Add Audit Trail/Logging

models/asymkey/ssh_key.go

@@ -317,17 +317,17 @@ func PublicKeyIsExternallyManaged(id int64) (bool, error) {
 	return false, nil
 }
 
-// deleteKeysMarkedForDeletion returns true if ssh keys needs update
-func deleteKeysMarkedForDeletion(keys []string) (bool, error) {
+// deleteKeysMarkedForDeletion returns the deleted keys
+func deleteKeysMarkedForDeletion(keys []string) ([]*PublicKey, error) {
 	// Start session
 	ctx, committer, err := db.TxContext(db.DefaultContext)
 	if err != nil {
-		return false, err
+		return nil, err
 	}
 	defer committer.Close()
 
-	// Delete keys marked for deletion
-	var sshKeysNeedUpdate bool
+	deletedKeys := make([]*PublicKey, 0, len(keys))
+
 	for _, KeyToDelete := range keys {
 		key, err := SearchPublicKeyByContent(ctx, KeyToDelete)
 		if err != nil {
@@ -338,19 +338,21 @@ func deleteKeysMarkedForDeletion(keys []string) (bool, error) {
 			log.Error("deletePublicKeys: %v", err)
 			continue
 		}
-		sshKeysNeedUpdate = true
+
+		deletedKeys = append(deletedKeys, key)
 	}
 
 	if err := committer.Commit(); err != nil {
-		return false, err
+		return nil, err
 	}
 
-	return sshKeysNeedUpdate, nil
+	return deletedKeys, nil
 }
 
-// AddPublicKeysBySource add a users public keys. Returns true if there are changes.
-func AddPublicKeysBySource(usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
-	var sshKeysNeedUpdate bool
+// AddPublicKeysBySource add a users public keys. Returns the added keys.
+func AddPublicKeysBySource(usr *user_model.User, s *auth.Source, sshPublicKeys []string) []*PublicKey {
+	addedKeys := make([]*PublicKey, 0, len(sshPublicKeys))
+
 	for _, sshKey := range sshPublicKeys {
 		var err error
 		found := false
@@ -368,28 +370,27 @@ func AddPublicKeysBySource(usr *user_model.User, s *auth.Source, sshPublicKeys [
 			marshalled = marshalled[:len(marshalled)-1]
 			sshKeyName := fmt.Sprintf("%s-%s", s.Name, ssh.FingerprintSHA256(out))
 
-			if _, err := AddPublicKey(usr.ID, sshKeyName, marshalled, s.ID); err != nil {
+			if pubKey, err := AddPublicKey(usr.ID, sshKeyName, marshalled, s.ID); err != nil {
 				if IsErrKeyAlreadyExist(err) {
 					log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name)
 				} else {
 					log.Error("AddPublicKeysBySource[%s]: Error adding Public SSH Key for user %s: %v", sshKeyName, usr.Name, err)
 				}
 			} else {
+				addedKeys = append(addedKeys, pubKey)
+
 				log.Trace("AddPublicKeysBySource[%s]: Added Public SSH Key for user %s", sshKeyName, usr.Name)
-				sshKeysNeedUpdate = true
 			}
 		}
 		if !found && err != nil {
 			log.Warn("AddPublicKeysBySource[%s]: Skipping invalid Public SSH Key for user %s: %v", s.Name, usr.Name, sshKey)
 		}
 	}
-	return sshKeysNeedUpdate
+	return addedKeys
 }
 
 // SynchronizePublicKeys updates a users public keys. Returns true if there are changes.
-func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
-	var sshKeysNeedUpdate bool
-
+func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys []string) ([]*PublicKey, []*PublicKey) {
 	log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
 
 	// Get Public Keys from DB with current LDAP source
@@ -418,7 +419,7 @@ func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys [
 	// Check if Public Key sync is needed
 	if util.SliceSortedEqual(giteaKeys, providedKeys) {
 		log.Trace("synchronizePublicKeys[%s]: Public Keys are already in sync for %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys))
-		return false
+		return nil, nil
 	}
 	log.Trace("synchronizePublicKeys[%s]: Public Key needs update for user %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys))
 
