mirror of
https://github.com/coder/coder.git
synced 2026-06-04 21:48:22 +00:00
Emit user secret audit log entries for create/update/delete operations.
Reads stay un-audited, matching every other resource.
Audit log entries record changes in user secret name, environment
variable name, file path, and value. The secret value column is marked
`ActionSecret` so the diff records the change without showing the
ciphertext or plaintext.
Closes a TOCTOU window on delete to ensure no phantom audit logs for a
delete of a non-existent secret. Secret update accepts a small TOCTOU
window matching the other audited resources (templates, workspaces,
chats). The two-query pattern is wrapped in a transaction so audit state
can't leak from a failed mutation.
(cherry picked from commit 1c30d52b2b)
<!--
If you have used AI to produce some or all of this PR, please ensure you
have read our [AI Contribution
guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING)
before submitting.
-->
Co-authored-by: Zach <3724288+zedkipp@users.noreply.github.com>
This commit is contained in:
Cian Johnston
Generated
+2
-1
@@ -526,7 +526,8 @@ CREATE TYPE resource_type AS ENUM (
|
||||
'prebuilds_settings',
|
||||
'task',
|
||||
'ai_seat',
|
||||
'chat'
|
||||
'chat',
|
||||
'user_secret'
|
||||
);
|
||||
|
||||
CREATE TYPE shareable_workspace_owners AS ENUM (
|
||||
|
||||
Reference in New Issue
Block a user