auditlog 0.1.0

Audit trail for your data models — an ORM-agnostic core with a pluggable, async sqlx backend (SQLite & Postgres).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306

//! The `audited_changes` payload and the rules for computing it.
//!
//! This is the single most correctness-sensitive part of auditlog. The shape of the change set
//! depends on the [`Action`]:
//!
//! | Action  | Shape                                  |
//! |---------|----------------------------------------|
//! | Create  | `{ column: value }` (single values)    |
//! | Update  | `{ column: [old, new] }` (2-elem pairs)|
//! | Destroy | `{ column: value }` (single values)    |
//!
//! Because a create/destroy snapshot value may *itself* be a JSON array (an array-typed column),
//! the stored form is ambiguous on its own — it can only be interpreted with knowledge of the
//! row's `action`. All accessors therefore take an [`Action`].

use indexmap::IndexMap;
use serde::{Deserialize, Serialize};
use serde_json::Value;

use crate::action::Action;

/// An ordered map of column name to JSON value.
pub type ValueMap = IndexMap<String, Value>;

/// The default placeholder used for redacted columns (`audited redacted: ...`).
pub const REDACTED: &str = "[REDACTED]";

/// The placeholder used for encrypted attributes (distinct from [`REDACTED`]).
pub const FILTERED: &str = "[FILTERED]";

/// The serialized `audited_changes` payload of one audit.
///
/// Stored verbatim as a JSON object. Use [`AuditedChanges::new_attributes`] /
/// [`AuditedChanges::old_attributes`] / [`AuditedChanges::typed`] (all action-aware) to interpret
/// it.
#[derive(Clone, Debug, Default, PartialEq, Serialize, Deserialize)]
#[serde(transparent)]
pub struct AuditedChanges(pub ValueMap);

/// A single interpreted change entry.
#[derive(Clone, Debug, PartialEq)]
pub enum ChangeValue {
    /// A single value (create/destroy snapshot, or a legacy single-value update).
    Set(Value),
    /// An update pair `(old, new)`.
    Update(Value, Value),
}

impl AuditedChanges {
    /// An empty change set.
    pub fn empty() -> Self {
        AuditedChanges(IndexMap::new())
    }

    /// Build directly from a value map (values interpreted per the eventual action).
    pub fn from_map(map: ValueMap) -> Self {
        AuditedChanges(map)
    }

    /// Snapshot form used by `create` and `destroy`: every value stored as-is.
    pub fn snapshot(attrs: ValueMap) -> Self {
        AuditedChanges(attrs)
    }

    /// Diff form used by `update`: for every column whose value differs between `old` and `new`,
    /// store `[old, new]`. Column order follows `new`. A column present in `new` but missing in
    /// `old` is treated as having an old value of `null`.
    ///
    /// Equality uses [`serde_json::Value`] equality, which compares already-type-cast values — so
    /// `0` vs `"0"` *do* differ here. Callers are expected to feed already-normalized attribute
    /// maps (the same normalization their column would produce), so dirty tracking operates on
    /// type-cast values.
    pub fn diff(old: &ValueMap, new: &ValueMap) -> Self {
        let mut out = IndexMap::new();
        for (key, new_val) in new {
            let old_val = old.get(key);
            if old_val != Some(new_val) {
                let old_val = old_val.cloned().unwrap_or(Value::Null);
                out.insert(key.clone(), Value::Array(vec![old_val, new_val.clone()]));
            }
        }
        AuditedChanges(out)
    }

    /// Whether there are no recorded changes.
    pub fn is_empty(&self) -> bool {
        self.0.is_empty()
    }

    /// Number of changed columns.
    pub fn len(&self) -> usize {
        self.0.len()
    }

    /// Iterate raw `(column, stored_value)` entries.
    pub fn iter(&self) -> impl Iterator<Item = (&String, &Value)> {
        self.0.iter()
    }

    /// Whether a column is present.
    pub fn contains(&self, key: &str) -> bool {
        self.0.contains_key(key)
    }

    /// The new value of `column`, interpreted for `action`.
    pub fn new_value(&self, action: Action, column: &str) -> Option<Value> {
        self.0.get(column).map(|v| new_of(action, v))
    }

    /// The old value of `column`, interpreted for `action`.
    pub fn old_value(&self, action: Action, column: &str) -> Option<Value> {
        self.0.get(column).map(|v| old_of(action, v))
    }

    /// The changed attributes paired with their *new* values.
    pub fn new_attributes(&self, action: Action) -> ValueMap {
        self.0
            .iter()
            .map(|(k, v)| (k.clone(), new_of(action, v)))
            .collect()
    }

    /// The changed attributes paired with their *old* values.
    pub fn old_attributes(&self, action: Action) -> ValueMap {
        self.0
            .iter()
            .map(|(k, v)| (k.clone(), old_of(action, v)))
            .collect()
    }

    /// Interpret the whole change set into typed [`ChangeValue`]s.
    pub fn typed(&self, action: Action) -> IndexMap<String, ChangeValue> {
        self.0
            .iter()
            .map(|(k, v)| (k.clone(), typed_of(action, v)))
            .collect()
    }

