OpenRosa attachment update auditing (#1646)

* add failing test: OpenRosa attachment addition submission is not auditlogged

* blobs: refactor ensure()

- Make inserting a blob which already exists a true no-op
  (saves DB churn; the sha update of the replaced approach caused a row copy)
- Remove comment related to force-a-write-so-we-can-return-the-id
  (as we do it differently now)
- Remove comment about avoiding a TOCTOU issue by sending the file over
  (potentially unnecessarily).
  1. There was almost a TOCTOU issue anyway, but it was elided by
     touching every used row, which makes concurrent deleters/updaters
     of that row block until our transaction commit.
  2. Avoiding sending the file over *and* avoiding a TOCTOU should be
     doable with a row lock or advisory lock.

* OpenRosa submissions: auditlog updates to attachment set, also on subsequent POSTs (continuations of attachment uploads). Fixes getodk/central#1426

* Handle resubmitting or altering attachment when resending submission with missing attachment

---------

Co-authored-by: Kathleen Tuite <[email protected]>

Author: brontolosone

docs/api.yaml

@@ -931,7 +931,7 @@ tags:
     * `submission.create` when a new Submission is created.
     * `submission.update` when a Submission's metadata is updated.
     * `submission.update.version` when a Submission XML data is updated.
-    * `submission.attachment.update` when a Submission Attachment binary is set or cleared, but _only via the REST API_. Attachments created alongside the submission over the OpenRosa `/submission` API (including submissions from Collect) do not generate audit log entries.
+    * `submission.attachment.update` when a Submission Attachment binary is set or cleared.
     * `submission.delete` when a Submission is soft-deleted.
     * `submission.purge` when soft-deleted Submissions are purged.
     * `submission.restore` when a Submission is restored.

lib/model/query/blobs.js

@@ -12,20 +12,21 @@ const { isEmpty, map } = require('ramda');
 const { Blob } = require('../frames');
 const { construct } = require('../../util/util');
 
-// 1. there may be a better way to do this. with this approach, we always
-//    ship the bits to the database, even if they're already in there. shipping
-//    bits is expensive and slow.
-//    (but the old select-insert way was two separate round-trips in the did-not-exist
-//    case, which wasn't great either. and it has concurrency issues.)
-// 2. we /have/ to do an update on conflict in order for values to return.
-//    so we just set the sha back to what we already know it is.
+const DEFAULT_CONTENT_TYPE = 'application/octet-stream';
+
 const ensure = (blob) => ({ oneFirst }) => oneFirst(sql`
-with ensured as
-(insert into blobs (sha, md5, content, "contentType") values
-    (${blob.sha}, ${blob.md5}, ${sql.binary(blob.content)}, ${blob.contentType || sql`DEFAULT`})
-  on conflict (sha, "contentType") do update set sha = EXCLUDED.sha
-  returning id)
-select id from ensured`);
+  WITH extant AS (
+    SELECT id FROM blobs WHERE (sha, "contentType") = (${blob.sha}, ${blob.contentType || DEFAULT_CONTENT_TYPE})
+  ),
+  ensured AS (
+    INSERT INTO blobs (sha, md5, content, "contentType") VALUES (
+      ${blob.sha}, ${blob.md5}, ${sql.binary(blob.content)}, ${blob.contentType || sql`DEFAULT`}
+    )
+    ON CONFLICT (sha, "contentType") DO NOTHING
+    RETURNING id
+  )
+  SELECT coalesce((SELECT id FROM ensured), (SELECT id FROM extant)) as id
+`);
 
 const getById = (blobId) => ({ maybeOne }) =>
   maybeOne(sql`select * from blobs where id=${blobId}`)

lib/model/query/submission-attachments.js

@@ -100,21 +100,48 @@ const create = (submission, form, binaryFields, files = [], deprecated = []) =>
   });
 };
 
