Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 32 additions & 7 deletions core/membership/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -801,14 +801,39 @@ func (s *Service) createRelation(ctx context.Context, resourceID, resourceType,
return nil
}

// createAuditRecord writes the audit record and, when the write fails, logs
// every detail of the record so it can be recreated manually.
func (s *Service) createAuditRecord(ctx context.Context, record auditrecord.AuditRecord) {
if _, err := s.auditRecordRepository.Create(ctx, record); err != nil {
args := []any{
"error", err,
"event", record.Event,
"org_id", record.OrgID,
"resource_id", record.Resource.ID,
"resource_type", record.Resource.Type,
"resource_name", record.Resource.Name,
"occurred_at", record.OccurredAt,
}
Comment on lines +808 to +816

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant service code and nearby helpers.
sed -n '760,860p' core/membership/service.go

printf '\n--- search for actor enrichment and audit record creation ---\n'
rg -n "enrichActorFromContext|Actor|WarnContext|createAuditRecord|auditRecordRepository.Create|auditOrgMemberAdded|metadata|email" core/membership -S

printf '\n--- search for logger middleware or context enrichment ---\n'
rg -n "actor.*context|context.*actor|middleware.*actor|With.*Actor|enrich.*Actor|logger.*actor" -S .

Repository: raystack/frontier

Length of output: 10010


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '60,110p' internal/store/postgres/audit_record_repository.go
printf '\n---\n'
sed -n '190,260p' internal/store/postgres/audit_record.go
printf '\n---\n'
sed -n '220,280p' core/auditrecord/service.go
printf '\n---\n'
sed -n '1,120p' pkg/server/connect_interceptors/authentication.go
printf '\n---\n'
sed -n '1,120p' core/audit/context.go

Repository: raystack/frontier

Length of output: 10862


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the audit logger implementation to see whether WarnContext adds actor data automatically.
sed -n '1,240p' core/audit/logger.go
printf '\n---\n'
rg -n "type Logger|func \(.*WarnContext|WithAttrs|extractActorFromContext|AuditActorContextKey|AuditRecordActorContextKey" core/audit internal/store/postgres pkg/server -S

Repository: raystack/frontier

Length of output: 2831


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' pkg/server/connect_interceptors/logger.go
printf '\n---\n'
rg -n "WarnContext|WithContext|context.*logger|actor.*log|AuditActorContextKey|AuditRecordActorContextKey" pkg/server/connect_interceptors core -S

Repository: raystack/frontier

Length of output: 4954


Include the actor ID in the fallback log
WarnContext only carries request-scoped attrs here, and this path still logs an empty actor because the repository fills it in later. Add the actor ID from context so a failed audit write can be recreated fully.

Source: Learnings

if record.Target != nil {
args = append(args,
"target_id", record.Target.ID,
"target_type", record.Target.Type,
"target_name", record.Target.Name,
"target_metadata", record.Target.Metadata,
)
}
Comment on lines +817 to +824

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Redact PII from the fallback audit logs.

Logging record.Target.Name and record.Target.Metadata directly writes Personally Identifiable Information (PII) — such as user names and email addresses (which are added to the metadata in methods like auditOrgMemberAdded) — to the standard application logs. While your secure audit database is designed to store this, standard log aggregators often lack the same strict data retention and compliance controls, risking GDPR/CCPA violations.

Consider redacting or hashing PII fields from the log arguments before logging.

