Merge pull request #813 from clojars/tobias/audit-on-membership-change

clojars · Oct 9, 2021 · 5144fc8 · 5144fc8
2 parents c4e6b20 + b3e529f
commit 5144fc8
Show file tree

Hide file tree

Showing 5 changed files with 137 additions and 109 deletions.
diff --git a/src/clojars/routes/group.clj b/src/clojars/routes/group.clj
@@ -22,6 +22,7 @@
                         (map :user))
         handler-fn (fn [account admin? group-users]
                      #(log/with-context {:tag :toggle-or-add-group-member
+                                         :group groupname
                                          :username account
                                          :username-to-add username
                                          :admin? admin?}
@@ -44,6 +45,8 @@
                           (do
                             (db/add-admin db groupname username account)
                             (log/info {:status :success})
+                            (log/audit db {:tag :member-added
+                                           :message (format "user '%s' added" username)})
                             (view/show-group db account groupname
                                              (into (remove (fn [active]
                                                              (= username (:user active))) actives)
@@ -92,6 +95,8 @@
                (do
                  (db/inactivate-member db groupname username account)
                  (log/info {:status :success})
+                 (log/audit db {:tag :member-removed
+                                :message (format "user '%s' removed" username)})
                  (view/show-group db account groupname
                                   (remove (fn [active] (= username (:user active))) actives)))
 

diff --git a/src/clojars/web/common.clj b/src/clojars/web/common.clj
@@ -399,7 +399,7 @@
 (defn audit-table
   [db subject lookup]
   [:div
-   [:h2 (format "Audit Log for %s (for last 30 days)" subject)]
+   [:h2 (format "Audit Log for %s" subject)]
     [:table.audit
      [:tr
       [:th "Tag"]

diff --git a/test/clojars/integration/uploads_test.clj b/test/clojars/integration/uploads_test.clj
@@ -18,7 +18,6 @@
    [clojure.test :refer [are deftest is testing use-fixtures]]
    [kerodon.core :refer [fill-in follow press session visit within]]
    [kerodon.test :refer [has status? text?]]
-   [matcher-combinators.test]
    [net.cgrand.enlive-html :as enlive]))
 
 (use-fixtures :each
@@ -40,12 +39,6 @@
   (doto (fu/create-checksum-file f type)
     .deleteOnExit))
 
-(defmacro match-audit
-  [params m]
-  `(let [db# (:db (config))
-         audit# (first (db/find-audit db# ~params))]
-     (is (~'match? ~m audit#))))
-
 (deftest user-can-register-and-deploy
   (-> (session (help/app-from-system))
       (register-as "dantheman" "[email protected]" "password"))
@@ -73,12 +66,12 @@
         (is (.exists (io/file repo base-path "0.0.1" (str "test-0.0.1." suffix))))
         (is (s3/object-exists? repo-bucket (str base-path "0.0.1/test-0.0.1." suffix)))))
 
-    (match-audit {:username "dantheman"}
-                 {:tag "deployed"
-                  :user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "test"
-                  :version "0.0.1"})
+    (help/match-audit {:username "dantheman"}
+                      {:tag "deployed"
+                       :user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.1"})
 
     (-> (session (help/app-from-system))
         (visit "/groups/org.clojars.dantheman")
@@ -222,10 +215,10 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :tag "invalid-token"
-                  :message "The given token either doesn't exist, isn't yours, or is disabled"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :tag "invalid-token"
+                       :message "The given token either doesn't exist, isn't yours, or is disabled"})))
 
 (deftest user-can-deploy-artifacts-after-maven-metadata
   (-> (session (help/app-from-system))
@@ -289,13 +282,13 @@
                                 :username "dantheman"
                                 :password token}}
            :local-repo help/local-repo)))
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :tag "deploy-forbidden"
-                  :group_name "org.clojars.fixture"
-                  :jar_name "test"
-                  :version "0.0.1"
-                  :message "You don't have access to the 'org.clojars.fixture' group"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :tag "deploy-forbidden"
+                       :group_name "org.clojars.fixture"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "You don't have access to the 'org.clojars.fixture' group"})))
 
