enact_security/

audit.rs

//! Audit logging for security events
//!
//! Provides structured logging of security-relevant events with rotation support.

use anyhow::Result;
use chrono::{DateTime, Utc};
use parking_lot::Mutex;
use serde::{Deserialize, Serialize};
use std::fs::OpenOptions;
use std::io::Write;
use std::path::PathBuf;
use uuid::Uuid;

/// Audit event types
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditEventType {
    CommandExecution,
    FileAccess,
    ConfigChange,
    AuthSuccess,
    AuthFailure,
    PolicyViolation,
    SecurityEvent,
    ToolInvocation,
    AgentAction,
}

/// Actor information (who performed the action)
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Actor {
    pub channel: String,
    pub user_id: Option<String>,
    pub username: Option<String>,
    pub session_id: Option<String>,
}

/// Action information (what was done)
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Action {
    pub command: Option<String>,
    pub tool_name: Option<String>,
    pub risk_level: Option<String>,
    pub approved: bool,
    pub allowed: bool,
}

/// Execution result
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ExecutionResult {
    pub success: bool,
    pub exit_code: Option<i32>,
    pub duration_ms: Option<u64>,
    pub error: Option<String>,
}

/// Security context
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct SecurityContext {
    pub policy_violation: bool,
    pub rate_limit_remaining: Option<u32>,
    pub autonomy_level: Option<String>,
    pub sandbox_backend: Option<String>,
}

/// Complete audit event
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
    pub timestamp: DateTime<Utc>,
    pub event_id: String,
    pub event_type: AuditEventType,
    pub actor: Option<Actor>,
    pub action: Option<Action>,
    pub result: Option<ExecutionResult>,
    pub security: SecurityContext,
}

impl AuditEvent {
    /// Create a new audit event
    pub fn new(event_type: AuditEventType) -> Self {
        Self {
            timestamp: Utc::now(),
            event_id: Uuid::new_v4().to_string(),
            event_type,
            actor: None,
            action: None,
            result: None,
            security: SecurityContext::default(),
        }
    }

    /// Set the actor
    pub fn with_actor(mut self, actor: Actor) -> Self {
        self.actor = Some(actor);
        self
    }

    /// Set the action
    pub fn with_action(mut self, action: Action) -> Self {
        self.action = Some(action);
        self
    }

    /// Set the result
    pub fn with_result(mut self, result: ExecutionResult) -> Self {
        self.result = Some(result);
        self
    }

    /// Set security context
    pub fn with_security(mut self, security: SecurityContext) -> Self {
        self.security = security;
        self
    }

    /// Mark as policy violation
    pub fn as_violation(mut self) -> Self {
        self.security.policy_violation = true;
        self
    }
}

/// Audit logger configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditConfig {
    pub enabled: bool,
    pub log_path: String,
    pub max_size_mb: u32,
    pub retain_days: u32,
}

impl Default for AuditConfig {
    fn default() -> Self {
        Self {
            enabled: true,
            log_path: "audit.log".to_string(),
            max_size_mb: 100,
            retain_days: 90,
        }
    }
}

/// Audit logger with rotation support
pub struct AuditLogger {
    log_path: PathBuf,
    config: AuditConfig,
    #[allow(dead_code)] // reserved for batching/flush
    buffer: Mutex<Vec<AuditEvent>>,
}

impl AuditLogger {
    /// Create a new audit logger
    pub fn new(config: AuditConfig, workspace_dir: PathBuf) -> Result<Self> {
        let log_path = workspace_dir.join(&config.log_path);
        Ok(Self {
            log_path,
            config,
            buffer: Mutex::new(Vec::new()),
        })
    }

    /// Log an event
    pub fn log(&self, event: &AuditEvent) -> Result<()> {
        if !self.config.enabled {
            return Ok(());
        }

        self.rotate_if_needed()?;

        let line = serde_json::to_string(event)?;
        let mut file = OpenOptions::new()
            .create(true)
            .append(true)
            .open(&self.log_path)?;

        writeln!(file, "{}", line)?;
        file.sync_all()?;

