Organizations: show audit logs

Author: stsewd

readthedocs/audit/filters.py

@@ -21,4 +21,18 @@ class UserSecurityLogFilter(FilterSet):
 
     class Meta:
         model = AuditLog
-        fields = ['ip', 'project', 'action']
+        fields = []
+
+
+class OrganizationSecurityLogFilter(UserSecurityLogFilter):
+
+    action = ChoiceFilter(
+        field_name='action',
+        lookup_expr='exact',
+        choices=[
+            (AuditLog.AUTHN, _('Authentication success')),
+            (AuditLog.AUTHN_FAILURE, _('Authentication failure')),
+            (AuditLog.PAGEVIEW, _('Page view')),
+        ],
+    )
+    user = CharFilter(field_name='log_user_username', lookup_expr='exact')

readthedocs/audit/models.py

@@ -190,5 +190,16 @@ def save(self, **kwargs):
                 self.log_organization_slug = organization.slug
         super().save(**kwargs)
 
+    def auth_backend_display(self):
+        backend = self.auth_backend or ''
+        backend_displays = {
+            'TemporaryAccessTokenBackend': _('shared link'),
+            'TemporaryAccessPasswordBackend': _('shared password'),
+        }
+        for name, display in backend_displays.items():
+            if name in backend:
+                return display
+        return ''
+
     def __str__(self):
         return self.action

readthedocs/audit/templates/audit/list_logs.html

@@ -0,0 +1,78 @@
+{% load i18n %}
+
+<div class="module-list">
+  <div class="module-list-wrapper">
+    <ul>
+      {% for log in object_list %}
+      <li class="module-item">
+        {% if log.action == AuditLog.AUTHN %}
+          {% if omit_user %}
+            {% blocktrans trimmed with action=log.action method=log.auth_backend_display %}
+              <a href="?action={{ action }}" title="{{ method }}">Authenticated</a>
+            {% endblocktrans %}
+          {% elif log.log_user_id %}
+            {% blocktrans trimmed with action=log.action user=log.log_user_username method=log.auth_backend_display %}
+              <a href="?user={{ user }}">
+                <code>{{ user }}</code>
+              </a>
+              <a href="?action={{ action }}" title="{{ method }}">authenticated</a>
+            {% endblocktrans %}
+          {% else %}
+            {% blocktrans trimmed with action=log.action method=log.auth_backend_display %}
+              User <a href="?action={{ action }}" title="{{ method }}">authenticated</a>
+            {% endblocktrans %}
+          {% endif %}
+        {% elif log.action == AuditLog.AUTHN_FAILURE %}
+          {% blocktrans trimmed with action=log.action method=log.auth_backend_display %}
+            <a href="?action={{ action }}" title="{{ method }}">Authentication attempt</a>
+          {% endblocktrans %}
+        {% elif log.action == AuditLog.PAGEVIEW %}
+          {% if log.log_user_id %}
+            {% blocktrans trimmed with action=log.action user=log.log_user_username path=log.resource %}
+              <a href="?user={{ user }}">
+                <code>{{ user }}</code>
+              </a>
+              <a href="?action={{ action }}" title="{{ path }}">visited</a> a page
+            {% endblocktrans %}
+          {% else %}
+            {% blocktrans trimmed with action=log.action user=log.log_user_username path=log.resource %}
+              A user <a href="?action={{ action }}" title="{{ path }}">visited</a> a page
+            {% endblocktrans %}
+          {% endif %}
+        {% endif %}
+
+        {% trans "from" %}
+
+        <a href="?ip={{ log.ip }}" title="{{ log.browser }}">
+          <code>{{ log.ip }}</code>
+        </a>
+
+        {# If the authentication was on a doc domain. #}
+        {% if log.log_project_id %}
+          {% trans "on" %}
+          {% if log.project %}
+            <a href="{% url 'projects_detail' log.log_project_slug %}">
+              <code>{{ log.log_project_slug }}</code>
+            </a>
+          {% else %}
+            {# The original project has been deleted, don't link to it. #}
+            <code title="{{ log.resource }}">{{ log.log_project_slug }}</code>
+          {% endif %}
+        {% endif %}
+
+        <span class="quiet right" title="{{ log.created|date:"DATETIME_FORMAT" }}">
+          {% blocktrans trimmed with log.created|timesince as date %}
+            {{ date }} ago
+          {% endblocktrans %}
+        </span>
+      </li>
+      {% empty %}
+      <li class="module-item">
+        <p class="quiet">
+          {% trans 'No activity logged yet' %}
+        </p>
+      </li>
+      {% endfor %}
+    </ul>
+  </div>
+</div>

