feat: audit additional events

api/app/settings/common.py

@@ -924,7 +924,6 @@
 AUTH_CONTROLLER_INSTALLED = importlib.util.find_spec("auth_controller") is not None
 if AUTH_CONTROLLER_INSTALLED:
  INSTALLED_APPS.append("auth_controller")
- AUTHENTICATION_BACKENDS.insert(0, "auth_controller.backends.AuthControllerBackend")
 
 IS_RBAC_INSTALLED = importlib.util.find_spec("rbac") is not None
 if IS_RBAC_INSTALLED:

api/audit/__init__.py

@@ -1 +0,0 @@
-default_app_config = "audit.apps.AuditConfig"

api/audit/apps.py

@@ -1,9 +1,8 @@
-from __future__ import unicode_literals
-
 from django.apps import AppConfig
 
 
 class AuditConfig(AppConfig):
+ default = True
  name = "audit"
 
  def ready(self):

api/audit/constants.py

@@ -1,3 +1,11 @@
+# generic/default audit messages
+
+CREATED_MESSAGE = "New {model_name} created: {identity}"
+DELETED_MESSAGE = "{model_name} deleted: {identity}"
+UPDATED_MESSAGE = "{model_name} {field} {action}: {identity}"
+
+# specific audit messages
+
 FEATURE_CREATED_MESSAGE = "New Flag / Remote Config created: %s"
 FEATURE_DELETED_MESSAGE = "Flag / Remote Config Deleted: %s"
 FEATURE_UPDATED_MESSAGE = "Flag / Remote Config updated: %s"

api/audit/migrations/0014_auditlog__organisation.py

@@ -0,0 +1,20 @@
+# Generated by Django 3.2.23 on 2023-12-14 15:15
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('organisations', '0049_subscription_billing_status'),
+ ('audit', '0013_allow_manual_override_of_created_date'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='auditlog',
+ name='_organisation',
+ field=models.ForeignKey(db_column='organisation', null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='audit_logs', to='organisations.organisation'),
+ ),
+ ]

api/audit/migrations/0015_auditlog_ip_address.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.2.23 on 2023-12-14 15:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('audit', '0014_auditlog__organisation'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='auditlog',
+ name='ip_address',
+ field=models.GenericIPAddressField(blank=True, null=True),
+ ),
+ ]

api/audit/models.py

@@ -15,6 +15,7 @@
 
 from api_keys.models import MasterAPIKey
 from audit.related_object_type import RelatedObjectType
+from organisations.models import Organisation
 from projects.models import Project
 
 RELATED_OBJECT_TYPES = ((tag.name, tag.value) for tag in RelatedObjectType)
@@ -23,15 +24,26 @@
 class AuditLog(LifecycleModel):
  created_date = models.DateTimeField("DateCreated")
 
+ # TODO #2797: data migrate missing organisation values and rename this
+ _organisation = models.ForeignKey(
+ Organisation,
+ db_column="organisation",
+ related_name="audit_logs",
+ null=True,
+ on_delete=models.DO_NOTHING,
+ )
+ _organisation_id: int | None
  project = models.ForeignKey(
  Project, related_name="audit_logs", null=True, on_delete=models.DO_NOTHING
  )
+ project_id: int | None
  environment = models.ForeignKey(
  "environments.Environment",
  related_name="audit_logs",
  null=True,
  on_delete=models.DO_NOTHING,
  )
+ environment_id: int | None
 
  log = models.TextField()
  author = models.ForeignKey(
@@ -41,6 +53,8 @@ class AuditLog(LifecycleModel):
  blank=True,
  on_delete=models.SET_NULL,
  )
+ author_id: int | None
+ ip_address = models.GenericIPAddressField(null=True, blank=True)
  master_api_key = models.ForeignKey(
  MasterAPIKey,
  related_name="audit_logs",
@@ -68,6 +82,28 @@ class Meta:
  verbose_name_plural = "Audit Logs"
  ordering = ("-created_date",)
 
