split audit logs into two: - get session credentials - start session

x032205 · x032205 · commit bfb49172b95c · 2025-11-19T16:08:38.000-05:00
diff --git a/backend/src/ee/routes/v1/pam-session-router.ts b/backend/src/ee/routes/v1/pam-session-router.ts
@@ -41,24 +41,37 @@ export const registerPamSessionRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { credentials, projectId, account } = await server.services.pamAccount.getSessionCredentials(
-        req.params.sessionId,
-        req.permission
-      );
+      const { credentials, projectId, account, sessionStarted } =
+        await server.services.pamAccount.getSessionCredentials(req.params.sessionId, req.permission);
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         orgId: req.permission.orgId,
         projectId,
         event: {
-          type: EventType.PAM_SESSION_START,
+          type: EventType.PAM_SESSION_CREDENTIALS_GET,
           metadata: {
             sessionId: req.params.sessionId,
             accountName: account.name
           }
         }
       });
 
+      if (sessionStarted) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          orgId: req.permission.orgId,
+          projectId,
+          event: {
+            type: EventType.PAM_SESSION_START,
+            metadata: {
+              sessionId: req.params.sessionId,
+              accountName: account.name
+            }
+          }
+        });
+      }
+
       return { credentials: credentials as z.infer<typeof SessionCredentialsSchema> };
     }
   });
diff --git a/backend/src/ee/services/audit-log/audit-log-types.ts b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -535,6 +535,7 @@ export enum EventType {
   DASHBOARD_GET_SECRET_VALUE = "dashboard-get-secret-value",
   DASHBOARD_GET_SECRET_VERSION_VALUE = "dashboard-get-secret-version-value",
 
+  PAM_SESSION_CREDENTIALS_GET = "pam-session-credentials-get",
   PAM_SESSION_START = "pam-session-start",
   PAM_SESSION_LOGS_UPDATE = "pam-session-logs-update",
   PAM_SESSION_END = "pam-session-end",
@@ -3978,6 +3979,14 @@ interface OrgRoleDeleteEvent {
   };
 }
 
+interface PamSessionCredentialsGetEvent {
+  type: EventType.PAM_SESSION_CREDENTIALS_GET;
+  metadata: {
+    sessionId: string;
+    accountName: string;
+  };
+}
+
 interface PamSessionStartEvent {
   type: EventType.PAM_SESSION_START;
   metadata: {
@@ -4531,6 +4540,7 @@ export type Event =
   | OrgRoleCreateEvent
   | OrgRoleUpdateEvent
   | OrgRoleDeleteEvent
+  | PamSessionCredentialsGetEvent
   | PamSessionStartEvent
   | PamSessionLogsUpdateEvent
   | PamSessionEndEvent
diff --git a/backend/src/ee/services/pam-account/pam-account-service.ts b/backend/src/ee/services/pam-account/pam-account-service.ts
@@ -684,12 +684,15 @@ export const pamAccountServiceFactory = ({
 
     const decryptedResource = await decryptResource(resource, session.projectId, kmsService);
 
+    let sessionStarted = false;
+
     // Mark session as started
     if (session.status === PamSessionStatus.Starting) {
       await pamSessionDAL.updateById(sessionId, {
         status: PamSessionStatus.Active,
         startedAt: new Date()
       });
+      sessionStarted = true;
     }
 
     return {
@@ -698,7 +701,8 @@ export const pamAccountServiceFactory = ({
         ...decryptedAccount.credentials
       },
       projectId: project.id,
-      account
+      account,
+      sessionStarted
     };
   };
 
diff --git a/frontend/src/hooks/api/auditLogs/constants.tsx b/frontend/src/hooks/api/auditLogs/constants.tsx
@@ -262,6 +262,7 @@ export const eventToNameMap: { [K in EventType]: string } = {
   [EventType.UPDATE_IDENTITY_PROJECT_MEMBERSHIP]: "Update Identity Project Membership",
   [EventType.DELETE_IDENTITY_PROJECT_MEMBERSHIP]: "Delete Identity Project Membership",
 
+  [EventType.PAM_SESSION_CREDENTIALS_GET]: "PAM Session Credentials Get",
   [EventType.PAM_SESSION_START]: "PAM Session Start",
   [EventType.PAM_SESSION_LOGS_UPDATE]: "PAM Session Logs Update",
   [EventType.PAM_SESSION_END]: "PAM Session End",
@@ -314,6 +315,7 @@ const sharedProjectEvents = [
 export const projectToEventsMap: Partial<Record<ProjectType, EventType[]>> = {
   [ProjectType.PAM]: [
     ...sharedProjectEvents,
+    EventType.PAM_SESSION_CREDENTIALS_GET,
     EventType.PAM_SESSION_START,
     EventType.PAM_SESSION_LOGS_UPDATE,
     EventType.PAM_SESSION_END,
diff --git a/frontend/src/hooks/api/auditLogs/enums.tsx b/frontend/src/hooks/api/auditLogs/enums.tsx
@@ -254,6 +254,7 @@ export enum EventType {
   UPDATE_IDENTITY_PROJECT_MEMBERSHIP = "update-identity-project-membership",
   DELETE_IDENTITY_PROJECT_MEMBERSHIP = "delete-identity-project-membership",
 
+  PAM_SESSION_CREDENTIALS_GET = "pam-session-credentials-get",
   PAM_SESSION_START = "pam-session-start",
   PAM_SESSION_LOGS_UPDATE = "pam-session-logs-update",
   PAM_SESSION_END = "pam-session-end",