    /// Replace the values of any listed columns with `placeholder`. If the stored value is an
    /// array (an update `[old, new]` pair *or* an array-typed snapshot column) each element is
    /// replaced, preserving arity; otherwise the single value is replaced. Columns not present are
    /// ignored. Used for both `redacted` and encrypted-attribute filtering.
    pub(crate) fn mask(&mut self, columns: &[String], placeholder: &Value) {
        for col in columns {
            if let Some(slot) = self.0.get_mut(col) {
                *slot = match slot {
                    Value::Array(items) => {
                        Value::Array(items.iter().map(|_| placeholder.clone()).collect())
                    }
                    _ => placeholder.clone(),
                };
            }
        }
    }

    /// Merge `other` on top of `self`, later keys winning. This is the merge applied when
    /// `combine_audits` folds several change sets into one.
    pub(crate) fn merge_in(&mut self, other: &AuditedChanges) {
        for (k, v) in &other.0 {
            self.0.insert(k.clone(), v.clone());
        }
    }
}

fn new_of(action: Action, v: &Value) -> Value {
    if action.is_update() {
        match v {
            Value::Array(items) if items.len() == 2 => items[1].clone(),
            other => other.clone(), // legacy single-value tolerance
        }
    } else {
        v.clone()
    }
}

fn old_of(action: Action, v: &Value) -> Value {
    if action.is_update() {
        match v {
            Value::Array(items) if items.len() == 2 => items[0].clone(),
            other => other.clone(),
        }
    } else {
        v.clone()
    }
}

fn typed_of(action: Action, v: &Value) -> ChangeValue {
    if action.is_update()
        && let Value::Array(items) = v
        && items.len() == 2
    {
        return ChangeValue::Update(items[0].clone(), items[1].clone());
    }
    ChangeValue::Set(v.clone())
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::json;

    fn map(pairs: &[(&str, Value)]) -> ValueMap {
        pairs
            .iter()
            .map(|(k, v)| (k.to_string(), v.clone()))
            .collect()
    }

    #[test]
    fn create_snapshot_is_single_values() {
        let c = AuditedChanges::snapshot(map(&[("name", json!("Brandon")), ("status", json!(1))]));
        assert_eq!(
            c.new_attributes(Action::Create),
            map(&[("name", json!("Brandon")), ("status", json!(1))])
        );
        assert_eq!(
            c.old_attributes(Action::Create),
            map(&[("name", json!("Brandon")), ("status", json!(1))])
        );
    }

    #[test]
    fn update_diff_is_pairs() {
        let old = map(&[("name", json!("Brandon")), ("age", json!(30))]);
        let new = map(&[("name", json!("Changed")), ("age", json!(30))]);
        let c = AuditedChanges::diff(&old, &new);
        assert_eq!(c.len(), 1);
        assert_eq!(c.0.get("name"), Some(&json!(["Brandon", "Changed"])));
        assert_eq!(
            c.new_attributes(Action::Update),
            map(&[("name", json!("Changed"))])
        );
        assert_eq!(
            c.old_attributes(Action::Update),
            map(&[("name", json!("Brandon"))])
        );
    }

    #[test]
    fn typecast_equal_values_are_not_a_change() {
        // identical JSON values produce no diff entry
        let old = map(&[("logins", json!(0))]);
        let new = map(&[("logins", json!(0))]);
        assert!(AuditedChanges::diff(&old, &new).is_empty());
    }

    #[test]
    fn destroy_snapshot_like_create() {
        let c = AuditedChanges::snapshot(map(&[("name", json!("Brandon"))]));
        assert_eq!(
            c.new_attributes(Action::Destroy),
            map(&[("name", json!("Brandon"))])
        );
    }

    #[test]
    fn mask_update_redacts_both_sides() {
        let mut c = AuditedChanges::diff(
            &map(&[("password", json!("old"))]),
            &map(&[("password", json!("new"))]),
        );
        c.mask(&["password".to_string()], &json!(REDACTED));
        assert_eq!(
            c.0.get("password"),
            Some(&json!(["[REDACTED]", "[REDACTED]"]))
        );
    }

    #[test]
    fn mask_create_redacts_single() {
        let mut c = AuditedChanges::snapshot(map(&[("password", json!("secret"))]));
        c.mask(&["password".to_string()], &json!(REDACTED));
        assert_eq!(c.0.get("password"), Some(&json!("[REDACTED]")));
    }

    #[test]
    fn mask_array_typed_snapshot_is_element_wise() {
        // a snapshot of an array-typed column must keep its arity after masking
        let mut c = AuditedChanges::snapshot(map(&[("tags", json!(["a", "b", "c"]))]));
        c.mask(&["tags".to_string()], &json!(REDACTED));
        assert_eq!(
            c.0.get("tags"),
            Some(&json!(["[REDACTED]", "[REDACTED]", "[REDACTED]"]))
        );
    }

    #[test]
    fn merge_later_wins() {
        let mut a = AuditedChanges::snapshot(map(&[
            ("name", json!("Foobar")),
            ("username", json!("brandon")),
        ]));
        let b = AuditedChanges::from_map(map(&[("name", json!(["Foobar", "Awesome"]))]));
        a.merge_in(&b);
        assert_eq!(a.0.get("name"), Some(&json!(["Foobar", "Awesome"])));
        assert_eq!(a.0.get("username"), Some(&json!("brandon")));
    }

    #[test]
    fn legacy_single_value_update_tolerated() {
        // old storage format: update stored only the new scalar, not a pair
        let c = AuditedChanges::from_map(map(&[("name", json!("value"))]));
        assert_eq!(c.new_value(Action::Update, "name"), Some(json!("value")));
        assert_eq!(c.old_value(Action::Update, "name"), Some(json!("value")));
    }
}