feat(groups): Classify resources for audit events

Makefile

@@ -169,6 +169,8 @@ protobuild:
 	@protoc-go-inject-tag -input=./internal/gen/controller/api/services/authtokens_service.pb.go
 	@protoc-go-inject-tag -input=./sdk/pbs/controller/api/resources/managedgroups/managed_group.pb.go
 	@protoc-go-inject-tag -input=./internal/gen/controller/api/services/managed_group_service.pb.go
+	@protoc-go-inject-tag -input=./sdk/pbs/controller/api/resources/groups/group.pb.go
+	@protoc-go-inject-tag -input=./internal/gen/controller/api/services/group_service.pb.go
 
 	# these protos, services and openapi artifacts are purely for testing purposes
 	@protoc-go-inject-tag -input=./internal/gen/testing/event/event.pb.go

internal/gen/controller/api/services/group_service.pb.go

@@ -29,7 +29,7 @@ type GetGroupRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *GetGroupRequest) Reset() {
@@ -123,9 +123,9 @@ type ListGroupsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	ScopeId   string `protobuf:"bytes,1,opt,name=scope_id,proto3" json:"scope_id,omitempty"`
-	Recursive bool   `protobuf:"varint,20,opt,name=recursive,proto3" json:"recursive,omitempty"`
-	Filter    string `protobuf:"bytes,30,opt,name=filter,proto3" json:"filter,omitempty"`
+	ScopeId   string `protobuf:"bytes,1,opt,name=scope_id,proto3" json:"scope_id,omitempty" class:"public"`     // @gotags: `class:"public"`
+	Recursive bool   `protobuf:"varint,20,opt,name=recursive,proto3" json:"recursive,omitempty" class:"public"` // @gotags: `class:"public"`
+	Filter    string `protobuf:"bytes,30,opt,name=filter,proto3" json:"filter,omitempty" class:"public"`        // @gotags: `class:"public"`
 }
 
 func (x *ListGroupsRequest) Reset() {
@@ -280,7 +280,7 @@ type CreateGroupResponse struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Uri  string        `protobuf:"bytes,1,opt,name=uri,proto3" json:"uri,omitempty"`
+	Uri  string        `protobuf:"bytes,1,opt,name=uri,proto3" json:"uri,omitempty" class:"public"` // @gotags: `class:"public"`
 	Item *groups.Group `protobuf:"bytes,2,opt,name=item,proto3" json:"item,omitempty"`
 }
 
@@ -335,7 +335,7 @@ type UpdateGroupRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Id         string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Id         string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 	Item       *groups.Group          `protobuf:"bytes,2,opt,name=item,proto3" json:"item,omitempty"`
 	UpdateMask *fieldmaskpb.FieldMask `protobuf:"bytes,3,opt,name=update_mask,proto3" json:"update_mask,omitempty"`
 }
@@ -445,7 +445,7 @@ type DeleteGroupRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *DeleteGroupRequest) Reset() {
@@ -530,11 +530,11 @@ type AddGroupMembersRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Version is used to ensure this resource has not changed.
 	// The mutation will fail if the version does not match the latest known good version.
-	Version   uint32   `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
-	MemberIds []string `protobuf:"bytes,3,rep,name=member_ids,proto3" json:"member_ids,omitempty"`
+	Version   uint32   `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty" class:"public"`      // @gotags: `class:"public"`
+	MemberIds []string `protobuf:"bytes,3,rep,name=member_ids,proto3" json:"member_ids,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *AddGroupMembersRequest) Reset() {
@@ -642,11 +642,11 @@ type SetGroupMembersRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Version is used to ensure this resource has not changed.
 	// The mutation will fail if the version does not match the latest known good version.
-	Version   uint32   `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
-	MemberIds []string `protobuf:"bytes,3,rep,name=member_ids,proto3" json:"member_ids,omitempty"`
+	Version   uint32   `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty" class:"public"`      // @gotags: `class:"public"`
+	MemberIds []string `protobuf:"bytes,3,rep,name=member_ids,proto3" json:"member_ids,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *SetGroupMembersRequest) Reset() {
@@ -754,11 +754,11 @@ type RemoveGroupMembersRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Version is used to ensure this resource has not changed.
 	// The mutation will fail if the version does not match the latest known good version.
-	Version   uint32   `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
-	MemberIds []string `protobuf:"bytes,3,rep,name=member_ids,proto3" json:"member_ids,omitempty"`
+	Version   uint32   `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty" class:"public"`      // @gotags: `class:"public"`
+	MemberIds []string `protobuf:"bytes,3,rep,name=member_ids,proto3" json:"member_ids,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *RemoveGroupMembersRequest) Reset() {

internal/proto/controller/api/resources/groups/v1/group.proto

@@ -11,45 +11,45 @@ import "controller/custom_options/v1/options.proto";
 
 message Member {
 	// Output only. The ID of the member.
-	string id = 10;
+	string id = 10; // @gotags: `class:"public"`
 
