mirror of
https://github.com/fosrl/pangolin.git
synced 2026-01-29 06:10:47 +00:00
324 lines
11 KiB
TypeScript
324 lines
11 KiB
TypeScript
import { db, primaryDb, requestAuditLog, resources } from "@server/db";
|
|
import { registry } from "@server/openApi";
|
|
import { NextFunction } from "express";
|
|
import { Request, Response } from "express";
|
|
import { eq, gt, lt, and, count, desc } from "drizzle-orm";
|
|
import { OpenAPITags } from "@server/openApi";
|
|
import { z } from "zod";
|
|
import createHttpError from "http-errors";
|
|
import HttpCode from "@server/types/HttpCode";
|
|
import { fromError } from "zod-validation-error";
|
|
import { QueryRequestAuditLogResponse } from "@server/routers/auditLogs/types";
|
|
import response from "@server/lib/response";
|
|
import logger from "@server/logger";
|
|
import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
|
|
|
|
export const queryAccessAuditLogsQuery = z.object({
|
|
// iso string just validate its a parseable date
|
|
timeStart: z
|
|
.string()
|
|
.refine((val) => !isNaN(Date.parse(val)), {
|
|
error: "timeStart must be a valid ISO date string"
|
|
})
|
|
.transform((val) => Math.floor(new Date(val).getTime() / 1000))
|
|
.prefault(() => getSevenDaysAgo().toISOString())
|
|
.openapi({
|
|
type: "string",
|
|
format: "date-time",
|
|
description:
|
|
"Start time as ISO date string (defaults to 7 days ago)"
|
|
}),
|
|
timeEnd: z
|
|
.string()
|
|
.refine((val) => !isNaN(Date.parse(val)), {
|
|
error: "timeEnd must be a valid ISO date string"
|
|
})
|
|
.transform((val) => Math.floor(new Date(val).getTime() / 1000))
|
|
.optional()
|
|
.prefault(() => new Date().toISOString())
|
|
.openapi({
|
|
type: "string",
|
|
format: "date-time",
|
|
description:
|
|
"End time as ISO date string (defaults to current time)"
|
|
}),
|
|
action: z
|
|
.union([z.boolean(), z.string()])
|
|
.transform((val) => (typeof val === "string" ? val === "true" : val))
|
|
.optional(),
|
|
method: z.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]).optional(),
|
|
reason: z
|
|
.string()
|
|
.optional()
|
|
.transform(Number)
|
|
.pipe(z.int().positive())
|
|
.optional(),
|
|
resourceId: z
|
|
.string()
|
|
.optional()
|
|
.transform(Number)
|
|
.pipe(z.int().positive())
|
|
.optional(),
|
|
actor: z.string().optional(),
|
|
location: z.string().optional(),
|
|
host: z.string().optional(),
|
|
path: z.string().optional(),
|
|
limit: z
|
|
.string()
|
|
.optional()
|
|
.default("1000")
|
|
.transform(Number)
|
|
.pipe(z.int().positive()),
|
|
offset: z
|
|
.string()
|
|
.optional()
|
|
.default("0")
|
|
.transform(Number)
|
|
.pipe(z.int().nonnegative())
|
|
});
|
|
|
|
export const queryRequestAuditLogsParams = z.object({
|
|
orgId: z.string()
|
|
});
|
|
|
|
export const queryRequestAuditLogsCombined = queryAccessAuditLogsQuery.merge(
|
|
queryRequestAuditLogsParams
|
|
);
|
|
