[SM-1273] Adding new logging for secrets (#5991)

* Adding new logging for secrets * fixing secrest controller tests * fixing the tests
2026-02-18 02:19:06 +00:00 · 2025-07-02 22:28:48 -04:00
parent b7df8525af
commit 669a5cb372
6 changed files with 73 additions and 21 deletions
--- a/src/Api/SecretsManager/Controllers/SecretsController.cs
+++ b/src/Api/SecretsManager/Controllers/SecretsController.cs
@@ -109,7 +109,7 @@ public class SecretsController : Controller
        }

        var result = await _createSecretCommand.CreateAsync(secret, accessPoliciesUpdates);
-
+        await LogSecretEventAsync(secret, EventType.Secret_Created);
        // Creating a secret means you have read & write permission.
        return new SecretResponseModel(result, true, true);
    }
@@ -135,10 +135,7 @@ public class SecretsController : Controller
            throw new NotFoundException();
        }

-        if (_currentContext.IdentityClientType == IdentityClientType.ServiceAccount)
-        {
-            await _eventService.LogServiceAccountSecretEventAsync(userId, secret, EventType.Secret_Retrieved);
-        }
+        await LogSecretEventAsync(secret, EventType.Secret_Retrieved);

        return new SecretResponseModel(secret, access.Read, access.Write);
    }
@@ -188,10 +185,10 @@ public class SecretsController : Controller
            {
                throw new NotFoundException();
            }
-
        }

        var result = await _updateSecretCommand.UpdateAsync(updatedSecret, accessPoliciesUpdates);
+        await LogSecretEventAsync(secret, EventType.Secret_Edited);

        // Updating a secret means you have read & write permission.
        return new SecretResponseModel(result, true, true);
@@ -234,6 +231,7 @@ public class SecretsController : Controller

        await _deleteSecretCommand.DeleteSecrets(secretsToDelete);
        var responses = results.Select(r => new BulkDeleteResponseModel(r.Secret.Id, r.Error));
+        await LogSecretsEventAsync(secretsToDelete, EventType.Secret_Deleted);
        return new ListResponseModel<BulkDeleteResponseModel>(responses);
    }

@@ -253,7 +251,7 @@ public class SecretsController : Controller
            throw new NotFoundException();
        }

-        await LogSecretsRetrievalAsync(secrets);
+        await LogSecretsEventAsync(secrets, EventType.Secret_Retrieved);

        var responses = secrets.Select(s => new BaseSecretResponseModel(s));
        return new ListResponseModel<BaseSecretResponseModel>(responses);
@@ -290,18 +288,28 @@ public class SecretsController : Controller

        if (syncResult.HasChanges)
        {
-            await LogSecretsRetrievalAsync(syncResult.Secrets);
+            await LogSecretsEventAsync(syncResult.Secrets, EventType.Secret_Retrieved);
        }

        return new SecretsSyncResponseModel(syncResult.HasChanges, syncResult.Secrets);
    }

-    private async Task LogSecretsRetrievalAsync(IEnumerable<Secret> secrets)
+    private async Task LogSecretsEventAsync(IEnumerable<Secret> secrets, EventType eventType)
    {
-        if (_currentContext.IdentityClientType == IdentityClientType.ServiceAccount)
+        var userId = _userService.GetProperUserId(User)!.Value;
+
+        switch (_currentContext.IdentityClientType)
        {
-            var userId = _userService.GetProperUserId(User)!.Value;
-            await _eventService.LogServiceAccountSecretsEventAsync(userId, secrets, EventType.Secret_Retrieved);
+            case IdentityClientType.ServiceAccount:
+                await _eventService.LogServiceAccountSecretsEventAsync(userId, secrets, eventType);
+                break;
+            case IdentityClientType.User:
+                await _eventService.LogUserSecretsEventAsync(userId, secrets, eventType);
+                break;
        }
    }
+
+    private Task LogSecretEventAsync(Secret secret, EventType eventType) =>
+       LogSecretsEventAsync(new[] { secret }, eventType);
+
 }
--- a/src/Core/AdminConsole/Enums/EventType.cs
+++ b/src/Core/AdminConsole/Enums/EventType.cs
@@ -90,4 +90,7 @@ public enum EventType : int
    OrganizationDomain_NotVerified = 2003,

    Secret_Retrieved = 2100,
+    Secret_Created = 2101,
+    Secret_Edited = 2102,
+    Secret_Deleted = 2103,
 }
--- a/src/Core/AdminConsole/Services/IEventService.cs
+++ b/src/Core/AdminConsole/Services/IEventService.cs
@@ -30,6 +30,6 @@ public interface IEventService
    Task LogProviderOrganizationEventsAsync(IEnumerable<(ProviderOrganization, EventType, DateTime?)> events);
    Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type, DateTime? date = null);
    Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type, EventSystemUser systemUser, DateTime? date = null);
-    Task LogServiceAccountSecretEventAsync(Guid serviceAccountId, Secret secret, EventType type, DateTime? date = null);
+    Task LogUserSecretsEventAsync(Guid userId, IEnumerable<Secret> secrets, EventType type, DateTime? date = null);
    Task LogServiceAccountSecretsEventAsync(Guid serviceAccountId, IEnumerable<Secret> secrets, EventType type, DateTime? date = null);
 }
--- a/src/Core/AdminConsole/Services/Implementations/EventService.cs
+++ b/src/Core/AdminConsole/Services/Implementations/EventService.cs
@@ -409,9 +409,30 @@ public class EventService : IEventService
        await _eventWriteService.CreateAsync(e);
    }

-    public async Task LogServiceAccountSecretEventAsync(Guid serviceAccountId, Secret secret, EventType type, DateTime? date = null)
+    public async Task LogUserSecretsEventAsync(Guid userId, IEnumerable<Secret> secrets, EventType type, DateTime? date = null)
    {
-        await LogServiceAccountSecretsEventAsync(serviceAccountId, new[] { secret }, type, date);
+        var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+        var eventMessages = new List<IEvent>();
+
+        foreach (var secret in secrets)
+        {
+            if (!CanUseEvents(orgAbilities, secret.OrganizationId))
+            {
+                continue;
+            }
+
+            var e = new EventMessage(_currentContext)
+            {
+                OrganizationId = secret.OrganizationId,
+                Type = type,
+                SecretId = secret.Id,
+                UserId = userId,
+                Date = date.GetValueOrDefault(DateTime.UtcNow)
+            };
+            eventMessages.Add(e);
+        }
+
+        await _eventWriteService.CreateManyAsync(eventMessages);
    }

    public async Task LogServiceAccountSecretsEventAsync(Guid serviceAccountId, IEnumerable<Secret> secrets, EventType type, DateTime? date = null)
--- a/src/Core/AdminConsole/Services/NoopImplementations/NoopEventService.cs
+++ b/src/Core/AdminConsole/Services/NoopImplementations/NoopEventService.cs
@@ -116,7 +116,7 @@ public class NoopEventService : IEventService
        return Task.FromResult(0);
    }

-    public Task LogServiceAccountSecretEventAsync(Guid serviceAccountId, Secret secret, EventType type,
+    public Task LogUserSecretsEventAsync(Guid userId, IEnumerable<Secret> secrets, EventType type,
        DateTime? date = null)
    {
        return Task.FromResult(0);