Introduce single source of truth for audit events

Audit events are generated in multiple modules and classes within ccng. This makes it difficult to get an overview of the available audit events. This refactoring introduces a new event_types class which contains all audit events. This allows to list all types in the docs.
cloudfoundry · Nov 6, 2023 · 7c99761 · 7c99761
1 parent 5c6c640
commit 7c99761
Show file tree

Hide file tree

Showing 31 changed files with 721 additions and 238 deletions.
diff --git a/app/actions/role_create.rb b/app/actions/role_create.rb
@@ -19,13 +19,13 @@ def create_space_role(type:, user:, space:)
 
       case type
       when RoleTypes::SPACE_AUDITOR
-        create_space_auditor(user, space)
+        create_space_auditor(user, space, type)
       when RoleTypes::SPACE_DEVELOPER
-        create_space_developer(user, space)
+        create_space_developer(user, space, type)
       when RoleTypes::SPACE_MANAGER
-        create_space_manager(user, space)
+        create_space_manager(user, space, type)
       when RoleTypes::SPACE_SUPPORTER
-        create_space_supporter(user, space)
+        create_space_supporter(user, space, type)
       else
         error!("Role type '#{type}' is invalid.")
       end
@@ -39,13 +39,13 @@ def create_organization_role(type:, user:, organization:)
 
       case type
       when RoleTypes::ORGANIZATION_USER
-        create_organization_user(user, organization)
+        create_organization_user(user, organization, type)
       when RoleTypes::ORGANIZATION_AUDITOR
-        create_organization_auditor(user, organization)
+        create_organization_auditor(user, organization, type)
       when RoleTypes::ORGANIZATION_MANAGER
-        create_organization_manager(user, organization)
+        create_organization_manager(user, organization, type)
       when RoleTypes::ORGANIZATION_BILLING_MANAGER
-        create_organization_billing_manager(user, organization)
+        create_organization_billing_manager(user, organization, type)
       else
         error!("Role type '#{type}' is invalid.")
       end
@@ -59,54 +59,46 @@ def event_repo
       @event_repo ||= Repositories::UserEventRepository.new
     end
 
-    def create_space_auditor(user, space)
-      record_space_event(space, user, 'auditor')
+    def create_space_auditor(user, space, role_type)
+      event_repo.record_space_role_add(space, user, role_type, @user_audit_info, @message.audit_hash)
       SpaceAuditor.create(user_id: user.id, space_id: space.id)
     end
 
-    def create_space_developer(user, space)
-      record_space_event(space, user, 'developer')
+    def create_space_developer(user, space, role_type)
+      event_repo.record_space_role_add(space, user, role_type, @user_audit_info, @message.audit_hash)
       SpaceDeveloper.create(user_id: user.id, space_id: space.id)
     end
 
-    def create_space_manager(user, space)
-      record_space_event(space, user, 'manager')
+    def create_space_manager(user, space, role_type)
+      event_repo.record_space_role_add(space, user, role_type, @user_audit_info, @message.audit_hash)
       SpaceManager.create(user_id: user.id, space_id: space.id)
     end
 
-    def create_space_supporter(user, space)
-      record_space_event(space, user, 'supporter')
+    def create_space_supporter(user, space, role_type)
+      event_repo.record_space_role_add(space, user, role_type, @user_audit_info, @message.audit_hash)
       SpaceSupporter.create(user_id: user.id, space_id: space.id)
     end
 
-    def create_organization_user(user, organization)
-      record_organization_event(organization, user, 'user')
+    def create_organization_user(user, organization, role_type)
+      event_repo.record_organization_role_add(organization, user, role_type, @user_audit_info, @message.audit_hash)
       OrganizationUser.create(user_id: user.id, organization_id: organization.id)
     end
 
-    def create_organization_auditor(user, organization)
-      record_organization_event(organization, user, 'auditor')
+    def create_organization_auditor(user, organization, role_type)
+      event_repo.record_organization_role_add(organization, user, role_type, @user_audit_info, @message.audit_hash)
       OrganizationAuditor.create(user_id: user.id, organization_id: organization.id)
     end
 
-    def create_organization_manager(user, organization)
-      record_organization_event(organization, user, 'manager')
+    def create_organization_manager(user, organization, role_type)
+      event_repo.record_organization_role_add(organization, user, role_type, @user_audit_info, @message.audit_hash)
       OrganizationManager.create(user_id: user.id, organization_id: organization.id)
     end
 