 (deftest user-can-deploy-to-group-when-not-admin
   (-> (session (help/app-from-system))
@@ -332,13 +325,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "new-group"
-                  :jar_name "test"
-                  :version "0.0.1"
-                  :message "Group 'new-group' doesn't exist (see https://git.io/JOs8J)"
-                  :tag "deploy-forbidden"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "new-group"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "Group 'new-group' doesn't exist (see https://git.io/JOs8J)"
+                       :tag "deploy-forbidden"})))
 
 (deftest user-can-deploy-a-new-version-to-an-existing-project-in-a-non-verified-group
   (-> (session (help/app-from-system))
@@ -364,12 +357,12 @@
                           :password token}}
      :local-repo help/local-repo)
 
-    (match-audit {:username "dantheman"}
-                 {:tag "deployed"
-                  :user "dantheman"
-                  :group_name "legacy-group"
-                  :jar_name "test"
-                  :version "0.0.1"})
+    (help/match-audit {:username "dantheman"}
+                      {:tag "deployed"
+                       :user "dantheman"
+                       :group_name "legacy-group"
+                       :jar_name "test"
+                       :version "0.0.1"})
 
     (-> (session (help/app-from-system))
         (visit "/")
@@ -398,13 +391,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "legacy-group"
-                  :jar_name "test"
-                  :version "0.0.1"
-                  :message "Group 'legacy-group' isn't verified, so can't contain new projects (see https://git.io/JOs8J)"
-                  :tag "deploy-forbidden"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "legacy-group"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "Group 'legacy-group' isn't verified, so can't contain new projects (see https://git.io/JOs8J)"
+                       :tag "deploy-forbidden"})))
 
 (deftest user-cannot-redeploy
   (-> (session (help/app-from-system))
@@ -429,13 +422,13 @@
                                 :username "dantheman"
                                 :password token}}
            :local-repo help/local-repo)))
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "test"
-                  :version "0.0.1"
-                  :message "redeploying non-snapshots is not allowed (see https://git.io/v1IAs)"
-                  :tag "non-snapshot-redeploy"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "redeploying non-snapshots is not allowed (see https://git.io/v1IAs)"
+                       :tag "non-snapshot-redeploy"})))
 
 (deftest deploy-cannot-shadow-central
   (-> (session (help/app-from-system))
@@ -456,13 +449,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.tcrawley"
-                  :jar_name "dynapath"
-                  :version "0.0.1"
-                  :message "shadowing Maven Central artifacts is not allowed (see https://git.io/vMUHN)"
-                  :tag "central-shadow"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.tcrawley"
+                       :jar_name "dynapath"
+                       :version "0.0.1"
+                       :message "shadowing Maven Central artifacts is not allowed (see https://git.io/vMUHN)"
+                       :tag "central-shadow"})))
 
 (deftest deploy-cannot-shadow-central-unless-allowlisted
   (-> (session (help/app-from-system))
@@ -620,7 +613,7 @@
      :coordinates '[org.clojars.dantheman/test "0.0.1"]
      :artifact-map {[:extension "jar"] (io/file (io/resource "test.jar"))
                     [:extension "pom"] pom
-                     ;; any content will do since we don't validate signatures
+                    ;; any content will do since we don't validate signatures
                     [:extension "jar.asc"] pom
                     [:extension "pom.asc"] pom}
      :repository {"test" {:url (repo-url)
@@ -639,20 +632,20 @@
            :coordinates '[org.clojars.dantheman/test "0.0.1"]
            :artifact-map {[:extension "jar"] (io/file (io/resource "test.jar"))
                           [:extension "pom"] pom
-                                           ;; any content will do since we don't validate signatures
+                          ;; any content will do since we don't validate signatures
                           [:extension "jar.asc"] pom}
            :repository {"test" {:url (repo-url)
                                 :username "dantheman"
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "test"
-                  :version "0.0.1"
-                  :message "test-0.0.1.pom has no signature"
-                  :tag "file-missing-signature"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "test-0.0.1.pom has no signature"
+                       :tag "file-missing-signature"})))
 
