Merge pull request #82 from Virtual-Finland-Development/feat/db-auditlogs

Audit logs using postgresql triggers

Author: lsipii

Docs/README.adminfunction.md

@@ -33,6 +33,9 @@ dotnet run --project ./VirtualFinland.UsersAPI.AdminFunction.CLI migrate
 - `migrate` - runs the database migrations
   - lambda function payload: `{"Action": "Migrate"}`
   - cli command: `dotnet run --project ./VirtualFinland.UsersAPI.AdminFunction.CLI migrate`
+- `initialize-database-audit-log-triggers` - initializes the database audit logging triggers
+  - lambda function payload: `{"Action": "InitializeDatabaseAuditLogTriggers"}`
+  - cli command: `dotnet run --project ./VirtualFinland.UsersAPI.AdminFunction.CLI initialize-database-audit-log-triggers`
 - `initialize-database-user` - setup the application-level user credentials to the database
   - lambda function payload: `{"Action": "InitializeDatabaseUser", "data": "{\"Username\": \"appuser\", \"Password\": \"pass\"}"}`
   - cli command: `DATABASE_USER=appuser DATABASE_PASSWORD=pass dotnet run --project ./VirtualFinland.UsersAPI.AdminFunction.CLI initialize-database-user`

Docs/README.deployment.md

@@ -20,3 +20,12 @@ Deployment to a fresh environment requires the following steps to be performed i
     - Select the tab "Test"
     - Add a new test event with the following content: `{"Action": "Migrate"}`
     - Click "Test" button and wait for the execution to finish
+
+## Deployment on existing environment
+ 
+Pulumi does not have good tooling to handle attaching to existing resources such as AWS CloudWatch log groups. When deploying to a system where there are already resources created, one could tackle the problem by manually importing the resources to the pulumi state. 
+
+Example for importing a CloudWatch log group of a RDS instance:
+  - `pulumi import aws:cloudwatch/logGroup:LogGroup users-api-database-dev /aws/rds/instance/users-api-postgres-db-dev2313s/postgresql`
+
+Read more of the pulumi import-tooling from [here](https://www.pulumi.com/docs/cli/commands/pulumi_import/).

Makefile

@@ -25,6 +25,8 @@ packages: test
 	dotnet lambda package --project-location ./VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI --output-package ./build-artifacts/VirtualFinland.UsersAPI.zip
 	@echo "> Building and packaging deployment package for the admin functions"
 	dotnet lambda package --project-location ./VirtualFinland.UsersAPI.AdminFunction --output-package ./build-artifacts/VirtualFinland.UsersAPI.AdminFunction.zip
+	@echo "> Building and packaging deployment package for the audit log subscription function"
+	dotnet lambda package --project-location ./VirtualFinland.UsersAPI.AuditLogSubscription --output-package ./build-artifacts/VirtualFinland.UsersAPI.AuditLogSubscription.zip
 
 deploy: packages
 	pulumi -C ./VirtualFinland.UsersAPI.Deployment up

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Identity/IdentityController.cs

@@ -1,10 +1,8 @@
-using System.Security.Claims;
 using MediatR;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Swashbuckle.AspNetCore.Annotations;
 using VirtualFinland.UserAPI.Activities.Identity.Operations;
-using VirtualFinland.UserAPI.Helpers;
 
 namespace VirtualFinland.UserAPI.Activities.Identity;
 
@@ -25,15 +23,13 @@ public IdentityController(IMediator mediator)
     [SwaggerOperation(Summary = "Verifies the existence of a user that was identified by an external identity provider.",
         Description =
             "Given the access token from an external identity provider, the operation tries to find if the user exists in the system database and creates the user into the system. Notice: The user can't access the API other paths without being created into the system with this call.")]
-    [ProducesResponseType(typeof(VerifyIdentityUser.User), StatusCodes.Status200OK)]
+    [ProducesResponseType(typeof(VerifyIdentityPerson.User), StatusCodes.Status200OK)]
     [ProducesErrorResponseType(typeof(ProblemDetails))]
-    public async Task<IActionResult> VerifyIdentityUser()
+    public async Task<IActionResult> VerifyIdentityPerson()
     {
         var user = await _mediator.Send(
-            new VerifyIdentityUser.Query(
-                this.User.FindFirst(ClaimTypes.NameIdentifier)?.Value ??
-                this.User.FindFirst(Constants.Web.ClaimUserId)?.Value,
-                this.User.Claims.First().Issuer
+            new VerifyIdentityPerson.Query(
+                HttpContext
             )
         );
 

