Add Organizational event logging feature #2868

Merged
merged 1 commit into from
Dec 1, 2022

Collaborator

@BlackDex BlackDex commented Oct 26, 2022

This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.

All events are touched except a few, since we do not support those
features (yet), like SSO for example.

This feature is tested with multiple clients and all database types.

Fixes #229


Checklist:

User ✔️
  • UserLoggedIn
  • UserChangedPassword
  • UserUpdated2fa
  • UserDisabled2fa
  • UserRecovered2fa
  • UserFailedLogIn
  • UserFailedLogIn2fa
  • UserClientExportedVault
  • UserUpdatedTempPassword
  • UserMigratedKeyToKeyConnector
Cipher ✔️
  • CipherCreated
  • CipherUpdated
  • CipherDeleted
  • CipherAttachmentCreated
  • CipherAttachmentDeleted
  • CipherShared
  • CipherUpdatedCollections
  • CipherClientViewed
  • CipherClientToggledPasswordVisible
  • CipherClientToggledHiddenFieldVisible
  • CipherClientToggledCardCodeVisible
  • CipherClientCopiedPassword
  • CipherClientCopiedHiddenField
  • CipherClientCopiedCardCode
  • CipherClientAutofilled
  • CipherSoftDeleted
  • CipherRestored
  • CipherClientToggledCardNumberVisible
Collection ✔️
  • CollectionCreated
  • CollectionUpdated
  • CollectionDeleted
Group ✔️
  • GroupCreated
  • GroupUpdated
  • GroupDeleted
Org User ✔️
  • OrganizationUserInvited
  • OrganizationUserConfirmed
  • OrganizationUserUpdated
  • OrganizationUserRemoved
  • OrganizationUserUpdatedGroups
  • OrganizationUserUnlinkedSso
  • OrganizationUserResetPasswordEnroll
  • OrganizationUserResetPasswordWithdraw
  • OrganizationUserAdminResetPassword
  • OrganizationUserResetSsoLink
  • OrganizationUserFirstSsoLogin
  • OrganizationUserRevoked
  • OrganizationUserRestored
Organization ✔️
  • OrganizationUpdated
  • OrganizationPurgedVault
  • OrganizationClientExportedVault
  • OrganizationVaultAccessed
  • OrganizationEnabledSso
  • OrganizationDisabledSso
  • OrganizationEnabledKeyConnector
  • OrganizationDisabledKeyConnector
  • OrganizationSponsorshipsSynced
  • PolicyUpdated

Misc:

  • Log Admin Interface user update/delete actions.
  • Config option to enable/disable this feature
  • Test MySQL and PostgreSQL
  • Cronjob to clean event logs with a retention of x days
  • Test all event types and links the web-vault generates
  • Test other clients, Desktop, Mobile, etc.
  • Use the continuation token and load a max of 30 items at a time?

@BlackDex BlackDex force-pushed the impl-events branch 2 times, most recently from a0e4ef6 to 090fb86 Compare October 26, 2022 20:14
Owner

@dani-garcia dani-garcia left a comment

Overall looks like a good start, I think we should provide a way to disable event logging for those who aren't interested in the functionality, though.

Other than that seems like we're going to have to add a lot of event logging calls for all the available EventTypes (all of them except UserClient* and CipherClient* which are collected and sent from the client it seems)

src/api/core/events.rs (outdated, resolved)
src/api/identity.rs (outdated, resolved)
src/db/models/event.rs (outdated, resolved)
@BlackDex BlackDex force-pushed the impl-events branch 6 times, most recently from 57ddaf1 to 22b5dad Compare October 27, 2022 19:57
@BlackDex BlackDex force-pushed the impl-events branch 6 times, most recently from 838fc63 to dd6faa2 Compare November 9, 2022 20:27
@BlackDex
Collaborator Author

BlackDex commented Nov 9, 2022

Ok, I have made some larger updates now. It would be really cool if some other longtime contributors also check this PR and give their comments where needed 😄 (hinting @dani-garcia & @jjlin mostly, but others are also welcome, the more the better).

Some items you can disregard upfront (since I will remove these from this PR):

  • Library updates
  • Github Workflow adjustments
  • admin.rs clippy fixes

I also want to check if I can just have one log_event function instead of the current 3 (or maybe at least 2, log_event and log_user_event). But if you have any other thoughts about that, please let me know.

The items not yet checked above are still on the ToDo list, all other items should be there (and if you think otherwise, please point them out).

Thanks in advance!

@BlackDex BlackDex force-pushed the impl-events branch 7 times, most recently from 3ae78be to 963dbb7 Compare November 13, 2022 17:48
@BlackDex BlackDex mentioned this pull request Nov 14, 2022
60 tasks
@BlackDex BlackDex force-pushed the impl-events branch 2 times, most recently from f3a8363 to 88167c4 Compare November 18, 2022 14:45
@BlackDex
Collaborator Author

Checking Bitwarden and the events (https://bitwarden.com/help/event-logs/#what-are-event-logs) it looks like they keep the events indefinitely. I still tend to add a job to clean-up. But maybe we need to disable it by default?

@BlackDex BlackDex force-pushed the impl-events branch 2 times, most recently from 3cd40a4 to 9aa6159 Compare November 20, 2022 16:58
@BlackDex BlackDex closed this Nov 20, 2022
@BlackDex BlackDex changed the title WIP: Event logging Add Organizational event logging feature Nov 20, 2022
@BlackDex BlackDex reopened this Nov 20, 2022
@BlackDex BlackDex marked this pull request as ready for review November 20, 2022 18:22
@BlackDex
Collaborator Author

I think this PR is ready for review.
I might make some small changes maybe, but this PR now is a fully working and tested feature.
All database types have been tested. Android, Linux Desktop, CLI and Browser interactions are tested.

Please provide your comments.

@ilsalgo

ilsalgo commented Nov 23, 2022

Can I test this feature on my docker installation? How?
Thanks

@BlackDex
Collaborator Author

> Can I test this feature on my docker installation? How? Thanks

There is no image yet for this. If you really want I can build an image. But I would at least recommend to create a backup of the database before starting it.

If you want, let me know which image type, arch (x86_64, armv7) and base (Debian or Alpine).

@ilsalgo

ilsalgo commented Nov 23, 2022

I have a fresh installation for my organisation and this feature would be great for me.
I have a docker installation on Arm64 device with Armbian aarch64 based on Ubuntu

@BlackDex
Collaborator Author

BlackDex commented Nov 23, 2022

> I have a fresh installation for my organisation and this feature would be great for me. I have a docker installation on Arm64 device with Armbian aarch64 based on Ubuntu

If you dare, I have built the images locally and pushed them to my Docker Hub.
Just keep in mind that you need to switch the image once this PR has been merged :), I will probably not keep those images there for months.

See: https://hub.docker.com/r/blackdex/vaultwarden/tags
For Debian based: docker pull blackdex/vaultwarden:arm64
For Alpine based: docker pull blackdex/vaultwarden:arm64-alpine

@ilsalgo

ilsalgo commented Nov 23, 2022

I risk it with enthusiasm, I try it right away.
You are a legend, for now thanks. 💯

@ilsalgo

ilsalgo commented Nov 23, 2022

I have pulled a new image and recreated the container but the log list doesn't appear, what am I doing wrong?

@BlackDex
Collaborator Author

> I have pulled a new image and recreated the container but the log list doesn't appear, what am I doing wrong?

You need to enable it. It is disabled by default.

```
## Controls whether event logging is enabled for organizations
## This setting applies to organizations.
## Default this is disabled. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
# ORG_EVENTS_ENABLED=false
```

@ilsalgo

ilsalgo commented Nov 23, 2022

You are a man!! Works great! Thank you so much 👍

@TwoTwenty

I'll test this as well with a clone of my production setup.

This PR adds event/audit logging support for organizations.
By default this feature is disabled, since it does log a lot and adds
extra database transactions.

All events are touched except a few, since we do not support those
features (yet), like SSO for example.

This feature is tested with multiple clients and all database types.

Fixes dani-garcia#229
@ilsalgo

ilsalgo commented Nov 28, 2022

Hi, can I go back to the "latest" version without risk? Thank you

@BlackDex
Collaborator Author

> Hi, can I go back to the "latest" version without risk? Thank you

Yes you can, but as always, create a backup.

@dani-garcia dani-garcia merged commit ffa2044 into dani-garcia:main Dec 1, 2022
@BlackDex BlackDex deleted the impl-events branch December 2, 2022 09:47
@h00bi

h00bi commented Jan 2, 2023

ORG_EVENTS_ENABLED=true seems not to work for me.
I run vaultwarden since 2020 with no env file. My config is completely based on the admin panel.
I added ORG_EVENTS_ENABLED with value true to ENV section in Portainer and re-deployed 1.27.0
Cannot find the event log in my organization.

@BlackDex
Collaborator Author

BlackDex commented Jan 2, 2023

> ORG_EVENTS_ENABLED=true seems not to work for me. I run vaultwarden since 2020 with no env file. My config is completely based on the admin panel. I added ORG_EVENTS_ENABLED with value true to ENV section in Portainer and re-deployed 1.27.0 Cannot find the event log in my organization.

It should work just fine. Those are read-only config items, which should work, and are not stored within the config.json.
So, setting that environment variable and stop/start should work just fine.

Check the admin setting under the read-only section.
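
Added example (not part of the PR or the project's code): a shell check for the two situations discussed in this thread, the setting left commented out as in the quoted template, and event logging enabled without a retention period. The return codes, the acceptance of `1` as true, and the reading that an unset EVENTS_DAYS_RETAIN means events are never cleaned up are assumptions of this example.

```shell
# Added example: audit an env file (or saved `env` output) for the event-logging settings.
# Return codes (constructed for this example):
#   0 = event logging enabled and a retention period is set
#   1 = not enabled (unset, commented out, or not a true value)
#   2 = enabled, but EVENTS_DAYS_RETAIN unset/invalid (assumed: events are never cleaned up)

# Print the first uncommented value of KEY in FILE, surrounding quotes and spaces stripped.
env_value() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

check_org_events() {
    file=$1
    enabled=$(env_value ORG_EVENTS_ENABLED "$file" | tr '[:upper:]' '[:lower:]')
    retain=$(env_value EVENTS_DAYS_RETAIN "$file")

    case $enabled in
        true|1) ;;   # assumption: "1" is accepted as true
        *)
            echo "ORG_EVENTS_ENABLED is not set to true: no organization events are logged"
            return 1 ;;
    esac
    case $retain in
        ''|*[!0-9]*)
            echo "event logging on, EVENTS_DAYS_RETAIN unset or not a number: no retention limit"
            return 2 ;;
    esac
    echo "event logging on, events retained for $retain days"
    return 0
}

# Constructed sample: the default line still commented out, as in the template quoted above.
sample=$(mktemp)
printf '%s\n' '# ORG_EVENTS_ENABLED=false' 'EVENTS_DAYS_RETAIN=90' > "$sample"
check_org_events "$sample" || true
rm -f "$sample"
```

For a running container, save its environment to a file first and pass that file to `check_org_events`.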

Development

Successfully merging this pull request may close these issues.

Audit Log