Skip to content
This repository was archived by the owner on Sep 30, 2024. It is now read-only.

Add GitHub/GitLab logins (fail/success) to security events#43886

Merged
vrto merged 8 commits into
mainfrom
mv/auditlog/security-events/github-gitlub-login
Nov 7, 2022
Merged

Add GitHub/GitLab logins (fail/success) to security events#43886
vrto merged 8 commits into
mainfrom
mv/auditlog/security-events/github-gitlub-login

Conversation

@vrto

@vrto vrto commented Nov 3, 2022

Copy link
Copy Markdown
Contributor

Description

Add GitHub and GitLab logins to the security events (so that they automatically appear in the audit log as well).

The following events are added:

  • GithubAuthSucceeded
  • GithubAuthFailed
  • GitlabAuthSucceeded
  • GitlabAuthFailed

I decided not to add GitHubAuthAttempted/GitLabAuthAttempted because these can’t be tied to a specific actor, and we don’t want to log the only bit of identity (the access token) to the logs.

Test plan

  • GitHub/GitLab-specific logic was not expanded
  • the generic OAuth session code is a large untested monster component; I attempted to write a nice meaningful test but gave up after a couple of hours; similar to some work done before (tracing), the security events are not interfering with the main logic flow, they’re merely decorating known states with additional I/O
  • attaching GIFs proving the local testing went well

GitHub successful login:
GitHub_Success

GitHub failed login
GitHub_Fail

GitLab works, too
Gitlab_Succcess

@cla-bot cla-bot Bot added the cla-signed label Nov 3, 2022
@sourcegraph-bot

sourcegraph-bot commented Nov 3, 2022
edited
Loading

Copy link
Copy Markdown
Contributor

Codenotify: Notifying subscribers in CODENOTIFY files for diff 79ed283...fe7899b.

Notify File(s)
@unknwon enterprise/cmd/frontend/internal/auth/githuboauth/session.go
enterprise/cmd/frontend/internal/auth/gitlaboauth/session.go
enterprise/cmd/frontend/internal/auth/oauth/session.go

@vrto vrto requested a review from a team November 3, 2022 17:07
vrto
vrto commented Nov 3, 2022
View reviewed changes
Comment thread enterprise/cmd/frontend/internal/auth/oauth/session.go
vrto
vrto commented Nov 3, 2022
View reviewed changes
Comment thread enterprise/cmd/frontend/internal/auth/oauth/session.go Outdated
http.Error(w, safeErrMsg, http.StatusInternalServerError)
db.SecurityEventLogs().LogEvent(ctx, &database.SecurityEvent{
Name: s.AuthFailedEventName(),
URL: r.URL.Path,

@vrto vrto Nov 3, 2022

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that we don't want the entire URL as it contains sensitive OAuth query parameters

@unknwon unknwon Nov 4, 2022

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you put the above as a code comment, I can imagine someone unaware of this making a PR to "fix missing full URL" and approved by someone who is also unware of this 🤣

unknwon
unknwon approved these changes Nov 4, 2022
View reviewed changes

@unknwon unknwon left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approve to unblock 👍

(Please also remove the period (.) in the PR title, as it would probably become the commit title 😄 )

Comment thread enterprise/cmd/frontend/internal/auth/oauth/session.go Outdated
http.Error(w, safeErrMsg, http.StatusInternalServerError)
db.SecurityEventLogs().LogEvent(ctx, &database.SecurityEvent{
Name: s.AuthFailedEventName(),
URL: r.URL.Path,

@unknwon unknwon Nov 4, 2022

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you put the above as a code comment, I can imagine someone unaware of this making a PR to "fix missing full URL" and approved by someone who is also unware of this 🤣

Comment thread enterprise/cmd/frontend/internal/auth/oauth/session.go
Name: s.AuthFailedEventName(),
URL: r.URL.Path,
AnonymousUserID: anonymousId,
Source: "BACKEND",

@unknwon unknwon Nov 4, 2022

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have lost context on how we define our source, but this one seems to be "WEB"?

@vrto vrto Nov 7, 2022

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually tried to dig it up, and it all seems just "BACKEND". We only use "WEB" in the tests. I agree that "WEB" actually sounds reasonable, though 🤔 I'll leave it be but if you have any additional context I'm happy to follow up with additional PR.

Comment thread enterprise/cmd/frontend/internal/auth/oauth/session.go Outdated
Comment thread enterprise/cmd/frontend/internal/auth/oauth/session.go
Comment thread internal/database/security_event_logs.go Outdated
@vrto vrto changed the title Add GitHub/GitLab logins (fail/success) to security events. Add GitHub/GitLab logins (fail/success) to security events Nov 7, 2022
@vrto vrto merged commit d811747 into main Nov 7, 2022
@vrto vrto deleted the mv/auditlog/security-events/github-gitlub-login branch November 7, 2022 19:16
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@bobheadxi bobheadxi bobheadxi left review comments

@unknwon unknwon unknwon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vrto @sourcegraph-bot @unknwon @bobheadxi