arbiter-audit 0.0.20

Structured audit logging with argument redaction for the Arbiter proxy
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264

//! In-memory audit statistics tracker.
//!
//! Maintains lightweight per-session counters for denied requests and
//! anomaly detections. Updated on each audit entry write. Queryable
//! by session ID for session close summaries.

use std::collections::HashMap;
use std::sync::Arc;
use std::sync::atomic::{AtomicU64, Ordering};
use tokio::sync::RwLock;

/// Per-session audit statistics.
#[derive(Debug, Default)]
struct SessionCounters {
    denied: AtomicU64,
    anomalies: AtomicU64,
}

/// Queryable audit statistics returned to callers.
#[derive(Debug, Clone, Default)]
pub struct SessionAuditStats {
    pub denied_count: u64,
    pub anomaly_count: u64,
}

/// Aggregated audit statistics across all tracked sessions.
#[derive(Debug, Clone, Default)]
pub struct AggregateAuditStats {
    pub total_denied: u64,
    pub total_anomalies: u64,
    pub sessions_with_anomalies: u64,
    pub sessions_with_denials: u64,
    /// Per-session stats keyed by session ID.
    pub per_session: Vec<(String, SessionAuditStats)>,
}

/// Thread-safe audit stats tracker, shared between the audit write path
/// and the session close query path.
#[derive(Clone, Default)]
pub struct AuditStats {
    sessions: Arc<RwLock<HashMap<String, Arc<SessionCounters>>>>,
}

impl AuditStats {
    pub fn new() -> Self {
        Self::default()
    }

    /// Record an audit entry. Inspects the entry to update per-session counters.
    pub async fn record(&self, entry: &crate::entry::AuditEntry) {
        if entry.task_session_id.is_empty() {
            return;
        }

        let counters = {
            let sessions = self.sessions.read().await;
            sessions.get(&entry.task_session_id).cloned()
        };

        let counters = match counters {
            Some(c) => c,
            None => {
                let mut sessions = self.sessions.write().await;
                sessions
                    .entry(entry.task_session_id.clone())
                    .or_insert_with(|| Arc::new(SessionCounters::default()))
                    .clone()
            }
        };

        if entry.authorization_decision == "deny" {
            counters.denied.fetch_add(1, Ordering::Relaxed);
        }

        if !entry.anomaly_flags.is_empty() {
            counters.anomalies.fetch_add(1, Ordering::Relaxed);
        }
    }

    /// Query stats for a specific session.
    pub async fn stats_for_session(&self, session_id: &str) -> SessionAuditStats {
        let sessions = self.sessions.read().await;
        match sessions.get(session_id) {
            Some(counters) => SessionAuditStats {
                denied_count: counters.denied.load(Ordering::Relaxed),
                anomaly_count: counters.anomalies.load(Ordering::Relaxed),
            },
            None => SessionAuditStats::default(),
        }
    }

    /// Remove stats for a session (called after session close to prevent unbounded growth).
    pub async fn remove_session(&self, session_id: &str) {
        let mut sessions = self.sessions.write().await;
        sessions.remove(session_id);
    }

    /// Aggregate stats across all tracked sessions. Returns totals and counts
    /// of sessions that have anomalies or denials.
    pub async fn aggregate(&self) -> AggregateAuditStats {
        let sessions = self.sessions.read().await;
        let mut total_denied: u64 = 0;
        let mut total_anomalies: u64 = 0;
        let mut sessions_with_anomalies: u64 = 0;
        let mut sessions_with_denials: u64 = 0;
        let mut per_session = Vec::with_capacity(sessions.len());

        for (session_id, counters) in sessions.iter() {
            let denied = counters.denied.load(Ordering::Relaxed);
            let anomalies = counters.anomalies.load(Ordering::Relaxed);
            total_denied += denied;
            total_anomalies += anomalies;
            if anomalies > 0 {
                sessions_with_anomalies += 1;
            }
            if denied > 0 {
                sessions_with_denials += 1;
            }
            per_session.push((
                session_id.clone(),
                SessionAuditStats {
                    denied_count: denied,
                    anomaly_count: anomalies,
                },
            ));
        }

