feat: add activity logs on user actions with authentication, resource… (#6748)

* feat: add activity logs on user actions with authentication, resourceAPI and sessionAPI * feat: add activity logs on user actions with authentication, resourceAPI and sessionAPI * feat: add activity logs on user actions with authentication, resourceAPI and sessionAPI * feat: add activity logs on user actions with authentication, resourceAPI and sessionAPI * feat: add activity logs on user actions with authentication, resourceAPI and sessionAPI * fix: add unit tests to info package for context changes * fix: add activity_interceptor.go suggestion Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix: refactoring and fixes through PR review * fix: add auth service to lists of resourceAPIs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Fabi <fabienne@zitadel.com>
2025-08-12 03:57:32 +00:00 · 2023-10-25 14:09:15 +02:00
parent 385a55bd21
commit 48ae5d58ac
13 changed files with 496 additions and 1 deletions
--- a/internal/api/grpc/admin/server.go
+++ b/internal/api/grpc/admin/server.go
@@ -79,5 +79,9 @@ func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
 }

 func (s *Server) GatewayPathPrefix() string {
+	return GatewayPathPrefix()
+}
+
+func GatewayPathPrefix() string {
 	return "/admin/v1"
 }
--- a/internal/api/grpc/management/server.go
+++ b/internal/api/grpc/management/server.go
@@ -71,5 +71,9 @@ func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
 }

