0a6f81beaa
REST-API mit Response-Envelope (1:1 mail-gateway), HS256-JWT-Signer (Secret persistent unter /var/lib/edgeguard/.jwt_fingerprint), Setup-Wizard (Bcrypt-Admin-Passwort in setup.json), Auth-Middleware (Cookie + Bearer), Setup-Gate. Update-Banner-Endpoints /system/package-versions + /system/upgrade ab Tag 1 wired (Pattern aus enconf-management-agent: systemd-run detached, HTTP-Response geht VOR dem Self-Replace raus). CRUD-Repos für domains/backends/routing_rules mit pgxpool + handgeschriebenem SQL (mail-gateway-Pattern, kein GORM zur Laufzeit). Audit-Log-Schreiber auf jede Mutation, NodeID aus /etc/machine-id. DB-Pool öffnet best-effort — ohne erreichbare PG bleiben CRUD-Routen unregistriert, Auth/Setup/System antworten weiter (Dev ohne PG). End-to-end live-getestet gegen lokale postgres-16: Setup → Login → POST/PUT/DELETE Backends + Domains + Routing-Rules → audit_log schreibt 5 Zeilen mit korrektem actor/action/subject. Graceful degrade ohne DB ebenfalls verifiziert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
49 lines
1.2 KiB
Go
49 lines
1.2 KiB
Go
// Package audit appends rows to the audit_log table. Every mutation
|
|
// in the API funnels through this so the operator can answer
|
|
// "who did what when?" from a single SELECT.
|
|
package audit
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
)
|
|
|
|
type Repo struct {
|
|
Pool *pgxpool.Pool
|
|
}
|
|
|
|
func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
|
|
|
|
// Log writes one audit_log row. detail is JSON-encodable (typically a
|
|
// map[string]any) — empty map means "no payload". If pool is nil
|
|
// (e.g. dev env without DB), Log silently no-ops so handlers don't
|
|
// have to guard each call site.
|
|
func (r *Repo) Log(ctx context.Context, actor, action, subject string, detail any, nodeID string) error {
|
|
if r == nil || r.Pool == nil {
|
|
return nil
|
|
}
|
|
var detailJSON []byte
|
|
if detail != nil {
|
|
var err error
|
|
detailJSON, err = json.Marshal(detail)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
var subjectArg any = subject
|
|
if subject == "" {
|
|
subjectArg = nil
|
|
}
|
|
var nodeArg any = nodeID
|
|
if nodeID == "" {
|
|
nodeArg = nil
|
|
}
|
|
_, err := r.Pool.Exec(ctx,
|
|
`INSERT INTO audit_log (actor, action, subject, detail, node_id)
|
|
VALUES ($1, $2, $3, $4, $5)`,
|
|
actor, action, subjectArg, detailJSON, nodeArg)
|
|
return err
|
|
}
|