⚡ Optimized audit, event logging system
✨ Audit logs ✨ Admin edit user permissions
This commit is contained in:
parent
5200e00c9b
commit
8c89d89382
14
.idea/workspace.xml
generated
14
.idea/workspace.xml
generated
@ -4,10 +4,14 @@
|
|||||||
<option name="autoReloadType" value="ALL" />
|
<option name="autoReloadType" value="ALL" />
|
||||||
</component>
|
</component>
|
||||||
<component name="ChangeListManager">
|
<component name="ChangeListManager">
|
||||||
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Password reset & user lookup API">
|
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":recycle: Optimized the initial permission system">
|
||||||
|
<change afterPath="$PROJECT_DIR$/pkg/internal/models/audit.go" afterDir="false" />
|
||||||
|
<change afterPath="$PROJECT_DIR$/pkg/internal/server/admin/permissions_api.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/services/accounts.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/accounts.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/database/migrator.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/database/migrator.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/settings.toml" beforeDir="false" afterPath="$PROJECT_DIR$/settings.toml" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/server/admin/index.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/admin/index.go" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/events.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/events.go" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/main.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/main.go" afterDir="false" />
|
||||||
</list>
|
</list>
|
||||||
<option name="SHOW_DIALOG" value="false" />
|
<option name="SHOW_DIALOG" value="false" />
|
||||||
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
||||||
@ -153,7 +157,6 @@
|
|||||||
</option>
|
</option>
|
||||||
</component>
|
</component>
|
||||||
<component name="VcsManagerConfiguration">
|
<component name="VcsManagerConfiguration">
|
||||||
<MESSAGE value=":sparkles: Can pick up mfa request" />
|
|
||||||
<MESSAGE value=":sparkles: Status system" />
|
<MESSAGE value=":sparkles: Status system" />
|
||||||
<MESSAGE value=":bug: Fix status expired in cache" />
|
<MESSAGE value=":bug: Fix status expired in cache" />
|
||||||
<MESSAGE value=":bug: Fix online condition" />
|
<MESSAGE value=":bug: Fix online condition" />
|
||||||
@ -178,7 +181,8 @@
|
|||||||
<MESSAGE value=":recycle: Improve notify API" />
|
<MESSAGE value=":recycle: Improve notify API" />
|
||||||
<MESSAGE value=":sparkles: Reset password APIs" />
|
<MESSAGE value=":sparkles: Reset password APIs" />
|
||||||
<MESSAGE value=":sparkles: Password reset & user lookup API" />
|
<MESSAGE value=":sparkles: Password reset & user lookup API" />
|
||||||
<option name="LAST_COMMIT_MESSAGE" value=":sparkles: Password reset & user lookup API" />
|
<MESSAGE value=":recycle: Optimized the initial permission system" />
|
||||||
|
<option name="LAST_COMMIT_MESSAGE" value=":recycle: Optimized the initial permission system" />
|
||||||
</component>
|
</component>
|
||||||
<component name="VgoProject">
|
<component name="VgoProject">
|
||||||
<settings-migrated>true</settings-migrated>
|
<settings-migrated>true</settings-migrated>
|
||||||
|
@ -21,6 +21,7 @@ var AutoMaintainRange = []any{
|
|||||||
&models.ActionEvent{},
|
&models.ActionEvent{},
|
||||||
&models.Notification{},
|
&models.Notification{},
|
||||||
&models.NotificationSubscriber{},
|
&models.NotificationSubscriber{},
|
||||||
|
&models.AuditRecord{},
|
||||||
}
|
}
|
||||||
|
|
||||||
func RunMigration(source *gorm.DB) error {
|
func RunMigration(source *gorm.DB) error {
|
||||||
|
13
pkg/internal/models/audit.go
Normal file
13
pkg/internal/models/audit.go
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
package models
|
||||||
|
|
||||||
|
import "gorm.io/datatypes"
|
||||||
|
|
||||||
|
type AuditRecord struct {
|
||||||
|
BaseModel
|
||||||
|
|
||||||
|
Action string `json:"action"`
|
||||||
|
Metadata datatypes.JSONMap `json:"metadata"`
|
||||||
|
UserAgent string `json:"user_agent"`
|
||||||
|
IpAddress string `json:"ip_address"`
|
||||||
|
AccountID uint `json:"account_id"`
|
||||||
|
}
|
@ -11,5 +11,7 @@ func MapAdminAPIs(app *fiber.App) {
|
|||||||
admin.Delete("/badges/:badgeId", revokeBadge)
|
admin.Delete("/badges/:badgeId", revokeBadge)
|
||||||
|
|
||||||
admin.Post("/notify/all", notifyAllUser)
|
admin.Post("/notify/all", notifyAllUser)
|
||||||
|
|
||||||
|
admin.Put("/users/:user/permissions", editUserPermission)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
