acton-service 0.23.0

Production-ready Rust backend framework with type-enforced API versioning
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

//! Audit event types
//!
//! Core types for representing audit trail events including authentication,
//! HTTP requests, and custom application events.

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use uuid::Uuid;

/// A single audit trail event
///
/// Events are sealed by [`AuditChain`](super::AuditChain) with BLAKE3 hash chaining
/// before being persisted, providing tamper detection.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
    /// Unique event identifier
    pub id: Uuid,
    /// When the event occurred
    pub timestamp: DateTime<Utc>,
    /// Category of the event
    pub kind: AuditEventKind,
    /// Severity level (maps to syslog severity 0-7)
    pub severity: AuditSeverity,
    /// Source information (IP, user agent, subject, request ID)
    pub source: AuditSource,
    /// HTTP method (if applicable)
    pub method: Option<String>,
    /// Request path (if applicable)
    pub path: Option<String>,
    /// HTTP status code (if applicable)
    pub status_code: Option<u16>,
    /// Request duration in milliseconds (if applicable)
    pub duration_ms: Option<u64>,
    /// Name of the service that generated this event
    pub service_name: String,
    /// Additional structured metadata
    pub metadata: Option<serde_json::Value>,
    /// BLAKE3 hash of this event (set by AuditChain::seal)
    pub hash: Option<String>,
    /// Hash of the previous event in the chain
    pub previous_hash: Option<String>,
    /// Monotonically increasing sequence number
    pub sequence: u64,
}

impl AuditEvent {
    /// Create a new audit event with the given kind and severity
    pub fn new(kind: AuditEventKind, severity: AuditSeverity, service_name: String) -> Self {
        Self {
            id: Uuid::new_v4(),
            timestamp: Utc::now(),
            kind,
            severity,
            source: AuditSource::default(),
            method: None,
            path: None,
            status_code: None,
            duration_ms: None,
            service_name,
            metadata: None,
            hash: None,
            previous_hash: None,
            sequence: 0,
        }
    }

    /// Set the source information
    pub fn with_source(mut self, source: AuditSource) -> Self {
        self.source = source;
        self
    }

    /// Set HTTP request details
    pub fn with_http(
        mut self,
        method: String,
        path: String,
        status_code: Option<u16>,
        duration_ms: Option<u64>,
    ) -> Self {
        self.method = Some(method);
        self.path = Some(path);
        self.status_code = status_code;
        self.duration_ms = duration_ms;
        self
    }

    /// Set additional metadata
    pub fn with_metadata(mut self, metadata: serde_json::Value) -> Self {
        self.metadata = Some(metadata);
        self
    }
}

/// Categories of audit events
///
/// Auth events are automatically emitted when the `auth` feature is active.
/// HTTP events come from the audit middleware. Custom events are user-defined.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub enum AuditEventKind {
    /// Successful authentication
    AuthLoginSuccess,
    /// Failed authentication attempt
    AuthLoginFailed,
    /// User logout
    AuthLogout,
    /// Token refresh
    AuthTokenRefresh,
    /// Token revocation
    AuthTokenRevoked,
    /// Password changed
    AuthPasswordChanged,
    /// API key created
    AuthApiKeyCreated,
    /// API key revoked
    AuthApiKeyRevoked,
    /// OAuth callback processed
    AuthOAuthCallback,
    /// Permission denied
    AuthPermissionDenied,
    /// Account locked due to repeated login failures (requires `login-lockout` feature)
    #[cfg(feature = "login-lockout")]
    AuthAccountLocked,
    /// Account unlocked (requires `login-lockout` feature)
    #[cfg(feature = "login-lockout")]
    AuthAccountUnlocked,
    /// Account created (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountCreated,
    /// Account disabled by administrator (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountDisabled,
    /// Account enabled/re-activated (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountEnabled,
    /// Account locked due to security event (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountLocked,
    /// Account unlocked (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountUnlocked,
    /// Account expired (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountExpired,
    /// Account deleted (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountDeleted,
    /// Account updated (profile, email verified, password changed, roles) (requires `accounts` feature)
    #[cfg(feature = "accounts")]
    AccountUpdated,
    /// Signing key was rotated (new key activated, old key moved to draining)
    AuthKeyRotated,
    /// Signing key was retired (drain period expired)
    AuthKeyRetired,
    /// Key rotation failed
    AuthKeyRotationFailed,
    /// Configuration loaded at startup (NIST CM-3)
    ConfigLoaded,
    /// Active configuration differs from on-disk sources (NIST CM-3)
    ConfigDriftDetected,
    /// HTTP request (from audit middleware)
    HttpRequest,
    /// HTTP request denied (rate limit, auth failure, etc.)
    HttpRequestDenied,
    /// Application-defined event
    Custom(String),
}

