Skip to content

Commit

Permalink
feat: auditing settings (#33935)
Browse files Browse the repository at this point in the history
  • Loading branch information
ggazzo authored Nov 20, 2024
1 parent de6bd32 commit 79bbbd6
Show file tree
Hide file tree
Showing 39 changed files with 504 additions and 127 deletions.
15 changes: 13 additions & 2 deletions apps/meteor/app/api/server/v1/assets.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { Settings } from '@rocket.chat/models';
import { isAssetsUnsetAssetProps } from '@rocket.chat/rest-typings';

import { updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
import { RocketChatAssets, refreshClients } from '../../../assets/server';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
import { settings } from '../../../settings/server';
Expand Down Expand Up @@ -36,7 +37,12 @@ API.v1.addRoute(

const { key, value } = await RocketChatAssets.setAssetWithBuffer(fileBuffer, mimetype, assetName);

const { modifiedCount } = await Settings.updateValueById(key, value);
const { modifiedCount } = await updateAuditedByUser({
_id: this.userId,
username: this.user.username!,

Check warning on line 42 in apps/meteor/app/api/server/v1/assets.ts

View workflow job for this annotation

GitHub Actions / 🔎 Code Check / Code Lint

Forbidden non-null assertion
ip: this.requestIp,
useragent: this.request.headers['user-agent'] || '',
})(Settings.updateValueById, key, value);

if (modifiedCount) {
void notifyOnSettingChangedById(key);
Expand Down Expand Up @@ -68,7 +74,12 @@ API.v1.addRoute(

const { key, value } = await RocketChatAssets.unsetAsset(assetName);

const { modifiedCount } = await Settings.updateValueById(key, value);
const { modifiedCount } = await updateAuditedByUser({
_id: this.userId,
username: this.user.username!,

Check warning on line 79 in apps/meteor/app/api/server/v1/assets.ts

View workflow job for this annotation

GitHub Actions / 🔎 Code Check / Code Lint

Forbidden non-null assertion
ip: this.requestIp,
useragent: this.request.headers['user-agent'] || '',
})(Settings.updateValueById, key, value);

if (modifiedCount) {
void notifyOnSettingChangedById(key);
Expand Down
21 changes: 17 additions & 4 deletions apps/meteor/app/api/server/v1/misc.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import { v4 as uuidv4 } from 'uuid';

import { i18n } from '../../../../server/lib/i18n';
import { SystemLogger } from '../../../../server/lib/logger/system';
import { resetAuditedSettingByUser, updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
import { getLogs } from '../../../../server/stream/stdout';
import { passwordPolicy } from '../../../lib/server';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
Expand Down Expand Up @@ -683,20 +684,32 @@ API.v1.addRoute(

settingsIds.push('Deployment_FingerPrint_Verified');

const auditSettingOperation = updateAuditedByUser({
_id: this.userId,
username: this.user.username!,

Check warning on line 689 in apps/meteor/app/api/server/v1/misc.ts

View workflow job for this annotation

GitHub Actions / 🔎 Code Check / Code Lint

Forbidden non-null assertion
ip: this.requestIp,
useragent: this.request.headers['user-agent'] || '',
});

const promises = settingsIds.map((settingId) => {
if (settingId === 'uniqueID') {
return Settings.resetValueById('uniqueID', process.env.DEPLOYMENT_ID || uuidv4());
return auditSettingOperation(Settings.resetValueById, 'uniqueID', process.env.DEPLOYMENT_ID || uuidv4());
}

if (settingId === 'Cloud_Workspace_Access_Token_Expires_At') {
return Settings.resetValueById('Cloud_Workspace_Access_Token_Expires_At', new Date(0));
return auditSettingOperation(Settings.resetValueById, 'Cloud_Workspace_Access_Token_Expires_At', new Date(0));
}

if (settingId === 'Deployment_FingerPrint_Verified') {
return Settings.updateValueById('Deployment_FingerPrint_Verified', true);
return auditSettingOperation(Settings.updateValueById, 'Deployment_FingerPrint_Verified', true);
}

return Settings.resetValueById(settingId);
return resetAuditedSettingByUser({
_id: this.userId,
username: this.user.username!,

Check warning on line 709 in apps/meteor/app/api/server/v1/misc.ts

View workflow job for this annotation

GitHub Actions / 🔎 Code Check / Code Lint

Forbidden non-null assertion
ip: this.requestIp,
useragent: this.request.headers['user-agent'] || '',
})(Settings.resetValueById, settingId);
});