 	// Output only. The Scope ID of the member.
-	string scope_id = 20 [json_name="scope_id"];
+	string scope_id = 20 [json_name="scope_id"]; // @gotags: `class:"public"`
 }
 
 // Group contains all fields related to a Group resource
 message Group {
 	// Output only. The ID of the Group.
-	string id = 10;
+	string id = 10; // @gotags: `class:"public"`
 
 	// The ID of the scope of which this Group is a part.
-	string scope_id = 20 [json_name="scope_id"];
+	string scope_id = 20 [json_name="scope_id"]; // @gotags: `class:"public"`
 
 	// Output only. Scope information for this Group.
 	resources.scopes.v1.ScopeInfo scope = 30;
 
 	// Optional name for identification purposes.
-	google.protobuf.StringValue name = 40 [(custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = {this:"name" that: "name"}];
+	google.protobuf.StringValue name = 40 [(custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = {this:"name" that: "name"}]; // @gotags: `class:"public"`
 
 	// Optional user-set descripton for identification purposes.
-	google.protobuf.StringValue description = 50 [(custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = {this:"description" that: "description"}];
+	google.protobuf.StringValue description = 50 [(custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = {this:"description" that: "description"}]; // @gotags: `class:"public"`
 
 	// Output only. The time this resource was created.
-	google.protobuf.Timestamp created_time = 60 [json_name="created_time"];
+	google.protobuf.Timestamp created_time = 60 [json_name="created_time"]; // @gotags: `class:"public"`
 
 	// Output only. The time this resource was last updated.
-	google.protobuf.Timestamp updated_time = 70 [json_name="updated_time"];
+	google.protobuf.Timestamp updated_time = 70 [json_name="updated_time"]; // @gotags: `class:"public"`
 
 	// Version is used in mutation requests, after the initial creation, to ensure this resource has not changed.
 	// The mutation will fail if the version does not match the latest known good version.
-	uint32 version = 80;
+	uint32 version = 80; // @gotags: `class:"public"`
 
 	// Output only. Contains the list of member IDs in this Group.
-	repeated string member_ids = 90 [json_name="member_ids"];
+	repeated string member_ids = 90 [json_name="member_ids"]; // @gotags: `class:"public"`
 
 	// Output only. The members of this Group.
 	repeated Member members = 100;
 
 	// Output only. The available actions on this resource for this user.
-	repeated string authorized_actions = 300 [json_name="authorized_actions"];
+	repeated string authorized_actions = 300 [json_name="authorized_actions"]; // @gotags: `class:"public"`
 }

internal/proto/controller/api/services/v1/group_service.proto

@@ -131,7 +131,7 @@ service GroupService {
 }
 
 message GetGroupRequest {
-  string id = 1;
+  string id = 1; // @gotags: `class:"public"`
 }
 
 message GetGroupResponse {
@@ -139,9 +139,9 @@ message GetGroupResponse {
 }
 
 message ListGroupsRequest {
-  string scope_id = 1 [json_name="scope_id"];
-  bool recursive = 20 [json_name="recursive"];
-  string filter = 30 [json_name="filter"];
+  string scope_id = 1 [json_name="scope_id"]; // @gotags: `class:"public"`
+  bool recursive = 20 [json_name="recursive"]; // @gotags: `class:"public"`
+  string filter = 30 [json_name="filter"]; // @gotags: `class:"public"`
 }
 
 message ListGroupsResponse {
@@ -153,12 +153,12 @@ message CreateGroupRequest {
 }
 
 message CreateGroupResponse {
-  string uri = 1;
+  string uri = 1; // @gotags: `class:"public"`
   resources.groups.v1.Group item = 2;
 }
 
 message UpdateGroupRequest {
-  string id = 1;
+  string id = 1; // @gotags: `class:"public"`
   resources.groups.v1.Group item = 2;
   google.protobuf.FieldMask update_mask = 3 [json_name="update_mask"];
 }
@@ -168,17 +168,17 @@ message UpdateGroupResponse {
 }
 
