Fixes #539

Author: oharsta

server/src/main/java/invite/api/InvitationController.java

@@ -1,5 +1,6 @@
 package invite.api;
 
+import invite.audit.UserRoleAuditService;
 import invite.exception.InvitationEmailMatchingException;
 import invite.exception.InvitationExpiredException;
 import invite.exception.InvitationStatusException;
@@ -79,6 +80,7 @@ public class InvitationController implements InvitationResource {
     private final SecurityContextRepository securityContextRepository;
     private final SuperAdmin superAdmin;
     private final InvitationOperations invitationOperations;
+    private final UserRoleAuditService userRoleAuditService;
 
     public InvitationController(MailBox mailBox,
                                 Manage manage,
@@ -87,7 +89,7 @@ public InvitationController(MailBox mailBox,
                                 RoleRepository roleRepository,
                                 ProvisioningService provisioningService,
                                 SecurityContextRepository securityContextRepository,
-                                SuperAdmin superAdmin) {
+                                SuperAdmin superAdmin, UserRoleAuditService userRoleAuditService) {
         this.mailBox = mailBox;
         this.manage = manage;
         this.invitationRepository = invitationRepository;
@@ -97,6 +99,7 @@ public InvitationController(MailBox mailBox,
         this.securityContextRepository = securityContextRepository;
         this.superAdmin = superAdmin;
         this.invitationOperations = new InvitationOperations(this);
+        this.userRoleAuditService = userRoleAuditService;
     }
 
     @PostMapping("")
@@ -208,13 +211,19 @@ public ResponseEntity<Map<String, Object>> accept(@Validated @RequestBody Accept
                         Authority currentAuthority = userRole.getAuthority();
                         //Only act upon different authorities
                         if (!currentAuthority.equals(intendedAuthority)) {
+                            boolean userRoleChanged = false;
                             if (intendedAuthority.hasHigherRights(currentAuthority)) {
                                 userRole.setAuthority(intendedAuthority);
                                 userRole.setEndDate(invitation.getRoleExpiryDate());
+                                userRoleChanged = true;
                             }
                             if (currentAuthority.equals(Authority.GUEST) || intendedAuthority.equals(Authority.GUEST) ||
                                     invitation.isGuestRoleIncluded()) {
                                 userRole.setGuestRoleIncluded(true);
+                                userRoleChanged = true;
+                            }
+                            if (userRoleChanged) {
+                                userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.UPDATE);
                             }
                         }
                     } else {
@@ -245,6 +254,7 @@ public ResponseEntity<Map<String, Object>> accept(@Validated @RequestBody Accept
         }
         userRepository.save(user);
         AccessLogger.user(LOG, Event.Created, user);
+        newUserRoles.forEach(userRole -> userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.ADD));
 
         //Only interact with the provisioning service if there is a guest role
         boolean isGuest = user.getUserRoles().stream()

server/src/main/java/invite/api/UserRoleController.java

@@ -1,5 +1,6 @@
 package invite.api;
 
+import invite.audit.UserRoleAuditService;
 import invite.config.Config;
 import invite.exception.NotAllowedException;
 import invite.exception.NotFoundException;
@@ -58,17 +59,20 @@ public class UserRoleController implements UserRoleResource {
     private final ProvisioningService provisioningService;
     private final Config config;
     private final UserRoleOperations userRoleOperations;
+    private final UserRoleAuditService userRoleAuditService;
 
     public UserRoleController(UserRoleRepository userRoleRepository,
                               RoleRepository roleRepository,
                               UserRepository userRepository,
                               ProvisioningService provisioningService,
+                              UserRoleAuditService userRoleAuditService,
                               Config config) {
         this.userRoleRepository = userRoleRepository;
         this.roleRepository = roleRepository;
         this.userRepository = userRepository;
         this.provisioningService = provisioningService;
         this.config = config;
+        this.userRoleAuditService = userRoleAuditService;
         this.userRoleOperations = new UserRoleOperations(this);
     }
 
@@ -172,7 +176,8 @@ public ResponseEntity<User> userRoleProvisioning(@Validated @RequestBody UserRol
                                 : null)
                 .filter(Objects::nonNull)
                 .toList();
-
+        newUserRoles.stream().filter(userRole -> userRole.getId() == null)
+                .forEach(userRole -> this.userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.ADD));
         userRepository.save(user);
         AccessLogger.user(LOG, Event.Created, user);
 
@@ -194,6 +199,7 @@ public ResponseEntity<Map<String, Integer>> updateUserRoleExpirationDate(@Valida
         UserPermissions.assertValidInvitation(user, userRole.getAuthority(), List.of(userRole.getRole()));
         userRole.setEndDate(updateUserRole.getEndDate());
         userRoleRepository.save(userRole);
+        userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.UPDATE);
         //If there is a EVA provisioning, then update the account
         provisioningService.updateUserRoleRequest(userRole);
         return Results.createResult();
@@ -215,11 +221,13 @@ public ResponseEntity<Void> deleteUserRole(@PathVariable("id") Long id,
                 userRole.setAuthority(Authority.GUEST);
             }
             userRoleRepository.save(userRole);
+            userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.UPDATE);
             AccessLogger.userRole(LOG, Event.Updated, user, userRole);
 