+ # TODO #2797: data migrate missing organisation values and remove these
+
+ @property
+ def organisation(self) -> Organisation | None:
+ return self._organisation or (
+ self.project.organisation if self.project else None
+ )
+
+ @organisation.setter
+ def organisation(self, value):
+ self._organisation = value
+
+ @property
+ def organisation_id(self) -> int | None:
+ return self._organisation_id or (
+ self.project.organisation_id if self.project else None
+ )
+
+ @organisation_id.setter
+ def organisation_id(self, value):
+ self._organisation_id = value
+
  @property
  def environment_document_updated(self) -> bool:
  if self.related_object_type == RelatedObjectType.CHANGE_REQUEST.name:
@@ -107,9 +143,12 @@ def get_history_record_model_class(
  return getattr(module, class_name)
 
  @hook(BEFORE_CREATE)
- def add_project(self):
- if self.environment and self.project is None:
- self.project = self.environment.project
+ def add_project_organisation(self):
+ """Ensure dependent fields are present"""
+ if self.project_id is None and self.environment:
+ self.project_id = self.environment.project_id
+ if self.organisation_id is None and self.project:
+ self.organisation_id = self.project.organisation_id
 
  @hook(BEFORE_CREATE)
  def add_created_date(self) -> None:
@@ -126,6 +165,10 @@ def process_environment_update(self):
  from environments.models import Environment
  from environments.tasks import process_environment_update
 
+ # Some logs do not relate to projects/environments
+ if not self.project:
+ return
+
  environments_filter = Q()
  if self.environment_id:
  environments_filter = Q(id=self.environment_id)

api/audit/related_object_type.py

@@ -2,10 +2,16 @@
 
 
 class RelatedObjectType(enum.Enum):
+ CHANGE_REQUEST = "Change request"
+ EDGE_IDENTITY = "Edge identity"
+ ENVIRONMENT = "Environment"
  FEATURE = "Feature"
  FEATURE_STATE = "Feature state"
- SEGMENT = "Segment"
- ENVIRONMENT = "Environment"
- CHANGE_REQUEST = "Change request"
- EDGE_IDENTITY = "Edge Identity"
+ GRANT = "Grant"
+ GROUP = "Group"
  IMPORT_REQUEST = "Import request"
+ PROJECT = "Project"
+ ROLE = "Role"
+ SEGMENT = "Segment"
+ USER = "User"
+ USER_MFA_METHOD = "User MFA method"

api/audit/serializers.py

@@ -5,12 +5,14 @@
 
 from audit.models import AuditLog
 from environments.serializers import EnvironmentSerializerLight
+from organisations.serializers import OrganisationSerializerBasic
 from projects.serializers import ProjectListSerializer
 from users.serializers import UserListSerializer
 
 
 class AuditLogListSerializer(serializers.ModelSerializer):
  author = UserListSerializer()
+ organisation = OrganisationSerializerBasic()
  environment = EnvironmentSerializerLight()
  project = ProjectListSerializer()
 
@@ -21,6 +23,7 @@ class Meta:
  "created_date",
  "log",
  "author",
+ "organisation",
  "environment",
  "project",
  "related_object_id",
@@ -83,6 +86,7 @@ def get_change_type(self, instance: AuditLog) -> str:
 
 
 class AuditLogsQueryParamSerializer(serializers.Serializer):
+ organisation = serializers.IntegerField(required=False)
  project = serializers.IntegerField(required=False)
  environments = serializers.ListField(
  child=serializers.IntegerField(min_value=0), required=False

api/audit/signals.py

@@ -17,26 +17,20 @@
 
 
 @receiver(post_save, sender=AuditLog)
-def call_webhooks(sender, instance, **kwargs):
+def call_webhooks(sender, instance: AuditLog, **kwargs):
  if settings.DISABLE_WEBHOOKS:
  return
 
- if not (instance.project_id or instance.environment_id):
- logger.warning("Audit log without project or environment. Not sending webhook.")
+ if not (organisation := instance.organisation):
+ logger.warning("Audit log without organisation. Not sending webhook.")
  return
 
- organisation_id = (
- instance.project.organisation_id
- if instance.project
- else instance.environment.project.organisation_id
- )
-
  if OrganisationWebhook.objects.filter(
- organisation_id=organisation_id, enabled=True
+ organisation=organisation, enabled=True
  ).exists():
  data = AuditLogListSerializer(instance=instance).data
  call_organisation_webhooks.delay(
- args=(organisation_id, data, WebhookEventType.AUDIT_LOG_CREATED.value)
+ args=(organisation.id, data, WebhookEventType.AUDIT_LOG_CREATED.value)
  )