feat: audit logs for "Stop Job" action (#392)

## 📝 Description

Added auditing for stop job operation via Web and API/CLI.

Introduced audit middleware to the `public-api-gateway` service to
capture and log these actions. The middleware is designed to be
extensible for future auditing of other API operations.

Related [task](renderedtext/tasks#8123). 
## ✅ Checklist
- [x] I have tested this change
- [x] ~This change requires documentation update~ - N/A

Author: dexyk

.semaphore/daily-builds.yml

@@ -1993,6 +1993,9 @@ blocks:
         - name: "Test"
           commands:
             - make test
+        - name: "E2E Test"
+          commands:
+            - make test.e2e
         - name: "Lint"
           commands:
             - make lint

.semaphore/semaphore.yml

@@ -2191,6 +2191,9 @@ blocks:
         - name: "Test"
           commands:
             - make test
+        - name: "E2E Test"
+          commands:
+            - make test.e2e
         - name: "Lint"
           commands:
             - make lint

front/lib/front/audit/events_decorator.ex

@@ -33,6 +33,10 @@ defmodule Front.Audit.EventsDecorator do
       field(:pipeline, Front.Models.Pipeline.t(), enforce: false)
       field(:has_pipeline, String.t(), enforce: false, default: false)
 
+      field(:job_id, String.t(), enforce: false)
+      field(:job, Front.Models.Job.t(), enforce: false)
+      field(:has_job, String.t(), enforce: false, default: false)
+
       field(:agent, Map.t(), enforce: false)
     end
   end
@@ -78,6 +82,10 @@ defmodule Front.Audit.EventsDecorator do
       has_workflow: false,
       pipeline_id: Map.get(metadata, "pipeline_id", nil),
 
+      # initialy setting it to false, later the preloader can change it
+      has_job: false,
+      job_id: Map.get(metadata, "job_id", nil),
+
       # inject agent data if the event is related to a self-hosted agent
       agent: decorate_agent(event, metadata)
     )

front/lib/front/audit/events_decorator/preloader.ex

@@ -19,15 +19,18 @@ defmodule Front.Audit.EventsDecorator.Preloader do
     project_ids = extract_unique_id_list(events, :project_id)
     workflow_ids = extract_unique_id_list(events, :workflow_id)
     pipeline_ids = extract_unique_id_list(events, :pipeline_id)
+    job_ids = extract_unique_id_list(events, :job_id)
 
     projects = Front.Models.Project.find_many_by_ids(project_ids)
     workflows = Front.Models.Workflow.find_many_by_ids(workflow_ids)
     pipelines = Front.Models.Pipeline.find_many(pipeline_ids)
+    jobs = find_jobs_by_ids(job_ids)
 
     inject(events, %{
       projects: remove_nils(projects),
       workflows: remove_nils(workflows),
-      pipelines: remove_nils(pipelines)
+      pipelines: remove_nils(pipelines),
+      jobs: remove_nils(jobs)
     })
   end
 
@@ -36,11 +39,13 @@ defmodule Front.Audit.EventsDecorator.Preloader do
       project = Enum.find(data.projects, fn p -> p.id == event.project_id end)
       workflow = Enum.find(data.workflows, fn w -> w.id == event.workflow_id end)
       pipeline = Enum.find(data.pipelines, fn p -> p.id == event.pipeline_id end)
+      job = Enum.find(data.jobs, fn j -> j.id == event.job_id end)
 
       event
       |> add_if_not_nil(project, :project, :has_project)
       |> add_if_not_nil(workflow, :workflow, :has_workflow)
       |> add_if_not_nil(pipeline, :pipeline, :has_pipeline)
+      |> add_if_not_nil(job, :job, :has_job)
     end)
   end
 