-    def create_organization_billing_manager(user, organization)
-      record_organization_event(organization, user, 'billing_manager')
+    def create_organization_billing_manager(user, organization, role_type)
+      event_repo.record_organization_role_add(organization, user, role_type, @user_audit_info, @message.audit_hash)
       OrganizationBillingManager.create(user_id: user.id, organization_id: organization.id)
     end
 
-    def record_space_event(space, user, short_event_type)
-      event_repo.record_space_role_add(space, user, short_event_type, @user_audit_info, @message.audit_hash)
-    end
-
-    def record_organization_event(org, user, short_event_type)
-      event_repo.record_organization_role_add(org, user, short_event_type, @user_audit_info, @message.audit_hash)
-    end
-
     def space_validation_error!(type, error, user, space)
       error!("User '#{user.presentation_name}' already has '#{type}' role in space '#{space.name}'.") if error.errors.on(%i[space_id user_id])&.any? { |e| [:unique].include?(e) }
 

diff --git a/app/actions/role_delete.rb b/app/actions/role_delete.rb
@@ -28,36 +28,13 @@ def event_repo
     end
 
     def record_event(role)
-      case role.type
-      when VCAP::CloudController::RoleTypes::SPACE_MANAGER
-        record_space_event(role, 'manager')
-      when VCAP::CloudController::RoleTypes::SPACE_AUDITOR
-        record_space_event(role, 'auditor')
-      when VCAP::CloudController::RoleTypes::SPACE_DEVELOPER
-        record_space_event(role, 'developer')
-      when VCAP::CloudController::RoleTypes::SPACE_SUPPORTER
-        record_space_event(role, 'supporter')
-      when VCAP::CloudController::RoleTypes::ORGANIZATION_USER
-        record_organization_event(role, 'user')
-      when VCAP::CloudController::RoleTypes::ORGANIZATION_AUDITOR
-        record_organization_event(role, 'auditor')
-      when VCAP::CloudController::RoleTypes::ORGANIZATION_BILLING_MANAGER
-        record_organization_event(role, 'billing_manager')
-      when VCAP::CloudController::RoleTypes::ORGANIZATION_MANAGER
-        record_organization_event(role, 'manager')
+      if role.type.in?(RoleTypes::SPACE_ROLES)
+        event_repo.record_space_role_remove(Space.first(id: role.space_id), @role_owner, role.type, @user_audit_info)
+      elsif role.type.in?(RoleTypes::ORGANIZATION_ROLES)
+        event_repo.record_organization_role_remove(Organization.first(id: role.organization_id), @role_owner, role.type, @user_audit_info)
       else
         raise RoleDeleteError.new("Invalid role type: #{role.type}")
       end
     end
-
-    def record_space_event(role, short_event_type)
-      space = Space.first(id: role.space_id)
-      event_repo.record_space_role_remove(space, @role_owner, short_event_type, @user_audit_info)
-    end
-
-    def record_organization_event(role, short_event_type)
-      organization = Organization.first(id: role.organization_id)
-      event_repo.record_organization_role_remove(organization, @role_owner, short_event_type, @user_audit_info)
-    end
   end
 end
diff --git a/app/controllers/runtime/organizations_controller.rb b/app/controllers/runtime/organizations_controller.rb
@@ -248,7 +248,7 @@ def get_memory_usage(guid)
         @user_event_repository.record_organization_role_remove(
           org,
           user,
-          role,
+          "organization_#{role}",
           UserAuditInfo.from_context(SecurityContext),
           request_attrs
         )
@@ -334,7 +334,7 @@ def add_role(guid, role, user_id, username)
       org = find_guid_and_validate_access(:update, guid)
       org.send("add_#{role}", user)
 
-      @user_event_repository.record_organization_role_add(org, user, role, UserAuditInfo.from_context(SecurityContext), request_attrs)
+      @user_event_repository.record_organization_role_add(org, user, "organization_#{role}", UserAuditInfo.from_context(SecurityContext), request_attrs)
 
