[server] audit log service

Author: svenefftinge

.devcontainer/Dockerfile

@@ -294,19 +294,19 @@ RUN mkdir -p ~/.terraform \
 ## Java
 ENV JAVA_VERSION=11.0.23.fx-zulu
 RUN curl -fsSL "https://get.sdkman.io" | bash \
-&& bash -c ". /root/.sdkman/bin/sdkman-init.sh \
-            && sed -i 's/sdkman_selfupdate_enable=true/sdkman_selfupdate_enable=false/g' /root/.sdkman/etc/config \
-            && sed -i 's/sdkman_selfupdate_feature=true/sdkman_selfupdate_feature=false/g' /root/.sdkman/etc/config \
-            && sdk install java ${JAVA_VERSION} \
-            && sdk default java ${JAVA_VERSION} \
-            && sdk install gradle \
-            && sdk install maven \
-            && sdk flush archives \
-            && sdk flush temp \
-            && mkdir /root/.m2 \
-            && printf '<settings>\n  <localRepository>/workspace/m2-repository/</localRepository>\n</settings>\n' > /root/.m2/settings.xml \
-            && echo 'export SDKMAN_DIR=\"/root/.sdkman\"' >> /root/.bashrc.d/99-java \
-            && echo '[[ -s \"/root/.sdkman/bin/sdkman-init.sh\" ]] && source \"/root/.sdkman/bin/sdkman-init.sh\"' >> /root/.bashrc.d/99-java"
+    && bash -c ". /root/.sdkman/bin/sdkman-init.sh \
+    && sed -i 's/sdkman_selfupdate_enable=true/sdkman_selfupdate_enable=false/g' /root/.sdkman/etc/config \
+    && sed -i 's/sdkman_selfupdate_feature=true/sdkman_selfupdate_feature=false/g' /root/.sdkman/etc/config \
+    && sdk install java ${JAVA_VERSION} \
+    && sdk default java ${JAVA_VERSION} \
+    && sdk install gradle \
+    && sdk install maven \
+    && sdk flush archives \
+    && sdk flush temp \
+    && mkdir /root/.m2 \
+    && printf '<settings>\n  <localRepository>/workspace/m2-repository/</localRepository>\n</settings>\n' > /root/.m2/settings.xml \
+    && echo 'export SDKMAN_DIR=\"/root/.sdkman\"' >> /root/.bashrc.d/99-java \
+    && echo '[[ -s \"/root/.sdkman/bin/sdkman-init.sh\" ]] && source \"/root/.sdkman/bin/sdkman-init.sh\"' >> /root/.bashrc.d/99-java"
 # above, we are adding the sdkman init to .bashrc (executing sdkman-init.sh does that), because one is executed on interactive shells, the other for non-interactive shells (e.g. plugin-host)
 ENV GRADLE_USER_HOME=/workspace/.gradle/
 
@@ -317,12 +317,28 @@ ENV PATH=/root/.nvm/versions/node/v${NODE_VERSION}/bin:/root/.yarn/bin:${PNPM_HO
 ENV HOME=/root
 RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \
     && bash -c ". $HOME/.nvm/nvm.sh \
-        && nvm install v${NODE_VERSION} \
-        && nvm alias default v${NODE_VERSION} \
-        && npm install -g typescript yarn pnpm node-gyp"
+    && nvm install v${NODE_VERSION} \
+    && nvm alias default v${NODE_VERSION} \
+    && npm install -g typescript yarn pnpm node-gyp"
 
 ENV PATH=$PATH:/root/.aws-iam:/root/.terraform:/workspace/bin
 
+# install spicedb and dependencies
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    ca-certificates \
+    netcat \
+    gpg
+
+# Add and trust the SpiceDB apt source
+RUN curl https://pkg.authzed.com/apt/gpg.key | apt-key add - && \
+    sh -c 'echo "deb https://pkg.authzed.com/apt/ * *" > /etc/apt/sources.list.d/authzed.list' && \
+    apt-get update
+
+# Install SpiceDB
+RUN apt-get install -y spicedb zed
+
 # Install pre-commit hooks under /workspace during prebuilds
 ENV PRE_COMMIT_HOME=/workspace/.pre-commit
 

.devcontainer/devcontainer.json

@@ -19,6 +19,7 @@
             "installDockerComposeSwitch": false
         }
     },
+    "onCreateCommand": "yarn && yarn build",
     "customizations": {
         "vscode": {
             "extensions": [

