@abtnode/core 1.15.17 → 1.16.0-beta-b16cb035

package/lib/states/access-key.js

@@ -1,3 +1,4 @@
+const get = require('lodash/get');
 const { fromRandom } = require('@ocap/wallet');
 const { toBase58 } = require('@ocap/util');
 const logger = require('@abtnode/logger')('@abtnode/core:access-key');
@@ -15,20 +16,23 @@ const validatePassport = (passport) => {
   }
 };
 
-class AccessKeyState extends BaseState {
-  constructor(baseDir, options = {}) {
-    super(baseDir, { filename: 'access_key.db', ...options });
+const getUserName = (context) => get(context, 'user.fullName', '');
 
-    this.db.ensureIndex({ fieldName: 'accessKeyId', unique: true }, (error) => {
-      if (error) {
-        logger.error('ensure unique index failed', { error });
-      }
+class AccessKeyState extends BaseState {
+  constructor(baseDir, config = {}) {
+    super(baseDir, { filename: 'access_key.db', ...config });
+
+    this.onReady(() => {
+      this.ensureIndex({ fieldName: 'accessKeyId', unique: true }, (error) => {
+        if (error) {
+          logger.error('ensure unique index failed', { error });
+        }
+      });
     });
   }
 
-  // eslint-disable-next-line no-unused-vars
-  async create(input = {}, context) {
-    const { remark, passport } = input;
+  async create(input, context) {
+    const { remark, passport, tag } = input || {};
 
     validateRemark(remark);
     validatePassport(passport);
@@ -39,16 +43,33 @@ class AccessKeyState extends BaseState {
       accessKeyPublic: wallet.publicKey,
       passport,
     };
+
     if (remark) {
       data.remark = remark;
     }
-    const doc = await this.asyncDB.insert(data);
+
+    if (tag) {
+      data.tag = tag;
+    }
+
+    data.createdBy = getUserName(context);
+    data.updatedBy = getUserName(context);
+
+    const doc = await this.insert(data);
     return {
       ...doc,
       accessKeySecret: toBase58(wallet.secretKey),
     };
   }
 
+  async getAccessKeyByTag({ tag } = {}) {
+    if (!tag) {
+      throw new Error('tag should not be empty');
+    }
+
+    return this.findOne({ tag });
+  }
+
   // eslint-disable-next-line no-unused-vars
   async list(params, context) {
     const res = await this.paginate({}, { createdAt: -1 }, { pageSize: 100 });
@@ -61,7 +82,7 @@ class AccessKeyState extends BaseState {
     if (!accessKeyId) {
       throw new Error('accessKeyId should not be empty');
     }
-    const doc = await this.asyncDB.findOne({ accessKeyId });
+    const doc = await this.findOne({ accessKeyId });
     return doc;
   }
 
@@ -76,7 +97,7 @@ class AccessKeyState extends BaseState {
     if (!accessKeyId) {
       throw new Error('accessKeyId should not be empty');
     }
-    const doc = await this.asyncDB.findOne({ accessKeyId });
+    const doc = await this.findOne({ accessKeyId });
     if (!doc) {
       throw new Error(`Access Key Id ${accessKeyId} does not exist`);
     }
@@ -84,8 +105,9 @@ class AccessKeyState extends BaseState {
       doc.remark = remark;
     }
     doc.passport = passport;
+    doc.updatedBy = getUserName(context);
 
-    await this.asyncDB.update({ accessKeyId }, { $set: doc });
+    await super.update({ accessKeyId }, { $set: doc });
     return doc;
   }
 
@@ -94,12 +116,12 @@ class AccessKeyState extends BaseState {
     if (!accessKeyId) {
       throw new Error('accessKeyId should not be empty');
     }
-    const doc = await this.asyncDB.findOne({ accessKeyId });
+    const doc = await this.findOne({ accessKeyId });
     if (!doc) {
       throw new Error(`Access Key Id ${accessKeyId} does not exist`);
     }
     doc.lastUsedAt = new Date();
-    await this.asyncDB.update({ accessKeyId }, { $set: doc });
+    await super.update({ accessKeyId }, { $set: doc });
     return doc;
   }
 