46
pkg/internal/server/admin/permissions_api.go
Normal file
46
pkg/internal/server/admin/permissions_api.go
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
package admin
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||||
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
||||||
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
|
||||||
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
|
||||||
|
"github.com/gofiber/fiber/v2"
|
||||||
|
)
|
||||||
|
|
||||||
|
func editUserPermission(c *fiber.Ctx) error {
|
||||||
|
userId, _ := c.ParamsInt("user")
|
||||||
|
|
||||||
|
if err := exts.EnsureGrantedPerm(c, "AdminUserPermission", true); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
operator := c.Locals("user").(models.Account)
|
||||||
|
|
||||||
|
var data struct {
|
||||||
|
PermNodes map[string]any `json:"perm_nodes" validate:"required"`
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := exts.BindAndValidate(c, &data); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
var user models.Account
|
||||||
|
if err := database.C.Where("id = ?", userId).First(&user).Error; err != nil {
|
||||||
|
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err))
|
||||||
|
}
|
||||||
|
|
||||||
|
prev := user.PermNodes
|
||||||
|
user.PermNodes = data.PermNodes
|
||||||
|
|
||||||
|
if err := database.C.Save(&user).Error; err != nil {
|
||||||
|
return fiber.NewError(fiber.StatusInternalServerError, err.Error())
|
||||||
|
} else {
|
||||||
|
services.AddAuditRecord(operator, "user.permissions.edit", c.IP(), c.Get(fiber.HeaderUserAgent), map[string]any{
|
||||||
|
"previous_permissions": prev,
|
||||||
|
"new_permissions": data.PermNodes,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.SendStatus(fiber.StatusOK)
|
||||||
|
}
|
@ -3,18 +3,46 @@ package services
|
|||||||
import (
|
import (
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
||||||
|
"github.com/rs/zerolog/log"
|
||||||
)
|
)
|
||||||
|
|
||||||
func AddEvent(user models.Account, event, target, ip, ua string) models.ActionEvent {
|
var writeEventQueue []models.ActionEvent
|
||||||
evt := models.ActionEvent{
|
var writeAuditQueue []models.AuditRecord
|
||||||
|
|
||||||
|
// AddEvent to keep operation logs by user themselves clear to query
|
||||||
|
func AddEvent(user models.Account, event, target, ip, ua string) {
|
||||||
|
writeEventQueue = append(writeEventQueue, models.ActionEvent{
|
||||||
Type: event,
|
Type: event,
|
||||||
Target: target,
|
Target: target,
|
||||||
IpAddress: ip,
|
IpAddress: ip,
|
||||||
UserAgent: ua,
|
UserAgent: ua,
|
||||||
AccountID: user.ID,
|
AccountID: user.ID,
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
database.C.Save(&evt)
|
// AddAuditRecord to keep logs to make administrators' operations clear to query
|
||||||
|
func AddAuditRecord(operator models.Account, act, ip, ua string, metadata map[string]any) {
|
||||||
return evt
|
writeAuditQueue = append(writeAuditQueue, models.AuditRecord{
|
||||||
|
Action: act,
|
||||||
|
Metadata: metadata,
|
||||||
|
IpAddress: ip,
|
||||||
|
UserAgent: ua,
|
||||||
|
AccountID: operator.ID,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// SaveEventChanges runs every 60 seconds to save events / audits changes into database
|
||||||
|
func SaveEventChanges() {
|
||||||
|
if len(writeEventQueue) > 0 {
|
||||||
|
count := len(writeEventQueue)
|
||||||
|
database.C.CreateInBatches(writeEventQueue, min(count, 1000))
|
||||||
|
log.Info().Int("count", count).Msg("Saved action events changes into database...")
|
||||||
|
clear(writeEventQueue)
|
||||||
|
}
|
||||||
|
if len(writeAuditQueue) > 0 {
|
||||||
|
count := len(writeAuditQueue)
|
||||||
|
database.C.CreateInBatches(writeAuditQueue, min(count, 1000))
|
||||||
|
log.Info().Int("count", count).Msg("Saved audit records changes into database...")
|
||||||
|
clear(writeAuditQueue)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -70,6 +70,7 @@ func main() {
|
|||||||
quartz.AddFunc("@every 60s", services.RecycleAuthContext)
|
quartz.AddFunc("@every 60s", services.RecycleAuthContext)
|
||||||
quartz.AddFunc("@every 60m", services.RecycleUnConfirmAccount)
|
quartz.AddFunc("@every 60m", services.RecycleUnConfirmAccount)
|
||||||
quartz.AddFunc("@every 5m", services.KexCleanup)
|
quartz.AddFunc("@every 5m", services.KexCleanup)
|
||||||
|
quartz.AddFunc("@every 60s", services.SaveEventChanges)
|
||||||
quartz.Start()
|
quartz.Start()
|
||||||
|
|
||||||
// Messages
|
// Messages
|
||||||
|
Loading…
Reference in New Issue
Block a user