@@ -58,4 +63,14 @@ defmodule Front.Audit.EventsDecorator.Preloader do
   end
 
   defp remove_nils(arr), do: Enum.filter(arr, fn e -> e != nil end)
+
+  defp find_jobs_by_ids([]), do: []
+
+  defp find_jobs_by_ids([id | ids]) do
+    Front.Models.Job.find(id)
+    |> case do
+      nil -> find_jobs_by_ids(ids)
+      job -> [job | find_jobs_by_ids(ids)]
+    end
+  end
 end

front/lib/front_web/controllers/job_controller.ex

@@ -2,7 +2,7 @@ defmodule FrontWeb.JobController do
   require Logger
   use FrontWeb, :controller
 
-  alias Front.Async
+  alias Front.{Async, Audit}
   alias Front.MemoryCookie
   alias Front.Models
   alias FrontWeb.Plugs.{FetchPermissions, Header, PageAccess, PublicPageAccess, PutProjectAssigns}
@@ -216,6 +216,8 @@ defmodule FrontWeb.JobController do
 
       case Front.Models.Job.stop(job_id, user_id) do
         {:ok, _} ->
+          audit_log(conn, :Stopped, user_id, job_id)
+
           conn
           |> put_flash(:notice, "Job will be stopped shortly.")
           |> redirect(to: job_path(conn, :show, job_id))
@@ -311,6 +313,21 @@ defmodule FrontWeb.JobController do
     end)
   end
 
+  def audit_log(conn, action, user_id, job_id) do
+    conn
+    |> Audit.new(:Job, action)
+    |> Audit.add(description: audit_desc(action))
+    |> Audit.add(resource_id: job_id)
+    |> Audit.metadata(requester_id: user_id)
+    |> Audit.metadata(project_id: conn.assigns.project.id)
+    |> Audit.metadata(project_name: conn.assigns.project.name)
+    |> Audit.metadata(pipeline_id: conn.assigns.job.ppl_id)
+    |> Audit.metadata(job_id: conn.assigns.job.id)
+    |> Audit.log()
+  end
+
+  defp audit_desc(:Stopped), do: "Stopped the job"
+
   # Private
 
   defp send_first_chunk(conn, next) do

front/lib/front_web/templates/audit/index.html.eex

@@ -34,6 +34,9 @@
                   <div>Pipeline: <%= link event.pipeline.name, to: workflow_path(@conn, :show, event.workflow.id, pipeline_id: event.pipeline.id)  %></div>
                 <% end %>
               <% end %>
+              <%= if event.has_job do %>
+                <div>Job: <%= link event.job.name, to: job_path(@conn, :show, event.job.id) %></div>
+              <% end %>
             <% end %>
             <div><%= event.description %></div>
             </div>

public-api-gateway/Dockerfile

@@ -13,30 +13,34 @@ RUN echo "Build of $APP_NAME started"
 RUN apt-get update -y && apt-get install --no-install-recommends -y ca-certificates unzip curl libc-bin libc6 \
     && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
-WORKDIR /app
-COPY api api
-COPY go.mod go.mod
-COPY go.sum go.sum
-COPY main.go main.go
-
-FROM base AS dev
-
-COPY test test
-COPY scripts scripts
-COPY lint.toml lint.toml
-
 WORKDIR /tmp
 RUN curl -sL https://github.com/google/protobuf/releases/download/v3.3.0/protoc-3.3.0-linux-x86_64.zip -o protoc && \
   unzip protoc && \
   mv bin/protoc /usr/local/bin/protoc
 
 WORKDIR /app
+
 RUN go install github.com/mgechev/[email protected]
 RUN go install gotest.tools/[email protected]
 RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
 RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+
+FROM base AS dev
+
+WORKDIR /app
+
+COPY api api
+COPY protos protos
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY main.go main.go
+
 RUN rm -rf build && CGO_ENABLED=0 go build -o build/server main.go
 
+COPY test test
+COPY scripts scripts
+COPY lint.toml lint.toml
+
 CMD [ "/bin/bash",  "-c \"while sleep 1000; do :; done\"" ]
 
