[Backport 5.1] treat unknown actors as internal for the purpose of audit logs (#54895)

github-actions[bot] · web-flow · commit 2f3bf5ec0109 · 2023-07-12T21:57:22.000Z
diff --git a/cmd/frontend/internal/httpapi/graphql_test.go b/cmd/frontend/internal/httpapi/graphql_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/sourcegraph/log/logtest"
 	"github.com/stretchr/testify/assert"
 
+	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/schema"
 )
@@ -49,7 +50,8 @@ func Test_recordAuditLog(t *testing.T) {
 
 			logger, exportLogs := logtest.Captured(t)
 
-			recordAuditLog(context.Background(), logger, traceData{
+			ctx := actor.WithActor(context.Background(), actor.FromUser(1))
+			recordAuditLog(ctx, logger, traceData{
 				queryParams: graphQLQueryParams{
 					Query:     `repository(name: "github.com/gorilla/mux") { name }`,
 					Variables: map[string]any{"param1": "value1"},
diff --git a/cmd/gitserver/server/accesslog/BUILD.bazel b/cmd/gitserver/server/accesslog/BUILD.bazel
diff --git a/cmd/gitserver/server/accesslog/accesslog_test.go b/cmd/gitserver/server/accesslog/accesslog_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 
+	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/internal/conf/conftypes"
 	"github.com/sourcegraph/sourcegraph/internal/requestclient"
 	"github.com/sourcegraph/sourcegraph/schema"
@@ -121,6 +122,7 @@ func TestHTTPMiddleware(t *testing.T) {
 		})
 		rec := httptest.NewRecorder()
 		req := httptest.NewRequest("GET", "/", nil)
+		req = req.WithContext(actor.WithActor(context.Background(), actor.FromUser(32)))
 
 		// Request with access logging disabled
 		h.ServeHTTP(rec, req)
diff --git a/internal/audit/audit.go b/internal/audit/audit.go
@@ -23,12 +23,17 @@ func Log(ctx context.Context, logger log.Logger, record Record) {
 
 	// internal actors add a lot of noise to the audit log
 	siteConfig := conf.SiteConfig()
+	// if the actor is internal  and internal traffic logging is disabled, do not log
 	if act.Internal && !IsEnabled(siteConfig, InternalTraffic) {
 		return
 	}
 
 	client := requestclient.FromContext(ctx)
-
+	// if the actor and client ip is unknown, and internal traffic logging is disabled, do not log
+	// internal actors generate a large volume of logs, and they are generally not useful
+	if (actorId(act) == "unknown" && ip(client) == "unknown") && !IsEnabled(siteConfig, InternalTraffic) {
+		return
+	}
 	auditId := uuid.New().String()
 	if record.auditIDGenerator != nil {
 		auditId = record.auditIDGenerator()
diff --git a/internal/database/security_event_logs_test.go b/internal/database/security_event_logs_test.go
@@ -71,16 +71,19 @@ func TestSecurityEventLogs_ValidInfo(t *testing.T) {
 		},
 		{
 			name:  "JustUser",
+			actor: &actor.Actor{UID: 1}, // if we have a userID, we should have a valid actor UID
 			event: &SecurityEvent{Name: "test_event", URL: "http://sourcegraph.com", Source: "Web", UserID: 1, AnonymousUserID: ""},
 			err:   "<nil>",
 		},
 		{
 			name:  "JustAnonymous",
+			actor: &actor.Actor{AnonymousUID: "blah"},
 			event: &SecurityEvent{Name: "test_event", URL: "http://sourcegraph.com", Source: "Web", UserID: 0, AnonymousUserID: "blah"},
 			err:   "<nil>",
 		},
 		{
 			name:  "ValidInsert",
+			actor: &actor.Actor{UID: 1}, // if we have a userID, we should have a valid actor UID
 			event: &SecurityEvent{Name: "test_event", UserID: 1, URL: "http://sourcegraph.com", Source: "WEB"},
 			err:   "<nil>",
 		},