       [HTTP::CREATED, object_renderer.render_json(self.class, org, @opts)]
     end
@@ -348,7 +348,7 @@ def remove_role(guid, role, user_id)
       @user_event_repository.record_organization_role_remove(
         Organization.first(guid:),
         user,
-        role.to_s,
+        "organization_#{role}",
         UserAuditInfo.from_context(SecurityContext),
         {}
       )
@@ -370,19 +370,19 @@ def after_create(organization)
       end
 
       organization.users.each do |user|
-        @user_event_repository.record_organization_role_add(organization, user, 'user', user_audit_info, request_attrs)
+        @user_event_repository.record_organization_role_add(organization, user, RoleTypes::ORGANIZATION_USER, user_audit_info, request_attrs)
       end
 
       organization.auditors.each do |auditor|
-        @user_event_repository.record_organization_role_add(organization, auditor, 'auditor', user_audit_info, request_attrs)
+        @user_event_repository.record_organization_role_add(organization, auditor, RoleTypes::ORGANIZATION_AUDITOR, user_audit_info, request_attrs)
       end
 
       organization.billing_managers.each do |billing_manager|
-        @user_event_repository.record_organization_role_add(organization, billing_manager, 'billing_manager', user_audit_info, request_attrs)
+        @user_event_repository.record_organization_role_add(organization, billing_manager, RoleTypes::ORGANIZATION_BILLING_MANAGER, user_audit_info, request_attrs)
       end
 
       organization.managers.each do |manager|
-        @user_event_repository.record_organization_role_add(organization, manager, 'manager', user_audit_info, request_attrs)
+        @user_event_repository.record_organization_role_add(organization, manager, RoleTypes::ORGANIZATION_MANAGER, user_audit_info, request_attrs)
       end
     end
 
@@ -432,7 +432,7 @@ def generate_role_events_on_update(organization, current_role_guids)
           @user_event_repository.record_organization_role_add(
             organization,
             user,
-            role,
+            "organization_#{role}",
             user_audit_info,
             request_attrs
           )
@@ -445,7 +445,7 @@ def generate_role_events_on_update(organization, current_role_guids)
           @user_event_repository.record_organization_role_remove(
             organization,
             user,
-            role,
+            "organization_#{role}",
             user_audit_info,
             request_attrs
           )

diff --git a/app/controllers/runtime/spaces_controller.rb b/app/controllers/runtime/spaces_controller.rb
@@ -323,7 +323,7 @@ def add_role(guid, role, user_id, username)
 
       space.send("add_#{role}", user)
 
-      @user_event_repository.record_space_role_add(space, user, role, UserAuditInfo.from_context(SecurityContext), request_attrs)
+      @user_event_repository.record_space_role_add(space, user, "space_#{role}", UserAuditInfo.from_context(SecurityContext), request_attrs)
 
       [HTTP::CREATED, object_renderer.render_json(self.class, space, @opts)]
     end
@@ -336,7 +336,7 @@ def remove_role(space, role, user_id, username)
 
       space.send("remove_#{role}", user)
 
-      @user_event_repository.record_space_role_remove(space, user, role, UserAuditInfo.from_context(SecurityContext), request_attrs)
+      @user_event_repository.record_space_role_remove(space, user, "space_#{role}", UserAuditInfo.from_context(SecurityContext), request_attrs)
     end
 
     def after_create(space)
@@ -345,15 +345,15 @@ def after_create(space)
       @space_event_repository.record_space_create(space, user_audit_info, request_attrs)
 
       space.managers.each do |mgr|
-        @user_event_repository.record_space_role_add(space, mgr, 'manager', user_audit_info, request_attrs)
+        @user_event_repository.record_space_role_add(space, mgr, RoleTypes::SPACE_MANAGER, user_audit_info, request_attrs)
       end
 
       space.auditors.each do |auditor|
-        @user_event_repository.record_space_role_add(space, auditor, 'auditor', user_audit_info, request_attrs)
+        @user_event_repository.record_space_role_add(space, auditor, RoleTypes::SPACE_AUDITOR, user_audit_info, request_attrs)
       end
 
       space.developers.each do |developer|
-        @user_event_repository.record_space_role_add(space, developer, 'developer', user_audit_info, request_attrs)
+        @user_event_repository.record_space_role_add(space, developer, RoleTypes::SPACE_DEVELOPER, user_audit_info, request_attrs)
       end
     end
 
