Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions src/Audit/AuditRecordType.php
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,11 @@ enum AuditRecordType: string
case FilterListEntryEnabled = 'filter_list_entry_enabled';
case FilterListEntryEdited = 'filter_list_entry_edited';

// security advisory
case SecurityAdvisoryCreated = 'security_advisory_created';
case SecurityAdvisoryEdited = 'security_advisory_edited';
case SecurityAdvisoryWithdrawn = 'security_advisory_withdrawn';

// organization
case OrganizationCreated = 'organization_created';

Expand All @@ -75,6 +80,8 @@ public function category(): string
self::FilterListEntryAdded, self::FilterListEntryDeleted,
self::FilterListEntryDisabled, self::FilterListEntryEnabled,
self::FilterListEntryEdited => 'filterlist',
self::SecurityAdvisoryCreated, self::SecurityAdvisoryEdited,
self::SecurityAdvisoryWithdrawn => 'advisory',
self::OrganizationCreated => 'organization',
};
}
Expand Down
31 changes: 31 additions & 0 deletions src/Audit/Display/AuditLogDisplayFactory.php
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,37 @@ public function buildSingle(AuditRecord $record): AuditLogDisplayInterface
$this->buildActor($record->attributes['actor'] ?? null),
$record->ip
),
AuditRecordType::SecurityAdvisoryCreated => new SecurityAdvisoryCreatedDisplay(
$record->datetime,
$record->attributes['name'],
$record->attributes['advisoryId'],
$record->attributes['cve'] ?? null,
$record->attributes['title'],
$record->attributes['source'],
$this->buildActor($record->attributes['actor'] ?? null),
$record->ip,
),
AuditRecordType::SecurityAdvisoryEdited => new SecurityAdvisoryEditedDisplay(
$record->datetime,
$record->attributes['name'],
$record->attributes['advisoryId'],
$record->attributes['cve'] ?? null,
$record->attributes['title'],
$record->attributes['source'],
$record->attributes['changes'] ?? [],
$this->buildActor($record->attributes['actor'] ?? null),
$record->ip,
),
AuditRecordType::SecurityAdvisoryWithdrawn => new SecurityAdvisoryWithdrawnDisplay(
$record->datetime,
$record->attributes['name'],
$record->attributes['advisoryId'],
$record->attributes['cve'] ?? null,
$record->attributes['title'],
$record->attributes['source'],
$this->buildActor($record->attributes['actor'] ?? null),
$record->ip,
),
AuditRecordType::OrganizationCreated => new OrganizationCreatedDisplay(
$record->datetime,
OrganizationDisplay::fromRecord($record->attributes['organization']),
Expand Down
41 changes: 41 additions & 0 deletions src/Audit/Display/SecurityAdvisoryCreatedDisplay.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<?php declare(strict_types=1);

/*
* This file is part of Packagist.
*
* (c) Jordi Boggiano <j.boggiano@seld.be>
* Nils Adermann <naderman@naderman.de>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace App\Audit\Display;

use App\Audit\AuditRecordType;

readonly class SecurityAdvisoryCreatedDisplay extends AbstractAuditLogDisplay
{
public function __construct(
\DateTimeImmutable $datetime,
public string $packageName,
public string $advisoryId,
public ?string $cve,
public string $title,
public string $source,
ActorDisplay $actor,
?string $ip,
) {
parent::__construct($datetime, $actor, $ip);
}

public function getType(): AuditRecordType
{
return AuditRecordType::SecurityAdvisoryCreated;
}

public function getTemplateName(): string
{
return 'audit_log/display/security_advisory_created.html.twig';
}
}
45 changes: 45 additions & 0 deletions src/Audit/Display/SecurityAdvisoryEditedDisplay.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
<?php declare(strict_types=1);

/*
* This file is part of Packagist.
*
* (c) Jordi Boggiano <j.boggiano@seld.be>
* Nils Adermann <naderman@naderman.de>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace App\Audit\Display;

use App\Audit\AuditRecordType;

readonly class SecurityAdvisoryEditedDisplay extends AbstractAuditLogDisplay
{
/**
* @param array<string, array{from: scalar|null, to: scalar|null}> $changes
*/
public function __construct(
\DateTimeImmutable $datetime,
public string $packageName,
public string $advisoryId,
public ?string $cve,
public string $title,
public string $source,
public array $changes,
ActorDisplay $actor,
?string $ip,
) {
parent::__construct($datetime, $actor, $ip);
}

public function getType(): AuditRecordType
{
return AuditRecordType::SecurityAdvisoryEdited;
}

public function getTemplateName(): string
{
return 'audit_log/display/security_advisory_edited.html.twig';
}
}
41 changes: 41 additions & 0 deletions src/Audit/Display/SecurityAdvisoryWithdrawnDisplay.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<?php declare(strict_types=1);