 func (s *Server) GatewayPathPrefix() string {
+	return GatewayPathPrefix()
+}
+
+func GatewayPathPrefix() string {
 	return "/management/v1"
 }
--- a/internal/api/grpc/server/middleware/activity_interceptor.go
+++ b/internal/api/grpc/server/middleware/activity_interceptor.go
@@ -0,0 +1,35 @@
+package middleware
+
+import (
+	"context"
+	"slices"
+	"strings"
+
+	"google.golang.org/grpc"
+
+	"github.com/zitadel/zitadel/internal/activity"
+)
+
+func ActivityInterceptor() grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		resp, err := handler(ctx, req)
+		if isResourceAPI(info.FullMethod) {
+			activity.TriggerWithContext(ctx, activity.ResourceAPI)
+		}
+		return resp, err
+	}
+}
+
+var resourcePrefixes = []string{
+	"/zitadel.management.v1.ManagementService/",
+	"/zitadel.admin.v1.AdminService/",
+	"/zitadel.user.v2beta.UserService/",
+	"/zitadel.settings.v2beta.SettingsService/",
+	"/zitadel.auth.v1.AuthService/",
+}
+
+func isResourceAPI(method string) bool {
+	return slices.ContainsFunc(resourcePrefixes, func(prefix string) bool {
+		return strings.HasPrefix(method, prefix)
+	})
+}
--- a/internal/api/grpc/server/server.go
+++ b/internal/api/grpc/server/server.go
@@ -58,6 +58,7 @@ func CreateServer(
 				middleware.TranslationHandler(),
 				middleware.ValidationHandler(),
 				middleware.ServiceHandler(),
+				middleware.ActivityInterceptor(),
 			),
 		),
 	}
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -9,6 +9,8 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/muhlemmer/gu"
+
+	"github.com/zitadel/zitadel/internal/activity"
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 	"github.com/zitadel/zitadel/internal/command"
@@ -57,6 +59,7 @@ func (s *Server) CreateSession(ctx context.Context, req *session.CreateSessionRe
 	if err != nil {
 		return nil, err
 	}
+
 	return &session.CreateSessionResponse{
 		Details:      object.DomainToDetailsPb(set.ObjectDetails),
 		SessionId:    set.ID,
@@ -310,6 +313,9 @@ func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([
 		if err != nil {
 			return nil, err
 		}
+
+		// trigger activity log for session for user
+		activity.Trigger(ctx, user.ResourceOwner, user.ID, activity.SessionAPI)
 		sessionChecks = append(sessionChecks, command.CheckUser(user.ID))
 	}
 	if password := checks.GetPassword(); password != nil {
--- a/internal/api/http/middleware/activity_interceptor.go
+++ b/internal/api/http/middleware/activity_interceptor.go
@@ -0,0 +1,32 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/zitadel/zitadel/internal/api/info"
+)
+
+func ActivityHandler(handlerPrefixes []string) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			activityInfo := info.ActivityInfoFromContext(ctx)
+			hasPrefix := false
+			// only add path to context if handler is called
+			for _, prefix := range handlerPrefixes {
+				if strings.HasPrefix(r.URL.Path, prefix) {
+					activityInfo.SetPath(r.URL.Path)
+					hasPrefix = true
+					break
+				}
+			}
+			// last call is with grpc method as path
+			if !hasPrefix {
+				activityInfo.SetMethod(r.URL.Path)
+			}
+			ctx = activityInfo.SetRequestMethod(r.Method).IntoContext(ctx)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
--- a/internal/api/info/info.go
+++ b/internal/api/info/info.go
@@ -0,0 +1,43 @@
+package info
+
+import (
+	"context"
+)
+
+type activityInfoKey struct{}
+
+type ActivityInfo struct {
+	Method        string
+	Path          string
+	RequestMethod string
+}
+
+func (a *ActivityInfo) IntoContext(ctx context.Context) context.Context {
+	return context.WithValue(ctx, activityInfoKey{}, a)
+}
+
+func ActivityInfoFromContext(ctx context.Context) *ActivityInfo {
+	m := ctx.Value(activityInfoKey{})
+	if m == nil {
+		return &ActivityInfo{}
+	}
+	ai, ok := m.(*ActivityInfo)
+	if !ok {
+		return &ActivityInfo{}
+	}
+	return ai
+}
+
+func (a *ActivityInfo) SetMethod(method string) *ActivityInfo {
+	a.Method = method
+	return a
+}
+func (a *ActivityInfo) SetPath(path string) *ActivityInfo {
+	a.Path = path
+	return a
+}
+
+func (a *ActivityInfo) SetRequestMethod(method string) *ActivityInfo {
+	a.RequestMethod = method
+	return a
+}
--- a/internal/api/info/info_test.go
+++ b/internal/api/info/info_test.go
@@ -0,0 +1,117 @@
+package info
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_ActivityInfo(t *testing.T) {
+	type args struct {
+		ctx           context.Context
+		ok            bool
+		path          string
+		method        string
+		requestMethod string
+	}
+	type want struct {
+		ok            bool
+		path          string
+		method        string
+		requestMethod string
+	}
+	tests := []struct {
+		name string
+		args args
+		want want
+	}{
+		{
+			"already set",
+			args{
+				ctx: ctxWithActivityInfo(context.Background(), "set", "set", "set"),
+				ok:  false,
+			},
+			want{
+				ok:            true,
+				path:          "set",
+				method:        "set",
+				requestMethod: "set",
+			},
+		},
+		{
+			"not set, empty",
+			args{
+				ctx: context.Background(),
+				ok:  false,
+			},
+			want{
+				ok: true,
+			},
+		},
+		{
+			"set empty",
+			args{
+				ctx: context.Background(),
+				ok:  true,
+			},
+			want{
+				ok: true,
+			},
+		},
+		{
+			"set",
+			args{
+				ctx:           context.Background(),
+				ok:            true,
+				path:          "set",
+				method:        "set",
+				requestMethod: "set",
+			},
+			want{
+				ok:            true,
+				path:          "set",
+				method:        "set",
+				requestMethod: "set",
+			},
+		},
+		{
+			"reset",
+			args{
+				ctx:           ctxWithActivityInfo(context.Background(), "set", "set", "set"),
+				ok:            true,
+				path:          "set2",
+				method:        "set2",
+				requestMethod: "set2",
+			},
+			want{
+				ok:            true,
+				path:          "set2",
+				method:        "set2",
+				requestMethod: "set2",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ai := &ActivityInfo{}
+			ai.SetMethod(tt.args.method).SetPath(tt.args.path).SetRequestMethod(tt.args.requestMethod)
+			if tt.args.ok {
+				tt.args.ctx = ai.IntoContext(tt.args.ctx)
+			}
+
+			res := ActivityInfoFromContext(tt.args.ctx)
+			if tt.want.ok {
+				assert.NotNil(t, res)
+			}
+			assert.Equal(t, tt.want.path, res.Path)
+			assert.Equal(t, tt.want.method, res.Method)
+			assert.Equal(t, tt.want.requestMethod, res.RequestMethod)
+		})
+	}
+}
+
+func ctxWithActivityInfo(ctx context.Context, method, path, requestMethod string) context.Context {
+	ai := &ActivityInfo{}
+	return ai.SetPath(path).SetRequestMethod(requestMethod).SetMethod(method).IntoContext(ctx)
+}
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -10,6 +10,7 @@ import (
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/oidc/v3/pkg/op"

