feat: add audit logs for billing account details update and kyc update (#971)

rohilsurana · web-flow · commit 1a61f2f7e0a2 · 2025-04-28T14:18:02.000+05:30
* feat: add audit logs for billing account details update and kyc update

* fix: typo in error message

* feat: add check to see ensure billing account belongs to specified org

* fix: linting

* fix: remove checking for billing account before updating it

* refactor: remove unnecessary util function

* fix: typo in error message
diff --git a/core/audit/audit.go b/core/audit/audit.go
@@ -80,6 +80,7 @@ const (
 	OrgDisabledEvent      EventName = "app.organization.disabled"
 	OrgMemberCreatedEvent EventName = "app.organization.member.created"
 	OrgMemberDeletedEvent EventName = "app.organization.member.deleted"
+	OrgKycUpdatedEvent    EventName = "app.organization.kyc.updated"
 
 	ProjectCreatedEvent EventName = "app.project.created"
 	ProjectUpdatedEvent EventName = "app.project.updated"
@@ -88,6 +89,8 @@ const (
 	ResourceCreatedEvent EventName = "app.resource.created"
 	ResourceUpdatedEvent EventName = "app.resource.updated"
 	ResourceDeletedEvent EventName = "app.resource.deleted"
+
+	BillingAccountDetailsUpdatedEvent EventName = "app.billing.account.details.updated"
 )
 
 var systemEvents = []EventName{
diff --git a/internal/api/v1beta1/billing_customer.go b/internal/api/v1beta1/billing_customer.go
@@ -12,6 +12,7 @@ import (
 	"google.golang.org/grpc/status"
 
 	"github.com/raystack/frontier/billing/customer"
+	"github.com/raystack/frontier/core/audit"
 	"github.com/raystack/frontier/pkg/metadata"
 	frontierv1beta1 "github.com/raystack/frontier/proto/v1beta1"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -387,17 +388,27 @@ func (h Handler) UpdateBillingAccountDetails(ctx context.Context,
 	request *frontierv1beta1.UpdateBillingAccountDetailsRequest) (*frontierv1beta1.UpdateBillingAccountDetailsResponse, error) {
 	if request.GetDueInDays() < 0 {
 		return nil, status.Errorf(codes.FailedPrecondition,
-			"cannot create predated invoices: due in days shoule be greated than 0")
+			"cannot create predated invoices: due in days should be greater than 0")
 	}
 
-	_, err := h.customerService.UpdateDetails(ctx, request.GetId(), customer.Details{
+	details, err := h.customerService.UpdateDetails(ctx, request.GetId(), customer.Details{
 		CreditMin: request.GetCreditMin(),
 		DueInDays: request.GetDueInDays(),
 	})
 	if err != nil {
 		return nil, err
 	}
 
+	// Add audit log
+	audit.GetAuditor(ctx, request.GetOrgId()).
+		LogWithAttrs(audit.BillingAccountDetailsUpdatedEvent, audit.Target{
+			ID:   request.GetId(),
+			Type: "billing_account",
+		}, map[string]string{
+			"credit_min":  fmt.Sprintf("%d", details.CreditMin),
+			"due_in_days": fmt.Sprintf("%d", details.DueInDays),
+		})
+
 	return &frontierv1beta1.UpdateBillingAccountDetailsResponse{}, nil
 }
 
diff --git a/internal/api/v1beta1/billing_customer_test.go b/internal/api/v1beta1/billing_customer_test.go
@@ -2,10 +2,12 @@ package v1beta1
 
 import (
 	"context"
+	"errors"
 	"testing"
 
 	"github.com/google/uuid"
 	"github.com/raystack/frontier/billing/customer"
+	"github.com/raystack/frontier/core/audit"
 	"github.com/raystack/frontier/core/organization"
 	"github.com/raystack/frontier/internal/api/v1beta1/mocks"
 	frontierv1beta1 "github.com/raystack/frontier/proto/v1beta1"
@@ -90,3 +92,78 @@ func TestHandler_GetRequestCustomerID(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdateBillingAccountDetails(t *testing.T) {
+	tests := []struct {
+		name              string
+		request           *frontierv1beta1.UpdateBillingAccountDetailsRequest
+		mockUpdateDetails customer.Details
+		mockUpdateError   error
+		expectError       bool
+		expectedError     error
+	}{
+		{
+			name: "successful billing account details update",
+			request: &frontierv1beta1.UpdateBillingAccountDetailsRequest{
+				Id:        "billing-account-id",
+				CreditMin: -100,
+				DueInDays: 30,
+			},
+			mockUpdateDetails: customer.Details{
+				CreditMin: -100,
+				DueInDays: 30,
+			},
+			mockUpdateError: nil,
+			expectError:     false,
+		},
+		{
+			name: "negative due in days error",
+			request: &frontierv1beta1.UpdateBillingAccountDetailsRequest{
+				Id:        "billing-account-id",
+				CreditMin: -100,
+				DueInDays: -1, // Negative due_in_days not allowed
+			},
+			expectError: true,
+		},
+		{
+			name: "update details error",
+			request: &frontierv1beta1.UpdateBillingAccountDetailsRequest{
+				Id:        "billing-account-id",
+				CreditMin: -100,
+				DueInDays: 30,
+			},
+			mockUpdateError: errors.New("failed to update details"),
+			expectError:     true,
+			expectedError:   errors.New("failed to update details"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockCustomerService := mocks.NewCustomerService(t)
+
+			if tt.request.GetDueInDays() >= 0 {
+				mockCustomerService.EXPECT().UpdateDetails(mock.Anything, tt.request.GetId(), mock.Anything).
+					Return(tt.mockUpdateDetails, tt.mockUpdateError)
+			}
+
+			handler := Handler{
+				customerService: mockCustomerService,
+			}
+
+			ctx := context.Background()
+			ctx = audit.SetContextWithService(ctx, audit.NewService("test", audit.NewNoopRepository(), audit.NewNoopWebhookService()))
+
+			_, err := handler.UpdateBillingAccountDetails(ctx, tt.request)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				if tt.expectedError != nil {
+					assert.Equal(t, tt.expectedError.Error(), err.Error())
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/internal/api/v1beta1/kyc.go b/internal/api/v1beta1/kyc.go
@@ -3,7 +3,9 @@ package v1beta1
 import (
 	"context"
 	"errors"
+	"strconv"
 
