Index
- type AuditContext
- type AuditEvent
- func NewDeniedEvent(action auditdom.Action, resourceType auditdom.ResourceType, resourceID string, ...) AuditEvent
- func NewFailureEvent(action auditdom.Action, resourceType auditdom.ResourceType, resourceID string, ...) AuditEvent
- func NewSuccessEvent(action auditdom.Action, resourceType auditdom.ResourceType, resourceID string) AuditEvent
- func (e AuditEvent) WithChanges(changes *auditdom.Changes) AuditEvent
- func (e AuditEvent) WithMessage(message string) AuditEvent
- func (e AuditEvent) WithMetadata(key string, value any) AuditEvent
- func (e AuditEvent) WithResourceName(name string) AuditEvent
- func (e AuditEvent) WithSeverity(severity auditdom.Severity) AuditEvent
- type AuditService
- func (s *AuditService) CleanupOldLogs(ctx context.Context, retentionDays int) (int64, error)
- func (s *AuditService) GetActionCount(ctx context.Context, tenantID string, action auditdom.Action, since time.Time) (int64, error)
- func (s *AuditService) GetAuditLog(ctx context.Context, auditLogID string) (*auditdom.AuditLog, error)
- func (s *AuditService) GetResourceHistory(ctx context.Context, tenantID shared.ID, resourceType, resourceID string, ...) (pagination.Result[*auditdom.AuditLog], error)
- func (s *AuditService) GetUserActivity(ctx context.Context, userID string, page, perPage int) (pagination.Result[*auditdom.AuditLog], error)
- func (s *AuditService) ListAuditLogs(ctx context.Context, input ListAuditLogsInput) (pagination.Result[*auditdom.AuditLog], error)
- func (s *AuditService) LogAgentActivated(ctx context.Context, actx AuditContext, agentID, agentName string) error
- func (s *AuditService) LogAgentConnected(ctx context.Context, actx AuditContext, agentID, agentName, ipAddress string) error
- func (s *AuditService) LogAgentCreated(ctx context.Context, actx AuditContext, agentID, agentName, agentType string) error
- func (s *AuditService) LogAgentDeactivated(ctx context.Context, actx AuditContext, agentID, agentName, reason string) error
- func (s *AuditService) LogAgentDeleted(ctx context.Context, actx AuditContext, agentID, agentName string) error
- func (s *AuditService) LogAgentDisconnected(ctx context.Context, actx AuditContext, agentID, agentName string) error
- func (s *AuditService) LogAgentKeyRegenerated(ctx context.Context, actx AuditContext, agentID, agentName string) error
- func (s *AuditService) LogAgentRevoked(ctx context.Context, actx AuditContext, agentID, agentName, reason string) error
- func (s *AuditService) LogAgentUpdated(ctx context.Context, actx AuditContext, agentID, agentName string, ...) error
- func (s *AuditService) LogAuthFailed(ctx context.Context, actx AuditContext, reason string) error
- func (s *AuditService) LogCredentialAccessed(ctx context.Context, actx AuditContext, credID, name string) error
- func (s *AuditService) LogCredentialCreated(ctx context.Context, actx AuditContext, credID, name, credType string) error
- func (s *AuditService) LogCredentialDeleted(ctx context.Context, actx AuditContext, credID string) error
- func (s *AuditService) LogCredentialUpdated(ctx context.Context, actx AuditContext, credID, name string) error
- func (s *AuditService) LogEvent(ctx context.Context, actx AuditContext, event AuditEvent) error
- func (s *AuditService) LogInvitationAccepted(ctx context.Context, actx AuditContext, invitationID, email string) error
- func (s *AuditService) LogInvitationCreated(ctx context.Context, actx AuditContext, invitationID, email, role string) error
- func (s *AuditService) LogMemberAdded(ctx context.Context, actx AuditContext, membershipID, email, role string) error
- func (s *AuditService) LogMemberRemoved(ctx context.Context, actx AuditContext, membershipID, email string) error
- func (s *AuditService) LogMemberRoleChanged(ctx context.Context, actx AuditContext, ...) error
- func (s *AuditService) LogPermissionDenied(ctx context.Context, actx AuditContext, resourceType auditdom.ResourceType, ...) error
- func (s *AuditService) LogRuleOverrideCreated(ctx context.Context, actx AuditContext, overrideID, pattern string) error
