oxirs-core 0.3.0

Core RDF and SPARQL functionality for OxiRS - native Rust implementation with zero dependencies
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

//! Audit event types for SOC2/GDPR-compliant structured event logging.

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use uuid::Uuid;

/// The type of actor who performed an action.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum ActorType {
    /// An authenticated human user.
    User,
    /// An automated service account (e.g., a pipeline or integration).
    ServiceAccount,
    /// An internal system process (e.g., scheduled maintenance).
    System,
    /// An unauthenticated caller.
    Anonymous,
}

/// The actor who performed an action.
///
/// Captures identity information for the party responsible for the event.
/// Distinct from the data subject (who the action concerns).
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct AuditActor {
    /// Stable identifier for the actor (e.g., user ID, service account name).
    pub actor_id: String,
    /// The class of actor.
    pub actor_type: ActorType,
    /// Client IP address at the time of the action, if known.
    pub ip_address: Option<String>,
    /// Session or token identifier, if applicable.
    pub session_id: Option<String>,
}

/// The resource that was acted upon.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct AuditResource {
    /// Resource class, e.g. `"dataset"`, `"graph"`, `"query"`, `"user"`.
    pub resource_type: String,
    /// Stable identifier for the specific resource instance.
    pub resource_id: String,
    /// Tenant scope, for multi-tenant deployments.
    pub tenant_id: Option<String>,
}

/// Outcome of the audited action.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
#[serde(tag = "status", rename_all = "snake_case")]
pub enum AuditOutcome {
    /// The action completed successfully.
    Success,
    /// The action failed outright.
    Failure {
        /// Human-readable description of why the action failed.
        reason: String,
    },
    /// The action partially succeeded.
    PartialSuccess {
        /// Details about what succeeded and what did not.
        details: String,
    },
}

/// High-level category of the audited event.
///
/// Used for compliance filtering (e.g., SOC2 CC6, GDPR Article 30).
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Hash)]
#[serde(rename_all = "snake_case")]
pub enum AuditEventKind {
    /// Login, logout, token refresh, MFA challenge.
    Authentication,
    /// Access check, RBAC decision, policy evaluation.
    Authorization,
    /// SPARQL SELECT, graph read, dataset list.
    DataAccess,
    /// SPARQL UPDATE, INSERT, DELETE, CLEAR.
    DataModification,
    /// User management, dataset creation/deletion, configuration change.
    Admin,
    /// Failed authentication, rate limiting, suspicious access pattern.
    Security,
    /// Startup, shutdown, backup, restore.
    System,
}

/// A single immutable audit event record.
///
/// Once constructed via [`AuditEvent::new`], the core identity and timing fields
/// are fixed. Builder methods add optional enrichment (`with_duration`,
/// `with_metadata`, `with_data_subject`).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
    /// UUID v4 uniquely identifying this event record.
    pub event_id: String,
    /// Wall-clock time the event was recorded (UTC).
    pub timestamp: DateTime<Utc>,
    /// High-level event category.
    pub kind: AuditEventKind,
    /// Machine-readable action label, e.g. `"sparql.select"`, `"auth.login"`.
    pub action: String,
    /// Who performed the action.
    pub actor: AuditActor,
    /// What the action was performed on.
    pub resource: AuditResource,
    /// Whether the action succeeded.
    pub outcome: AuditOutcome,
    /// Elapsed time for the action, if measured.
    pub duration_ms: Option<u64>,
    /// Arbitrary key-value metadata for context (e.g., query text, bytes transferred).
    pub metadata: HashMap<String, String>,
    /// GDPR: which data subject does this event concern?
    ///
    /// Distinct from the `actor`. For example, an admin modifying another user's
    /// profile: `actor.actor_id` is the admin, `data_subject_id` is the target user.
    pub data_subject_id: Option<String>,
}

impl AuditEvent {
    /// Create a new audit event with a fresh UUID and the current UTC timestamp.
    ///
    /// The `event_id` is generated with [`Uuid::new_v4`] and `timestamp` is set
    /// to [`Utc::now()`]. All optional fields default to `None`/empty.
    pub fn new(
        kind: AuditEventKind,
        action: impl Into<String>,
        actor: AuditActor,
        resource: AuditResource,
        outcome: AuditOutcome,
    ) -> Self {
        Self {
            event_id: Uuid::new_v4().to_string(),
            timestamp: Utc::now(),
            kind,
            action: action.into(),
            actor,
            resource,
            outcome,
            duration_ms: None,
            metadata: HashMap::new(),
            data_subject_id: None,
        }
    }

    /// Attach a measured duration to this event.
    #[must_use]
    pub fn with_duration(mut self, duration_ms: u64) -> Self {
        self.duration_ms = Some(duration_ms);
        self
    }

    /// Attach a single key-value metadata entry.
    ///
    /// Can be chained to add multiple entries.
    #[must_use]
    pub fn with_metadata(mut self, key: impl Into<String>, value: impl Into<String>) -> Self {
        self.metadata.insert(key.into(), value.into());
        self
    }

    /// Associate this event with a GDPR data subject.
    ///
    /// Required for [`crate::audit::gdpr::GdprService`] to generate correct
    /// data subject reports and pseudonymisation.
    #[must_use]
    pub fn with_data_subject(mut self, subject_id: impl Into<String>) -> Self {
        self.data_subject_id = Some(subject_id.into());
        self
    }
}