Add version reference change and version deletion audit logs

phpstan-baseline.neon

@@ -15,6 +15,21 @@ parameters:
 			count: 1
 			path: src/DataFixtures/PackageFixtures.php
 
+		-
+			message: "#^Query error\\: Column \"audit_log\\.attributes\" expects value type string, got type array\\<string, mixed\\>$#"
+			count: 1
+			path: src/Entity/AuditRecordRepository.php
+
+		-
+			message: "#^Query error\\: Column \"audit_log\\.datetime\" expects value type string, got type DateTimeImmutable$#"
+			count: 1
+			path: src/Entity/AuditRecordRepository.php
+
+		-
+			message: "#^Query error\\: Column \"audit_log\\.id\" expects value type string, got type Symfony\\\\Component\\\\Uid\\\\Ulid$#"
+			count: 1
+			path: src/Entity/AuditRecordRepository.php
+
 		-
 			message: "#^Method App\\\\Entity\\\\PackageRepository\\:\\:getDependents\\(\\) should return array\\<array\\{id\\: int, name\\: string, description\\: string\\|null, language\\: string\\|null, abandoned\\: int, replacementPackage\\: string\\|null\\}\\> but returns array\\<int\\<0, max\\>, non\\-empty\\-array\\<string, mixed\\>\\>\\.$#"
 			count: 1
@@ -40,21 +55,6 @@ parameters:
 			count: 1
 			path: src/Entity/Version.php
 
-		-
-			message: "#^Query error\\: Column \"audit_log\\.attributes\" expects value type string, got type array\\<string, mixed\\>$#"
-			count: 1
-			path: src/EventListener/PackageListener.php
-
-		-
-			message: "#^Query error\\: Column \"audit_log\\.datetime\" expects value type string, got type DateTimeImmutable$#"
-			count: 1
-			path: src/EventListener/PackageListener.php
-
-		-
-			message: "#^Query error\\: Column \"audit_log\\.id\" expects value type string, got type Symfony\\\\Component\\\\Uid\\\\Ulid$#"
-			count: 1
-			path: src/EventListener/PackageListener.php
-
 		-
 			message: "#^Method App\\\\Model\\\\FavoriteManager\\:\\:getFavoriteCount\\(\\) should return int\\<0, max\\> but returns int\\.$#"
 			count: 1

src/Audit/AuditRecordType.php

@@ -23,8 +23,8 @@ enum AuditRecordType: string
     case PackageCreated = 'package_created';
     case PackageDeleted = 'package_deleted';
     case CanonicalUrlChange = 'canonical_url_change';
-    case VersionDeleted = 'version_deleted'; # TODO
-    case VersionChange = 'version_change'; # TODO
+    case VersionDeleted = 'version_deleted';
+    case VersionReferenceChange = 'version_reference_change';
     case PackageAbandoned = 'package_abandoned'; # TODO
     case PackageUnabandoned = 'package_unabandoned'; # TODO
 

src/Entity/AuditRecord.php

@@ -66,6 +66,25 @@ public static function canonicalUrlChange(Package $package, User|null $user, str
         return new self(AuditRecordType::CanonicalUrlChange, ['name' => $package->getName(), 'repository_from' => $oldRepository, 'repository_to' => $package->getRepository(), 'actor' => self::getUserData($user)], $user?->getId(), $package->getVendor(), $package->getId());
     }
 
+    public static function versionDeleted(Version $version, User|null $user): self
+    {
+        $package = $version->getPackage();
+
+        return new self(AuditRecordType::VersionDeleted, ['name' => $package->getName(), 'version' => $version->getVersion(), 'actor' => self::getUserData($user, 'automation')], $user?->getId(), $package->getVendor(), $package->getId());
+    }
+
+    public static function versionReferenceChange(Version $version, string|null $oldSourceReference, string|null $oldDistReference): self
+    {
+        $package = $version->getPackage();
+
+        return new self(
+            AuditRecordType::VersionReferenceChange,
+            ['name' => $package->getName(), 'version' => $version->getVersion(), 'source_from' => $oldSourceReference, 'source_to' => $version->getSource()['reference'] ?? null, 'dist_from' => $oldDistReference, 'dist_to' => $version->getDist()['reference'] ?? null],
+            vendor: $package->getVendor(),
+            packageId: $package->getId()
+        );
+    }
+
     /**
      * @return array{id: int, username: string}|string
      */

src/Entity/AuditRecordRepository.php

@@ -14,6 +14,8 @@
 
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bridge\Doctrine\Types\UlidType;
 
