This repository was archived by the owner on Sep 30, 2024. It is now read-only.

@unknwon unknwon commented Nov 13, 2022

This PR adds instruments for SOAP-related event logs, including:

  1. All GraphQL requests (both cookie and access token authenticated) are logged for SOAP users.
  2. All event logs and security event logs are attributed with "sourcegraph_operator": true in the public_argument and argument columns respectively.

Below are the captures of event logs that we want in both event_logs and security_event_logs tables:

[Two screenshots of the event log entries, not preserved]

Test plan

  1. Create a temporary JSON file (site-config.json) with the following content. The credentials can be obtained from the "Okta test instance admin" in 1Password and the "OpenID Connect (sourcegraph.test:3443)" application:
    {
      "authProviders": {
        "sourcegraphOperator": {
          "issuer": "https://dev-433675.oktapreview.com",
          "clientID": "<REDACTED>",
          "clientSecret": "<REDACTED>",
          "lifecycleDuration": 60
        }
      }
    }
  2. Save the "Sourcegraph Cloud site config singer key" in 1Password to a temporary file (singer.key), and use it to sign the site config:
    go run enterprise/internal/cloud/sign_site_config.go -private-key singer.key  -site-config site-config.json
  3. Set the output of the above command as the value of the env var SRC_CLOUD_SITE_CONFIG
  4. Comment out the "licenseKey" from the dev-private/enterprise/dev/site-config.json
  5. Boot up the local Sourcegraph instance and try to sign in with "Sourcegraph Operators" using the same Okta account used in step 1.
  6. Entries generated in event_logs and security_event_logs are attributed with "sourcegraph_operator": true in public_argument and argument columns respectively.

Stacked on https://github.com/sourcegraph/sourcegraph/pull/44200, closes https://github.com/sourcegraph/customer/issues/1428

@cla-bot cla-bot bot added the cla-signed label Nov 13, 2022
@unknwon unknwon force-pushed the jc/soap-06-event-logs branch from 49b4aee to b6e04dc Compare November 14, 2022 06:50
@unknwon unknwon force-pushed the jc/soap-06-event-logs branch 3 times, most recently from 2d75fe1 to 5fa9d6d Compare November 14, 2022 07:12
@unknwon unknwon force-pushed the jc/soap-05-exclude-license-count branch from d8dcd53 to 9ce8705 Compare November 14, 2022 14:11
@unknwon unknwon force-pushed the jc/soap-06-event-logs branch from 5fa9d6d to 915bc72 Compare November 14, 2022 14:13
Base automatically changed from jc/soap-05-exclude-license-count to main November 15, 2022 02:53
@unknwon unknwon force-pushed the jc/soap-06-event-logs branch 6 times, most recently from ef0da48 to 257d500 Compare November 16, 2022 11:27
@unknwon unknwon force-pushed the jc/soap-06-event-logs branch from 257d500 to 2a5b04e Compare November 16, 2022 11:43
@unknwon unknwon marked this pull request as ready for review November 16, 2022 11:44
@unknwon unknwon requested a review from a team November 16, 2022 11:44
@sourcegraph-bot

Codenotify: Notifying subscribers in CODENOTIFY files for diff e8a9c9c...2a5b04e.

Notify File(s)
@keegancsmith cmd/frontend/graphqlbackend/search_test.go
@rvantonder cmd/frontend/graphqlbackend/search_test.go

@unknwon unknwon requested review from a team, ebrodymoore and eseliger November 16, 2022 11:46

unknwon commented Nov 16, 2022

@sourcegraph/iam Please take this as a soft review request, because I don't know who else to tag 😁

@michaellzc michaellzc left a comment

followed the test plan and it worked for me

code changes LGTM

Comment on lines +100 to +107
// FIXME: Can we find a way to do this only for SOAP users?
soapCount, err := db.UserExternalAccounts().Count(
r.Context(),
database.ExternalAccountsListOptions{
UserID: subjectUserID,
ServiceType: auth.SourcegraphOperatorProviderType,
},
)
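
Review bot: the error path of the `Count` call is not visible in these lines, and it matters more here than the query cost the FIXME on the first line raises. If `soapCount` is what gates the audit log entry for the request, a failed count must not be read as zero and silently skip logging; handle `err` explicitly so a database error still produces a log entry or a visible failure. For the FIXME itself, either state in the comment what would let the lookup be skipped for non-SOAP users or link a tracking issue, since as written the query runs for every `subjectUserID` that reaches this code.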
@unknwon unknwon Nov 17, 2022

On dotcom with 34000+ rows in the user_external_accounts, this query takes ~10ms (with no result, since SOAP users are very rare), just as a data point. I think it is acceptable for now.

If this becomes a problem, we could store whether a user is created by SOAP in Redis to reduce the number of direct DB queries. Or a very dumb in-memory cache within the frontend.
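
The in-memory cache option from the comment above, as an added Go example (not code from this PR or from Sourcegraph). `CountFunc`, `SOAPCache`, `IsSOAP` and the TTL values are hypothetical names and numbers; treating a failed lookup as "log it" and giving negative answers a shorter lifetime than positive ones are choices made for this example.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// CountFunc is a hypothetical stand-in for the per-request external-accounts count query.
type CountFunc func(ctx context.Context, userID int32) (int, error)

type entry struct {
	soap    bool
	expires time.Time
}

// SOAPCache (hypothetical) is a per-process cache; entries are never evicted, so bound it in real use.
type SOAPCache struct {
	entries        sync.Map // userID (int32) -> entry
	count          CountFunc
	posTTL, negTTL time.Duration
	now            func() time.Time // injectable clock
}

// IsSOAP reports whether the user's requests must be audit-logged. A failed lookup
// returns true with the error and is not cached, so an outage cannot suppress logging.
func (c *SOAPCache) IsSOAP(ctx context.Context, userID int32) (bool, error) {
	if v, ok := c.entries.Load(userID); ok && c.now().Before(v.(entry).expires) {
		return v.(entry).soap, nil
	}
	n, err := c.count(ctx, userID)
	if err != nil {
		return true, err
	}
	ttl := c.negTTL // "not SOAP" goes stale once an account is linked: keep it short
	if n > 0 {
		ttl = c.posTTL
	}
	c.entries.Store(userID, entry{soap: n > 0, expires: c.now().Add(ttl)})
	return n > 0, nil
}

func main() {
	// Constructed lookup: only user 7 has a SOAP external account.
	lookup := func(_ context.Context, id int32) (int, error) { return map[int32]int{7: 1}[id], nil }
	c := &SOAPCache{count: lookup, posTTL: time.Hour, negTTL: 30 * time.Second, now: time.Now}
	fmt.Println(c.IsSOAP(context.Background(), 7))
}
```

The negative TTL is the window during which a user who has just gained a SOAP external account can still go unlogged, so it is the value to size against the audit requirement.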

unknwon commented Nov 17, 2022

Merging as-is, post-merge comments are welcome (as always) and will address them once I'm back from PTO (Nov 28th)!

@unknwon unknwon merged commit b386b54 into main Nov 17, 2022
@unknwon unknwon deleted the jc/soap-06-event-logs branch November 17, 2022 13:57