/*
* This file is part of Packagist.
*
* (c) Jordi Boggiano <j.boggiano@seld.be>
* Nils Adermann <naderman@naderman.de>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace App\Audit\Display;

use App\Audit\AuditRecordType;

readonly class SecurityAdvisoryWithdrawnDisplay extends AbstractAuditLogDisplay
{
public function __construct(
\DateTimeImmutable $datetime,
public string $packageName,
public string $advisoryId,
public ?string $cve,
public string $title,
public string $source,
ActorDisplay $actor,
?string $ip,
) {
parent::__construct($datetime, $actor, $ip);
}

public function getType(): AuditRecordType
{
return AuditRecordType::SecurityAdvisoryWithdrawn;
}

public function getTemplateName(): string
{
return 'audit_log/display/security_advisory_withdrawn.html.twig';
}
}
2 changes: 1 addition & 1 deletion src/Controller/TransparencyLogController.php
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ public function viewAuditLogs(Request $request, AuditRecordRepository $auditReco
}

// Group types by category in desired order
$categoryOrder = ['ownership', 'package', 'version', 'user', 'filterlist'];
$categoryOrder = ['ownership', 'package', 'version', 'user', 'filterlist', 'advisory'];
$groupedTypes = [];
foreach (AuditRecordType::cases() as $type) {
// Don't display 2FA events in the type filter initially
Expand Down
100 changes: 100 additions & 0 deletions src/Entity/AuditRecord.php
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
use Composer\Pcre\Preg;
use Doctrine\DBAL\Types\Types;
use Doctrine\ORM\Mapping as ORM;
use Doctrine\ORM\PersistentCollection;
use Symfony\Component\Uid\Ulid;

/**
Expand Down Expand Up @@ -514,6 +515,42 @@ public static function filterListEntryEdited(FilterListEntry $entry, array $prev
);
}

public static function securityAdvisoryCreated(SecurityAdvisory $advisory, ?User $actor, ?int $packageId): self
{
return new self(
AuditRecordType::SecurityAdvisoryCreated,
self::getSecurityAdvisoryData($advisory, $actor),
vendor: self::vendorFromPackageName($advisory->getPackageName()),
Comment thread
glaubinix marked this conversation as resolved.
actorId: $actor?->getId(),
packageId: $packageId,
);
}

/**
* @param array<string, array{mixed, mixed}|PersistentCollection<array-key, mixed>> $changeSet the Doctrine entity change set (field => [old, new])
*/
public static function securityAdvisoryEdited(SecurityAdvisory $advisory, ?User $actor, array $changeSet, ?int $packageId): self
{
return new self(
AuditRecordType::SecurityAdvisoryEdited,
[...self::getSecurityAdvisoryData($advisory, $actor), 'changes' => self::getSecurityAdvisoryChanges($changeSet)],
vendor: self::vendorFromPackageName($advisory->getPackageName()),
actorId: $actor?->getId(),
packageId: $packageId,
);
}

public static function securityAdvisoryWithdrawn(SecurityAdvisory $advisory, ?User $actor, ?int $packageId): self
{
return new self(
AuditRecordType::SecurityAdvisoryWithdrawn,
self::getSecurityAdvisoryData($advisory, $actor),
vendor: self::vendorFromPackageName($advisory->getPackageName()),
actorId: $actor?->getId(),
packageId: $packageId,
);
}

/**
* @return array{id: int, username: string}|string
*/
Expand All @@ -526,6 +563,69 @@ private static function getUserData(?User $user, string $fallbackString = 'unkno
return ['id' => $user->getId(), 'username' => $user->getUsername()];
}

/**
* @return array{name: string, advisoryId: string, source: string, remoteId: string, cve: string|null, title: string, actor: array{id: int, username: string}|string}
*/
private static function getSecurityAdvisoryData(SecurityAdvisory $advisory, ?User $actor): array
{
return [
'name' => $advisory->getPackageName(),
'advisoryId' => $advisory->getPackagistAdvisoryId(),
'source' => $advisory->getSource(),
'remoteId' => $advisory->getRemoteId(),
'cve' => $advisory->getCve(),
'title' => $advisory->getTitle(),
'actor' => self::getUserData($actor, 'automation'),
];
}

/**
* Normalises a Doctrine change set into a JSON-friendly list of field diffs.
*
* @param array<string, array{mixed, mixed}|PersistentCollection<array-key, mixed>> $changeSet
* @return array<string, array{from: scalar|null, to: scalar|null}>
*/
private static function getSecurityAdvisoryChanges(array $changeSet): array
{
$changes = [];
foreach ($changeSet as $field => $change) {
// Skip the timestamp and any collection-valued changes; we only record scalar field diffs.
if ($field === 'updatedAt' || !\is_array($change)) {
continue;
}

[$from, $to] = $change;
$changes[$field] = [
'from' => self::normalizeAuditValue($from),
'to' => self::normalizeAuditValue($to),
];
}

return $changes;
}

private static function normalizeAuditValue(mixed $value): string|int|float|bool|null
{
if ($value === null || \is_scalar($value)) {
return $value;
}

if ($value instanceof \BackedEnum) {
return $value->value;
}

if ($value instanceof \DateTimeInterface) {
return $value->format(\DATE_ATOM);
}

return (string) json_encode($value);
}

private static function vendorFromPackageName(string $packageName): string
{
return explode('/', $packageName, 2)[0];
}

/**
* @return FilterListEntryData
*/
Expand Down
Loading