Integrated code lifecycle: Add access log for repositories

src/main/java/de/tum/in/www1/artemis/domain/vcstokens/AuthenticationMechanism.java

@@ -0,0 +1,20 @@
+package de.tum.in.www1.artemis.domain.vcstokens;
+
+public enum AuthenticationMechanism {
+    /**
+     * The user used password to authenticate to the LocalVC
+     */
+    PASSWORD,
+    /**
+     * The user used the participation+user token to authenticate to the LocalVC
+     */
+    PARTICIPATION_VCS_ACCESS_TOKEN,
+    /**
+     * The user used the user token to authenticate to the LocalVC
+     */
+    USER_VCS_ACCESS_TOKEN,
+    /**
+     * The user used SSH user token to authenticate to the LocalVC
+     */
+    SSH
+}

src/main/java/de/tum/in/www1/artemis/domain/vcstokens/VcsAccessLog.java

@@ -0,0 +1,75 @@
+package de.tum.in.www1.artemis.domain.vcstokens;
+
+import java.time.ZonedDateTime;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+
+import org.hibernate.annotations.Cache;
+import org.hibernate.annotations.CacheConcurrencyStrategy;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import de.tum.in.www1.artemis.domain.DomainObject;
+import de.tum.in.www1.artemis.domain.User;
+import de.tum.in.www1.artemis.domain.participation.Participation;
+import de.tum.in.www1.artemis.web.rest.repository.RepositoryActionType;
+
+/**
+ * A Vcs access log entry.
+ */
+@Entity
+@Table(name = "vcs_access_log")
+@Cache(usage = CacheConcurrencyStrategy.NONSTRICT_READ_WRITE)
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
+public class VcsAccessLog extends DomainObject {
+
+    @ManyToOne
+    private User user;
+
+    @ManyToOne
+    private Participation participation;
+
+    @Column(name = "name")
+    private String name;
+
+    @Column(name = "email")
+    private String email;
+
+    @Column(name = "repository_action_type", nullable = false)
+    @Enumerated(EnumType.ORDINAL)
+    private RepositoryActionType repositoryActionType;
+
+    @Column(name = "authentication_mechanism", nullable = false)
+    @Enumerated(EnumType.ORDINAL)
+    private AuthenticationMechanism authenticationMechanism;
+
+    @Column(name = "commit_hash")
+    private String commitHash;
+
+    @Column(name = "ip_address")
+    private String ipAddress;
+
+    @Column(name = "timestamp")
+    private ZonedDateTime timestamp;
+
+    public VcsAccessLog(User user, Participation participation, String name, String email, RepositoryActionType repositoryActionType,
+            AuthenticationMechanism authenticationMechanism, String commitHash, String ipAddress) {
+        this.user = user;
+        this.participation = participation;
+        this.name = name;
+        this.email = email;
+        this.repositoryActionType = repositoryActionType;
+        this.authenticationMechanism = authenticationMechanism;
+        this.commitHash = commitHash;
+        this.ipAddress = ipAddress;
+        this.timestamp = ZonedDateTime.now();
+    }
+
+    public VcsAccessLog() {
+    }
+}

src/main/java/de/tum/in/www1/artemis/repository/VcsAccessLogRepository.java

@@ -0,0 +1,23 @@
+package de.tum.in.www1.artemis.repository;
+
+import static de.tum.in.www1.artemis.config.Constants.PROFILE_CORE;
+
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Repository;
+
+import de.tum.in.www1.artemis.domain.vcstokens.VcsAccessLog;
+import de.tum.in.www1.artemis.repository.base.ArtemisJpaRepository;
+
+/**
+ * Spring Data JPA repository for the User entity.<br>
+ * <br>
+ * <p>
+ * <b>Note</b>: Please keep in mind that the User entities are soft-deleted when adding new queries to this repository.
+ * If you don't need deleted user entities, add `WHERE user.isDeleted = FALSE` to your query.
+ * </p>
+ */
+@Profile(PROFILE_CORE)
+@Repository
+public interface VcsAccessLogRepository extends ArtemisJpaRepository<VcsAccessLog, Long> {
+
+}