s.log.WarnContext(ctx, "failed to create audit record", args...)
}
}

func (s *Service) auditOrgMemberRoleChanged(ctx context.Context, org organization.Organization, p principalInfo, roleID string) {
targetType, _ := principalTypeToAuditType(p.Type)
meta := map[string]any{"role_id": roleID}
if p.Email != "" {
meta["email"] = p.Email
}

s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: pkgAuditRecord.OrganizationMemberRoleChangedEvent,
Resource: auditrecord.Resource{
ID: org.ID,
Expand Down Expand Up @@ -840,7 +865,7 @@ func (s *Service) auditOrgMemberAdded(ctx context.Context, org organization.Orga
meta["email"] = p.Email
}

s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: pkgAuditRecord.OrganizationMemberAddedEvent,
Resource: auditrecord.Resource{
ID: org.ID,
Expand All @@ -866,7 +891,7 @@ func (s *Service) auditOrgMemberAdded(ctx context.Context, org organization.Orga
}

func (s *Service) auditOrgMemberRemoved(ctx context.Context, org organization.Organization, targetID string, targetType pkgAuditRecord.EntityType) {
s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: pkgAuditRecord.OrganizationMemberRemovedEvent,
Resource: auditrecord.Resource{
ID: org.ID,
Expand Down Expand Up @@ -1103,7 +1128,7 @@ func (s *Service) auditProjectMember(ctx context.Context, event pkgAuditRecord.E
meta = map[string]any{}
}
meta["principal_type"] = principalType
s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: event,
Resource: auditrecord.Resource{
ID: prj.ID,
Expand Down Expand Up @@ -1708,7 +1733,7 @@ func (s *Service) auditGroupMemberAdded(ctx context.Context, grp group.Group, p
meta["email"] = p.Email
}

s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: pkgAuditRecord.GroupMemberAddedEvent,
Resource: auditrecord.Resource{
ID: grp.ID,
Expand Down Expand Up @@ -1741,7 +1766,7 @@ func (s *Service) auditGroupMemberRoleChanged(ctx context.Context, grp group.Gro
meta["email"] = p.Email
}

s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: pkgAuditRecord.GroupMemberRoleChangedEvent,
Resource: auditrecord.Resource{
ID: grp.ID,
Expand Down Expand Up @@ -1774,7 +1799,7 @@ func (s *Service) auditGroupMemberRemoved(ctx context.Context, grp group.Group,
meta["email"] = p.Email
}

s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
s.createAuditRecord(ctx, auditrecord.AuditRecord{
Event: pkgAuditRecord.GroupMemberRemovedEvent,
Resource: auditrecord.Resource{
ID: grp.ID,
Expand Down
16 changes: 16 additions & 0 deletions core/membership/service_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,22 @@ func TestService_AddOrganizationMember(t *testing.T) {
roleID: viewerRoleID,
wantErr: nil,
},
{
name: "should succeed even when the audit record write fails",
setup: func(policySvc *mocks.PolicyService, relSvc *mocks.RelationService, roleSvc *mocks.RoleService, orgSvc *mocks.OrgService, userSvc *mocks.UserService, auditRepo *mocks.AuditRecordRepository) {
orgSvc.EXPECT().Get(ctx, orgID).Return(enabledOrg, nil)
userSvc.EXPECT().GetByID(ctx, userID).Return(enabledUser, nil)
roleSvc.EXPECT().Get(ctx, viewerRoleID).Return(role.Role{ID: viewerRoleID, Scopes: []string{schema.OrganizationNamespace}}, nil)
policySvc.EXPECT().List(ctx, policy.Filter{OrgID: orgID, PrincipalID: userID, PrincipalType: schema.UserPrincipal}).Return([]policy.Policy{}, nil)
policySvc.EXPECT().Create(ctx, mock.Anything).Return(policy.Policy{}, nil)
relSvc.EXPECT().Create(ctx, mock.Anything).Return(relation.Relation{}, nil)
auditRepo.EXPECT().Create(ctx, mock.Anything).Return(auditrecord.AuditRecord{}, errors.New("audit store unavailable"))
},
orgID: orgID,
userID: userID,
roleID: viewerRoleID,
wantErr: nil,
},
{
name: "should succeed adding a new member with owner role and create owner relation",
setup: func(policySvc *mocks.PolicyService, relSvc *mocks.RelationService, roleSvc *mocks.RoleService, orgSvc *mocks.OrgService, userSvc *mocks.UserService, auditRepo *mocks.AuditRecordRepository) {
Expand Down
Loading