Sync GovOPlaN module state
This commit is contained in:
@@ -1,7 +1,12 @@
|
||||
from __future__ import annotations
|
||||
|
||||
from govoplan_audit.backend.db import models as audit_models # noqa: F401 - populate Audit ORM metadata
|
||||
from govoplan_core.core.access import CAPABILITY_AUTH_PERMISSION_EVALUATOR, CAPABILITY_AUTH_PRINCIPAL_RESOLVER
|
||||
from govoplan_core.core.access import (
|
||||
CAPABILITY_AUDIT_RECORDER,
|
||||
CAPABILITY_AUDIT_RETENTION,
|
||||
CAPABILITY_AUTH_PERMISSION_EVALUATOR,
|
||||
CAPABILITY_AUTH_PRINCIPAL_RESOLVER,
|
||||
)
|
||||
from govoplan_core.core.module_guards import drop_table_retirement_provider, persistent_table_uninstall_guard
|
||||
from govoplan_core.core.modules import MigrationSpec, ModuleContext, ModuleManifest
|
||||
from govoplan_core.db.base import Base
|
||||
@@ -14,6 +19,20 @@ def _route_factory(context: ModuleContext):
|
||||
return router
|
||||
|
||||
|
||||
def _audit_recorder(context: ModuleContext):
|
||||
del context
|
||||
from govoplan_audit.backend.recording import SqlAuditRecorder
|
||||
|
||||
return SqlAuditRecorder()
|
||||
|
||||
|
||||
def _audit_retention(context: ModuleContext):
|
||||
del context
|
||||
from govoplan_audit.backend.retention import SqlAuditRetentionProvider
|
||||
|
||||
return SqlAuditRetentionProvider()
|
||||
|
||||
|
||||
manifest = ModuleManifest(
|
||||
id="audit",
|
||||
name="Audit",
|
||||
@@ -30,6 +49,10 @@ manifest = ModuleManifest(
|
||||
uninstall_guard_providers=(
|
||||
persistent_table_uninstall_guard(audit_models.AuditLog, label="Audit"),
|
||||
),
|
||||
capability_factories={
|
||||
CAPABILITY_AUDIT_RECORDER: _audit_recorder,
|
||||
CAPABILITY_AUDIT_RETENTION: _audit_retention,
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
|
||||
45
src/govoplan_audit/backend/recording.py
Normal file
45
src/govoplan_audit/backend/recording.py
Normal file
@@ -0,0 +1,45 @@
|
||||
from __future__ import annotations
|
||||
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from govoplan_audit.backend.db.models import AuditLog
|
||||
from govoplan_core.core.access import AuditEvent, AuditRecordRef, AuditRecorder
|
||||
|
||||
|
||||
class SqlAuditRecorder(AuditRecorder):
|
||||
def record_event(self, session: object, event: AuditEvent) -> AuditRecordRef:
|
||||
db = _session(session)
|
||||
item = AuditLog(
|
||||
scope=event.scope,
|
||||
tenant_id=event.tenant_id,
|
||||
user_id=event.user_id,
|
||||
api_key_id=event.api_key_id,
|
||||
action=event.action,
|
||||
object_type=event.resource_type,
|
||||
object_id=event.resource_id,
|
||||
details=dict(event.details or {}),
|
||||
)
|
||||
db.add(item)
|
||||
db.flush()
|
||||
return _record_ref(item)
|
||||
|
||||
|
||||
def _record_ref(item: AuditLog) -> AuditRecordRef:
|
||||
return AuditRecordRef(
|
||||
id=item.id,
|
||||
scope=item.scope,
|
||||
tenant_id=item.tenant_id,
|
||||
user_id=item.user_id,
|
||||
api_key_id=item.api_key_id,
|
||||
action=item.action,
|
||||
object_type=item.object_type,
|
||||
object_id=item.object_id,
|
||||
details=dict(item.details or {}),
|
||||
created_at=item.created_at,
|
||||
)
|
||||
|
||||
|
||||
def _session(session: object) -> Session:
|
||||
if not isinstance(session, Session):
|
||||
raise TypeError("Audit recording requires a SQLAlchemy Session")
|
||||
return session
|
||||
74
src/govoplan_audit/backend/retention.py
Normal file
74
src/govoplan_audit/backend/retention.py
Normal file
@@ -0,0 +1,74 @@
|
||||
from __future__ import annotations
|
||||
|
||||
from collections.abc import Callable, Mapping
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from govoplan_audit.backend.db.models import AuditLog
|
||||
from govoplan_audit.backend.recording import _record_ref
|
||||
from govoplan_core.core.access import AuditRecordRef, AuditRetentionProvider
|
||||
|
||||
|
||||
class SqlAuditRetentionProvider(AuditRetentionProvider):
|
||||
def apply_detail_retention(
|
||||
self,
|
||||
session: object,
|
||||
*,
|
||||
dry_run: bool,
|
||||
now: datetime,
|
||||
policy_for_record: Callable[[AuditRecordRef], object],
|
||||
) -> Mapping[str, int]:
|
||||
db = _session(session)
|
||||
result = {"eligible": 0, "redacted": 0, "already_redacted": 0}
|
||||
items = db.query(AuditLog).order_by(AuditLog.created_at.asc()).all()
|
||||
for item in items:
|
||||
policy = policy_for_record(_record_ref(item))
|
||||
cutoff = _cutoff(getattr(policy, "audit_detail_retention_days", None), now=now)
|
||||
if not _is_before_cutoff(item.created_at, cutoff):
|
||||
continue
|
||||
details = item.details if isinstance(item.details, dict) else {}
|
||||
if details.get("_retention", {}).get("audit_detail_redacted"):
|
||||
result["already_redacted"] += 1
|
||||
continue
|
||||
result["eligible"] += 1
|
||||
if dry_run:
|
||||
continue
|
||||
item.details = {
|
||||
"_retention": {
|
||||
"audit_detail_redacted": True,
|
||||
"redacted_at": now.isoformat(),
|
||||
"original_detail_sha256": _json_sha256(details),
|
||||
}
|
||||
}
|
||||
db.add(item)
|
||||
result["redacted"] += 1
|
||||
return result
|
||||
|
||||
|
||||
def _cutoff(days: int | None, *, now: datetime) -> datetime | None:
|
||||
if days is None:
|
||||
return None
|
||||
return now - timedelta(days=days)
|
||||
|
||||
|
||||
def _is_before_cutoff(value: datetime | None, cutoff: datetime | None) -> bool:
|
||||
if value is None or cutoff is None:
|
||||
return False
|
||||
candidate = value
|
||||
if candidate.tzinfo is None:
|
||||
candidate = candidate.replace(tzinfo=cutoff.tzinfo)
|
||||
return candidate < cutoff
|
||||
|
||||
|
||||
def _json_sha256(value: object) -> str:
|
||||
import hashlib
|
||||
import json
|
||||
|
||||
return hashlib.sha256(json.dumps(value, sort_keys=True, default=str).encode("utf-8")).hexdigest()
|
||||
|
||||
|
||||
def _session(session: object) -> Session:
|
||||
if not isinstance(session, Session):
|
||||
raise TypeError("Audit retention requires a SQLAlchemy Session")
|
||||
return session
|
||||
Reference in New Issue
Block a user