Improve auditing
This commit is contained in:
@@ -8,6 +8,8 @@ from gatehouse_app.utils.decorators import login_required, require_admin, full_a
|
||||
from gatehouse_app.models.organization import OrganizationApiKey
|
||||
from gatehouse_app.services.organization_service import OrganizationService
|
||||
from gatehouse_app.extensions import db
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
|
||||
|
||||
class ApiKeyCreateSchema(Schema):
|
||||
@@ -130,7 +132,16 @@ def create_api_key(org_id):
|
||||
name=data["name"],
|
||||
description=data.get("description"),
|
||||
)
|
||||
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_API_KEY_CREATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="api_key",
|
||||
resource_id=str(api_key.id),
|
||||
description=f"API key '{api_key.name}' created",
|
||||
)
|
||||
|
||||
# Return the key data with the plain text key (only on creation)
|
||||
key_dict = api_key.to_dict()
|
||||
key_dict["key"] = plain_key # Include plain text only on creation
|
||||
@@ -219,9 +230,18 @@ def update_api_key(org_id, key_id):
|
||||
api_key.name = data["name"]
|
||||
if "description" in data:
|
||||
api_key.description = data["description"]
|
||||
|
||||
|
||||
api_key.save()
|
||||
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_API_KEY_UPDATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="api_key",
|
||||
resource_id=str(api_key.id),
|
||||
description=f"API key '{api_key.name}' updated",
|
||||
)
|
||||
|
||||
return api_response(
|
||||
data={"api_key": api_key.to_dict()},
|
||||
message="API key updated successfully",
|
||||
@@ -293,7 +313,16 @@ def delete_api_key(org_id, key_id):
|
||||
|
||||
# Soft delete the API key
|
||||
api_key.delete(soft=True)
|
||||
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_API_KEY_DELETED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="api_key",
|
||||
resource_id=str(api_key.id),
|
||||
description=f"API key '{api_key.name}' deleted",
|
||||
)
|
||||
|
||||
return api_response(
|
||||
message="API key deleted successfully",
|
||||
)
|
||||
|
||||
@@ -6,6 +6,8 @@ from gatehouse_app.utils.response import api_response
|
||||
from gatehouse_app.utils.decorators import login_required, require_admin
|
||||
from gatehouse_app.extensions import db
|
||||
from gatehouse_app.api.v1.organizations._helpers import _get_system_ca_dict
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
|
||||
|
||||
@api_v1_bp.route("/organizations/<org_id>/cas", methods=["GET"])
|
||||
@@ -66,6 +68,16 @@ def update_org_ca(org_id, ca_id):
|
||||
ca.max_cert_validity_hours = data["max_cert_validity_hours"]
|
||||
|
||||
db.session.commit()
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.CA_UPDATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="CA",
|
||||
resource_id=ca_id,
|
||||
description=f"CA '{ca.name}' updated",
|
||||
)
|
||||
|
||||
return api_response(data={"ca": ca.to_dict()}, message="CA updated successfully")
|
||||
except ValidationError as e:
|
||||
return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
|
||||
@@ -150,6 +162,15 @@ def create_org_ca(org_id):
|
||||
return api_response(success=False, message="A CA with that name already exists in this organization (it may have been recently deleted — choose a different name).", status=400, error_type="DUPLICATE_NAME")
|
||||
raise
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.CA_CREATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="CA",
|
||||
resource_id=str(ca.id),
|
||||
description=f"CA '{ca.name}' created",
|
||||
)
|
||||
|
||||
return api_response(data={"ca": ca.to_dict()}, message="CA created successfully", status=201)
|
||||
except MaValidationError as e:
|
||||
return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
|
||||
|
||||
@@ -5,6 +5,8 @@ from gatehouse_app.api.v1 import api_v1_bp
|
||||
from gatehouse_app.utils.response import api_response
|
||||
from gatehouse_app.utils.decorators import login_required, require_admin, full_access_required
|
||||
from gatehouse_app.extensions import db, bcrypt
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
|
||||
|
||||
@api_v1_bp.route("/organizations/<org_id>/clients", methods=["GET"])
|
||||
@@ -79,6 +81,15 @@ def create_org_client(org_id):
|
||||
db.session.add(client)
|
||||
db.session.commit()
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_CLIENT_CREATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="oidc_client",
|
||||
resource_id=str(client.id),
|
||||