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Identity/Operations/VerifyIdentityPerson.cs

@@ -0,0 +1,43 @@
+using MediatR;
+using Swashbuckle.AspNetCore.Annotations;
+using VirtualFinland.UserAPI.Helpers.Extensions;
+using VirtualFinland.UserAPI.Helpers.Services;
+using VirtualFinland.UserAPI.Security.Models;
+
+namespace VirtualFinland.UserAPI.Activities.Identity.Operations;
+
+public static class VerifyIdentityPerson
+{
+    [SwaggerSchema(Title = "TestbedIdentityUserRequest")]
+    public class Query : IRequest<User>
+    {
+        public Query(HttpContext context)
+        {
+            Context = context;
+        }
+
+        public HttpContext Context { get; }
+    }
+
+    public class Handler : IRequestHandler<Query, User>
+    {
+        private readonly AuthenticationService _authenticationService;
+        private readonly ILogger<Handler> _logger;
+
+        public Handler(AuthenticationService authenticationService, ILogger<Handler> logger)
+        {
+            _authenticationService = authenticationService;
+            _logger = logger;
+        }
+
+        public async Task<User> Handle(Query request, CancellationToken cancellationToken)
+        {
+            var person = await _authenticationService.AuthenticateAndGetOrRegisterAndGetPerson(request.Context, cancellationToken);
+            _logger.LogAuditLogEvent(AuditLogEvent.Read, "Identity", request.Context.Items["User"] as RequestAuthenticatedUser ?? throw new Exception("Unknown error occurred on verifying identity"));
+            return new User(person.Id, person.Created, person.Modified);
+        }
+    }
+
+    [SwaggerSchema(Title = "TestbedIdentityUserResponse")]
+    public record User(Guid Id, DateTime Created, DateTime Modified);
+}

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Identity/Operations/VerifyIdentityUser.cs

@@ -2,36 +2,38 @@
 using Microsoft.EntityFrameworkCore;
 using Swashbuckle.AspNetCore.Annotations;
 using VirtualFinland.UserAPI.Data;
-using VirtualFinland.UserAPI.Helpers.Swagger;
+using VirtualFinland.UserAPI.Helpers;
+using VirtualFinland.UserAPI.Helpers.Extensions;
+using VirtualFinland.UserAPI.Security.Models;
 
 namespace VirtualFinland.UserAPI.Activities.Productizer.Operations.BasicInformation;
 
 public static class GetPersonBasicInformation
 {
     [SwaggerSchema(Title = "GetPersonBasicInformationRequest")]
-    public class Query : IRequest<GetPersonBasicInformationResponse>
+    public class Query : AuthenticatedRequest<GetPersonBasicInformationResponse>
     {
-        public Query(Guid? userId)
+        public Query(RequestAuthenticatedUser RequestAuthenticatedUser) : base(RequestAuthenticatedUser)
         {
-            UserId = userId;
         }
-
-        [SwaggerIgnore]
-        public Guid? UserId { get; }
     }
 
     public class Handler : IRequestHandler<Query, GetPersonBasicInformationResponse>
     {
         private readonly UsersDbContext _context;
+        private readonly ILogger<Handler> _logger;
 
-        public Handler(UsersDbContext context)
+        public Handler(UsersDbContext context, ILogger<Handler> logger)
         {
             _context = context;
+            _logger = logger;
         }
 
         public async Task<GetPersonBasicInformationResponse> Handle(Query request, CancellationToken cancellationToken)
         {
-            var person = await _context.Persons.SingleAsync(p => p.Id == request.UserId, cancellationToken);
+            var person = await _context.Persons.SingleAsync(p => p.Id == request.User.PersonId, cancellationToken);
+
+            _logger.LogAuditLogEvent(AuditLogEvent.Read, "Person", request.User);
 
             return new GetPersonBasicInformationResponse(
                 person.GivenName,

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Productizer/Operations/BasicInformation/GetPersonBasicInformation.cs

