feat: Create audit records for invite and role operations (#1207)

Author: AmanGIT07

cmd/serve.go

@@ -373,14 +373,11 @@ func buildAPIDependencies(
 	relationPGRepository := postgres.NewRelationRepository(dbc)
 	relationService := relation.NewService(relationPGRepository, authzRelationRepository)
 
-	roleRepository := postgres.NewRoleRepository(dbc)
-	roleService := role.NewService(roleRepository, relationService, permissionService)
+	auditRecordRepository := postgres.NewAuditRecordRepository(dbc)
 
+	roleRepository := postgres.NewRoleRepository(dbc)
 	policyPGRepository := postgres.NewPolicyRepository(dbc)
-	policyService := policy.NewService(policyPGRepository, relationService, roleService)
-
 	userRepository := postgres.NewUserRepository(dbc)
-	userService := user.NewService(userRepository, relationService, policyService, roleService)
 
 	prospectRepository := postgres.NewProspectRepository(dbc)
 	prospectService := prospect.NewService(prospectRepository)
@@ -415,15 +412,20 @@ func buildAPIDependencies(
 			return api.Deps{}, fmt.Errorf("failed to parse passkey config: %w", err)
 		}
 	}
-	authnService := authenticate.NewService(logger, cfg.App.Authentication,
-		postgres.NewFlowRepository(logger, dbc), mailDialer, tokenService, sessionService, userService, serviceUserService, webAuthConfig)
 
 	groupRepository := postgres.NewGroupRepository(dbc)
-	groupService := group.NewService(groupRepository, relationService, authnService, policyService)
-
 	organizationRepository := postgres.NewOrganizationRepository(dbc)
+
+	roleService := role.NewService(roleRepository, relationService, permissionService, auditRecordRepository)
+	policyService := policy.NewService(policyPGRepository, relationService, roleService)
+	userService := user.NewService(userRepository, relationService, policyService, roleService)
+	authnService := authenticate.NewService(logger, cfg.App.Authentication,
+		postgres.NewFlowRepository(logger, dbc), mailDialer, tokenService, sessionService, userService, serviceUserService, webAuthConfig)
+	groupService := group.NewService(groupRepository, relationService, authnService, policyService)
 	organizationService := organization.NewService(organizationRepository, relationService, userService,
-		authnService, policyService, preferenceService)
+		authnService, policyService, preferenceService, auditRecordRepository)
+
+	auditRecordService := auditrecord.NewService(auditRecordRepository, userService, serviceUserService, sessionService)
 
 	orgKycRepository := postgres.NewOrgKycRepository(dbc)
 	orgKycService := kyc.NewService(orgKycRepository)
@@ -478,7 +480,8 @@ func buildAPIDependencies(
 	)
 
 	invitationService := invitation.NewService(mailDialer, postgres.NewInvitationRepository(logger, dbc),
-		organizationService, groupService, userService, relationService, policyService, preferenceService)
+		organizationService, groupService, userService, relationService, policyService, preferenceService,
+		auditRecordRepository)
 
 	if GetStripeClientFunc == nil {
 		// allow to override the stripe client creation function in tests
@@ -562,9 +565,6 @@ func buildAPIDependencies(
 		audit.WithIgnoreList(cfg.Log.IgnoredAuditEvents),
 	)
 
-	auditRecordRepository := postgres.NewAuditRecordRepository(dbc)
-	auditRecordService := auditrecord.NewService(auditRecordRepository, userService, serviceUserService, sessionService)
-
 	dependencies := api.Deps{
 		OrgService:                       organizationService,
 		OrgKycService:                    orgKycService,

