Add sub-projects

2025-04-16 15:08:51 +02:00
parent 2dbf216d37
commit db538adfdd
22 changed files with 1157 additions and 0 deletions


@ -0,0 +1,151 @@
"""Audit methods."""
from collections.abc import Sequence
from fastapi import Request
from sqlmodel import Session, select
from .models import AuditLog, Client, ClientSecret
def _get_origin(request: Request) -> str | None:
"""Resolve the request origin."""
origin: str | None = None
if request.client:
origin = request.client.host
return origin
def _write_audit_log(
session: Session, request: Request, entry: AuditLog, commit: bool = True
) -> None:
"""Write the audit log."""
origin = _get_origin(request)
entry.origin = origin
session.add(entry)
if commit:
session.commit()
def audit_create_client(
session: Session, request: Request, client: Client, commit: bool = True
) -> None:
"""Log the creation of a client."""
entry = AuditLog(
operation="CREATE",
client_id=client.id,
client_name=client.name,
message="Client Created",
)
_write_audit_log(session, request, entry, commit)
def audit_create_secret(
session: Session,
request: Request,
client: Client,
secret: ClientSecret,
commit: bool = True,
) -> None:
"""Audit a create secret event."""
entry = AuditLog(
operation="CREATE",
object="ClientSecret",
object_id=str(secret.id),
client_id=client.id,
client_name=client.name,
message="Added secret to client",
)
_write_audit_log(session, request, entry, commit)
def audit_update_secret(
session: Session,
request: Request,
client: Client,
secret: ClientSecret,
commit: bool = True,
) -> None:
"""Audit an update secret event."""
entry = AuditLog(
operation="UPDATE",
object="ClientSecret",
object_id=str(secret.id),
client_id=client.id,
client_name=client.name,
message="Secret value updated",
)
_write_audit_log(session, request, entry, commit)
def audit_invalidate_secrets(
session: Session,
request: Request,
client: Client,
commit: bool = True,
) -> None:
"""Audit Invalidate client secrets."""
entry = AuditLog(
operation="INVALIDATE",
object="ClientSecret",
client_name=client.name,
client_id=client.id,
message="Client fingerprint updated. All secrets invalidated.",
)
_write_audit_log(session, request, entry, commit)
def audit_access_secrets(
session: Session,
request: Request,
client: Client,
secrets: Sequence[ClientSecret] | None = None,
commit: bool = True,
) -> None:
"""Audit that multiple secrets were accessed.
With no secrets provided, all secrets of the client will be resolved.
"""
if not secrets:
secrets = session.exec(
select(ClientSecret).where(ClientSecret.client_id == client.id)
).all()
for secret in secrets:
audit_access_secret(session, request, client, secret, False)
if commit:
session.commit()
def audit_access_secret(
session: Session,
request: Request,
client: Client,
secret: ClientSecret,
commit: bool = True,
) -> None:
"""Audit that someone accessed one secrets."""
entry = AuditLog(
operation="ACCESS",
message="Secret was viewed",
object="ClientSecret",
object_id=str(secret.id),
client_id=client.id,
client_name=client.name,
)
_write_audit_log(session, request, entry, commit)
def audit_access_audit_log(
session: Session, request: Request, commit: bool = True
) -> None:
"""Audit access to the audit log.
Because why not...
"""
entry = AuditLog(
operation="ACCESS",
message="Audit log was viewed",
object="AuditLog",
)
_write_audit_log(session, request, entry, commit)
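Review bot: In `audit_access_secrets`, the `if not secrets:` test treats an explicitly empty sequence the same as `None`, so a caller that passes `[]` because nothing was returned gets an ACCESS entry written for every secret the client owns, and the audit trail then records reads that did not happen. Use `if secrets is None:` so that only an omitted argument triggers the lookup of all client secrets. Separately, `_get_origin` stores `request.client.host`, which behind a reverse proxy is presumably the proxy's address rather than the caller's. If the service is deployed that way, the origin should come from forwarded headers accepted only from the known proxy (for example uvicorn's `--proxy-headers` together with `--forwarded-allow-ips`), and the docstring should state which address ends up in `AuditLog.origin`.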