type Q = z.infer<typeof queryRequestAuditLogsCombined>;
|
|
|
|
function getWhere(data: Q) {
|
|
return and(
|
|
gt(requestAuditLog.timestamp, data.timeStart),
|
|
lt(requestAuditLog.timestamp, data.timeEnd),
|
|
eq(requestAuditLog.orgId, data.orgId),
|
|
data.resourceId
|
|
? eq(requestAuditLog.resourceId, data.resourceId)
|
|
: undefined,
|
|
data.actor ? eq(requestAuditLog.actor, data.actor) : undefined,
|
|
data.method ? eq(requestAuditLog.method, data.method) : undefined,
|
|
data.reason ? eq(requestAuditLog.reason, data.reason) : undefined,
|
|
data.host ? eq(requestAuditLog.host, data.host) : undefined,
|
|
data.location ? eq(requestAuditLog.location, data.location) : undefined,
|
|
data.path ? eq(requestAuditLog.path, data.path) : undefined,
|
|
data.action !== undefined
|
|
? eq(requestAuditLog.action, data.action)
|
|
: undefined
|
|
);
|
|
}
|
|
|
|
export function queryRequest(data: Q) {
|
|
return primaryDb
|
|
.select({
|
|
id: requestAuditLog.id,
|
|
timestamp: requestAuditLog.timestamp,
|
|
orgId: requestAuditLog.orgId,
|
|
action: requestAuditLog.action,
|
|
reason: requestAuditLog.reason,
|
|
actorType: requestAuditLog.actorType,
|
|
actor: requestAuditLog.actor,
|
|
actorId: requestAuditLog.actorId,
|
|
resourceId: requestAuditLog.resourceId,
|
|
ip: requestAuditLog.ip,
|
|
location: requestAuditLog.location,
|
|
userAgent: requestAuditLog.userAgent,
|
|
metadata: requestAuditLog.metadata,
|
|
headers: requestAuditLog.headers,
|
|
query: requestAuditLog.query,
|
|
originalRequestURL: requestAuditLog.originalRequestURL,
|
|
scheme: requestAuditLog.scheme,
|
|
host: requestAuditLog.host,
|
|
path: requestAuditLog.path,
|
|
method: requestAuditLog.method,
|
|
tls: requestAuditLog.tls,
|
|
resourceName: resources.name,
|
|
resourceNiceId: resources.niceId
|
|
})
|
|
.from(requestAuditLog)
|
|
.leftJoin(
|
|
resources,
|
|
eq(requestAuditLog.resourceId, resources.resourceId)
|
|
) // TODO: Is this efficient?
|
|
.where(getWhere(data))
|
|
.orderBy(desc(requestAuditLog.timestamp));
|
|
}
|
|
|
|
export function countRequestQuery(data: Q) {
|
|
const countQuery = primaryDb
|
|
.select({ count: count() })
|
|
.from(requestAuditLog)
|
|
.where(getWhere(data));
|
|
return countQuery;
|
|
}
|
|
|
|
registry.registerPath({
|
|
method: "get",
|
|
path: "/org/{orgId}/logs/request",
|
|
description: "Query the request audit log for an organization",
|
|
tags: [OpenAPITags.Org],
|
|
request: {
|
|
query: queryAccessAuditLogsQuery,
|
|
params: queryRequestAuditLogsParams
|
|
},
|
|
responses: {}
|
|
});
|
|
|
|
async function queryUniqueFilterAttributes(
|
|
timeStart: number,
|
|
timeEnd: number,
|
|
orgId: string
|
|
) {
|
|
const baseConditions = and(
|
|
gt(requestAuditLog.timestamp, timeStart),
|
|
lt(requestAuditLog.timestamp, timeEnd),
|
|
eq(requestAuditLog.orgId, orgId)
|
|
);
|
|
|
|
const DISTINCT_LIMIT = 500;
|
|
|
|
// TODO: SOMEONE PLEASE OPTIMIZE THIS!!!!!
