Added admin audit log for admin config integration setup

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
 ### Changed
 - Add application's support for Nextcloud 30
+- Log admin configuration to  audit log (`/audit.log`)
 
 ## 2.6.3 - 2024-04-17
 ### Changed

lib/Controller/ConfigController.php

@@ -216,11 +216,21 @@ private function setIntegrationConfig(array $values): array {
 
 		// creates or replace the app password
 		if (key_exists('setup_app_password', $values) && $values['setup_app_password'] === true) {
+			$isAppPasswordBeingReplaced = $this->openprojectAPIService->hasAppPassword();
 			$this->openprojectAPIService->deleteAppPassword();
 			if (!$this->userManager->userExists(Application::OPEN_PROJECT_ENTITIES_NAME)) {
 				throw new NoUserException('User "' . Application::OPEN_PROJECT_ENTITIES_NAME . '" does not exists to create application password');
 			}
 			$appPassword = $this->openprojectAPIService->generateAppPasswordTokenForUser();
+			if($isAppPasswordBeingReplaced) {
+				$this->openprojectAPIService->logToAuditFile(
+					"Application password for user 'OpenProject has been replaced' with new password in application " . Application::APP_ID
+				);
+			} else {
+				$this->openprojectAPIService->logToAuditFile(
+					"New application password for user 'OpenProject' has been created in application " . Application::APP_ID
+				);
+			}
 		}
 
 		$oldOpenProjectOauthUrl = $this->config->getAppValue(
@@ -280,6 +290,11 @@ private function setIntegrationConfig(array $values): array {
 		// resetting and keeping the project folder setup should delete the user app password
 		if (key_exists('setup_app_password', $values) && $values['setup_app_password'] === false) {
 			$this->openprojectAPIService->deleteAppPassword();
+			if(!$runningFullReset) {
+				$this->openprojectAPIService->logToAuditFile(
+					"Project folder setup has been deactivated in application " . Application::APP_ID
+				);
+			}
 		}
 
 		$this->config->deleteAppValue(Application::APP_ID, 'oPOAuthTokenRevokeStatus');
@@ -337,6 +352,9 @@ private function setIntegrationConfig(array $values): array {
 		// so setting `fresh_project_folder_setup` as true
 		if ($runningFullReset) {
 			$this->config->setAppValue(Application::APP_ID, 'fresh_project_folder_setup', "1");
+			$this->openprojectAPIService->logToAuditFile(
+				"OpenProject Integration admin configuration has been reset in application " . Application::APP_ID
+			);
 		} elseif (key_exists('setup_app_password', $values) && key_exists('setup_project_folder', $values)) {
 			// for other cases when api has key 'setup_app_password' and 'setup_project_folder' we set it to false
 			// assuming user has either fully set the integration or partially without project folder/app password
@@ -366,6 +384,23 @@ private function setIntegrationConfig(array $values): array {
 	public function setAdminConfig(array $values): DataResponse {
 		try {
 			$result = $this->setIntegrationConfig($values);
+			$isOPOAuthCrdentialSet = key_exists('openproject_client_id', $values) &&
+				key_exists('openproject_client_secret', $values) &&
+				$values['openproject_client_id'] &&
+				$values['openproject_client_secret'];
+
+			if(key_exists('openproject_instance_url', $values) &&
+				$values['openproject_instance_url'] && !$isOPOAuthCrdentialSet) {
+				// sending admin audit log if admin has changed or added the openproject host url
+				$this->openprojectAPIService->logToAuditFile(
+					"OpenProject host url has been set to '" . $values['openproject_instance_url'] . "' in application " . Application::APP_ID
+				);
+			}
+			if($isOPOAuthCrdentialSet) {
+				$this->openprojectAPIService->logToAuditFile(
+					"OpenProject OAuth credential 'openproject_client_id' and 'openproject_client_secret' has been set in application " . Application::APP_ID
+				);
+			}
 			return new DataResponse($result);
 		} catch (OpenprojectGroupfolderSetupConflictException $e) {
 			return new DataResponse([
@@ -528,7 +563,11 @@ private function storeUserInfo(): array {
 	 * @return DataResponse
 	 */
 	public function autoOauthCreation(): DataResponse {
-		return new DataResponse($this->recreateOauthClientInformation());
+		$result = $this->recreateOauthClientInformation();
+		$this->openprojectAPIService->logToAuditFile(
+			"Nextcloud OAuth credential has been set in application " . Application::APP_ID
+		);
+		return new DataResponse($result);
 	}
 
 	private function deleteOauthClient(): void {

lib/Service/OpenProjectAPIService.php

@@ -21,6 +21,7 @@
 use OC\Authentication\Events\AppPasswordCreatedEvent;
 use OC\Authentication\Token\IProvider;
 use OC\User\NoUserException;
+use OCA\AdminAudit\AuditLogger;
 use OCA\GroupFolders\Folder\FolderManager;
 use OCA\OpenProject\AppInfo\Application;
 use OCA\OpenProject\Exception\OpenprojectErrorException;
@@ -49,6 +50,7 @@
 use OCP\IL10N;
 use OCP\IURLGenerator;
 use OCP\IUserManager;
+use OCP\Log\ILogFactory;
 use OCP\PreConditionNotMetException;
 use OCP\Security\ISecureRandom;
 use OCP\Server;
@@ -115,6 +117,7 @@ class OpenProjectAPIService {
 	 */
 	private ISubAdmin $subAdminManager;
 	private IDBConnection $db;
+	private ILogFactory $logFactory;
 