core/auditrecord/auditrecord.go

@@ -1,70 +1,12 @@
 package auditrecord
 
-import (
-	"time"
-
-	"github.com/raystack/frontier/pkg/metadata"
-	"github.com/raystack/frontier/pkg/utils"
-)
-
-type AuditRecord struct {
-	ID             string            `json:"id,omitempty"`
-	Event          string            `json:"event"`
-	Actor          Actor             `json:"actor"`
-	Resource       Resource          `json:"resource"`
-	Target         *Target           `json:"target"`
-	OccurredAt     time.Time         `json:"occurred_at"`
-	OrgID          string            `json:"org_id"`
-	RequestID      *string           `json:"request_id"`
-	CreatedAt      time.Time         `json:"created_at,omitempty"`
-	Metadata       metadata.Metadata `json:"metadata"`
-	IdempotencyKey string            `json:"idempotency_key"`
-}
-
-type Actor struct {
-	ID       string            `json:"id"`
-	Type     string            `json:"type"`
-	Name     string            `json:"name"`
-	Metadata metadata.Metadata `json:"metadata"`
-}
-
-type Resource struct {
-	ID       string            `json:"id"`
-	Type     string            `json:"type"`
-	Name     string            `json:"name"`
-	Metadata metadata.Metadata `json:"metadata"`
-}
-
-type Target struct {
-	ID       string            `json:"id"`
-	Type     string            `json:"type"`
-	Name     string            `json:"name"`
-	Metadata metadata.Metadata `json:"metadata"`
-}
-
-type AuditRecordsList struct {
-	AuditRecords []AuditRecord
-	Group        *utils.Group
-	Page         utils.Page
-}
-
-// AuditRecordRQLSchema is the schema for audit record RQL queries. This is a flattened version of the AuditRecord struct.
-// This is needed because the RQL parser does not support nested structs.
-type AuditRecordRQLSchema struct {
-	ID             string    `rql:"name=id,type=string"`
-	Event          string    `rql:"name=event,type=string"`
-	ActorID        string    `rql:"name=actor_id,type=string"`
-	ActorType      string    `rql:"name=actor_type,type=string"`
-	ActorName      string    `rql:"name=actor_name,type=string"`
-	ResourceID     string    `rql:"name=resource_id,type=string"`
-	ResourceType   string    `rql:"name=resource_type,type=string"`
-	ResourceName   string    `rql:"name=resource_name,type=string"`
-	TargetID       string    `rql:"name=target_id,type=string"`
-	TargetType     string    `rql:"name=target_type,type=string"`
-	TargetName     string    `rql:"name=target_name,type=string"`
-	OccurredAt     time.Time `rql:"name=occurred_at,type=datetime"`
-	OrgID          string    `rql:"name=org_id,type=string"`
-	RequestID      string    `rql:"name=request_id,type=string"`
-	CreatedAt      time.Time `rql:"name=created_at,type=datetime"`
-	IdempotencyKey string    `rql:"name=idempotency_key,type=string"`
-}
+import "github.com/raystack/frontier/core/auditrecord/models"
+
+// Models moved to a new package to avoid circular dependency with other packages.
+// Re-assigned for backward compatibility
+type AuditRecord = models.AuditRecord
+type Actor = models.Actor
+type Resource = models.Resource
+type Target = models.Target
+type AuditRecordsList = models.AuditRecordsList
+type AuditRecordRQLSchema = models.AuditRecordRQLSchema