 /**
  * @extends ServiceEntityRepository<AuditRecord>
@@ -42,4 +44,24 @@ public function remove(AuditRecord $entity, bool $flush = false): void
             $this->getEntityManager()->flush();
         }
     }
+
+    /**
+     * Performs a direct insert not requiring usage of the ORM so it can be used within ORM lifecycle listeners
+     */
+    public function insert(AuditRecord $record): void
+    {
+        $this->getEntityManager()->getConnection()->insert('audit_log', [
+            'id' => $record->id,
+            'datetime' => $record->datetime,
+            'type' => $record->type->value,
+            'attributes' => $record->attributes,
+            'userId' => $record->userId,
+            'vendor' => $record->vendor,
+            'packageId' => $record->packageId,
+        ], [
+            'id' => UlidType::NAME,
+            'datetime' => Types::DATETIME_IMMUTABLE,
+            'attributes' => Types::JSON
+        ]);
+    }
 }

src/EventListener/PackageListener.php

@@ -17,12 +17,10 @@
 use App\Entity\User;
 use App\Util\DoctrineTrait;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsEntityListener;
-use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\EntityManager;
 use Doctrine\Persistence\Event\LifecycleEventArgs;
 use Doctrine\ORM\Event\PreUpdateEventArgs;
 use Doctrine\Persistence\ManagerRegistry;
-use Symfony\Bridge\Doctrine\Types\UlidType;
 use Symfony\Bundle\SecurityBundle\Security;
 
 #[AsEntityListener(event: 'postPersist', entity: Package::class)]
@@ -47,7 +45,7 @@ public function __construct(
      */
     public function postPersist(Package $package, LifecycleEventArgs $event): void
     {
-        $this->insert(AuditRecord::packageCreated($package, $this->getUser()));
+        $this->getEM()->getRepository(AuditRecord::class)->insert(AuditRecord::packageCreated($package, $this->getUser()));
     }
 
     /**
@@ -74,8 +72,9 @@ public function preUpdate(Package $package, PreUpdateEventArgs $event): void
     public function postUpdate(Package $package, LifecycleEventArgs $event): void
     {
         if ($this->buffered) {
+            $repo = $this->getEM()->getRepository(AuditRecord::class);
             foreach ($this->buffered as $record) {
-                $this->insert($record);
+                $repo->insert($record);
             }
             $this->buffered = [];
         }
@@ -87,21 +86,4 @@ private function getUser(): User|null
 
         return $user instanceof User ? $user : null;
     }
-
-    private function insert(AuditRecord $record): void
-    {
-        $this->getEM()->getConnection()->insert('audit_log', [
-            'id' => $record->id,
-            'datetime' => $record->datetime,
-            'type' => $record->type->value,
-            'attributes' => $record->attributes,
-            'userId' => $record->userId,
-            'vendor' => $record->vendor,
-            'packageId' => $record->packageId,
-        ], [
-            'id' => UlidType::NAME,
-            'datetime' => Types::DATETIME_IMMUTABLE,
-            'attributes' => Types::JSON
-        ]);
-    }
 }

src/EventListener/VersionListener.php

@@ -0,0 +1,86 @@
+<?php declare(strict_types=1);
+
+/*
+ * This file is part of Packagist.
+ *
+ * (c) Jordi Boggiano <j.boggiano@seld.be>
+ *     Nils Adermann <naderman@naderman.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\EventListener;
+
+use App\Entity\AuditRecord;
+use App\Entity\User;
+use App\Entity\Version;
+use App\Util\DoctrineTrait;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsEntityListener;
+use Doctrine\ORM\EntityManager;
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use Doctrine\Persistence\Event\LifecycleEventArgs;
+use Doctrine\Persistence\ManagerRegistry;
+use Symfony\Bundle\SecurityBundle\Security;
+
+#[AsEntityListener(event: 'preRemove', entity: Version::class)]
+#[AsEntityListener(event: 'preUpdate', entity: Version::class)]
+#[AsEntityListener(event: 'postUpdate', entity: Version::class)]
+class VersionListener
+{
+    use DoctrineTrait;
+
+    /** @var list<AuditRecord> */
+    private array $buffered = [];
+
+    public function __construct(
+        private ManagerRegistry $doctrine,
+        private Security $security,
+    ) {
+    }
+
+    /**
+     * @param LifecycleEventArgs<EntityManager> $event
+     */
+    public function preRemove(Version $version, LifecycleEventArgs $event): void
+    {
+        $record = AuditRecord::versionDeleted($version, $this->getUser());
+        $this->getEM()->persist($record);
+        // let the record be flushed together with the entity
+    }
+
+    public function preUpdate(Version $version, PreUpdateEventArgs $event): void
+    {
+        if (($event->hasChangedField('source') || $event->hasChangedField('dist')) && !$version->isDevelopment()) {
+            $oldDistRef = $event->getOldValue('dist')['reference'] ?? null;
+            $oldSourceRef = $event->getOldValue('source')['reference'] ?? null;
+            $newDistRef = $event->getNewValue('dist')['reference'] ?? null;
+            $newSourceRef = $event->getNewValue('source')['reference'] ?? null;
+            if ($oldDistRef !== $newDistRef || $oldSourceRef !== $newSourceRef) {
+                // buffering things to be inserted in postUpdate once we can confirm it is done
+                $this->buffered[] = AuditRecord::versionReferenceChange($version, $oldSourceRef, $oldDistRef);
+            }
+        }
+    }
+
+    /**
+     * @param LifecycleEventArgs<EntityManager> $event
+     */
+    public function postUpdate(Version $version, LifecycleEventArgs $event): void
+    {
+        if ($this->buffered) {
+            $repo = $this->getEM()->getRepository(AuditRecord::class);
+            foreach ($this->buffered as $record) {
+                $repo->insert($record);
+            }
+            $this->buffered = [];
+        }
+    }
+
+    private function getUser(): User|null
+    {
+        $user = $this->security->getUser();
+
+        return $user instanceof User ? $user : null;
+    }
+}