description=f"OIDC client '{client.name}' created",
|
||||
)
|
||||
|
||||
return api_response(
|
||||
data={
|
||||
"client": {
|
||||
@@ -126,6 +137,15 @@ def update_org_client(org_id, client_id):
|
||||
|
||||
db.session.commit()
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_CLIENT_UPDATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="oidc_client",
|
||||
resource_id=str(client.id),
|
||||
description=f"OIDC client '{client.name}' updated",
|
||||
)
|
||||
|
||||
return api_response(
|
||||
data={
|
||||
"client": {
|
||||
@@ -155,4 +175,14 @@ def delete_org_client(org_id, client_id):
|
||||
|
||||
client.is_active = False
|
||||
db.session.commit()
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_CLIENT_DEACTIVATED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="oidc_client",
|
||||
resource_id=str(client.id),
|
||||
description=f"OIDC client '{client.name}' deactivated",
|
||||
)
|
||||
|
||||
return api_response(data={}, message="Client deactivated successfully")
|
||||
|
||||
@@ -7,6 +7,8 @@ from gatehouse_app.utils.response import api_response
|
||||
from gatehouse_app.utils.decorators import login_required, require_admin, full_access_required
|
||||
from gatehouse_app.schemas.organization_schema import OrganizationCreateSchema, OrganizationUpdateSchema
|
||||
from gatehouse_app.services.organization_service import OrganizationService
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
|
||||
|
||||
@api_v1_bp.route("/organizations", methods=["POST"])
|
||||
@@ -32,6 +34,14 @@ def create_organization():
|
||||
description=data.get("description"),
|
||||
logo_url=data.get("logo_url"),
|
||||
)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_CREATE,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org.id,
|
||||
resource_type="organization",
|
||||
resource_id=str(org.id),
|
||||
description=f"Organization '{org.name}' created",
|
||||
)
|
||||
return api_response(data={"organization": org.to_dict()}, message="Organization created successfully", status=201)
|
||||
except ValidationError as e:
|
||||
return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
|
||||
@@ -60,6 +70,14 @@ def update_organization(org_id):
|
||||
data = schema.load(request.json)
|
||||
org = OrganizationService.get_organization_by_id(org_id)
|
||||
org = OrganizationService.update_organization(org=org, user_id=g.current_user.id, **data)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_UPDATE,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org.id,
|
||||
resource_type="organization",
|
||||
resource_id=str(org.id),
|
||||
description=f"Organization '{org.name}' updated",
|
||||
)
|
||||
return api_response(data={"organization": org.to_dict()}, message="Organization updated successfully")
|
||||
except ValidationError as e:
|
||||
return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
|
||||
@@ -92,4 +110,12 @@ def delete_organization(org_id):
|
||||
)
|
||||
|
||||
OrganizationService.force_delete_organization(org=org, user_id=caller.id)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_DELETE,
|
||||
user_id=caller.id,
|
||||
organization_id=org.id,
|
||||
resource_type="organization",
|
||||
resource_id=str(org.id),
|
||||
description=f"Organization '{org.name}' deleted",
|
||||
)
|
||||
return api_response(message="Organization deleted successfully")
|
||||
|
||||
@@ -136,6 +136,15 @@ def cancel_org_invite(org_id, invite_id):
|
||||
return api_response(success=False, message="Invite not found", status=404)
|
||||
|
||||
invite.delete(soft=True)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_INVITE_CANCELLED,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="org_invite",
|
||||
resource_id=invite.id,
|
||||
metadata={"invited_email": invite.email, "role": invite.role},
|
||||
description=f"Invitation for {invite.email} cancelled",
|
||||
)
|
||||
return api_response(data={}, message="Invite cancelled")
|
||||
|
||||
|
||||
|
||||
@@ -7,7 +7,8 @@ from gatehouse_app.utils.decorators import login_required, require_admin, full_a
|
||||
from gatehouse_app.schemas.organization_schema import InviteMemberSchema, UpdateMemberRoleSchema
|
||||
from gatehouse_app.services.organization_service import OrganizationService
|
||||
from gatehouse_app.services.user_service import UserService
|
||||
from gatehouse_app.utils.constants import OrganizationRole
|
||||
from gatehouse_app.utils.constants import AuditAction, OrganizationRole
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
