"Security history" for organizations and teams (#12360)
* Update project role journal entries and events

- Standardize journal entry action to be "add {role_name} {username}"
- Standardize project event tag to be "project:role:create"
- Standardize user event tag to be "account:role:create"
- Relates to #7119.

Cherry-picked commit 1b0ff20 from #11779.

* `EventTagEnum` for enumerating tag values

* Enumerate "project:*" event tags

Replaced "project:*" strings with EventTag.Project.* values:

    rg -l '"project:api_token:added"' | xargs -n 1 sed -i '' 's/"project:api_token:added"/EventTag.Project.APITokenAdded/g'
    rg -l '"project:api_token:removed"' | xargs -n 1 sed -i '' 's/"project:api_token:removed"/EventTag.Project.APITokenRemoved/g'
    rg -l '"project:oidc:provider-added"' | xargs -n 1 sed -i '' 's/"project:oidc:provider-added"/EventTag.Project.OIDCProviderAdded/g'
    rg -l '"project:oidc:provider-removed"' | xargs -n 1 sed -i '' 's/"project:oidc:provider-removed"/EventTag.Project.OIDCProviderRemoved/g'
    rg -l '"project:organization_project:add"' | xargs -n 1 sed -i '' 's/"project:organization_project:add"/EventTag.Project.OrganizationProjectAdd/g'
    rg -l '"project:organization_project:remove"' | xargs -n 1 sed -i '' 's/"project:organization_project:remove"/EventTag.Project.OrganizationProjectRemove/g'
    rg -l '"project:owners_require_2fa:disabled"' | xargs -n 1 sed -i '' 's/"project:owners_require_2fa:disabled"/EventTag.Project.OwnersRequire2FADisabled/g'
    rg -l '"project:owners_require_2fa:enabled"' | xargs -n 1 sed -i '' 's/"project:owners_require_2fa:enabled"/EventTag.Project.OwnersRequire2FAEnabled/g'
    rg -l '"project:create"' | xargs -n 1 sed -i '' 's/"project:create"/EventTag.Project.ProjectCreate/g'
    rg -l '"project:release:add"' | xargs -n 1 sed -i '' 's/"project:release:add"/EventTag.Project.ReleaseAdd/g'
    rg -l '"project:release:file:remove"' | xargs -n 1 sed -i '' 's/"project:release:file:remove"/EventTag.Project.ReleaseFileRemove/g'
    rg -l '"project:release:remove"' | xargs -n 1 sed -i '' 's/"project:release:remove"/EventTag.Project.ReleaseRemove/g'
    rg -l '"project:release:unyank"' | xargs -n 1 sed -i '' 's/"project:release:unyank"/EventTag.Project.ReleaseUnyank/g'
    rg -l '"project:release:yank"' | xargs -n 1 sed -i '' 's/"project:release:yank"/EventTag.Project.ReleaseYank/g'
    rg -l '"project:role:change"' | xargs -n 1 sed -i '' 's/"project:role:change"/EventTag.Project.RoleChange/g'
    rg -l '"project:role:create"' | xargs -n 1 sed -i '' 's/"project:role:create"/EventTag.Project.RoleCreate/g'
    rg -l '"project:role:delete"' | xargs -n 1 sed -i '' 's/"project:role:delete"/EventTag.Project.RoleDelete/g'
    rg -l '"project:role:invite"' | xargs -n 1 sed -i '' 's/"project:role:invite"/EventTag.Project.RoleInvite/g'
    rg -l '"project:role:revoke_invite"' | xargs -n 1 sed -i '' 's/"project:role:revoke_invite"/EventTag.Project.RoleRevokeInvite/g'
    rg -l '"project:team_project_role:change"' | xargs -n 1 sed -i '' 's/"project:team_project_role:change"/EventTag.Project.TeamProjectRoleChange/g'
    rg -l '"project:team_project_role:create"' | xargs -n 1 sed -i '' 's/"project:team_project_role:create"/EventTag.Project.TeamProjectRoleCreate/g'
    rg -l '"project:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"project:team_project_role:delete"/EventTag.Project.TeamProjectRoleDelete/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

Two legacy "project:*" tags are no longer used when recording events:

- "project:role:accepted"
- "project:role:add"

* Enumerate "account:*" event tags

Replaced "account:*" strings with EventTag.Account.* values:

    rg -l '"account:api_token:added"' | xargs -n 1 sed -i '' 's/"account:api_token:added"/EventTag.Account.APITokenAdded/g'
    rg -l '"account:api_token:removed"' | xargs -n 1 sed -i '' 's/"account:api_token:removed"/EventTag.Account.APITokenRemoved/g'
    rg -l '"account:api_token:removed_leak"' | xargs -n 1 sed -i '' 's/"account:api_token:removed_leak"/EventTag.Account.APITokenRemovedLeak/g'
    rg -l '"account:create"' | xargs -n 1 sed -i '' 's/"account:create"/EventTag.Account.AccountCreate/g'
    rg -l '"account:email:add"' | xargs -n 1 sed -i '' 's/"account:email:add"/EventTag.Account.EmailAdd/g'
    rg -l '"account:email:primary:change"' | xargs -n 1 sed -i '' 's/"account:email:primary:change"/EventTag.Account.EmailPrimaryChange/g'
    rg -l '"account:email:remove"' | xargs -n 1 sed -i '' 's/"account:email:remove"/EventTag.Account.EmailRemove/g'
    rg -l '"account:email:reverify"' | xargs -n 1 sed -i '' 's/"account:email:reverify"/EventTag.Account.EmailReverify/g'
    rg -l '"account:email:verified"' | xargs -n 1 sed -i '' 's/"account:email:verified"/EventTag.Account.EmailVerified/g'
    rg -l '"account:login:failure"' | xargs -n 1 sed -i '' 's/"account:login:failure"/EventTag.Account.LoginFailure/g'
    rg -l '"account:login:success"' | xargs -n 1 sed -i '' 's/"account:login:success"/EventTag.Account.LoginSuccess/g'
    rg -l '"account:organization_role:accepted"' | xargs -n 1 sed -i '' 's/"account:organization_role:accepted"/EventTag.Account.OrganizationRoleAccepted/g'
    rg -l '"account:organization_role:change"' | xargs -n 1 sed -i '' 's/"account:organization_role:change"/EventTag.Account.OrganizationRoleChange/g'
    rg -l '"account:organization_role:declined"' | xargs -n 1 sed -i '' 's/"account:organization_role:declined"/EventTag.Account.OrganizationRoleDeclined/g'
    rg -l '"account:organization_role:delete"' | xargs -n 1 sed -i '' 's/"account:organization_role:delete"/EventTag.Account.OrganizationRoleDelete/g'
    rg -l '"account:password:change"' | xargs -n 1 sed -i '' 's/"account:password:change"/EventTag.Account.PasswordChange/g'
    rg -l '"account:password:reset"' | xargs -n 1 sed -i '' 's/"account:password:reset"/EventTag.Account.PasswordReset/g'
    rg -l '"account:password:reset:attempt"' | xargs -n 1 sed -i '' 's/"account:password:reset:attempt"/EventTag.Account.PasswordResetAttempt/g'
    rg -l '"account:password:reset:request"' | xargs -n 1 sed -i '' 's/"account:password:reset:request"/EventTag.Account.PasswordResetRequest/g'
    rg -l '"account:recovery_codes:generated"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:generated"/EventTag.Account.RecoveryCodesGenerated/g'
    rg -l '"account:recovery_codes:regenerated"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:regenerated"/EventTag.Account.RecoveryCodesRegenerated/g'
    rg -l '"account:recovery_codes:used"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:used"/EventTag.Account.RecoveryCodesUsed/g'
    rg -l '"account:role:create"' | xargs -n 1 sed -i '' 's/"account:role:create"/EventTag.Account.RoleCreate/g'
    rg -l '"account:role:invite"' | xargs -n 1 sed -i '' 's/"account:role:invite"/EventTag.Account.RoleInvite/g'
    rg -l '"account:team_role:add"' | xargs -n 1 sed -i '' 's/"account:team_role:add"/EventTag.Account.TeamRoleAdd/g'
    rg -l '"account:team_role:delete"' | xargs -n 1 sed -i '' 's/"account:team_role:delete"/EventTag.Account.TeamRoleDelete/g'
    rg -l '"account:two_factor:method_added"' | xargs -n 1 sed -i '' 's/"account:two_factor:method_added"/EventTag.Account.TwoFactorMethodAdded/g'
    rg -l '"account:two_factor:method_removed"' | xargs -n 1 sed -i '' 's/"account:two_factor:method_removed"/EventTag.Account.TwoFactorMethodRemoved/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

Three legacy "account:*" tags are no longer used when recording events:

- "account:email:sent"
- "account:reauthenticate:failure"
- "account:role:accepted"

* Enumerate "organization:*" event tags

Replaced "organization:*" strings with EventTag.Organization.* values:

    rg -l '"organization:catalog_entry:add"' | xargs -n 1 sed -i '' 's/"organization:catalog_entry:add"/EventTag.Organization.CatalogEntryAdd/g'
    rg -l '"organization:approve"' | xargs -n 1 sed -i '' 's/"organization:approve"/EventTag.Organization.OrganizationApprove/g'
    rg -l '"organization:create"' | xargs -n 1 sed -i '' 's/"organization:create"/EventTag.Organization.OrganizationCreate/g'
    rg -l '"organization:decline"' | xargs -n 1 sed -i '' 's/"organization:decline"/EventTag.Organization.OrganizationDecline/g'
    rg -l '"organization:delete"' | xargs -n 1 sed -i '' 's/"organization:delete"/EventTag.Organization.OrganizationDelete/g'
    rg -l '"organization:rename"' | xargs -n 1 sed -i '' 's/"organization:rename"/EventTag.Organization.OrganizationRename/g'
    rg -l '"organization:organization_project:add"' | xargs -n 1 sed -i '' 's/"organization:organization_project:add"/EventTag.Organization.OrganizationProjectAdd/g'
    rg -l '"organization:organization_project:remove"' | xargs -n 1 sed -i '' 's/"organization:organization_project:remove"/EventTag.Organization.OrganizationProjectRemove/g'
    rg -l '"organization:organization_role:accepted"' | xargs -n 1 sed -i '' 's/"organization:organization_role:accepted"/EventTag.Organization.OrganizationRoleAccepted/g'
    rg -l '"organization:organization_role:change"' | xargs -n 1 sed -i '' 's/"organization:organization_role:change"/EventTag.Organization.OrganizationRoleChange/g'
    rg -l '"organization:organization_role:declined"' | xargs -n 1 sed -i '' 's/"organization:organization_role:declined"/EventTag.Organization.OrganizationRoleDeclined/g'
    rg -l '"organization:organization_role:delete"' | xargs -n 1 sed -i '' 's/"organization:organization_role:delete"/EventTag.Organization.OrganizationRoleDelete/g'
    rg -l '"organization:organization_role:invite"' | xargs -n 1 sed -i '' 's/"organization:organization_role:invite"/EventTag.Organization.OrganizationRoleInvite/g'
    rg -l '"organization:organization_role:revoke_invite"' | xargs -n 1 sed -i '' 's/"organization:organization_role:revoke_invite"/EventTag.Organization.OrganizationRoleRevokeInvite/g'
    rg -l '"organization:team:create"' | xargs -n 1 sed -i '' 's/"organization:team:create"/EventTag.Organization.TeamCreate/g'
    rg -l '"organization:team:delete"' | xargs -n 1 sed -i '' 's/"organization:team:delete"/EventTag.Organization.TeamDelete/g'
    rg -l '"organization:team_project_role:change"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:change"/EventTag.Organization.TeamProjectRoleChange/g'
    rg -l '"organization:team_project_role:create"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:create"/EventTag.Organization.TeamProjectRoleCreate/g'
    rg -l '"organization:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:delete"/EventTag.Organization.TeamProjectRoleDelete/g'
    rg -l '"organization:team_role:add"' | xargs -n 1 sed -i '' 's/"organization:team_role:add"/EventTag.Organization.TeamRoleAdd/g'
    rg -l '"organization:team_role:delete"' | xargs -n 1 sed -i '' 's/"organization:team_role:delete"/EventTag.Organization.TeamRoleDelete/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Enumerate "team:*" event tags

Replaced "team:*" strings with EventTag.Team.* values:

    rg -l '"team:create"' | xargs -n 1 sed -i '' 's/"team:create"/EventTag.Team.TeamCreate/g'
    rg -l '"team:delete"' | xargs -n 1 sed -i '' 's/"team:delete"/EventTag.Team.TeamDelete/g'
    rg -l '"team:team_project_role:change"' | xargs -n 1 sed -i '' 's/"team:team_project_role:change"/EventTag.Team.TeamProjectRoleChange/g'
    rg -l '"team:team_project_role:create"' | xargs -n 1 sed -i '' 's/"team:team_project_role:create"/EventTag.Team.TeamProjectRoleCreate/g'
    rg -l '"team:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"team:team_project_role:delete"/EventTag.Team.TeamProjectRoleDelete/g'
    rg -l '"team:team_role:add"' | xargs -n 1 sed -i '' 's/"team:team_role:add"/EventTag.Team.TeamRoleAdd/g'
    rg -l '"team:team_role:delete"' | xargs -n 1 sed -i '' 's/"team:team_role:delete"/EventTag.Team.TeamRoleDelete/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Standardize use of "*:add" and "*:remove" for role events

"*:add" was already being used in "project:role:add" but there was also
inconsistent use of "project:role:accepted". Standardizing role events
to "*:add" and "*:remove" seemed to fit best with other events.

    rg -l RoleAccepted | xargs -n 1 sed -i '' 's/RoleAccepted/RoleAdd/g'
    rg -l RoleCreate | xargs -n 1 sed -i '' 's/RoleCreate/RoleAdd/g'
    rg -l RoleDelete | xargs -n 1 sed -i '' 's/RoleDelete/RoleRemove/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Standardize use of "*:decline_invite" for role events

"*:decline_invite" seems to fit better with existing "*:revoke_invite"
tags for role events.

    rg -l RoleDeclined | xargs -n 1 sed -i '' 's/RoleDeclined/RoleDeclineInvite/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

* Record missing role events

There were several missing tags for role events:

- "account:organization_role:invite"
- "account:organization_role:revoke_invite"
- "account:role:change"
- "account:role:decline_invite"
- "account:role:remove"
- "account:role:revoke_invite"
- "project:role:decline_invite"

`Role` and `OrganizationRole` should have the following 6 event tags:

- "*:invite"
- "*:decline_invite"
- "*:revoke_invite"
- "*:add"
- "*:change"
- "*:remove"

`TeamProjectRole` should only have the following 3 event tags because
there are no invitations for `TeamProjectRole`:

- "*:add"
- "*:change"
- "*:remove"

`TeamRole` should only have the following 2 event tags because there are
no invitations for `TeamRole` and only one `TeamRoleType`:

- "*:add"
- "*:remove"

* Record missing rename events

There were a couple of missing rename events:

- "organization:team:rename"
- "team:rename"

* Do not record owner invite event when creating org

* NFC: {<br> => display: block} in security logs

* Add "Security history" for organizations

* Align left <th> in security logs

* Add "Security history" for teams

* Graceful fail if additional event field is missing

Allowing `user_service.get_user` to accept `None` as input results in an
empty string instead of a hard error in the Jinja template.

* Update "Security history" for projects

Added missing event formatters for:

- "project:release:unyank"
- "project:role:invite"
- "project:role:decline_invite"
- "project:role:revoke_invite"
- "project:team_project_role:add"
- "project:team_project_role:remove"
- "project:team_project_role:change"
- "project:organization_project:add"
- "project:organization_project:remove"
- "project:oidc_provider:added"
- "project:oidc_provider:removed"

Also added links to release versions for all release events.

* NFC: Comments reminding us to keep tags in sync

* Update warehouse/accounts/views.py

Co-authored-by: Ee Durbin <ewdurbin@gmail.com>
divbzero and ewdurbin authored Oct 19, 2022
1 parent 8eeae12 commit 6b0d913
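Added example, not warehouse's own code: a sketch of the `EventTagEnum` layout the commit message describes, plus a `role_tag_gaps` check (an assumed helper) that enforces the six/three/two role-event tag sets the message specifies and flags legacy strings such as `*:accepted`. Member names follow the commit's `EventTag.Project.*` / `EventTag.Team.*` convention but are a partial, illustrative subset.

```python
import enum
class EventTagEnum(str, enum.Enum):
    """str mixin: members compare equal to the "scope:kind:action" string."""
    def __str__(self):
        return self.value

class EventTag:
    class Project(EventTagEnum):  # hypothetical subset: role tags only
        RoleInvite = "project:role:invite"
        RoleDeclineInvite = "project:role:decline_invite"
        RoleRevokeInvite = "project:role:revoke_invite"
        RoleAdd = "project:role:add"
        RoleChange = "project:role:change"
        RoleRemove = "project:role:remove"
        TeamProjectRoleAdd = "project:team_project_role:add"
        TeamProjectRoleChange = "project:team_project_role:change"
        TeamProjectRoleRemove = "project:team_project_role:remove"

    class Team(EventTagEnum):
        TeamCreate = "team:create"  # two-part tag, skipped by the check
        TeamProjectRoleAdd = "team:team_project_role:add"
        TeamProjectRoleChange = "team:team_project_role:change"
        TeamProjectRoleRemove = "team:team_project_role:remove"
        TeamRoleAdd = "team:team_role:add"
        TeamRoleRemove = "team:team_role:remove"

# Role/OrganizationRole have invitations and several role types;
# TeamProjectRole has no invitations; TeamRole also has one role type only.
_INVITES = {"invite", "decline_invite", "revoke_invite"}
ROLE_ACTIONS = {
    "role": _INVITES | {"add", "change", "remove"},
    "organization_role": _INVITES | {"add", "change", "remove"},
    "team_project_role": {"add", "change", "remove"},
    "team_role": {"add", "remove"},
}

def role_tag_gaps(tags):
    """Return {} if a scope's role tags match ROLE_ACTIONS, else
    {kind: {"missing": [...], "unexpected": [...]}} (legacy "*:accepted" etc.)."""
    seen = {}
    for tag in tags:
        parts = str(tag).split(":")
        if len(parts) == 3 and parts[1] in ROLE_ACTIONS:
            seen.setdefault(parts[1], set()).add(parts[2])
    gaps = {}
    for kind, actions in seen.items():
        missing, extra = ROLE_ACTIONS[kind] - actions, actions - ROLE_ACTIONS[kind]
        if missing or extra:
            gaps[kind] = {"missing": sorted(missing), "unexpected": sorted(extra)}
    return gaps
```

Running `role_tag_gaps` over each scope's enum in a test is the mechanical version of the "keep tags in sync" comments this commit adds.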
Showing 16 changed files with 1,319 additions and 145 deletions.
7 changes: 7 additions & 0 deletions tests/common/db/organizations.py
Expand Up @@ -143,6 +143,13 @@ class Meta:
organization = factory.SubFactory(OrganizationFactory)


class TeamEventFactory(WarehouseFactory):
class Meta:
model = Team.Event

source = factory.SubFactory(TeamFactory)


class TeamRoleFactory(WarehouseFactory):
class Meta:
model = TeamRole
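Review bot: `TeamEventFactory` sets only `source`, so any other non-nullable column on `Team.Event` (the commit message standardizes a tag on every recorded event) has to be supplied by every test that uses the factory. Consider defaulting it to one of the enumerated values this commit introduces, e.g. `tag = EventTag.Team.TeamCreate`, so tests of the team "Security history" page get a valid tag by default and a stray legacy string cannot enter through the factory.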
