Audit logging

[woodruffw]

Adds UserEvent and ProjectEvent models, as well as corresponding helpers for recording events.

A shortlist of loggable events (not all of which need to be part of this PR):

Users:

• Login (+ whether a 2FA method was used)
• Token creation/deletion
• 2FA method creation/deletion
• Email addition/removal/verification/deverification
• Password change

Projects:

• Version upload/removal
• Change in owner/maintainers
• Token creation by a user with the project in scope

TODO:

• Add asserts to record_event calls in unit tests, where appropriate.
• Restrict retrieval of user events to a recent timespan (last two weeks?)
• Allow Warehouse admins to view the events for a user/project

Summary of events added:

Users:

• account:email:add (New email added to account)
• account:email:remove (Email removed from account)
• account:email:primary:change (Primary email changed or added)
• account:email:reverify (Email reverified)
• account:password:change (Account password changed)
• account:two_factor:method_added (Two factor method added)
• account:two_factor:method_removed (Two factor method removed)
• account:api_token:added (API token added)
• account:api_token:removed (API token removed)
• account:create (Account created)
• account:password:reset:request (Password reset request sent)
• account:password:reset (Password reset request completed)
• account:email:verified (Email address verified)
• account:login:success (Successful login)

Projects:

• project:create (Project created)
• project:release:added (New project release added)
• project:release:removed (Project release removed)
• project:release:file:removed (Project release file removed)
• project:api_token:added (API token added w/ project in scope)
• project:api_token:removed (API token removed w/ project in scope)
• project:role:add (New role added to project)
• project:role:delete (Role removed from project)
• project:role:change (Role changed in project)

cc @brainwane @ewdurbin @di @dstufft @nlhkabu

Closes #5863.

[woodruffw]

@nlhkabu this should be ready for your input on UI/X 😄

[nlhkabu]

Thanks @woodruffw

I've formatted the new events in the security history page - but I wasn't sure how I could test these... Would you be able to generate a screenshot on your side?

Also, I was wondering - is there a technical reason why we don't capture/expose data re: the user who has created the release, removed the release and removed the file? I would have thought this is pretty useful information to expose.

[woodruffw]

but I wasn't sure how I could test these... Would you be able to generate a screenshot on your side?

For project:create and project:release:add, you should be able to test them by creating a token and uploading a new project to your local instance. For project:release:remove and project:release:file:remove, you should be able to use the management view to delete an extant release or particular file, which should trigger the event. I'll also take a screenshot in a bit 🙂

Also, I was wondering - is there a technical reason why we don't capture/expose data re: the user who has created the release, removed the release and removed the file? I would have thought this is pretty useful information to expose.

Nope, just an oversight on my part. I'll expose this information.

[woodruffw]

Here's what the new events look like:

[woodruffw]

Woot!