|
||||
|
||||
@api_v1_bp.route("/organizations/<org_id>/members", methods=["GET"])
|
||||
@@ -43,6 +44,14 @@ def add_organization_member(org_id):
|
||||
|
||||
role = OrganizationRole(data["role"])
|
||||
member = OrganizationService.add_member(org=org, user_id=user.id, role=role, inviter_id=g.current_user.id)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_MEMBER_ADD,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org.id,
|
||||
resource_type="user",
|
||||
resource_id=str(user.id),
|
||||
description=f"Added user {user.email} to organization with role {role.value}",
|
||||
)
|
||||
member_dict = member.to_dict()
|
||||
member_dict["user"] = user.to_dict()
|
||||
return api_response(data={"member": member_dict}, message="Member added successfully", status=201)
|
||||
@@ -60,6 +69,14 @@ def remove_organization_member(org_id, user_id):
|
||||
OrganizationService.remove_member(org=org, user_id=user_id, remover_id=g.current_user.id)
|
||||
except ValueError as e:
|
||||
return api_response(success=False, message=str(e), status=403, error_type="OWNER_PROTECTION")
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_MEMBER_REMOVE,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org.id,
|
||||
resource_type="user",
|
||||
resource_id=str(user_id),
|
||||
description=f"Removed user {user_id} from organization",
|
||||
)
|
||||
return api_response(message="Member removed successfully")
|
||||
|
||||
|
||||
@@ -74,6 +91,14 @@ def update_member_role(org_id, user_id):
|
||||
org = OrganizationService.get_organization_by_id(org_id)
|
||||
new_role = OrganizationRole(data["role"])
|
||||
member = OrganizationService.update_member_role(org=org, user_id=user_id, new_role=new_role, updater_id=g.current_user.id)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_MEMBER_ROLE_CHANGE,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org.id,
|
||||
resource_type="user",
|
||||
resource_id=str(user_id),
|
||||
description=f"Changed role for user {user_id} to {new_role.value}",
|
||||
)
|
||||
member_dict = member.to_dict()
|
||||
member_dict["user"] = member.user.to_dict()
|
||||
return api_response(data={"member": member_dict}, message="Member role updated successfully")
|
||||
@@ -180,4 +205,13 @@ def send_mfa_reminder(org_id, user_id):
|
||||
html_body=html_body,
|
||||
)
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_MFA_REMINDER_SENT,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="user",
|
||||
resource_id=str(user_id),
|
||||
description=f"MFA reminder sent to {user.email}",
|
||||
)
|
||||
|
||||
return api_response(data={}, message="Reminder sent successfully")
|
||||
|
||||
@@ -3,8 +3,9 @@ from flask import g, request
|
||||
from gatehouse_app.api.v1 import api_v1_bp
|
||||
from gatehouse_app.utils.response import api_response
|
||||
from gatehouse_app.utils.decorators import login_required, require_admin, full_access_required
|
||||
from gatehouse_app.utils.constants import OrganizationRole
|
||||
from gatehouse_app.utils.constants import AuditAction, OrganizationRole
|
||||
from gatehouse_app.extensions import db
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
|
||||
|
||||
@api_v1_bp.route("/organizations/<org_id>/roles", methods=["GET"])
|
||||
@@ -59,6 +60,16 @@ def assign_role_to_member(org_id, role_name):
|
||||
|
||||
membership.role = new_role
|
||||
db.session.commit()
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_MEMBER_ROLE_CHANGE,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="user",
|
||||
resource_id=str(target_user_id),
|
||||
description=f"Role changed to {new_role.value} for user {target_user_id}",
|
||||
)
|
||||
|
||||
return api_response(data={"user_id": target_user_id, "role": new_role.value}, message=f"Role updated to {new_role.value}")
|
||||
|
||||
|
||||
@@ -82,4 +93,14 @@ def remove_role_from_member(org_id, role_name, user_id):
|
||||
|
||||
org = OrganizationService.get_organization_by_id(org_id)
|
||||
OrganizationService.remove_member(org=org, user_id=user_id, remover_id=g.current_user.id)
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.ORG_MEMBER_REMOVE,
|
||||
user_id=g.current_user.id,
|
||||
organization_id=org_id,
|
||||
resource_type="user",
|
||||
resource_id=str(user_id),
|
||||
description=f"Member {user_id} removed from organization via role removal",
|
||||
)
|
||||
|
||||
return api_response(data={"user_id": user_id}, message="Member removed from organization")
|
||||
|
||||
Reference in New Issue
Block a user