v3(service-plan-visibility): add audit events (cloudfoundry#1890)

Derik Evangelista · web-flow · commit d8744057d50b · 2020-10-09T15:24:04.000+01:00
[#166785822](https://www.pivotaltracker.com/story/show/166785822)
diff --git a/app/controllers/v3/service_plan_visibility_controller.rb b/app/controllers/v3/service_plan_visibility_controller.rb
@@ -42,12 +42,16 @@ def destroy
     resource_not_found!(:service_plan_visibility) unless to_delete.present?
 
     ServicePlanVisibilityDelete.delete(to_delete)
-
+    event_repository.record_service_plan_delete_visibility_event(service_plan, org)
     head :no_content
   end
 
   private
 
+  def event_repository
+    VCAP::CloudController::Repositories::ServiceEventRepository::WithUserActor.new(user_audit_info)
+  end
+
   def update_visibility(opts={})
     service_plan = ServicePlanFetcher.fetch(hashed_params[:guid])
     service_plan_not_found! unless service_plan.present? && visible_to_current_user?(plan: service_plan)
@@ -57,6 +61,7 @@ def update_visibility(opts={})
     bad_request!(message.errors.full_messages) unless message.valid?
 
     updated_service_plan = V3::ServicePlanVisibilityUpdate.new.update(service_plan, message, opts)
+    event_repository.record_service_plan_update_visibility_event(service_plan, message.audit_hash)
 
     visible_in_orgs = ServicePlanVisibilityFetcher.new(permission_queryer).fetch_orgs(
       service_plan_guids: [service_plan.guid]
diff --git a/app/repositories/service_event_repository.rb b/app/repositories/service_event_repository.rb
@@ -17,6 +17,8 @@ def logger
 
       delegate(
         :record_service_plan_visibility_event,
+        :record_service_plan_update_visibility_event,
+        :record_service_plan_delete_visibility_event,
         :record_broker_event,
         :record_broker_event_with_request,
         :record_service_instance_event,
@@ -78,20 +80,23 @@ def initialize(user_audit_info)
         end
 
         def record_service_plan_visibility_event(type, visibility, params)
-          actee = {
-            actee:      visibility.guid,
-            actee_type: 'service_plan_visibility',
-            actee_name: ''
-          }
-
-          metadata = { request: params }
-
           space_data = {
             space_guid:        '',
             organization_guid: visibility.organization_guid
           }
+          record_plan_visibility_event(type, visibility.guid, params, space_data)
+        end
 
-          create_event("audit.service_plan_visibility.#{type}", user_actor, actee, metadata, space_data)
+        def record_service_plan_update_visibility_event(plan, params)
+          record_plan_visibility_event(:update, plan.guid, params)
+        end
+
+        def record_service_plan_delete_visibility_event(plan, org)
+          space_data = {
+            space_guid: '',
+            organization_guid: org.guid
+          }
+          record_plan_visibility_event(:delete, plan.guid, {}, space_data)
         end
 
         def record_broker_event(type, broker, params)
@@ -191,6 +196,18 @@ def record_service_plan_delete_event(plan)
 
         attr_reader :user_audit_info
 
+        def record_plan_visibility_event(type, actee_guid, params, space_data=nil)
+          actee = {
+            actee:      actee_guid,
+            actee_type: 'service_plan_visibility',
+            actee_name: ''
+          }
+
+          metadata = { request: params }
+
+          create_event("audit.service_plan_visibility.#{type}", user_actor, actee, metadata, space_data)
+        end
+
         def with_parameters_redacted(request_data)
           redact(request_data, for_key: 'parameters', with: Presenters::Censorship::PRIVATE_DATA_HIDDEN)
         end
diff --git a/spec/request/service_plan_visibility_spec.rb b/spec/request/service_plan_visibility_spec.rb
@@ -384,26 +384,25 @@
 
   describe 'POST /v3/service_plans/:guid/visibility' do
     let(:third_org) { VCAP::CloudController::Organization.make }
+    let(:yet_another_org) { VCAP::CloudController::Organization.make }
     let(:api_url) { "/v3/service_plans/#{guid}/visibility" }
     let(:api_call) { lambda { |user_headers| post api_url, req_body.to_json, user_headers } }
     let(:guid) { service_plan.guid }
-
     let(:service_plan) do
       plan = VCAP::CloudController::ServicePlan.make(public: false)
       VCAP::CloudController::ServicePlanVisibility.make(organization: org, service_plan: plan)
       VCAP::CloudController::ServicePlanVisibility.make(organization: other_org, service_plan: plan)
       plan
     end
+    let(:body) { { type: 'organization', organizations: [{ guid: third_org.guid }, { guid: yet_another_org.guid }] } }
 
     context 'when the plan current visibility is "organization"' do
       it 'can add new organizations' do
-        yet_another_org = VCAP::CloudController::Organization.make
-        body = { type: 'organization', organizations: [{ guid: third_org.guid }, { guid: yet_another_org.guid }] }.to_json
         expected_orgs = [org, other_org, third_org, yet_another_org].map do |o|
           { 'guid' => o.guid, 'name' => o.name }
         end
 
-        post api_url, body, admin_headers
+        post api_url, body.to_json, admin_headers
         expect(last_response).to have_status_code(200)
         expect(parsed_response['type']).to eq 'organization'
         expect(parsed_response['organizations']).to match_array(expected_orgs)
@@ -413,6 +412,16 @@
         expect(parsed_response['organizations']).to match_array(expected_orgs)
       end
 
