`192d41d`

Add auth audit recorder writing typed actions to auth_audit_log

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: 192d41d0d511777875cf2397608eb30eebe34748
Parents: 74ae64c
Tree: 363a6f1

2 changed files

Status	File	+	-
A	`internal/auth/audit/audit.go`	96	0
A	`internal/auth/audit/audit_test.go`	74	0

internal/auth/audit/audit.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +// Package audit writes structured rows into the auth_audit_log table for
 +// security-relevant events. The schema is generic — actor, action, target,
 +// meta JSON — so future sprints reuse this for permission changes,
 +// org-membership changes, admin actions, etc.
 +//
 +// Callers MUST NOT put secret material in the meta JSON. The values land
 +// unredacted in the DB; treat the table contents as confidential but
 +// never sensitive (no plaintext passwords, no TOTP secrets, no PATs).
 +package audit
++
 +import (
 +	"context"
 +	"encoding/json"
 +	"errors"
 +	"fmt"
++
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
 +)
++
 +// DBTX matches sqlc's DBTX so callers can pass *pgxpool.Pool or a tx.
 +type DBTX = usersdb.DBTX
++
 +// Action is a typed action constant. Reuse these across packages so the
 +// set stays tight and grep-able.
 +type Action string
++
 +const (
 +	Action2FAEnabled            Action = "2fa_enabled"
 +	Action2FADisabled           Action = "2fa_disabled"
 +	ActionRecoveryCodesIssued   Action = "recovery_codes_issued"
 +	ActionRecoveryCodeUsed      Action = "recovery_code_used"
 +	ActionRecoveryRegenerated   Action = "recovery_codes_regenerated"
 +	ActionAdminCleared2FA       Action = "admin_cleared_2fa"
 +	ActionPasswordChanged       Action = "password_changed"
 +	ActionPasswordReset         Action = "password_reset_consumed"
 +	ActionLoginSucceeded        Action = "login_succeeded"
 +	ActionLoginFailedThrottled  Action = "login_failed_throttled"
 +	ActionAccountSuspended      Action = "account_suspended"
 +)
++
 +// Target is a typed target-type constant.
 +type Target string
++
 +const (
 +	TargetUser Target = "user"
 +)
++
 +// Recorder writes audit rows. Bound to the sqlc queries handle.
 +type Recorder struct {
 +	q *usersdb.Queries
 +}
++
 +// NewRecorder constructs a recorder.
 +func NewRecorder() *Recorder { return &Recorder{q: usersdb.New()} }
++
 +// Record inserts a single audit-log row. actorID is the user_id of the
 +// actor performing the action (use 0 for system / admin-CLI actions).
 +// targetID is the affected entity (use 0 for actions without a single
 +// concrete target).
 +//
 +// meta MUST be a JSON-serializable map; secrets and PII (tokens, raw
 +// passwords, etc.) MUST NOT appear here.
 +func (r *Recorder) Record(
 +	ctx context.Context, db DBTX,
 +	actorID int64, action Action, target Target, targetID int64, meta map[string]any,
 +) error {
 +	if action == "" || target == "" {
 +		return errors.New("audit: action and target_type required")
 +	}
 +	if meta == nil {
 +		meta = map[string]any{}
 +	}
 +	metaJSON, err := json.Marshal(meta)
 +	if err != nil {
 +		return fmt.Errorf("audit: marshal meta: %w", err)
 +	}
 +	var actorParam pgtype.Int8
 +	if actorID != 0 {
 +		actorParam = pgtype.Int8{Int64: actorID, Valid: true}
 +	}
 +	var targetParam pgtype.Int8
 +	if targetID != 0 {
 +		targetParam = pgtype.Int8{Int64: targetID, Valid: true}
 +	}
 +	return r.q.InsertAuditLog(ctx, db, usersdb.InsertAuditLogParams{
 +		ActorID:    actorParam,
 +		Action:     string(action),
 +		TargetType: string(target),
 +		TargetID:   targetParam,
 +		Meta:       metaJSON,
 +	})
 +}

internal/auth/audit/audit_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package audit
++
 +import (
 +	"context"
 +	"encoding/json"
 +	"testing"
++
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"
 +	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
 +)
++
 +func pgInt(v int64) pgtype.Int8 { return pgtype.Int8{Int64: v, Valid: true} }
++
 +func TestRecord_RoundTrip(t *testing.T) {
 +	t.Parallel()
 +	pool := dbtest.NewTestDB(t)
 +	ctx := context.Background()
 +	q := usersdb.New()
++
 +	// Seed a user so actor_id FK is satisfied.
 +	user, err := q.CreateUser(ctx, pool, usersdb.CreateUserParams{
 +		Username:     "alice",
 +		DisplayName:  "Alice",
 +		PasswordHash: "$argon2id$v=19$m=16384,t=1,p=1$AAAAAAAAAAAAAAAA$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
 +	})
 +	if err != nil {
 +		t.Fatalf("CreateUser: %v", err)
 +	}
++
 +	r := NewRecorder()
 +	if err := r.Record(ctx, pool, user.ID, Action2FAEnabled, TargetUser, user.ID, map[string]any{
 +		"recovery_count": 10,
 +	}); err != nil {
 +		t.Fatalf("Record: %v", err)
 +	}
++
 +	rows, err := q.ListAuditLogForTarget(ctx, pool, usersdb.ListAuditLogForTargetParams{
 +		TargetType: string(TargetUser),
 +		TargetID:   pgInt(user.ID),
 +		Limit:      10,
 +	})
 +	if err != nil {
 +		t.Fatalf("ListAuditLogForTarget: %v", err)
 +	}
 +	if len(rows) != 1 {
 +		t.Fatalf("got %d rows, want 1", len(rows))
 +	}
 +	if rows[0].Action != string(Action2FAEnabled) {
 +		t.Fatalf("action = %q, want %q", rows[0].Action, Action2FAEnabled)
 +	}
 +	var meta map[string]any
 +	if err := json.Unmarshal(rows[0].Meta, &meta); err != nil {
 +		t.Fatalf("meta JSON: %v", err)
 +	}
 +	if meta["recovery_count"] == nil {
 +		t.Fatalf("meta missing recovery_count: %v", meta)
 +	}
 +}
++
 +func TestRecord_RejectsEmpty(t *testing.T) {
 +	t.Parallel()
 +	pool := dbtest.NewTestDB(t)
 +	r := NewRecorder()
 +	if err := r.Record(context.Background(), pool, 0, "", TargetUser, 0, nil); err == nil {
 +		t.Fatal("expected error for empty action")
 +	}
 +	if err := r.Record(context.Background(), pool, 0, Action2FAEnabled, "", 0, nil); err == nil {
 +		t.Fatal("expected error for empty target_type")
 +	}
 +}