Add trust and revoke events to audit trail.

tmpfs · tmpfs · commit d07fb7e6e07f · 2025-01-18T10:25:51.000+08:00
Closes #246.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/audit/src/encoding.rs b/crates/audit/src/encoding.rs
@@ -113,6 +113,9 @@ impl Encodable for AuditData {
                 writer.write_bytes(to_vault_id.as_bytes()).await?;
                 writer.write_bytes(to_secret_id.as_bytes()).await?;
             }
+            AuditData::Device(public_key) => {
+                writer.write_bytes(public_key.as_ref()).await?;
+            }
         }
         Ok(())
     }
diff --git a/crates/audit/src/event.rs b/crates/audit/src/event.rs
@@ -1,6 +1,7 @@
 //! Audit trail event.
 use bitflags::bitflags;
 use serde::{Deserialize, Serialize};
+use sos_core::device::DevicePublicKey;
 use sos_core::events::{
     AccountEvent, Event, EventKind, ReadEvent, WriteEvent,
 };
@@ -17,6 +18,8 @@ bitflags! {
         const DATA_SECRET = 0b00000100;
         /// Indicates the data has a move event.
         const MOVE_SECRET = 0b00001000;
+        /// Indicates the data is for a device event.
+        const DEVICE = 0b00010000;
     }
 }
 
@@ -101,6 +104,9 @@ impl AuditEvent {
                 AuditData::MoveSecret { .. } => {
                     flags.set(AuditLogFlags::MOVE_SECRET, true);
                 }
+                AuditData::Device { .. } => {
+                    flags.set(AuditLogFlags::DEVICE, true);
+                }
             }
             flags
         } else {
@@ -213,6 +219,8 @@ pub enum AuditData {
         /// New secret identifier.
         to_secret_id: SecretId,
     },
+    /// Device trust or revoke events.
+    Device(DevicePublicKey),
 }
 
 impl Default for AuditData {
diff --git a/crates/database/src/db/system_message.rs b/crates/database/src/db/system_message.rs
@@ -54,50 +54,6 @@ where
         Self { conn }
     }
 
-    /*
-    fn find_server_statement(
-        &self,
-    ) -> std::result::Result<CachedStatement, SqlError> {
-        Ok(self.conn.prepare_cached(
-            r#"
-                SELECT
-                    system_message_id,
-                    created_at,
-                    modified_at,
-                    key,
-                    json_data
-                FROM system_messages
-                WHERE account_id=?1
-            "#,
-        )?)
-    }
-
-    /// Find a system message in the database.
-    pub fn find_one(
-        &self,
-        account_id: i64,
-    ) -> std::result::Result<SystemMessageRow, SqlError> {
-        let mut stmt = self.find_server_statement()?;
-        Ok(stmt.query_row((account_id), |row| {
-            Ok(row.try_into()?)
-        })?)
-    }
-
-    /// Find an optional server in the database.
-    pub fn find_optional(
-        &self,
-        account_id: i64,
-        url: &Url,
-    ) -> std::result::Result<Option<SystemMessageRow>, SqlError> {
-        let mut stmt = self.find_server_statement()?;
-        Ok(stmt
-            .query_row((account_id, url.to_string()), |row| {
-                Ok(row.try_into()?)
-            })
-            .optional()?)
-    }
-    */
-
     /// Load system messages for an account.
     pub fn load_system_messages(
         &self,
diff --git a/crates/net/Cargo.toml b/crates/net/Cargo.toml
@@ -27,9 +27,9 @@ full = [
   "clipboard",
 ]
 
+audit = ["sos-audit", "sos-account/audit"]
 listen = ["sos-protocol/listen"]
 hashcheck = ["sos-protocol/hashcheck"]
-audit = ["sos-account/audit"]
 archive = ["sos-account/archive"]
 files = ["sos-sdk/files", "sos-protocol/files"]
 clipboard = ["sos-account/clipboard"]
@@ -56,6 +56,7 @@ sos-signer.workspace = true
 sos-sync.workspace = true
 sos-vault.workspace = true
 
