forked from baron/baron-sso
adminFront에 Audit Log 기능 추가
This commit is contained in:
Lectom C Han
@@ -7,6 +7,7 @@ import (
|
||||
|
||||
// AuditLog represents a single audit event
|
||||
type AuditLog struct {
|
||||
EventID string `json:"event_id"`
|
||||
Timestamp time.Time `json:"timestamp"`
|
||||
UserID string `json:"user_id"`
|
||||
EventType string `json:"event_type"` // e.g., "login_success", "login_failed", "otp_sent"
|
||||
@@ -20,6 +21,11 @@ type AuditLog struct {
|
||||
// AuditRepository defines interface for storing logs
|
||||
type AuditRepository interface {
|
||||
Create(log *AuditLog) error
|
||||
FindAll(ctx context.Context, limit, offset int) ([]AuditLog, error)
|
||||
FindPage(ctx context.Context, limit int, cursor *AuditCursor) ([]AuditLog, error)
|
||||
Ping(ctx context.Context) error
|
||||
}
|
||||
|
||||
type AuditCursor struct {
|
||||
Timestamp time.Time
|
||||
EventID string
|
||||
}
|
||||
|
||||
@@ -2,9 +2,13 @@ package handler
|
||||
|
||||
import (
|
||||
"baron-sso-backend/internal/domain"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
type AuditHandler struct {
|
||||
@@ -34,6 +38,9 @@ func (h *AuditHandler) CreateLog(c *fiber.Ctx) error {
|
||||
if req.Timestamp.IsZero() {
|
||||
req.Timestamp = time.Now()
|
||||
}
|
||||
if req.EventID == "" {
|
||||
req.EventID = ensureRequestID(c)
|
||||
}
|
||||
|
||||
if err := h.repo.Create(&req); err != nil {
|
||||
// Log internal error but don't expose details
|
||||
@@ -50,18 +57,68 @@ func (h *AuditHandler) CreateLog(c *fiber.Ctx) error {
|
||||
// ListLogs handles GET /api/v1/audit
|
||||
func (h *AuditHandler) ListLogs(c *fiber.Ctx) error {
|
||||
limit := c.QueryInt("limit", 50)
|
||||
offset := c.QueryInt("offset", 0)
|
||||
cursorRaw := c.Query("cursor")
|
||||
cursor, err := parseAuditCursor(cursorRaw)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
|
||||
"error": "Invalid cursor",
|
||||
})
|
||||
}
|
||||
|
||||
logs, err := h.repo.FindAll(c.Context(), limit, offset)
|
||||
logs, err := h.repo.FindPage(c.Context(), limit+1, cursor)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
|
||||
"error": "Failed to retrieve audit logs",
|
||||
})
|
||||
}
|
||||
|
||||
nextCursor := ""
|
||||
if len(logs) > limit {
|
||||
last := logs[limit-1]
|
||||
nextCursor = encodeAuditCursor(last)
|
||||
logs = logs[:limit]
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"items": logs,
|
||||
"limit": limit,
|
||||
"offset": offset,
|
||||
"items": logs,
|
||||
"limit": limit,
|
||||
"cursor": cursorRaw,
|
||||
"next_cursor": nextCursor,
|
||||
})
|
||||
}
|
||||
|
||||
func ensureRequestID(c *fiber.Ctx) string {
|
||||
reqID := c.Get("X-Request-Id")
|
||||
if reqID == "" {
|
||||
reqID = uuid.New().String()
|
||||
c.Set("X-Request-Id", reqID)
|
||||
}
|
||||
return reqID
|
||||
}
|
||||
|
||||
func parseAuditCursor(raw string) (*domain.AuditCursor, error) {
|
||||
if raw == "" {
|
||||
return nil, nil
|
||||
}
|
||||
decoded, err := base64.RawURLEncoding.DecodeString(raw)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
parts := strings.SplitN(string(decoded), "|", 2)
|
||||
if len(parts) != 2 {
|
||||
return nil, errors.New("invalid cursor")
|
||||
}
|
||||
ts, err := time.Parse(time.RFC3339Nano, parts[0])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &domain.AuditCursor{
|
||||
Timestamp: ts,
|
||||
EventID: parts[1],
|
||||
}, nil
|
||||
}
|
||||
|
||||
func encodeAuditCursor(log domain.AuditLog) string {