@@ -109,7 +131,7 @@ class AccessKeyState extends BaseState {
     if (!accessKeyId) {
       throw new Error('accessKeyId should not be empty');
     }
-    const num = await this.asyncDB.remove({ accessKeyId });
+    const num = await super.remove({ accessKeyId });
     if (num <= 0) {
       throw new Error(`Access Key Id ${accessKeyId} does not exist`);
     }

package/lib/states/audit-log.js

@@ -0,0 +1,462 @@
+/* eslint-disable no-async-promise-executor */
+const pick = require('lodash/pick');
+const get = require('lodash/get');
+const joinUrl = require('url-join');
+const { getDisplayName } = require('@blocklet/meta/lib/util');
+const { BLOCKLET_SITE_GROUP_SUFFIX, NODE_SERVICES } = require('@abtnode/constant');
+const logger = require('@abtnode/logger')('@abtnode/core:states:audit-log');
+
+const BaseState = require('./base');
+
+const { parse } = require('../util/ua');
+
+const getServerInfo = (info) => `[${info.name}](${joinUrl(info.routing.adminPath, '/settings/about')})`;
+const getBlockletInfo = (blocklet, info) => `[${getDisplayName(blocklet)} v${blocklet.meta.version}](${joinUrl(info.routing.adminPath, '/blocklets/', blocklet.meta.did, '/overview')})`; // prettier-ignore
+const expandTeam = async (teamDid, info, node) => {
+  if (!teamDid) {
+    return '';
+  }
+
+  if (teamDid === info.did) {
+    return getServerInfo(info);
+  }
+
+  const { blocklet } = node.states;
+  const doc = await blocklet.getBlocklet(teamDid);
+  return doc ? getBlockletInfo(doc, info) : '';
+};
+const expandSite = async (siteId, info, node) => {
+  if (!siteId) {
+    return '';
+  }
+
+  const { blocklet, site } = node.states;
+  const doc = await site.findOne({ _id: siteId });
+  if (!doc) {
+    return '';
+  }
+
+  if (doc.domain === '*') {
+    return 'default site';
+  }
+
+  if (doc.domain === '') {
+    return getServerInfo(info);
+  }
+
+  if (doc.domain.endsWith(BLOCKLET_SITE_GROUP_SUFFIX)) {
+    const tmp = await blocklet.getBlocklet(doc.domain.replace(BLOCKLET_SITE_GROUP_SUFFIX, ''));
+    return tmp ? getBlockletInfo(tmp, info) : '';
+  }
+
+  return '';
+};
+const expandUser = async (teamDid, userDid, passportId, info, node) => {
+  if (!teamDid || !userDid) {
+    return ['', ''];
+  }
+
+  const user = await node.getUser({ teamDid, user: { did: userDid } });
+  if (!user) {
+    return ['', ''];
+  }
+
+  const passport = user.passports.find((x) => x.id === passportId);
+
+  if (teamDid === info.did) {
+    return [`[${user.fullName}](${joinUrl(info.routing.adminPath, '/team/members')})`, passport ? passport.name : ''];
+  }
+
+  return [`[${user.fullName}](${joinUrl(info.routing.adminPath, '/blocklets/', teamDid, '/members')})`, passport ? passport.name : '']; // prettier-ignore
+};
+
+/**
+ * Create log content in markdown format
+ *
+ * @param {string} action - GraphQL query/mutation name
+ * @param {object} args - GraphQL arguments
+ * @param {object} context - request context: user, ip, user-agent, etc.
+ * @param {object} result - GraphQL resolve result
+ * @param {object} info - server info
+ * @param {object} node - server instance
+ * @return {string} the generated markdown source
+ */
+const getLogContent = async (action, args, context, result, info, node) => {
+  const [team, site, [user, passport]] = await Promise.all([
+    expandTeam(args.teamDid, info, node),
+    expandSite(args.id, info, node),
+    expandUser(args.teamDid, args.userDid || get(args, 'user.did') || args.ownerDid, args.passportId, info, node),
+  ]);
+
+  switch (action) {