+	"github.com/zitadel/zitadel/internal/activity"
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
@@ -196,6 +197,8 @@ func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest)
 		applicationID = authReq.ApplicationID
 		userOrgID = authReq.UserOrgID
 	case *AuthRequestV2:
+		// trigger activity log for authentication for user
+		activity.Trigger(ctx, "", authReq.CurrentAuthRequest.UserID, activity.OIDCAccessToken)
 		return o.command.AddOIDCSessionAccessToken(setContextUserSystem(ctx), authReq.GetID())
 	}

@@ -208,6 +211,9 @@ func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest)
 	if err != nil {
 		return "", time.Time{}, err
 	}
+
+	// trigger activity log for authentication for user
+	activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCAccessToken)
 	return resp.TokenID, resp.Expiration, nil
 }

@@ -218,8 +224,12 @@ func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.Tok
 	// handle V2 request directly
 	switch tokenReq := req.(type) {
 	case *AuthRequestV2:
+		// trigger activity log for authentication for user
+		activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken)
 		return o.command.AddOIDCSessionRefreshAndAccessToken(setContextUserSystem(ctx), tokenReq.GetID())
 	case *RefreshTokenRequestV2:
+		// trigger activity log for authentication for user
+		activity.Trigger(ctx, "", tokenReq.GetSubject(), activity.OIDCRefreshToken)
 		return o.command.ExchangeOIDCSessionRefreshAndAccessToken(setContextUserSystem(ctx), tokenReq.OIDCSessionWriteModel.AggregateID, refreshToken, tokenReq.RequestedScopes)
 	}

@@ -246,6 +256,9 @@ func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.Tok
 		}
 		return "", "", time.Time{}, err
 	}
+
+	// trigger activity log for authentication for user
+	activity.Trigger(ctx, userOrgID, req.GetSubject(), activity.OIDCRefreshToken)
 	return resp.TokenID, token, resp.Expiration, nil
 }

@@ -274,6 +287,8 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken
 		if err != nil {
 			return nil, err
 		}
+		// trigger activity log for authentication for user
+		activity.Trigger(ctx, "", oidcSession.UserID, activity.OIDCRefreshToken)
 		return &RefreshTokenRequestV2{OIDCSessionWriteModel: oidcSession}, nil
 	}

@@ -281,6 +296,9 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken
 	if err != nil {
 		return nil, err
 	}
+
+	// trigger activity log for use of refresh token for user
+	activity.Trigger(ctx, tokenView.ResourceOwner, tokenView.UserID, activity.OIDCRefreshToken)
 	return RefreshTokenRequestFromBusiness(tokenView), nil
 }

--- a/internal/api/saml/storage.go
+++ b/internal/api/saml/storage.go
@@ -15,6 +15,7 @@ import (

 	"github.com/zitadel/zitadel/internal/actions"
 	"github.com/zitadel/zitadel/internal/actions/object"
+	"github.com/zitadel/zitadel/internal/activity"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/auth/repository"
 	"github.com/zitadel/zitadel/internal/command"
@@ -148,6 +149,9 @@ func (p *Storage) SetUserinfoWithUserID(ctx context.Context, applicationID strin
 	}

 	setUserinfo(user, userinfo, attributes, customAttributes)
+
+	// trigger activity log for authentication for user
+	activity.Trigger(ctx, user.ResourceOwner, user.ID, activity.SAMLResponse)
 	return nil
 }