@@ -429,9 +430,8 @@ func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys [
 			newKeys = append(newKeys, key)
 		}
 	}
-	if AddPublicKeysBySource(usr, s, newKeys) {
-		sshKeysNeedUpdate = true
-	}
+
+	addedKeys := AddPublicKeysBySource(usr, s, newKeys) // ToDo Audit
 
 	// Mark keys from DB that no longer exist in the source for deletion
 	var giteaKeysToDelete []string
@@ -443,13 +443,10 @@ func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys [
 	}
 
 	// Delete keys from DB that no longer exist in the source
-	needUpd, err := deleteKeysMarkedForDeletion(giteaKeysToDelete)
+	deletedKeys, err := deleteKeysMarkedForDeletion(giteaKeysToDelete)
 	if err != nil {
 		log.Error("synchronizePublicKeys[%s]: Error deleting Public Keys marked for deletion for user %s: %v", s.Name, usr.Name, err)
 	}
-	if needUpd {
-		sshKeysNeedUpdate = true
-	}
 
-	return sshKeysNeedUpdate
+	return addedKeys, deletedKeys
 }

models/db/context.go

@@ -179,6 +179,11 @@ func GetByBean(ctx context.Context, bean interface{}) (bool, error) {
 	return GetEngine(ctx).Get(bean)
 }
 
+// GetBeanByID
+func GetBeanByID(ctx context.Context, id, bean interface{}) (bool, error) {
+	return GetEngine(ctx).ID(id).Get(bean)
+}
+
 // DeleteByBean deletes all records according non-empty fields of the bean as conditions.
 func DeleteByBean(ctx context.Context, bean interface{}) (int64, error) {
 	return GetEngine(ctx).Delete(bean)

models/org_team.go

@@ -55,36 +55,39 @@ func AddRepository(ctx context.Context, t *organization.Team, repo *repo_model.R
 
 // addAllRepositories adds all repositories to the team.
 // If the team already has some repositories they will be left unchanged.
-func addAllRepositories(ctx context.Context, t *organization.Team) error {
+func addAllRepositories(ctx context.Context, t *organization.Team) ([]*repo_model.Repository, error) {
 	orgRepos, err := organization.GetOrgRepositories(ctx, t.OrgID)
 	if err != nil {
-		return fmt.Errorf("get org repos: %w", err)
+		return nil, fmt.Errorf("get org repos: %w", err)
 	}
 
+	added := make([]*repo_model.Repository, 0, len(orgRepos))
 	for _, repo := range orgRepos {
 		if !organization.HasTeamRepo(ctx, t.OrgID, t.ID, repo.ID) {
 			if err := AddRepository(ctx, t, repo); err != nil {
-				return fmt.Errorf("AddRepository: %w", err)
+				return nil, fmt.Errorf("AddRepository: %w", err)
 			}
+			added = append(added, repo)
 		}
 	}
 
-	return nil
+	return added, nil
 }
 
 // AddAllRepositories adds all repositories to the team
-func AddAllRepositories(t *organization.Team) (err error) {
+func AddAllRepositories(t *organization.Team) ([]*repo_model.Repository, error) {
 	ctx, committer, err := db.TxContext(db.DefaultContext)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer committer.Close()
 
-	if err = addAllRepositories(ctx, t); err != nil {
-		return err
+	added, err := addAllRepositories(ctx, t)
+	if err != nil {
+		return nil, err
 	}
 
-	return committer.Commit()
+	return added, committer.Commit()
 }
 
 // RemoveAllRepositories removes all repositories from team and recalculates access
@@ -283,7 +286,7 @@ func NewTeam(t *organization.Team) (err error) {
 
 	// Add all repositories to the team if it has access to all of them.
 	if t.IncludesAllRepositories {
-		err = addAllRepositories(ctx, t)
+		_, err = addAllRepositories(ctx, t)
 		if err != nil {
 			return fmt.Errorf("addAllRepositories: %w", err)
 		}
@@ -361,7 +364,7 @@ func UpdateTeam(t *organization.Team, authChanged, includeAllChanged bool) (err
 