+    // blocklets
+    case 'installBlocklet':
+      return `installed blocklet ${getBlockletInfo(result, info)} from ${result.deployedFrom}`;
+    case 'startBlocklet':
+      return `started blocklet ${getBlockletInfo(result, info)} ${args.reason || ''}`;
+    case 'restartBlocklet':
+      return `restarted blocklet ${getBlockletInfo(result, info)}`;
+    case 'reloadBlocklet':
+      return `reloaded blocklet ${getBlockletInfo(result, info)}`;
+    case 'stopBlocklet':
+      return `stopped blocklet ${getBlockletInfo(result, info)}`;
+    case 'resetBlocklet':
+      return `reset blocklet ${getBlockletInfo(result, info)} data and config`;
+    case 'deleteBlocklet':
+      return `removed blocklet ${getBlockletInfo(result, info)} ${args.keepData ? 'but kept its data and config' : 'and its data and config'}`; // prettier-ignore
+    case 'installComponent':
+      return `added component from ${args.file ? 'Upload' : args.url} at **${args.mountPoint}** to ${getBlockletInfo(result, info)}`; // prettier-ignore
+    case 'deleteComponent':
+      return `removed component ${args.did} from blocklet ${getBlockletInfo(result, info)}`;
+    case 'configBlocklet':
+      return `updated following config for blocklet ${getBlockletInfo(result, info)}:\n${args.configs.map(x => `- ${x.key}: ${x.value}\n`)}`; // prettier-ignore
+    case 'upgradeBlocklet':
+      if (result.resultStatus === 'failed') {
+        return `upgrade blocklet failed: ${getBlockletInfo(result, info)}`;
+      }
+      return `upgraded blocklet ${getBlockletInfo(result, info)} to v${result.meta.version}`;
+    case 'upgradeComponents':
+      return `upgraded components for blocklet ${getBlockletInfo(result, info)}`;
+    case 'configPublicToStore':
+      if (args.publicToStore) {
+        return `set publicToStore to true for blocklet ${getBlockletInfo(result, info)}`;
+      }
+      return `set publicToStore to false for blocklet ${getBlockletInfo(result, info)}`;
+    case 'configNavigations':
+      // eslint-disable-next-line prettier/prettier
+      return `updated following navigations for blocklet ${getBlockletInfo(result, info)}:\n${args.navigations.map(
+        (x) => `- ${x.title}: ${x.link}\n`
+      )}`;
+    case 'updateComponentTitle':
+      return `update component title to **${args.title}** for blocklet ${getBlockletInfo(result, info)}`;
+    case 'updateComponentMountPoint':
+      return `update component mount point to **${args.mountPoint}** for blocklet ${getBlockletInfo(result, info)}`;
+    // store
+    case 'addBlockletStore':
+      return `added blocklet store ${args.url}`;
+    case 'deleteBlockletStore':
+      return `removed blocklet store ${args.url}`;
+    case 'selectBlockletStore':
+      return `selected blocklet store ${args.url}`;
+
+    // teams: members/passports
+    case 'addUser':
+      if (args.passport) {
+        return `${args.reason} and received **${args.passport.name}** passport from ${team}`;
+      }
+      return `joined team ${team} by ${args.reason}`;
+    case 'updateUser':
+      return `${args.reason} and received **${args.passport.name}** passport from ${team}`;
+    case 'switchProfile':
+      return `switched profile to ${args.profile.fullName} for ${team}`;
+    case 'switchPassport':
+      return `switched passport to ${args.passport.name} for ${team}`;
+    case 'login':
+      return `${user} logged in to ${team} with passport ${args.passport.name}`;
+    case 'updateWhoCanAccess':
+      return `updated access control policy to **${args.whoCanAccess}**`;
