iven/erp
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(audit): Q2 Chunk 3 — 审计日志补全

Browse Source 
- 登录成功/失败均写入审计日志(含 IP、User-Agent)
- 登出、密码修改添加审计日志
- 用户/角色 update 记录变更前后值(old_value/new_value)
- 插件数据 CRUD(create/update/delete)添加审计日志
- auth handler 提取 X-Forwarded-For/X-Real-IP/User-Agent
This commit is contained in:
iven
2026-04-17 19:21:43 +08:00
parent 080d2cb3d6
commit 7c14bf83ca
5 changed files with 139 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
crates/erp-auth/src/handler/auth_handler.rs
View File

@@ -1,5 +1,6 @@
use axum::Extension;
use axum::extract::{FromRef, State};
use axum::http::HeaderMap;
use axum::response::Json;
use validator::Validate;
@@ -8,7 +9,21 @@ use erp_core::types::{ApiResponse, TenantContext};
use crate::auth_state::AuthState;
use crate::dto::{ChangePasswordReq, LoginReq, LoginResp, RefreshReq};
use crate::service::auth_service::{AuthService, JwtConfig};
use crate::service::auth_service::{AuthService, JwtConfig, RequestInfo};
/// 从请求头中提取客户端信息。
fn extract_request_info(headers: &HeaderMap) -> RequestInfo {
let ip = headers
.get("x-forwarded-for")
.or_else(|| headers.get("x-real-ip"))
.and_then(|v| v.to_str().ok())
.map(|s| s.split(',').next().unwrap_or(s).trim().to_string());
let user_agent = headers
.get("user-agent")
.and_then(|v| v.to_str().ok())
.map(|s| s.to_string());
RequestInfo { ip, user_agent }
}
#[utoipa::path(
post,
@@ -29,6 +44,7 @@ use crate::service::auth_service::{AuthService, JwtConfig};
/// In production, this will come from a tenant-resolution middleware.
pub async fn login<S>(
State(state): State<AuthState>,
headers: HeaderMap,
Json(req): Json<LoginReq>,
) -> Result<Json<ApiResponse<LoginResp>>, AppError>
where
@@ -38,6 +54,7 @@ where
req.validate()
.map_err(|e| AppError::Validation(e.to_string()))?;
let req_info = extract_request_info(&headers);
let tenant_id = state.default_tenant_id;
let jwt_config = JwtConfig {
@@ -53,6 +70,7 @@ where
&state.db,
&jwt_config,
&state.event_bus,
Some(&req_info),
)
.await?;
@@ -108,13 +126,15 @@ where
/// logging them out on all devices.
pub async fn logout<S>(
State(state): State<AuthState>,
headers: HeaderMap,
Extension(ctx): Extension<TenantContext>,
) -> Result<Json<ApiResponse<()>>, AppError>
where
AuthState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
AuthService::logout(ctx.user_id, ctx.tenant_id, &state.db).await?;
let req_info = extract_request_info(&headers);
AuthService::logout(ctx.user_id, ctx.tenant_id, &state.db, Some(&req_info)).await?;
Ok(Json(ApiResponse {
success: true,
@@ -141,6 +161,7 @@ where
/// 用户需要在所有设备上重新登录。
pub async fn change_password<S>(
State(state): State<AuthState>,
headers: HeaderMap,
Extension(ctx): Extension<TenantContext>,
Json(req): Json<ChangePasswordReq>,
) -> Result<Json<ApiResponse<()>>, AppError>
@@ -151,12 +172,14 @@ where
req.validate()
.map_err(|e| AppError::Validation(e.to_string()))?;
let req_info = extract_request_info(&headers);
AuthService::change_password(
ctx.user_id,
ctx.tenant_id,
&req.current_password,
&req.new_password,
&state.db,
Some(&req_info),
)
.await?;

