feat: support auditing #970

Merged: iziang merged 19 commits into main from feature/audit on Jun 22, 2025
Conversation

@iziang (Contributor)

@iziang iziang commented Jun 20, 2025

No description provided.

@apecloud-bot apecloud-bot added the size/XXL Denotes a PR that changes 1000+ lines. label Jun 20, 2025
@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: AuditService Session Management & Authorization Flaws

The AuditService incorrectly uses get_async_session() as an async iterator (async for session in get_async_session():), which can lead to database connection leaks and improper session management. Additionally, the /audit-logs/{audit_id} endpoint lacks proper authorization, allowing any authenticated user to access detailed audit logs instead of restricting access to administrators.

aperag/views/audit.py#L96-L101

```python
@router.get("/audit-logs/{audit_id}")
async def get_audit_log(audit_id: str, user: User = Depends(current_user)):
    """Get a specific audit log by ID"""
    async for session in get_async_session():
```

aperag/service/audit_service.py#L162-L166

```python
    # Save to database asynchronously
    async for session in get_async_session():
        session.add(audit_log)
        await session.commit()
```


Bug: Audit Log Access and Filtering Issues

The audit log endpoints (/audit-logs and /audit-logs/{audit_id}) lack administrator authorization, allowing any authenticated user to access sensitive audit data. Additionally, the /audit-logs endpoint accepts username and resource_id query parameters, but these are not passed to the audit service, rendering filtering by these fields non-functional.

aperag/views/audit.py#L29-L66

```python
@router.get("/audit-logs")
async def list_audit_logs(
    user_id: Optional[str] = Query(None, description="Filter by user ID"),
    username: Optional[str] = Query(None, description="Filter by username"),
    resource_type: Optional[str] = Query(None, description="Filter by resource type"),
    resource_id: Optional[str] = Query(None, description="Filter by resource ID"),
    api_name: Optional[str] = Query(None, description="Filter by API name"),
    http_method: Optional[str] = Query(None, description="Filter by HTTP method"),
    status_code: Optional[int] = Query(None, description="Filter by status code"),
    start_date: Optional[datetime] = Query(None, description="Filter by start date"),
    end_date: Optional[datetime] = Query(None, description="Filter by end date"),
    limit: int = Query(1000, le=5000, description="Maximum number of records"),
    user: User = Depends(current_user),
):
    """List audit logs with filtering"""
    # Convert string enums to actual enum values
    audit_resource = None
    if resource_type:
        try:
            audit_resource = AuditResource(resource_type)
        except ValueError:
            raise HTTPException(status_code=400, detail=f"Invalid resource_type: {resource_type}")
    # Get audit logs
    audit_logs = await audit_service.list_audit_logs(
        user_id=user_id,
        resource_type=audit_resource,
        api_name=api_name,
        http_method=http_method,
        status_code=status_code,
        start_date=start_date,
        end_date=end_date,
        limit=limit,
    )
```


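The following is an added example, not code from this PR or from the ApeRAG code base, sketching the three remediations the bot's reports ask for in one framework-free file: audit endpoints gated on an administrator role rather than on mere authentication, every query parameter (including `username` and `resource_id`) actually reaching the query, and the session obtained with `async with` from an `asynccontextmanager` so that it is released deterministically even when the handler raises. FastAPI's `Depends`/`HTTPException` and SQLAlchemy's `AsyncSession` are replaced by plain stand-ins (`require_admin`, `HTTPError`, `FakeSession`), the `User.role` attribute is an assumption about how an admin flag might be exposed, and the audit rows are constructed sample data.

```python
"""Added illustration (not ApeRAG code): admin-only audit endpoints, complete
filter pass-through, and `async with` session handling. Framework-free."""
import asyncio
from contextlib import asynccontextmanager
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


class HTTPError(Exception):
    """Stand-in for FastAPI's HTTPException."""
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code


@dataclass
class User:
    id: str
    username: str
    role: str  # assumption: "admin" or "user"; the real model may differ


@dataclass
class AuditLog:
    id: str
    user_id: str
    username: str
    resource_type: str
    resource_id: str
    api_name: str
    http_method: str
    status_code: int
    created: datetime


# Constructed sample rows; ids, names and API names are made up.
AUDIT_LOGS = [
    AuditLog("a1", "u1", "alice", "collection", "c1", "list_collections", "GET", 200, datetime(2025, 6, 20, 9)),
    AuditLog("a2", "u2", "bob", "collection", "c2", "delete_collection", "DELETE", 200, datetime(2025, 6, 20, 10)),
    AuditLog("a3", "u1", "alice", "document", "d1", "upload_document", "POST", 500, datetime(2025, 6, 21, 11)),
]

_open_sessions = 0  # sessions currently checked out; must return to 0


class FakeSession:
    """Minimal stand-in for an AsyncSession over the in-memory table."""
    async def select(self, filters: dict, start: Optional[datetime], end: Optional[datetime], limit: int):
        rows = [r for r in AUDIT_LOGS if all(getattr(r, k) == v for k, v in filters.items())]
        if start is not None:
            rows = [r for r in rows if r.created >= start]
        if end is not None:
            rows = [r for r in rows if r.created <= end]
        return rows[:limit]


@asynccontextmanager
async def get_async_session():
    """Entered with `async with`; the finally block runs on error paths too."""
    global _open_sessions
    _open_sessions += 1
    try:
        yield FakeSession()
    finally:
        _open_sessions -= 1


def require_admin(user: User) -> User:
    """Authorization gate for audit data: being authenticated is not enough."""
    if user.role != "admin":
        raise HTTPError(403, "administrator role required")
    return user


async def list_audit_logs(user: User, *, user_id=None, username=None, resource_type=None,
                          resource_id=None, api_name=None, http_method=None, status_code=None,
                          start_date=None, end_date=None, limit=1000):
    require_admin(user)
    if not 1 <= limit <= 5000:
        raise HTTPError(400, "limit must be between 1 and 5000")
    # Every accepted query parameter is forwarded, username and resource_id included.
    wanted = dict(user_id=user_id, username=username, resource_type=resource_type,
                  resource_id=resource_id, api_name=api_name, http_method=http_method,
                  status_code=status_code)
    filters = {k: v for k, v in wanted.items() if v is not None}
    async with get_async_session() as session:
        return await session.select(filters, start_date, end_date, limit)


async def get_audit_log(user: User, audit_id: str) -> AuditLog:
    require_admin(user)
    async with get_async_session() as session:
        rows = await session.select({"id": audit_id}, None, None, 1)
        if not rows:
            raise HTTPError(404, f"audit log {audit_id} not found")  # session still released
        return rows[0]


def run(coro):
    """Drive a handler coroutine to completion (helper for callers and tests)."""
    return asyncio.run(coro)


def status_of(coro) -> int:
    """Run a handler and report the HTTP status it would produce."""
    try:
        run(coro)
        return 200
    except HTTPError as e:
        return e.status_code


def open_sessions() -> int:
    return _open_sessions


ADMIN = User("u0", "root", "admin")    # constructed
VIEWER = User("u2", "bob", "user")     # constructed
```

The detection-relevant point is the `open_sessions()` counter: after a handler that raises (the 404 path above) it is back at 0, which is exactly what an `async for` loop over a generator dependency does not guarantee when the loop body raises, since the generator's cleanup is then deferred to the event loop's finalizer rather than run at the exception site.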

@iziang iziang merged commit ce378f1 into main Jun 22, 2025
6 of 7 checks passed
@iziang iziang deleted the feature/audit branch June 22, 2025 13:27