Limit the deployment history in the system-udf (#42278)

Prevent from seeing audit logs before the retention period. Manually tested and confirmed the UDF throws. GitOrigin-RevId: eecc56dd7fba1728f80e8d3d999229e55cc6cd2a

Author: nipunn1313

npm-packages/system-udfs/convex/_system/frontend/listDeploymentEventsFromTime.ts

@@ -1,6 +1,7 @@
 import { Doc } from "../../_generated/dataModel";
 import { queryPrivateSystem } from "../secretSystemTables";
 import { v } from "convex/values";
+import { clampForAuditLogRetention } from "./paginatedDeploymentEvents";
 
 /**
  * Get the deployment events on or after the provided timestamp from least recent
@@ -12,6 +13,7 @@ export default queryPrivateSystem({
  { db },
  { fromTimestamp },
  ): Promise<Doc<"_deployment_audit_log">[]> {
+ fromTimestamp = await clampForAuditLogRetention(db, fromTimestamp);
  return await db
  .query("_deployment_audit_log")
  .withIndex("by_creation_time", (q) =>

npm-packages/system-udfs/convex/_system/frontend/paginatedDeploymentEvents.ts

@@ -2,6 +2,7 @@ import { paginationOptsValidator } from "convex/server";
 import { queryPrivateSystem } from "../secretSystemTables";
 import { v } from "convex/values";
 import { maximumBytesRead, maximumRowsRead } from "../paginationLimits";
+import { DatabaseReader } from "../../_generated/server";
 
 /**
  * Paginated query for the deployment events from most recent to least recent
@@ -17,6 +18,8 @@ export default queryPrivateSystem({
  }),
  },
  handler: async function ({ db }, { paginationOpts, filters }) {
+ filters.minDate = await clampForAuditLogRetention(db, filters.minDate);
+
  const paginatedResults = await db
  .query("_deployment_audit_log")
  .withIndex("by_creation_time", (q) => {
@@ -58,3 +61,21 @@ export default queryPrivateSystem({
  return paginatedResults;
  },
 });
+
+export async function clampForAuditLogRetention(
+ db: DatabaseReader,
+ minDate: number,
+) {
+ const backendInfo = await db.query("_backend_info").first();
+ const auditLogRetentionDays = Number(backendInfo?.auditLogRetentionDays || 0);
+ // no limit if auditLogRetentionDays is -1
+ if (auditLogRetentionDays === -1) {
+ return minDate;
+ }
+ const minAllowable =
+ Date.now() - (auditLogRetentionDays + 1) * 24 * 60 * 60 * 1000;
+ if (minDate < minAllowable) {
+ return minAllowable;
+ }
+ return minDate;
+}

npm-packages/system-udfs/convex/schema.ts

@@ -445,4 +445,7 @@ export default defineSchema({
  _backend_state: backendStateTable,
  _snapshot_imports: snapshotImportsTable,
  _aws_lambda_versions: awsLambdaVersionsTable,
+ _backend_info: defineTable({
+ auditLogRetentionDays: v.union(v.int64(), v.null()),
+ }),
 });