feature: Audit Logs (#54)

Author: bryan-robitaille

@types/express/index.d.ts

@@ -5,7 +5,8 @@ declare global {
   // biome-ignore lint/style/noNamespace: <It is the only way to do this.  If we use module Biome also complains>
   namespace Express {
     interface Request {
-      serviceAccountId?: string;
+      serviceAccountId: string;
+      serviceUserId: string;
     }
   }
 }

package.json

@@ -21,6 +21,7 @@
   "dependencies": {
     "@aws-sdk/client-dynamodb": "^3.629.0",
     "@aws-sdk/client-secrets-manager": "^3.637.0",
+    "@aws-sdk/client-sqs": "^3.645.0",
     "@aws-sdk/lib-dynamodb": "^3.629.0",
     "axios": "^1.7.3",
     "dotenv": "^16.4.5",

pnpm-lock.yaml

@@ -0,0 +1,80 @@
+import { GetQueueUrlCommand, SendMessageCommand } from "@aws-sdk/client-sqs";
+import { AwsServicesConnector } from "./connectors/awsServicesConnector.js";
+import { logMessage } from "./logger.js";
+import { EnvironmentMode, ENVIRONMENT_MODE } from "@src/config.js";
+
+export enum AuditLogEvent {
+  // Form Response Events
+  DownloadResponse = "DownloadResponse",
+  ConfirmResponse = "ConfirmResponse",
+  IdentifyProblemResponse = "IdentifyProblemResponse",
+  RetrieveNewResponses = "RetrieveResponses",
+  // Application Events
+  AccessDenied = "AccessDenied",
+  // Template Events
+  RetrieveTemplate = "RetrieveTemplate",
+}
+export type AuditLogEventStrings = keyof typeof AuditLogEvent;
+
+export enum AuditSubjectType {
+  ServiceAccount = "ServiceAccount",
+  Form = "Form",
+  Response = "Response",
+}
+
+let queueUrlRef: string | null = null;
+
+const getQueueUrl = async () => {
+  if (!queueUrlRef) {
+    const data = await AwsServicesConnector.getInstance().sqsClient.send(
+      new GetQueueUrlCommand({
+        QueueName: "api_audit_log_queue",
+      }),
+    );
+    queueUrlRef = data.QueueUrl ?? null;
+    logMessage.debug(`Audit Log Queue URL initialized: ${queueUrlRef}`);
+  }
+  return queueUrlRef;
+};
+
+//Initialise the queueUrlRef on load except when running tests
+// This mock should be refactored when we once we have a better way to mock the AWS SDK
+process.env.NODE_ENV !== "test" && getQueueUrl();
+
+export const logEvent = async (
+  userId: string,
+  subject: { type: keyof typeof AuditSubjectType; id?: string },
+  event: AuditLogEventStrings,
+  description?: string,
+): Promise<void> => {
+  const auditLog = JSON.stringify({
+    userId,
+    event,
+    timestamp: Date.now(),
+    subject,
+    description,
+  });
+  try {
+    const queueUrl = await getQueueUrl();
+    if (!queueUrl) {
+      throw new Error("Audit Log Queue not connected");
+    }
+    await AwsServicesConnector.getInstance().sqsClient.send(
+      new SendMessageCommand({
+        MessageBody: auditLog,
+        QueueUrl: queueUrl,
+      }),
+    );
+  } catch (e) {
+    // Only log the error in Production environment.
+    // Development may be running without LocalStack setup
+    if (ENVIRONMENT_MODE === EnvironmentMode.Local) {
+      return logMessage.info(`AuditLog:${auditLog}`);
+    }
+
+    logMessage.error("ERROR with Audit Logging");
+    logMessage.error(e as Error);
+    // Ensure the audit event is not lost by sending to console
+    logMessage.warn(`AuditLog:${auditLog}`);
+  }
+};

src/lib/auditLogs.ts

@@ -2,6 +2,7 @@ import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import { AWS_REGION, LOCALSTACK_ENDPOINT } from "@src/config.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { SQSClient } from "@aws-sdk/client-sqs";
 
 const globalConfig = {
   region: AWS_REGION,
@@ -20,6 +21,8 @@ export class AwsServicesConnector {
 
   public secretsClient: SecretsManagerClient;
 
+  public sqsClient: SQSClient;
+
   private constructor() {
     this.dynamodbClient = DynamoDBDocumentClient.from(
       new DynamoDBClient({
@@ -31,6 +34,11 @@ export class AwsServicesConnector {
       ...globalConfig,
       ...localstackConfig,
     });
+
+    this.sqsClient = new SQSClient({
+      ...globalConfig,
+      ...localstackConfig,
+    });
   }
 
   public static getInstance(): AwsServicesConnector {

src/lib/connectors/awsServicesConnector.ts

@@ -5,7 +5,7 @@ import { ZITADEL_APPLICATION_KEY, ZITADEL_DOMAIN } from "@src/config.js";
 import { logMessage } from "@src/lib/logger.js";
 
 export type IntrospectionResult = {
-  username: string;
+  serviceUserId: string;
   exp: number;
   serviceAccountId: string;
 };
@@ -55,7 +55,7 @@ export async function introspectToken(
     }
 
