Add Organizational event logging feature

This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2025-05-24 12:33:58 +00:00 · 2022-11-20 19:15:45 +01:00 · 2022-11-20 19:15:45 +01:00 · 2ea9b66943
commit 2ea9b66943
parent f3beaea9e9
31 changed files with 1887 additions and 240 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -3,8 +3,10 @@ use rocket::serde::json::Json;
 use serde_json::Value;

 use crate::{
-    api::{EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType},
-    auth::{decode_delete, decode_invite, decode_verify_email, Headers},
+    api::{
+        core::log_user_event, EmptyResult, JsonResult, JsonUpcase, Notify, NumberOrString, PasswordData, UpdateType,
+    },
+    auth::{decode_delete, decode_invite, decode_verify_email, ClientIp, Headers},
    crypto,
    db::{models::*, DbConn},
    mail, CONFIG,
@ -268,7 +270,12 @@ struct ChangePassData {
 }

 #[post("/accounts/password", data = "<data>")]
-async fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, mut conn: DbConn) -> EmptyResult {
+async fn post_password(
+    data: JsonUpcase<ChangePassData>,
+    headers: Headers,
+    mut conn: DbConn,
+    ip: ClientIp,
+) -> EmptyResult {
    let data: ChangePassData = data.into_inner().data;
    let mut user = headers.user;

@ -279,6 +286,8 @@ async fn post_password(data: JsonUpcase<ChangePassData>, headers: Headers, mut c
    user.password_hint = clean_password_hint(&data.MasterPasswordHint);
    enforce_password_hint_setting(&user.password_hint)?;

+    log_user_event(EventType::UserChangedPassword as i32, &user.uuid, headers.device.atype, &ip.ip, &mut conn).await;
+
    user.set_password(
        &data.NewMasterPasswordHash,
        Some(vec![String::from("post_rotatekey"), String::from("get_contacts"), String::from("get_public_keys")]),
@ -334,7 +343,13 @@ struct KeyData {
 }

 #[post("/accounts/key", data = "<data>")]
-async fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+async fn post_rotatekey(
+    data: JsonUpcase<KeyData>,
+    headers: Headers,
+    mut conn: DbConn,
+    ip: ClientIp,
+    nt: Notify<'_>,
+) -> EmptyResult {
    let data: KeyData = data.into_inner().data;

    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
@ -373,7 +388,7 @@ async fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, mut conn: D

        // Prevent triggering cipher updates via WebSockets by settings UpdateType::None
        // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
-        update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &mut conn, &nt, UpdateType::None)
+        update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &mut conn, &ip, &nt, UpdateType::None)
            .await?
    }