Audit logs for saas app + admin portal

.env.example

@@ -95,4 +95,9 @@ DSYNC_WEBHOOK_BATCH_SIZE=
 # Google workspace directory sync
 DSYNC_GOOGLE_CLIENT_ID=
 DSYNC_GOOGLE_CLIENT_SECRET=
-DSYNC_GOOGLE_REDIRECT_URI=
+DSYNC_GOOGLE_REDIRECT_URI=
+
+# Retraced
+RETRACED_HOST_URL=
+RETRACED_API_KEY=
+RETRACED_PROJECT_ID=

ee/branding/api/admin/index.ts

@@ -1,6 +1,7 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
 
 import jackson from '@lib/jackson';
+import retraced from '@ee/retraced';
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
   const { method } = req;
@@ -25,10 +26,16 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 const handlePOST = async (req: NextApiRequest, res: NextApiResponse) => {
   const { brandingController } = await jackson();
 
-  const { logoUrl, faviconUrl, companyName, primaryColor } = req.body;
+  const brandingUpdated = await brandingController.update(req.body);
+
+  retraced.reportAdminPortalEvent({
+    action: 'portal.branding.update',
+    crud: 'u',
+    req,
+  });
 
   return res.json({
-    data: await brandingController.update({ logoUrl, faviconUrl, companyName, primaryColor }),
+    data: brandingUpdated,
   });
 };
 

ee/federated-saml/api/admin/[id]/index.ts

@@ -1,6 +1,7 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
 
 import jackson from '@lib/jackson';
+import retraced from '@ee/retraced';
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
   const { method } = req;
@@ -49,6 +50,15 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => {
 
   const updatedApp = await samlFederatedController.app.update(req.body);
 
+  retraced.reportAdminPortalEvent({
+    action: 'federation.app.update',
+    crud: 'u',
+    req,
+    target: {
+      id: updatedApp.id,
+    },
+  });
+
   return res.status(200).json({ data: updatedApp });
 };
 
@@ -60,6 +70,15 @@ const handleDELETE = async (req: NextApiRequest, res: NextApiResponse) => {
 
   await samlFederatedController.app.delete({ id });
 
+  retraced.reportAdminPortalEvent({
+    action: 'federation.app.delete',
+    crud: 'd',
+    req,
+    target: {
+      id,
+    },
+  });
+
   return res.status(200).json({ data: {} });
 };
 

ee/federated-saml/api/admin/index.ts

@@ -1,6 +1,7 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
 
 import jackson from '@lib/jackson';
+import retraced from '@ee/retraced';
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
   const { method } = req;
@@ -28,6 +29,15 @@ const handlePOST = async (req: NextApiRequest, res: NextApiResponse) => {
 
   const app = await samlFederatedController.app.create(req.body);
 
+  retraced.reportAdminPortalEvent({
+    action: 'federation.app.create',
+    crud: 'c',
+    req,
+    target: {
+      id: app.id,
+    },
+  });
+
   return res.status(201).json({ data: app });
 };
 