+	"github.com/raystack/frontier/core/audit"
 	"github.com/raystack/frontier/core/kyc"
 	frontierv1beta1 "github.com/raystack/frontier/proto/v1beta1"
 	"google.golang.org/grpc/codes"
@@ -37,6 +39,14 @@ func (h Handler) SetOrganizationKyc(ctx context.Context, request *frontierv1beta
 			return nil, err
 		}
 	}
+
+	// Add audit log
+	audit.GetAuditor(ctx, orgKyc.OrgID).
+		LogWithAttrs(audit.OrgKycUpdatedEvent, audit.OrgTarget(orgKyc.OrgID), map[string]string{
+			"status": strconv.FormatBool(orgKyc.Status),
+			"link":   orgKyc.Link,
+		})
+
 	return &frontierv1beta1.SetOrganizationKycResponse{OrganizationKyc: transformOrgKycToPB(orgKyc)}, nil
 }
 
diff --git a/internal/api/v1beta1/kyc_test.go b/internal/api/v1beta1/kyc_test.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/raystack/frontier/core/audit"
 	"github.com/raystack/frontier/core/kyc"
 	"github.com/raystack/frontier/internal/api/v1beta1/mocks"
 	frontierv1beta1 "github.com/raystack/frontier/proto/v1beta1"
@@ -90,16 +91,37 @@ func TestSetOrganizationKyc(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			h := Handler{orgKycService: tt.mockService}
-			tt.mockService.On("SetKyc", mock.Anything, mock.Anything).Return(tt.mockResponse, tt.mockError)
-			resp, err := h.SetOrganizationKyc(context.Background(), tt.request)
+			// Setup mock behavior
+			if tt.mockError != nil {
+				tt.mockService.EXPECT().SetKyc(mock.Anything, mock.Anything).Return(kyc.KYC{}, tt.mockError)
+			} else {
+				tt.mockService.EXPECT().SetKyc(mock.Anything, mock.Anything).Return(tt.mockResponse, nil)
+			}
+
+			// Create handler with mock service
+			handler := Handler{
+				orgKycService: tt.mockService,
+			}
 
+			// Create context with audit service
+			ctx := context.Background()
+			ctx = audit.SetContextWithService(ctx, audit.NewService("test", audit.NewNoopRepository(), audit.NewNoopWebhookService()))
+
+			// Call the handler method
+			response, err := handler.SetOrganizationKyc(ctx, tt.request)
+
+			// Verify results
 			if tt.expectError {
 				assert.Error(t, err)
-				assert.Equal(t, tt.expectedError.Error(), err.Error())
+				if tt.expectedError != nil {
+					assert.Equal(t, tt.expectedError.Error(), err.Error())
+				}
 			} else {
 				assert.NoError(t, err)
-				assert.NotNil(t, resp)
+				assert.NotNil(t, response)
+				assert.Equal(t, tt.mockResponse.OrgID, response.GetOrganizationKyc().GetOrgId())
+				assert.Equal(t, tt.mockResponse.Status, response.GetOrganizationKyc().GetStatus())
+				assert.Equal(t, tt.mockResponse.Link, response.GetOrganizationKyc().GetLink())
 			}
 		})
 	}
diff --git a/pkg/server/interceptors/authorization.go b/pkg/server/interceptors/authorization.go
@@ -1044,9 +1044,17 @@ var authorizationValidationMap = map[string]func(ctx context.Context, handler *v
 		return handler.IsSuperUser(ctx)
 	},
 	"/raystack.frontier.v1beta1.AdminService/GetBillingAccountDetails": func(ctx context.Context, handler *v1beta1.Handler, req any) error {
+		pbReq := req.(*frontierv1beta1.GetBillingAccountDetailsRequest)
+		if err := ensureBillingAccountBelongToOrg(ctx, handler, pbReq.GetOrgId(), pbReq.GetId()); err != nil {
+			return err
+		}
 		return handler.IsSuperUser(ctx)
 	},
 	"/raystack.frontier.v1beta1.AdminService/UpdateBillingAccountDetails": func(ctx context.Context, handler *v1beta1.Handler, req any) error {
+		pbReq := req.(*frontierv1beta1.UpdateBillingAccountDetailsRequest)
+		if err := ensureBillingAccountBelongToOrg(ctx, handler, pbReq.GetOrgId(), pbReq.GetId()); err != nil {
+			return err
+		}
 		return handler.IsSuperUser(ctx)
 	},
 	"/raystack.frontier.v1beta1.AdminService/RevertBillingUsage": func(ctx context.Context, handler *v1beta1.Handler, req any) error {