80
crates/erp-auth/src/service/auth_service.rs
View File

@@ -5,6 +5,8 @@ use uuid::Uuid;
use crate::dto::{LoginResp, RoleResp, UserResp};
use crate::entity::{role, user, user_credential, user_role};
use crate::error::AuthError;
use erp_core::audit::AuditLog;
use erp_core::audit_service;
use erp_core::events::EventBus;
use crate::error::AuthResult;
@@ -12,6 +14,12 @@ use crate::error::AuthResult;
use super::password;
use super::token_service::TokenService;
/// 请求来源信息,用于审计日志记录。
pub struct RequestInfo {
pub ip: Option<String>,
pub user_agent: Option<String>,
}
/// JWT configuration needed for token signing.
pub struct JwtConfig<'a> {
pub secret: &'a str,
@@ -41,16 +49,32 @@ impl AuthService {
db: &sea_orm::DatabaseConnection,
jwt: &JwtConfig<'_>,
event_bus: &EventBus,
req_info: Option<&RequestInfo>,
) -> AuthResult<LoginResp> {
// 1. Find user by tenant_id + username
let user_model = user::Entity::find()
let user_model = match user::Entity::find()
.filter(user::Column::TenantId.eq(tenant_id))
.filter(user::Column::Username.eq(username))
.filter(user::Column::DeletedAt.is_null())
.one(db)
.await
.map_err(|e| AuthError::Validation(e.to_string()))?
.ok_or(AuthError::InvalidCredentials)?;
{
Some(m) => m,
None => {
// 审计:用户不存在(登录失败)
audit_service::record(
AuditLog::new(tenant_id, None, "user.login_failed", "user")
.with_request_info(
req_info.as_ref().and_then(|r| r.ip.clone()),
req_info.as_ref().and_then(|r| r.user_agent.clone()),
),
db,
)
.await;
return Err(AuthError::InvalidCredentials);
}
};
// 2. Check user status
if user_model.status != "active" {
@@ -75,6 +99,16 @@ impl AuthService {
.ok_or(AuthError::InvalidCredentials)?;
if !password::verify_password(password_plain, stored_hash)? {
// 审计:密码错误(登录失败)
audit_service::record(
AuditLog::new(tenant_id, Some(user_model.id), "user.login_failed", "user")
.with_request_info(
req_info.as_ref().and_then(|r| r.ip.clone()),
req_info.as_ref().and_then(|r| r.user_agent.clone()),
),
db,
)
.await;
return Err(AuthError::InvalidCredentials);
}
@@ -130,6 +164,18 @@ impl AuthService {
serde_json::json!({ "user_id": user_model.id, "username": user_model.username }),
), db).await;
// 审计:登录成功
audit_service::record(
AuditLog::new(tenant_id, Some(user_model.id), "user.login", "user")
.with_resource_id(user_model.id)
.with_request_info(
req_info.as_ref().and_then(|r| r.ip.clone()),
req_info.as_ref().and_then(|r| r.user_agent.clone()),
),
db,
)
.await;
Ok(LoginResp {
access_token,
refresh_token,
@@ -217,8 +263,23 @@ impl AuthService {
user_id: Uuid,
tenant_id: Uuid,
db: &sea_orm::DatabaseConnection,
req_info: Option<&RequestInfo>,
) -> AuthResult<()> {
TokenService::revoke_all_user_tokens(user_id, tenant_id, db).await
TokenService::revoke_all_user_tokens(user_id, tenant_id, db).await?;
// 审计:登出
audit_service::record(
AuditLog::new(tenant_id, Some(user_id), "user.logout", "user")
.with_resource_id(user_id)
.with_request_info(
req_info.as_ref().and_then(|r| r.ip.clone()),
req_info.as_ref().and_then(|r| r.user_agent.clone()),
),
db,
)
.await;
Ok(())
}
/// Change password for the authenticated user.
@@ -234,6 +295,7 @@ impl AuthService {
current_password: &str,
new_password: &str,
db: &sea_orm::DatabaseConnection,
req_info: Option<&RequestInfo>,
) -> AuthResult<()> {
// 1. Find the user's password credential
let cred = user_credential::Entity::find()
@@ -271,6 +333,18 @@ impl AuthService {
// 4. Revoke all refresh tokens — force re-login on all devices
TokenService::revoke_all_user_tokens(user_id, tenant_id, db).await?;
// 审计:密码修改
audit_service::record(
AuditLog::new(tenant_id, Some(user_id), "user.change_password", "user")
.with_resource_id(user_id)
.with_request_info(
req_info.as_ref().and_then(|r| r.ip.clone()),
req_info.as_ref().and_then(|r| r.user_agent.clone()),
),
db,
)
.await;
tracing::info!(user_id = %user_id, "Password changed successfully");
Ok(())
}

