From 6b5bcc580ea9172eec22296cfe123566377b0d36 Mon Sep 17 00:00:00 2001
From: Bruno Quaresma
Date: Mon, 3 Oct 2022 17:43:07 +0000
Subject: [PATCH 1/3] fix: Handle invalid resource types and actions
---
 coderd/audit.go | 30 ++++++++++++++++++++++++++++--
 coderd/audit_test.go | 15 +++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/coderd/audit.go b/coderd/audit.go
index c9fbb3a9a8fea..5402857bf9793 100644
--- a/coderd/audit.go
+++ b/coderd/audit.go
@@ -259,12 +259,38 @@ func auditSearchQuery(query string) (database.GetAuditLogsOffsetParams, []coders
 // other parsing.
 parser := httpapi.NewQueryParamParser()
 filter := database.GetAuditLogsOffsetParams{
- ResourceType: parser.String(searchParams, "", "resource_type"),
+ ResourceType: resourceTypeFromString(parser.String(searchParams, "", "resource_type")),
 ResourceID: parser.UUID(searchParams, uuid.Nil, "resource_id"),
- Action: parser.String(searchParams, "", "action"),
+ Action: actionFromString(parser.String(searchParams, "", "action")),
 Username: parser.String(searchParams, "", "username"),
 Email: parser.String(searchParams, "", "email"),
 }
 return filter, parser.Errors
 }
+
+func resourceTypeFromString(resourceTypeString string) string {
+ switch resourceTypeString {
+ // Resource types from https://github.com/coder/coder/blob/d11d83cc98e04774456217e5388df5211de56fa3/codersdk/audit.go#L14
+ case "organization":
+ case "template":
+ case "template_version":
+ case "user":
+ case "workspace":
+ case "git_ssh_key":
+ case "api_key":
+ return resourceTypeString
+ }
+ return ""
+}
+
+func actionFromString(actionString string) string {
+ switch actionString {
+ case "create":
+ case "write":
+ case "delete":
+ return actionString
+ default:
+ }
+ return ""
+}
 
diff --git a/coderd/audit_test.go b/coderd/audit_test.go
index 9368746a88f46..45b19f90475e9 100644
--- a/coderd/audit_test.go
+++ b/coderd/audit_test.go
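Review bot: In `resourceTypeFromString` and `actionFromString`, the stacked `case` clauses with empty bodies do not fall through in Go, so a match on anything but the last value (`"api_key"`, `"delete"`) leaves the switch having done nothing and the function returns `""` — every other valid `resource_type`/`action` is silently discarded and the filter is disabled instead of applied. Collapse each list into a single clause with comma-separated values and return inside it; the empty `default:` in `actionFromString` is a no-op and can be dropped. The third patch's hunk of coderd/audit.go keeps the same empty-bodied clauses over the `codersdk` constants, so it needs the same change. A test case filtering on a valid `resource_type` other than `api_key` and expecting fewer than all rows would pin this; the cases visible here only exercise `resource_id` and the new invalid values.
```go
func resourceTypeFromString(resourceTypeString string) string {
	switch resourceTypeString {
	// Resource types from https://github.com/coder/coder/blob/d11d83cc98e04774456217e5388df5211de56fa3/codersdk/audit.go#L14
	case "organization", "template", "template_version", "user", "workspace", "git_ssh_key", "api_key":
		return resourceTypeString
	}
	return ""
}

func actionFromString(actionString string) string {
	switch actionString {
	case "create", "write", "delete":
		return actionString
	}
	return ""
}
```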
@@ -112,6 +112,21 @@ func TestAuditLogsFilter(t *testing.T) {
 SearchQuery: "resource_id:" + userResourceID.String(),
 ExpectedResult: 2,
 },
+ {
+ Name: "FilterInvalidSingleValue",
+ SearchQuery: "invalid",
+ ExpectedResult: 0,
+ },
+ {
+ Name: "FilterWithInvalidResourceType",
+ SearchQuery: "resource_type:invalid",
+ ExpectedResult: 0,
+ },
+ {
+ Name: "FilterWithInvalidAction",
+ SearchQuery: "action:invalid",
+ ExpectedResult: 0,
+ },
 }
 
 for _, testCase := range testCases {
From 8ecee1ab517b969aa70acad5df46417394d3d501 Mon Sep 17 00:00:00 2001
From: Bruno Quaresma
Date: Mon, 3 Oct 2022 17:45:17 +0000
Subject: [PATCH 2/3] Return all values if invalid
---
 coderd/audit_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/coderd/audit_test.go b/coderd/audit_test.go
index 45b19f90475e9..be50503c72719 100644
--- a/coderd/audit_test.go
+++ b/coderd/audit_test.go
@@ -115,17 +115,17 @@ func TestAuditLogsFilter(t *testing.T) {
 {
 Name: "FilterInvalidSingleValue",
 SearchQuery: "invalid",
- ExpectedResult: 0,
+ ExpectedResult: 3,
 },
 {
 Name: "FilterWithInvalidResourceType",
 SearchQuery: "resource_type:invalid",
- ExpectedResult: 0,
+ ExpectedResult: 3,
 },
 {
 Name: "FilterWithInvalidAction",
 SearchQuery: "action:invalid",
- ExpectedResult: 0,
+ ExpectedResult: 3,
 },
 }
 
From ba6939f333b0b5d457c05d70e2474119bcde0da3 Mon Sep 17 00:00:00 2001
From: Bruno Quaresma
Date: Mon, 3 Oct 2022 18:10:25 +0000
Subject: [PATCH 3/3] Use types
---
 coderd/audit.go | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/coderd/audit.go b/coderd/audit.go
index 5402857bf9793..00f1228466a4a 100644
--- a/coderd/audit.go
+++ b/coderd/audit.go
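Review bot: The three cases now assert that an unrecognised `resource_type:` or `action:` value returns every row (`ExpectedResult: 3`), but nothing in the test records that this widening is intended rather than a lookup that happened to match everything. A comment above the group — `// Unknown resource_type/action values are dropped from the filter, so the query runs unfiltered and returns all rows.` — would stop the next reader from "fixing" the expectation back to 0. Since `auditSearchQuery` already hands `parser.Errors` back to its caller (visible in the first patch's hunk), recording the unknown value there and rejecting the request is the alternative if a quietly unfiltered audit-log query is not what operators expect; that is a design choice outside this hunk and only worth noting in the test. The enclosing `testCases` slice and `TestAuditLogsFilter` start outside the hunk.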
@@ -270,25 +270,24 @@ func auditSearchQuery(query string) (database.GetAuditLogsOffsetParams, []coders
 }
 
 func resourceTypeFromString(resourceTypeString string) string {
- switch resourceTypeString {
- // Resource types from https://github.com/coder/coder/blob/d11d83cc98e04774456217e5388df5211de56fa3/codersdk/audit.go#L14
- case "organization":
- case "template":
- case "template_version":
- case "user":
- case "workspace":
- case "git_ssh_key":
- case "api_key":
+ switch codersdk.ResourceType(resourceTypeString) {
+ case codersdk.ResourceTypeOrganization:
+ case codersdk.ResourceTypeTemplate:
+ case codersdk.ResourceTypeTemplateVersion:
+ case codersdk.ResourceTypeUser:
+ case codersdk.ResourceTypeWorkspace:
+ case codersdk.ResourceTypeGitSSHKey:
+ case codersdk.ResourceTypeAPIKey:
 return resourceTypeString
 }
 return ""
 }
 
 func actionFromString(actionString string) string {
- switch actionString {
- case "create":
- case "write":
- case "delete":
+ switch codersdk.AuditAction(actionString) {
+ case codersdk.AuditActionCreate:
+ case codersdk.AuditActionWrite:
+ case codersdk.AuditActionDelete:
 return actionString
 default:
 }
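Review bot: Neither helper carries a doc comment, and their contract — hand the input back when it names a known `codersdk.ResourceType`/`codersdk.AuditAction`, otherwise `""` so that the corresponding database filter is left unset — is only discoverable by reading `auditSearchQuery`. Add `// resourceTypeFromString returns resourceTypeString when it is a known codersdk.ResourceType and "" otherwise, which leaves the resource_type filter unset.` above the first function and the matching sentence for `actionFromString`, so that a reader does not mistake the empty-string result for an error path. Dropping the URL comment in favour of the typed constants is an improvement, since the constants now document the accepted set themselves. `actionFromString` continues past the hunk's last line (its `return ""` and closing brace are outside the hunk).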