impl std::fmt::Display for AuditEventKind {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::AuthLoginSuccess => write!(f, "auth.login.success"),
            Self::AuthLoginFailed => write!(f, "auth.login.failed"),
            Self::AuthLogout => write!(f, "auth.logout"),
            Self::AuthTokenRefresh => write!(f, "auth.token.refresh"),
            Self::AuthTokenRevoked => write!(f, "auth.token.revoked"),
            Self::AuthPasswordChanged => write!(f, "auth.password.changed"),
            Self::AuthApiKeyCreated => write!(f, "auth.apikey.created"),
            Self::AuthApiKeyRevoked => write!(f, "auth.apikey.revoked"),
            Self::AuthOAuthCallback => write!(f, "auth.oauth.callback"),
            Self::AuthPermissionDenied => write!(f, "auth.permission.denied"),
            #[cfg(feature = "login-lockout")]
            Self::AuthAccountLocked => write!(f, "auth.account.locked"),
            #[cfg(feature = "login-lockout")]
            Self::AuthAccountUnlocked => write!(f, "auth.account.unlocked"),
            #[cfg(feature = "accounts")]
            Self::AccountCreated => write!(f, "account.created"),
            #[cfg(feature = "accounts")]
            Self::AccountDisabled => write!(f, "account.disabled"),
            #[cfg(feature = "accounts")]
            Self::AccountEnabled => write!(f, "account.enabled"),
            #[cfg(feature = "accounts")]
            Self::AccountLocked => write!(f, "account.locked"),
            #[cfg(feature = "accounts")]
            Self::AccountUnlocked => write!(f, "account.unlocked"),
            #[cfg(feature = "accounts")]
            Self::AccountExpired => write!(f, "account.expired"),
            #[cfg(feature = "accounts")]
            Self::AccountDeleted => write!(f, "account.deleted"),
            #[cfg(feature = "accounts")]
            Self::AccountUpdated => write!(f, "account.updated"),
            Self::AuthKeyRotated => write!(f, "auth.key.rotated"),
            Self::AuthKeyRetired => write!(f, "auth.key.retired"),
            Self::AuthKeyRotationFailed => write!(f, "auth.key.rotation_failed"),
            Self::ConfigLoaded => write!(f, "config.loaded"),
            Self::ConfigDriftDetected => write!(f, "config.drift_detected"),
            Self::HttpRequest => write!(f, "http.request"),
            Self::HttpRequestDenied => write!(f, "http.request.denied"),
            Self::Custom(name) => write!(f, "custom.{}", name),
        }
    }
}

/// Audit event severity levels
///
/// Maps directly to syslog severity values (RFC 5424).
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
pub enum AuditSeverity {
    /// System is unusable (syslog 0)
    Emergency = 0,
    /// Action must be taken immediately (syslog 1)
    Alert = 1,
    /// Critical conditions (syslog 2)
    Critical = 2,
    /// Error conditions (syslog 3)
    Error = 3,
    /// Warning conditions (syslog 4)
    Warning = 4,
    /// Normal but significant condition (syslog 5)
    Notice = 5,
    /// Informational messages (syslog 6)
    Informational = 6,
    /// Debug-level messages (syslog 7)
    Debug = 7,
}

impl AuditSeverity {
    /// Get the numeric syslog severity value (0-7)
    pub fn as_syslog_severity(&self) -> u8 {
        *self as u8
    }
}

impl std::fmt::Display for AuditSeverity {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Emergency => write!(f, "EMERGENCY"),
            Self::Alert => write!(f, "ALERT"),
            Self::Critical => write!(f, "CRITICAL"),
            Self::Error => write!(f, "ERROR"),
            Self::Warning => write!(f, "WARNING"),
            Self::Notice => write!(f, "NOTICE"),
            Self::Informational => write!(f, "INFO"),
            Self::Debug => write!(f, "DEBUG"),
        }
    }
}

/// Source information for an audit event
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct AuditSource {
    /// Client IP address
    pub ip: Option<String>,
    /// User agent string
    pub user_agent: Option<String>,
    /// Authenticated subject (user ID, service account, etc.)
    pub subject: Option<String>,
    /// Request ID for correlation
    pub request_id: Option<String>,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_audit_event_new() {
        let event = AuditEvent::new(
            AuditEventKind::AuthLoginSuccess,
            AuditSeverity::Informational,
            "test-service".to_string(),
        );
        assert_eq!(event.kind, AuditEventKind::AuthLoginSuccess);
        assert_eq!(event.service_name, "test-service");
        assert!(event.hash.is_none());
        assert_eq!(event.sequence, 0);
    }

    #[test]
    fn test_audit_event_with_http() {
        let event = AuditEvent::new(
            AuditEventKind::HttpRequest,
            AuditSeverity::Informational,
            "test-service".to_string(),
        )
        .with_http("GET".into(), "/api/v1/users".into(), Some(200), Some(42));

        assert_eq!(event.method, Some("GET".to_string()));
        assert_eq!(event.path, Some("/api/v1/users".to_string()));
        assert_eq!(event.status_code, Some(200));
        assert_eq!(event.duration_ms, Some(42));
    }

    #[test]
    fn test_audit_event_kind_display() {
        assert_eq!(
            AuditEventKind::AuthLoginSuccess.to_string(),
            "auth.login.success"
        );
        assert_eq!(AuditEventKind::HttpRequest.to_string(), "http.request");
        assert_eq!(
            AuditEventKind::Custom("user.delete".to_string()).to_string(),
            "custom.user.delete"
        );
    }

    #[test]
    fn test_audit_severity_syslog_value() {
        assert_eq!(AuditSeverity::Emergency.as_syslog_severity(), 0);
        assert_eq!(AuditSeverity::Alert.as_syslog_severity(), 1);
        assert_eq!(AuditSeverity::Informational.as_syslog_severity(), 6);
        assert_eq!(AuditSeverity::Debug.as_syslog_severity(), 7);
    }

    #[test]
    fn test_audit_event_serde_roundtrip() {
        let event = AuditEvent::new(
            AuditEventKind::AuthLoginFailed,
            AuditSeverity::Warning,
            "test".to_string(),
        )
        .with_source(AuditSource {
            ip: Some("192.168.1.1".to_string()),
            user_agent: Some("curl/8.0".to_string()),
            subject: None,
            request_id: Some("req-123".to_string()),
        });

        let json = serde_json::to_string(&event).unwrap();
        let deserialized: AuditEvent = serde_json::from_str(&json).unwrap();

        assert_eq!(deserialized.id, event.id);
        assert_eq!(deserialized.kind, AuditEventKind::AuthLoginFailed);
        assert_eq!(deserialized.source.ip, Some("192.168.1.1".to_string()));
    }
}