 message DeleteGroupRequest {
-  string id = 1;
+  string id = 1; // @gotags: `class:"public"`
 }
 
 message DeleteGroupResponse {}
 
 message AddGroupMembersRequest {
-  string id = 1;
+  string id = 1; // @gotags: `class:"public"`
   // Version is used to ensure this resource has not changed.
   // The mutation will fail if the version does not match the latest known good version.
-  uint32 version = 2;
-  repeated string member_ids = 3 [json_name="member_ids"];
+  uint32 version = 2; // @gotags: `class:"public"`
+  repeated string member_ids = 3 [json_name="member_ids"]; // @gotags: `class:"public"`
 }
 
 message AddGroupMembersResponse {
@@ -186,11 +186,11 @@ message AddGroupMembersResponse {
 }
 
 message SetGroupMembersRequest {
-  string id = 1;
+  string id = 1; // @gotags: `class:"public"`
   // Version is used to ensure this resource has not changed.
   // The mutation will fail if the version does not match the latest known good version.
-  uint32 version = 2;
-  repeated string member_ids = 3 [json_name="member_ids"];
+  uint32 version = 2; // @gotags: `class:"public"`
+  repeated string member_ids = 3 [json_name="member_ids"]; // @gotags: `class:"public"`
 }
 
 message SetGroupMembersResponse {
@@ -198,11 +198,11 @@ message SetGroupMembersResponse {
 }
 
 message RemoveGroupMembersRequest {
-  string id = 1;
+  string id = 1; // @gotags: `class:"public"`
   // Version is used to ensure this resource has not changed.
   // The mutation will fail if the version does not match the latest known good version.
-  uint32 version = 2;
-  repeated string member_ids = 3 [json_name="member_ids"];
+  uint32 version = 2; // @gotags: `class:"public"`
+  repeated string member_ids = 3 [json_name="member_ids"]; // @gotags: `class:"public"`
 }
 
 message RemoveGroupMembersResponse {

internal/tests/api/groups/classification_test.go

@@ -0,0 +1,113 @@
+package groups_test
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/boundary/sdk/pbs/controller/api"
+	pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/groups"
+	"github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/scopes"
+	"github.com/hashicorp/boundary/sdk/wrapper"
+	"github.com/hashicorp/eventlogger"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+	"google.golang.org/protobuf/types/known/wrapperspb"
+)
+
+func TestGroupsClassification(t *testing.T) {
+	ctx := context.Background()
+	now := time.Now()
+	pbNow := timestamppb.Now()
+	wrapper := wrapper.TestWrapper(t)
+	testEncryptingFilter := api.NewEncryptFilter(t, wrapper)
+
+	cases := []struct {
+		name string
+		in   *eventlogger.Event
+		want *eventlogger.Event
+	}{
+		{
+			name: "validate-group-filtering",
+			in: &eventlogger.Event{
+				Type:      "test",
+				CreatedAt: now,
+				Payload: &pb.Group{
+					Id:      "id",
+					ScopeId: "scope-id",
+					Scope: &scopes.ScopeInfo{
+						Id:            "id",
+						Type:          "type",
+						Name:          "name",
+						Description:   "description",
+						ParentScopeId: "parent-scope-id",
+					},
+					Name:        &wrapperspb.StringValue{Value: "name"},
+					Description: &wrapperspb.StringValue{Value: "description"},
+					CreatedTime: pbNow,
+					UpdatedTime: pbNow,
+					Version:     1,
+					MemberIds:   []string{"member-id"},
+					Members: []*pb.Member{
+						{
+							Id:      "member-id",
+							ScopeId: "scope-id",
+						},
+					},
+					AuthorizedActions: []string{
+						"action-1",
+						"action-2",
+					},
+				},
+			},
+			want: &eventlogger.Event{
+				Type:      "test",
+				CreatedAt: now,
+				Payload: &pb.Group{
+					Id:      "id",
+					ScopeId: "scope-id",
+					Scope: &scopes.ScopeInfo{
+						Id:            "id",
+						Type:          "type",
+						Name:          "name",
+						Description:   "description",
+						ParentScopeId: "parent-scope-id",
+					},
+					Name:        &wrapperspb.StringValue{Value: "name"},
+					Description: &wrapperspb.StringValue{Value: "description"},
+					CreatedTime: pbNow,
+					UpdatedTime: pbNow,
+					Version:     1,
+					MemberIds:   []string{"member-id"},
+					Members: []*pb.Member{
+						{
+							Id:      "member-id",
+							ScopeId: "scope-id",
+						},
+					},
+					AuthorizedActions: []string{
+						"action-1",
+						"action-2",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert, require := assert.New(t), require.New(t)
+			got, err := testEncryptingFilter.Process(ctx, tc.in)
+			require.NoError(err)
+			require.NotNil(got)
+			gotJSON, err := json.Marshal(got)
+			require.NoError(err)
+
+			wantJSON, err := json.Marshal(tc.want)
+			require.NoError(err)
+			assert.JSONEq(string(wantJSON), string(gotJSON))
+		})
+	}
+}

