Add User Auditing for Resources (#88)

unikorn-cloud · Jun 27, 2024 · f94b6dd · f94b6dd
1 parent ff93673
commit f94b6dd
Show file tree

Hide file tree

Showing 8 changed files with 229 additions and 215 deletions.
diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.2.16
-appVersion: v0.2.16
+version: v0.2.17
+appVersion: v0.2.17
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 

diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/unikorn-cloud/core v0.1.49
+	github.com/unikorn-cloud/core v0.1.54
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0
 	go.opentelemetry.io/otel/sdk v1.24.0

diff --git a/go.sum b/go.sum
@@ -131,6 +131,8 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/unikorn-cloud/core v0.1.49 h1:ahAxrzvBnBICi+qN/AmTqKRJHpxl958gKVfBO3lz4G8=
 github.com/unikorn-cloud/core v0.1.49/go.mod h1:cP39UQN7aSmsfjQuSMsworI4oBIwx4oA4u20CbPpfZw=
+github.com/unikorn-cloud/core v0.1.54 h1:e9LYpESifNsQUibem6zqyZP0SIn0zSFaSUwghYx3PeY=
+github.com/unikorn-cloud/core v0.1.54/go.mod h1:cP39UQN7aSmsfjQuSMsworI4oBIwx4oA4u20CbPpfZw=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/pkg/handler/groups/client.go b/pkg/handler/groups/client.go
@@ -21,6 +21,7 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/unikorn-cloud/core/pkg/authorization/userinfo"
 	coreopenapi "github.com/unikorn-cloud/core/pkg/openapi"
 	"github.com/unikorn-cloud/core/pkg/server/conversion"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
@@ -122,9 +123,11 @@ func (c *Client) Get(ctx context.Context, organizationID, groupID string) (*open
 	return convert(result), nil
 }
 
-func generate(organization *organizations.Meta, in *openapi.GroupWrite) *unikornv1.Group {
+func generate(ctx context.Context, organization *organizations.Meta, in *openapi.GroupWrite) *unikornv1.Group {
+	userinfo := userinfo.FromContext(ctx)
+
 	out := &unikornv1.Group{
-		ObjectMeta: conversion.OrganizationScopedObjectMetadata(&in.Metadata, organization.Namespace, organization.ID),
+		ObjectMeta: conversion.NewObjectMetadata(&in.Metadata, organization.Namespace).WithOrganization(organization.ID).WithUser(userinfo.Subject).Get(),
 		Spec: unikornv1.GroupSpec{
 			Roles: in.Spec.Roles,
 		},
@@ -147,7 +150,7 @@ func (c *Client) Create(ctx context.Context, organizationID string, request *ope
 		return err
 	}
 
-	resource := generate(organization, request)
+	resource := generate(ctx, organization, request)
 
 	if err := c.client.Create(ctx, resource); err != nil {
 		if kerrors.IsAlreadyExists(err) {
@@ -171,7 +174,7 @@ func (c *Client) Update(ctx context.Context, organizationID, groupID string, req
 		return err
 	}
 
-	required := generate(organization, request)
+	required := generate(ctx, organization, request)
 
 	updated := current.DeepCopy()
 	updated.Labels = required.Labels

diff --git a/pkg/handler/oauth2providers/client.go b/pkg/handler/oauth2providers/client.go
@@ -128,9 +128,11 @@ func (c *Client) List(ctx context.Context, organizationID string) (openapi.Oauth
 	return convertList(nil, result), nil
 }
 
-func (c *Client) generate(organization *organizations.Meta, in *openapi.Oauth2ProviderWrite) *unikornv1.OAuth2Provider {
+func (c *Client) generate(ctx context.Context, organization *organizations.Meta, in *openapi.Oauth2ProviderWrite) *unikornv1.OAuth2Provider {
+	userinfo := userinfo.FromContext(ctx)
+
 	out := &unikornv1.OAuth2Provider{
-		ObjectMeta: conversion.OrganizationScopedObjectMetadata(&in.Metadata, organization.Namespace, organization.ID),
+		ObjectMeta: conversion.NewObjectMetadata(&in.Metadata, organization.Namespace).WithOrganization(organization.ID).WithUser(userinfo.Subject).Get(),
 		Spec: unikornv1.OAuth2ProviderSpec{
 			Issuer:       in.Spec.Issuer,
 			ClientID:     in.Spec.ClientID,
@@ -147,7 +149,7 @@ func (c *Client) Create(ctx context.Context, organizationID string, request *ope
 		return err
 	}
 
