MB-46881: Audit for updating scope limits

anuthan · anuthan · commit 57637bf3e740 · 2021-09-03T01:06:26.000Z
Change-Id: I640d0b29128f29d3e2476039de128bf02282acd7 Reviewed-on: http://review.couchbase.org/c/ns_server/+/159833 Tested-by: Abhijeeth Nuthan <abhijeeth.nuthan@couchbase.com> Well-Formed: Build Bot <build@couchbase.com> Reviewed-by: Artem Stemkovski <artem@couchbase.com>
diff --git a/etc/audit_descriptor.json b/etc/audit_descriptor.json
@@ -1186,6 +1186,7 @@
               "new_manifest_uid" : ""
           },
           "optional_fields" : {
+              "limits" : "",
               "sessionid" : ""
           }
       },
@@ -1341,7 +1342,27 @@
           "optional_fields" : {
               "sessionid" : ""
           }
+      },
+      {
+          "id" : 8268,
+          "name" : "update scope",
+          "description" : "Scope properties were updated",
+          "sync" : false,
+          "enabled" : true,
+          "filtering_permitted" : false,
+          "mandatory_fields" : {
+              "timestamp" : "",
+              "real_userid" : {"domain" : "", "user" : ""},
+              "remote" : {"ip" : "", "port" : 1},
+              "local" : {"ip" : "", "port" : 1},
+              "bucket_name" : "",
+              "scope_name" : "",
+              "new_manifest_uid" : ""
+          },
+          "optional_fields" : {
+              "limits" : "",
+              "sessionid" : ""
+          }
       }
-
     ]
 }
diff --git a/src/collections.erl b/src/collections.erl
@@ -52,6 +52,7 @@
          get_scopes/1,
          get_collections/1,
          diff_manifests/2,
+         jsonify_limits/1,
          last_seen_ids_key/2,
          last_seen_ids_set/3]).
 
@@ -232,6 +233,9 @@ manifest_json(Identity, Bucket, Snapshot) ->
                          Manifest),
     jsonify_manifest(FilteredManifest, true).
 
+jsonify_limits(Limits) ->
+    {[{S, {L}} || {S, L} <- Limits]}.
+
 jsonify_manifest(Manifest, WithDefaults) ->
     ScopesJson =
         lists:map(
@@ -240,8 +244,7 @@ jsonify_manifest(Manifest, WithDefaults) ->
                                    [] ->
                                        [];
                                    Limits ->
-                                       [{limits,
-                                         {[{S, {L}} || {S, L} <- Limits]}}]
+                                       [{limits, jsonify_limits(Limits)}]
                                end,
                   {[{name, list_to_binary(ScopeName)},
                     {uid, uid(Scope)},
diff --git a/src/menelaus_web_collections.erl b/src/menelaus_web_collections.erl
@@ -31,6 +31,16 @@ handle_get(Bucket, Req) ->
       Req, collections:manifest_json(menelaus_auth:get_identity(Req),
                                      Bucket, direct)).
 
+get_scope_audit_props(Limits) ->
+    Limits1 = case Limits of
+                     no_limits ->
+                         [];
+                     _ ->
+                         Limits
+                 end,
+    LimitsJson = ejson:encode(collections:jsonify_limits(Limits1)),
+    [{limits, LimitsJson}].
+
 handle_post_scope(Bucket, Req) ->
     assert_api_available(Bucket),
 
@@ -41,11 +51,17 @@ handle_post_scope(Bucket, Req) ->
               RV = collections:create_scope(Bucket, Name, Limits),
               case {RV, Limits} of
                   {{scope_already_exists, _}, L} when L =/= no_limits ->
-                      RV1 = collections:update_limits(Bucket, Name, Limits),
-                      handle_rv(RV1, Req);
+                      Ret = collections:update_limits(Bucket, Name, Limits),
+                      maybe_audit(Ret, Req,
+                                  ns_audit:update_scope(
+                                    _, Bucket, Name,
+                                    get_scope_audit_props(Limits), _)),
+                      handle_rv(Ret, Req);
                   _ ->
                       maybe_audit(RV, Req,
-                                  ns_audit:create_scope(_, Bucket, Name, _)),
+                                  ns_audit:create_scope(
+                                    _, Bucket, Name,
+                                    get_scope_audit_props(Limits), _)),
                       handle_rv(RV, Req)
               end
       end, Req, form,
diff --git a/src/ns_audit.erl b/src/ns_audit.erl
@@ -31,7 +31,8 @@
          modify_bucket/4,
          delete_bucket/2,
          flush_bucket/2,
-         create_scope/4,
+         create_scope/5,
+         update_scope/5,
          drop_scope/4,
          create_collection/5,
          drop_collection/5,
@@ -370,7 +371,9 @@ code(rbac_info_retrieved) ->
 code(admin_password_reset) ->
     8266;
 code(modify_analytics_settings) ->
-    8267.
+    8267;
+code(update_scope) ->
+    8268.
 
 to_binary({list, List}) ->
     [to_binary(A) || A <- List];
@@ -885,10 +888,18 @@ failover_settings(Req, Settings) ->
     put(failover_settings, Req,
         [{settings, {prepare_list(Settings1)}}]).
 
-create_scope(Req, BucketName, ScopeName, Uid) ->
+get_scope_params(BucketName, ScopeName, Props, Uid) ->
+    [{bucket_name, BucketName},
+     {scope_name, ScopeName},
+     {new_manifest_uid, Uid}] ++ Props.
+
+update_scope(Req, BucketName, ScopeName, Props, Uid) ->
+    put(update_scope, Req,
+        get_scope_params(BucketName, ScopeName, Props, Uid)).
+
+create_scope(Req, BucketName, ScopeName, Props, Uid) ->
     put(create_scope, Req,
-        [{bucket_name, BucketName}, {scope_name, ScopeName},
-         {new_manifest_uid, Uid}]).
+        get_scope_params(BucketName, ScopeName, Props, Uid)).
 
 drop_scope(Req, BucketName, ScopeName, Uid) ->
     put(drop_scope, Req,