        AggregateAuditStats {
            total_denied,
            total_anomalies,
            sessions_with_anomalies,
            sessions_with_denials,
            per_session,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::entry::AuditEntry;
    use uuid::Uuid;

    #[tokio::test]
    async fn tracks_denied_and_anomalies() {
        let stats = AuditStats::new();
        let session_id = Uuid::new_v4().to_string();

        // Allowed request, no counters increment.
        let mut entry = AuditEntry::new(Uuid::new_v4());
        entry.task_session_id = session_id.clone();
        entry.authorization_decision = "allow".into();
        stats.record(&entry).await;

        // Denied request.
        let mut entry = AuditEntry::new(Uuid::new_v4());
        entry.task_session_id = session_id.clone();
        entry.authorization_decision = "deny".into();
        stats.record(&entry).await;

        // Another denied request with anomaly flag.
        let mut entry = AuditEntry::new(Uuid::new_v4());
        entry.task_session_id = session_id.clone();
        entry.authorization_decision = "deny".into();
        entry.anomaly_flags = vec!["suspicious".into()];
        stats.record(&entry).await;

        let result = stats.stats_for_session(&session_id).await;
        assert_eq!(result.denied_count, 2);
        assert_eq!(result.anomaly_count, 1);
    }

    #[tokio::test]
    async fn unknown_session_returns_zero() {
        let stats = AuditStats::new();
        let result = stats.stats_for_session("nonexistent").await;
        assert_eq!(result.denied_count, 0);
        assert_eq!(result.anomaly_count, 0);
    }

    #[tokio::test]
    async fn remove_session_cleans_up() {
        let stats = AuditStats::new();
        let session_id = Uuid::new_v4().to_string();

        let mut entry = AuditEntry::new(Uuid::new_v4());
        entry.task_session_id = session_id.clone();
        entry.authorization_decision = "deny".into();
        stats.record(&entry).await;

        stats.remove_session(&session_id).await;
        let result = stats.stats_for_session(&session_id).await;
        assert_eq!(result.denied_count, 0);
    }

    // -----------------------------------------------------------------------
    // Unbounded memory growth in audit stats map
    // -----------------------------------------------------------------------

    /// Create 1000 unique session IDs and record entries for each. Verify
    /// that aggregate() returns correct totals. This documents the growth
    /// behavior: without remove_session(), the map grows monotonically.
    /// Also verify that remove_session() can reclaim entries.
    #[tokio::test]
    async fn stats_growth_with_many_sessions() {
        let stats = AuditStats::new();
        let session_count = 1000;

        let mut session_ids = Vec::with_capacity(session_count);
        for i in 0..session_count {
            let session_id = format!("session-{}", i);
            session_ids.push(session_id.clone());

            let mut entry = AuditEntry::new(Uuid::new_v4());
            entry.task_session_id = session_id;
            entry.authorization_decision = "deny".into();
            entry.anomaly_flags = if i % 3 == 0 {
                vec!["anomaly".into()]
            } else {
                vec![]
            };
            stats.record(&entry).await;
        }

        // Verify aggregate returns correct totals.
        let agg = stats.aggregate().await;
        assert_eq!(
            agg.per_session.len(),
            session_count,
            "all {} sessions must be tracked",
            session_count
        );
        assert_eq!(
            agg.total_denied, session_count as u64,
            "every session had one denied entry"
        );
        assert_eq!(
            agg.sessions_with_denials, session_count as u64,
            "all sessions have denials"
        );
        // Every 3rd session (i % 3 == 0) has an anomaly: 0, 3, 6, ..., 999
        // That's ceil(1000/3) = 334 sessions.
        let expected_anomaly_sessions = (0..session_count).filter(|i| i % 3 == 0).count() as u64;
        assert_eq!(
            agg.sessions_with_anomalies, expected_anomaly_sessions,
            "every 3rd session should have anomaly flag"
        );
        assert_eq!(
            agg.total_anomalies, expected_anomaly_sessions,
            "one anomaly entry per anomaly session"
        );

        // Verify that removing sessions reduces the map size.
        for session_id in &session_ids[..500] {
            stats.remove_session(session_id).await;
        }
        let agg_after = stats.aggregate().await;
        assert_eq!(
            agg_after.per_session.len(),
            500,
            "after removing 500 sessions, 500 must remain"
        );
    }
}