-	resource := c.generate(organization, request)
+	resource := c.generate(ctx, organization, request)
 
 	if err := c.client.Create(ctx, resource); err != nil {
 		if kerrors.IsAlreadyExists(err) {
@@ -171,7 +173,7 @@ func (c *Client) Update(ctx context.Context, organizationID, providerID string,
 		return err
 	}
 
-	required := c.generate(organization, request)
+	required := c.generate(ctx, organization, request)
 
 	updated := current.DeepCopy()
 	updated.Labels = required.Labels

diff --git a/pkg/handler/organizations/client.go b/pkg/handler/organizations/client.go
@@ -184,9 +184,11 @@ func (c *Client) Get(ctx context.Context, organizationID string) (*openapi.Organ
 	return convert(result), nil
 }
 
-func (c *Client) generate(in *openapi.OrganizationWrite) *unikornv1.Organization {
+func (c *Client) generate(ctx context.Context, in *openapi.OrganizationWrite) *unikornv1.Organization {
+	userinfo := userinfo.FromContext(ctx)
+
 	out := &unikornv1.Organization{
-		ObjectMeta: conversion.ObjectMetadata(&in.Metadata, c.namespace),
+		ObjectMeta: conversion.NewObjectMetadata(&in.Metadata, c.namespace).WithUser(userinfo.Subject).Get(),
 	}
 
 	if in.Spec.OrganizationType == openapi.Domain {
@@ -214,7 +216,7 @@ func (c *Client) Update(ctx context.Context, organizationID string, request *ope
 		return err
 	}
 
-	required := c.generate(request)
+	required := c.generate(ctx, request)
 
 	updated := current.DeepCopy()
 	updated.Labels = required.Labels

diff --git a/pkg/handler/projects/client.go b/pkg/handler/projects/client.go
@@ -23,6 +23,7 @@ import (
 	"strings"
 
 	unikornv1core "github.com/unikorn-cloud/core/pkg/apis/unikorn/v1alpha1"
+	"github.com/unikorn-cloud/core/pkg/authorization/userinfo"
 	coreopenapi "github.com/unikorn-cloud/core/pkg/openapi"
 	"github.com/unikorn-cloud/core/pkg/server/conversion"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
@@ -122,16 +123,18 @@ func (c *Client) Get(ctx context.Context, organizationID, projectID string) (*op
 	return convert(result), nil
 }
 
-func generate(organization *organizations.Meta, request *openapi.ProjectWrite) *unikornv1.Project {
-	resource := &unikornv1.Project{
-		ObjectMeta: conversion.OrganizationScopedObjectMetadata(&request.Metadata, organization.Namespace, organization.ID),
+func generate(ctx context.Context, organization *organizations.Meta, in *openapi.ProjectWrite) *unikornv1.Project {
+	userinfo := userinfo.FromContext(ctx)
+
+	out := &unikornv1.Project{
+		ObjectMeta: conversion.NewObjectMetadata(&in.Metadata, organization.Namespace).WithOrganization(organization.ID).WithUser(userinfo.Subject).Get(),
 	}
 
-	if request.Spec.GroupIDs != nil {
-		resource.Spec.GroupIDs = *request.Spec.GroupIDs
+	if in.Spec.GroupIDs != nil {
+		out.Spec.GroupIDs = *in.Spec.GroupIDs
 	}
 
-	return resource
+	return out
 }
 
 // Create creates the implicit project indentified by the JTW claims.
@@ -141,7 +144,7 @@ func (c *Client) Create(ctx context.Context, organizationID string, request *ope
 		return err
 	}
 
-	resource := generate(organization, request)
+	resource := generate(ctx, organization, request)
 
 	if err := c.client.Create(ctx, resource); err != nil {
 		// TODO: we can do a cached lookup to save the API traffic.
@@ -166,7 +169,7 @@ func (c *Client) Update(ctx context.Context, organizationID, projectID string, r
 		return err
 	}
 
-	required := generate(organization, request)
+	required := generate(ctx, organization, request)
 
 	updated := current.DeepCopy()
 	updated.Labels = required.Labels