readthedocs/organizations/templates/organizations/admin/base.html

@@ -11,6 +11,7 @@
       <ul>
         <li class="{% block organization-admin-details %}{% endblock %}"><a href="{% url 'organization_edit' organization.slug %}">{% trans "Details" %}</a></li>
         <li class="{% block organization-admin-owners %}{% endblock %}"><a href="{% url 'organization_owners' organization.slug %}">{% trans "Owners" %}</a></li>
+        <li class="{% block organization-admin-security-log %}{% endblock %}"><a href="{% url 'organization_security_log' organization.slug %}">{% trans "Security Log" %}</a></li>
       </ul>
       <div>
         <h2>{% block edit_content_header %}{% endblock %}</h2>

readthedocs/organizations/templates/organizations/security_log.html

@@ -0,0 +1,37 @@
+{% extends "organizations/admin/base.html" %}
+
+{% load i18n %}
+{% load pagination_tags %}
+
+{% block title %}{% trans "Security Log" %}{% endblock %}
+
+{% block organization-admin-security-log %}active{% endblock %}
+
+{% block edit_content_header %} {% trans "Security Log" %} {% endblock %}
+
+{% block edit_content %}
+
+{% if not enabled %}
+  {% include 'projects/includes/feature_disabled.html' with organization=organization %}
+{% elif days_limit and days_limit > 0 %}
+  <p>
+    {% blocktrans trimmed with days_limit as days_limit %}
+      Showing logs from the last {{ days_limit }} days.
+    {% endblocktrans %}
+  </p>
+{% else %}
+  <p>{% trans "Showing logs from all time." %}</p>
+{% endif %}
+</p>
+
+{% autopaginate object_list 15 %}
+
+<div class="module">
+  <form method="get">
+    <button type="submit" name="download" value="true">{% trans "Download all data" %}</button>
+  </form>
+
+  {% include "audit/list_logs.html" with omit_user=False %}
+</div>
+{% paginate %}
+{% endblock %}

readthedocs/organizations/urls/private.py

@@ -24,6 +24,11 @@
         views.DeleteOrganization.as_view(),
         name='organization_delete',
     ),
+    url(
+        r'^(?P<slug>[\w.-]+)/security-log/$',
+        views.OrganizationSecurityLog.as_view(),
+        name='organization_security_log',
+    ),
     # Owners
     url(
         r'^(?P<slug>[\w.-]+)/owners/(?P<owner>\d+)/delete/$',

readthedocs/organizations/views/private.py

@@ -1,23 +1,31 @@
 """Views that require login."""
 # pylint: disable=too-many-ancestors
+
+from django.conf import settings
 from django.contrib import messages
 from django.urls import reverse_lazy
+from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from vanilla import CreateView, DeleteView, ListView, UpdateView
 
+from readthedocs.audit.filters import OrganizationSecurityLogFilter
+from readthedocs.audit.models import AuditLog
 from readthedocs.core.history import UpdateChangeReasonPostView
 from readthedocs.core.mixins import PrivateViewMixin
+from readthedocs.core.utils.extend import SettingsOverrideObject
 from readthedocs.organizations.forms import (
     OrganizationSignupForm,
     OrganizationTeamProjectForm,
 )
 from readthedocs.organizations.models import Organization
 from readthedocs.organizations.views.base import (
+    OrganizationMixin,
     OrganizationOwnerView,
     OrganizationTeamMemberView,
     OrganizationTeamView,
     OrganizationView,
 )
+from readthedocs.projects.utils import get_csv_file
 
