refactor: standardize audit logging for ISO27001 compliance
@@ -7,6 +7,7 @@ from gatehouse_app.extensions import db
|
||||
from gatehouse_app.models import Device
|
||||
from gatehouse_app.models.user import User
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.exceptions import (
|
||||
DeviceNotFoundError,
|
||||
DeviceAlreadyExistsError,
|
||||
@@ -74,7 +75,7 @@ def register_device(
|
||||
device.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="device.registered",
|
||||
action=AuditAction.DEVICE_REGISTERED,
|
||||
user_id=user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="device",
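Review bot: The call now passes `AuditAction.DEVICE_REGISTERED` where the literal `"device.registered"` was passed, but nothing in the hunk shows that the enum member's value equals the old string, so whether `AuditService.log_action` persists the same `action` value as before depends on the enum's definition and on how log_action serializes it. If the stored value changes, audit rows written before and after this commit will not share a key, which breaks the queries and retention reporting the ISO 27001 goal depends on. Please confirm that `AuditAction` is a str-valued enum carrying the legacy strings (or that log_action writes `.value`) and record that at the first call site, e.g. `# AuditAction values mirror the legacy "device.*" strings so existing audit rows stay queryable`. The same point applies to every other literal-to-enum hunk in this commit (update_device, remove_device, the network access request, network service and auth callback hunks, and _expire_session). register_device starts and ends outside the hunk.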
|
||||
@@ -142,7 +143,7 @@ def update_device(
|
||||
device.update(**kwargs)
|
||||
|
||||
AuditService.log_action(
|
||||
action="device.updated",
|
||||
action=AuditAction.DEVICE_UPDATED,
|
||||
user_id=user_id,
|
||||
organization_id=device.organization_id,
|
||||
resource_type="device",
|
||||
@@ -175,7 +176,7 @@ def remove_device(device_id: str, user_id: str) -> None:
|
||||
device.delete(soft=True)
|
||||
|
||||
AuditService.log_action(
|
||||
action="device.removed",
|
||||
action=AuditAction.DEVICE_REMOVED,
|
||||
user_id=user_id,
|
||||
organization_id=device.organization_id,
|
||||
resource_type="device",
|
||||
|
||||
@@ -871,7 +871,7 @@ class MfaPolicyService:
|
||||
org_ids = [org.organization_id for org in suspended_orgs]
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.USER_LOGIN,
|
||||
action=AuditAction.LOGIN_BLOCKED_COMPLIANCE,
|
||||
user_id=user.id,
|
||||
organization_id=org_ids[0] if org_ids else None,
|
||||
description=f"Login attempt while compliance suspended. Suspended orgs: {org_ids}",
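Review bot: Re-keying this event from `AuditAction.USER_LOGIN` to `AuditAction.LOGIN_BLOCKED_COMPLIANCE` changes the action value that existing reports, alerts and retention rules may filter on, and the bypass-attempt hunk below does the same with `MFA_COMPLIANCE_BYPASS_ATTEMPT`. Any saved query or detection rule that counted these events under USER_LOGIN will silently stop seeing them, so the new action names need to reach whoever owns those rules, ideally via the commit message. Separately, the surviving line `organization_id=org_ids[0] if org_ids else None` attributes the event to only the first suspended organization while the description lists all of them; a comment such as `# only the first suspended org is attributed; the full list is in description` would make that deliberate, or the list could go into `metadata` for structured querying. The enclosing method starts and ends outside the hunk.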
|
||||
@@ -898,7 +898,7 @@ class MfaPolicyService:
|
||||
user_agent: Client user agent
|
||||
"""
|
||||
AuditService.log_action(
|
||||
action=AuditAction.USER_LOGIN, # Reusing USER_LOGIN for audit
|
||||
action=AuditAction.MFA_COMPLIANCE_BYPASS_ATTEMPT,
|
||||
user_id=user.id,
|
||||
resource_type="endpoint",
|
||||
resource_id=endpoint,
|
||||
|
||||
@@ -23,6 +23,7 @@ from gatehouse_app.utils.constants import (
|
||||
ApprovalState,
|
||||
ActivationEndReason,
|
||||
KillSwitchScope,
|
||||
AuditAction,
|
||||
)
|
||||
from gatehouse_app.exceptions import (
|
||||
ApprovalNotFoundError,
|
||||
@@ -89,7 +90,7 @@ def request_access(
|
||||
_ensure_zerotier_member(device.node_id, portal_network_id, authorized=False)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.approval.reopened",
|
||||
action=AuditAction.ZT_APPROVAL_REOPENED,
|
||||
user_id=user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -122,7 +123,7 @@ def request_access(
|
||||
_ensure_zerotier_member(device.node_id, portal_network_id, authorized=False)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.approval.requested",
|
||||
action=AuditAction.ZT_APPROVAL_REQUESTED,
|
||||
user_id=user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -206,7 +207,7 @@ def assign_access(
|
||||
_ensure_zerotier_member(device.node_id, portal_network_id, authorized=False)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.approval.granted",
|
||||
action=AuditAction.ZT_APPROVAL_GRANTED,
|
||||
user_id=granted_by_user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -238,7 +239,7 @@ def approve_request(
|
||||
request.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.approval.granted",
|
||||
action=AuditAction.ZT_APPROVAL_GRANTED,
|
||||
user_id=approver_user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -266,7 +267,7 @@ def reject_request(
|
||||
request.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.approval.rejected",
|
||||
action=AuditAction.ZT_APPROVAL_REJECTED,
|
||||
user_id=rejecter_user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -307,7 +308,7 @@ def revoke_access(
|
||||
logger.warning(f"[revoke_access] Could not deauthorize {device.node_id}: {exc}")
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.approval.revoked",
|
||||
action=AuditAction.ZT_APPROVAL_REVOKED,
|
||||
user_id=revoker_user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -417,7 +418,7 @@ def activate_request(
|
||||
_authorize_in_zerotier(device.node_id, network.zerotier_network_id, request)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.membership.activated",
|
||||
action=AuditAction.ZT_MEMBERSHIP_ACTIVATED,
|
||||
user_id=user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="activation_session",
|
||||
@@ -485,7 +486,7 @@ def deactivate_request(
|
||||
request.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.membership.deactivated",
|
||||
action=AuditAction.ZT_MEMBERSHIP_DEACTIVATED,
|
||||
user_id=deactivated_by_user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -548,7 +549,7 @@ def kill_switch(
|
||||
|
||||
# Log audit
|
||||
AuditService.log_action(
|
||||
action="zt.kill_switch.activated",
|
||||
action=AuditAction.ZT_KILL_SWITCH_ACTIVATED,
|
||||
user_id=user_id,
|
||||
organization_id=org_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -637,7 +638,7 @@ def _authorize_in_zerotier(
|
||||
zt_membership.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.member.authorized",
|
||||
action=AuditAction.ZT_MEMBER_AUTHORIZED,
|
||||
user_id=request.user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="zerotier_membership",
|
||||
@@ -677,7 +678,7 @@ def _deauthorize_in_zerotier(node_id: str, zerotier_network_id: str,
|
||||
zt_membership.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.member.deauthorized",
|
||||
action=AuditAction.ZT_MEMBER_DEAUTHORIZED,
|
||||
user_id=None,
|
||||
organization_id=zt_membership.organization_id,
|
||||
resource_type="zerotier_membership",
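Review bot: The deauthorization audit entry still records `user_id=None`, so this event has no actor even though the commit's purpose is an audit trail in which privileged changes are attributable. If `_deauthorize_in_zerotier` is only ever reached from a system or scheduled path, say so next to the call, e.g. `# user_id=None: deauthorization is performed by the system, not an interactive user`; if it can be reached from revoke_access or kill_switch, the acting user id should be threaded through as a parameter so the entry names who triggered it. The function's signature continues outside the hunk and its callers are not visible here, so this is inferred from `user_id=None` alone.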
|
||||
@@ -785,7 +786,7 @@ def join_network_for_device(
|
||||
_ensure_zerotier_member(device.node_id, portal_network_id, authorized=False)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.membership.created",
|
||||
action=AuditAction.ZT_MEMBERSHIP_CREATED,
|
||||
user_id=user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="network_access_request",
|
||||
@@ -832,7 +833,7 @@ def revoke_request_soft(
|
||||
request.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.request.revoked",
|
||||
action=AuditAction.ZT_REQUEST_REVOKED,
|
||||
user_id=revoker_user_id,
|
||||
organization_id=request.organization_id,
|
||||
resource_type="network_access_request",
|
||||
|
||||
@@ -123,7 +123,7 @@ class NotificationService:
|
||||
f"({days_until_deadline} days remaining)"
|
||||
)
|
||||
AuditService.log_action(
|
||||
action=AuditAction.MFA_POLICY_USER_COMPLIANT,
|
||||
action=AuditAction.MFA_NOTIFICATION_SENT,
|
||||
user_id=user.id,
|
||||
organization_id=compliance.organization_id,
|
||||
description=f"MFA deadline reminder sent. Days remaining: {days_until_deadline}",
|
||||
@@ -196,7 +196,7 @@ class NotificationService:
|
||||
)
|
||||
logger.info(f"Sent MFA suspension notification to {user.email}")
|
||||
AuditService.log_action(
|
||||
action=AuditAction.MFA_POLICY_USER_SUSPENDED,
|
||||
action=AuditAction.MFA_SUSPENSION_NOTIFICATION_SENT,
|
||||
user_id=user.id,
|
||||
organization_id=compliance.organization_id,
|
||||
description="MFA compliance suspension notification sent",
|
||||
|
||||
@@ -246,7 +246,7 @@ def handle_login_callback(
|
||||
auth_method.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="user.register",
|
||||
action=AuditAction.USER_REGISTER,
|
||||
user_id=user.id,
|
||||
organization_id=state_record.organization_id,
|
||||
resource_type="user",
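Review bot: `handle_login_callback` logs `AuditAction.USER_REGISTER`, the same action the register callback in the next hunk uses, right after `auth_method.save()`. If this branch is first-login provisioning that creates the user, that is the right action, but a reviewer cannot tell from the hunk; a comment such as `# first login via this provider creates the account, so this is a registration event` would settle it, and if the branch can also run for an existing user it should log `AuditAction.USER_LOGIN` instead so login and registration stay distinguishable in the audit trail. The function starts and ends outside the hunk.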
|
||||
|
||||
@@ -142,7 +142,7 @@ def handle_register_callback(
|
||||
state_record.mark_used()
|
||||
|
||||
AuditService.log_action(
|
||||
action="user.register",
|
||||
action=AuditAction.USER_REGISTER,
|
||||
user_id=user.id,
|
||||
organization_id=state_record.organization_id,
|
||||
resource_type="user",
|
||||
|
||||
@@ -353,7 +353,7 @@ class OrganizationService:
|
||||
resource_type="organization_member",
|
||||
resource_id=member.id,
|
||||
metadata={"added_user_id": user_id, "role": role.value},
|
||||
description=f"Member added to organization with role: {role.value}",
|
||||
description=f"Member {user_id} added to organization with role: {role.value}",
|
||||
)
|
||||
|
||||
return member
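Review bot: The description strings in OrganizationService now interpolate `user_id` into free text that, in this hunk and the next, `metadata` already carries as the structured `added_user_id` / `removed_user_id` field (the role-change hunk shows only the role keys, so its metadata may or may not include it). That is harmless if user_id is always a validated identifier, but `description` is rendered to humans and possibly exported, so if user_id can ever be caller-supplied text the structured field is the safer place for it and the description should stay generic. A short comment at the first call, e.g. `# user_id is duplicated into description for readability; metadata remains the queryable copy`, would record the intent. The enclosing methods start outside the hunks.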
|
||||
@@ -398,7 +398,7 @@ class OrganizationService:
|
||||
resource_type="organization_member",
|
||||
resource_id=member.id,
|
||||
metadata={"removed_user_id": user_id},
|
||||
description="Member removed from organization",
|
||||
description=f"Member {user_id} removed from organization",
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
@@ -438,7 +438,7 @@ class OrganizationService:
|
||||
"old_role": old_role.value,
|
||||
"new_role": new_role.value,
|
||||
},
|
||||
description=f"Member role changed from {old_role.value} to {new_role.value}",
|
||||
description=f"Member {user_id} role changed from {old_role.value} to {new_role.value}",
|
||||
)
|
||||
|
||||
return member
|
||||
|
||||
@@ -9,7 +9,7 @@ from gatehouse_app.models.organization import Organization
|
||||
from gatehouse_app.models.user import User
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
from gatehouse_app.services import zerotier_api_service as zt
|
||||
from gatehouse_app.utils.constants import NetworkRequestMode, NetworkEnvironment
|
||||
from gatehouse_app.utils.constants import NetworkRequestMode, NetworkEnvironment, AuditAction
|
||||
from gatehouse_app.exceptions import (
|
||||
NetworkNotFoundError,
|
||||
InvalidNetworkIdError,
|
||||
@@ -110,7 +110,7 @@ def create_network(
|
||||
deleted.save()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.network.restored",
|
||||
action=AuditAction.ZT_NETWORK_RESTORED,
|
||||
user_id=owner_user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="portal_network",
|
||||
@@ -157,7 +157,7 @@ def create_network(
|
||||
)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.network.created",
|
||||
action=AuditAction.ZT_NETWORK_CREATED,
|
||||
user_id=owner_user_id,
|
||||
organization_id=organization_id,
|
||||
resource_type="portal_network",
|
||||
@@ -246,7 +246,7 @@ def update_network(
|
||||
network.update(**kwargs)
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.network.updated",
|
||||
action=AuditAction.ZT_NETWORK_UPDATED,
|
||||
user_id=user_id,
|
||||
organization_id=network.organization_id,
|
||||
resource_type="portal_network",
|
||||
@@ -292,7 +292,7 @@ def delete_network(network_id: str, user_id: str) -> None:
|
||||
db.session.commit()
|
||||
|
||||
AuditService.log_action(
|
||||
action="zt.network.deleted",
|
||||
action=AuditAction.ZT_NETWORK_DELETED,
|
||||
user_id=user_id,
|
||||
organization_id=network.organization_id,
|
||||
resource_type="portal_network",
|
||||
|
||||
@@ -16,6 +16,7 @@ from gatehouse_app.services import zerotier_api_service as zt
|
||||
from gatehouse_app.utils.constants import (
|
||||
ActivationEndReason,
|
||||
ApprovalState,
|
||||
AuditAction,
|
||||
)
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
@@ -452,7 +453,7 @@ def _expire_session(session: ActivationSession) -> None:
|
||||
|
||||
from gatehouse_app.services.audit_service import AuditService
|
||||
AuditService.log_action(
|
||||
action="zt.activation.expired",
|
||||
action=AuditAction.ZT_ACTIVATION_EXPIRED,
|
||||
user_id=session.user_id,
|
||||
organization_id=session.organization_id,
|
||||
resource_type="activation_session",
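Review bot: The function-scope `from gatehouse_app.services.audit_service import AuditService` on the line before the call survives the refactor, while `AuditAction` is now imported at module level in the hunk above. If the local import exists to break an import cycle with audit_service, a one-line comment would keep the next cleanup from hoisting it, e.g. `# imported here to avoid a circular import with audit_service`; otherwise it should move next to the module imports so both audit names are resolved the same way. `_expire_session` continues outside the hunk.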
|
||||
|
||||