core/auditrecord/models/models.go

@@ -0,0 +1,71 @@
+package models
+
+import (
+	"time"
+
+	"github.com/raystack/frontier/pkg/auditrecord"
+	"github.com/raystack/frontier/pkg/metadata"
+	"github.com/raystack/frontier/pkg/utils"
+)
+
+type AuditRecord struct {
+	ID             string            `json:"id,omitempty"`
+	Event          auditrecord.Event `json:"event"`
+	Actor          Actor             `json:"actor"`
+	Resource       Resource          `json:"resource"`
+	Target         *Target           `json:"target"`
+	OccurredAt     time.Time         `json:"occurred_at"`
+	OrgID          string            `json:"org_id"`
+	RequestID      *string           `json:"request_id"`
+	CreatedAt      time.Time         `json:"created_at,omitempty"`
+	Metadata       metadata.Metadata `json:"metadata"`
+	IdempotencyKey string            `json:"idempotency_key"`
+}
+
+type Actor struct {
+	ID       string            `json:"id"`
+	Type     string            `json:"type"`
+	Name     string            `json:"name"`
+	Metadata metadata.Metadata `json:"metadata"`
+}
+
+type Resource struct {
+	ID       string                 `json:"id"`
+	Type     auditrecord.EntityType `json:"type"`
+	Name     string                 `json:"name"`
+	Metadata metadata.Metadata      `json:"metadata"`
+}
+
+type Target struct {
+	ID       string                 `json:"id"`
+	Type     auditrecord.EntityType `json:"type"`
+	Name     string                 `json:"name"`
+	Metadata metadata.Metadata      `json:"metadata"`
+}
+
+type AuditRecordsList struct {
+	AuditRecords []AuditRecord
+	Group        *utils.Group
+	Page         utils.Page
+}
+
+// AuditRecordRQLSchema is the schema for audit record RQL queries. This is a flattened version of the AuditRecord struct.
+// This is needed because the RQL parser does not support nested structs.
+type AuditRecordRQLSchema struct {
+	ID             string    `rql:"name=id,type=string"`
+	Event          string    `rql:"name=event,type=string"`
+	ActorID        string    `rql:"name=actor_id,type=string"`
+	ActorType      string    `rql:"name=actor_type,type=string"`
+	ActorName      string    `rql:"name=actor_name,type=string"`
+	ResourceID     string    `rql:"name=resource_id,type=string"`
+	ResourceType   string    `rql:"name=resource_type,type=string"`
+	ResourceName   string    `rql:"name=resource_name,type=string"`
+	TargetID       string    `rql:"name=target_id,type=string"`
+	TargetType     string    `rql:"name=target_type,type=string"`
+	TargetName     string    `rql:"name=target_name,type=string"`
+	OccurredAt     time.Time `rql:"name=occurred_at,type=datetime"`
+	OrgID          string    `rql:"name=org_id,type=string"`
+	RequestID      string    `rql:"name=request_id,type=string"`
+	CreatedAt      time.Time `rql:"name=created_at,type=datetime"`
+	IdempotencyKey string    `rql:"name=idempotency_key,type=string"`
+}

core/auditrecord/service.go

@@ -137,7 +137,7 @@ func (s *Service) Export(ctx context.Context, query *rql.Query) (io.Reader, stri
 
 func computeHash(auditRecord AuditRecord) string {
 	// Normalize event and IDs - trim spaces and lowercase for consistency
-	normalisedEvent := strings.ToLower(strings.TrimSpace(auditRecord.Event))
+	normalisedEvent := strings.ToLower(strings.TrimSpace(auditRecord.Event.String()))
 	normalisedActorID := strings.ToLower(strings.TrimSpace(auditRecord.Actor.ID))
 	normalisedResourceID := strings.ToLower(strings.TrimSpace(auditRecord.Resource.ID))
 	normalisedOrgID := strings.ToLower(strings.TrimSpace(auditRecord.OrgID))

core/invitation/service.go

@@ -15,9 +15,11 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/mcuadros/go-defaults"
+	"github.com/raystack/frontier/core/auditrecord/models"
 	"github.com/raystack/frontier/core/authenticate"
 	"github.com/raystack/frontier/core/policy"
 	"github.com/raystack/frontier/core/preference"
+	pkgAuditRecord "github.com/raystack/frontier/pkg/auditrecord"
 	"gopkg.in/mail.v2"
 
 	"github.com/raystack/frontier/pkg/mailer"
@@ -67,30 +69,37 @@ type PreferencesService interface {
 	LoadPlatformPreferences(ctx context.Context) (map[string]string, error)
 }
 
+type AuditRecordRepository interface {
+	Create(ctx context.Context, auditRecord models.AuditRecord) (models.AuditRecord, error)
+}
+
 type Service struct {
-	dialer          mailer.Dialer
-	repo            Repository
-	orgSvc          OrganizationService
-	groupSvc        GroupService
-	userService     UserService
-	relationService RelationService
-	policyService   PolicyService
-	prefService     PreferencesService
+	dialer                mailer.Dialer
+	repo                  Repository
+	orgSvc                OrganizationService
+	groupSvc              GroupService
+	userService           UserService
+	relationService       RelationService
+	policyService         PolicyService
+	prefService           PreferencesService
+	auditRecordRepository AuditRecordRepository
 }
 
