(t *testing.T)
| 22 | ) |
| 23 | |
| 24 | func TestUserSecretAuditDiffRedaction(t *testing.T) { |
| 25 | // Ensure secret values never appear in plaintext in audit diffs. The |
| 26 | // enterprise auditor needs to be used because it writes actual diffs. |
| 27 | // We read straight from the audit_logs table to exercise the full |
| 28 | // insert, filter, dbauthz read path. |
| 29 | t.Parallel() |
| 30 | |
| 31 | db, ps := dbtestutil.NewDB(t) |
| 32 | auditor := entaudit.NewAuditor( |
| 33 | db, |
| 34 | entaudit.DefaultFilter, |
| 35 | backends.NewPostgres(db, true), |
| 36 | ) |
| 37 | |
| 38 | ownerClient, owner := coderdenttest.New(t, &coderdenttest.Options{ |
| 39 | AuditLogging: true, |
| 40 | Options: &coderdtest.Options{ |
| 41 | Database: db, |
| 42 | Pubsub: ps, |
| 43 | Auditor: auditor, |
| 44 | }, |
| 45 | LicenseOptions: &coderdenttest.LicenseOptions{ |
| 46 | Features: license.Features{ |
| 47 | codersdk.FeatureAuditLog: 1, |
| 48 | }, |
| 49 | }, |
| 50 | }) |
| 51 | memberClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID) |
| 52 | ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium) |
| 53 | defer cancel() |
| 54 | |
| 55 | initialDescription := "initial" |
| 56 | initialValue := "initial-secret-value" |
| 57 | secret, err := memberClient.CreateUserSecret(ctx, codersdk.Me, codersdk.CreateUserSecretRequest{ |
| 58 | Name: "createDiff-target", |
| 59 | Description: initialDescription, |
| 60 | Value: initialValue, |
| 61 | }) |
| 62 | require.NoError(t, err) |
| 63 | |
| 64 | newDescription := "after" |
| 65 | newValue := "new-secret-value" |
| 66 | _, err = memberClient.UpdateUserSecret(ctx, codersdk.Me, secret.Name, codersdk.UpdateUserSecretRequest{ |
| 67 | Description: &newDescription, |
| 68 | Value: &newValue, |
| 69 | }) |
| 70 | require.NoError(t, err) |
| 71 | |
| 72 | // Read straight from the database. AsSystemRestricted is necessary because |
| 73 | // the test does not authenticate as an admin when querying the store directly. |
| 74 | rows, err := db.GetAuditLogsOffset( |
| 75 | dbauthz.AsSystemRestricted(ctx), |
| 76 | database.GetAuditLogsOffsetParams{ |
| 77 | ResourceType: string(database.ResourceTypeUserSecret), |
| 78 | LimitOpt: 10, |
| 79 | }, |
| 80 | ) |
| 81 | require.NoError(t, err) |