Add audit log for kubeconfig revoke

2026-04-20 16:46:49 +00:00 · 2022-06-08 19:21:07 +05:30
parent 38f937bfcf
commit 5274a5861c
4 changed files with 48 additions and 12 deletions
--- a/main.go
+++ b/main.go
@@ -344,7 +344,7 @@ func setup() {

 	//sentry related services
 	bs = service.NewBootstrapService(db)
-	krs = service.NewKubeconfigRevocationService(db)
+	krs = service.NewKubeconfigRevocationService(db, auditLogger)
 	kss = service.NewKubeconfigSettingService(db)
 	ns = service.NewNamespaceService(db)
 	kcs = service.NewkubectlClusterSettingsService(db)
--- a/pkg/service/audit_utils.go
+++ b/pkg/service/audit_utils.go
@@ -389,6 +389,24 @@ func CreateApiKeyAuditEvent(ctx context.Context, al *zap.Logger, action string,
 	}
 }

+func RevokeKubeconfigAuditEvent(ctx context.Context, al *zap.Logger, user string) {
+	sd, ok := GetSessionDataFromContext(ctx)
+	if !ok {
+		_log.Warn("unable to create audit event: could not fetch info from context")
+		return
+	}
+
+	detail := &audit.EventDetail{
+		Message: fmt.Sprintf("User %s kubeconfig revoked", user),
+		Meta: map[string]string{
+			"user": user,
+		},
+	}
+	if err := audit.CreateV1Event(al, sd, detail, "user.kubeconfig.revoke", ""); err != nil {
+		_log.Warn("unable to create audit event", err)
+	}
+}
+
 func CreateClusterAuditEvent(ctx context.Context, al *zap.Logger, action string, name string, id uuid.UUID) {
 	sd, ok := GetSessionDataFromContext(ctx)
 	if !ok {
--- a/pkg/service/kubeconfig_revocation.go
+++ b/pkg/service/kubeconfig_revocation.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"database/sql"
+	"fmt"
 	"time"

 	"github.com/RafayLabs/rcloud-base/internal/constants"
@@ -11,6 +12,7 @@ import (
 	"github.com/RafayLabs/rcloud-base/proto/types/sentry"
 	"github.com/google/uuid"
 	"github.com/uptrace/bun"
+	"go.uber.org/zap"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )

@@ -23,11 +25,12 @@ type KubeconfigRevocationService interface {
 // bootstrapService implements BootstrapService
 type kubeconfigRevocationService struct {
 	db *bun.DB
+	al *zap.Logger
 }

 // NewKubeconfigRevocation return new kubeconfig revocation service
-func NewKubeconfigRevocationService(db *bun.DB) KubeconfigRevocationService {
-	return &kubeconfigRevocationService{db}
+func NewKubeconfigRevocationService(db *bun.DB, al *zap.Logger) KubeconfigRevocationService {
+	return &kubeconfigRevocationService{db, al}
 }

 func (krs *kubeconfigRevocationService) Get(ctx context.Context, orgID string, accountID string, isSSOUser bool) (*sentry.KubeconfigRevocation, error) {
@@ -52,15 +55,30 @@ func prepareKubeCfgRevocationResponse(kr *models.KubeconfigRevocation) *sentry.K
 }

 func (krs *kubeconfigRevocationService) Patch(ctx context.Context, kr *sentry.KubeconfigRevocation) error {
-	return krs.db.RunInTx(ctx, &sql.TxOptions{}, func(ctx context.Context, tx bun.Tx) error {
-		_, err := dao.GetKubeconfigRevocation(ctx, tx, uuid.MustParse(kr.OrganizationID), uuid.MustParse(kr.AccountID), kr.IsSSOUser)
-		if err != nil && err == sql.ErrNoRows {
-			kcr := convertToModel(kr)
-			kcr.CreatedAt = time.Now()
-			return dao.CreateKubeconfigRevocation(ctx, tx, kcr)
+	accId := uuid.MustParse(kr.AccountID)
+	entity, err := dao.GetM(ctx, krs.db, map[string]interface{}{"id": accId}, &models.KratosIdentities{})
+	if err != nil {
+		return err
+	}
+	if usr, ok := entity.(*models.KratosIdentities); ok {
+		// We need user info inorder to add the audit log
+		err = krs.db.RunInTx(ctx, &sql.TxOptions{}, func(ctx context.Context, tx bun.Tx) error {
+			_, err := dao.GetKubeconfigRevocation(ctx, tx, uuid.MustParse(kr.OrganizationID), accId, kr.IsSSOUser)
+			if err != nil && err == sql.ErrNoRows {
+				kcr := convertToModel(kr)
+				kcr.CreatedAt = time.Now()
+				return dao.CreateKubeconfigRevocation(ctx, tx, kcr)
+			}
+			return dao.UpdateKubeconfigRevocation(ctx, tx, convertToModel(kr))
+		})
+		if err != nil {
+			return err
 		}
-		return dao.UpdateKubeconfigRevocation(ctx, tx, convertToModel(kr))
-	})
+		RevokeKubeconfigAuditEvent(ctx, krs.al, getUserTraits(usr.Traits).Email)
+		return nil
+	}
+
+	return fmt.Errorf("unable to fetch user")
 }

 func convertToModel(kr *sentry.KubeconfigRevocation) *models.KubeconfigRevocation {
--- a/pkg/service/kubeconfig_revocation_test.go
+++ b/pkg/service/kubeconfig_revocation_test.go
@@ -12,7 +12,7 @@ func TestGetKubeconfigRevocation(t *testing.T) {
 	db, mock := getDB(t)
 	defer db.Close()

-	ps := NewKubeconfigRevocationService(db)
+	ps := NewKubeconfigRevocationService(db, getLogger())

 	ouuid := uuid.New().String()
 	cuuid := uuid.New().String()