(await Promise.all(promises)).forEach((value, index) => {
Expand Down
17 changes: 15 additions & 2 deletions apps/meteor/app/api/server/v1/settings.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import { Meteor } from 'meteor/meteor';
import type { FindOptions } from 'mongodb';
import _ from 'underscore';

import { updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { disableCustomScripts } from '../../../lib/server/functions/disableCustomScripts';
import { notifyOnSettingChanged, notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
Expand Down Expand Up @@ -200,9 +201,16 @@ API.v1.addRoute(
return API.v1.success();
}

const auditSettingOperation = updateAuditedByUser({
_id: this.userId,
username: this.user.username!,

Check warning on line 206 in apps/meteor/app/api/server/v1/settings.ts

View workflow job for this annotation

GitHub Actions / 🔎 Code Check / Code Lint

Forbidden non-null assertion
ip: this.requestIp,
useragent: this.request.headers['user-agent'] || '',
});

if (isSettingColor(setting) && isSettingsUpdatePropsColor(this.bodyParams)) {
const updateOptionsPromise = Settings.updateOptionsById<ISettingColor>(this.urlParams._id, { editor: this.bodyParams.editor });
const updateValuePromise = Settings.updateValueNotHiddenById(this.urlParams._id, this.bodyParams.value);
const updateValuePromise = auditSettingOperation(Settings.updateValueNotHiddenById, this.urlParams._id, this.bodyParams.value);

const [updateOptionsResult, updateValueResult] = await Promise.all([updateOptionsPromise, updateValuePromise]);

Expand All @@ -214,7 +222,12 @@ API.v1.addRoute(
}

if (isSettingsUpdatePropDefault(this.bodyParams)) {
const { matchedCount } = await Settings.updateValueNotHiddenById(this.urlParams._id, this.bodyParams.value);
const { matchedCount } = await auditSettingOperation(
Settings.updateValueNotHiddenById,
this.urlParams._id,
this.bodyParams.value,
);

if (!matchedCount) {
return API.v1.failure();
}
Expand Down
11 changes: 10 additions & 1 deletion apps/meteor/app/apps/server/bridges/settings.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import type { ISetting } from '@rocket.chat/apps-engine/definition/settings';
import { ServerSettingBridge } from '@rocket.chat/apps-engine/server/bridges/ServerSettingBridge';
import { Settings } from '@rocket.chat/models';

import { updateAuditedByApp } from '../../../../server/settings/lib/auditedSettingUpdates';
import { notifyOnSettingChanged, notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';

export class AppSettingBridge extends ServerSettingBridge {
Expand Down Expand Up @@ -56,7 +57,15 @@ export class AppSettingBridge extends ServerSettingBridge {
throw new Error(`The setting "${setting.id}" is not readable.`);
}

(await Settings.updateValueById(setting.id, setting.value)).modifiedCount && void notifyOnSettingChangedById(setting.id);
if (
(
await updateAuditedByApp({
_id: appId,
})(Settings.updateValueById, setting.id, setting.value)
).modifiedCount
) {
void notifyOnSettingChangedById(setting.id);
}
}

protected async incrementValue(id: string, value: number, appId: string): Promise<void> {
Expand Down
1 change: 1 addition & 0 deletions apps/meteor/app/authentication/server/startup/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -338,6 +338,7 @@ Accounts.insertUserDoc = async function (options, user) {
if (!roles.includes('admin') && !hasAdmin) {
roles.push('admin');
if (settings.get('Show_Setup_Wizard') === 'pending') {
// TODO: audit
(await Settings.updateValueById('Show_Setup_Wizard', 'in_progress')).modifiedCount &&
void notifyOnSettingChangedById('Show_Setup_Wizard');
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { Settings } from '@rocket.chat/models';
import { Random } from '@rocket.chat/random';

import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
import { settings } from '../../../settings/server';
import { userScopes } from '../oauthScopes';
Expand All @@ -9,7 +10,9 @@ import { getRedirectUri } from './getRedirectUri';
export async function getOAuthAuthorizationUrl() {
const state = Random.id();

await Settings.updateValueById('Cloud_Workspace_Registration_State', state);
await updateAuditedBySystem({
reason: 'getOAuthAuthorizationUrl',
})(Settings.updateValueById, 'Cloud_Workspace_Registration_State', state);

void notifyOnSettingChangedById('Cloud_Workspace_Registration_State');