     return {
-      username: introspectionResponse.username as string,
+      serviceUserId: introspectionResponse.username as string,
       exp: introspectionResponse.exp as number,
       serviceAccountId: introspectionResponse.sub as string,
     };

src/lib/idp/introspectToken.ts

@@ -4,13 +4,15 @@ import {
   getIntrospectionCache,
   setIntrospectionCache,
 } from "@lib/idp/introspectionCache.js";
+import { logEvent } from "@src/lib/auditLogs.js";
 
 export async function authenticationMiddleware(
   request: Request,
   response: Response,
   next: NextFunction,
 ) {
   const accessToken = request.headers.authorization?.split(" ")[1];
+  const formId = request.params.formId;
 
   if (!accessToken) {
     return response.sendStatus(401);
@@ -24,18 +26,29 @@ export async function authenticationMiddleware(
     return response.sendStatus(403);
   }
 
-  const formId = request.params.formId;
-
-  if (introspectionResult.username !== formId) {
+  if (introspectionResult.serviceUserId !== formId) {
+    logEvent(
+      introspectionResult.serviceUserId,
+      { type: "Form", id: formId },
+      "AccessDenied",
+      "User does not have access to this form",
+    );
     return response.sendStatus(403);
   }
 
   if (introspectionResult.exp < Date.now() / 1000) {
+    logEvent(
+      introspectionResult.serviceUserId,
+      { type: "Form", id: formId },
+      "AccessDenied",
+      "Access token has expired",
+    );
     return response.status(401).json({ error: "Access token has expired" });
   }
 
   await setIntrospectionCache(accessToken, introspectionResult);
 
+  request.serviceUserId = introspectionResult.serviceUserId;
   request.serviceAccountId = introspectionResult.serviceAccountId;
 
   next();

src/middleware/authentication/middleware.ts

@@ -1,3 +1,4 @@
+import { logEvent } from "@src/lib/auditLogs.js";
 import { logMessage } from "@src/lib/logger.js";
 import { getNewFormSubmissions } from "@src/lib/vault/getNewFormSubmissions.js";
 import { type Request, type Response, Router } from "express";
@@ -10,13 +11,20 @@ const MAXIMUM_NUMBER_OF_RETURNED_NEW_FORM_SUBMISSIONS: number = 100;
 
 newApiRoute.get("/", async (request: Request, response: Response) => {
   const formId = request.params.formId;
+  const serviceUserId = request.serviceUserId;
 
   try {
     const newFormSubmissions = await getNewFormSubmissions(
       formId,
       MAXIMUM_NUMBER_OF_RETURNED_NEW_FORM_SUBMISSIONS,
     );
 
+    logEvent(
+      serviceUserId,
+      { type: "Form", id: formId },
+      "RetrieveNewResponses",
+    );
+
     return response.json(newFormSubmissions);
   } catch (error) {
     logMessage.error(

src/routes/forms/formId/submission/new/router.ts

@@ -6,6 +6,7 @@ import {
 } from "@src/lib/vault/dataStructures/exceptions.js";
 import { type Request, type Response, Router } from "express";
 import { logMessage } from "@src/lib/logger.js";
+import { logEvent } from "@src/lib/auditLogs.js";
 
 export const confirmApiRoute = Router({
   mergeParams: true,
@@ -17,9 +18,15 @@ confirmApiRoute.put(
     const formId = request.params.formId;
     const submissionName = request.params.submissionName;
     const confirmationCode = request.params.confirmationCode;
+    const serviceUserId = request.serviceUserId;
 
     try {
       await confirmFormSubmission(formId, submissionName, confirmationCode);
+      logEvent(
+        serviceUserId,
+        { type: "Response", id: submissionName },
+        "ConfirmResponse",
+      );
       return response.sendStatus(200);
     } catch (error) {
       if (error instanceof FormSubmissionNotFoundException) {

src/routes/forms/formId/submission/submissionName/confirm/router.ts

@@ -9,6 +9,7 @@ import type { Schema } from "express-validator";
 import { requestValidatorMiddleware } from "@src/middleware/requestValidator/middleware.js";
 import { ENVIRONMENT_MODE, EnvironmentMode } from "@src/config.js";
 import { logMessage } from "@src/lib/logger.js";
+import { logEvent } from "@src/lib/auditLogs.js";
 
 export const problemApiRoute = Router({
   mergeParams: true,
@@ -41,6 +42,7 @@ problemApiRoute.post(
   async (request: Request, response: Response) => {
     const formId = request.params.formId;
     const submissionName = request.params.submissionName;
+    const serviceUserId = request.serviceUserId;
 
     const contactEmail = request.body.contactEmail as string;
     const description = request.body.description as string;
@@ -63,7 +65,11 @@ problemApiRoute.post(
           "[local] Will not notify support about submission problem.",
         );
       }
-
+      logEvent(
+        serviceUserId,
+        { type: "Response", id: submissionName },
+        "IdentifyProblemResponse",
+      );
       return response.sendStatus(200);
     } catch (error) {
       if (error instanceof FormSubmissionNotFoundException) {