https://github.com/gmhafiz/audit
Audit database INSERT, UPDATE and DELETE by recording who is making that change along with previous and after records.
https://github.com/gmhafiz/audit
audit golang security
Last synced: 2 months ago
JSON representation
Audit database INSERT, UPDATE and DELETE by recording who is making that change along with previous and after records.
- Host: GitHub
- URL: https://github.com/gmhafiz/audit
- Owner: gmhafiz
- License: mit
- Created: 2021-09-13T03:12:06.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2021-09-22T05:31:11.000Z (almost 5 years ago)
- Last Synced: 2025-01-03T22:16:12.783Z (over 1 year ago)
- Topics: audit, golang, security
- Language: Go
- Homepage:
- Size: 42 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Audit: audit.go
Awesome Lists containing this project
README
# Introduction
Audit database queries and execs by making use of interceptors from [ngrok/sqlmw](github.com/ngrok/sqlmw).
Any record modifications including `insert`, `update` and `delete` create a new record in the `audits` table. Audit values like
- who is making the change
- old value
- new value
- modification time
among others are recorded.
Full list:
```go
type Event struct {
Organisation uint64 `db:"organisation"` // or tenant
ActorID uint64 `db:"actor_id"`
TableRowID uint64 `db:"table_row_id"`
Table string `db:"table_name"`
Action Action `db:"action"`
OldValues string `db:"old_values"`
NewValues string `db:"new_values"`
HTTPMethod string `db:"http_method"`
URL string `db:"url"`
IPAddress string `db:"ip_address"`
UserAgent string `db:"user_agent"`
CreatedAt time.Time `db:"created_at"`
}
```
Both `old_values` and `new_values` are stored in JSON format. For example:
| id | organisation\_id | actor\_id | table\_row\_id | table\_name | action | old\_values | new\_values | http\_method | url | ip\_address | user\_agent | created\_at |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| 42 | 1 | 2 | 15 | users | update | {"name":"test name","id":"42"} | {"name":"changed name","id":"42"} | PUT | /api/v1/user/42 | localhost:8080 | PostmanRuntime/7.28.4 | 2021-09-15 02:10:02 |
# Install
go get github.com/gmhafiz/audit
go get github.com/go-sql-driver/mysql
# Usage
1. Open database connection pool and register the database middleware and auditor
Create a new audit instance
```go
auditor, err := audit.NewAudit()
```
Optionally, you can customize the audit table name
```go
auditor, err := audit.NewAudit(audit.WithTableName("other_audit_table_name")) // only alphanumeric name is accepted
```
You can also add a list of tables to be exempted:
```go
auditor, err := audit.NewAudit(
audit.WithTableName("other_audit_table_name"),
audit.WithTableException("schema_migrations", "other_tables"),
)
```
Add the code to where you open database connection:
```go
package database
import (
"database/sql"
"log"
"github.com/gmhafiz/audit"
"github.com/go-sql-driver/mysql"
"github.com/ngrok/sqlmw"
)
func NewDB(dataSourceName string) (*sql.DB, auditor *audit.Auditor) {
// initialise auditor
auditor, err := audit.NewAudit()
if err != nil {
log.Fatal(err)
}
// register sql interceptor and our custom driver
databaseDriverName, err := audit.RegisterDriverInterceptor(auditor, "mysql")
if err != nil {
log.Fatal(err)
}
// open database connection using that driver
db, err := sql.Open(databaseDriverName, dataSourceName)
if err != nil {
log.Fatal(err)
}
```
Adding your application database instance is compulsory and is done after connection pool is opened. This is used to query and save both old values and new values of the affected record.
```go
err = auditor.SetDB(
audit.Sql(db),
)
if err != nil {
log.Fatal(err)
}
return db, auditor
}
```
By setting the database, the library will create an `audits` table automatically for you. Index creation is left to the user. Often, you would want a composite index of (`table_row_id`, `table_name`) - and possibly a separate `actor_id` index.
For Mysql:
```sql
create index audits_table_row_id_table_name_index
on audits (table_row_id, table_name);
create index audits_actor_id_index
on audits (actor_id);
```
2. A middleware is needed to capture current user ID and optionally organisation/tenant ID from the current request context. In order to use it, both user ID and organisation ID must be saved into `context` in `UserID` and `OrganisationID` respectively. These two values are retrieved from JWT or session cookies.
```go
import (
"github.com/gmhafiz/audit/middleware"
)
func Auth(store *redisstore.RedisStore) Adapter {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
var organisationID = get session.Values["organisationID"]
var userID = session.Values["userID"]
ctx := context.WithValue(r.Context(), middleware.OrganisationID, organisationID)
ctx = context.WithValue(ctx, middleware.UserID, userID)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
```
3. Use the provided middleware that captures current user ID and optionally organisation ID by registering it to your router.
Your own `Auth` middleware has to be registered before `middleware.Audit`.
```go
import (
"github.com/gmhafiz/audit/middleware"
"github.com/go-chi/chi/v5"
)
func router() *chi.Mux {
r := chi.NewRouter()
r.Use(middleware.Auth)
r.Use(middleware.Audit)
return r
}
```
# Test
1. Create an appropriate testing database for each postgres and mysql
2. Set both `MYSQL_DSN` and `POSTGRES_DSN` in your environment variable.
POSTGRES_DSN=host=0.0.0.0 port=5432d user=users password=password dbname=audit_test sslmode=disable
MYSQL_DSN=root:password@tcp(0.0.0.0:3306)/audit_test?parseTime=true&interpolateParams=true
3. Run
go test ./...
# Limitations
1. [Table ID](#table-id)
2. [Hooks](#hooks)
3. [Login](#login)
4. [`IN` operator](#IN-operator)
## Table ID
This library assumes your table ids are in `uint64` format and named `id`,
## Hooks
## Login
Scenario: Say for every login, you save the time that user last logged in - and you want this to be audited.
Remember that an `Auth` middleware is needed to capture user id (from JWT or session token). This audit library won't be able to capture the IDs because you do not place an `Auth` middleware to logging in a user.
To work around this, save the IDs manually before making a call to set user's last login time.
```go
func (u *userService) Login(ctx context.Context, loginReq *LoginRequest) (*models.User, error) {
user, err := u.repository.Get(ctx, loginReq)
if err != nil {
return nil, err
}
isValidPassword, err := checkValidPassword(loginReq.Password, user.Password)
if err != nil {
return nil, err
}
// once you've checked that the login is valid, you may save the IDs
ctx = context.WithValue(ctx, "userID", user.ID)
// Finally, you may set the time this user last login. The hooks will be applied since you are making an `update` database operation.
err = u.repository.SetLastLogin(ctx, user)
return user, nil
}
```
## IN Operator
Currently, this audit package doesn't parse `IN` operator correctly.
# Credit
- https://github.com/qustavo/sqlhooks/ for the SQL hooks.
- https://github.com/owen-it/laravel-auditing for the motivation (no similar library has existed for Go) and schema inspiration.