- func (s *AuditService) LogRuleOverrideDeleted(ctx context.Context, actx AuditContext, overrideID, pattern string) error
- func (s *AuditService) LogRuleOverrideUpdated(ctx context.Context, actx AuditContext, overrideID, pattern string) error
- func (s *AuditService) LogRuleSourceCreated(ctx context.Context, actx AuditContext, sourceID, name, sourceType string) error
- func (s *AuditService) LogRuleSourceDeleted(ctx context.Context, actx AuditContext, sourceID, name string) error
- func (s *AuditService) LogRuleSourceUpdated(ctx context.Context, actx AuditContext, sourceID, name string) error
- func (s *AuditService) LogUserCreated(ctx context.Context, actx AuditContext, userID, email string) error
- func (s *AuditService) LogUserLogin(ctx context.Context, actx AuditContext, userID, email string) error
- func (s *AuditService) LogUserLogout(ctx context.Context, actx AuditContext, userID, email string) error
- func (s *AuditService) LogUserRegistered(ctx context.Context, actx AuditContext, userID, email string) error
- func (s *AuditService) LogUserSuspended(ctx context.Context, actx AuditContext, userID, email, reason string) error
- func (s *AuditService) LogUserUpdated(ctx context.Context, actx AuditContext, userID, email string, ...) error
- func (s *AuditService) VerifyChain(ctx context.Context, tenantID shared.ID, limit int) (*ChainVerifyResult, error)
- type ChainBreak
- type ChainVerifyResult
- type ListAuditLogsInput
Types ¶
type AuditContext ¶
// AuditContext holds contextual information for audit logging: the tenant the
// event is recorded under, the acting principal, and request-level
// identifiers. Every AuditService.Log* method takes one of these as actx.
type AuditContext struct {
	TenantID   string
	ActorID    string
	ActorEmail string
	// NOTE(review): ActorIP and UserAgent are presumably copied from the
	// inbound request; if a proxy/forwarded header is the source, treat them
	// as attacker-influenced forensic hints rather than trusted facts — confirm
	// how the caller populates them.
	ActorIP   string
	UserAgent string
	RequestID string
	SessionID string
	// ActorRole captures the caller's role at the moment of the action.
	// Used by pentest module to distinguish reviewer QA edits from creator
	// self-edits in audit forensics. Optional — empty for non-pentest paths.
	ActorRole string
}
AuditContext holds contextual information for audit logging.
type AuditEvent ¶
// AuditEvent represents an audit event to log. Build one with
// NewSuccessEvent, NewFailureEvent or NewDeniedEvent and refine it with the
// With* methods, which have value receivers and return a modified copy.
type AuditEvent struct {
	Action       auditdom.Action
	ResourceType auditdom.ResourceType
	ResourceID   string
	ResourceName string
	Result       auditdom.Result
	Severity     auditdom.Severity
	Changes      *auditdom.Changes
	Message      string
	// NOTE(review): Metadata is a map, so copies returned by the With* methods
	// share the same underlying map unless WithMetadata clones it before
	// writing — confirm against the implementation before reusing a base event.
	Metadata map[string]any
}
AuditEvent represents an audit event to log.
func NewDeniedEvent ¶
func NewDeniedEvent(action auditdom.Action, resourceType auditdom.ResourceType, resourceID string, reason string) AuditEvent
NewDeniedEvent creates a denied audit event.
func NewFailureEvent ¶
func NewFailureEvent(action auditdom.Action, resourceType auditdom.ResourceType, resourceID string, err error) AuditEvent
NewFailureEvent creates a failure audit event.
func NewSuccessEvent ¶
func NewSuccessEvent(action auditdom.Action, resourceType auditdom.ResourceType, resourceID string) AuditEvent
NewSuccessEvent creates a success audit event.
func (AuditEvent) WithChanges ¶
func (e AuditEvent) WithChanges(changes *auditdom.Changes) AuditEvent
WithChanges sets the changes.
func (AuditEvent) WithMessage ¶
func (e AuditEvent) WithMessage(message string) AuditEvent
WithMessage sets the message.
func (AuditEvent) WithMetadata ¶
func (e AuditEvent) WithMetadata(key string, value any) AuditEvent
WithMetadata adds metadata.
