fix: removed the exposed NodesAuditEventsGet RPC handler that exposed eventually sensitive metadata

tegefaulkes · tegefaulkes · commit 8b02ceb4757b · 2025-06-02T13:04:52.000+10:00
It is being removed for now but the handler code itself is being kept. It needs to be protected by some permission system, probably a claim with authority to get audit data for a private network.

Updating network version since this breaks an existing RPC handler. However, nothing currently uses it.
diff --git a/src/PolykeyAgent.ts b/src/PolykeyAgent.ts
@@ -718,7 +718,6 @@ class PolykeyAgent {
         port: optionsDefaulted.agentServicePort,
         ipv6Only: optionsDefaulted.ipv6Only,
         agentService: agentServerManifest({
-          audit: this.audit,
           acl: this.acl,
           db: this.db,
           keyRing: this.keyRing,
diff --git a/src/config.ts b/src/config.ts
@@ -33,7 +33,7 @@ const config = {
    * It is only incremented on breaking changes
    * Use this to know if you must upgrade your service client
    */
-  networkVersion: 2,
+  networkVersion: 3,
   /**
    * Default provider configuration
    * These are managed by Matrix AI and Polykey developers
diff --git a/src/nodes/agent/callers/index.ts b/src/nodes/agent/callers/index.ts
@@ -1,6 +1,5 @@
 import type { ClientManifest } from '@matrixai/rpc';
 import nodesAuthenticateConnection from './nodesAuthenticateConnection.js';
-import nodesAuditEventsGet from './nodesAuditEventsGet.js';
 import nodesClaimsGet from './nodesClaimsGet.js';
 import nodesClosestActiveConnectionsGet from './nodesClosestActiveConnectionsGet.js';
 import nodesClosestLocalNodesGet from './nodesClosestLocalNodesGet.js';
@@ -40,7 +39,6 @@ type AgentClientManifestNodeManager = typeof manifestClientNodeManager &
 const manifestClient = {
   ...manifestClientNodeConnectionManager,
   ...manifestClientNodeManager,
-  nodesAuditEventsGet,
   nodesClaimNetworkSign,
   nodesClaimNetworkVerify,
   notificationsSend,
@@ -57,7 +55,6 @@ export {
   manifestClientNodeConnectionManager,
   manifestClientNodeManager,
   nodesAuthenticateConnection,
-  nodesAuditEventsGet,
   nodesClaimsGet,
   nodesClosestActiveConnectionsGet,
   nodesClosestLocalNodesGet,
diff --git a/src/nodes/agent/handlers/NodesAuditEventsGet.ts b/src/nodes/agent/handlers/NodesAuditEventsGet.ts
@@ -13,6 +13,8 @@ import type { AuditEventId } from '../../../ids/index.js';
 import { ServerHandler } from '@matrixai/rpc';
 import * as auditUtils from '../../../audit/utils.js';
 
+// This is currently not used until security is built into it. It will require some way to verify that the requesting
+//  node should have access to the information. For that we need a claim that we can verify.
 /**
  * Gets audit events from a node
  */
diff --git a/src/nodes/agent/handlers/index.ts b/src/nodes/agent/handlers/index.ts
@@ -1,7 +1,6 @@
 import type { DB } from '@matrixai/db';
 import type Logger from '@matrixai/logger';
 import type KeyRing from '../../../keys/KeyRing.js';
-import type Audit from '../../../audit/Audit.js';
 import type Sigchain from '../../../sigchain/Sigchain.js';
 import type ACL from '../../../acl/ACL.js';
 import type NodeGraph from '../../../nodes/NodeGraph.js';
@@ -11,7 +10,6 @@ import type NotificationsManager from '../../../notifications/NotificationsManag
 import type VaultManager from '../../../vaults/VaultManager.js';
 import type { AgentClientManifest } from '../callers/index.js';
 import NodesAuthenticateConnection from './NodesAuthenticateConnection.js';
-import NodesAuditEventsGet from './NodesAuditEventsGet.js';
 import NodesClaimsGet from './NodesClaimsGet.js';
 import NodesClosestActiveConnectionsGet from './NodesClosestActiveConnectionsGet.js';
 import NodesClosestLocalNodesGet from './NodesClosestLocalNodesGet.js';
@@ -28,7 +26,6 @@ import VaultsScan from './VaultsScan.js';
  * Server manifest factory.
  */
 const manifestServer = (container: {
-  audit: Audit;
   db: DB;
   sigchain: Sigchain;
   nodeGraph: NodeGraph;
@@ -42,7 +39,6 @@ const manifestServer = (container: {
 }) => {
   return {
     nodesAuthenticateConnection: new NodesAuthenticateConnection(container),
-    nodesAuditEventsGet: new NodesAuditEventsGet(container),
     nodesClaimsGet: new NodesClaimsGet(container),
     nodesClosestActiveConnectionsGet: new NodesClosestActiveConnectionsGet(
       container,
@@ -65,7 +61,6 @@ export default manifestServer;
 
 export {
   NodesAuthenticateConnection,
-  NodesAuditEventsGet,
   NodesClaimsGet,
   NodesClosestActiveConnectionsGet,
   NodesClosestLocalNodesGet,
diff --git a/tests/nodes/agent/handlers/nodesAuditsGet.test.ts b/tests/nodes/agent/handlers/nodesAuditsGet.test.ts
@@ -14,7 +14,7 @@ import { RPCClient, RPCServer } from '@matrixai/rpc';
 import * as tlsTestsUtils from '../../../utils/tls.js';
 import * as testNodesUtils from '../../../nodes/utils.js';
 import NodesAuditEventsGet from '#nodes/agent/handlers/NodesAuditEventsGet.js';
-import { nodesAuditEventsGet } from '#nodes/agent/callers/index.js';
+import nodesAuditEventsGet from '#nodes/agent/callers/nodesAuditEventsGet.js';
 import * as nodesUtils from '#nodes/utils.js';
 import KeyRing from '#keys/KeyRing.js';
 import Audit from '#audit/Audit.js';
