`cad7ad5`

audit: webhook actions get their own enums + missing trails (SR2 H1+M4)

Pre-fix: webhook create/update overloaded ActionRepoCreated with
a meta.action discriminator. Webhook delete/toggle/ping/redeliver
were not audited at all — admin had no forensic record of who
disabled, deleted, or replayed a hook.

Post-fix:
- New audit actions: ActionWebhook{Created,Updated,Deleted,
ActiveSet,ActiveUnset,Pinged,Redelivered}.
- All 7 webhook handlers now audit, all attributed via
viewer.AuditActor so impersonation trails carry.
- Bonus: ActionAdminRepoForceUnarchived added in preparation for
SR2 H8 (split repoForceArchive into archive/unarchive).

Authored by

espadonne 3 days ago

SHA: cad7ad5e52c51035dd871b333d96ce7f2ab2f587
Parents: 03475a3
Tree: be99bf4

2 changed files

Status	File	+	-
M	`internal/auth/audit/audit.go`	25	13
M	`internal/web/handlers/repo/webhooks.go`	31	7

internal/auth/audit/audit.gomodified

  	ActionRepoForked            Action = "repo_forked"
  	ActionRepoForkSynced        Action = "repo_fork_synced"
 +	// S33 / SR2 H1 — webhook lifecycle. Pre-SR2 webhook create/update
 +	// overloaded ActionRepoCreated; delete/toggle/ping/redeliver were
 +	// not audited at all. Each event now has its own enum.
 +	ActionWebhookCreated     Action = "webhook_created"
 +	ActionWebhookUpdated     Action = "webhook_updated"
 +	ActionWebhookDeleted     Action = "webhook_deleted"
 +	ActionWebhookActiveSet   Action = "webhook_active_set"
 +	ActionWebhookActiveUnset Action = "webhook_active_unset"
 +	ActionWebhookPinged      Action = "webhook_pinged"
 +	ActionWebhookRedelivered Action = "webhook_redelivered"
++
  	// S34 — site admin actions. Always recorded with the real admin's
  	// id in actor_id; impersonation flows additionally carry the
  	// impersonated user's id in meta.impersonated_user_id.
 -	ActionAdminSiteAdminGranted   Action = "admin_site_admin_granted"
 -	ActionAdminSiteAdminRevoked   Action = "admin_site_admin_revoked"
 -	ActionAdminUserSuspended      Action = "admin_user_suspended"
 -	ActionAdminUserUnsuspended    Action = "admin_user_unsuspended"
 -	ActionAdminUserForceDeleted   Action = "admin_user_force_deleted"
 -	ActionAdminUserPasswordReset  Action = "admin_user_password_reset"
 -	ActionAdminRepoForceArchived  Action = "admin_repo_force_archived"
 -	ActionAdminRepoForceDeleted   Action = "admin_repo_force_deleted"
 -	ActionAdminJobRetried         Action = "admin_job_retried"
 -	ActionAdminJobDiscarded       Action = "admin_job_discarded"
 -	ActionAdminImpersonateStarted Action = "admin_impersonate_started"
 -	ActionAdminImpersonateStopped Action = "admin_impersonate_stopped"
 -	ActionAdminImpersonateWriteOn Action = "admin_impersonate_write_on"
 +	ActionAdminSiteAdminGranted    Action = "admin_site_admin_granted"
 +	ActionAdminSiteAdminRevoked    Action = "admin_site_admin_revoked"
 +	ActionAdminUserSuspended       Action = "admin_user_suspended"
 +	ActionAdminUserUnsuspended     Action = "admin_user_unsuspended"
 +	ActionAdminUserForceDeleted    Action = "admin_user_force_deleted"
 +	ActionAdminUserPasswordReset   Action = "admin_user_password_reset"
 +	ActionAdminRepoForceArchived   Action = "admin_repo_force_archived"
 +	ActionAdminRepoForceUnarchived Action = "admin_repo_force_unarchived"
 +	ActionAdminRepoForceDeleted    Action = "admin_repo_force_deleted"
 +	ActionAdminJobRetried          Action = "admin_job_retried"
 +	ActionAdminJobDiscarded        Action = "admin_job_discarded"
 +	ActionAdminImpersonateStarted  Action = "admin_impersonate_started"
 +	ActionAdminImpersonateStopped  Action = "admin_impersonate_stopped"
 +	ActionAdminImpersonateWriteOn  Action = "admin_impersonate_write_on"
+ )
  // Target is a typed target-type constant.

internal/web/handlers/repo/webhooks.gomodified

  		}, friendlyWebhookError(err), "")
  		return
+ 	}
 -	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_created", "webhook_id": created.ID, "url": params.URL})
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": created.ID, "url": params.URL})
  	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
 -		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 +		audit.ActionWebhookCreated, audit.TargetRepo, row.ID,
  		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks?notice=saved", http.StatusSeeOther)
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_updated", "webhook_id": hook.ID})
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID})
  	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
 -		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 +		audit.ActionWebhookUpdated, audit.TargetRepo, row.ID,
  		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_deleted", "webhook_id": hook.ID})
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID, "url": hook.Url})
  	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
 -		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
 +		audit.ActionWebhookDeleted, audit.TargetRepo, row.ID,
  		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks?notice=saved", http.StatusSeeOther)
+ }
  	if !ok {
  		return
+ 	}
 +	newActive := !hook.Active
  	if err := webhook.SetActive(r.Context(), webhook.ManageDeps{
  		Pool: h.d.Pool, SecretBox: h.d.SecretBox,
 -	}, hook.ID, !hook.Active); err != nil {
 +	}, hook.ID, newActive); err != nil {
  		http.Error(w, "toggle failed", http.StatusInternalServerError)
  		return
+ 	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	action := audit.ActionWebhookActiveSet
 +	if !newActive {
 +		action = audit.ActionWebhookActiveUnset
 +	}
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
 +		action, audit.TargetRepo, row.ID,
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  	}, hook.ID); err != nil {
  		h.d.Logger.WarnContext(r.Context(), "webhook ping", "error", err)
+ 	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
 +		audit.ActionWebhookPinged, audit.TargetRepo, row.ID,
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  		http.Error(w, "redeliver failed", http.StatusInternalServerError)
  		return
+ 	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	auditActor, auditMeta := viewer.AuditActor(map[string]any{
 +		"webhook_id":           hook.ID,
 +		"original_delivery_id": originalID,
 +		"new_delivery_id":      newID,
 +	})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
 +		audit.ActionWebhookRedelivered, audit.TargetRepo, row.ID,
 +		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"/deliveries/"+strconv.FormatInt(newID, 10), http.StatusSeeOther)
+ }