func (AuditEvent) WithResourceName ¶
func (e AuditEvent) WithResourceName(name string) AuditEvent
WithResourceName sets the resource name.
func (AuditEvent) WithSeverity ¶
func (e AuditEvent) WithSeverity(severity auditdom.Severity) AuditEvent
WithSeverity sets the severity.
type AuditService ¶
type AuditService struct {
// contains filtered or unexported fields
}
AuditService handles audit logging operations.
func NewAuditService ¶
func NewAuditService(repo auditdom.Repository, log *logger.Logger) *AuditService
NewAuditService creates a new AuditService.
func (*AuditService) CleanupOldLogs ¶
CleanupOldLogs removes audit logs older than retentionDays (the retention period), but preserves logs of high or critical severity.
func (*AuditService) GetActionCount ¶
func (s *AuditService) GetActionCount(ctx context.Context, tenantID string, action auditdom.Action, since time.Time) (int64, error)
GetActionCount returns the count of a specific action within a time range.
func (*AuditService) GetAuditLog ¶
func (s *AuditService) GetAuditLog(ctx context.Context, auditLogID string) (*auditdom.AuditLog, error)
GetAuditLog retrieves an audit log by ID.
func (*AuditService) GetResourceHistory ¶
func (s *AuditService) GetResourceHistory(ctx context.Context, tenantID shared.ID, resourceType, resourceID string, page, perPage int) (pagination.Result[*auditdom.AuditLog], error)
GetResourceHistory retrieves audit history for a specific resource within a tenant. tenantID MUST be provided to prevent cross-tenant reads (F-2).
func (*AuditService) GetUserActivity ¶
func (s *AuditService) GetUserActivity(ctx context.Context, userID string, page, perPage int) (pagination.Result[*auditdom.AuditLog], error)
GetUserActivity retrieves audit logs for a specific user. Note that, unlike GetResourceHistory, its signature takes no tenantID, so this method does not itself scope the results to a tenant.
func (*AuditService) ListAuditLogs ¶
func (s *AuditService) ListAuditLogs(ctx context.Context, input ListAuditLogsInput) (pagination.Result[*auditdom.AuditLog], error)
ListAuditLogs retrieves audit logs with filtering and pagination.
func (*AuditService) LogAgentActivated ¶
func (s *AuditService) LogAgentActivated(ctx context.Context, actx AuditContext, agentID, agentName string) error
LogAgentActivated logs an agent activation event.
func (*AuditService) LogAgentConnected ¶
func (s *AuditService) LogAgentConnected(ctx context.Context, actx AuditContext, agentID, agentName, ipAddress string) error
LogAgentConnected logs when an agent first connects (comes online).
func (*AuditService) LogAgentCreated ¶
func (s *AuditService) LogAgentCreated(ctx context.Context, actx AuditContext, agentID, agentName, agentType string) error
LogAgentCreated logs an agent creation event.
func (*AuditService) LogAgentDeactivated ¶
func (s *AuditService) LogAgentDeactivated(ctx context.Context, actx AuditContext, agentID, agentName, reason string) error
LogAgentDeactivated logs an agent deactivation event.
func (*AuditService) LogAgentDeleted ¶
func (s *AuditService) LogAgentDeleted(ctx context.Context, actx AuditContext, agentID, agentName string) error
LogAgentDeleted logs an agent deletion event.
func (*AuditService) LogAgentDisconnected ¶
func (s *AuditService) LogAgentDisconnected(ctx context.Context, actx AuditContext, agentID, agentName string) error
LogAgentDisconnected logs when an agent goes offline (timeout).
func (*AuditService) LogAgentKeyRegenerated ¶
func (s *AuditService) LogAgentKeyRegenerated(ctx context.Context, actx AuditContext, agentID, agentName string) error
LogAgentKeyRegenerated logs an agent API key regeneration event.
func (*AuditService) LogAgentRevoked ¶
func (s *AuditService) LogAgentRevoked(ctx context.Context, actx AuditContext, agentID, agentName, reason string) error
LogAgentRevoked logs an agent revocation event.
func (*AuditService) LogAgentUpdated ¶
func (s *AuditService) LogAgentUpdated(ctx context.Context, actx AuditContext, agentID, agentName string, changes *auditdom.Changes) error
LogAgentUpdated logs an agent update event.