 	// Add all repositories to the team if it has access to all of them.
 	if includeAllChanged && t.IncludesAllRepositories {
-		err = addAllRepositories(ctx, t)
+		_, err = addAllRepositories(ctx, t)
 		if err != nil {
 			return fmt.Errorf("addAllRepositories: %w", err)
 		}

models/organization/org.go

@@ -90,6 +90,11 @@ func OrgFromUser(user *user_model.User) *Organization {
 	return (*Organization)(user)
 }
 
+// UserFromOrg converts organization to user
+func UserFromOrg(org *Organization) *user_model.User {
+	return (*user_model.User)(org)
+}
+
 // TableName represents the real table name of Organization
 func (Organization) TableName() string {
 	return "user"

models/system/notice.go

@@ -23,6 +23,7 @@ const (
 	NoticeRepository NoticeType = iota + 1
 	// NoticeTask type
 	NoticeTask
+	NoticeAudit
 )
 
 // Notice represents a system notice for admin.

models/user/email_address.go

@@ -400,7 +400,7 @@ func MakeEmailPrimary(email *EmailAddress) error {
 }
 
 // VerifyActiveEmailCode verifies active email code when active account
-func VerifyActiveEmailCode(code, email string) *EmailAddress {
+func VerifyActiveEmailCode(code, email string) (*User, *EmailAddress) {
 	minutes := setting.Service.ActiveCodeLives
 
 	if user := GetVerifyUser(code); user != nil {
@@ -411,11 +411,11 @@ func VerifyActiveEmailCode(code, email string) *EmailAddress {
 		if base.VerifyTimeLimitCode(data, minutes, prefix) {
 			emailAddress := &EmailAddress{UID: user.ID, Email: email}
 			if has, _ := db.GetEngine(db.DefaultContext).Get(emailAddress); has {
-				return emailAddress
+				return user, emailAddress
 			}
 		}
 	}
-	return nil
+	return nil, nil
 }
 
 // SearchEmailOrderBy is used to sort the results from SearchEmails()

modules/context/api.go

@@ -19,6 +19,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/services/audit"
 )
 
 // APIContext is a specific context for API service
@@ -209,6 +210,8 @@ func (ctx *APIContext) CheckForOTP() {
 		return
 	}
 	if !ok {
+		audit.Record(audit.UserAuthenticationFailTwoFactor, ctx.Context.Doer, ctx.Context.Doer, twofa, "Failed two-factor authentication for user %s.", ctx.Context.Doer.Name)
+
 		ctx.Context.Error(http.StatusUnauthorized)
 		return
 	}

modules/context/auth.go

@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/services/audit"
 )
 
 // ToggleOptions contains required or check options
@@ -173,6 +174,8 @@ func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) {
 					return
 				}
 				if !ok {
+					audit.Record(audit.UserAuthenticationFailTwoFactor, ctx.Doer, ctx.Doer, twofa, "Failed two-factor authentication for user %s.", ctx.Doer.Name)
+
 					ctx.JSON(http.StatusForbidden, map[string]string{
 						"message": "Only signed in user is allowed to call APIs.",
 					})

modules/context/org.go

@@ -95,7 +95,7 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 		if ctx.Org == nil {
 			ctx.Org = &Organization{}
 		}
-		ctx.Org.Organization = (*organization.Organization)(ctx.ContextUser)
+		ctx.Org.Organization = organization.OrgFromUser(ctx.ContextUser)
 	} else {
 		// ContextUser is an individual User
 		return

options/locale/locale_en-US.ini

@@ -3065,6 +3065,7 @@ notices.delete_all = Delete All Notices
 notices.type = Type
 notices.type_1 = Repository
 notices.type_2 = Task
+notices.type_3 = Audit
 notices.desc = Description
 notices.op = Op.
 notices.delete_success = The system notices have been deleted.

routers/api/v1/admin/org.go

@@ -14,6 +14,7 @@ import (
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
+	"code.gitea.io/gitea/services/audit"
 	"code.gitea.io/gitea/services/convert"
 )
 
@@ -74,6 +75,8 @@ func CreateOrg(ctx *context.APIContext) {
 		return
 	}
 
+	audit.Record(audit.OrganizationCreate, ctx.Doer, org, org, "Organization %s was created.", org.Name)
+
 	ctx.JSON(http.StatusCreated, convert.ToOrganization(ctx, org))
 }