 (deftest anonymous-cannot-deploy
   (is (thrown-with-msg?
@@ -678,10 +671,10 @@
                               :password "password"}}
          :local-repo help/local-repo)))
 
-  (match-audit {:username "guest"}
-               {:user    "guest"
-                :message "a deploy token is required to deploy (see https://git.io/JfwjM)"
-                :tag     "deploy-password-rejection"}))
+  (help/match-audit {:username "guest"}
+                    {:user    "guest"
+                     :message "a deploy token is required to deploy (see https://git.io/JfwjM)"
+                     :tag     "deploy-password-rejection"}))
 
 (deftest deploy-requires-path-to-match-pom
   (-> (session (help/app-from-system))
@@ -699,13 +692,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "net.clojars.dantheman"
-                  :jar_name "test"
-                  :version "0.0.1"
-                  :message "the group in the pom (org.clojars.dantheman) does not match the group you are deploying to (net.clojars.dantheman)"
-                  :tag "pom-entry-mismatch"})
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "net.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "the group in the pom (org.clojars.dantheman) does not match the group you are deploying to (net.clojars.dantheman)"
+                       :tag "pom-entry-mismatch"})
 
     (is (thrown-with-msg?
          org.sonatype.aether.deployment.DeploymentException
@@ -719,13 +712,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "toast"
-                  :version "0.0.1"
-                  :message "the name in the pom (test) does not match the name you are deploying to (toast)"
-                  :tag "pom-entry-mismatch"})
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "toast"
+                       :version "0.0.1"
+                       :message "the name in the pom (test) does not match the name you are deploying to (toast)"
+                       :tag "pom-entry-mismatch"})
 
     (is (thrown-with-msg?
          org.sonatype.aether.deployment.DeploymentException
@@ -739,13 +732,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "test"
-                  :version "1.0.0"
-                  :message "the version in the pom (0.0.1) does not match the version you are deploying to (1.0.0)"
-                  :tag "pom-entry-mismatch"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "1.0.0"
+                       :message "the version in the pom (0.0.1) does not match the version you are deploying to (1.0.0)"
+                       :tag "pom-entry-mismatch"})))
 
 (deftest deploy-requires-lowercase-project
   (-> (session (help/app-from-system))
@@ -763,13 +756,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "teST"
-                  :version "0.0.1"
-                  :message "project names must consist solely of lowercase letters, numbers, hyphens and underscores (see https://git.io/v1IAl)"
-                  :tag "regex-validation-failed"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "teST"
+                       :version "0.0.1"
+                       :message "project names must consist solely of lowercase letters, numbers, hyphens and underscores (see https://git.io/v1IAl)"
+                       :tag "regex-validation-failed"})))
 
 (deftest deploy-requires-ascii-version
   (-> (session (help/app-from-system))
@@ -787,13 +780,13 @@
                                 :password token}}
            :local-repo help/local-repo)))
 
-    (match-audit {:username "dantheman"}
-                 {:user "dantheman"
-                  :group_name "org.clojars.dantheman"
-                  :jar_name "test"
-                  :version "1.α.0"
-                  :message "version strings must consist solely of letters, numbers, dots, pluses, hyphens and underscores (see https://git.io/v1IA2)"
-                  :tag "regex-validation-failed"})))
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "1.α.0"
+                       :message "version strings must consist solely of letters, numbers, dots, pluses, hyphens and underscores (see https://git.io/v1IA2)"
+                       :tag "regex-validation-failed"})))
 
 (deftest put-on-html-fails
   (let [sess (-> (session (help/app-from-system))