ee/retraced/index.ts

@@ -0,0 +1,214 @@
+import * as Retraced from '@retracedhq/retraced';
+import type { Event } from '@retracedhq/retraced';
+import type { NextApiRequest } from 'next';
+import { getToken as getNextAuthToken } from 'next-auth/jwt';
+import requestIp from 'request-ip';
+
+import jackson from '@lib/jackson';
+import { retracedOptions } from '@lib/env';
+import { sessionName } from '@lib/constants';
+
+type AuditEventType =
+  | 'sso.user.login'
+
+  // Single Sign On
+  | 'sso.connection.create'
+  | 'sso.connection.update'
+  | 'sso.connection.delete'
+
+  // Directory Sync
+  | 'dsync.connection.create'
+  | 'dsync.connection.update'
+  | 'dsync.connection.delete'
+  | 'dsync.webhook_event.delete'
+
+  // Setup Link
+  | 'sso.setuplink.create'
+  | 'sso.setuplink.update'
+  | 'sso.setuplink.delete'
+  | 'dsync.setuplink.create'
+  | 'dsync.setuplink.update'
+  | 'dsync.setuplink.delete'
+
+  // Federated SAML
+  | 'federation.app.create'
+  | 'federation.app.update'
+  | 'federation.app.delete'
+
+  // Retraced
+  | 'retraced.project.create'
+
+  // Admin settings
+  | 'portal.branding.update'
+  | 'portal.user.login';
+
+interface ReportAdminEventParams {
+  action: AuditEventType;
+  crud: Retraced.CRUD;
+  target?: Retraced.Target;
+  req?: NextApiRequest;
+  actor?: Retraced.Actor;
+}
+
+interface ReportEventParams {
+  action: AuditEventType;
+  crud: Retraced.CRUD;
+  actor: Retraced.Actor;
+  req: NextApiRequest;
+  group?: Retraced.Group;
+  target?: Retraced.Target;
+  productId?: string;
+}
+
+const adminPortalGroup = {
+  id: 'boxyhq-admin-portal',
+  name: 'BoxyHQ Admin Portal',
+};
+
+let client: Retraced.Client | null = null;
+
+// Create a Retraced client
+const getClient = async () => {
+  const { checkLicense } = await jackson();
+
+  if (!(await checkLicense())) {
+    return;
+  }
+
+  if (!retracedOptions.hostUrl || !retracedOptions.apiKey || !retracedOptions.projectId) {
+    return;
+  }
+
+  if (client) {
+    return client;
+  }
+
+  client = new Retraced.Client({
+    endpoint: retracedOptions.hostUrl,
+    apiKey: retracedOptions.apiKey,
+    projectId: retracedOptions.projectId,
+  });
+
+  return client;
+};
+
+// Report events to Retraced
+const reportEvent = async (params: ReportEventParams) => {
+  const { action, crud, actor, req } = params;
+
+  try {
+    const retracedClient = await getClient();
+
+    if (!retracedClient) {
+      return;
+    }
+
+    const retracedEvent: Event = {
+      action,
+      crud,
+      actor,
+      created: new Date(),
+      source_ip: getClientIp(req),
+    };
+
+    if ('group' in params && params.group) {
+      retracedEvent.group = params.group;
+    }
+
+    if ('target' in params && params.target) {
+      retracedEvent.target = params.target;
+    }
+
+    // Find team info if productId is provided
+    if ('productId' in params && params.productId) {
+      const { productController } = await jackson();
+
+      const product = await productController.get(params.productId);
+
+      retracedEvent.group = {
+        id: product.teamId,
+        name: product.teamName,
+      };
+
+      retracedEvent.target = {
+        id: product.id,
+        name: product.name,
+      };
+    }
+
+    await retracedClient.reportEvent(retracedEvent);
+  } catch (error: any) {
+    console.error('Error reporting event to Retraced', error);
+  }
+};
+
+// Report Admin portal events to Retraced
+export const reportAdminPortalEvent = async (params: ReportAdminEventParams) => {
+  const { action, crud, target, actor, req } = params;
+
+  try {
+    const retracedClient = await getClient();
+
+    if (!retracedClient) {
+      return;
+    }
+
+    const retracedEvent: Event = {
+      action,
+      crud,
+      target,
+      actor: actor ?? (await getAdminUser(req)),
+      group: adminPortalGroup,
+      created: new Date(),
+      source_ip: getClientIp(req),
+    };
+
+    await retracedClient.reportEvent(retracedEvent);
+  } catch (error: any) {
+    console.error('Error reporting event to Retraced', error);
+  }
+};
+
+// Find admin actor info from NextAuth token
+const getAdminUser = async (req: NextApiRequest | undefined) => {
+  if (!req) {
+    throw new Error(`NextApiRequest is required to get actor info for Retraced event.`);
+  }
+
+  const user = await getNextAuthToken({
+    req,
+    cookieName: sessionName,
+  });
+
+  if (!user || !user.email || !user.name) {
+    throw new Error(`Can't find actor info from the NextAuth token.`);
+  }
+
+  return {
+    id: user.email,
+    name: user.name,
+  };
+};
+
+// Find Ip from request
+const getClientIp = (req: NextApiRequest | undefined) => {
+  if (!req) {
+    return undefined;
+  }
+
+  const sourceIp = requestIp.getClientIp(req);
+
+  // TODO: Verify this is the correct way to check
+  if (!sourceIp.startsWith('::')) {
+    return sourceIp as string;
+  }
+
+  return undefined;
+};
+
+const retraced = {
+  reportEvent,
+  reportAdminPortalEvent,
+};
+
+export default retraced;

lib/env.ts

@@ -21,6 +21,8 @@ const retraced = {
   hostUrl: process.env.RETRACED_HOST_URL,
   externalUrl: process.env.RETRACED_EXTERNAL_URL || process.env.RETRACED_HOST_URL,
   adminToken: process.env.RETRACED_ADMIN_ROOT_TOKEN,
+  apiKey: process.env.RETRACED_API_KEY,
+  projectId: process.env.RETRACED_PROJECT_ID,
 };
 
 // Terminus