Audit Service
Overview
The objective of audit service is listed as below -
To provide a one-stop framework for signing data i.e. creating an immutable data entry to track activities of an entity. Whenever an entity is created/updated/deleted the operation is captured in the data logs and is digitally signed to protect it from tampering.
Pre-requisites
Prior Knowledge of Java/J2EE.
Prior Knowledge of SpringBoot.
Prior Knowledge of PostgresSQL.
Prior Knowledge of REST APIs and related concepts like path parameters, headers, JSON etc.
Setup And Key Functionalities
Audit service will be parsing all the persister configs so that it can process data received by the persister and create audit logs out of it.
Setup:
Step 1: Add the following metrics to the existing persister configs -
isAuditEnabled: true module: PGR objecIdJsonPath: $.id tenantIdJsonPath: $.tenantId transactionCodeJsonPath: $.transactionCode auditAttributeBasePath: $.service
*** Please note that auditAttributeBasePath has to be the same as the parent objects path. For example, in case of bulk objects, auditAttributeBasePath will be $.Licenses.*
and in case of single object payload, it will be $.service
.
*** Also, the other jsonPaths like objectIdJsonPath, tenantIdJsonPath, transactionCodeJsonPath are all written with respect to a single object i.e. it does not matter in case of these attributes whether the incoming payload contains objects in bulk or singular objects.
Step 2: If a custom implementation of
ConfigurableSignAndVerify
interface is present, provide the signing algorithm implementation name as a part ofaudit.log.signing.algorithm
property. For example, if the signing algorithm is HMAC, the property will be set as follows -audit.log.signing.algorithm=HMAC
Step 3: Set
egov.persist.yml.repo.path
this property to the location of persister configs.Step 4: Run the audit-service application along with persister service.
Definitions:
Config file - A YAML (xyz.yml) file which contains persister configuration for running audit service.
API - A REST endpoint to post audit logs data.
Functionality:
When audit-service create API is hit, it will validate request size, keyValueMap and operationType.
Upon successful validation, it will choose the configured signer and sign entity data.
Once audit logs are signed and ready, it will send it to
audit-create
topic.Persister will listen on this topic and persist the audit logs.
Deployment Details
Add the required keys for enabling audit service in persister configs.
Deploy the latest version of Audit service and Persister service.
Add Role-Action mapping for API’s.
Integration
Integration Scope
The audit service is used to push signed data for tracking each and every create/modify/delete operation done on database entities.
Integration Benefits
Can be used to have tamper proof audit logs for all database transactions.
Replaying events in chronological order will lead to current state of entity in the database.
Steps to Integration
To integrate, host of audit-service module should be overwritten in helm chart.
Deploy the latest version of egov-persister service as if you deploy audit service without the latest version of persister, it might go into an infinite loop while trying to create audit logs.
audit-service/log/v1/_create
should be added as the create endpoint for the config added.audit-service/log/v1/_search
should be added as the search endpoint for the config added.
API Details
1. URI: The format of the API to be used to create audit logs using audit-service is as follows: audit-service/log/v1/_create
Body: Body consists of 2 parts: RequestInfo and AuditLogs.
Sample Request Body -
{
"RequestInfo": {
"apiId": "asset-services",
"ver": null,
"ts": null,
"action": null,
"did": null,
"key": null,
"msgId": "search with from and to values",
"authToken": "83a1cfb3-6fde-4406-9ee1-622b3ecc7dab"
},
"AuditLogs": [
{
"userUUID": "11b0e02b-0145-4de2-bc42-c97b96264807",
"module": "PGR",
"tenantId": "pb.amritsar",
"transactionCode": "PGR.CREATE",
"changeDate": 1657104693726,
"entityName": "eg_pgr_service",
"objectId": "c8c901da-61e9-4cd5-89f7-7560997922b7",
"keyValueMap": {
"id": "89651651-841a-4b8c-a503-f5d4bb10f4d5",
"tenantId": "pb.amritsar",
"assemblyConstituency": "AMC",
"applicationNumber": "c8c901da-61e9-4cd5-89f7-7560997922b7",
"applicantId": null,
"dateSinceResidence": 1590825279,
"createdBy": "11b0e02b-0145-4de2-bc42-c97b96264807",
"lastModifiedBy": "11b0e02b-0145-4de2-bc42-c97b96264807",
"createdTime": 1657104693312,
"lastModifiedTime": 1657104693312
},
"operationType": "CREATE"
},
{
"userUUID": "11b0e02b-0145-4de2-bc42-c97b96264807",
"module": "PGR",
"tenantId": "pb.amritsar",
"transactionCode": "PGR.CREATE",
"changeDate": 1657104693732,
"entityName": "eg_pgr_address",
"objectId": "c8c901da-61e9-4cd5-89f7-7560997922b7",
"keyValueMap": {
"id": "84cbe5d1-6ee8-4379-a0c4-0e2a5c94689d",
"tenantId": "pb.amritsar",
"doorNo": "1010",
"latitude": null,
"longitude": null,
"buildingName": "Avigna Residence",
"addressId": null,
"addressNumber": "34 GA",
"type": "RESIDENTIAL",
"addressLine1": "KP Layout",
"addressLine2": "",
"landmark": "Petrol pump",
"street": "12th Main",
"city": "Amritsar",
"locality": "New Amritsar Locality",
"pincode": "143501",
"detail": "",
"registrationId": "89651651-841a-4b8c-a503-f5d4bb10f4d5"
},
"operationType": "CREATE"
}
]
}
2. URI: The format of the API to be used to search audit logs using audit-service is as follows: audit-service/log/v1/_search
Body: Body consists RequestInfo and search criteria is passed as query params.
Sample curl for search -