@@ -415,7 +415,7 @@ def generate_role_events_on_update(space, current_role_guids)
           @user_event_repository.record_space_role_add(
             space,
             user,
-            role,
+            "space_#{role}",
             user_audit_info,
             request_attrs
           )
@@ -428,7 +428,7 @@ def generate_role_events_on_update(space, current_role_guids)
           @user_event_repository.record_space_role_remove(
             space,
             user,
-            role,
+            "space_#{role}",
             user_audit_info,
             request_attrs
           )

diff --git a/app/controllers/runtime/users_controller.rb b/app/controllers/runtime/users_controller.rb
@@ -116,21 +116,11 @@ def remove_related(related_guid, name, user_guid, find_model=model)
       user.username = @uaa_client.usernames_for_ids([user.guid])[user.guid] || ''
 
       if find_model == Space
-        @user_event_repository.record_space_role_remove(
-          Space.first(guid: related_guid),
-          user,
-          name.to_s.singularize,
-          UserAuditInfo.from_context(SecurityContext),
-          {}
-        )
+        @user_event_repository.record_space_role_remove(Space.first(guid: related_guid), user, "space_#{name.to_s.singularize}", UserAuditInfo.from_context(SecurityContext))
+
       elsif find_model == Organization
-        @user_event_repository.record_organization_role_remove(
-          Organization.first(guid: related_guid),
-          user,
-          name.to_s.singularize,
-          UserAuditInfo.from_context(SecurityContext),
-          {}
-        )
+        @user_event_repository.record_organization_role_remove(Organization.first(guid: related_guid), user, "organization_#{name.to_s.singularize}",
+                                                               UserAuditInfo.from_context(SecurityContext))
       end
 
       response
@@ -160,15 +150,13 @@ def add_space_role(user_guid, relationship, space_guid)
 
       after_update(user)
 
-      role = if relationship.eql?(:audited_spaces)
-               'auditor'
-             elsif relationship.eql?(:managed_spaces)
-               'manager'
-             else
-               'developer'
-             end
-
-      @user_event_repository.record_space_role_add(space, user, role, UserAuditInfo.from_context(SecurityContext))
+      if relationship.eql?(:audited_spaces)
+        @user_event_repository.record_space_role_add(space, user, RoleTypes::SPACE_AUDITOR, UserAuditInfo.from_context(SecurityContext))
+      elsif relationship.eql?(:managed_spaces)
+        @user_event_repository.record_space_role_add(space, user, RoleTypes::SPACE_MANAGER, UserAuditInfo.from_context(SecurityContext))
+      else
+        @user_event_repository.record_space_role_add(space, user, RoleTypes::SPACE_DEVELOPER, UserAuditInfo.from_context(SecurityContext))
+      end
 
       [HTTP::CREATED, object_renderer.render_json(self.class, user, @opts)]
     end
@@ -199,17 +187,16 @@ def add_organization_role(user_guid, relationship, org_guid)
 
       after_update(user)
 
-      role = if relationship.eql?(:billing_managed_organizations)
-               'billing_manager'
-             elsif relationship.eql?(:audited_organizations)
-               'auditor'
-             elsif relationship.eql?(:managed_organizations)
-               'manager'
-             else
-               'user'
-             end
-
-      @user_event_repository.record_organization_role_add(Organization.first(guid: org_guid), user, role, UserAuditInfo.from_context(SecurityContext))
+      if relationship.eql?(:billing_managed_organizations)
+        @user_event_repository.record_organization_role_add(Organization.first(guid: org_guid), user, RoleTypes::ORGANIZATION_BILLING_MANAGER,
+                                                            UserAuditInfo.from_context(SecurityContext))
+      elsif relationship.eql?(:audited_organizations)
+        @user_event_repository.record_organization_role_add(Organization.first(guid: org_guid), user, RoleTypes::ORGANIZATION_AUDITOR, UserAuditInfo.from_context(SecurityContext))
+      elsif relationship.eql?(:managed_organizations)
+        @user_event_repository.record_organization_role_add(Organization.first(guid: org_guid), user, RoleTypes::ORGANIZATION_MANAGER, UserAuditInfo.from_context(SecurityContext))
+      else
+        @user_event_repository.record_organization_role_add(Organization.first(guid: org_guid), user, RoleTypes::ORGANIZATION_USER, UserAuditInfo.from_context(SecurityContext))
+      end
 
       [HTTP::CREATED, object_renderer.render_json(self.class, user, @opts)]
     end