+      it 'creates an audit event' do
+        post api_url, body.to_json, admin_headers
+        event = VCAP::CloudController::Event.find(type: 'audit.service_plan_visibility.update')
+        expect(event).to be
+        expect(event.actee).to eq(service_plan.guid)
+        expect(event.data).to include({
+          'request' => body.with_indifferent_access
+        })
+      end
+
       it 'ignores organizations that already have visibility' do
         body = { type: 'organization', organizations: [{ guid: org.guid }, { guid: third_org.guid }] }.to_json
         expected_orgs = [
@@ -442,14 +451,24 @@
 
       context 'when the current visibility type is not organization' do
         let(:service_plan) { VCAP::CloudController::ServicePlan.make(public: true) }
+        let(:body) { { type: 'organization', organizations: [{ guid: org.guid }] } }
 
         it 'updates the visibility type AND add the orgs' do
-          body = { type: 'organization', organizations: [{ guid: org.guid }] }.to_json
-          post api_url, body, admin_headers
+          post api_url, body.to_json, admin_headers
 
           expect(parsed_response['type']).to eq 'organization'
           expect(parsed_response['organizations']).to contain_exactly({ 'guid' => org.guid, 'name' => org.name })
         end
+
+        it 'creates an audit event' do
+          post api_url, body.to_json, admin_headers
+          event = VCAP::CloudController::Event.find(type: 'audit.service_plan_visibility.update')
+          expect(event).to be
+          expect(event.actee).to eq(service_plan.guid)
+          expect(event.data).to include({
+            'request' => body.with_indifferent_access
+          })
+        end
       end
 
       context 'when an org in the list does not exist' do
@@ -497,16 +516,27 @@
     end
 
     context 'when request type is not "organization"' do
+      let(:body) { { type: 'public' } }
+
       it 'behaves like a PATCH' do
-        body = { type: 'public' }.to_json
-        post api_url, body, admin_headers
+        post api_url, body.to_json, admin_headers
         expect(last_response).to have_status_code(200)
 
         get api_url, {}, admin_headers
         expect(parsed_response).to eq({ 'type' => 'public' })
         visibilities = VCAP::CloudController::ServicePlanVisibility.where(service_plan: service_plan).all
         expect(visibilities).to be_empty
       end
+
+      it 'creates an audit event' do
+        post api_url, body.to_json, admin_headers
+        event = VCAP::CloudController::Event.find(type: 'audit.service_plan_visibility.update')
+        expect(event).to be
+        expect(event.actee).to eq(service_plan.guid)
+        expect(event.data).to include({
+          'request' => body.with_indifferent_access
+        })
+      end
     end
 
     context 'permissions' do
@@ -607,5 +637,14 @@
 
       it_behaves_like 'permissions for delete endpoint', ALL_PERMISSIONS
     end
+
+    it 'creates an audit event' do
+      delete api_url, {}, admin_headers
+      expect(last_response).to have_status_code(204)
+      event = VCAP::CloudController::Event.find(type: 'audit.service_plan_visibility.delete')
+      expect(event).to be
+      expect(event.actee).to eq(service_plan.guid)
+      expect(event.organization_guid).to eq(org.guid)
+    end
   end
 end
diff --git a/spec/unit/repositories/service_event_repository_spec.rb b/spec/unit/repositories/service_event_repository_spec.rb
@@ -38,6 +38,53 @@ module Repositories
         end
       end
 
+      describe 'record_service_plan_update_visibility_event' do
+        let(:service_plan) { VCAP::CloudController::ServicePlan.make }
+
+        it 'creates the event' do
+          params = {
+            type: 'organization',
+            organizations: [
+              { guid: '9c246656-830f-4c47-968f-f92c2d659560' },
+              { guid: 'c01fdfc3-ffe4-4ec1-a294-e5a84ef425f1' }
+            ]
+          }
+          repository.record_service_plan_update_visibility_event(service_plan, params)
+
+          event = Event.find(type: 'audit.service_plan_visibility.update')
+          expect(event.actor_type).to eq('user')
+          expect(event.timestamp).to be
+          expect(event.actor).to eq(user.guid)
+          expect(event.actor_name).to eq(email)
+          expect(event.actor_username).to eq(user_name)
+          expect(event.actee).to eq(service_plan.guid)
+          expect(event.actee_type).to eq('service_plan_visibility')
+          expect(event.actee_name).to eq('')
+          expect(event.metadata).to eq({ 'request' => params.with_indifferent_access })
+        end
+      end
+
+      describe 'record_service_plan_delete_visibility_event' do
+        let(:service_plan) { VCAP::CloudController::ServicePlan.make }
+        let(:org) { VCAP::CloudController::Organization.make }
+
+        it 'creates the event' do
+          repository.record_service_plan_delete_visibility_event(service_plan, org)
+
+          event = Event.find(type: 'audit.service_plan_visibility.delete')
+          expect(event.actor_type).to eq('user')
+          expect(event.timestamp).to be
+          expect(event.actor).to eq(user.guid)
+          expect(event.actor_name).to eq(email)
+          expect(event.actor_username).to eq(user_name)
+          expect(event.actee).to eq(service_plan.guid)
+          expect(event.actee_type).to eq('service_plan_visibility')
+          expect(event.actee_name).to eq('')
+          expect(event.metadata).to eq({ 'request' => {} })
+          expect(event.organization_guid).to eq(org.guid)
+        end
+      end
+
       describe '#record_broker_event' do
         let(:service_broker) { VCAP::CloudController::ServiceBroker.make }
         let(:params) do
