feat(10-01): add audit event logging to config backup operations

- config_snapshot_created event after successful snapshot INSERT - config_snapshot_skipped_duplicate event on dedup match - config_diff_generated event after diff INSERT - config_backup_manual_trigger event on manual trigger success - All log_action calls wrapped in try/except for safety Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:44:00 -05:00
parent 50211d1853
commit 1a1ceb2cb1
4 changed files with 68 additions and 2 deletions
--- a/backend/app/services/config_snapshot_subscriber.py
+++ b/backend/app/services/config_snapshot_subscriber.py
@@ -11,6 +11,7 @@ import asyncio
 import json
 import logging
 import time
+import uuid as _uuid
 from datetime import datetime, timezone
 from typing import Any, Optional

@@ -20,6 +21,7 @@ from sqlalchemy.exc import IntegrityError, OperationalError

 from app.config import settings
 from app.database import AdminAsyncSessionLocal
+from app.services.audit_service import log_action
 from app.services.config_diff_service import generate_and_store_diff
 from app.services.openbao_service import OpenBaoTransitService

@@ -111,6 +113,18 @@ async def handle_config_snapshot(msg) -> None:
                device_id,
            )
            config_snapshot_dedup_skipped_total.inc()
+            try:
+                await log_action(
+                    db=None,
+                    tenant_id=_uuid.UUID(tenant_id),
+                    user_id=None,
+                    action="config_snapshot_skipped_duplicate",
+                    resource_type="config_snapshot",
+                    device_id=_uuid.UUID(device_id),
+                    details={"sha256_hash": sha256_hash},
+                )
+            except Exception:
+                pass
            await msg.ack()
            return

@@ -173,6 +187,20 @@ async def handle_config_snapshot(msg) -> None:
            await msg.nak()
            return

+        try:
+            await log_action(
+                db=None,
+                tenant_id=_uuid.UUID(tenant_id),
+                user_id=None,
+                action="config_snapshot_created",
+                resource_type="config_snapshot",
+                resource_id=str(new_snapshot_id),
+                device_id=_uuid.UUID(device_id),
+                details={"sha256_hash": sha256_hash},
+            )
+        except Exception:
+            pass
+
        # --- Diff generation (best-effort) ---
        try:
            await generate_and_store_diff(device_id, tenant_id, str(new_snapshot_id), session)