|
||||
payload := log.Timestamp.UTC().Format(time.RFC3339Nano) + "|" + log.EventID
|
||||
return base64.RawURLEncoding.EncodeToString([]byte(payload))
|
||||
}
|
||||
|
||||
106
backend/internal/middleware/audit_required.go
Normal file
106
backend/internal/middleware/audit_required.go
Normal file
@@ -0,0 +1,106 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"baron-sso-backend/internal/domain"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"time"
|
||||
|
||||
"github.com/gofiber/fiber/v2"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
type AuditRequiredConfig struct {
|
||||
Repo domain.AuditRepository
|
||||
ExcludePaths map[string]struct{}
|
||||
CommandMethods map[string]struct{}
|
||||
}
|
||||
|
||||
func RequireAudit(config AuditRequiredConfig) fiber.Handler {
|
||||
commandMethods := config.CommandMethods
|
||||
if len(commandMethods) == 0 {
|
||||
commandMethods = map[string]struct{}{
|
||||
fiber.MethodPost: {},
|
||||
fiber.MethodPut: {},
|
||||
fiber.MethodPatch: {},
|
||||
fiber.MethodDelete: {},
|
||||
}
|
||||
}
|
||||
|
||||
excludePaths := config.ExcludePaths
|
||||
if excludePaths == nil {
|
||||
excludePaths = map[string]struct{}{}
|
||||
}
|
||||
|
||||
return func(c *fiber.Ctx) error {
|
||||
if _, ok := commandMethods[c.Method()]; !ok {
|
||||
return c.Next()
|
||||
}
|
||||
if _, excluded := excludePaths[c.Path()]; excluded {
|
||||
return c.Next()
|
||||
}
|
||||
if config.Repo == nil {
|
||||
return fiber.NewError(fiber.StatusServiceUnavailable, "audit repository unavailable")
|
||||
}
|
||||
|
||||
start := time.Now()
|
||||
reqID := c.Get("X-Request-Id")
|
||||
if reqID == "" {
|
||||
reqID = uuid.New().String()
|
||||
c.Set("X-Request-Id", reqID)
|
||||
}
|
||||
|
||||
err := c.Next()
|
||||
latency := time.Since(start)
|
||||
|
||||
status := c.Response().StatusCode()
|
||||
if err != nil {
|
||||
if fiberErr, ok := err.(*fiber.Error); ok {
|
||||
status = fiberErr.Code
|
||||
} else {
|
||||
status = fiber.StatusInternalServerError
|
||||
}
|
||||
}
|
||||
|
||||
statusText := "success"
|
||||
if status >= fiber.StatusBadRequest {
|
||||
statusText = "failure"
|
||||
}
|
||||
|
||||
details := map[string]any{
|
||||
"request_id": reqID,
|
||||
"method": c.Method(),
|
||||
"path": c.Path(),
|
||||
"status": status,
|
||||
"latency_ms": latency.Milliseconds(),
|
||||
}
|
||||
if err != nil {
|
||||
details["error"] = err.Error()
|
||||
}
|
||||
|
||||
detailsJSON, jsonErr := json.Marshal(details)
|
||||
if jsonErr != nil {
|
||||
slog.Warn("failed to marshal audit details", "error", jsonErr, "req_id", reqID)
|
||||
}
|
||||
|
||||
auditLog := &domain.AuditLog{
|
||||
EventID: reqID,
|
||||
Timestamp: time.Now(),
|
||||
UserID: "",
|
||||
EventType: fmt.Sprintf("%s %s", c.Method(), c.Path()),
|
||||
Status: statusText,
|
||||
IPAddress: c.IP(),
|
||||
UserAgent: c.Get("User-Agent"),
|
||||
DeviceID: "",
|
||||
Details: string(detailsJSON),
|
||||
}
|
||||
|
||||
if createErr := config.Repo.Create(auditLog); createErr != nil {
|
||||
slog.Error("audit log write failed", "error", createErr, "req_id", reqID, "path", c.Path())
|
||||
return fiber.NewError(fiber.StatusServiceUnavailable, "audit logging unavailable")
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
}
|
||||
@@ -36,6 +36,7 @@ func NewClickHouseRepository(host string, port int, user, password, db string) (
|
||||
// Note: In production, use migrations.