8
crates/erp-auth/src/service/role_service.rs
View File

@@ -171,6 +171,8 @@ impl RoleService {
.filter(|r| r.tenant_id == tenant_id && r.deleted_at.is_none())
.ok_or_else(|| AuthError::Validation("角色不存在".to_string()))?;
let old_json = serde_json::to_value(&model).unwrap_or(serde_json::Value::Null);
let next_ver = check_version(version, model.version)
.map_err(|e| AuthError::Validation(e.to_string()))?;
@@ -192,8 +194,12 @@ impl RoleService {
.await
.map_err(|e| AuthError::Validation(e.to_string()))?;
let new_json = serde_json::to_value(&updated).unwrap_or(serde_json::Value::Null);
audit_service::record(
AuditLog::new(tenant_id, Some(operator_id), "role.update", "role").with_resource_id(id),
AuditLog::new(tenant_id, Some(operator_id), "role.update", "role")
.with_resource_id(id)
.with_changes(Some(old_json), Some(new_json)),
db,
)
.await;

8
crates/erp-auth/src/service/user_service.rs
View File

@@ -204,6 +204,8 @@ impl UserService {
.map_err(|e| AuthError::Validation(e.to_string()))?
.ok_or_else(|| AuthError::Validation("用户不存在".to_string()))?;
let old_json = serde_json::to_value(&user_model).unwrap_or(serde_json::Value::Null);
let next_ver = check_version(req.version, user_model.version)
.map_err(|e| AuthError::Validation(e.to_string()))?;
@@ -233,8 +235,12 @@ impl UserService {
.await
.map_err(|e| AuthError::Validation(e.to_string()))?;
let new_json = serde_json::to_value(&updated).unwrap_or(serde_json::Value::Null);
audit_service::record(
AuditLog::new(tenant_id, Some(operator_id), "user.update", "user").with_resource_id(id),
AuditLog::new(tenant_id, Some(operator_id), "user.update", "user")
.with_resource_id(id)
.with_changes(Some(old_json), Some(new_json)),
db,
)
.await;

23
crates/erp-plugin/src/data_service.rs
View File

@@ -1,6 +1,8 @@
use sea_orm::{ColumnTrait, ConnectionTrait, EntityTrait, FromQueryResult, QueryFilter, Statement};
use uuid::Uuid;
use erp_core::audit::{AuditLog};
use erp_core::audit_service;
use erp_core::error::{AppError, AppResult};
use erp_core::events::EventBus;
@@ -51,6 +53,13 @@ impl PluginDataService {
.await?
.ok_or_else(|| PluginError::DatabaseError("INSERT 未返回结果".to_string()))?;
audit_service::record(
AuditLog::new(tenant_id, Some(operator_id), "plugin.data.create", entity_name)
.with_resource_id(result.id),
db,
)
.await;
Ok(PluginDataResp {
id: result.id.to_string(),
data: result.data,
@@ -243,6 +252,13 @@ impl PluginDataService {
.await?
.ok_or_else(|| AppError::VersionMismatch)?;
audit_service::record(
AuditLog::new(tenant_id, Some(operator_id), "plugin.data.update", entity_name)
.with_resource_id(id),
db,
)
.await;
Ok(PluginDataResp {
id: result.id.to_string(),
data: result.data,
@@ -369,6 +385,13 @@ impl PluginDataService {
))
.await?;
audit_service::record(
AuditLog::new(tenant_id, None, "plugin.data.delete", entity_name)
.with_resource_id(id),
db,
)
.await;
Ok(())
}