src/main/java/de/tum/in/www1/artemis/service/VcsAccessLogService.java

@@ -0,0 +1,45 @@
+package de.tum.in.www1.artemis.service;
+
+import static de.tum.in.www1.artemis.config.Constants.PROFILE_LOCALVC;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Service;
+
+import de.tum.in.www1.artemis.domain.User;
+import de.tum.in.www1.artemis.domain.participation.Participation;
+import de.tum.in.www1.artemis.domain.participation.ProgrammingExerciseParticipation;
+import de.tum.in.www1.artemis.domain.vcstokens.AuthenticationMechanism;
+import de.tum.in.www1.artemis.domain.vcstokens.VcsAccessLog;
+import de.tum.in.www1.artemis.repository.VcsAccessLogRepository;
+import de.tum.in.www1.artemis.web.rest.repository.RepositoryActionType;
+
+@Profile(PROFILE_LOCALVC)
+@Service
+public class VcsAccessLogService {
+
+    private static final Logger log = LoggerFactory.getLogger(VcsAccessLogService.class);
+
+    private final VcsAccessLogRepository vcsAccessLogRepository;
+
+    VcsAccessLogService(VcsAccessLogRepository vcsAccessLogRepository) {
+        this.vcsAccessLogRepository = vcsAccessLogRepository;
+    }
+
+    /**
+     * Creates a vcs access log entry and stores it to the database
+     *
+     * @param user                    The user accessing the repository
+     * @param participation           The participation which owns the repository
+     * @param actionType              The action type: READ or WRITE
+     * @param authenticationMechanism The used authentication mechanism: password, token or SSH
+     */
+    public void storeAccessLog(User user, ProgrammingExerciseParticipation participation, RepositoryActionType actionType, AuthenticationMechanism authenticationMechanism,
+            String ipAddress) {
+        log.debug("Storing access operation for user {}", user);
+
+        VcsAccessLog accessLogEntry = new VcsAccessLog(user, (Participation) participation, user.getName(), user.getEmail(), actionType, authenticationMechanism, null, ipAddress);
+        vcsAccessLogRepository.save(accessLogEntry);
+    }
+}

src/main/java/de/tum/in/www1/artemis/service/connectors/localvc/LocalVCServletService.java

@@ -45,6 +45,7 @@
 import de.tum.in.www1.artemis.domain.participation.ProgrammingExerciseParticipation;
 import de.tum.in.www1.artemis.domain.participation.ProgrammingExerciseStudentParticipation;
 import de.tum.in.www1.artemis.domain.participation.SolutionProgrammingExerciseParticipation;
+import de.tum.in.www1.artemis.domain.vcstokens.AuthenticationMechanism;
 import de.tum.in.www1.artemis.exception.ContinuousIntegrationException;
 import de.tum.in.www1.artemis.exception.VersionControlException;
 import de.tum.in.www1.artemis.exception.localvc.LocalVCAuthException;
@@ -55,6 +56,7 @@
 import de.tum.in.www1.artemis.repository.UserRepository;
 import de.tum.in.www1.artemis.security.SecurityUtils;
 import de.tum.in.www1.artemis.service.AuthorizationCheckService;
+import de.tum.in.www1.artemis.service.VcsAccessLogService;
 import de.tum.in.www1.artemis.service.connectors.ci.ContinuousIntegrationTriggerService;
 import de.tum.in.www1.artemis.service.programming.AuxiliaryRepositoryService;
 import de.tum.in.www1.artemis.service.programming.ProgrammingExerciseParticipationService;
@@ -100,6 +102,8 @@ public class LocalVCServletService {
 
     private final ProgrammingTriggerService programmingTriggerService;
 