-const upsert = (def, files) => ({ Blobs, SubmissionAttachments }) =>
+const upsert = (submission, form, def, files) => ({ run, Blobs, SubmissionAttachments, context }) =>
   SubmissionAttachments.getAllByDefId(def.id)
     .then((expecteds) => {
       const lookup = new Set(expecteds.map((att) => att.name));
       const present = files.filter((file) => lookup.has(file.fieldname));
-      return Promise.all(present
-        .map((file) => Blobs.ensure(Blob.fromBuffer(file.buffer, file.mimetype || defaultMimetypeFor(file.fieldname)))
-          .then((blobId) => SubmissionAttachments.attach(def.id, file.fieldname, blobId))));
+      return Promise.all(
+        present.map((file) => Blobs.ensure(Blob.fromBuffer(file.buffer, file.mimetype || defaultMimetypeFor(file.fieldname)))
+          .then((blobId) => SubmissionAttachments.attach(def.id, file.fieldname, blobId))
+        )
+      ).then(linkResults =>
+        // auditlog the updates (only those which were added or of which the content changed)
+        linkResults
+          .filter(el => el.blobNow && el.blobBefore !== el.blobNow)
+          .map(linkResult =>
+            Audit.of(
+              context.auth.actor,
+              'submission.attachment.update',
+              form,
+              {
+                instanceId: submission.instanceId,
+                submissionDefId: def.id,
+                name: linkResult.name,
+                newBlobId: linkResult.blobNow,
+              }
+            )
+          )
+      ).then(auditsInSpe => run(insertMany(auditsInSpe)));
     });
 
-const attach = (defId, name, blobId) => ({ run }) => run(sql`
-update submission_attachments set "blobId"=${blobId}
-where "submissionDefId"=${defId} and name=${name}`);
-
-// TODO: this is currently audit logged in resource/submissions. probably deal w it here instead.
+const attach = (defId, name, blobId) => ({ one }) => one(sql`
+    WITH extant AS (
+      SELECT "blobId"
+      FROM submission_attachments
+      WHERE "submissionDefId"=${defId} AND name=${name}
+    ),
+    attached AS (
+      UPDATE submission_attachments SET "blobId"=${blobId}
+      WHERE "submissionDefId"=${defId} AND name=${name} AND "blobId" IS DISTINCT FROM ${blobId}
+      RETURNING "blobId"
+    )
+    SELECT ${name} as name, (SELECT "blobId" FROM extant) as "blobBefore", (SELECT "blobId" FROM attached) as "blobNow"
+`);
 
 const clear = (sa) => ({ run }) => run(sql`
 update submission_attachments set "blobId"=null

lib/resources/submissions.js

@@ -122,7 +122,7 @@ module.exports = (service, endpoint, anonymousEndpoint) => {
                       // EDITED SUBMISSION ATTACHMENT UPSERT REQUEST: check safety then do that.
                       if (Buffer.compare(Buffer.from(partial.xml), Buffer.from(usurper.xml)) !== 0)
                         throw Problem.user.xmlConflict();
-                      return SubmissionAttachments.upsert(usurper, files);
+                      return SubmissionAttachments.upsert(partial, form, usurper, files);
                     })
                   // SUBMISSION EDIT REQUEST: find the now-deprecated submission and supplant it.
                   : Promise.all([
@@ -140,7 +140,7 @@ module.exports = (service, endpoint, anonymousEndpoint) => {
                     // ATTACHMENT UPSERT REQUEST: check safety and add attachments to the extant def.
                     if (extant.current !== true) throw Problem.user.deprecatingOldSubmission({ instanceId: partial.instanceId });
                     if (Buffer.compare(Buffer.from(partial.xml), Buffer.from(extant.xml)) !== 0) throw Problem.user.xmlConflict();
-                    return SubmissionAttachments.upsert(extant, files);
+                    return SubmissionAttachments.upsert(partial, form, extant, files);
                   }
                   // NEW SUBMISSION REQUEST: create a new submission and attachments.
                   return Promise.all([