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { Settings, WorkspaceCredentials } from '@rocket.chat/models';

import { retrieveRegistrationStatus } from './retrieveRegistrationStatus';
import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';

export async function removeWorkspaceRegistrationInfo() {
Expand All @@ -24,10 +25,12 @@ export async function removeWorkspaceRegistrationInfo() {

const promises = settingsIds.map((settingId) => {
if (settingId === 'Show_Setup_Wizard') {
return Settings.updateValueById('Show_Setup_Wizard', 'in_progress');
return updateAuditedBySystem({
reason: 'removeWorkspaceRegistrationInfo',
})(Settings.updateValueById, 'Show_Setup_Wizard', 'in_progress');
}

return Settings.resetValueById(settingId, null);
return updateAuditedBySystem({ reason: 'removeWorkspaceRegistrationInfo' })(Settings.resetValueById, settingId, null);
});

(await Promise.all(promises)).forEach((value, index) => {
Expand Down
14 changes: 12 additions & 2 deletions apps/meteor/app/cloud/server/functions/saveRegistrationData.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import { applyLicense } from '@rocket.chat/license';
import { Settings } from '@rocket.chat/models';

import { syncCloudData } from './syncWorkspace/syncCloudData';
import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
import { settings } from '../../../settings/server';

Expand Down Expand Up @@ -59,15 +60,24 @@ async function saveRegistrationDataBase({
{ _id: 'Cloud_Workspace_Registration_Client_Uri', value: registration_client_uri },
];

const promises = [...settingsData.map(({ _id, value }) => Settings.updateValueById(_id, value))];
const promises = [
...settingsData.map(({ _id, value }) =>
updateAuditedBySystem({
reason: 'saveRegistrationDataBase',
})(Settings.updateValueById, _id, value),
),
];

(await Promise.all(promises)).forEach((value, index) => {
if (value?.modifiedCount) {
void notifyOnSettingChangedById(settingsData[index]._id);
}
});

// TODO: Why is this taking so long that needs a timeout?
// Question: Why is this taking so long that needs a timeout?
// Answer: we use cache that requires a 'roundtrip' through the db and the application
// we need to make sure that the cache is updated before we continue the procedures
// we don't actually need to wait a whole second for this, but look this is just a retry mechanism it doesn't mean that actually takes all this time
for await (const retry of Array.from({ length: 10 })) {
const isSettingsUpdated =
settings.get('Register_Server') === true &&
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import { buildWorkspaceRegistrationData } from './buildRegistrationData';
import { retrieveRegistrationStatus } from './retrieveRegistrationStatus';
import { syncWorkspace } from './syncWorkspace';
import { SystemLogger } from '../../../../server/lib/logger/system';
import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
import { settings } from '../../../settings/server';

Expand All @@ -15,7 +16,6 @@ export async function startRegisterWorkspace(resend = false) {

return true;
}

(await Settings.updateValueById('Register_Server', true)).modifiedCount && void notifyOnSettingChangedById('Register_Server');

const regInfo = await buildWorkspaceRegistrationData(undefined);
Expand Down Expand Up @@ -48,7 +48,9 @@ export async function startRegisterWorkspace(resend = false) {
return false;
}

await Settings.updateValueById('Cloud_Workspace_Id', payload.id);
await updateAuditedBySystem({
reason: 'startRegisterWorkspace',
})(Settings.updateValueById, 'Cloud_Workspace_Id', payload.id);

return true;
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import { supportedVersions as supportedVersionsFromBuild } from '../../../../uti
import { buildVersionUpdateMessage } from '../../../../version-check/server/functions/buildVersionUpdateMessage';
import { generateWorkspaceBearerHttpHeader } from '../getWorkspaceAccessToken';
import { supportedVersionsChooseLatest } from './supportedVersionsChooseLatest';
import { updateAuditedBySystem } from '../../../../../server/settings/lib/auditedSettingUpdates';

declare module '@rocket.chat/core-typings' {
interface ILicenseV3 {
Expand Down Expand Up @@ -66,7 +67,15 @@ const cacheValueInSettings = <T extends SettingValue>(
SystemLogger.debug(`Resetting cached value ${key} in settings`);
const value = await fn();