+    private final VcsAccessLogService vcsAccessLogService;
+
     private static URL localVCBaseUrl;
 
     private final ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository;
@@ -132,7 +136,7 @@ public LocalVCServletService(AuthenticationManager authenticationManager, UserRe
             ProgrammingExerciseParticipationService programmingExerciseParticipationService, AuxiliaryRepositoryService auxiliaryRepositoryService,
             ContinuousIntegrationTriggerService ciTriggerService, ProgrammingSubmissionService programmingSubmissionService,
             ProgrammingMessagingService programmingMessagingService, ProgrammingTriggerService programmingTriggerService,
-            ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository) {
+            ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository, VcsAccessLogService vcsAccessLogService) {
         this.authenticationManager = authenticationManager;
         this.userRepository = userRepository;
         this.programmingExerciseRepository = programmingExerciseRepository;
@@ -145,6 +149,8 @@ public LocalVCServletService(AuthenticationManager authenticationManager, UserRe
         this.programmingMessagingService = programmingMessagingService;
         this.programmingTriggerService = programmingTriggerService;
         this.participationVCSAccessTokenRepository = participationVCSAccessTokenRepository;
+        this.vcsAccessLogService = vcsAccessLogService;
+
     }
 
     /**
@@ -238,13 +244,37 @@ public void authenticateAndAuthorizeGitRequest(HttpServletRequest request, Repos
             throw new LocalVCForbiddenException();
         }
 
-        authorizeUser(repositoryTypeOrUserName, user, exercise, repositoryAction, localVCRepositoryUri.isPracticeRepository());
+        var authenticationMechanism = resolveAuthenticationMechanism(authorizationHeader, user);
+        var ipAddress = request.getRemoteAddr();
+        authorizeUser(repositoryTypeOrUserName, user, exercise, repositoryAction, authenticationMechanism, ipAddress, localVCRepositoryUri.isPracticeRepository());
 
         request.setAttribute("user", user);
 
         log.debug("Authorizing user {} for repository {} took {}", user.getLogin(), localVCRepositoryUri, TimeLogUtil.formatDurationFrom(timeNanoStart));
     }
 
+    /**
+     * Resolves the user's authentication mechanism for the repository
+     *
+     * @param authorizationHeader the request's authorizationHeader, containing the token or password
+     * @param user                the user
+     * @return the authentication type
+     * @throws LocalVCAuthException if extracting the token or password from the authorizationHeader fails
+     */
+    private AuthenticationMechanism resolveAuthenticationMechanism(String authorizationHeader, User user) throws LocalVCAuthException {
+        UsernameAndPassword usernameAndPassword = extractUsernameAndPassword(authorizationHeader);
+
+        String password = usernameAndPassword.password();
+        if (!password.startsWith("vcpat")) {
+            return AuthenticationMechanism.PASSWORD;
+        }
+        if (password.equals(user.getVcsAccessToken())) {
+            return AuthenticationMechanism.USER_VCS_ACCESS_TOKEN;
+        }
+        return AuthenticationMechanism.PARTICIPATION_VCS_ACCESS_TOKEN;
+
+    }
+
     private User authenticateUser(String authorizationHeader, ProgrammingExercise exercise, LocalVCRepositoryUri localVCRepositoryUri) throws LocalVCAuthException {
 
         UsernameAndPassword usernameAndPassword = extractUsernameAndPassword(authorizationHeader);
@@ -380,8 +410,8 @@ private UsernameAndPassword extractUsernameAndPassword(String authorizationHeade
      * @param isPracticeRepository     Whether the repository is a practice repository.
      * @throws LocalVCForbiddenException If the user is not allowed to access the repository.
      */
-    public void authorizeUser(String repositoryTypeOrUserName, User user, ProgrammingExercise exercise, RepositoryActionType repositoryActionType, boolean isPracticeRepository)
-            throws LocalVCForbiddenException {
+    public void authorizeUser(String repositoryTypeOrUserName, User user, ProgrammingExercise exercise, RepositoryActionType repositoryActionType,
+            AuthenticationMechanism authenticationMechanism, String ipAddress, boolean isPracticeRepository) throws LocalVCForbiddenException {
 
         if (repositoryTypeOrUserName.equals(RepositoryType.TESTS.toString()) || auxiliaryRepositoryService.isAuxiliaryRepositoryOfExercise(repositoryTypeOrUserName, exercise)) {
             // Test and auxiliary repositories are only accessible by instructors and higher.
@@ -405,6 +435,7 @@ public void authorizeUser(String repositoryTypeOrUserName, User user, Programmin
 
         try {
             repositoryAccessService.checkAccessRepositoryElseThrow(participation, user, exercise, repositoryActionType);
+            vcsAccessLogService.storeAccessLog(user, participation, repositoryActionType, authenticationMechanism, ipAddress);
         }
         catch (AccessForbiddenException e) {
             throw new LocalVCForbiddenException(e);

src/main/java/de/tum/in/www1/artemis/service/icl/SshGitLocationResolverService.java