 FROM ${RUNNER_IMAGE} AS runner

public-api-gateway/Makefile

@@ -29,8 +29,11 @@ api.checkout:
 bin.build:
 	docker compose run --remove-orphans --rm $(VOLUME_BIND) app sh -c "rm -rf build && CGO_ENABLED=0 go build -o build/server main.go"
 
-test: bin.build
+test.e2e: bin.build
 	docker compose run --remove-orphans --rm $(VOLUME_BIND) app bash ./test/test.sh
 
+test:
+	docker compose run --remove-orphans --rm $(VOLUME_BIND) app gotestsum --format short-verbose --junitfile out/test-reports.xml --packages="./..." -- -p 1
+
 lint:
 	docker compose run --remove-orphans --rm $(VOLUME_BIND) app revive -formatter friendly -config lint.toml ./...

public-api-gateway/api/clients/audit_client.go

@@ -0,0 +1,102 @@
+package clients
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/renderedtext/go-tackle"
+	"google.golang.org/protobuf/proto"
+
+	auditProto "github.com/semaphoreio/semaphore/public-api-gateway/protos/audit"
+)
+
+// AuditClient provides methods for sending audit events
+type AuditClient struct {
+	tacklePublisher *tackle.Publisher
+	amqpURL         string
+}
+
+// AuditEventOptions contains options for creating an audit event
+type AuditEventOptions struct {
+	// UserID of the user performing the action
+	UserID string
+	// OrgID of the organization where the action is performed
+	OrgID string
+	// Resource type that is being audited
+	Resource auditProto.Event_Resource
+	// Operation being performed
+	Operation auditProto.Event_Operation
+	// Description of the audit event
+	Description string
+	// ResourceID of the affected resource
+	ResourceID string
+	// ResourceName of the affected resource
+	ResourceName string
+	// Medium through which the action was performed (e.g. API, CLI)
+	Medium auditProto.Event_Medium
+	// Additional metadata
+	Metadata map[string]string
+	// IP address of the client
+	IPAddress string
+	// Username of the user
+	Username string
+}
+
+// NewAuditClient creates a new audit client
+func NewAuditClient(amqpURL string) (*AuditClient, error) {
+	client := &AuditClient{
+		amqpURL: amqpURL,
+	}
+
+	if amqpURL == "" {
+		return nil, fmt.Errorf("AMQP URL is required")
+	}
+
+	tacklePublisher, err := tackle.NewPublisher(amqpURL, tackle.PublisherOptions{
+		ConnectionName:    clientConnectionName(),
+		ConnectionTimeout: 5 * time.Second,
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AMQP publisher: %w", err)
+	}
+
+	client.tacklePublisher = tacklePublisher
+
+	return client, nil
+}
+
+// SendAuditEvent sends an audit event via AMQP
+func (c *AuditClient) SendAuditEvent(ctx context.Context, event *auditProto.Event) error {
+	data, err := proto.Marshal(event)
+	if err != nil {
+		return fmt.Errorf("error marshaling audit event: %w", err)
+	}
+
+	err = c.tacklePublisher.PublishWithContext(ctx, &tackle.PublishParams{
+		Body:       data,
+		Exchange:   "audit",
+		RoutingKey: "log",
+	})
+
+	if err != nil {
+		glog.Errorf("Error publishing audit event: %v", err)
+		return fmt.Errorf("error publishing audit event: %w", err)
+	}
+
+	glog.Infof("Audit event published via AMQP: resource=%s, operation=%s, resource_id=%s, operation_id=%s", event.Resource.String(), event.Operation.String(), event.ResourceId, event.OperationId)
+
+	return nil
+}
+
+func clientConnectionName() string {
+	hostname := os.Getenv("HOSTNAME")
+	if hostname == "" {
+		return "public-api-gateway"
+	}
+
+	return hostname
+}