func (*AuditService) LogAuthFailed ¶
func (s *AuditService) LogAuthFailed(ctx context.Context, actx AuditContext, reason string) error
LogAuthFailed logs an authentication failure event.
func (*AuditService) LogCredentialAccessed ¶
func (s *AuditService) LogCredentialAccessed(ctx context.Context, actx AuditContext, credID, name string) error
LogCredentialAccessed logs a credential access (decrypt) event.
func (*AuditService) LogCredentialCreated ¶
func (s *AuditService) LogCredentialCreated(ctx context.Context, actx AuditContext, credID, name, credType string) error
LogCredentialCreated logs a credential creation event.
func (*AuditService) LogCredentialDeleted ¶
func (s *AuditService) LogCredentialDeleted(ctx context.Context, actx AuditContext, credID string) error
LogCredentialDeleted logs a credential deletion event.
func (*AuditService) LogCredentialUpdated ¶
func (s *AuditService) LogCredentialUpdated(ctx context.Context, actx AuditContext, credID, name string) error
LogCredentialUpdated logs a credential update event.
func (*AuditService) LogEvent ¶
func (s *AuditService) LogEvent(ctx context.Context, actx AuditContext, event AuditEvent) error
LogEvent creates and persists an audit log entry.
func (*AuditService) LogInvitationAccepted ¶
func (s *AuditService) LogInvitationAccepted(ctx context.Context, actx AuditContext, invitationID, email string) error
LogInvitationAccepted logs an invitation acceptance event.
func (*AuditService) LogInvitationCreated ¶
func (s *AuditService) LogInvitationCreated(ctx context.Context, actx AuditContext, invitationID, email, role string) error
LogInvitationCreated logs an invitation creation event.
func (*AuditService) LogMemberAdded ¶
func (s *AuditService) LogMemberAdded(ctx context.Context, actx AuditContext, membershipID, email, role string) error
LogMemberAdded logs a member addition event.
func (*AuditService) LogMemberRemoved ¶
func (s *AuditService) LogMemberRemoved(ctx context.Context, actx AuditContext, membershipID, email string) error
LogMemberRemoved logs a member removal event.
func (*AuditService) LogMemberRoleChanged ¶
func (s *AuditService) LogMemberRoleChanged(ctx context.Context, actx AuditContext, membershipID, email, oldRole, newRole string) error
LogMemberRoleChanged logs a member role change event.
func (*AuditService) LogPermissionDenied ¶
func (s *AuditService) LogPermissionDenied(ctx context.Context, actx AuditContext, resourceType auditdom.ResourceType, resourceID, action, reason string) error
LogPermissionDenied logs a permission denied event.
func (*AuditService) LogRuleOverrideCreated ¶
func (s *AuditService) LogRuleOverrideCreated(ctx context.Context, actx AuditContext, overrideID, pattern string) error
LogRuleOverrideCreated logs a rule override creation event.
func (*AuditService) LogRuleOverrideDeleted ¶
func (s *AuditService) LogRuleOverrideDeleted(ctx context.Context, actx AuditContext, overrideID, pattern string) error
LogRuleOverrideDeleted logs a rule override deletion event.
func (*AuditService) LogRuleOverrideUpdated ¶
func (s *AuditService) LogRuleOverrideUpdated(ctx context.Context, actx AuditContext, overrideID, pattern string) error
LogRuleOverrideUpdated logs a rule override update event.
func (*AuditService) LogRuleSourceCreated ¶
func (s *AuditService) LogRuleSourceCreated(ctx context.Context, actx AuditContext, sourceID, name, sourceType string) error
LogRuleSourceCreated logs a rule source creation event.
func (*AuditService) LogRuleSourceDeleted ¶
func (s *AuditService) LogRuleSourceDeleted(ctx context.Context, actx AuditContext, sourceID, name string) error
LogRuleSourceDeleted logs a rule source deletion event.
func (*AuditService) LogRuleSourceUpdated ¶
func (s *AuditService) LogRuleSourceUpdated(ctx context.Context, actx AuditContext, sourceID, name string) error
LogRuleSourceUpdated logs a rule source update event.
func (*AuditService) LogUserCreated ¶
func (s *AuditService) LogUserCreated(ctx context.Context, actx AuditContext, userID, email string) error
LogUserCreated logs a user creation event.