(await Settings.updateValueById(key, value)).modifiedCount && void notifyOnSettingChangedById(key);
if (
(
await updateAuditedBySystem({
reason: 'cacheValueInSettings reset',
})(Settings.updateValueById, key, value)
).modifiedCount
) {
void notifyOnSettingChangedById(key);
}

return value;
};
Expand Down
5 changes: 4 additions & 1 deletion apps/meteor/app/irc/server/irc-bridge/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import { callbacks } from '../../../../lib/callbacks';
import { afterLeaveRoomCallback } from '../../../../lib/callbacks/afterLeaveRoomCallback';
import { afterLogoutCleanUpCallback } from '../../../../lib/callbacks/afterLogoutCleanUpCallback';
import { withThrottling } from '../../../../lib/utils/highOrderFunctions';
import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
import * as servers from '../servers';
import * as localCommandHandlers from './localHandlers';
Expand All @@ -22,7 +23,9 @@ const updateLastPing = withThrottling({ wait: 10_000 })(() => {
}

void (async () => {
const updatedValue = await Settings.updateValueById('IRC_Bridge_Last_Ping', new Date(), { upsert: true });
const updatedValue = await updateAuditedBySystem({
reason: 'updateLastPing',
})(Settings.updateValueById, 'IRC_Bridge_Last_Ping', new Date(), { upsert: true });
if (updatedValue.modifiedCount || updatedValue.upsertedCount) {
void notifyOnSettingChangedById('IRC_Bridge_Last_Ping');
}
Expand Down
15 changes: 13 additions & 2 deletions apps/meteor/app/irc/server/methods/resetIrcConnection.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import type { ServerMethods } from '@rocket.chat/ddp-client';
import { Settings } from '@rocket.chat/models';
import { Meteor } from 'meteor/meteor';

import { updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
import { settings } from '../../../settings/server';
Expand All @@ -27,13 +28,23 @@ Meteor.methods<ServerMethods>({
throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'resetIrcConnection' });
}

const updatedLastPingValue = await Settings.updateValueById('IRC_Bridge_Last_Ping', new Date(0), { upsert: true });
const auditSettingOperation = updateAuditedByUser({
_id: uid,
username: (await Meteor.userAsync())!.username!,
ip: this.connection?.clientAddress || '',
useragent: this.connection?.httpHeaders['user-agent'] || '',
});

const updatedLastPingValue = await auditSettingOperation(Settings.updateValueById, 'IRC_Bridge_Last_Ping', new Date(0), {
upsert: true,
});
if (updatedLastPingValue.modifiedCount || updatedLastPingValue.upsertedCount) {
void notifyOnSettingChangedById('IRC_Bridge_Last_Ping');
}

const updatedResetTimeValue = await Settings.updateValueById('IRC_Bridge_Reset_Time', new Date(), { upsert: true });
const updatedResetTimeValue = await auditSettingOperation(Settings.updateValueById, 'IRC_Bridge_Reset_Time', new Date(), {
upsert: true,
});
if (updatedResetTimeValue.modifiedCount || updatedResetTimeValue.upsertedCount) {
void notifyOnSettingChangedById('IRC_Bridge_Last_Ping');
}
Expand Down
12 changes: 10 additions & 2 deletions apps/meteor/app/lib/server/methods/saveSetting.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { Settings } from '@rocket.chat/models';
import { Match, check } from 'meteor/check';
import { Meteor } from 'meteor/meteor';

import { updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
import { twoFactorRequired } from '../../../2fa/server/twoFactorRequired';
import { getSettingPermissionId } from '../../../authorization/lib';
import { hasPermissionAsync, hasAllPermissionAsync } from '../../../authorization/server/functions/hasPermission';
Expand All @@ -18,7 +19,7 @@ declare module '@rocket.chat/ddp-client' {
}

Meteor.methods<ServerMethods>({
saveSetting: twoFactorRequired(async (_id, value, editor) => {
saveSetting: twoFactorRequired(async function (_id, value, editor) {
const uid = Meteor.userId();
if (!uid) {
throw new Meteor.Error('error-action-not-allowed', 'Editing settings is not allowed', {
Expand Down Expand Up @@ -66,7 +67,14 @@ Meteor.methods<ServerMethods>({
break;
}

(await Settings.updateValueAndEditorById(_id, value as SettingValue, editor)).modifiedCount &&
const auditSettingOperation = updateAuditedByUser({
_id: uid,
username: (await Meteor.userAsync())!.username!,
ip: this.connection?.clientAddress || '',
useragent: this.connection?.httpHeaders['user-agent'] || '',
});

(await auditSettingOperation(Settings.updateValueAndEditorById, _id, value as SettingValue, editor)).modifiedCount &&
setting &&
void notifyOnSettingChanged({ ...setting, editor, value: value as SettingValue });

Expand Down
Loading

0 comments on commit 79bbbd6

Please sign in to comment.