+    case 'configPassportIssuance':
+      return `${args.enabled ? 'enabled' : 'disabled'} passport issuance for ${team}`;
+    case 'createPassportIssuance':
+      return `issued **${args.name}** passport to ${user} for ${team}, issuance id: ${result.id}`;
+    case 'processPassportIssuance':
+      return `claimed passport **${args.name}** from ${team}, issuance id: ${args.sessionId}`;
+    case 'revokeUserPassport':
+      return `revoked **${passport}** passport of user ${user} for ${team}`;
+    case 'enableUserPassport':
+      return `enabled **${passport}** passport of user ${user} for ${team}`;
+    case 'updateUserApproval':
+      return `${args.user.approved ? 'enabled' : 'disabled'} user ${user} for ${team}`;
+    case 'deletePassportIssuance':
+      return `removed passport issuance ${args.sessionId} from ${team}`;
+    case 'createMemberInvitation':
+      return `created member invitation(${result.inviteId}: ${args.remark}) with **${args.role}** passport for ${team}`; // prettier-ignore
+    case 'deleteInvitation':
+      return `removed unused member invitation(${args.inviteId}) from ${team}`;
+    case 'createRole':
+      return `created passport ${args.name}(${args.title}) for ${team}`;
+    case 'updateRole':
+      return `updated passport ${args.role.name}(${args.role.title}) for ${team}`;
+    case 'updatePermissionsForRole':
+      return `granted following permissions to passport ${args.roleName} for ${team}: \n${args.grantNames.map(x => `- ${x}`).join('\n')}`; // prettier-ignore
+    case 'configTrustedPassports':
+      if (args.trustedPassports.length === 0) {
+        return `removed all trusted passport issuers for ${team}`;
+      }
+      return `updated trusted passport issuers to following for ${team}: \n${args.trustedPassports.map(x => `- ${x.remark}: ${x.issuerDid}`).join('\n')}`; // prettier-ignore
+    case 'delegateTransferNFT':
+      return `${args.owner} ${args.reason}`;
+    case 'issuePassportToUser':
+      return `issued **${args.role}** passport to ${user}`;
+
+    // accessKeys
+    case 'createAccessKey':
+      return `created access key ${result.accessKeyId} with passport ${args.passport}: ${args.remark}`;
+    case 'updateAccessKey':
+      return `updated access key ${result.accessKeyId} with following changes:\n - passport: ${args.passport}\n - remark: ${args.remark}`; // prettier-ignore
+    case 'deleteAccessKey':
+      return `deleted access key ${args.accessKeyId}`; // prettier-ignore
+
+    // integrations
+    case 'createWebHook':
+      return `added integration ${result._id}: \n- type: ${args.type}\n${args.params.map(x => `- ${x.name}: ${x.value}`).join('\n')}`; // prettier-ignore
+    case 'deleteWebHook':
+      return `deleted integration ${args.id}`;
+
+    // server
+    case 'updateNodeInfo':
+      return `updated basic server settings: \n${Object.keys(args).map(x => `- ${x}: ${args[x]}`).join('\n')}`; // prettier-ignore
+    case 'upgradeNodeVersion':
+      return `upgrade server to ${info.nextVersion}`;
+    case 'restartServer':
+      return 'server was restarted';
+    case 'startServer':
+      return 'server was started';
+    case 'stopServer':
+      return 'server was stopped';
+
+    // certificates
+    case 'addCertificate':
+      return `added certificate #${args.id}, domain ${result.domain}`;
+    case 'deleteCertificate':
+      return `deleted certificate #${args.id}`;
+    case 'updateCertificate':
+      return `updated certificate #${args.id}`;
