apitech
/
Rocket.Chat
mirror of https://github.com/RocketChat/Rocket.Chat
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The communications platform that puts data protection first.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28658 Commits
706 Branches
1176 Tags
2.1 GiB
 
 
 
 
 
Tag: Branch: Tree: develop
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'develop'
${ noResults }
Rocket.Chat/apps/meteor/server/lib/auditServerEvents/userChanged.ts

168 lines
4.7 KiB
Raw Permalink Blame History

import type { IAuditServerUserActor, IServerEvents, ExtractDataToParams, IUser } from '@rocket.chat/core-typings';
import { ServerEvents } from '@rocket.chat/models';
import type { UpdateFilter } from 'mongodb';
const userKeysToObfuscate = ['authorizedClients', 'e2e', 'inviteToken', 'oauth'];
const nestableKeysToObfuscate = ['services', 'password', 'bcrypt']; // ex: services.password.bcrypt
const obfuscateServices = (services: Record<string, any>): Record<string, any> => {
return Object.fromEntries(
Object.keys(services).map((key) => {
// Email 2FA is okay, only tells if it's enabled
if (key === 'email2fa') {
return [key, services[key]];
}
return [key, '****'];
}),
);
};
export class UserChangedAuditStore {
private originalUser: Partial<IUser> | undefined;
private updateFilter: UpdateFilter<IUser> | undefined;
private actor: IAuditServerUserActor;
constructor(actor: Omit<IAuditServerUserActor, 'type'>, type: IAuditServerUserActor['type'] = 'user') {
this.actor = { ...actor, type };
}
public setOriginalUser(user: Partial<IUser>) {
this.originalUser = user;
}
public setUpdateFilter(updateFilter: UpdateFilter<IUser>) {
this.updateFilter = Object.fromEntries(
Object.entries(updateFilter).map(([key, value]) => {
const obfuscatedValue = Object.entries(value).reduce((acc, [k, v]) => {
if (userKeysToObfuscate.includes(k)) {
return {
...acc,
[k]: '****',
};
}
// In case all services are set at once, we need to obfuscate them
if (k === 'services') {
return {
...acc,
[k]: obfuscateServices(v as Record<string, any>),
};
}
if (nestableKeysToObfuscate.some((key) => k.includes(key))) {
return {
...acc,
[k]: '****',
};
}
return { ...acc, [k]: v };
}, {});
return [key, obfuscatedValue];
}),
);
}
private filterUserChangedProperties(originalUser: Partial<IUser>, updateFilter: UpdateFilter<IUser>): Partial<IUser> {
if (Object.keys(updateFilter).length === 0) {
return {};
}
// extract keys from updateFilter (keys are nested in $set, $unset, $inc, etc)
const updateFilterKeys: string[] = Object.values(updateFilter).reduce((acc, current) => {
const keys = Object.keys(current);
if (keys.length === 0) {
return acc;
}
return [...acc, ...keys];
}, []);
return Object.entries(originalUser).reduce((acc, [key, value]) => {
if (!updateFilterKeys.some((k) => k.includes(key))) {
return acc;
}
if (userKeysToObfuscate.includes(key)) {
return {
...acc,
[key]: '****',
};
}
if (key === 'services') {
// In case all services are set at once we should
// obfuscate all user services, because they'll all change
if (updateFilterKeys.some((k) => k === 'services')) {
return {
...acc,
[key]: obfuscateServices(value as Record<string, any>),
};
}
const changedNestedServices = updateFilterKeys
.filter((k) => k.includes(key) && k.includes('.'))
.map((serviceKey) => {
// service key can be nested with dot notation
// ex: services.password.bcrypt
const serviceKeyParts = serviceKey.split('.');
return [serviceKeyParts[1], value[serviceKey as keyof typeof value]];
})
.filter(Boolean);
if (!changedNestedServices.length) {
return acc;
}
return {
...acc,
[key]: obfuscateServices(Object.fromEntries(changedNestedServices) as Record<string, any>),
};
}
return {
...acc,
[key]: value,
};
}, {});
}
private getEventData(
originalUser: Partial<IUser>,
updateFilter: UpdateFilter<IUser>,
): ExtractDataToParams<IServerEvents['user.changed']> {
const userData = this.filterUserChangedProperties(originalUser, updateFilter);
return {
user: { _id: originalUser._id || '', username: originalUser.username },
user_data: userData,
operation: updateFilter,
};
}
private buildEvent(): ['user.changed', ExtractDataToParams<IServerEvents['user.changed']>, IAuditServerUserActor] {
if (!this.updateFilter) {
throw new Error('UserChangedAuditStore - Updater is undefined');
}
if (!this.originalUser) {
throw new Error('UserChangedAuditStore - OriginalUser is undefined');
}
const eventData = this.getEventData(this.originalUser, this.updateFilter);
if (Object.keys(eventData.user_data).length === 0 || Object.keys(eventData.operation).length === 0) {
// UpdaterImpl throws an error when trying to build the filter if no changes are detected
// so we should never get here
throw new Error('UserChangedAuditStore - No changes detected');
}
return ['user.changed', eventData, this.actor];
}
public async commitAuditEvent() {
const event = this.buildEvent();
return ServerEvents.createAuditServerEvent(...event);
}
}