|
|
|
|
// Run all queries in parallel
|
|
const [
|
|
uniqueActors,
|
|
uniqueLocations,
|
|
uniqueHosts,
|
|
uniquePaths,
|
|
uniqueResources
|
|
] = await Promise.all([
|
|
primaryDb
|
|
.selectDistinct({ actor: requestAuditLog.actor })
|
|
.from(requestAuditLog)
|
|
.where(baseConditions)
|
|
.limit(DISTINCT_LIMIT + 1),
|
|
primaryDb
|
|
.selectDistinct({ locations: requestAuditLog.location })
|
|
.from(requestAuditLog)
|
|
.where(baseConditions)
|
|
.limit(DISTINCT_LIMIT + 1),
|
|
primaryDb
|
|
.selectDistinct({ hosts: requestAuditLog.host })
|
|
.from(requestAuditLog)
|
|
.where(baseConditions)
|
|
.limit(DISTINCT_LIMIT + 1),
|
|
primaryDb
|
|
.selectDistinct({ paths: requestAuditLog.path })
|
|
.from(requestAuditLog)
|
|
.where(baseConditions)
|
|
.limit(DISTINCT_LIMIT + 1),
|
|
primaryDb
|
|
.selectDistinct({
|
|
id: requestAuditLog.resourceId,
|
|
name: resources.name
|
|
})
|
|
.from(requestAuditLog)
|
|
.leftJoin(
|
|
resources,
|
|
eq(requestAuditLog.resourceId, resources.resourceId)
|
|
)
|
|
.where(baseConditions)
|
|
.limit(DISTINCT_LIMIT + 1)
|
|
]);
|
|
|
|
// TODO: for stuff like the paths this is too restrictive so lets just show some of the paths and the user needs to
|
|
// refine the time range to see what they need to see
|
|
// if (
|
|
// uniqueActors.length > DISTINCT_LIMIT ||
|
|
// uniqueLocations.length > DISTINCT_LIMIT ||
|
|
// uniqueHosts.length > DISTINCT_LIMIT ||
|
|
// uniquePaths.length > DISTINCT_LIMIT ||
|
|
// uniqueResources.length > DISTINCT_LIMIT
|
|
// ) {
|
|
// throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
|
|
// }
|
|
|
|
return {
|
|
actors: uniqueActors
|
|
.map((row) => row.actor)
|
|
.filter((actor): actor is string => actor !== null),
|
|
resources: uniqueResources.filter(
|
|
(row): row is { id: number; name: string | null } => row.id !== null
|
|
),
|
|
locations: uniqueLocations
|
|
.map((row) => row.locations)
|
|
.filter((location): location is string => location !== null),
|
|
hosts: uniqueHosts
|
|
.map((row) => row.hosts)
|
|
.filter((host): host is string => host !== null),
|
|
paths: uniquePaths
|
|
.map((row) => row.paths)
|
|
.filter((path): path is string => path !== null)
|
|
};
|
|
}
|
|
|
|
export async function queryRequestAuditLogs(
|
|
req: Request,
|
|
res: Response,
|
|
next: NextFunction
|
|
): Promise<any> {
|
|
try {
|
|
const parsedQuery = queryAccessAuditLogsQuery.safeParse(req.query);
|
|
if (!parsedQuery.success) {
|
|
return next(
|
|
createHttpError(
|
|
HttpCode.BAD_REQUEST,
|
|
fromError(parsedQuery.error)
|
|
)
|
|
);
|
|
}
|
|
|
|
const parsedParams = queryRequestAuditLogsParams.safeParse(req.params);
|
|
if (!parsedParams.success) {
|
|
return next(
|
|
createHttpError(
|
|
HttpCode.BAD_REQUEST,
|
|
fromError(parsedParams.error)
|
|
)
|
|
);
|
|
}
|
|
|
|
const data = { ...parsedQuery.data, ...parsedParams.data };
|
|
|
|
const baseQuery = queryRequest(data);
|
|
|
|
const log = await baseQuery.limit(data.limit).offset(data.offset);
|
|
|
|
const totalCountResult = await countRequestQuery(data);
|
|
const totalCount = totalCountResult[0].count;
|
|
|
|
const filterAttributes = await queryUniqueFilterAttributes(
|
|
data.timeStart,
|
|
data.timeEnd,
|
|
data.orgId
|
|
);
|
|
|
|
return response<QueryRequestAuditLogResponse>(res, {
|
|
data: {
|
|
log: log,
|
|
pagination: {
|
|
total: totalCount,
|
|
limit: data.limit,
|
|
offset: data.offset
|
|
},
|
|
filterAttributes
|
|
},
|
|
success: true,
|
|
error: false,
|
|
message: "Request audit logs retrieved successfully",
|
|
status: HttpCode.OK
|
|
});
|
|
} catch (error) {
|
|
logger.error(error);
|
|
// if the message is "Too many distinct filter attributes to retrieve. Please refine your time range.", return a 400 and the message
|
|
if (
|
|
error instanceof Error &&
|
|
error.message ===
|
|
"Too many distinct filter attributes to retrieve. Please refine your time range."
|
|
) {
|
|
return next(createHttpError(HttpCode.BAD_REQUEST, error.message));
|
|
}
|
|
return next(
|
|
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
|
);
|
|
}
|
|
}
|