Skip to content

"Security history" for organizations and teams #12360

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Oct 19, 2022
Merged

"Security history" for organizations and teams #12360

merged 20 commits into from
Oct 19, 2022

Conversation

divbzero
Copy link
Contributor

@divbzero divbzero commented Oct 14, 2022
edited
Loading

@divbzero divbzero requested a review from a team as a code owner October 14, 2022 19:47
@divbzero divbzero mentioned this pull request Oct 14, 2022
Open
divbzero added 18 commits October 14, 2022 13:06
@divbzero
Update project role journal entries and events
648c6a9 
- Standardize journal entry action to be "add {role_name} {username}"
- Standardize project event tag to be "project:role:create"
- Standardize user event tag to be "account:role:create"
- Relates to pypi#7119.

Cherry-picked commit 1b0ff20 from pypi#11779.
@divbzero
EventTagEnum for enumerating tag values
d411268
@divbzero
Enumerate "project:*" event tags
bd121e8 
Replaced "project:*" strings with EventTag.Project.* values:

    rg -l '"project:api_token:added"' | xargs -n 1 sed -i '' 's/"project:api_token:added"/EventTag.Project.APITokenAdded/g'
    rg -l '"project:api_token:removed"' | xargs -n 1 sed -i '' 's/"project:api_token:removed"/EventTag.Project.APITokenRemoved/g'
    rg -l '"project:oidc:provider-added"' | xargs -n 1 sed -i '' 's/"project:oidc:provider-added"/EventTag.Project.OIDCProviderAdded/g'
    rg -l '"project:oidc:provider-removed"' | xargs -n 1 sed -i '' 's/"project:oidc:provider-removed"/EventTag.Project.OIDCProviderRemoved/g'
    rg -l '"project:organization_project:add"' | xargs -n 1 sed -i '' 's/"project:organization_project:add"/EventTag.Project.OrganizationProjectAdd/g'
    rg -l '"project:organization_project:remove"' | xargs -n 1 sed -i '' 's/"project:organization_project:remove"/EventTag.Project.OrganizationProjectRemove/g'
    rg -l '"project:owners_require_2fa:disabled"' | xargs -n 1 sed -i '' 's/"project:owners_require_2fa:disabled"/EventTag.Project.OwnersRequire2FADisabled/g'
    rg -l '"project:owners_require_2fa:enabled"' | xargs -n 1 sed -i '' 's/"project:owners_require_2fa:enabled"/EventTag.Project.OwnersRequire2FAEnabled/g'
    rg -l '"project:create"' | xargs -n 1 sed -i '' 's/"project:create"/EventTag.Project.ProjectCreate/g'
    rg -l '"project:release:add"' | xargs -n 1 sed -i '' 's/"project:release:add"/EventTag.Project.ReleaseAdd/g'
    rg -l '"project:release:file:remove"' | xargs -n 1 sed -i '' 's/"project:release:file:remove"/EventTag.Project.ReleaseFileRemove/g'
    rg -l '"project:release:remove"' | xargs -n 1 sed -i '' 's/"project:release:remove"/EventTag.Project.ReleaseRemove/g'
    rg -l '"project:release:unyank"' | xargs -n 1 sed -i '' 's/"project:release:unyank"/EventTag.Project.ReleaseUnyank/g'
    rg -l '"project:release:yank"' | xargs -n 1 sed -i '' 's/"project:release:yank"/EventTag.Project.ReleaseYank/g'
    rg -l '"project:role:change"' | xargs -n 1 sed -i '' 's/"project:role:change"/EventTag.Project.RoleChange/g'
    rg -l '"project:role:create"' | xargs -n 1 sed -i '' 's/"project:role:create"/EventTag.Project.RoleCreate/g'
    rg -l '"project:role:delete"' | xargs -n 1 sed -i '' 's/"project:role:delete"/EventTag.Project.RoleDelete/g'
    rg -l '"project:role:invite"' | xargs -n 1 sed -i '' 's/"project:role:invite"/EventTag.Project.RoleInvite/g'
    rg -l '"project:role:revoke_invite"' | xargs -n 1 sed -i '' 's/"project:role:revoke_invite"/EventTag.Project.RoleRevokeInvite/g'
    rg -l '"project:team_project_role:change"' | xargs -n 1 sed -i '' 's/"project:team_project_role:change"/EventTag.Project.TeamProjectRoleChange/g'
    rg -l '"project:team_project_role:create"' | xargs -n 1 sed -i '' 's/"project:team_project_role:create"/EventTag.Project.TeamProjectRoleCreate/g'
    rg -l '"project:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"project:team_project_role:delete"/EventTag.Project.TeamProjectRoleDelete/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