.gitignore

@@ -31,6 +31,8 @@ components/versions/versions.json
 .helm-chart-release
 *.tgz
 
+components/public-api/java/bin
+
 # Symbolic links created by scripts for building docker images
 /.dockerignore
 

components/gitpod-db/src/audit-log-db.ts

@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2024 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { AuditLog } from "@gitpod/gitpod-protocol/lib/audit-log";
+
+export const AuditLogDB = Symbol("AuditLogDB");
+
+export interface AuditLogDB {
+    /**
+     *  Records an audit log entry.
+     *
+     * @param logEntry
+     */
+    recordAuditLog(logEntry: AuditLog): Promise<void>;
+
+    /**
+     * Lists audit logs.
+     *
+     * @param organizationId
+     * @param params
+     */
+    listAuditLogs(
+        organizationId: string,
+        params?: {
+            from?: string;
+            to?: string;
+            actorId?: string;
+            action?: string;
+            pagination?: {
+                offset?: number;
+                // must not be larger than 250, default is 100
+                limit?: number;
+            };
+        },
+    ): Promise<AuditLog[]>;
+
+    /**
+     * Purges audit logs older than the given date.
+     *
+     * @param before ISO 8601 date string
+     */
+    purgeAuditLogs(before: string, organizationId?: string): Promise<number>;
+}

components/gitpod-db/src/container-module.ts

@@ -45,6 +45,8 @@ import { LinkedInProfileDB } from "./linked-in-profile-db";
 import { DataCache, DataCacheNoop } from "./data-cache";
 import { TracingManager } from "@gitpod/gitpod-protocol/lib/util/tracing";
 import { EncryptionService, GlobalEncryptionService } from "@gitpod/gitpod-protocol/lib/encryption/encryption-service";
+import { AuditLogDB } from "./audit-log-db";
+import { AuditLogDBImpl } from "./typeorm/audit-log-db-impl";
 
 // THE DB container module that contains all DB implementations
 export const dbContainerModule = (cacheClass = DataCacheNoop) =>
@@ -112,6 +114,9 @@ export const dbContainerModule = (cacheClass = DataCacheNoop) =>
         bind(PersonalAccessTokenDBImpl).toSelf().inSingletonScope();
         bind(PersonalAccessTokenDB).toService(PersonalAccessTokenDBImpl);
 
+        bind(AuditLogDBImpl).toSelf().inSingletonScope();
+        bind(AuditLogDB).toService(AuditLogDBImpl);
+
         // com concerns
         bind(EmailDomainFilterDB).to(EmailDomainFilterDBImpl).inSingletonScope();
         bind(LinkedInProfileDBImpl).toSelf().inSingletonScope();

components/gitpod-db/src/typeorm/audit-log-db-impl.ts

@@ -0,0 +1,75 @@
+/**
+ * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { inject, injectable } from "inversify";
+import { TypeORM } from "./typeorm";
+
+import { AuditLog } from "@gitpod/gitpod-protocol/lib/audit-log";
+import { Between, FindConditions, LessThan, Repository } from "typeorm";
+import { AuditLogDB } from "../audit-log-db";
+import { DBAuditLog } from "./entity/db-audit-log";
+
+@injectable()
+export class AuditLogDBImpl implements AuditLogDB {
+    @inject(TypeORM) typeORM: TypeORM;
+
+    private async getEntityManager() {
+        return (await this.typeORM.getConnection()).manager;
+    }
+
+    private async getRepo(): Promise<Repository<DBAuditLog>> {
+        return (await this.getEntityManager()).getRepository(DBAuditLog);
+    }
+
+    async recordAuditLog(logEntry: AuditLog): Promise<void> {
+        const repo = await this.getRepo();
+        await repo.insert(logEntry);
+    }
+
+    async listAuditLogs(
+        organizationId: string,
+        params?:
+            | {
+                  from?: string | undefined;
+                  to?: string | undefined;
+                  actorId?: string | undefined;
+                  action?: string | undefined;
+                  pagination?: { offset?: number | undefined; limit?: number | undefined };
+              }
+            | undefined,
+    ): Promise<AuditLog[]> {
+        const repo = await this.getRepo();
+        const where: FindConditions<DBAuditLog> = {
+            organizationId,
+        };
+        if (params?.from && params?.to) {
+            where.timestamp = Between(params.from, params.to);
+        }
+        if (params?.actorId) {
+            where.actorId = params.actorId;
+        }
+        if (params?.action) {
+            where.action = params.action;
+        }
+        return repo.find({
+            where,
+            skip: params?.pagination?.offset,
+            take: params?.pagination?.limit,
+        });
+    }
+
+    async purgeAuditLogs(before: string, organizationId?: string): Promise<number> {
+        const repo = await this.getRepo();
+        const findConditions: FindConditions<DBAuditLog> = {
+            timestamp: LessThan(before),
+        };
+        if (organizationId) {
+            findConditions.organizationId = organizationId;
+        }
+        const result = await repo.delete(findConditions);
+        return result.affected ?? 0;
+    }
+}

