feat(api): Phase 2 — REST-API MVP + CRUD für Domains/Backends/Routing
REST-API mit Response-Envelope (1:1 mail-gateway), HS256-JWT-Signer (Secret persistent unter /var/lib/edgeguard/.jwt_fingerprint), Setup-Wizard (Bcrypt-Admin-Passwort in setup.json), Auth-Middleware (Cookie + Bearer), Setup-Gate. Update-Banner-Endpoints /system/package-versions + /system/upgrade ab Tag 1 wired (Pattern aus enconf-management-agent: systemd-run detached, HTTP-Response geht VOR dem Self-Replace raus). CRUD-Repos für domains/backends/routing_rules mit pgxpool + handgeschriebenem SQL (mail-gateway-Pattern, kein GORM zur Laufzeit). Audit-Log-Schreiber auf jede Mutation, NodeID aus /etc/machine-id. DB-Pool öffnet best-effort — ohne erreichbare PG bleiben CRUD-Routen unregistriert, Auth/Setup/System antworten weiter (Dev ohne PG). End-to-end live-getestet gegen lokale postgres-16: Setup → Login → POST/PUT/DELETE Backends + Domains + Routing-Rules → audit_log schreibt 5 Zeilen mit korrektem actor/action/subject. Graceful degrade ohne DB ebenfalls verifiziert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
48
internal/services/audit/audit.go
Normal file
48
internal/services/audit/audit.go
Normal file
@@ -0,0 +1,48 @@
|
||||
// Package audit appends rows to the audit_log table. Every mutation
|
||||
// in the API funnels through this so the operator can answer
|
||||
// "who did what when?" from a single SELECT.
|
||||
package audit
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgxpool"
|
||||
)
|
||||
|
||||
type Repo struct {
|
||||
Pool *pgxpool.Pool
|
||||
}
|
||||
|
||||
func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
|
||||
|
||||
// Log writes one audit_log row. detail is JSON-encodable (typically a
|
||||
// map[string]any) — empty map means "no payload". If pool is nil
|
||||
// (e.g. dev env without DB), Log silently no-ops so handlers don't
|
||||
// have to guard each call site.
|
||||
func (r *Repo) Log(ctx context.Context, actor, action, subject string, detail any, nodeID string) error {
|
||||
if r == nil || r.Pool == nil {
|
||||
return nil
|
||||
}
|
||||
var detailJSON []byte
|
||||
if detail != nil {
|
||||
var err error
|
||||
detailJSON, err = json.Marshal(detail)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
var subjectArg any = subject
|
||||
if subject == "" {
|
||||
subjectArg = nil
|
||||
}
|
||||
var nodeArg any = nodeID
|
||||
if nodeID == "" {
|
||||
nodeArg = nil
|
||||
}
|
||||
_, err := r.Pool.Exec(ctx,
|
||||
`INSERT INTO audit_log (actor, action, subject, detail, node_id)
|
||||
VALUES ($1, $2, $3, $4, $5)`,
|
||||
actor, action, subjectArg, detailJSON, nodeArg)
|
||||
return err
|
||||
}
|
||||
Reference in New Issue
Block a user