Two legacy "project:*" tags are no longer used when recording events:

- "project:role:accepted"
- "project:role:add"
@divbzero
Enumerate "account:*" event tags
fd9a556 
Replaced "account:*" strings with EventTag.Account.* values:

    rg -l '"account:api_token:added"' | xargs -n 1 sed -i '' 's/"account:api_token:added"/EventTag.Account.APITokenAdded/g'
    rg -l '"account:api_token:removed"' | xargs -n 1 sed -i '' 's/"account:api_token:removed"/EventTag.Account.APITokenRemoved/g'
    rg -l '"account:api_token:removed_leak"' | xargs -n 1 sed -i '' 's/"account:api_token:removed_leak"/EventTag.Account.APITokenRemovedLeak/g'
    rg -l '"account:create"' | xargs -n 1 sed -i '' 's/"account:create"/EventTag.Account.AccountCreate/g'
    rg -l '"account:email:add"' | xargs -n 1 sed -i '' 's/"account:email:add"/EventTag.Account.EmailAdd/g'
    rg -l '"account:email:primary:change"' | xargs -n 1 sed -i '' 's/"account:email:primary:change"/EventTag.Account.EmailPrimaryChange/g'
    rg -l '"account:email:remove"' | xargs -n 1 sed -i '' 's/"account:email:remove"/EventTag.Account.EmailRemove/g'
    rg -l '"account:email:reverify"' | xargs -n 1 sed -i '' 's/"account:email:reverify"/EventTag.Account.EmailReverify/g'
    rg -l '"account:email:verified"' | xargs -n 1 sed -i '' 's/"account:email:verified"/EventTag.Account.EmailVerified/g'
    rg -l '"account:login:failure"' | xargs -n 1 sed -i '' 's/"account:login:failure"/EventTag.Account.LoginFailure/g'
    rg -l '"account:login:success"' | xargs -n 1 sed -i '' 's/"account:login:success"/EventTag.Account.LoginSuccess/g'
    rg -l '"account:organization_role:accepted"' | xargs -n 1 sed -i '' 's/"account:organization_role:accepted"/EventTag.Account.OrganizationRoleAccepted/g'
    rg -l '"account:organization_role:change"' | xargs -n 1 sed -i '' 's/"account:organization_role:change"/EventTag.Account.OrganizationRoleChange/g'
    rg -l '"account:organization_role:declined"' | xargs -n 1 sed -i '' 's/"account:organization_role:declined"/EventTag.Account.OrganizationRoleDeclined/g'
    rg -l '"account:organization_role:delete"' | xargs -n 1 sed -i '' 's/"account:organization_role:delete"/EventTag.Account.OrganizationRoleDelete/g'
    rg -l '"account:password:change"' | xargs -n 1 sed -i '' 's/"account:password:change"/EventTag.Account.PasswordChange/g'
    rg -l '"account:password:reset"' | xargs -n 1 sed -i '' 's/"account:password:reset"/EventTag.Account.PasswordReset/g'
    rg -l '"account:password:reset:attempt"' | xargs -n 1 sed -i '' 's/"account:password:reset:attempt"/EventTag.Account.PasswordResetAttempt/g'
    rg -l '"account:password:reset:request"' | xargs -n 1 sed -i '' 's/"account:password:reset:request"/EventTag.Account.PasswordResetRequest/g'
    rg -l '"account:recovery_codes:generated"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:generated"/EventTag.Account.RecoveryCodesGenerated/g'
    rg -l '"account:recovery_codes:regenerated"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:regenerated"/EventTag.Account.RecoveryCodesRegenerated/g'
    rg -l '"account:recovery_codes:used"' | xargs -n 1 sed -i '' 's/"account:recovery_codes:used"/EventTag.Account.RecoveryCodesUsed/g'
    rg -l '"account:role:create"' | xargs -n 1 sed -i '' 's/"account:role:create"/EventTag.Account.RoleCreate/g'
    rg -l '"account:role:invite"' | xargs -n 1 sed -i '' 's/"account:role:invite"/EventTag.Account.RoleInvite/g'
    rg -l '"account:team_role:add"' | xargs -n 1 sed -i '' 's/"account:team_role:add"/EventTag.Account.TeamRoleAdd/g'
    rg -l '"account:team_role:delete"' | xargs -n 1 sed -i '' 's/"account:team_role:delete"/EventTag.Account.TeamRoleDelete/g'
    rg -l '"account:two_factor:method_added"' | xargs -n 1 sed -i '' 's/"account:two_factor:method_added"/EventTag.Account.TwoFactorMethodAdded/g'
    rg -l '"account:two_factor:method_removed"' | xargs -n 1 sed -i ''
    's/"account:two_factor:method_removed"/EventTag.Account.TwoFactorMethodRemoved/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)