 
 	/**
@@ -125,6 +128,8 @@ class OpenProjectAPIService {
 	private IProvider $tokenProvider;
 	private ISecureRandom $random;
 	private IEventDispatcher $eventDispatcher;
+	private AuditLogger $auditLogger;
+
 	public function __construct(
 		string $appName,
 		IAvatarManager $avatarManager,
@@ -142,7 +147,8 @@ public function __construct(
 		ISecureRandom $random,
 		IEventDispatcher $eventDispatcher,
 		ISubAdmin $subAdminManager,
-		IDBConnection $db
+		IDBConnection $db,
+		ILogFactory $logFactory,
 	) {
 		$this->appName = $appName;
 		$this->avatarManager = $avatarManager;
@@ -161,6 +167,7 @@ public function __construct(
 		$this->random = $random;
 		$this->eventDispatcher = $eventDispatcher;
 		$this->db = $db;
+		$this->logFactory = $logFactory;
 	}
 
 	/**
@@ -1070,6 +1077,33 @@ class_exists('\OCA\GroupFolders\Folder\FolderManager') &&
 		);
 	}
 
+	/**
+	 * @param $auditLogMessage
+	 * @return void
+	 */
+	public function logToAuditFile($auditLogMessage): void {
+		if($this->isAdminAuditConfigSetCorrectly()) {
+			$this->auditLogger = new AuditLogger($this->logFactory, $this->config);
+			$this->auditLogger->info($auditLogMessage,
+				['app' => 'admin_audit']
+			);
+		}
+	}
+
+	public function isAdminAuditConfigSetCorrectly(): bool {
+		$logLevel = $this->config->getSystemValue('loglevel');
+		$configAuditFile = $this->config->getSystemValue('logfile_audit');
+		$logCondition = $this->config->getSystemValue('log.condition');
+		// All the above config should be satisfied in order for admin audit log for the integration application
+		// if any of the config is failed to be set then we are not able to send the admin audit logging in the audit.log file
+		return (
+			$this->appManager->isInstalled('admin_audit') &&
+			$configAuditFile === $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data') . '/audit.log' &&
+			(isset($logCondition["apps"]) && in_array('admin_audit', $logCondition["apps"])) &&
+			$logLevel >= 1
+		);
+	}
+
 	public function isTermsOfServiceAppEnabled(): bool {
 		return (
 			class_exists('\OCA\TermsOfService\Db\Entities\Signatory') &&
@@ -1081,6 +1115,8 @@ class_exists('\OCA\TermsOfService\Db\Mapper\TermsMapper') &&
 		);
 	}
 
+
+
 	/**
 	 * @return array<mixed>
 	 */
@@ -1231,6 +1267,9 @@ public function deleteAppPassword(): void {
 			foreach ($tokens as $token) {
 				if ($token->getName() === Application::OPEN_PROJECT_ENTITIES_NAME) {
 					$this->tokenProvider->invalidateTokenById(Application::OPEN_PROJECT_ENTITIES_NAME, $token->getId());
+					$this->logToAuditFile(
+						"Application password for user 'OpenProject has been deleted' in application " . Application::APP_ID
+					);
 				}
 			}
 		}

psalm.xml

@@ -38,6 +38,8 @@
 				<referencedClass name="Helmich\JsonAssert\JsonAssertions" />
 				<!-- these classes belong to the event app, which isn't compulsory, so might not exist while running psalm -->
 				<referencedClass name="OCP\App\Events\AppEnableEvent" />
+				<referencedClass name="OCA\AdminAudit\AuditLogger" />
+
 			</errorLevel>
 		</UndefinedClass>
 		<TooFewArguments>

tests/lib/Controller/OpenProjectAPIControllerTest.php

@@ -810,8 +810,11 @@ public function testIsValidOpenProjectInstance(
 		$response->method('getBody')->willReturn($body);
 		$service = $this->getMockBuilder(OpenProjectAPIService::class)
 			->disableOriginalConstructor()
-			->onlyMethods(['rawRequest'])
+			->onlyMethods(['rawRequest','isAdminAuditConfigSetCorrectly'])
 			->getMock();
+		$service
+			->method('isAdminAuditConfigSetCorrectly')
+			->willReturn(false);
 		$service
 			->method('rawRequest')
 			->willReturn($response);
@@ -873,11 +876,14 @@ public function testIsValidOpenProjectInstanceRedirectNoLocationHeader(): void {
 			->willReturn('');
 		$service = $this->getMockBuilder(OpenProjectAPIService::class)
 			->disableOriginalConstructor()
-			->onlyMethods(['rawRequest'])
+			->onlyMethods(['rawRequest','isAdminAuditConfigSetCorrectly'])
 			->getMock();
 		$service
 			->method('rawRequest')
 			->willReturn($response);
+		$service
+			->method('isAdminAuditConfigSetCorrectly')
+			->willReturn(false);
 		$controller = new OpenProjectAPIController(
 			'integration_openproject',
 			$this->requestMock,
@@ -971,8 +977,11 @@ public function testIsValidOpenProjectInstanceException(
 	): void {
 		$service = $this->getMockBuilder(OpenProjectAPIService::class)
 			->disableOriginalConstructor()
-			->onlyMethods(['rawRequest'])
+			->onlyMethods(['rawRequest', 'isAdminAuditConfigSetCorrectly'])
 			->getMock();
+		$service
+			->method('isAdminAuditConfigSetCorrectly')
+			->willReturn(false);
 		$service
 			->method('rawRequest')
 			->willThrowException($thrownException);