security: Insert events for role change attempts
Created by: indradhanush
This commit adds two new security event types:
- RoleChangeDenied
- RoleChangeGranted
At the moment, if a user sends an API request to change a user's role to admin, for example, while they are already an admin, we will still end up recording an event for RoleChangeGranted (provided that all checks pass and the write to the database is successful). This is because we make no initial checks for current state before writing the new expected state to the database. Whether or not we want to add this check remains outside the scope of this commit and is subject to further deliberation.
Test Results
The following are the database entries in the security_event_logs table from using the SiteUserIsSiteAdmin API locally:
localhost sourcegraph@sourcegraph=# select * from security_event_logs order by id DESC limit 3;
┌─────┬───────────────────┬─────┬─────────┬───────────────────┬─────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬───────────┬──────────────────────────────────┐
│ id │ name │ url │ user_id │ anonymous_user_id │ source │ argument │ version │ timestamp │
├─────┼───────────────────┼─────┼─────────┼───────────────────┼─────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────┼──────────────────────────────────┤
│ 129 │ RoleChangeDenied │ │ 1 │ │ BACKEND │ {"by": 1, "to": "role_user", "for": 1, "from": "role_site_admin", "reason": "refusing to set current user site admin status"} │ 0.0.0+dev │ 2021-07-14 13:12:15.650317+05:30 │
│ 128 │ RoleChangeGranted │ │ 1 │ │ BACKEND │ {"by": 1, "to": "role_user", "for": 2, "from": "role_site_admin", "reason": ""} │ 0.0.0+dev │ 2021-07-14 13:11:53.84756+05:30 │
│ 127 │ RoleChangeGranted │ │ 1 │ │ BACKEND │ {"by": 1, "to": "role_site_admin", "for": 2, "from": "role_user", "reason": ""} │ 0.0.0+dev │ 2021-07-14 13:11:35.156653+05:30 │
└─────┴───────────────────┴─────┴─────────┴───────────────────┴─────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴───────────┴──────────────────────────────────┘
(3 rows)
Time: 0.193 ms
And the local timestamp when this was tested:
$ date
Wed Jul 14 01:12:34 PM IST 2021
COREAPP-100 COREAPP-140
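For anyone consuming these events, the following added example (not part of this commit or of the project's code) reads rows shaped like the test output above and reports every RoleChangeDenied, plus every RoleChangeGranted that repeats the role last granted to the same user, which is the case the commit message says is still recorded as granted. The `Event` type, the `Review` function, its output strings and row 130 are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event holds the id, name and argument columns of security_event_logs.
type Event struct{ ID int; Name, Argument string }

// SampleEvents: ids 127-129 copy the rows in the test output; id 130 is constructed.
var SampleEvents = []Event{
	{127, "RoleChangeGranted", `{"by": 1, "to": "role_site_admin", "for": 2, "from": "role_user", "reason": ""}`},
	{128, "RoleChangeGranted", `{"by": 1, "to": "role_user", "for": 2, "from": "role_site_admin", "reason": ""}`},
	{129, "RoleChangeDenied", `{"by": 1, "to": "role_user", "for": 1, "from": "role_site_admin", "reason": "refusing to set current user site admin status"}`},
	{130, "RoleChangeGranted", `{"by": 1, "to": "role_user", "for": 2, "from": "role_site_admin", "reason": ""}`},
}

// Review (hypothetical helper) expects events in ascending id order and returns
// "<id>:denied" or "<id>:repeated_grant" for each event worth a second look.
func Review(events []Event) ([]string, error) {
	lastGranted := map[int]string{} // target user id -> role last granted
	var out []string
	for _, ev := range events {
		if ev.Name != "RoleChangeDenied" && ev.Name != "RoleChangeGranted" {
			continue
		}
		var a struct {
			For int    `json:"for"`
			To  string `json:"to"`
		}
		if err := json.Unmarshal([]byte(ev.Argument), &a); err != nil {
			return nil, fmt.Errorf("event %d: bad argument JSON: %w", ev.ID, err)
		}
		if ev.Name == "RoleChangeDenied" {
			out = append(out, fmt.Sprintf("%d:denied", ev.ID))
			continue
		}
		if prev, ok := lastGranted[a.For]; ok && prev == a.To {
			out = append(out, fmt.Sprintf("%d:repeated_grant", ev.ID))
		}
		lastGranted[a.For] = a.To
	}
	return out, nil
}

func main() {
	fmt.Println(Review(SampleEvents))
}
```

The repeated-grant check compares successive "to" values for the same "for" user rather than "from" and "to" within one event, because the page does not say how "from" is populated when the role is already in the requested state.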