apps: #show_environment_variables has audit event

tlwr · tlwr · commit c22a490cde88 · 2020-08-19T11:29:59.000+01:00
The environment can contain sensitive information, access to sensitive
information should be audited

Signed-off-by: toby lorne &lt;toby@toby.codes&gt;
diff --git a/app/controllers/v3/apps_controller.rb b/app/controllers/v3/apps_controller.rb
@@ -261,6 +261,8 @@ def show_environment_variables
 
     FeatureFlag.raise_unless_enabled!(:space_developer_env_var_visibility)
 
+    Repositories::AppEventRepository.new.record_app_show_environment_variables(app, user_audit_info)
+
     render status: :ok, json: Presenters::V3::AppEnvironmentVariablesPresenter.new(app)
   end
 
diff --git a/app/repositories/app_event_repository.rb b/app/repositories/app_event_repository.rb
@@ -160,6 +160,11 @@ def record_app_show_env(app, user_audit_info)
         create_app_audit_event('audit.app.environment.show', app, app.space, actor_hash, {})
       end
 
+      def record_app_show_environment_variables(app, user_audit_info)
+        actor_hash = { name: user_audit_info.user_email, guid: user_audit_info.user_guid, user_name: user_audit_info.user_name, type: 'user' }
+        create_app_audit_event('audit.app.environment_variables.show', app, app.space, actor_hash, {})
+      end
+
       private
 
       def create_app_audit_event(type, app, space, actor, metadata)
diff --git a/spec/unit/controllers/v3/apps_controller_spec.rb b/spec/unit/controllers/v3/apps_controller_spec.rb
@@ -1996,6 +1996,27 @@
         })
       end
     end
+
+    it 'records an audit event' do
+      set_current_user_as_admin(user: user, email: 'mona@example.com')
+
+      expect {
+        get :show_environment_variables, params: { guid: app_model.guid }, as: :json
+      }.to change { VCAP::CloudController::Event.count }.by(1)
+
+      event = VCAP::CloudController::Event.find(type: 'audit.app.environment_variables.show')
+      expect(event).not_to be_nil
+      expect(event.actor).to eq(user.guid)
+      expect(event.actor_type).to eq('user')
+      expect(event.actor_name).to eq('mona@example.com')
+      expect(event.actee).to eq(app_model.guid)
+      expect(event.actee_type).to eq('app')
+      expect(event.actee_name).to eq(app_model.name)
+      expect(event.timestamp).to be
+      expect(event.space_guid).to eq(app_model.space_guid)
+      expect(event.organization_guid).to eq(app_model.space.organization.guid)
+      expect(event.metadata).to eq({})
+    end
   end
 
   describe '#update_environment_variables' do