        Ok(())
    }

    /// Log a command execution
    #[allow(clippy::too_many_arguments)]
    pub fn log_command(
        &self,
        channel: &str,
        command: &str,
        risk_level: &str,
        approved: bool,
        allowed: bool,
        success: bool,
        duration_ms: u64,
    ) -> Result<()> {
        let event = AuditEvent::new(AuditEventType::CommandExecution)
            .with_actor(Actor {
                channel: channel.to_string(),
                user_id: None,
                username: None,
                session_id: None,
            })
            .with_action(Action {
                command: Some(command.to_string()),
                tool_name: None,
                risk_level: Some(risk_level.to_string()),
                approved,
                allowed,
            })
            .with_result(ExecutionResult {
                success,
                exit_code: None,
                duration_ms: Some(duration_ms),
                error: None,
            });

        self.log(&event)
    }

    /// Log a tool invocation
    pub fn log_tool(
        &self,
        channel: &str,
        tool_name: &str,
        allowed: bool,
        success: bool,
        duration_ms: u64,
        error: Option<&str>,
    ) -> Result<()> {
        let event = AuditEvent::new(AuditEventType::ToolInvocation)
            .with_actor(Actor {
                channel: channel.to_string(),
                user_id: None,
                username: None,
                session_id: None,
            })
            .with_action(Action {
                command: None,
                tool_name: Some(tool_name.to_string()),
                risk_level: None,
                approved: true,
                allowed,
            })
            .with_result(ExecutionResult {
                success,
                exit_code: None,
                duration_ms: Some(duration_ms),
                error: error.map(String::from),
            });

        self.log(&event)
    }

    /// Log a policy violation
    pub fn log_violation(&self, channel: &str, description: &str) -> Result<()> {
        let event = AuditEvent::new(AuditEventType::PolicyViolation)
            .with_actor(Actor {
                channel: channel.to_string(),
                user_id: None,
                username: None,
                session_id: None,
            })
            .with_action(Action {
                command: Some(description.to_string()),
                tool_name: None,
                risk_level: Some("high".to_string()),
                approved: false,
                allowed: false,
            })
            .as_violation();

        self.log(&event)
    }

    /// Check if rotation is needed
    fn rotate_if_needed(&self) -> Result<()> {
        if let Ok(metadata) = std::fs::metadata(&self.log_path) {
            let current_size_mb = metadata.len() / (1024 * 1024);
            if current_size_mb >= u64::from(self.config.max_size_mb) {
                self.rotate()?;
            }
        }
        Ok(())
    }

    /// Rotate the log file
    fn rotate(&self) -> Result<()> {
        for i in (1..10).rev() {
            let old_name = format!("{}.{}.log", self.log_path.display(), i);
            let new_name = format!("{}.{}.log", self.log_path.display(), i + 1);
            let _ = std::fs::rename(&old_name, &new_name);
        }

        let rotated = format!("{}.1.log", self.log_path.display());
        std::fs::rename(&self.log_path, &rotated)?;
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::TempDir;

    #[test]
    fn audit_event_new_creates_unique_id() {
        let event1 = AuditEvent::new(AuditEventType::CommandExecution);
        let event2 = AuditEvent::new(AuditEventType::CommandExecution);
        assert_ne!(event1.event_id, event2.event_id);
    }

    #[test]
    fn audit_event_serializes_to_json() {
        let event = AuditEvent::new(AuditEventType::CommandExecution)
            .with_actor(Actor {
                channel: "telegram".to_string(),
                user_id: None,
                username: None,
                session_id: None,
            })
            .with_action(Action {
                command: Some("ls".to_string()),
                tool_name: None,
                risk_level: Some("low".to_string()),
                approved: false,
                allowed: true,
            });

        let json = serde_json::to_string(&event);
        assert!(json.is_ok());
    }

    #[test]
    fn audit_logger_disabled_does_not_create_file() -> Result<()> {
        let tmp = TempDir::new()?;
        let config = AuditConfig {
            enabled: false,
            ..Default::default()
        };
        let logger = AuditLogger::new(config, tmp.path().to_path_buf())?;
        let event = AuditEvent::new(AuditEventType::CommandExecution);

        logger.log(&event)?;

        assert!(!tmp.path().join("audit.log").exists());
        Ok(())
    }

    #[test]
    fn audit_logger_writes_event_when_enabled() -> Result<()> {
        let tmp = TempDir::new()?;
        let config = AuditConfig {
            enabled: true,
            max_size_mb: 10,
            ..Default::default()
        };
        let logger = AuditLogger::new(config, tmp.path().to_path_buf())?;

        logger.log_command("cli", "ls", "low", false, true, true, 15)?;

        let log_path = tmp.path().join("audit.log");
        assert!(log_path.exists());

        let content = std::fs::read_to_string(&log_path)?;
        assert!(!content.is_empty());
        Ok(())
    }
}