
|
(let [type (keyword (get-in request [:path-params :type]))
|
||||||
data (d/merge (:params request)
|
data (merge (:params request)
|
||||||
(:body-params request)
|
(:body-params request)
|
||||||
(:uploads request))
|
(:uploads request)
|
||||||
|
{::request request})
|
||||||
|
|
||||||
data (if profile-id
|
data (if profile-id
|
||||||
(assoc data :profile-id profile-id)
|
(assoc data :profile-id profile-id)
|
||||||
(dissoc data :profile-id))
|
(dissoc data :profile-id))
|
||||||
|
|
||||||
result ((get methods type default-handler) data)
|
result ((get methods type default-handler) data)
|
||||||
mdata (meta result)]
|
mdata (meta result)]
|
||||||
(cond->> {:status 200 :body result}
|
(cond->> {:status 200 :body result}
|
||||||
|
@ -85,6 +89,11 @@
|
||||||
(rlm/execute rlinst (f cfg params))))
|
(rlm/execute rlinst (f cfg params))))
|
||||||
f))
|
f))
|
||||||
|
|
||||||
|
(defn- parse-client-ip
|
||||||
|
[{:keys [headers] :as request}]
|
||||||
|
(or (some-> (get headers "x-forwarded-for") (str/split ",") first)
|
||||||
|
(get headers "x-real-ip")
|
||||||
|
(get request :remote-addr)))
|
||||||
|
|
||||||
(defn- wrap-impl
|
(defn- wrap-impl
|
||||||
[{:keys [audit] :as cfg} f mdata]
|
[{:keys [audit] :as cfg} f mdata]
|
||||||
|
@ -95,15 +104,23 @@
|
||||||
|
|
||||||
(l/trace :action "register" :name (::sv/name mdata))
|
(l/trace :action "register" :name (::sv/name mdata))
|
||||||
(fn [params]
|
(fn [params]
|
||||||
|
|
||||||
|
;; Raise authentication error when rpc method requires auth but
|
||||||
|
;; no profile-id is found in the request.
|
||||||
(when (and auth? (not (uuid? (:profile-id params))))
|
(when (and auth? (not (uuid? (:profile-id params))))
|
||||||
(ex/raise :type :authentication
|
(ex/raise :type :authentication
|
||||||
:code :authentication-required
|
:code :authentication-required
|
||||||
:hint "authentication required for this endpoint"))
|
:hint "authentication required for this endpoint"))
|
||||||
(let [params (us/conform spec params)
|
|
||||||
result (f cfg params)
|
(let [params' (dissoc params ::request)
|
||||||
resultm (meta result)]
|
params' (us/conform spec params')
|
||||||
(when (and (::type cfg) (fn? audit))
|
result (f cfg params')]
|
||||||
(let [profile-id (or (:profile-id params)
|
|
||||||
|
;; When audit log is enabled (default false).
|
||||||
|
(when (fn? audit)
|
||||||
|
(let [resultm (meta result)
|
||||||
|
request (::request params)
|
||||||
|
profile-id (or (:profile-id params')
|
||||||
(:profile-id result)
|
(:profile-id result)
|
||||||
(::audit/profile-id resultm))
|
(::audit/profile-id resultm))
|
||||||
props (d/merge params (::audit/props resultm))]
|
props (d/merge params (::audit/props resultm))]
|
||||||
|
@ -111,7 +128,9 @@
|
||||||
:name (or (::audit/name resultm)
|
:name (or (::audit/name resultm)
|
||||||
(::sv/name mdata))
|
(::sv/name mdata))
|
||||||
:profile-id profile-id
|
:profile-id profile-id
|
||||||
|
:ip-addr (parse-client-ip request)
|
||||||
:props props})))
|
:props props})))
|
||||||
|
|
||||||
result))))
|
result))))
|
||||||
|
|
||||||
(defn- process-method
|
(defn- process-method
|
||||||
|
|
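Review bot: In the `wrap-impl` hunk at `-95,15 +104,23` the audit `props` are still built from `params`, which now carries the `::request` entry that both rpc handlers merge in, so the full request map (headers and cookies included) appears to end up in the stored audit props and may be forwarded by the archive task as well. Building them from the stripped, conformed map instead, `props (d/merge params' (::audit/props resultm))`, keeps the props equivalent to what was logged before this change. Separately, `parse-client-ip` prefers the first `x-forwarded-for` entry and then `x-real-ip`, both of which a client can set unless a trusted proxy overwrites them, so the recorded source IP is only as reliable as the deployment's proxy configuration. That deserves at least a comment such as `;; forwarding headers are only trustworthy behind a proxy that overwrites them`, or a fallback to `:remote-addr` alone when no proxy is configured. `wrap-impl` begins before this hunk and continues past it.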