test/integration/api/audits.js

@@ -864,5 +864,110 @@ describe('/audits', () => {
             }));
       }));
     });
+
+    describe('audit logs of OpenRosa submission attachment events', () => {
+      it('should get the attachment events of a (partial) submission', testService((service) =>
+        service.login('alice', (asAlice) =>
+          asAlice.post('/v1/projects/1/forms?publish=true')
+            .set('Content-Type', 'application/xml')
+            .send(testData.forms.binaryType)
+            .expect(200)
+            .then(() => asAlice.post('/v1/projects/1/submission')
+              .set('X-OpenRosa-Version', '1.0')
+              .attach('xml_submission_file', Buffer.from(testData.instances.binaryType.both), { filename: 'data.xml' })
+              .attach('my_file1.mp4', Buffer.from('this is test file one'), { filename: 'my_file1.mp4' })
+              .expect(201)
+              .then(() => asAlice.get('/v1/audits?action=submission.attachment.update')
+                .expect(200))
+              .then(({ body }) => {
+                body[0].details.name.should.equal('my_file1.mp4');
+              })
+            )
+            .then(() => asAlice.post('/v1/projects/1/submission')
+              .set('X-OpenRosa-Version', '1.0')
+              .attach('xml_submission_file', Buffer.from(testData.instances.binaryType.both), { filename: 'data.xml' })
+              .attach('here_is_file2.jpg', Buffer.from('this is test file two'), { filename: 'here_is_file2.jpg' })
+              .expect(201)
+              .then(() => asAlice.get('/v1/audits?action=submission.attachment.update')
+                .expect(200))
+              .then(({ body }) => {
+                body.length.should.equal(2);
+                body[0].details.name.should.equal('here_is_file2.jpg');
+                body[1].details.name.should.equal('my_file1.mp4');
+              })
+            )
+        )
+      ));
+
+      it('should handle resubmitting partial submission with all attachments', testService((service) =>
+        service.login('alice', (asAlice) =>
+          asAlice.post('/v1/projects/1/forms?publish=true')
+            .set('Content-Type', 'application/xml')
+            .send(testData.forms.binaryType)
+            .expect(200)
+            .then(() => asAlice.post('/v1/projects/1/submission')
+              .set('X-OpenRosa-Version', '1.0')
+              .attach('xml_submission_file', Buffer.from(testData.instances.binaryType.both), { filename: 'data.xml' })
+              .attach('my_file1.mp4', Buffer.from('this is test file one'), { filename: 'my_file1.mp4' })
+              .expect(201)
+              .then(() => asAlice.get('/v1/audits?action=submission.attachment.update')
+                .expect(200))
+              .then(({ body }) => {
+                body[0].details.name.should.equal('my_file1.mp4');
+              })
+            )
+            .then(() => asAlice.post('/v1/projects/1/submission')
+              .set('X-OpenRosa-Version', '1.0')
+              .attach('xml_submission_file', Buffer.from(testData.instances.binaryType.both), { filename: 'data.xml' })
+              .attach('my_file1.mp4', Buffer.from('this is test file one'), { filename: 'my_file1.mp4' })
+              .attach('here_is_file2.jpg', Buffer.from('this is test file two'), { filename: 'here_is_file2.jpg' })
+              .expect(201)
+              .then(() => asAlice.get('/v1/audits?action=submission.attachment.update')
+                .expect(200))
+              .then(({ body }) => {
+                body.length.should.equal(2);
+                body[0].details.name.should.equal('here_is_file2.jpg');
+                body[1].details.name.should.equal('my_file1.mp4');
+              })
+            )
+        )
+      ));
+
+      it('should handle resubmitting partial submission with contents of attachment changed', testService((service) =>
+        service.login('alice', (asAlice) =>
+          asAlice.post('/v1/projects/1/forms?publish=true')
+            .set('Content-Type', 'application/xml')
+            .send(testData.forms.binaryType)
+            .expect(200)
+            .then(() => asAlice.post('/v1/projects/1/submission')
+              .set('X-OpenRosa-Version', '1.0')
+              .attach('xml_submission_file', Buffer.from(testData.instances.binaryType.both), { filename: 'data.xml' })
+              .attach('my_file1.mp4', Buffer.from('this is test file one'), { filename: 'my_file1.mp4' })
+              .expect(201)
+              .then(() => asAlice.get('/v1/audits?action=submission.attachment.update')
+                .expect(200))
+              .then(({ body }) => {
+                body[0].details.name.should.equal('my_file1.mp4');
+              })
+            )
+            .then(() => asAlice.post('/v1/projects/1/submission')
+              .set('X-OpenRosa-Version', '1.0')
+              .attach('xml_submission_file', Buffer.from(testData.instances.binaryType.both), { filename: 'data.xml' })
+              .attach('my_file1.mp4', Buffer.from('file one contents have changed'), { filename: 'my_file1.mp4' })
+              .attach('here_is_file2.jpg', Buffer.from('this is test file two'), { filename: 'here_is_file2.jpg' })
+              .expect(201)
+              .then(() => asAlice.get('/v1/audits?action=submission.attachment.update')
+                .expect(200))
+              .then(({ body }) => {
+                body.length.should.equal(3);
+                body[0].details.name.should.equal('here_is_file2.jpg');
+                body[1].details.name.should.equal('my_file1.mp4');
+                body[2].details.name.should.equal('my_file1.mp4');
+                body[1].details.newBlobId.should.not.equal(body[2].details.newBlobId);
+              })
+            )
+        )
+      ));
+    });
   });
 });