Create audit log when archive is sent to device (#1847)

nshoes · web-flow · commit b2454311208f · 2025-02-04T08:09:01.000+13:00
If an archive is sent to a device on connect or from an archive update,
an audit log is created specifying device, deployment, and archive
details.
diff --git a/lib/nerves_hub/audit_logs/templates/device_templates.ex b/lib/nerves_hub/audit_logs/templates/device_templates.ex
@@ -2,7 +2,9 @@ defmodule NervesHub.AuditLogs.DeviceTemplates do
   @moduledoc """
   Templates for and handling of audit logging for device operations.
   """
+
   alias NervesHub.Accounts.User
+  alias NervesHub.Archives.Archive
   alias NervesHub.AuditLogs
   alias NervesHub.Deployments.Deployment
   alias NervesHub.Devices.Device
@@ -107,4 +109,18 @@ defmodule NervesHub.AuditLogs.DeviceTemplates do
       "Multiple matching deployments found, updating #{device.identifier}'s deployment to #{deployment.name}"
     )
   end
+
+  @spec audit_device_archive_update_triggered(Device.t(), Archive.t(), UUIDv7.t()) :: :ok
+  def audit_device_archive_update_triggered(
+        device,
+        archive,
+        reference_id
+      ) do
+    description =
+      "Archive update triggered for #{device.identifier}. Sending archive #{archive.uuid}."
+
+    AuditLogs.audit_with_ref!(device, device, description, reference_id)
+
+    :ok
+  end
 end
diff --git a/lib/nerves_hub_web/channels/device_channel.ex b/lib/nerves_hub_web/channels/device_channel.ex
@@ -160,7 +160,7 @@ defmodule NervesHubWeb.DeviceChannel do
   end
 
   def handle_info(%Broadcast{event: "archives/updated"}, socket) do
-    {:noreply, maybe_send_archive(socket)}
+    {:noreply, maybe_send_archive(socket, audit_log: true)}
   end
 
   def handle_info(%Broadcast{event: "moved"}, %{assigns: %{device: device}} = socket) do
@@ -203,7 +203,7 @@ defmodule NervesHubWeb.DeviceChannel do
       socket
       |> update_device(device)
       |> maybe_start_penalty_timer()
-      |> maybe_send_archive()
+      |> maybe_send_archive(audit_log: true)
 
     {:noreply, socket}
   end
@@ -485,12 +485,21 @@ defmodule NervesHubWeb.DeviceChannel do
     end
   end
 
-  defp maybe_send_archive(%{assigns: %{device: device}} = socket) do
+  defp maybe_send_archive(%{assigns: %{device: device}} = socket, opts \\ []) do
+    opts = Keyword.validate!(opts, audit_log: false)
     updates_enabled = device.updates_enabled && !Devices.device_in_penalty_box?(device)
     version_match = Version.match?(socket.assigns.device_api_version, ">= 2.0.0")
 
     if updates_enabled && version_match do
       if archive = Archives.archive_for_deployment(device.deployment_id) do
+        if opts[:audit_log],
+          do:
+            DeviceTemplates.audit_device_archive_update_triggered(
+              device,
+              archive,
+              socket.assigns.reference_id
+            )
+
         push(socket, "archive", %{
           size: archive.size,
           uuid: archive.uuid,
diff --git a/test/nerves_hub_web/channels/device_channel_test.exs b/test/nerves_hub_web/channels/device_channel_test.exs
@@ -2,10 +2,13 @@ defmodule NervesHubWeb.DeviceChannelTest do
   use NervesHubWeb.ChannelCase
   use DefaultMocks
 
+  import Ecto.Query
   import TrackerHelper
 
   alias NervesHub.Devices
+  alias NervesHub.AuditLogs.AuditLog
   alias NervesHub.Fixtures
+  alias NervesHub.Repo
   alias NervesHubWeb.DeviceChannel
   alias NervesHubWeb.DeviceSocket
   alias NervesHubWeb.ExtensionsChannel
@@ -91,6 +94,68 @@ defmodule NervesHubWeb.DeviceChannelTest do
     assert_push("archive_public_keys", %{keys: [_]})
   end
 
