diff --git a/backend/src/ee/routes/v1/pam-session-router.ts b/backend/src/ee/routes/v1/pam-session-router.ts
index cc8969c924d..3c39a9516ef 100644
--- a/backend/src/ee/routes/v1/pam-session-router.ts
+++ b/backend/src/ee/routes/v1/pam-session-router.ts
@@ -41,17 +41,15 @@ export const registerPamSessionRouter = async (server: FastifyZodProvider) => {
 },
 onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
 handler: async (req) => {
- const { credentials, projectId, account } = await server.services.pamAccount.getSessionCredentials(
- req.params.sessionId,
- req.permission
- );
+ const { credentials, projectId, account, sessionStarted } =
+ await server.services.pamAccount.getSessionCredentials(req.params.sessionId, req.permission);
 
 await server.services.auditLog.createAuditLog({
 ...req.auditLogInfo,
 orgId: req.permission.orgId,
 projectId,
 event: {
- type: EventType.PAM_SESSION_START,
+ type: EventType.PAM_SESSION_CREDENTIALS_GET,
 metadata: {
 sessionId: req.params.sessionId,
 accountName: account.name
@@ -59,6 +57,21 @@ export const registerPamSessionRouter = async (server: FastifyZodProvider) => {
 }
 });
 
+ if (sessionStarted) {
+ await server.services.auditLog.createAuditLog({
+ ...req.auditLogInfo,
+ orgId: req.permission.orgId,
+ projectId,
+ event: {
+ type: EventType.PAM_SESSION_START,
+ metadata: {
+ sessionId: req.params.sessionId,
+ accountName: account.name
+ }
+ }
+ });
+ }
+
 return { credentials: credentials as z.infer };
 }
 });
diff --git a/backend/src/ee/services/audit-log/audit-log-types.ts b/backend/src/ee/services/audit-log/audit-log-types.ts
index de3ce9af6a6..eb4bd16ef0c 100644
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
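Review bot: In the added `if (sessionStarted)` block the `PAM_SESSION_START` event is written after `PAM_SESSION_CREDENTIALS_GET`, so on a first fetch the audit timeline records the credentials being obtained before the session is recorded as started; moving the conditional block above the credentials-get call, or emitting the start event from the service next to the status update it reflects, keeps the recorded order consistent with what happened. The two createAuditLog calls differ only in `type` and could share one small local helper, which would also keep their metadata in step if a field is added later. A short comment on the block would help readers, e.g. `// Only the fetch that moves the session out of Starting is a session start; later fetches are recorded as credential reads only`. The handler and the surrounding route definition extend outside this hunk.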
@@ -535,6 +535,7 @@ export enum EventType {
 DASHBOARD_GET_SECRET_VALUE = "dashboard-get-secret-value",
 DASHBOARD_GET_SECRET_VERSION_VALUE = "dashboard-get-secret-version-value",
 
+ PAM_SESSION_CREDENTIALS_GET = "pam-session-credentials-get",
 PAM_SESSION_START = "pam-session-start",
 PAM_SESSION_LOGS_UPDATE = "pam-session-logs-update",
 PAM_SESSION_END = "pam-session-end",
@@ -3978,6 +3979,14 @@ interface OrgRoleDeleteEvent {
 };
 }
 
+interface PamSessionCredentialsGetEvent {
+ type: EventType.PAM_SESSION_CREDENTIALS_GET;
+ metadata: {
+ sessionId: string;
+ accountName: string;
+ };
+}
+
 interface PamSessionStartEvent {
 type: EventType.PAM_SESSION_START;
 metadata: {
@@ -4531,6 +4540,7 @@ export type Event =
 | OrgRoleCreateEvent
 | OrgRoleUpdateEvent
 | OrgRoleDeleteEvent
+ | PamSessionCredentialsGetEvent
 | PamSessionStartEvent
 | PamSessionLogsUpdateEvent
 | PamSessionEndEvent
diff --git a/backend/src/ee/services/pam-account/pam-account-service.ts b/backend/src/ee/services/pam-account/pam-account-service.ts
index 8c93fbfaf2e..1eae8df15c7 100644
--- a/backend/src/ee/services/pam-account/pam-account-service.ts
+++ b/backend/src/ee/services/pam-account/pam-account-service.ts
@@ -668,11 +668,6 @@ export const pamAccountServiceFactory = ({
 throw new BadRequestError({ message: "Session has ended or expired" });
 }
 
- // Verify that the session has not already had credentials fetched
- if (session.status !== PamSessionStatus.Starting) {
- throw new BadRequestError({ message: "Session has already been started" });
- }
-
 const account = await pamAccountDAL.findById(session.accountId);
 if (!account) throw new NotFoundError({ message: `Account with ID '${session.accountId}' not found` });
 
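Review bot: With the `Session has already been started` guard removed, the only gate left in this hunk before the account lookup is the ended-or-expired check on its first line, so as far as this hunk shows the decrypted credentials of an active session can be obtained any number of times until it ends or expires; the code should state that this is intended and why, e.g. `// Credentials may be fetched repeatedly while the session is active (e.g. reconnects); the caller audits every fetch`. If repeat fetches exist only to serve reconnects, a limit on how often or how long after the session started they are accepted would narrow that window without blocking the legitimate case. The enclosing getSessionCredentials body continues before and after this hunk; the three audit-log-types hunks above are type-only additions.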
@@ -689,11 +684,16 @@ export const pamAccountServiceFactory = ({
 
 const decryptedResource = await decryptResource(resource, session.projectId, kmsService);
 
+ let sessionStarted = false;
+
 // Mark session as started
- await pamSessionDAL.updateById(sessionId, {
- status: PamSessionStatus.Active,
- startedAt: new Date()
- });
+ if (session.status === PamSessionStatus.Starting) {
+ await pamSessionDAL.updateById(sessionId, {
+ status: PamSessionStatus.Active,
+ startedAt: new Date()
+ });
+ sessionStarted = true;
+ }
 
 return {
 credentials: {
@@ -701,7 +701,8 @@ export const pamAccountServiceFactory = ({
 ...decryptedAccount.credentials
 },
 projectId: project.id,
- account
+ account,
+ sessionStarted
 };
 };
 
diff --git a/frontend/src/hooks/api/auditLogs/constants.tsx b/frontend/src/hooks/api/auditLogs/constants.tsx
index 796ab7b7800..74a1ade3108 100644
--- a/frontend/src/hooks/api/auditLogs/constants.tsx
+++ b/frontend/src/hooks/api/auditLogs/constants.tsx
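Review bot: The `session.status === PamSessionStatus.Starting` test runs on a status read earlier in the function, outside this hunk, so two concurrent fetches for the same session can both observe Starting, both call `updateById`, and both return `sessionStarted = true`, which yields duplicate `PAM_SESSION_START` audit events and a second `startedAt` overwriting the first. A write conditional on the stored status still being Starting, with `sessionStarted` derived from whether a row was actually changed, would close that gap; whether pamSessionDAL offers such a filtered update is not visible here. The `// Mark session as started` comment now sits above a conditional and would read better as `// First fetch only: move the session from Starting to Active; later fetches leave it untouched`. getSessionCredentials starts before this hunk and its return value is completed in the following hunk.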
@@ -262,24 +262,25 @@ export const eventToNameMap: { [K in EventType]: string } = {
 [EventType.UPDATE_IDENTITY_PROJECT_MEMBERSHIP]: "Update Identity Project Membership",
 [EventType.DELETE_IDENTITY_PROJECT_MEMBERSHIP]: "Delete Identity Project Membership",
 
- [EventType.PAM_SESSION_START]: "PAM Session Start",
- [EventType.PAM_SESSION_LOGS_UPDATE]: "PAM Session Logs Update",
- [EventType.PAM_SESSION_END]: "PAM Session End",
- [EventType.PAM_SESSION_GET]: "PAM Session Get",
- [EventType.PAM_SESSION_LIST]: "PAM Session List",
- [EventType.PAM_FOLDER_CREATE]: "PAM Folder Create",
- [EventType.PAM_FOLDER_UPDATE]: "PAM Folder Update",
- [EventType.PAM_FOLDER_DELETE]: "PAM Folder Delete",
- [EventType.PAM_ACCOUNT_LIST]: "PAM Account List",
- [EventType.PAM_ACCOUNT_ACCESS]: "PAM Account Access",
- [EventType.PAM_ACCOUNT_CREATE]: "PAM Account Create",
- [EventType.PAM_ACCOUNT_UPDATE]: "PAM Account Update",
- [EventType.PAM_ACCOUNT_DELETE]: "PAM Account Delete",
- [EventType.PAM_RESOURCE_LIST]: "PAM Resource List",
- [EventType.PAM_RESOURCE_GET]: "PAM Resource Get",
- [EventType.PAM_RESOURCE_CREATE]: "PAM Resource Create",
- [EventType.PAM_RESOURCE_UPDATE]: "PAM Resource Update",
- [EventType.PAM_RESOURCE_DELETE]: "PAM Resource Delete",
+ [EventType.PAM_SESSION_CREDENTIALS_GET]: "Get PAM Session Credentials",
+ [EventType.PAM_SESSION_START]: "Start PAM Session",
+ [EventType.PAM_SESSION_LOGS_UPDATE]: "Update PAM Session Logs",
+ [EventType.PAM_SESSION_END]: "End PAM Session",
+ [EventType.PAM_SESSION_GET]: "Get PAM Session",
+ [EventType.PAM_SESSION_LIST]: "List PAM Sessions",
+ [EventType.PAM_FOLDER_CREATE]: "Create PAM Folder",
+ [EventType.PAM_FOLDER_UPDATE]: "Update PAM Folder",
+ [EventType.PAM_FOLDER_DELETE]: "Delete PAM Folder",
+ [EventType.PAM_ACCOUNT_LIST]: "List PAM Accounts",
+ [EventType.PAM_ACCOUNT_ACCESS]: "Access PAM Account",
+ [EventType.PAM_ACCOUNT_CREATE]: "Create PAM Account",
+ [EventType.PAM_ACCOUNT_UPDATE]: "Update PAM Account",
+ [EventType.PAM_ACCOUNT_DELETE]: "Delete PAM Account",
+ [EventType.PAM_RESOURCE_LIST]: "List PAM Resources",
+ [EventType.PAM_RESOURCE_GET]: "Get PAM Resource",
+ [EventType.PAM_RESOURCE_CREATE]: "Create PAM Resource",
+ [EventType.PAM_RESOURCE_UPDATE]: "Update PAM Resource",
+ [EventType.PAM_RESOURCE_DELETE]: "Delete PAM Resource",
 
 [EventType.CREATE_CERTIFICATE_PROFILE]: "Create Certificate Profile",
 [EventType.UPDATE_CERTIFICATE_PROFILE]: "Update Certificate Profile",
@@ -314,6 +315,7 @@ const sharedProjectEvents = [
 export const projectToEventsMap: Partial> = {
 [ProjectType.PAM]: [
 ...sharedProjectEvents,
+ EventType.PAM_SESSION_CREDENTIALS_GET,
 EventType.PAM_SESSION_START,
 EventType.PAM_SESSION_LOGS_UPDATE,
 EventType.PAM_SESSION_END,
diff --git a/frontend/src/hooks/api/auditLogs/enums.tsx b/frontend/src/hooks/api/auditLogs/enums.tsx
index cf104dfae3c..bde306450c1 100644
--- a/frontend/src/hooks/api/auditLogs/enums.tsx
+++ b/frontend/src/hooks/api/auditLogs/enums.tsx
@@ -254,6 +254,7 @@ export enum EventType {
 UPDATE_IDENTITY_PROJECT_MEMBERSHIP = "update-identity-project-membership",
 DELETE_IDENTITY_PROJECT_MEMBERSHIP = "delete-identity-project-membership",
 
+ PAM_SESSION_CREDENTIALS_GET = "pam-session-credentials-get",
 PAM_SESSION_START = "pam-session-start",
 PAM_SESSION_LOGS_UPDATE = "pam-session-logs-update",
 PAM_SESSION_END = "pam-session-end",