components/gitpod-db/src/typeorm/entity/db-audit-log.ts

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { Entity, Column, PrimaryColumn } from "typeorm";
+import { TypeORM } from "../typeorm";
+import { AuditLog } from "@gitpod/gitpod-protocol/lib/audit-log";
+
+@Entity()
+export class DBAuditLog implements AuditLog {
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    id: string;
+
+    @Column("varchar")
+    timestamp: string;
+
+    @Column("varchar")
+    organizationId: string;
+
+    @Column("varchar")
+    actorId: string;
+
+    @Column("varchar")
+    action: string;
+
+    @Column("simple-json")
+    args: object[];
+}

components/gitpod-db/src/typeorm/migration/1718628014741-AddAuditLogs.ts

@@ -0,0 +1,31 @@
+/**
+ * Copyright (c) 2024 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+import { tableExists } from "./helper/helper";
+
+export class AddAuditLogs1718628014741 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        if (!(await tableExists(queryRunner, "d_b_audit_log"))) {
+            await queryRunner.query(
+                `CREATE TABLE d_b_audit_log (
+                    id VARCHAR(36) PRIMARY KEY NOT NULL,
+                    timestamp VARCHAR(30) NOT NULL,
+                    organizationId VARCHAR(36) NOT NULL,
+                    actorId VARCHAR(36) NOT NULL,
+                    action VARCHAR(128) NOT NULL,
+                    args JSON NOT NULL
+                )`,
+            );
+            await queryRunner.query("CREATE INDEX `ind_organizationId` ON `d_b_audit_log` (organizationId)");
+            await queryRunner.query("CREATE INDEX `ind_timestamp` ON `d_b_audit_log` (timestamp)");
+            await queryRunner.query("CREATE INDEX `ind_actorId` ON `d_b_audit_log` (actorId)");
+            await queryRunner.query("CREATE INDEX `ind_action` ON `d_b_audit_log` (action)");
+        }
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {}
+}

components/gitpod-protocol/src/audit-log.ts

@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) 2024 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+export interface AuditLog {
+    id: string;
+    timestamp: string;
+    action: string;
+    organizationId: string;
+    actorId: string;
+    args: object[];
+}

components/server/src/api/server.ts

@@ -62,6 +62,7 @@ import { InstallationService } from "@gitpod/public-api/lib/gitpod/v1/installati
 import { RateLimitter } from "../rate-limitter";
 import { TokenServiceAPI } from "./token-service-api";
 import { TokenService } from "@gitpod/public-api/lib/gitpod/v1/token_connect";
+import { AuditLogService } from "../audit/AuditLogService";
 
 decorate(injectable(), PublicAPIConverter);
 
@@ -92,6 +93,7 @@ export class API {
     @inject(VerificationServiceAPI) private readonly verificationServiceApi: VerificationServiceAPI;
     @inject(InstallationServiceAPI) private readonly installationServiceApi: InstallationServiceAPI;
     @inject(RateLimitter) private readonly rateLimitter: RateLimitter;
+    @inject(AuditLogService) private readonly auditLogService: AuditLogService;
 
     listenPrivate(): http.Server {
         const app = express();
@@ -299,6 +301,17 @@ export class API {
                                 try {
                                     const promise = await apply<Promise<any>>();
                                     const result = await promise;
+                                    if (subjectId) {
+                                        try {
+                                            self.auditLogService.recordAuditLog(
+                                                subjectId!.userId()!,
+                                                requestContext.requestMethod,
+                                                args,
+                                            );
+                                        } catch (error) {
+                                            log.error("Failed to record audit log", error);
+                                        }
+                                    }
                                     done();
                                     return result;
                                 } catch (e) {