+    case 'issueLetsEncryptCert':
+      return `tried to issue lets encrypt certificate for domain **${args.domain}**, ticket: ${result._id}`;
+
+    // router
+    case 'addDomainAlias':
+      return `added extra domain **${args.domainAlias}** to ${site}`; // prettier-ignore
+    case 'deleteDomainAlias':
+      return `removed extra domain **${args.domainAlias}** from ${site}`; // prettier-ignore
+    case 'updateRoutingSite':
+      return `updated site from ${site}`; // prettier-ignore
+    case 'addRoutingRule':
+      return `added routing rule **${args.rule?.from?.pathPrefix}** from ${site}`; // prettier-ignore
+    case 'updateRoutingRule':
+      return `updated routing rule **${args.rule?.from?.pathPrefix}** from ${site}`; // prettier-ignore
+    case 'deleteRoutingRule':
+      return `deleted routing rule from ${site}`; // prettier-ignore
+    case 'updateGateway': {
+      const changes = [
+        args.requestLimit.enabled ? `rate limit: enabled, rate: ${args.requestLimit.rate}` : 'rate limit: disabled',
+        args.cacheEnabled ? `global cache: enabled, rate: ${args.cacheEnabled}` : 'global cache: disabled',
+      ];
+      const message = `update gateway: ${changes.join('; ')}`;
+      return message;
+    }
+    case 'createTransferInvitation':
+      return `created a transfer node invitation(${result.inviteId})`;
+
+    default:
+      return action;
+  }
+};
+
+const getLogCategory = (action) => {
+  switch (action) {
+    // blocklets
+    case 'installBlocklet':
+    case 'installComponent':
+    case 'startBlocklet':
+    case 'restartBlocklet':
+    case 'reloadBlocklet':
+    case 'stopBlocklet':
+    case 'resetBlocklet':
+    case 'deleteBlocklet':
+    case 'deleteComponent':
+    case 'configBlocklet':
+    case 'upgradeBlocklet':
+    case 'upgradeComponents':
+    case 'configPublicToStore':
+    case 'configNavigations':
+    case 'updateComponentTitle':
+    case 'updateComponentMountPoint':
+      return 'blocklet';
+
+    // store
+    case 'addBlockletStore':
+    case 'deleteBlockletStore':
+    case 'selectBlockletStore':
+      return 'server';
+
+    // teams: members/passports
+    case 'addUser':
+    case 'updateUser':
+    case 'switchProfile':
+    case 'switchPassport':
+    case 'login':
+    case 'configWhoCanAccess':
+    case 'processPassportIssuance':
+    case 'configPassportIssuance':
+    case 'createPassportIssuance':
+    case 'deletePassportIssuance':
+    case 'revokeUserPassport':
+    case 'enableUserPassport':
+    case 'updateUserApproval':
+    case 'createMemberInvitation':
+    case 'deleteInvitation':
+    case 'createRole':
+    case 'updateRole':
+    case 'updatePermissionsForRole':
+    case 'configTrustedPassports':
+    case 'delegateTransferNFT':
+    case 'createTransferInvitation':
+      return 'team';
+
+    // accessKeys
+    case 'createAccessKey':
+    case 'updateAccessKey':
+    case 'deleteAccessKey':
+      return 'security';
+
+    // integrations
+    case 'createWebHook':
+    case 'deleteWebHook':
+      return 'integrations';
+
+    // server
+    case 'updateNodeInfo':
+    case 'upgradeNodeVersion':
+    case 'startServer':
+    case 'stopServer':
+      return 'server';
+
+    // certificates
+    case 'addCertificate':
+    case 'deleteCertificate':
+    case 'updateCertificate':
+    case 'issueLetsEncryptCert':
+      return 'certificates';
+
+    case 'updateGateway':
+      return 'gateway';
+
+    default:
+      return '';
+  }
+};
+
