`cad7ad5`

audit: webhook actions get their own enums + missing trails (SR2 H1+M4)

Pre-fix: webhook create/update overloaded ActionRepoCreated with
a meta.action discriminator. Webhook delete/toggle/ping/redeliver
were not audited at all — admin had no forensic record of who
disabled, deleted, or replayed a hook.

Post-fix:
- New audit actions: ActionWebhook{Created,Updated,Deleted,
ActiveSet,ActiveUnset,Pinged,Redelivered}.
- All 7 webhook handlers now audit, all attributed via
viewer.AuditActor so impersonation trails carry.
- Bonus: ActionAdminRepoForceUnarchived added in preparation for
SR2 H8 (split repoForceArchive into archive/unarchive).

Authored by

espadonne 3 days ago

SHA: cad7ad5e52c51035dd871b333d96ce7f2ab2f587
Parents: 03475a3
Tree: be99bf4

2 changed files

Status	File	+	-
M	`internal/auth/audit/audit.go`	25	13
M	`internal/web/handlers/repo/webhooks.go`	31	7

internal/auth/audit/audit.gomodified

  	ActionRepoForked            Action = "repo_forked"
  	ActionRepoForkSynced        Action = "repo_fork_synced"
++	// S33 / SR2 H1 — webhook lifecycle. Pre-SR2 webhook create/update
++	// overloaded ActionRepoCreated; delete/toggle/ping/redeliver were
++	// not audited at all. Each event now has its own enum.
++	ActionWebhookCreated     Action = "webhook_created"
++	ActionWebhookUpdated     Action = "webhook_updated"
++	ActionWebhookDeleted     Action = "webhook_deleted"
++	ActionWebhookActiveSet   Action = "webhook_active_set"
++	ActionWebhookActiveUnset Action = "webhook_active_unset"
++	ActionWebhookPinged      Action = "webhook_pinged"
++	ActionWebhookRedelivered Action = "webhook_redelivered"
++
  	// S34 — site admin actions. Always recorded with the real admin's
  	// id in actor_id; impersonation flows additionally carry the
  	// impersonated user's id in meta.impersonated_user_id.
--	ActionAdminSiteAdminGranted   Action = "admin_site_admin_granted"
++	ActionAdminSiteAdminGranted    Action = "admin_site_admin_granted"
--	ActionAdminSiteAdminRevoked   Action = "admin_site_admin_revoked"
++	ActionAdminSiteAdminRevoked    Action = "admin_site_admin_revoked"
--	ActionAdminUserSuspended      Action = "admin_user_suspended"
++	ActionAdminUserSuspended       Action = "admin_user_suspended"
--	ActionAdminUserUnsuspended    Action = "admin_user_unsuspended"
++	ActionAdminUserUnsuspended     Action = "admin_user_unsuspended"
--	ActionAdminUserForceDeleted   Action = "admin_user_force_deleted"
++	ActionAdminUserForceDeleted    Action = "admin_user_force_deleted"
--	ActionAdminUserPasswordReset  Action = "admin_user_password_reset"
++	ActionAdminUserPasswordReset   Action = "admin_user_password_reset"
--	ActionAdminRepoForceArchived  Action = "admin_repo_force_archived"
++	ActionAdminRepoForceArchived   Action = "admin_repo_force_archived"
--	ActionAdminRepoForceDeleted   Action = "admin_repo_force_deleted"
++	ActionAdminRepoForceUnarchived Action = "admin_repo_force_unarchived"
--	ActionAdminJobRetried         Action = "admin_job_retried"
++	ActionAdminRepoForceDeleted    Action = "admin_repo_force_deleted"
--	ActionAdminJobDiscarded       Action = "admin_job_discarded"
++	ActionAdminJobRetried          Action = "admin_job_retried"
--	ActionAdminImpersonateStarted Action = "admin_impersonate_started"
++	ActionAdminJobDiscarded        Action = "admin_job_discarded"
--	ActionAdminImpersonateStopped Action = "admin_impersonate_stopped"
++	ActionAdminImpersonateStarted  Action = "admin_impersonate_started"
--	ActionAdminImpersonateWriteOn Action = "admin_impersonate_write_on"
++	ActionAdminImpersonateStopped  Action = "admin_impersonate_stopped"
++	ActionAdminImpersonateWriteOn  Action = "admin_impersonate_write_on"
+ )
  // Target is a typed target-type constant.

internal/web/handlers/repo/webhooks.gomodified

  		}, friendlyWebhookError(err), "")
  		return
+ 	}
--	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_created", "webhook_id": created.ID, "url": params.URL})
++	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": created.ID, "url": params.URL})
  	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
--		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
++		audit.ActionWebhookCreated, audit.TargetRepo, row.ID,
  		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks?notice=saved", http.StatusSeeOther)
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
--	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_updated", "webhook_id": hook.ID})
++	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID})
  	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
--		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
++		audit.ActionWebhookUpdated, audit.TargetRepo, row.ID,
  		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
--	auditActor, auditMeta := viewer.AuditActor(map[string]any{"action": "webhook_deleted", "webhook_id": hook.ID})
++	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID, "url": hook.Url})
  	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
--		audit.ActionRepoCreated, audit.TargetRepo, row.ID,
++		audit.ActionWebhookDeleted, audit.TargetRepo, row.ID,
  		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks?notice=saved", http.StatusSeeOther)
+ }
  	if !ok {
  		return
+ 	}
++	newActive := !hook.Active
  	if err := webhook.SetActive(r.Context(), webhook.ManageDeps{
  		Pool: h.d.Pool, SecretBox: h.d.SecretBox,
--	}, hook.ID, !hook.Active); err != nil {
++	}, hook.ID, newActive); err != nil {
  		http.Error(w, "toggle failed", http.StatusInternalServerError)
  		return
+ 	}
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	action := audit.ActionWebhookActiveSet
++	if !newActive {
++		action = audit.ActionWebhookActiveUnset
++	}
++	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID})
++	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
++		action, audit.TargetRepo, row.ID,
++		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  	}, hook.ID); err != nil {
  		h.d.Logger.WarnContext(r.Context(), "webhook ping", "error", err)
+ 	}
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	auditActor, auditMeta := viewer.AuditActor(map[string]any{"webhook_id": hook.ID})
++	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
++		audit.ActionWebhookPinged, audit.TargetRepo, row.ID,
++		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"?notice=saved", http.StatusSeeOther)
+ }
  		http.Error(w, "redeliver failed", http.StatusInternalServerError)
  		return
+ 	}
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	auditActor, auditMeta := viewer.AuditActor(map[string]any{
++		"webhook_id":           hook.ID,
++		"original_delivery_id": originalID,
++		"new_delivery_id":      newID,
++	})
++	_ = h.d.Audit.Record(r.Context(), h.d.Pool, auditActor,
++		audit.ActionWebhookRedelivered, audit.TargetRepo, row.ID,
++		auditMeta)
  	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/webhooks/"+strconv.FormatInt(hook.ID, 10)+"/deliveries/"+strconv.FormatInt(newID, 10), http.StatusSeeOther)
+ }