pollutri
/
res_levis_API
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
12 Incheckningar
4 Grenar
203 MiB
 
 
 
 
Träd: 468980024b
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '468980024b'
${ noResults }
res_levis_API/audit.py

130 rader
3.9 KiB
Blame Historik 

  1. import json

  2. import time

  3. import logging

  4. from datetime import datetime, timezone

  5. from typing import Any, Dict, Optional

  6. 

  7. from fastapi import Request

  8. from starlette.middleware.base import BaseHTTPMiddleware

  9. from jose import jwt

  10. 

  11. from security import _get_key, KEYCLOAK_ISSUER, ALGORITHMS

  12. 

  13. audit_logger = logging.getLogger("audit")

  14. audit_logger.setLevel(logging.INFO)

  15. 

  16. 

  17. def _ts_minute_utc() -> str:

  18.     # formato: 2025-12-12 15:47 (UTC)

  19.     return datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M")

  20. 

  21. 

  22. def _compact_json(obj: Any, max_len: int = 2000) -> str:

  23.     try:

  24.         s = json.dumps(obj, ensure_ascii=False, separators=(",", ":"))

  25.     except Exception:

  26.         s = str(obj)

  27.     if len(s) > max_len:

  28.         return s[:max_len] + "...(truncated)"

  29.     return s

  30. 

  31. 

  32. async def _user_from_bearer(request: Request) -> Optional[str]:

  33.     auth = request.headers.get("authorization", "")

  34.     if not auth.lower().startswith("bearer "):

  35.         return None

  36.     token = auth.split(" ", 1)[1].strip()

  37. 

  38.     try:

  39.         key = await _get_key(token)

  40.         claims = jwt.decode(

  41.             token,

  42.             key,

  43.             algorithms=ALGORITHMS,

  44.             issuer=KEYCLOAK_ISSUER,

  45.             options={"verify_aud": False, "verify_iss": True},

  46.         )

  47.         return (

  48.             claims.get("preferred_username")

  49.             or claims.get("username")

  50.             or claims.get("email")

  51.         )

  52.     except Exception:

  53.         return None

  54. 

  55. 

  56. async def _read_request_body_if_any(request: Request) -> Optional[str]:

  57.     # logga solo metodi che tipicamente hanno body

  58.     if request.method not in ("POST", "PUT", "PATCH", "DELETE"):

  59.         return None

  60. 

  61.     ctype = (request.headers.get("content-type") or "").lower()

  62.     if not ctype:

  63.         return None

  64. 

  65.     # Evita file upload / form-data grossi

  66.     if "multipart/form-data" in ctype:

  67.         return "<multipart/form-data omitted>"

  68. 

  69.     try:

  70.         raw = await request.body()

  71.         if not raw:

  72.             return None

  73. 

  74.         # Prova JSON

  75.         if "application/json" in ctype:

  76.             try:

  77.                 return _compact_json(json.loads(raw.decode("utf-8", errors="replace")))

  78.             except Exception:

  79.                 # se non parseabile, logga raw truncato

  80.                 txt = raw.decode("utf-8", errors="replace")

  81.                 return (txt[:2000] + "...(truncated)") if len(txt) > 2000 else txt

  82. 

  83.         # Testo semplice

  84.         if "text/" in ctype or "application/x-www-form-urlencoded" in ctype:

  85.             txt = raw.decode("utf-8", errors="replace")

  86.             return (txt[:2000] + "...(truncated)") if len(txt) > 2000 else txt

  87. 

  88.         # Altro (binary)

  89.         return f"<body omitted content-type={ctype} bytes={len(raw)}>"

  90.     except Exception:

  91.         return "<body read error>"

  92. 

  93. 

  94. class AuditMiddleware(BaseHTTPMiddleware):

  95.     async def dispatch(self, request: Request, call_next):

  96.         start = time.time()

  97. 

  98.         method = request.method

  99.         path = request.url.path

  100. 

  101.         # 1) via header del proxy (preferito)

  102.         user = request.headers.get("x-authenticated-user")

  103. 

  104.         # 2) fallback: decodifica bearer senza usare verify_token (evita spam del logger security)

  105.         if not user:

  106.             user = await _user_from_bearer(request) or "-"

  107. 

  108.         body_str = await _read_request_body_if_any(request)

  109. 

  110.         status_code = 500

  111.         try:

  112.             response = await call_next(request)

  113.             status_code = response.status_code

  114.             return response

  115.         finally:

  116.             duration_ms = int((time.time() - start) * 1000)

  117.             ts = _ts_minute_utc()

  118. 

  119.             if body_str:

  120.                 audit_logger.info(

  121.                     "%s user=%s %s %s status=%s ms=%s body=%s",

  122.                     ts, user, method, path, status_code, duration_ms, body_str

  123.                 )

  124.             else:

  125.                 audit_logger.info(

  126.                     "%s user=%s %s %s status=%s ms=%s",

  127.                     ts, user, method, path, status_code, duration_ms

  128.                 )