forked from wrenn/wrenn
Rafeed M. Bhuiyan
52ad21c339
## What's new Compliance, audit, and account lifecycle improvements — admin actions are now fully auditable, user data is properly anonymized on deletion, and OAuth signup flow gives users control over their profile. ### Audit - Added audit logging for all admin actions (user activate/deactivate, team BYOC toggle, team delete, template delete, build create/cancel) - Added admin audit page with infinite scroll and hierarchical filters - Fixed audit log team assignment — admin/host actions now correctly land under PlatformTeamID - Anonymize audit logs on user hard-delete (actor name, IDs, emails stripped) - Deduplicated audit logger internals (665 → 374 lines, no behavior change) ### Authentication - Separated GitHub OAuth login/signup flows — login no longer auto-creates accounts - Added name confirmation dialog for new GitHub signups ### Account Lifecycle - Email notification sent when account is permanently deleted after grace period - Audit log anonymization tied to user purge (per-user transactional) ### UX - Removed accent gradient bars from admin host dialogs (border + shadow only) - Frontend renders deleted users as styled badge in audit log view ### Others - Version bump - Bug fixes Reviewed-on: wrenn/wrenn#36
127 lines
3.5 KiB
Go
127 lines
3.5 KiB
Go
// Code generated by sqlc. DO NOT EDIT.
|
|
// versions:
|
|
// sqlc v1.30.0
|
|
// source: audit.sql
|
|
|
|
package db
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/jackc/pgx/v5/pgtype"
|
|
)
|
|
|
|
const anonymizeAuditLogsByUserID = `-- name: AnonymizeAuditLogsByUserID :exec
|
|
UPDATE audit_logs
|
|
SET actor_name = CASE WHEN actor_id = $1 THEN 'deleted-user' ELSE actor_name END,
|
|
actor_id = CASE WHEN actor_id = $1 THEN NULL ELSE actor_id END,
|
|
resource_id = CASE WHEN resource_type = 'member' AND resource_id = $1 THEN NULL ELSE resource_id END,
|
|
metadata = CASE WHEN resource_type = 'member' AND resource_id = $1 AND metadata ? 'email' THEN metadata - 'email' ELSE metadata END
|
|
WHERE actor_id = $1
|
|
OR (resource_type = 'member' AND resource_id = $1)
|
|
`
|
|
|
|
func (q *Queries) AnonymizeAuditLogsByUserID(ctx context.Context, actorID pgtype.Text) error {
|
|
_, err := q.db.Exec(ctx, anonymizeAuditLogsByUserID, actorID)
|
|
return err
|
|
}
|
|
|
|
const insertAuditLog = `-- name: InsertAuditLog :exec
|
|
INSERT INTO audit_logs (id, team_id, actor_type, actor_id, actor_name, resource_type, resource_id, action, scope, status, metadata)
|
|
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
|
|
`
|
|
|
|
type InsertAuditLogParams struct {
|
|
ID pgtype.UUID `json:"id"`
|
|
TeamID pgtype.UUID `json:"team_id"`
|
|
ActorType string `json:"actor_type"`
|
|
ActorID pgtype.Text `json:"actor_id"`
|
|
ActorName string `json:"actor_name"`
|
|
ResourceType string `json:"resource_type"`
|
|
ResourceID pgtype.Text `json:"resource_id"`
|
|
Action string `json:"action"`
|
|
Scope string `json:"scope"`
|
|
Status string `json:"status"`
|
|
Metadata []byte `json:"metadata"`
|
|
}
|
|
|
|
func (q *Queries) InsertAuditLog(ctx context.Context, arg InsertAuditLogParams) error {
|
|
_, err := q.db.Exec(ctx, insertAuditLog,
|
|
arg.ID,
|
|
arg.TeamID,
|
|
arg.ActorType,
|
|
arg.ActorID,
|
|
arg.ActorName,
|
|
arg.ResourceType,
|
|
arg.ResourceID,
|
|
arg.Action,
|
|
arg.Scope,
|
|
arg.Status,
|
|
arg.Metadata,
|
|
)
|
|
return err
|
|
}
|
|
|
|
const listAuditLogs = `-- name: ListAuditLogs :many
|
|
SELECT id, team_id, actor_type, actor_id, actor_name, resource_type, resource_id, action, scope, status, metadata, created_at FROM audit_logs
|
|
WHERE team_id = $1
|
|
AND scope = ANY($2::text[])
|
|
AND (cardinality($3::text[]) = 0 OR resource_type = ANY($3::text[]))
|
|
AND (cardinality($4::text[]) = 0 OR action = ANY($4::text[]))
|
|
AND ($5::timestamptz IS NULL OR created_at < $5
|
|
OR (created_at = $5 AND id < $6))
|
|
ORDER BY created_at DESC, id DESC
|
|
LIMIT $7
|
|
`
|
|
|
|
type ListAuditLogsParams struct {
|
|
TeamID pgtype.UUID `json:"team_id"`
|
|
Column2 []string `json:"column_2"`
|
|
Column3 []string `json:"column_3"`
|
|
Column4 []string `json:"column_4"`
|
|
Column5 pgtype.Timestamptz `json:"column_5"`
|
|
ID pgtype.UUID `json:"id"`
|
|
Limit int32 `json:"limit"`
|
|
}
|
|
|
|
func (q *Queries) ListAuditLogs(ctx context.Context, arg ListAuditLogsParams) ([]AuditLog, error) {
|
|
rows, err := q.db.Query(ctx, listAuditLogs,
|
|
arg.TeamID,
|
|
arg.Column2,
|
|
arg.Column3,
|
|
arg.Column4,
|
|
arg.Column5,
|
|
arg.ID,
|
|
arg.Limit,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
var items []AuditLog
|
|
for rows.Next() {
|
|
var i AuditLog
|
|
if err := rows.Scan(
|
|
&i.ID,
|
|
&i.TeamID,
|
|
&i.ActorType,
|
|
&i.ActorID,
|
|
&i.ActorName,
|
|
&i.ResourceType,
|
|
&i.ResourceID,
|
|
&i.Action,
|
|
&i.Scope,
|
|
&i.Status,
|
|
&i.Metadata,
|
|
&i.CreatedAt,
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
items = append(items, i)
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
return items, nil
|
|
}
|