         } else {
             provisioningService.updateGroupRequest(userRole, OperationType.Remove);
             provisioningService.deleteUserRoleRequest(userRole);
+            userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.DELETE);
             userRoleRepository.deleteUserRoleById(id);
             AccessLogger.userRole(LOG, Event.Deleted, user, userRole);
         }

server/src/main/java/invite/audit/UserRoleAuditService.java

@@ -0,0 +1,27 @@
+package invite.audit;
+
+import invite.model.UserRole;
+import invite.model.UserRoleAudit;
+import invite.repository.UserRoleAuditRepository;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Service;
+
+@Service
+public class UserRoleAuditService {
+
+    private final UserRoleAuditRepository userRoleAuditRepository;
+
+    public UserRoleAuditService(UserRoleAuditRepository userRoleAuditRepository) {
+        this.userRoleAuditRepository = userRoleAuditRepository;
+    }
+
+
+    public void logAction(UserRole userRole, UserRoleAudit.ActionType action) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        String authority = authentication != null ? authentication.getName() : "system";
+
+        UserRoleAudit audit = new UserRoleAudit(action, userRole, authority);
+        userRoleAuditRepository.save(audit);
+    }
+}

server/src/main/java/invite/model/UserRoleAudit.java

@@ -0,0 +1,69 @@
+package invite.model;
+
+import jakarta.persistence.*;
+import jakarta.validation.constraints.NotNull;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.time.Instant;
+
+@Entity(name = "user_roles_audit")
+@NoArgsConstructor
+@Getter
+@Setter
+public class UserRoleAudit {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "user_id", nullable = false)
+    private Long userId;
+
+    @Column(name = "user_email", nullable = false)
+    private String userEmail;
+
+    @Column(name = "role_id", nullable = false)
+    private Long roleId;
+
+    @Column(name = "role_name", nullable = false)
+    private String roleName;
+
+    @Column(name = "end_date")
+    private Instant endDate;
+
+    @Enumerated(EnumType.STRING)
+    @Column(name = "action", nullable = false)
+    private ActionType action;
+
+    @Enumerated(EnumType.STRING)
+    @Column
+    @NotNull
+    private Authority authority;
+
+    @Column(name = "created_at")
+    private Instant createdAt;
+
+    @Column(name = "created_by", nullable = false)
+    private String createdBy;
+
+    public UserRoleAudit(ActionType action, UserRole userRole, String createdBy) {
+        User user = userRole.getUser();
+        Role role = userRole.getRole();
+        this.userId = user.getId();
+        this.userEmail = user.getEmail();
+        this.roleId = role.getId();
+        this.roleName = role.getName();
+        this.endDate = userRole.getEndDate();
+        this.action = action;
+        this.authority = userRole.getAuthority();
+        this.createdAt = Instant.now();
+        this.createdBy = createdBy;
+    }
+
+    public enum ActionType {
+        ADD, DELETE, UPDATE
+    }
+
+}

server/src/main/java/invite/repository/UserRoleAuditRepository.java

@@ -0,0 +1,10 @@
+package invite.repository;
+
+import invite.model.UserRoleAudit;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface UserRoleAuditRepository extends JpaRepository<UserRoleAudit, Long> {
+
+}

server/src/main/java/invite/teams/TeamsController.java

@@ -1,6 +1,7 @@
 package invite.teams;
 
 import invite.api.Results;
+import invite.audit.UserRoleAuditService;
 import invite.exception.InvalidInputException;
 import invite.manage.Manage;
 import invite.model.Role;
@@ -43,19 +44,21 @@ public class TeamsController {
     private final ApplicationRepository applicationRepository;
     private final Manage manage;
     private final ProvisioningService provisioningService;
+    private final UserRoleAuditService userRoleAuditService;
 
     public TeamsController(RoleRepository roleRepository,
                            UserRepository userRepository,
                            UserRoleRepository userRoleRepository,
                            ApplicationRepository applicationRepository,
                            Manage manage,
-                           ProvisioningService provisioningService) {
+                           ProvisioningService provisioningService, UserRoleAuditService userRoleAuditService) {
         this.roleRepository = roleRepository;
         this.userRepository = userRepository;
         this.userRoleRepository = userRoleRepository;
         this.applicationRepository = applicationRepository;
         this.manage = manage;
         this.provisioningService = provisioningService;
+        this.userRoleAuditService = userRoleAuditService;
     }
 
     @PutMapping("")
@@ -156,6 +159,7 @@ private void provision(Role role, Membership membership) {
         boolean guestRoleIncluded = teamsRole.equals(invite.teams.Role.ADMIN) || teamsRole.equals(invite.teams.Role.MANAGER);
         userRole.setGuestRoleIncluded(guestRoleIncluded);
         userRole = userRoleRepository.save(userRole);
+        userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.ADD);
 
         provisioningService.updateGroupRequest(userRole, OperationType.Add);
     }

server/src/main/resources/db/mysql/migration/V46_0__user_role_audit.sql

@@ -0,0 +1,15 @@
+CREATE TABLE user_roles_audit
+(
+    id         BIGINT AUTO_INCREMENT PRIMARY KEY,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    user_id    BIGINT       NOT NULL,
+    user_email VARCHAR(255) NOT NULL,
+    role_id    BIGINT       NOT NULL,
+    role_name  VARCHAR(255) NOT NULL,
+    end_date   DATETIME DEFAULT NULL,
+    action     VARCHAR(255) NOT NULL,
+    authority  VARCHAR(255) NOT NULL,
+    created_by varchar(255) NOT NULL
+) ENGINE = InnoDB
+  AUTO_INCREMENT = 1
+  DEFAULT CHARSET = utf8mb4;