+const getScope = (args = {}) => {
+  // this param usually means mutating an application (server or blocklet)
+  if (args.teamDid) {
+    return args.teamDid;
+  }
+
+  // this param usually means mutating a child component
+  if (args.rootDid) {
+    return args.rootDid;
+  }
+
+  // this param usually means mutating an blockle application
+  if (args.did) {
+    // this param usually means mutating a nested child component
+    if (Array.isArray(args.did)) {
+      return args.did[0];
+    }
+
+    return args.did;
+  }
+
+  return null;
+};
+
+const fixActor = (actor) => {
+  if ([NODE_SERVICES.AUTH_SERVICE, 'blocklet'].includes(actor?.role)) {
+    actor.role = '';
+  }
+};
+
+class AuditLogState extends BaseState {
+  constructor(baseDir, config = {}) {
+    super(baseDir, { filename: 'audit-log.db', ...config });
+  }
+
+  /**
+   * Create new audit log
+   *
+   * @param {string} action the api name
+   * @param {object} args the api args
+   * @param {object} result the api result
+   * @param {object} context the log context
+   * {
+      protocol: 'http',
+      user: {
+        meta: 'profile',
+        fullName: 'wangshijun',
+        email: 'shijun@arcblock.io',
+        type: 'profile',
+        did: 'z1jq5bGF64wnZiy29EbRyuQqUxmRHmSdt1Q',
+        pk: 'zHTcKwgi9DK8US8QQY9K7wQ3qF79CtrWYn6BYAgTQUeVQ',
+        passports: [ [Object] ],
+        approved: true,
+        locale: 'en',
+        firstLoginAt: '2022-04-27T22:55:51.788Z',
+        lastLoginAt: '2022-04-27T22:55:51.788Z',
+        _id: 'dvOIJJVUJHGxnWBU',
+        createdAt: '2022-04-27T22:55:51.789Z',
+        updatedAt: '2022-04-27T22:55:51.789Z',
+        role: 'owner',
+        passportId: 'z2iTzSDhwGQFtYXeya8kqCyXro1tRkwUuwN6K'
+      },
+      url: '/api/gql?locale=en',
+      query: { locale: 'en' },
+      hostname: '192.168.123.236',
+      port: 0,
+      ip: '127.0.0.1'
+    }
+   * @return {object} new doc
+   */
+  create({ action, args = {}, context = {}, result = {} }, node) {
+    return new Promise(async (resolve) => {
+      // Do not store secure configs in audit log
+      if (Array.isArray(args.configs)) {
+        args.configs.forEach((x) => {
+          if (x.secure) {
+            x.value = '******';
+          }
+        });
+      }
+
+      try {
+        const { ip, ua, user = {} } = context;
+        const [info, uaInfo] = await Promise.all([node.states.node.read(), parse(ua)]);
+
+        fixActor(user);
+
+        const data = await this.insert({
+          scope: getScope(args) || info.did, // server or blocklet did
+          action,
+          category: await getLogCategory(action, args, context, result, info, node),
+          content: (await getLogContent(action, args, context, result, info, node)).trim(),
+          actor: pick(user.actual || user, ['did', 'fullName', 'role']),
+          extra: args,
+          env: pick(uaInfo, ['browser', 'os', 'device']),
+          ip,
+          ua,
+        });
+
+        logger.info('create', data);
+        return resolve(data);
+      } catch (err) {
+        logger.error('create error', { error: err, action, args, context });
+        return resolve(null);
+      }
+    });
+  }
+
+  async findPaginated({ scope, category, paging } = {}) {
+    const conditions = {};
+    if (scope) {
+      conditions.scope = scope;
+    }
+    if (category) {
+      conditions.category = category;
+    }
+
+    return super.paginate(conditions, { createdAt: -1 }, { pageSize: 20, ...paging });
+  }
+}
+
+module.exports = AuditLogState;