func (*AuditService) LogUserLogin ¶
func (s *AuditService) LogUserLogin(ctx context.Context, actx AuditContext, userID, email string) error
LogUserLogin logs a user login event.
func (*AuditService) LogUserLogout ¶
func (s *AuditService) LogUserLogout(ctx context.Context, actx AuditContext, userID, email string) error
LogUserLogout logs a user logout event.
func (*AuditService) LogUserRegistered ¶
func (s *AuditService) LogUserRegistered(ctx context.Context, actx AuditContext, userID, email string) error
LogUserRegistered logs a user registration event.
func (*AuditService) LogUserSuspended ¶
func (s *AuditService) LogUserSuspended(ctx context.Context, actx AuditContext, userID, email, reason string) error
LogUserSuspended logs a user suspension event.
func (*AuditService) LogUserUpdated ¶
func (s *AuditService) LogUserUpdated(ctx context.Context, actx AuditContext, userID, email string, changes *auditdom.Changes) error
LogUserUpdated logs a user update event.
func (*AuditService) VerifyChain ¶
func (s *AuditService) VerifyChain(ctx context.Context, tenantID shared.ID, limit int) (*ChainVerifyResult, error)
VerifyChain walks the audit_log_chain entries for a tenant in chain_position order and confirms each stored hash matches the hash recomputed from the original audit_logs row. A single tampered audit row surfaces as (at least) one break; downstream entries typically break too because prev_hash no longer links.
limit bounds memory use for large tenants; pagination support is a follow-up. A zero or negative limit means "use the default of 10_000". Values above maxVerifyChainLimit are clamped; the same cap is also enforced at the handler and repository layers (defense in depth, which closes the CodeQL go/uncontrolled-allocation-size sink at the make() site).
type ChainBreak ¶
// ChainBreak describes a single inconsistency discovered while walking the
// audit hash-chain for a tenant. ExpectedHash and ActualHash are reported
// together so an investigator can see which side of the comparison diverged.
type ChainBreak struct {
	AuditLogID    string
	ChainPosition int64
	ExpectedHash  string // hash recomputed from the audit_log row
	ActualHash    string // hash stored in audit_log_chain
	Reason        string // "hash_mismatch" | "prev_hash_mismatch" | "audit_log_missing"
}
ChainBreak describes a single inconsistency discovered while walking the audit hash-chain for a tenant.
type ChainVerifyResult ¶
// ChainVerifyResult is the outcome of a VerifyChain call.
// OK is true iff Breaks is empty, so callers should branch on OK rather than
// on len(Breaks) == 0 to stay aligned with the service's definition.
type ChainVerifyResult struct {
	TenantID string
	// Total and Verified are counts over the walked chain entries; presumably
	// Total is the number of entries examined (bounded by limit) and Verified
	// the number that matched — TODO confirm against VerifyChain.
	Total    int
	Verified int
	Breaks   []ChainBreak
	OK       bool
}
ChainVerifyResult is the outcome of a VerifyChain call. OK is true iff Breaks is empty.
type ListAuditLogsInput ¶
// ListAuditLogsInput represents the input for listing audit logs.
// The validate tags bound every caller-supplied filter: ID fields must be
// UUIDs when present, list filters and strings are length-capped, PerPage is
// capped at 100, and SortBy/SortOrder are restricted to a fixed set of values.
type ListAuditLogsInput struct {
	TenantID      string   `validate:"omitempty,uuid"`
	ActorID       string   `validate:"omitempty,uuid"`
	Actions       []string `validate:"max=20"`
	ResourceTypes []string `validate:"max=10"`
	ResourceID    string   `validate:"max=255"`
	Results       []string `validate:"max=3"`
	Severities    []string `validate:"max=4"`
	RequestID     string   `validate:"max=100"`
	Since         *time.Time
	Until         *time.Time
	SearchTerm    string `validate:"max=255"`
	Page          int    `validate:"min=0"`
	PerPage       int    `validate:"min=0,max=100"`
	// SortBy is limited by its tag to known column names; NOTE(review): the
	// tag only helps if the service validates the input before building the
	// query — confirm ListAuditLogs runs validation.
	SortBy        string `validate:"omitempty,oneof=logged_at action resource_type result severity"`
	SortOrder     string `validate:"omitempty,oneof=asc desc"`
	ExcludeSystem bool
}
ListAuditLogsInput represents the input for listing audit logs.