`a4f4d82`

audit: thread RealActorID through repo settings + webhook recordings (SR2 H2)

Substitutes (viewer.ID, raw_meta) with viewer.AuditActor(raw_meta)
at every non-admin Audit.Record callsite in repo/settings_*.go and
repo/webhooks.go. During an impersonated session the row is now
attributed to the real admin and the impersonated user_id lands in
meta — uniform with the existing /admin/* trail.

admin/helpers.recordAdminAction also moves to AuditActor for one
canonical substitution point.

Authored by

espadonne 3 days ago

SHA: a4f4d8200bec061c2422b0b34ac3c9828c9fa1ab
Parents: 81e12ae
Tree: a6cc19c

4 changed files

Status	File	+	-
M	`internal/web/handlers/admin/helpers.go`	5	11
M	`internal/web/handlers/repo/settings_branches.go`	12	8
M	`internal/web/handlers/repo/settings_general.go`	18	12
M	`internal/web/handlers/repo/webhooks.go`	9	6

internal/web/handlers/admin/helpers.gomodified

  // recordAdminAction writes an audit row attributed to the current
  // site admin, with optional impersonation-target metadata so post-
  // incident forensics has both the real actor and the impersonated id.
 +//
 +// The (actorID, meta) substitution lives on middleware.CurrentUser
 +// so non-admin handlers can record uniform impersonation trails
 +// (SR2 H2).
  func (h *Handlers) recordAdminAction(r *http.Request, action audit.Action, target audit.Target, targetID int64, meta map[string]any) {
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actorID := viewer.ID
 -	if viewer.RealActorID != 0 {
 -		// Inside an impersonated session, the "real" admin id was
 -		// stashed before the binding swap. Use that for actor_id and
 -		// keep the impersonated id in meta.
 -		actorID = viewer.RealActorID
 -		if meta == nil {
 -			meta = map[string]any{}
 -		}
 -		meta["impersonated_user_id"] = viewer.ImpersonatedUserID
 -	}
 +	actorID, meta := viewer.AuditActor(meta)
  	if err := h.d.Audit.Record(r.Context(), h.d.Pool, actorID, action, target, targetID, meta); err != nil && h.d.Logger != nil {
  		h.d.Logger.WarnContext(r.Context(), "admin: audit write", "error", err, "action", string(action))
+ 	}

internal/web/handlers/repo/settings_branches.gomodified

  		}); err != nil {
  			h.d.Logger.WarnContext(r.Context(), "branch-protection: check settings", "error", err)
+ 		}
 -		_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +		auditActor, auditMeta := viewer.AuditActor(map[string]any{"branch_protection_rule_id": newID, "pattern": pattern, "action": "create"})
 +		_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  			audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -			map[string]any{"branch_protection_rule_id": newID, "pattern": pattern, "action": "create"})
 +			auditMeta)
  	} else {
  		// Update.
  		id, err := strconv.ParseInt(idStr, 10, 64)
  		}); err != nil {
  			h.d.Logger.WarnContext(r.Context(), "branch-protection: check settings", "error", err)
+ 		}
 -		_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +		auditActor, auditMeta := viewer.AuditActor(map[string]any{"branch_protection_rule_id": id, "pattern": pattern, "action": "update"})
 +		_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  			audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -			map[string]any{"branch_protection_rule_id": id, "pattern": pattern, "action": "update"})
 +			auditMeta)
+ 	}
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/branches?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"branch_protection_rule_id": id, "pattern": existing.Pattern, "action": "delete"})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"branch_protection_rule_id": id, "pattern": existing.Pattern, "action": "delete"})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/branches?notice=deleted", http.StatusSeeOther)
+ }
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "default_branch_changed", "from": row.DefaultBranch, "to": newDefault})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "default_branch_changed", "from": row.DefaultBranch, "to": newDefault})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/branches?notice=default-changed", http.StatusSeeOther)
+ }

internal/web/handlers/repo/settings_general.gomodified

+ 		}
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "general_settings_updated"})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "general_settings_updated"})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/general?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "merge_settings_updated"})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "merge_settings_updated"})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/general?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	policy.InvalidateRepo(r.Context(), row.ID)
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "collaborator_added", "user": username, "role": string(role)})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "collaborator_added", "user": username, "role": string(role)})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/access?notice=saved", http.StatusSeeOther)
+ }
+ 	}
  	policy.InvalidateRepo(r.Context(), row.ID)
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "collaborator_removed", "user_id": uid})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "collaborator_removed", "user_id": uid})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/access?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	policy.InvalidateRepo(r.Context(), row.ID)
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "team_grant_added", "team_id": teamID, "role": string(role)})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "team_grant_added", "team_id": teamID, "role": string(role)})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/access?notice=saved", http.StatusSeeOther)
+ }
+ 	}
  	policy.InvalidateRepo(r.Context(), row.ID)
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "team_grant_removed", "team_id": teamID})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "team_grant_removed", "team_id": teamID})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/access?notice=saved", http.StatusSeeOther)
+ }

internal/web/handlers/repo/webhooks.gomodified

  		}, friendlyWebhookError(err), "")
  		return
+ 	}
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_created", "webhook_id": created.ID, "url": params.URL})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "webhook_created", "webhook_id": created.ID, "url": params.URL})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_updated", "webhook_id": hook.ID})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "webhook_updated", "webhook_id": hook.ID})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_deleted", "webhook_id": hook.ID})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
  		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 -		map[string]any{"action": "webhook_deleted", "webhook_id": hook.ID})
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks?notice=saved", http.StatusSeeOther)
+ }