Three legacy "account:*" tags are no longer used when recording events:

- "account:email:sent"
- "account:reauthenticate:failure"
- "account:role:accepted"
@divbzero
Enumerate "organization:*" event tags
84c8656 
Replaced "organization:*" strings with EventTag.Organization.* values:

    rg -l '"organization:catalog_entry:add"' | xargs -n 1 sed -i '' 's/"organization:catalog_entry:add"/EventTag.Organization.CatalogEntryAdd/g'
    rg -l '"organization:approve"' | xargs -n 1 sed -i '' 's/"organization:approve"/EventTag.Organization.OrganizationApprove/g'
    rg -l '"organization:create"' | xargs -n 1 sed -i '' 's/"organization:create"/EventTag.Organization.OrganizationCreate/g'
    rg -l '"organization:decline"' | xargs -n 1 sed -i '' 's/"organization:decline"/EventTag.Organization.OrganizationDecline/g'
    rg -l '"organization:delete"' | xargs -n 1 sed -i '' 's/"organization:delete"/EventTag.Organization.OrganizationDelete/g'
    rg -l '"organization:rename"' | xargs -n 1 sed -i '' 's/"organization:rename"/EventTag.Organization.OrganizationRename/g'
    rg -l '"organization:organization_project:add"' | xargs -n 1 sed -i '' 's/"organization:organization_project:add"/EventTag.Organization.OrganizationProjectAdd/g'
    rg -l '"organization:organization_project:remove"' | xargs -n 1 sed -i '' 's/"organization:organization_project:remove"/EventTag.Organization.OrganizationProjectRemove/g'
    rg -l '"organization:organization_role:accepted"' | xargs -n 1 sed -i '' 's/"organization:organization_role:accepted"/EventTag.Organization.OrganizationRoleAccepted/g'
    rg -l '"organization:organization_role:change"' | xargs -n 1 sed -i '' 's/"organization:organization_role:change"/EventTag.Organization.OrganizationRoleChange/g'
    rg -l '"organization:organization_role:declined"' | xargs -n 1 sed -i '' 's/"organization:organization_role:declined"/EventTag.Organization.OrganizationRoleDeclined/g'
    rg -l '"organization:organization_role:delete"' | xargs -n 1 sed -i '' 's/"organization:organization_role:delete"/EventTag.Organization.OrganizationRoleDelete/g'
    rg -l '"organization:organization_role:invite"' | xargs -n 1 sed -i '' 's/"organization:organization_role:invite"/EventTag.Organization.OrganizationRoleInvite/g'
    rg -l '"organization:organization_role:revoke_invite"' | xargs -n 1 sed -i '' 's/"organization:organization_role:revoke_invite"/EventTag.Organization.OrganizationRoleRevokeInvite/g'
    rg -l '"organization:team:create"' | xargs -n 1 sed -i '' 's/"organization:team:create"/EventTag.Organization.TeamCreate/g'
    rg -l '"organization:team:delete"' | xargs -n 1 sed -i '' 's/"organization:team:delete"/EventTag.Organization.TeamDelete/g'
    rg -l '"organization:team_project_role:change"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:change"/EventTag.Organization.TeamProjectRoleChange/g'
    rg -l '"organization:team_project_role:create"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:create"/EventTag.Organization.TeamProjectRoleCreate/g'
    rg -l '"organization:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"organization:team_project_role:delete"/EventTag.Organization.TeamProjectRoleDelete/g'
    rg -l '"organization:team_role:add"' | xargs -n 1 sed -i '' 's/"organization:team_role:add"/EventTag.Organization.TeamRoleAdd/g'
    rg -l '"organization:team_role:delete"' | xargs -n 1 sed -i '' 's/"organization:team_role:delete"/EventTag.Organization.TeamRoleDelete/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)
@divbzero
Enumerate "team:*" event tags
718fe8c 
Replaced "team:*" strings with EventTag.Team.* values:

    rg -l '"team:create"' | xargs -n 1 sed -i '' 's/"team:create"/EventTag.Team.TeamCreate/g'
    rg -l '"team:delete"' | xargs -n 1 sed -i '' 's/"team:delete"/EventTag.Team.TeamDelete/g'
    rg -l '"team:team_project_role:change"' | xargs -n 1 sed -i '' 's/"team:team_project_role:change"/EventTag.Team.TeamProjectRoleChange/g'
    rg -l '"team:team_project_role:create"' | xargs -n 1 sed -i '' 's/"team:team_project_role:create"/EventTag.Team.TeamProjectRoleCreate/g'
    rg -l '"team:team_project_role:delete"' | xargs -n 1 sed -i '' 's/"team:team_project_role:delete"/EventTag.Team.TeamProjectRoleDelete/g'
    rg -l '"team:team_role:add"' | xargs -n 1 sed -i '' 's/"team:team_role:add"/EventTag.Team.TeamRoleAdd/g'
    rg -l '"team:team_role:delete"' | xargs -n 1 sed -i '' 's/"team:team_role:delete"/EventTag.Team.TeamRoleDelete/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)
@divbzero
Standardize use of "*:add" and "*:remove" for role events
4424fca 
"*:add" was already being used in "project:role:add" but there was also
inconsistent use of "project:role:accepted". Standardizing role events
to "*:add" and "*:remove" seemed to fit best with other events.

    rg -l RoleAccepted | xargs -n 1 sed -i '' 's/RoleAccepted/RoleAdd/g'
    rg -l RoleCreate | xargs -n 1 sed -i '' 's/RoleCreate/RoleAdd/g'
    rg -l RoleDelete | xargs -n 1 sed -i '' 's/RoleDelete/RoleRemove/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)
@divbzero
Standardize use of "*:decline_invite" for role events
369b1d4 
"*:decline_invite" seems to fit better with existing "*:revoke_invite"
tags for role events.

    rg -l RoleDeclined | xargs -n 1 sed -i '' 's/RoleDeclined/RoleDeclineInvite/g'

(Remove empty quotes '' if using GNU sed instead of BSD sed.)
@divbzero
Record missing role events
8923725 
There were several missing tags for role events:

- "account:organization_role:invite"
- "account:organization_role:revoke_invite"
- "account:role:change"
- "account:role:decline_invite"
- "account:role:remove"
- "account:role:revoke_invite"
- "project:role:decline_invite"

`Role` and `OrganizationRole` should have the following 6 event tags:

- "*:invite"
- "*:decline_invite"
- "*:revoke_invite"
- "*:add"
- "*:change"
- "*:remove"

`TeamProjectRole` should only have the following 3 event tags because
there are no invitations with for `TeamProjectRole`:

- "*:add"
- "*:change"
- "*:remove"

`TeamRole` should only have the following 2 event tags because there are
no invitations for `TeamRole` and only one `TeamRoleType`:

- "*:add"
- "*:remove"
@divbzero
Record missing rename events
0f7013e 
There were a couple missing rename events:

- "organization:team:rename"
- "team:rename"
@divbzero
Do not record owner invite event when creating org
7c42eeb
@divbzero
NFC: {<br> => display: block} in security logs
48cc17b
@divbzero
Add "Security history" for organizations
861a98a
@divbzero
Align left <th> in security logs
99786be
@divbzero
Add "Security history" for teams
7bdfd1c
@divbzero
Graceful fail if additional event field is missing
e940884 
Allowing `user_service.get_user` to accept `None` as input results in an
empty string instead of a hard error in the Jinja template.
@divbzero
Update "Security history" for projects
f253bb3 
Added missing event formatters for:

- "project:release:unyank"
- "project:role:invite"
- "project:role:decline_invite"
- "project:role:revoke_invite"
- "project:team_project_role:add"
- "project:team_project_role:remove"
- "project:team_project_role:change"
- "project:organization_project:add"
- "project:organization_project:remove"
- "project:oidc_provider:added"
- "project:oidc_provider:removed"

Also added links to release versions for all release events.
@divbzero
NFC: Comments reminding us to keep tags in sync
5367297
@divbzero divbzero force-pushed the feature/organization-event-history branch from 3825668 to 5367297 Compare October 14, 2022 20:21
@divbzero
Copy link
Contributor Author

This pull request should be reviewed second, after #12351 has been merged.

@divbzero divbzero requested a review from ewdurbin October 14, 2022 20:28
ewdurbin
ewdurbin approved these changes Oct 19, 2022
View reviewed changes
@ewdurbin ewdurbin merged commit 6b0d913 into pypi:main Oct 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ewdurbin ewdurbin ewdurbin approved these changes

Assignees
No one assigned
Labels
organizations
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Expose audit log of operations performed in an organization
2 participants
@divbzero @ewdurbin