+  test "if archive is sent on connect an audit log is not created" do
+    %{certificate: certificate, params: params, archive_uuid: archive_uuid} =
+      archive_setup()
+
+    {:ok, socket} =
+      connect(DeviceSocket, %{}, connect_info: %{peer_data: %{ssl_cert: certificate.der}})
+
+    {:ok, %{}, _socket} = subscribe_and_join(socket, DeviceChannel, "device", params)
+
+    audit_log_count_before = Repo.aggregate(AuditLog, :count)
+
+    assert_push("archive", %{uuid: ^archive_uuid})
+
+    assert audit_log_count_before == Repo.aggregate(AuditLog, :count)
+  end
+
+  test "if archive is sent when an archive updates an audit log is created" do
+    %{device: device, certificate: certificate, params: params} = archive_setup()
+
+    {:ok, socket} =
+      connect(DeviceSocket, %{}, connect_info: %{peer_data: %{ssl_cert: certificate.der}})
+
+    {:ok, %{}, socket} = subscribe_and_join(socket, DeviceChannel, "device", params)
+
+    Phoenix.PubSub.broadcast(
+      NervesHub.PubSub,
+      "device:#{device.id}",
+      %Phoenix.Socket.Broadcast{event: "archives/updated"}
+    )
+
+    _ = :sys.get_state(socket.channel_pid)
+
+    assert Repo.exists?(
+             from(al in AuditLog,
+               where: like(al.description, "Archive update triggered for%")
+             )
+           )
+  end
+
+  test "if archive is sent when a device updates an audit log is created" do
+    %{device: device, certificate: certificate, params: params} = archive_setup()
+
+    {:ok, socket} =
+      connect(DeviceSocket, %{}, connect_info: %{peer_data: %{ssl_cert: certificate.der}})
+
+    {:ok, %{}, socket} = subscribe_and_join(socket, DeviceChannel, "device", params)
+
+    Phoenix.PubSub.broadcast(
+      NervesHub.PubSub,
+      "device:#{device.id}",
+      %Phoenix.Socket.Broadcast{event: "devices/updated"}
+    )
+
+    _ = :sys.get_state(socket.channel_pid)
+
+    assert Repo.exists?(
+             from(al in AuditLog,
+               where: like(al.description, "Archive update triggered for%")
+             )
+           )
+  end
+
   test "the first fwup_progress marks an update as happening" do
     user = Fixtures.user_fixture()
     {device, _firmware, _deployment} = device_fixture(user, %{identifier: "123"})
@@ -247,4 +312,30 @@ defmodule NervesHubWeb.DeviceChannelTest do
 
     {device, firmware, deployment}
   end
+
+  defp archive_setup() do
+    user = Fixtures.user_fixture()
+    org = Fixtures.org_fixture(user, %{name: "BigOrg2022"})
+    product = Fixtures.product_fixture(user, org, %{name: "Hop"})
+    org_key = Fixtures.org_key_fixture(org, user)
+    archive = %{uuid: archive_uuid} = Fixtures.archive_fixture(org_key, product)
+    firmware = Fixtures.firmware_fixture(org_key, product, %{dir: System.tmp_dir()})
+    deployment = Fixtures.deployment_fixture(org, firmware, %{archive_id: archive.id})
+
+    {device, _firmware, _deployment} =
+      device_fixture(user, %{identifier: "123", deployment_id: deployment.id})
+
+    %{db_cert: certificate} = Fixtures.device_certificate_fixture(device)
+
+    params =
+      for {k, v} <- Map.from_struct(device.firmware_metadata),
+          into: %{"device_api_version" => "2.0.1"} do
+        case k do
+          :uuid -> {"nerves_fw_uuid", Ecto.UUID.generate()}
+          _ -> {"nerves_fw_#{k}", v}
+        end
+      end
+
+    %{device: device, certificate: certificate, params: params, archive_uuid: archive_uuid}
+  end
 end
