fix(security-events): scope events by org #1292
Open
Nav-Prak wants to merge 3 commits into
Stamp each security event with the actor's organization on emit (resolved from the database and cached per actor) and constrain the admin security-event query to the caller's org, so a tenant admin cannot read another organization's security events.
- Add _resolve_actor_org_id and apply it in emit_security_event.
- Add an org_id filter to the admin get_security_events query.
- Backfill security_events.org_id on existing deployments via ALTER TABLE ADD COLUMN/INDEX IF NOT EXISTS. CREATE TABLE IF NOT EXISTS is a no-op once the table exists, so without this an upgraded deployment would lack the column and fail on org-scoped insert/query (mirrors audit_log).
- Add tenant-scope regression tests for emit, resolver caching, the org-scoped admin query, and the schema migration.
Part of AUDIT2 tenant-scoping, split out of BlazeUp-AI#1184.
LOGIN_FAILURE was emitted with actor_email only, so emit_security_event could not resolve an org for it. With the security-events query now scoped by org, a real tenant user's wrong-password attempts would be stored with org_id="" and stay invisible to their own tenant admins. The /login and /token handlers now attribute a wrong-password failure for an existing user to that user (actor_id/email/role) so it resolves to their org; unknown-identifier attempts have no org and remain global. Adds parametrized regression tests for both endpoints covering the existing-user (attributed) and unknown-user (orgless) cases. Part of AUDIT2 tenant-scoping, split out of BlazeUp-AI#1184.
Purpose / Description
Scope security-event reads to the caller's organization so a tenant admin cannot list another organization's security events.
This is part of the AUDIT2 tenant-scoping work and is split out from the closed broader tenant-scope PR #1184 to keep the security-events change independently reviewable.
Fixes
Approach
This change stamps security events with an `org_id` and filters the admin security-events query by the current admin's org.
- `org_id` filter on the admin `get_security_events` query.
- Backfill of `security_events.org_id` and its bloom-filter index.
How Has This Been Tested?
Targeted security-events tenant-scope tests:
Result: security-events tenant-scope tests passed, including schema migration coverage and login-failure attribution for both `/login` and `/token`.
Lint/format:
Also re-ran adjacent auth/security and security-events suites as part of split verification; no regressions were found.
Checklist
Please, go through these checks before submitting the PR.
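As an added example, not code from this PR or from the BlazeUp-AI project, the following self-contained Python sketch shows the design the description and commits lay out: the actor's org is resolved once per actor and cached, stamped on every emitted event, the admin read path is constrained to the caller's org, the `org_id` column is backfilled on an already-created table, and a wrong-password attempt for an existing user is attributed to that user while an unknown identifier stays orgless. Only the names `emit_security_event`, `_resolve_actor_org_id`, `get_security_events`, `security_events.org_id` and `LOGIN_FAILURE` come from the PR; the schema, the user fixtures, the SQLite backend (whose plain index stands in for the bloom-filter index) and every function body are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed pre-upgrade schema (assumption, not the project's DDL):
# security_events exists already but has no org_id column.
LEGACY_SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    id TEXT PRIMARY KEY, email TEXT UNIQUE NOT NULL, role TEXT NOT NULL,
    org_id TEXT NOT NULL, password_hash TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS security_events (
    id INTEGER PRIMARY KEY AUTOINCREMENT, event_type TEXT NOT NULL,
    actor_id TEXT, actor_email TEXT, actor_role TEXT);
"""


def _pw(secret):
    # Constructed fixture hash; a real deployment uses a slow password hash.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed users across two tenants.
USERS = [
    ("u-alice", "alice@acme.example", "user", "acme", _pw("alice-pw")),
    ("u-bob", "bob@globex.example", "admin", "globex", _pw("bob-pw")),
]


def migrate(conn):
    """Backfill org_id on an already-created table. CREATE TABLE IF NOT EXISTS is a
    no-op once the table exists, so the column must be added separately. SQLite has
    no ADD COLUMN IF NOT EXISTS, so the existence check is done via PRAGMA."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(security_events)")}
    if "org_id" not in cols:
        conn.execute("ALTER TABLE security_events ADD COLUMN org_id TEXT NOT NULL DEFAULT ''")
    conn.execute("CREATE INDEX IF NOT EXISTS ix_security_events_org_id ON security_events(org_id)")
    conn.commit()


class SecurityEvents:
    def __init__(self, conn):
        self.conn = conn
        self._org_cache = {}   # actor_id -> org_id: one DB lookup per actor
        self.db_lookups = 0    # counter so the caching behaviour is observable

    def _resolve_actor_org_id(self, actor_id):
        if not actor_id:
            return ""          # no actor: global (orgless) event
        if actor_id not in self._org_cache:
            self.db_lookups += 1
            row = self.conn.execute("SELECT org_id FROM users WHERE id = ?", (actor_id,)).fetchone()
            self._org_cache[actor_id] = row[0] if row else ""
        return self._org_cache[actor_id]

    def emit_security_event(self, event_type, actor_id=None, actor_email=None, actor_role=None):
        org_id = self._resolve_actor_org_id(actor_id)
        self.conn.execute(
            "INSERT INTO security_events (event_type, actor_id, actor_email, actor_role, org_id) "
            "VALUES (?, ?, ?, ?, ?)",
            (event_type, actor_id, actor_email, actor_role, org_id))
        self.conn.commit()
        return org_id

    def get_security_events(self, caller_org_id):
        """Admin read path: the org filter comes from the caller's authenticated
        session, never from a request parameter, so a client cannot widen it."""
        return [tuple(r) for r in self.conn.execute(
            "SELECT event_type, actor_email, org_id FROM security_events "
            "WHERE org_id = ? ORDER BY id", (caller_org_id,))]


def login(events, identifier, password):
    """A wrong password for an existing user is attributed to that user so the event
    resolves to their org; an unknown identifier has no actor and stays global."""
    row = events.conn.execute(
        "SELECT id, email, role, password_hash FROM users WHERE email = ?", (identifier,)).fetchone()
    if row and hmac.compare_digest(row[3], _pw(password)):
        return True
    if row:
        events.emit_security_event("LOGIN_FAILURE", actor_id=row[0], actor_email=row[1], actor_role=row[2])
    else:
        events.emit_security_event("LOGIN_FAILURE", actor_email=identifier)
    return False


def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(LEGACY_SCHEMA)   # simulate an existing deployment, then upgrade it
    migrate(conn)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    ev = SecurityEvents(conn)
    login(ev, "alice@acme.example", "wrong")         # attributed -> acme
    login(ev, "alice@acme.example", "wrong-again")   # cache hit, no second lookup
    login(ev, "nobody@nowhere.example", "x")         # unknown identifier -> orgless
    ev.emit_security_event("PASSWORD_CHANGED", actor_id="u-bob",
                           actor_email="bob@globex.example", actor_role="admin")
    return {
        "acme": ev.get_security_events("acme"),
        "globex": ev.get_security_events("globex"),
        "orgless": ev.get_security_events(""),
        "db_lookups": ev.db_lookups,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The check that matters is the one the PR's regression tests cover: the acme admin's view contains only acme events, the globex admin's view contains only globex events, the unknown-user attempt lives under the empty org and is visible to neither tenant, and the resolver hits the database once per distinct actor.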