|
||||
query := `
|
||||
CREATE TABLE IF NOT EXISTS audit_logs (
|
||||
event_id String,
|
||||
timestamp DateTime DEFAULT now(),
|
||||
user_id String,
|
||||
event_type String,
|
||||
@@ -51,6 +52,14 @@ func NewClickHouseRepository(host string, port int, user, password, db string) (
|
||||
return nil, fmt.Errorf("failed to create table: %w", err)
|
||||
}
|
||||
|
||||
alterQuery := `
|
||||
ALTER TABLE audit_logs
|
||||
ADD COLUMN IF NOT EXISTS event_id String
|
||||
`
|
||||
if err := conn.Exec(context.Background(), alterQuery); err != nil {
|
||||
return nil, fmt.Errorf("failed to alter table: %w", err)
|
||||
}
|
||||
|
||||
return &ClickHouseRepository{conn: conn}, nil
|
||||
}
|
||||
|
||||
@@ -63,10 +72,11 @@ func (r *ClickHouseRepository) Create(log *domain.AuditLog) error {
|
||||
}
|
||||
|
||||
query := `
|
||||
INSERT INTO audit_logs (timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?)
|
||||
INSERT INTO audit_logs (event_id, timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
|
||||
`
|
||||
return r.conn.Exec(ctx, query,
|
||||
log.EventID,
|
||||
log.Timestamp,
|
||||
log.UserID,
|
||||
log.EventType,
|
||||
@@ -78,21 +88,28 @@ func (r *ClickHouseRepository) Create(log *domain.AuditLog) error {
|
||||
)
|
||||
}
|
||||
|
||||
func (r *ClickHouseRepository) FindAll(ctx context.Context, limit, offset int) ([]domain.AuditLog, error) {
|
||||
func (r *ClickHouseRepository) FindPage(ctx context.Context, limit int, cursor *domain.AuditCursor) ([]domain.AuditLog, error) {
|
||||
if limit <= 0 {
|
||||
limit = 50
|
||||
}
|
||||
if offset < 0 {
|
||||
offset = 0
|
||||
}
|
||||
|
||||
query := `
|
||||
SELECT timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details
|
||||
SELECT event_id, timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details
|
||||
FROM audit_logs
|
||||
ORDER BY timestamp DESC
|
||||
LIMIT ? OFFSET ?
|
||||
`
|
||||
rows, err := r.conn.Query(ctx, query, limit, offset)
|
||||
args := make([]any, 0, 4)
|
||||
if cursor != nil {
|
||||
query += `
|
||||
WHERE (timestamp < ?) OR (timestamp = ? AND event_id < ?)
|
||||
`
|
||||
args = append(args, cursor.Timestamp, cursor.Timestamp, cursor.EventID)
|
||||
}
|
||||
query += `
|
||||
ORDER BY timestamp DESC, event_id DESC
|
||||
LIMIT ?
|
||||
`
|
||||
args = append(args, limit)
|
||||
|
||||
rows, err := r.conn.Query(ctx, query, args...)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to query audit logs: %w", err)
|
||||
}
|
||||
@@ -102,6 +119,7 @@ func (r *ClickHouseRepository) FindAll(ctx context.Context, limit, offset int) (
|
||||
for rows.Next() {
|
||||
var log domain.AuditLog
|
||||
if err := rows.Scan(
|
||||
&log.EventID,
|
||||
&log.Timestamp,
|
||||
&log.UserID,
|
||||
&log.EventType,
|
||||
|
||||
Reference in New Issue
Block a user