+sos-audit = { workspace = true, optional = true }
 sos-search = { workspace = true, optional = true }
 sos-migrate = { workspace = true, optional = true }
 
diff --git a/crates/net/src/account/network_account.rs b/crates/net/src/account/network_account.rs
@@ -68,6 +68,13 @@ use sos_migrate::import::ImportTarget;
 #[cfg(feature = "listen")]
 use sos_protocol::network_client::WebSocketHandle;
 
+#[cfg(feature = "audit")]
+use {
+    sos_audit::{AuditData, AuditEvent},
+    sos_backend::audit::append_audit_events,
+    sos_core::events::EventKind,
+};
+
 /*
 #[cfg(feature = "security-report")]
 use crate::sdk::account::security_report::{
@@ -248,6 +255,17 @@ impl NetworkAccount {
             storage.revoke_device(device_key).await?;
         }
 
+        #[cfg(feature = "audit")]
+        {
+            let audit_event = AuditEvent::new(
+                Default::default(),
+                EventKind::RevokeDevice,
+                *self.account_id(),
+                Some(AuditData::Device(*device_key)),
+            );
+            append_audit_events(&[audit_event]).await?;
+        }
+
         // Send the device event logs to the remote servers
         if let Some(e) = self.sync().await.first_error() {
             tracing::error!(error = ?e);
diff --git a/crates/sos/src/commands/tools/audit.rs b/crates/sos/src/commands/tools/audit.rs
@@ -123,6 +123,15 @@ fn print_event(event: AuditEvent, json: bool) -> Result<()> {
                     to_secret_id,
                 ));
             }
+            AuditData::Device(public_key) => {
+                info(format!(
+                    "{} {} by {}, device = {}",
+                    event.time().to_rfc3339()?,
+                    event.event_kind(),
+                    event.account_id(),
+                    public_key,
+                ));
+            }
         }
     } else {
         info(format!(
diff --git a/crates/storage/client/src/client.rs b/crates/storage/client/src/client.rs
@@ -37,7 +37,11 @@ use tokio::sync::RwLock;
 use sos_backup_archive::RestoreTargets;
 
 #[cfg(feature = "audit")]
-use {sos_audit::AuditEvent, sos_backend::audit::append_audit_events};
+use {
+    sos_audit::{AuditData, AuditEvent},
+    sos_backend::audit::append_audit_events,
+    sos_core::events::EventKind,
+};
 
 use sos_core::{
     device::{DevicePublicKey, TrustedDevice},
@@ -1738,6 +1742,7 @@ impl ClientStorage {
         &mut self,
         events: Vec<DeviceEvent>,
     ) -> Result<()> {
+        // Update the event log
         let mut event_log = self.device_log.write().await;
         event_log.apply(events.iter().collect()).await?;
 
@@ -1746,6 +1751,25 @@ impl ClientStorage {
         let devices = reducer.reduce().await?;
         self.devices = devices;
 
+        #[cfg(feature = "audit")]
+        {
+            let audit_events = events
+                .iter()
+                .filter_map(|event| match event {
+                    DeviceEvent::Trust(device) => Some(AuditEvent::new(
+                        Default::default(),
+                        EventKind::TrustDevice,
+                        *self.account_id(),
+                        Some(AuditData::Device(*device.public_key())),
+                    )),
+                    _ => None,
+                })
+                .collect::<Vec<_>>();
+            if !audit_events.is_empty() {
+                append_audit_events(audit_events.as_slice()).await?;
+            }
+        }
+
         Ok(())
     }
 

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,9 @@ impl Encodable for AuditData {`
`113`	`113`	`writer.write_bytes(to_vault_id.as_bytes()).await?;`
`114`	`114`	`writer.write_bytes(to_secret_id.as_bytes()).await?;`
`115`	`115`	`}`
	`116`	`+ AuditData::Device(public_key) => {`
	`117`	`+ writer.write_bytes(public_key.as_ref()).await?;`
	`118`	`+ }`
`116`	`119`	`}`
`117`	`120`	`Ok(())`
`118`	`121`	`}`