@@ -20,6 +20,7 @@
 
 import de.tum.in.www1.artemis.config.icl.ssh.SshConstants;
 import de.tum.in.www1.artemis.domain.ProgrammingExercise;
+import de.tum.in.www1.artemis.domain.vcstokens.AuthenticationMechanism;
 import de.tum.in.www1.artemis.exception.localvc.LocalVCForbiddenException;
 import de.tum.in.www1.artemis.exception.localvc.LocalVCInternalException;
 import de.tum.in.www1.artemis.repository.ProgrammingExerciseRepository;
@@ -78,7 +79,8 @@ public Path resolveRootDirectory(String command, String[] args, ServerSession se
         else {
             final var user = session.getAttribute(SshConstants.USER_KEY);
             try {
-                localVCServletService.authorizeUser(repositoryTypeOrUserName, user, exercise, repositoryAction, localVCRepositoryUri.isPracticeRepository());
+                localVCServletService.authorizeUser(repositoryTypeOrUserName, user, exercise, repositoryAction, AuthenticationMechanism.SSH, session.getClientAddress().toString(),
+                        localVCRepositoryUri.isPracticeRepository());
             }
             catch (LocalVCForbiddenException e) {
                 log.error("User {} does not have access to the repository {}", user.getLogin(), repositoryPath);

src/main/resources/config/liquibase/changelog/20240804144500_changelog.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+    <changeSet id="20240804144500" author="entholzer">
+        <!--
+            Change Set for creating a new table for storing the LocalVC access logs
+        -->
+        <createTable tableName="vcs_access_log">
+            <column autoIncrement="true" name="id" type="bigint">
+                <constraints nullable="false" primaryKey="true"/>
+            </column>
+            <column name="user_id" type="bigint">
+                <constraints nullable="false"/>
+            </column>
+            <column name="participation_id" type="bigint">
+                <constraints nullable="false"/>
+            </column>
+            <column name="name" type="varchar(50)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="email" type="varchar(100)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="repository_action_type" type="tinyint">
+                <constraints nullable="false"/>
+            </column>
+            <column name="authentication_mechanism" type="tinyint">
+                <constraints nullable="false"/>
+            </column>
+            <column name="commit_hash" type="varchar(40)">
+                <constraints nullable="true"/>
+            </column>
+            <column name="ip_address" type="varchar(45)">
+                <constraints nullable="true"/>
+            </column>
+            <column defaultValueComputed="CURRENT_TIMESTAMP" name="timestamp" type="timestamp">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
+        <createIndex indexName="idx_vcs_access_log_user_participation" tableName="vcs_access_log">
+            <column name="user_id"/>
+            <column name="participation_id"/>
+        </createIndex>
+    </changeSet>
+</databaseChangeLog>

src/main/resources/config/liquibase/master.xml

@@ -21,6 +21,8 @@
     <include file="classpath:config/liquibase/changelog/20240626200000_changelog.xml" relativeToChangelogFile="false"/>
     <include file="classpath:config/liquibase/changelog/20240708144500_changelog.xml" relativeToChangelogFile="false"/>
     <include file="classpath:config/liquibase/changelog/20240802091201_changelog.xml" relativeToChangelogFile="false"/>
+    <include file="classpath:config/liquibase/changelog/20240804144500_changelog.xml" relativeToChangelogFile="false"/>
+
     <!-- NOTE: please use the format "YYYYMMDDhhmmss_changelog.xml", i.e. year month day hour minutes seconds and not something else! -->
     <!-- we should also stay in a chronological order! -->
     <!-- you can use the command 'date '+%Y%m%d%H%M%S'' to get the current date and time in the correct format -->