 
 # Organization views
@@ -160,3 +168,99 @@ def post(self, request, *args, **kwargs):
         resp = super().post(request, *args, **kwargs)
         messages.success(self.request, self.success_message)
         return resp
+
+
+class OrganizationSecurityLogBase(PrivateViewMixin, OrganizationMixin, ListView):
+
+    """Display security logs related to this organization."""
+
+    model = AuditLog
+    template_name = 'organizations/security_log.html'
+
+    def get(self, request, *args, **kwargs):
+        download_data = request.GET.get('download', False)
+        if download_data:
+            return self._get_csv_data()
+        return super().get(request, *args, **kwargs)
+
+    def _get_csv_data(self):
+        organization = self.get_organization()
+        now = timezone.now().date()
+        retention_limit = self._get_retention_days_limit(organization)
+        if retention_limit in [None, -1]:
+            # Unlimited.
+            days_ago = organization.pub_date.date()
+        else:
+            days_ago = now - timezone.timedelta(days=retention_limit)
+
+        values = [
+            ('Date', 'created'),
+            ('User', 'log_user_username'),
+            ('Project', 'log_project_slug'),
+            ('Organization', 'log_organization_slug'),
+            ('Action', 'action'),
+            ('Resource', 'resource'),
+            ('IP', 'ip'),
+            ('Browser', 'browser'),
+        ]
+        data = self._get_queryset().values_list(*[value for _, value in values])
+        csv_data = [
+            [timezone.datetime.strftime(date, '%Y-%m-%d %H:%M:%S'), *rest]
+            for date, *rest in data
+        ]
+        csv_data.insert(0, [header for header, _ in values])
+        filename = 'readthedocs_organization_security_logs_{organization}_{start}_{end}.csv'.format(
+            organization=organization.slug,
+            start=timezone.datetime.strftime(days_ago, '%Y-%m-%d'),
+            end=timezone.datetime.strftime(now, '%Y-%m-%d'),
+        )
+        return get_csv_file(filename=filename, csv_data=csv_data)
+
+    def get_context_data(self, **kwargs):
+        organization = self.get_organization()
+        context = super().get_context_data(**kwargs)
+        context['enabled'] = self._is_enabled(organization)
+        context['days_limit'] = self._get_retention_days_limit(organization)
+        context['filter'] = self.filter
+        context['AuditLog'] = AuditLog
+        return context
+
+    def _get_queryset(self):
+        organization = self.get_organization()
+        if not self._is_enabled(organization):
+            return AuditLog.objects.none()
+
+        retention_limit = self._get_retention_days_limit(organization)
+        if retention_limit in [None, -1]:
+            # Unlimited.
+            days_ago = organization.pub_date.date()
+        else:
+            days_ago = timezone.now() - timezone.timedelta(days=retention_limit)
+        queryset = AuditLog.objects.filter(
+            log_organization_id=organization.id,
+            action__in=[AuditLog.AUTHN, AuditLog.AUTHN_FAILURE, AuditLog.PAGEVIEW],
+            created__gte=days_ago,
+        )
+        return queryset
+
+    def get_queryset(self):
+        queryset = self._get_queryset()
+        # Set filter on self, so we can use it in the context.
+        # Without executing it twice.
+        self.filter = OrganizationSecurityLogFilter(
+            self.request.GET,
+            queryset=queryset,
+        )
+        return self.filter.qs
+
+    def _get_retention_days_limit(self, organization):
+        """From how many days we need to show data for this project?"""
+        return settings.RTD_AUDITLOGS_DEFAULT_RETENTION_DAYS
+
+    def _is_enabled(self, organization):
+        """Should we show audit logs for this organization?"""
+        return True
+
+
+class OrganizationSecurityLog(SettingsOverrideObject):
+    _default_class = OrganizationSecurityLogBase

readthedocs/projects/views/private.py

@@ -13,7 +13,7 @@
 from django.utils import timezone
 from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext_lazy as _
-from django.views.generic import ListView, TemplateView, View
+from django.views.generic import ListView, TemplateView
 from formtools.wizard.views import SessionWizardView
 from vanilla import (
     CreateView,
@@ -35,7 +35,6 @@
 )
 from readthedocs.core.history import UpdateChangeReasonPostView
 from readthedocs.core.mixins import ListViewWithForm, PrivateViewMixin
-from readthedocs.core.utils import trigger_build
 from readthedocs.core.utils.extend import SettingsOverrideObject
 from readthedocs.integrations.models import HttpExchange, Integration
 from readthedocs.oauth.services import registry

readthedocs/templates/profiles/private/security_log.html

@@ -24,56 +24,7 @@
     <button type="submit" name="download" value="true">{% trans "Download all data" %}</button>
   </form>
 
-  <div class="module-list">
-    <div class="module-list-wrapper">
-      <ul>
-        {% for log in object_list %}
-        <li class="module-item">
-          {% if log.action == AuditLog.AUTHN %}
-            {% blocktrans trimmed with action=AuditLog.AUTHN%}
-            <a href="?action={{ action }}">Authenticated</a>
-            {% endblocktrans %}
-          {% elif log.action == AuditLog.AUTHN_FAILURE %}
-            {% blocktrans trimmed with action=AuditLog.AUTHN_FAILURE %}
-            <a href="?action={{ action }}">Authentication attempt</a>
-            {% endblocktrans %}
-          {% endif %}
-
-          {% trans "from" %}
-
-          <a href="?ip={{ log.ip }}" title="{{ log.browser }}">
-            <code>{{ log.ip }}</code>
-          </a>
-
-          {# If the authentication was on a doc domain. #}
-          {% if log.log_project_id %}
-            {% trans "on" %}
-            {% if log.project %}
-              <a href="{% url 'projects_detail' log.log_project_slug %}">
-                <code>{{ log.log_project_slug }}</code>
-              </a>
-            {% else %}
-              {# The original project has been deleted, don't link to it. #}
-              <code>{{ log.log_project_slug }}</code>
-            {% endif %}
-          {% endif %}
-
-          <span class="quiet right" title="{{ log.created|date:"DATETIME_FORMAT" }}">
-            {% blocktrans trimmed with log.created|timesince as date %}
-            {{ date }} ago
-            {% endblocktrans %}
-          </span>
-        </li>
-        {% empty %}
-        <li class="module-item">
-          <p class="quiet">
-          {% trans 'No authentication attempts logged yet' %}
-          </p>
-        </li>
-        {% endfor %}
-      </ul>
-    </div>
-  </div>
+  {% include "audit/list_logs.html" with omit_user=True %}
 </div>
 {% paginate %}
 {% endblock %}