 func NewService(dialer mailer.Dialer, repo Repository,
 	orgSvc OrganizationService, grpSvc GroupService,
 	userService UserService, relService RelationService,
-	policyService PolicyService, prefService PreferencesService) *Service {
+	policyService PolicyService, prefService PreferencesService,
+	auditRecordRepository AuditRecordRepository) *Service {
 	return &Service{
-		dialer:          dialer,
-		repo:            repo,
-		orgSvc:          orgSvc,
-		groupSvc:        grpSvc,
-		userService:     userService,
-		relationService: relService,
-		policyService:   policyService,
-		prefService:     prefService,
+		dialer:                dialer,
+		repo:                  repo,
+		orgSvc:                orgSvc,
+		groupSvc:              grpSvc,
+		userService:           userService,
+		relationService:       relService,
+		policyService:         policyService,
+		prefService:           prefService,
+		auditRecordRepository: auditRecordRepository,
 	}
 }
 
@@ -359,6 +368,35 @@ func (s Service) Accept(ctx context.Context, id uuid.UUID) error {
 		}
 	}
 
+	// fetch organization details for audit record
+	org, err := s.orgSvc.Get(ctx, invite.OrgID)
+	if err != nil {
+		return err
+	}
+
+	// create audit record for invitation acceptance
+	_, err = s.auditRecordRepository.Create(ctx, models.AuditRecord{
+		Event: pkgAuditRecord.OrganizationInvitationAcceptedEvent,
+		Resource: models.Resource{
+			ID:   org.ID,
+			Type: pkgAuditRecord.OrganizationType,
+			Name: org.Title,
+		},
+		Target: &models.Target{
+			ID:   userOb.ID,
+			Type: pkgAuditRecord.UserType,
+			Name: userOb.Title,
+			Metadata: map[string]any{
+				"email": userOb.Email,
+			},
+		},
+		OrgID:      invite.OrgID,
+		OccurredAt: time.Now(),
+	})
+	if err != nil {
+		return err
+	}
+
 	// delete the invitation
 	return s.Delete(ctx, id)
 }

core/invitation/service_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	auditMocks "github.com/raystack/frontier/core/auditrecord/mocks"
 	"github.com/raystack/frontier/core/authenticate"
 	"github.com/raystack/frontier/internal/bootstrap/schema"
 
@@ -19,7 +20,7 @@ import (
 )
 
 func mockService(t *testing.T) (*mocks2.Dialer, *mocks.Repository, *mocks.OrganizationService, *mocks.GroupService,
-	*mocks.UserService, *mocks.RelationService, *mocks.PolicyService, *mocks.PreferencesService) {
+	*mocks.UserService, *mocks.RelationService, *mocks.PolicyService, *mocks.PreferencesService, *auditMocks.Repository) {
 	t.Helper()
 	dialer := mocks2.NewDialer(t)
 	repo := mocks.NewRepository(t)
@@ -29,7 +30,8 @@ func mockService(t *testing.T) (*mocks2.Dialer, *mocks.Repository, *mocks.Organi
 	relationService := mocks.NewRelationService(t)
 	policyService := mocks.NewPolicyService(t)
 	prefService := mocks.NewPreferencesService(t)
-	return dialer, repo, orgService, groupService, userService, relationService, policyService, prefService
+	auditRecordRepo := auditMocks.NewRepository(t)
+	return dialer, repo, orgService, groupService, userService, relationService, policyService, prefService, auditRecordRepo
 }
 
 func TestService_Create(t *testing.T) {
@@ -48,7 +50,7 @@ func TestService_Create(t *testing.T) {
 			},
 			err: invitation.ErrAlreadyMember,
 			setup: func() *invitation.Service {
-				dialer, repo, orgService, groupService, userService, relationService, policyService, prefService := mockService(t)
+				dialer, repo, orgService, groupService, userService, relationService, policyService, prefService, auditRecordRepo := mockService(t)
 
 				prefService.EXPECT().LoadPlatformPreferences(mock.Anything).Return(map[string]string{}, nil)
 				orgService.EXPECT().Get(mock.Anything, "org-id").Return(organization.Organization{
@@ -69,7 +71,7 @@ func TestService_Create(t *testing.T) {
 				}, nil)
 
 				return invitation.NewService(dialer, repo, orgService, groupService,
-					userService, relationService, policyService, prefService)
+					userService, relationService, policyService, prefService, auditRecordRepo)
 			},
 		},
 	}