fix: address review findings for observability PR

1. Security: Replace insecure extractRemoteIP() in audit service with middleware.RealIP() which validates trusted proxies before trusting X-Real-IP/X-Forwarded-For headers. Export RealIP from middleware. Update audit tests to verify anti-spoofing behavior. 2. Audit coverage: Add audit instrumentation to all 9 handlers that had dead action constants: HandleEnvVarSave, HandleLabelAdd, HandleLabelEdit, HandleLabelDelete, HandleVolumeAdd, HandleVolumeEdit, HandleVolumeDelete, HandlePortAdd, HandlePortDelete. 3. README: Fix API path from /api/audit to /api/v1/audit. 4. README: Fix duplicate numbering in DI order section (items 10-11 were listed twice, now correctly numbered 10-16).
2026-03-17 02:52:34 -07:00
parent f558e2cdd8
commit ef109b9513
6 changed files with 79 additions and 45 deletions
--- a/internal/service/audit/audit_test.go
+++ b/internal/service/audit/audit_test.go
@@ -103,13 +103,15 @@ func TestAuditServiceLogFromRequest(t *testing.T) {
 	assert.Equal(t, "app-1", entries[0].ResourceID.String)
 }

-func TestAuditServiceLogFromRequestWithXRealIP(t *testing.T) {
+func TestAuditServiceLogFromRequestWithXRealIPTrustedProxy(t *testing.T) {
 	t.Parallel()

 	svc, db := setupTestAuditService(t)
 	ctx := context.Background()

+	// When the request comes from a trusted proxy (RFC1918), X-Real-IP is honoured.
 	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
+	request.RemoteAddr = "10.0.0.1:1234"
 	request.Header.Set("X-Real-IP", "203.0.113.50")

 	svc.LogFromRequest(ctx, request, audit.LogEntry{
@@ -124,6 +126,29 @@ func TestAuditServiceLogFromRequestWithXRealIP(t *testing.T) {
 	assert.Equal(t, "203.0.113.50", entries[0].RemoteIP.String)
 }

+func TestAuditServiceLogFromRequestWithXRealIPUntrustedProxy(t *testing.T) {
+	t.Parallel()
+
+	svc, db := setupTestAuditService(t)
+	ctx := context.Background()
+
+	// When the request comes from a public IP, X-Real-IP is ignored (anti-spoof).
+	request := httptest.NewRequest(http.MethodPost, "/apps", nil)
+	request.RemoteAddr = "203.0.113.99:1234"
+	request.Header.Set("X-Real-IP", "10.0.0.1")
+
+	svc.LogFromRequest(ctx, request, audit.LogEntry{
+		Username:     "admin",
+		Action:       models.AuditActionAppCreate,
+		ResourceType: models.AuditResourceApp,
+	})
+
+	entries, err := models.FindAuditEntries(ctx, db, 10)
+	require.NoError(t, err)
+	require.Len(t, entries, 1)
+	assert.Equal(t, "203.0.113.99", entries[0].RemoteIP.String)
+}
+
 func TestAuditServiceRecent(t *testing.T) {
 	t.Parallel()