"Security history" for organizations and teams (#12360)
* Update project role journal entries and events

  - Standardize journal entry action to be "add {role_name} {username}"
  - Standardize project event tag to be "project:role:create"
  - Standardize user event tag to be "account:role:create"
  - Relates to #7119.

  Cherry-picked commit 1b0ff20 from #11779.

* `EventTagEnum` for enumerating tag values

* Enumerate "project:*" event tags

  Replaced "project:*" strings with EventTag.Project.* values:

    rg -l '"project:api_token:added"' | xargs -n 1 sed -i '' 's/"project:api_token:added"/EventTag.Project.APITokenAdded/g'
    rg -l '"project:api_token:removed"' | xargs -n 1 sed -i '' 's/"project:api_token:removed"/EventTag.Project.APITokenRemoved/g'
    rg -l '"project:oidc:provider-added"' | xargs -n 1 sed -i '' 's/"project:oidc:provider-added"/EventTag.Project.OIDCProviderAdded/g'
    rg -l '"project:oidc:provider-removed"' | xargs -n 1 sed -i '' 's/"project:oidc:provider-removed"/EventTag.Project.OIDCProviderRemoved/g'
    rg -l '"project:organization_project:add"' | xargs -n 1 sed -i '' 's/"project:organization_project:add"/EventTag.Project.OrganizationProjectAdd/g'
    rg -l '"project:organization_project:remove"' | xargs -n 1 sed -i '' 's/"project:organization_project:remove"/EventTag.Project.OrganizationProjectRemove/g'
    rg -l '"project:owners_require_2fa:disabled"' | xargs -n 1 sed -i '' 's/"project:owners_require_2fa:disabled"/EventTag.Project.OwnersRequire2FADisabled/g'
    rg -l '"project:owners_require_2fa:enabled"' | xargs -n 1 sed -i '' 's/"project:owners_require_2fa:enabled"/EventTag.Project.OwnersRequire2FAEnabled/g'
    rg -l '"project:create"' | xargs -n 1 sed -i '' 's/"project:create"/EventTag.Project.ProjectCreate/g'
    rg -l '"project:release:add"' | xargs -n 1 sed -i '' 's/"project:release:add"/EventTag.Project.ReleaseAdd/g'
    rg -l '"project:release:file:remove"' | xargs -n 1 sed -i '' 's/"project:release:file:remove"/EventTag.Project.ReleaseFileRemove/g'
    rg -l '"project:release:remove"' | xargs -n 1 sed -i '' 's/"project:release:remove"/EventTag.Project.ReleaseRemove/g'
    rg -l '"project:release:unyank"' | xargs -n 1 sed -i '' 's/"project:release:unyank"/EventTag.Project.ReleaseUnyank/g'
    rg -l '"project:release:yank"' | xargs -n 1 sed -i '' 's/"project:release:yank"/EventTag.Project.ReleaseYank/g'
    rg -l '"project:role:change"' | xargs -n 1 sed -i '' 's/"project:role:change"/EventTag.Project.RoleChange/g'
    rg -l '"project:role:create"' | xargs -n 1 sed -i '' 's/"project:role:create"/EventTag.Project.RoleCreate/g'
    rg -l '"project:role:delete"' | xargs -n 1 sed -i '' 's/"project:role:delete"/EventTag.Project.RoleDelete/g'
    rg -l '"project:role:invite"' | xargs -n 1 sed -i '' 's/"project:role:invite"/EventTag.Project.RoleInvite/g'
    rg -l '"project:role:revoke_invite"' | xargs -n 1 sed -i '' 's/"project:role:revoke_invite"/EventTag.Project.RoleRevokeInvite/g'
    rg -l '"project:team_project_role:change"' | xargs -n 1 sed -i '' 's/"project:team_project_role:change"/EventTag.Project.TeamProjectRoleChange/g'
    rg -l '"project:team_project_role:create"' | xargs -n 1 sed -i '' 's/"project:team_project_role:create"/EventTag.Project.TeamProjectRoleCreate/g'
    rg -l '"project:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"project:team_project_role:delete"/EventTag.Project.TeamProjectRoleDelete/g'

  (Remove empty quotes '' if using GNU sed instead of BSD sed.)

  Two legacy "project:*" tags are no longer used when recording events:

  - "project:role:accepted"
  - "project:role:add"

* Enumerate "account:*" event tags

  Replaced "account:*" strings with EventTag.Account.* values:

    rg -l '"account:api_token:added"' | xargs -n 1 sed -i '' 's/"account:api_token:added"/EventTag.Account.APITokenAdded/g'
    rg -l '"account:api_token:removed"' | xargs -n 1 sed -i '' 's/"account:api_token:removed"/EventTag.Account.APITokenRemoved/g'
    rg -l '"account:api_token:removed_leak"' | xargs -n 1 sed -i '' 's/"account:api_token:removed_leak"/EventTag.Account.APITokenRemovedLeak/g'
    rg -l '"account:create"' | xargs -n 1 sed -i '' 's/"account:create"/EventTag.Account.AccountCreate/g'
    rg -l '"account:email:add"' | xargs -n 1 sed -i '' 's/"account:email:add"/EventTag.Account.EmailAdd/g'
    rg -l '"account:email:primary:change"' | xargs -n 1 sed -i '' 's/"account:email:primary:change"/EventTag.Account.EmailPrimaryChange/g'
    rg -l '"account:email:remove"' | xargs -n 1 sed -i '' 's/"account:email:remove"/EventTag.Account.EmailRemove/g'
    rg -l '"account:email:reverify"' | xargs -n 1 sed -i '' 's/"account:email:reverify"/EventTag.Account.EmailReverify/g'
    rg -l '"account:email:verified"' | xargs -n 1 sed -i '' 's/"account:email:verified"/EventTag.Account.EmailVerified/g'
    rg -l '"account:login:failure"' | xargs -n 1 sed -i '' 's/"account:login:failure"/EventTag.Account.LoginFailure/g'
    rg -l '"account:login:success"' | xargs -n 1 sed -i '' 's/"account:login:success"/EventTag.Account.LoginSuccess/g'
    rg -l '"account:organization_role:accepted"' | xargs -n 1 sed -i '' 's/"account:organization_role:accepted"/EventTag.Account.OrganizationRoleAccepted/g'
    rg -l '"account:organization_role:change"' | xargs -n 1 sed -i '' 's/"account:organization_role:change"/EventTag.Account.OrganizationRoleChange/g'
    rg -l '"account:organization_role:declined"' | xargs -n 1 sed -i '' 's/"account:organization_role:declined"/EventTag.Account.OrganizationRoleDeclined/g'
    rg -l '"account:organization_role:delete"' | xargs -n 1 sed -i '' 's/"account:organization_role:delete"/EventTag.Account.OrganizationRoleDelete/g'
    rg -l '"account:password:change"' | xargs -n 1 sed -i '' 's/"account:password:change"/EventTag.Account.PasswordChange/g'
    rg -l '"account:password:reset"' | xargs -n 1 sed -i '' 's/"account:password:reset"/EventTag.Account.PasswordReset/g'
    rg -l '"account:password:reset:attempt"' | xargs -n 1 sed -i '' 's/"account:password:reset:attempt"/EventTag.Account.PasswordResetAttempt/g'
    rg -l '"account:password:reset:request"' | xargs -n 1 sed -i '' 's/"account:password:reset:request"/EventTag.Account.PasswordResetRequest/g'
    rg -l '"account:recovery_codes:generated"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:generated"/EventTag.Account.RecoveryCodesGenerated/g'
    rg -l '"account:recovery_codes:regenerated"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:regenerated"/EventTag.Account.RecoveryCodesRegenerated/g'
    rg -l '"account:recovery_codes:used"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:used"/EventTag.Account.RecoveryCodesUsed/g'
    rg -l '"account:role:create"' | xargs -n 1 sed -i '' 's/"account:role:create"/EventTag.Account.RoleCreate/g'
    rg -l '"account:role:invite"' | xargs -n 1 sed -i '' 's/"account:role:invite"/EventTag.Account.RoleInvite/g'
    rg -l '"account:team_role:add"' | xargs -n 1 sed -i '' 's/"account:team_role:add"/EventTag.Account.TeamRoleAdd/g'
    rg -l '"account:team_role:delete"' | xargs -n 1 sed -i '' 's/"account:team_role:delete"/EventTag.Account.TeamRoleDelete/g'
    rg -l '"account:two_factor:method_added"' | xargs -n 1 sed -i '' 's/"account:two_factor:method_added"/EventTag.Account.TwoFactorMethodAdded/g'
    rg -l '"account:two_factor:method_removed"' | xargs -n 1 sed -i '' 's/"account:two_factor:method_removed"/EventTag.Account.TwoFactorMethodRemoved/g'

  (Remove empty quotes '' if using GNU sed instead of BSD sed.)

  Three legacy "account:*" tags are no longer used when recording events:

  - "account:email:sent"
  - "account:reauthenticate:failure"
  - "account:role:accepted"

* Enumerate "organization:*" event tags

  Replaced "organization:*" strings with EventTag.Organization.* values:

    rg -l '"organization:catalog_entry:add"' | xargs -n 1 sed -i '' 's/"organization:catalog_entry:add"/EventTag.Organization.CatalogEntryAdd/g'
    rg -l '"organization:approve"' | xargs -n 1 sed -i '' 's/"organization:approve"/EventTag.Organization.OrganizationApprove/g'
    rg -l '"organization:create"' | xargs -n 1 sed -i '' 's/"organization:create"/EventTag.Organization.OrganizationCreate/g'
    rg -l '"organization:decline"' | xargs -n 1 sed -i '' 's/"organization:decline"/EventTag.Organization.OrganizationDecline/g'
    rg -l '"organization:delete"' | xargs -n 1 sed -i '' 's/"organization:delete"/EventTag.Organization.OrganizationDelete/g'
    rg -l '"organization:rename"' | xargs -n 1 sed -i '' 's/"organization:rename"/EventTag.Organization.OrganizationRename/g'
    rg -l '"organization:organization_project:add"' | xargs -n 1 sed -i '' 's/"organization:organization_project:add"/EventTag.Organization.OrganizationProjectAdd/g'
    rg -l '"organization:organization_project:remove"' | xargs -n 1 sed -i '' 's/"organization:organization_project:remove"/EventTag.Organization.OrganizationProjectRemove/g'
    rg -l '"organization:organization_role:accepted"' | xargs -n 1 sed -i '' 's/"organization:organization_role:accepted"/EventTag.Organization.OrganizationRoleAccepted/g'
    rg -l '"organization:organization_role:change"' | xargs -n 1 sed -i '' 's/"organization:organization_role:change"/EventTag.Organization.OrganizationRoleChange/g'
    rg -l '"organization:organization_role:declined"' | xargs -n 1 sed -i '' 's/"organization:organization_role:declined"/EventTag.Organization.OrganizationRoleDeclined/g'
    rg -l '"organization:organization_role:delete"' | xargs -n 1 sed -i '' 's/"organization:organization_role:delete"/EventTag.Organization.OrganizationRoleDelete/g'
    rg -l '"organization:organization_role:invite"' | xargs -n 1 sed -i '' 's/"organization:organization_role:invite"/EventTag.Organization.OrganizationRoleInvite/g'
    rg -l '"organization:organization_role:revoke_invite"' | xargs -n 1 sed -i '' 's/"organization:organization_role:revoke_invite"/EventTag.Organization.OrganizationRoleRevokeInvite/g'
    rg -l '"organization:team:create"' | xargs -n 1 sed -i '' 's/"organization:team:create"/EventTag.Organization.TeamCreate/g'
    rg -l '"organization:team:delete"' | xargs -n 1 sed -i '' 's/"organization:team:delete"/EventTag.Organization.TeamDelete/g'
    rg -l '"organization:team_project_role:change"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:change"/EventTag.Organization.TeamProjectRoleChange/g'
    rg -l '"organization:team_project_role:create"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:create"/EventTag.Organization.TeamProjectRoleCreate/g'
    rg -l '"organization:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:delete"/EventTag.Organization.TeamProjectRoleDelete/g'
    rg -l '"organization:team_role:add"' | xargs -n 1 sed -i '' 's/"organization:team_role:add"/EventTag.Organization.TeamRoleAdd/g'
    rg -l '"organization:team_role:delete"' | xargs -n 1 sed -i '' 's/"organization:team_role:delete"/EventTag.Organization.TeamRoleDelete/g'

  (Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Enumerate "team:*" event tags

  Replaced "team:*" strings with EventTag.Team.* values:

    rg -l '"team:create"' | xargs -n 1 sed -i '' 's/"team:create"/EventTag.Team.TeamCreate/g'
    rg -l '"team:delete"' | xargs -n 1 sed -i '' 's/"team:delete"/EventTag.Team.TeamDelete/g'
    rg -l '"team:team_project_role:change"' | xargs -n 1 sed -i '' 's/"team:team_project_role:change"/EventTag.Team.TeamProjectRoleChange/g'
    rg -l '"team:team_project_role:create"' | xargs -n 1 sed -i '' 's/"team:team_project_role:create"/EventTag.Team.TeamProjectRoleCreate/g'
    rg -l '"team:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"team:team_project_role:delete"/EventTag.Team.TeamProjectRoleDelete/g'
    rg -l '"team:team_role:add"' | xargs -n 1 sed -i '' 's/"team:team_role:add"/EventTag.Team.TeamRoleAdd/g'
    rg -l '"team:team_role:delete"' | xargs -n 1 sed -i '' 's/"team:team_role:delete"/EventTag.Team.TeamRoleDelete/g'

  (Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Standardize use of "*:add" and "*:remove" for role events

  "*:add" was already being used in "project:role:add" but there was also inconsistent use of "project:role:accepted". Standardizing role events to "*:add" and "*:remove" seemed to fit best with other events.

    rg -l RoleAccepted | xargs -n 1 sed -i '' 's/RoleAccepted/RoleAdd/g'
    rg -l RoleCreate | xargs -n 1 sed -i '' 's/RoleCreate/RoleAdd/g'
    rg -l RoleDelete | xargs -n 1 sed -i '' 's/RoleDelete/RoleRemove/g'

  (Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Standardize use of "*:decline_invite" for role events

  "*:decline_invite" seems to fit better with existing "*:revoke_invite" tags for role events.

    rg -l RoleDeclined | xargs -n 1 sed -i '' 's/RoleDeclined/RoleDeclineInvite/g'

  (Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Record missing role events

  There were several missing tags for role events:

  - "account:organization_role:invite"
  - "account:organization_role:revoke_invite"
  - "account:role:change"
  - "account:role:decline_invite"
  - "account:role:remove"
  - "account:role:revoke_invite"
  - "project:role:decline_invite"

  `Role` and `OrganizationRole` should have the following 6 event tags:

  - "*:invite"
  - "*:decline_invite"
  - "*:revoke_invite"
  - "*:add"
  - "*:change"
  - "*:remove"

  `TeamProjectRole` should only have the following 3 event tags because there are no invitations for `TeamProjectRole`:

  - "*:add"
  - "*:change"
  - "*:remove"

  `TeamRole` should only have the following 2 event tags because there are no invitations for `TeamRole` and only one `TeamRoleType`:

  - "*:add"
  - "*:remove"

* Record missing rename events

  There were a couple of missing rename events:

  - "organization:team:rename"
  - "team:rename"

* Do not record owner invite event when creating org

* NFC: {<br> => display: block} in security logs

* Add "Security history" for organizations

* Align left <th> in security logs

* Add "Security history" for teams

* Graceful fail if additional event field is missing

  Allowing `user_service.get_user` to accept `None` as input results in an empty string instead of a hard error in the Jinja template.

* Update "Security history" for projects

  Added missing event formatters for:

  - "project:release:unyank"
  - "project:role:invite"
  - "project:role:decline_invite"
  - "project:role:revoke_invite"
  - "project:team_project_role:add"
  - "project:team_project_role:remove"
  - "project:team_project_role:change"
  - "project:organization_project:add"
  - "project:organization_project:remove"
  - "project:oidc_provider:added"
  - "project:oidc_provider:removed"

  Also added links to release versions for all release events.

* NFC: Comments reminding us to keep tags in sync

* Update warehouse/accounts/views.py

Co-authored-by: Ee Durbin <ewdurbin@gmail.com>
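The commit message above describes a "source:subject:action" tag layout and fixes the set of actions each role type must record (6 for `Role`/`OrganizationRole`, 3 for `TeamProjectRole`, 2 for `TeamRole`). The following is an added illustration written for this page, not Warehouse's own `EventTagEnum`: the enum shape, `split_tag` and `role_tag_drift` are assumptions, while the tag strings and action sets are the ones the message lists. It shows how such a "keep tags in sync" reminder can be turned into a check that reports missing or stray role actions.

```python
"""Added example (not Warehouse code): namespaced security-history event
tags plus a drift check that each role subject records exactly the
actions the commit message requires. Enum shape is an assumption."""
import enum


def split_tag(value):
    """Split "<source>:<subject>:<action>"; the action part may contain ':'."""
    parts = value.split(":")
    if len(parts) < 3:  # two-part tags such as "project:create" have no subject
        return parts[0], "", parts[-1]
    return parts[0], parts[1], ":".join(parts[2:])


class EventTagEnum(str, enum.Enum):
    def __new__(cls, value):
        obj = str.__new__(cls, value)
        obj._value_ = value
        obj.source_type, obj.subject_type, obj.action = split_tag(value)
        return obj


class Project(EventTagEnum):  # subset of the "project:*" tags from the message
    ReleaseFileRemove = "project:release:file:remove"
    RoleInvite = "project:role:invite"
    RoleDeclineInvite = "project:role:decline_invite"
    RoleRevokeInvite = "project:role:revoke_invite"
    RoleAdd = "project:role:add"
    RoleChange = "project:role:change"
    RoleRemove = "project:role:remove"
    TeamProjectRoleAdd = "project:team_project_role:add"
    TeamProjectRoleChange = "project:team_project_role:change"
    TeamProjectRoleRemove = "project:team_project_role:remove"


ROLE_ACTIONS = {"invite", "decline_invite", "revoke_invite", "add", "change", "remove"}
REQUIRED_ACTIONS = {
    "role": ROLE_ACTIONS,
    "organization_role": ROLE_ACTIONS,
    "team_project_role": {"add", "change", "remove"},  # no invitations
    "team_role": {"add", "remove"},  # no invitations, single TeamRoleType
}


def role_tag_drift(tags):
    """Map each role subject seen in tags to (missing, unexpected) actions."""
    seen = {}
    for tag in tags:  # accepts enum members or plain tag strings
        _, subject, action = split_tag(getattr(tag, "value", tag))
        if subject in REQUIRED_ACTIONS:
            seen.setdefault(subject, set()).add(action)
    return {s: (REQUIRED_ACTIONS[s] - a, a - REQUIRED_ACTIONS[s])
            for s, a in seen.items() if a != REQUIRED_ACTIONS[s]}
```

Running `role_tag_drift` over a tag enum, or over the raw tag strings found in event-recording code, lists exactly which `*:add` / `*:remove` / `*:decline_invite` tags a role type is missing and which legacy ones (`accepted`, `delete`) are still in use.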