sdk/pbs/controller/api/resources/groups/group.pb.go

@@ -30,9 +30,9 @@ type Member struct {
 	unknownFields protoimpl.UnknownFields
 
 	// Output only. The ID of the member.
-	Id string `protobuf:"bytes,10,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,10,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Output only. The Scope ID of the member.
-	ScopeId string `protobuf:"bytes,20,opt,name=scope_id,proto3" json:"scope_id,omitempty"`
+	ScopeId string `protobuf:"bytes,20,opt,name=scope_id,proto3" json:"scope_id,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *Member) Reset() {
@@ -88,28 +88,28 @@ type Group struct {
 	unknownFields protoimpl.UnknownFields
 
 	// Output only. The ID of the Group.
-	Id string `protobuf:"bytes,10,opt,name=id,proto3" json:"id,omitempty"`
+	Id string `protobuf:"bytes,10,opt,name=id,proto3" json:"id,omitempty" class:"public"` // @gotags: `class:"public"`
 	// The ID of the scope of which this Group is a part.
-	ScopeId string `protobuf:"bytes,20,opt,name=scope_id,proto3" json:"scope_id,omitempty"`
+	ScopeId string `protobuf:"bytes,20,opt,name=scope_id,proto3" json:"scope_id,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Output only. Scope information for this Group.
 	Scope *scopes.ScopeInfo `protobuf:"bytes,30,opt,name=scope,proto3" json:"scope,omitempty"`
 	// Optional name for identification purposes.
-	Name *wrapperspb.StringValue `protobuf:"bytes,40,opt,name=name,proto3" json:"name,omitempty"`
+	Name *wrapperspb.StringValue `protobuf:"bytes,40,opt,name=name,proto3" json:"name,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Optional user-set descripton for identification purposes.
-	Description *wrapperspb.StringValue `protobuf:"bytes,50,opt,name=description,proto3" json:"description,omitempty"`
+	Description *wrapperspb.StringValue `protobuf:"bytes,50,opt,name=description,proto3" json:"description,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Output only. The time this resource was created.
-	CreatedTime *timestamppb.Timestamp `protobuf:"bytes,60,opt,name=created_time,proto3" json:"created_time,omitempty"`
+	CreatedTime *timestamppb.Timestamp `protobuf:"bytes,60,opt,name=created_time,proto3" json:"created_time,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Output only. The time this resource was last updated.
-	UpdatedTime *timestamppb.Timestamp `protobuf:"bytes,70,opt,name=updated_time,proto3" json:"updated_time,omitempty"`
+	UpdatedTime *timestamppb.Timestamp `protobuf:"bytes,70,opt,name=updated_time,proto3" json:"updated_time,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Version is used in mutation requests, after the initial creation, to ensure this resource has not changed.
 	// The mutation will fail if the version does not match the latest known good version.
-	Version uint32 `protobuf:"varint,80,opt,name=version,proto3" json:"version,omitempty"`
+	Version uint32 `protobuf:"varint,80,opt,name=version,proto3" json:"version,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Output only. Contains the list of member IDs in this Group.
-	MemberIds []string `protobuf:"bytes,90,rep,name=member_ids,proto3" json:"member_ids,omitempty"`
+	MemberIds []string `protobuf:"bytes,90,rep,name=member_ids,proto3" json:"member_ids,omitempty" class:"public"` // @gotags: `class:"public"`
 	// Output only. The members of this Group.
 	Members []*Member `protobuf:"bytes,100,rep,name=members,proto3" json:"members,omitempty"`
 	// Output only. The available actions on this resource for this user.
-	AuthorizedActions []string `protobuf:"bytes,300,rep,name=authorized_actions,proto3" json:"authorized_actions,omitempty"`
+	AuthorizedActions []string `protobuf:"bytes,300,rep,name=authorized_actions,proto3" json:"authorized_actions,omitempty" class:"public"` // @gotags: `class:"public"`
 }
 
 func (x *Group) Reset() {