feat: Audit users.update API endpoint

.changeset/slow-ravens-tie.md

@@ -0,0 +1,8 @@
+---
+"@rocket.chat/meteor": minor
+"@rocket.chat/core-typings": minor
+"@rocket.chat/model-typings": minor
+"@rocket.chat/models": minor
+---
+
+Implements auditing events for `/v1/users.update` API endpoint

apps/meteor/app/api/server/v1/users.ts

@@ -28,6 +28,7 @@ import type { Filter } from 'mongodb';
 import { generatePersonalAccessTokenOfUser } from '../../../../imports/personal-access-tokens/server/api/methods/generateToken';
 import { regeneratePersonalAccessTokenOfUser } from '../../../../imports/personal-access-tokens/server/api/methods/regenerateToken';
 import { removePersonalAccessTokenOfUser } from '../../../../imports/personal-access-tokens/server/api/methods/removeToken';
+import { UserChangedAuditStore } from '../../../../server/lib/auditServerEvents/userChanged';
 import { i18n } from '../../../../server/lib/i18n';
 import { resetUserE2EEncriptionKey } from '../../../../server/lib/resetUserE2EKey';
 import { sendWelcomeEmail } from '../../../../server/lib/sendWelcomeEmail';
@@ -114,18 +115,24 @@ API.v1.addRoute(
 			if (userData.name && !validateNameChars(userData.name)) {
 				return API.v1.failure('Name contains invalid characters');
 			}
+			const auditStore = new UserChangedAuditStore({
+				_id: this.user._id,
+				ip: this.requestIp,
+				useragent: this.request.headers['user-agent'] || '',
+				username: this.user.username || '',
+			});
 
-			await saveUser(this.userId, userData);
+			await saveUser(this.userId, userData, { auditStore });
 
 			if (typeof this.bodyParams.data.active !== 'undefined') {
 				const {
 					userId,
 					data: { active },
 					confirmRelinquish,
 				} = this.bodyParams;
-
 				await executeSetUserActiveStatus(this.userId, userId, active, Boolean(confirmRelinquish));
 			}
+
 			const { fields } = await this.parseJsonQuery();
 
 			const user = await Users.findOneById(this.bodyParams.userId, { projection: fields });

apps/meteor/app/lib/server/functions/saveUser/saveUser.ts

@@ -1,4 +1,5 @@
 import { Apps, AppEvents } from '@rocket.chat/apps';
+import { MeteorError } from '@rocket.chat/core-services';
 import { isUserFederated } from '@rocket.chat/core-typings';
 import type { IUser, IRole, IUserSettings, RequiredField } from '@rocket.chat/core-typings';
 import { Users } from '@rocket.chat/models';
@@ -7,6 +8,7 @@ import type { ClientSession } from 'mongodb';
 
 import { callbacks } from '../../../../../lib/callbacks';
 import { wrapInSessionTransaction, onceTransactionCommitedSuccessfully } from '../../../../../server/database/utils';
+import type { UserChangedAuditStore } from '../../../../../server/lib/auditServerEvents/userChanged';
 import { hasPermissionAsync } from '../../../../authorization/server/functions/hasPermission';
 import { safeGetMeteorUser } from '../../../../utils/server/functions/safeGetMeteorUser';
 import { generatePassword } from '../../lib/generatePassword';
@@ -50,12 +52,17 @@ export type SaveUserData = {
 	sendWelcomeEmail?: boolean;
 
 	customFields?: Record<string, any>;
+	active?: boolean;
 };
 export type UpdateUserData = RequiredField<SaveUserData, '_id'>;
 export const isUpdateUserData = (params: SaveUserData): params is UpdateUserData => '_id' in params && !!params._id;
 
+type SaveUserOptions = {
+	auditStore?: UserChangedAuditStore;
+};
+
 const _saveUser = (session?: ClientSession) =>
-	async function (userId: IUser['_id'], userData: SaveUserData) {
+	async function (userId: IUser['_id'], userData: SaveUserData, options?: SaveUserOptions) {
 		const oldUserData = userData._id && (await Users.findOneById(userData._id));
 		if (oldUserData && isUserFederated(oldUserData)) {
 			throw new Meteor.Error('Edit_Federated_User_Not_Allowed', 'Not possible to edit a federated user');
@@ -81,10 +88,18 @@ const _saveUser = (session?: ClientSession) =>
 		}
 
 		if (!isUpdateUserData(userData)) {
-			// pass session?
+			// TODO audit new users
 			return saveNewUser(userData, sendPassword);
 		}
 
+		if (!oldUserData) {
+			throw new MeteorError('error-user-not-found', 'User not found', {
+				method: 'saveUser',
+			});
+		}
+
+		options?.auditStore?.setOriginalUser(oldUserData);
+
 		await validateUserEditing(userId, userData);
 
 		// update user
@@ -164,6 +179,16 @@ const _saveUser = (session?: ClientSession) =>
 		await Users.updateFromUpdater({ _id: userData._id }, updater, { session });
 
 		await onceTransactionCommitedSuccessfully(async () => {
+			if (session && options?.auditStore) {
+				// setting this inside here to avoid moving `executeSetUserActiveStatus` from the endpoint fn
+				// updater will be commited by this point, so it won't affect the external user activation/deactivation
+				if (userData.active !== undefined) {
+					updater.set('active', userData.active);
+				}
+				options.auditStore.setUpdateFilter(updater.getRawUpdateFilter());
+				void options.auditStore.commitAuditEvent();
+			}
+
 			// App IPostUserUpdated event hook
 			// We need to pass the session here to ensure this record is fetched
 			// with the uncommited transaction data.
@@ -209,5 +234,9 @@ export const saveUser = (() => {
 	if (!process.env.DEBUG_DISABLE_USER_AUDIT) {
 		return wrapInSessionTransaction(_saveUser);
 	}
-	return _saveUser();
+
+	const saveUserNoSession = _saveUser();
+	return function saveUser(userId: IUser['_id'], userData: SaveUserData, _options?: any) {
+		return saveUserNoSession(userId, userData);
+	};
 })();

apps/meteor/jest.config.ts

@@ -38,6 +38,7 @@ export default {
 				'<rootDir>/ee/server/patches/**/*.spec.ts',
 				'<rootDir>/app/cloud/server/functions/supportedVersionsToken/**.spec.ts',
 				'<rootDir>/app/utils/lib/**.spec.ts',
+				'<rootDir>/server/lib/auditServerEvents/**.spec.ts',
 				'<rootDir>/app/api/server/**.spec.ts',
 				'<rootDir>/app/api/server/middlewares/**.spec.ts',
 			],