tests/Audit/PackageAuditRecordTest.php

@@ -51,6 +51,7 @@ public function testPackageChangesGetRecorded(): void
         self::assertSame(AuditRecordType::PackageCreated->value, $logs[0]['type']);
 
         $package->setRepository('https://github.com/composer/packagist');
+        $em->persist($package);
         $em->flush();
 
         $logs = $container->get(Connection::class)->fetchAllAssociative('SELECT * FROM audit_log ORDER BY id DESC');

tests/Audit/VersionAuditRecordTest.php

@@ -0,0 +1,87 @@
+<?php declare(strict_types=1);
+
+/*
+ * This file is part of Packagist.
+ *
+ * (c) Jordi Boggiano <j.boggiano@seld.be>
+ *     Nils Adermann <naderman@naderman.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Tests\Controller;
+
+use App\Audit\AuditRecordType;
+use App\Entity\Version;
+use Doctrine\DBAL\Connection;
+use Doctrine\Persistence\ManagerRegistry;
+use App\Entity\Package;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+class VersionAuditRecordTest extends KernelTestCase
+{
+    public function setUp(): void
+    {
+        self::bootKernel();
+        static::getContainer()->get(Connection::class)->beginTransaction();
+
+        parent::setUp();
+    }
+
+    public function tearDown(): void
+    {
+        static::getContainer()->get(Connection::class)->rollBack();
+
+        parent::tearDown();
+    }
+
+    public function testVersionChangesGetRecorded(): void
+    {
+        $container = static::getContainer();
+        $em = $container->get(ManagerRegistry::class)->getManager();
+
+        $package = new Package();
+        $package->setRepository('https://github.com/composer/composer');
+
+        $version = new Version();
+        $version->setPackage($package);
+        $version->setName($package->getName());
+        $version->setVersion('1.0.0');
+        $version->setNormalizedVersion('1.0.0.0');
+        $version->setDevelopment(false);
+        $version->setLicense([]);
+        $version->setAutoload([]);
+        $version->setDist(['reference' => 'old-dist-ref', 'type' => 'zip', 'url' => 'https://example.org/dist.zip']);
+
+        $em->persist($package);
+        $em->persist($version);
+        $em->flush();
+
+        $version->setDist(['reference' => 'new-dist-ref', 'type' => 'zip', 'url' => 'https://example.org/dist.zip']);
+        $version->setSource(['reference' => 'new-source-ref', 'type' => 'git', 'url' => 'git://example.org/dist.zip']);
+        $em->persist($version);
+        $em->flush();
+
+        $logs = $container->get(Connection::class)->fetchAllAssociative('SELECT * FROM audit_log ORDER BY id DESC');
+        self::assertCount(2, $logs); // package creation + version reference change
+        self::assertSame(AuditRecordType::VersionReferenceChange->value, $logs[0]['type']);
+        self::assertSame('{"name": "composer/composer", "dist_to": "new-dist-ref", "version": "1.0.0", "dist_from": "old-dist-ref", "source_to": "new-source-ref", "source_from": null}', $logs[0]['attributes']);
+
+        // verify that only reference changes triggers a new audit log
+        $version->setDist(['reference' => 'new-dist-ref', 'type' => 'zip2', 'url' => 'https://example.org/dist.zip2']);
+        $version->setSource(['reference' => 'new-source-ref', 'type' => 'git2', 'url' => 'git://example.org/dist.zip2']);
+        $em->persist($version);
+        $em->flush();
+
+        $logs = $container->get(Connection::class)->fetchAllAssociative('SELECT * FROM audit_log ORDER BY id DESC');
+        self::assertCount(2, $logs);
+
+        $em->remove($version);
+        $em->flush();
+
+        $logs = $container->get(Connection::class)->fetchAllAssociative('SELECT * FROM audit_log ORDER BY id DESC');
+        self::assertCount(3, $logs);
+        self::assertSame(AuditRecordType::VersionDeleted->value, $logs[0]['type']);
+    }
+}