@@ -3,13 +3,15 @@
 using Swashbuckle.AspNetCore.Annotations;
 using VirtualFinland.UserAPI.Data;
 using VirtualFinland.UserAPI.Exceptions;
-using VirtualFinland.UserAPI.Helpers.Swagger;
+using VirtualFinland.UserAPI.Helpers;
+using VirtualFinland.UserAPI.Helpers.Extensions;
+using VirtualFinland.UserAPI.Security.Models;
 
 namespace VirtualFinland.UserAPI.Activities.Productizer.Operations.BasicInformation;
 
 public static class UpdatePersonBasicInformation
 {
-    public class Command : IRequest<UpdatePersonBasicInformationResponse>
+    public class Command : AuthenticatedRequest<UpdatePersonBasicInformationResponse>
     {
         public Command(string? givenName, string? lastName, string email, string? phoneNumber, string residency)
         {
@@ -20,34 +22,28 @@ public Command(string? givenName, string? lastName, string email, string? phoneN
             Residency = residency;
         }
 
-        [SwaggerIgnore]
-        public Guid? UserId { get; set; }
-
         public string? GivenName { get; }
         public string? LastName { get; }
         public string Email { get; }
         public string? PhoneNumber { get; }
         public string? Residency { get; }
-
-        public void SetAuth(Guid? userDatabaseId)
-        {
-            UserId = userDatabaseId;
-        }
     }
 
     public class Handler : IRequestHandler<Command, UpdatePersonBasicInformationResponse>
     {
         private readonly UsersDbContext _context;
+        private readonly ILogger<Handler> _logger;
 
-        public Handler(UsersDbContext context)
+        public Handler(UsersDbContext context, ILogger<Handler> logger)
         {
             _context = context;
+            _logger = logger;
         }
 
         public async Task<UpdatePersonBasicInformationResponse> Handle(Command request,
             CancellationToken cancellationToken)
         {
-            var person = await _context.Persons.SingleAsync(p => p.Id == request.UserId, cancellationToken);
+            var person = await _context.Persons.SingleAsync(p => p.Id == request.User.PersonId, cancellationToken);
 
             person.GivenName = request.GivenName ?? person.GivenName;
             person.LastName = request.LastName ?? person.LastName;
@@ -57,13 +53,14 @@ public async Task<UpdatePersonBasicInformationResponse> Handle(Command request,
 
             try
             {
-                await _context.SaveChangesAsync(cancellationToken);
+                await _context.SaveChangesAsync(request.User, cancellationToken);
             }
             catch (DbUpdateException e)
             {
                 throw new BadRequestException(e.InnerException?.Message ?? e.Message);
             }
 
+            _logger.LogAuditLogEvent(AuditLogEvent.Update, "Person", request.User);
 
             return new UpdatePersonBasicInformationResponse
             (

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Productizer/Operations/BasicInformation/UpdatePersonBasicInformation.cs

@@ -4,30 +4,29 @@
 using Swashbuckle.AspNetCore.Annotations;
 using VirtualFinland.UserAPI.Data;
 using VirtualFinland.UserAPI.Helpers;
-using VirtualFinland.UserAPI.Helpers.Swagger;
+using VirtualFinland.UserAPI.Helpers.Extensions;
+using VirtualFinland.UserAPI.Security.Models;
 
 namespace VirtualFinland.UserAPI.Activities.Productizer.Operations.JobApplicantProfile;
 
 public static class GetJobApplicantProfile
 {
-    public class Query : IRequest<PersonJobApplicantProfileResponse>
+    public class Query : AuthenticatedRequest<PersonJobApplicantProfileResponse>
     {
-        public Query(Guid? personId)
+        public Query(RequestAuthenticatedUser RequestAuthenticatedUser) : base(RequestAuthenticatedUser)
         {
-            PersonId = personId;
         }
-
-        [SwaggerIgnore]
-        public Guid? PersonId { get; }
     }
 
     public class Handler : IRequestHandler<Query, PersonJobApplicantProfileResponse>
     {
         private readonly UsersDbContext _context;
+        private readonly ILogger<Handler> _logger;
 
-        public Handler(UsersDbContext context)
+        public Handler(UsersDbContext context, ILogger<Handler> logger)
         {
             _context = context;
+            _logger = logger;
         }
 
         public async Task<PersonJobApplicantProfileResponse> Handle(Query request, CancellationToken cancellationToken)
@@ -40,7 +39,9 @@ public async Task<PersonJobApplicantProfileResponse> Handle(Query request, Cance
                 .Include(p => p.Certifications)
                 .Include(p => p.Permits)
                 .Include(p => p.WorkPreferences)
-                .SingleAsync(p => p.Id == request.PersonId, cancellationToken);
+                .SingleAsync(p => p.Id == request.User.PersonId, cancellationToken);
+
+            _logger.LogAuditLogEvent(AuditLogEvent.Read, "JobApplicantProfile", request.User);
 
             return new PersonJobApplicantProfileResponse
             {