Add audit log for repo settings

Author: AndriiMysko

lib/travis/api/app/endpoint/logs.rb

@@ -8,6 +8,10 @@ class Logs < Endpoint
       get '/:id' do |id|
         resource = service(:find_log, id: params[:id]).run
         job = resource ? Job.find(resource.job_id) : nil
+        repo_can_write = !!job.repository.users.where(id: current_user.id, permissions: { push: true }).first
+
+        raise LogExpired if !job.repository.user_settings.job_log_time_based_limit && job.started_at < Time.now - job.repository.user_settings.job_log_access_older_than_days.days
+        raise LogAccessDenied if job.repository.user_settings.job_log_access_based_limit && !repo_can_write
 
         if !resource || ((job.try(:private?) || !allow_public?) && !has_permission?(job))
           halt 404

lib/travis/api/v3/models/audit.rb

@@ -0,0 +1,6 @@
+module Travis::API::V3
+  class Models::Audit < Model
+    belongs_to :owner, polymorphic: true
+    belongs_to :source, polymorphic: true
+  end
+end

lib/travis/api/v3/models/json_slice.rb

@@ -2,7 +2,9 @@
 
 module Travis::API::V3
   class Models::JsonSlice
-    include Virtus.model, Enumerable, Models::JsonSync, ActiveModel::Validations
+    include Virtus.model, Enumerable, Models::JsonSync, ActiveModel::Validations, ActiveSupport::Callbacks, ActiveModel::Dirty
+    extend ActiveSupport::Concern
+    define_callbacks :after_save
 
     class << self
       attr_accessor :child_klass
@@ -30,14 +32,21 @@ def read(name)
 
     def update(name, value)
       raise NotFound unless respond_to?(:"#{name}=")
+      @changes = { :"#{name}" => { before: send(name), after: value } } unless value == send(name)
       send(:"#{name}=", value)
       raise UnprocessableEntity, errors.full_messages.to_sentence unless valid?
       sync!
+      run_callbacks :after_save
+      @changes = {}
       read(name)
     end
 
     def to_h
       Hash[map { |x| [x.name, x.value] }]
     end
+
+    def changes
+      @changes
+    end
   end
 end

lib/travis/api/v3/models/user_settings.rb

@@ -20,8 +20,12 @@ class Models::UserSettings < Models::JsonSlice
 
     validate :job_log_access_older_than_days_restriction
 
+    set_callback :after_save, :after, :save_audit
+
     attr_reader :repo
 
+    attr_accessor :user, :change_source
+
     def initialize(repo, data)
       @repo = repo
       super(data)
@@ -75,5 +79,11 @@ def job_log_access_older_than_days_restriction
         errors.add(:job_log_access_older_than_days, "is outside the bounds")
       end
     end
+
+    private
+
+    def save_audit
+      Travis::API::V3::Models::Audit.create!(owner: self.user, change_source: self.change_source, source: self.repo, source_changes: { settings: self.changes })
+    end
   end
 end

lib/travis/api/v3/queries/user_setting.rb

@@ -6,8 +6,11 @@ def find(repository)
       repository.user_settings.read(_name)
     end
 
-    def update(repository)
-      repository.user_settings.update(_name, _value)
+    def update(repository, user)
+      user_settings = repository.user_settings
+      user_settings.user = user
+      user_settings.change_source = 'travis-api'
+      user_settings.update(_name, _value)
     end
 
     private

lib/travis/api/v3/services/user_setting/update.rb

@@ -10,7 +10,7 @@ def run!
       user_setting = query.find(repository)
       access_control.permissions(user_setting).write!
 
-      user_setting = query.update(repository)      
+      user_setting = query.update(repository, access_control.user)
       result user_setting
     end
   end