EXT-1497 Check AppData before audit enabled (#24877) (#24996)

StekPerepolnen · UgnineSirdis · web-flow · commit ac8e6cee4ff5 · 2025-09-16T16:51:34.000+02:00
Co-authored-by: Vasily Gerasimov &lt;galaxycrab@nebius.com&gt;
diff --git a/ydb/core/mon/audit/audit.cpp b/ydb/core/mon/audit/audit.cpp
@@ -59,6 +59,16 @@ namespace {
     }
 }
 
+bool TAuditCtx::AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase, NACLibProto::ESubjectType subjectType)
+{
+    if (NKikimr::HasAppData()) {
+        return NKikimr::AppData()->AuditConfig.EnableLogging(NKikimrConfig::TAuditConfig::TLogClassConfig::ClusterAdmin,
+                                                             logPhase, subjectType);
+    }
+    return false;
+}
+
+
 void TAuditCtx::AddAuditLogPart(TStringBuf name, const TString& value) {
     Parts.emplace_back(name, value);
 }
@@ -151,9 +161,7 @@ void TAuditCtx::SetSubjectType(NACLibProto::ESubjectType subjectType) {
 }
 
 void TAuditCtx::LogAudit(ERequestStatus status, const TString& reason, NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase) {
-    auto auditEnabled = NKikimr::AppData()->AuditConfig.EnableLogging(NKikimrConfig::TAuditConfig::TLogClassConfig::ClusterAdmin, logPhase, SubjectType);
-
-    if (!Auditable || !auditEnabled) {
+    if (!Auditable || !AuditEnabled(logPhase, SubjectType)) {
         return;
     }
 
diff --git a/ydb/core/mon/audit/audit.h b/ydb/core/mon/audit/audit.h
@@ -26,6 +26,7 @@ class TAuditCtx {
     void LogOnReceived();
     void LogOnCompleted(const NHttp::THttpOutgoingResponsePtr& response);
     void SetSubjectType(NACLibProto::ESubjectType subjectType);
+    static bool AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase, NACLibProto::ESubjectType subjectType);
 
 private:
     void AddAuditLogPart(TStringBuf name, const TString& value);
diff --git a/ydb/core/mon/audit/audit_ut.cpp b/ydb/core/mon/audit/audit_ut.cpp
@@ -0,0 +1,12 @@
+#include <ydb/core/mon/audit/audit.h>
+
+#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/testing/unittest/tests_data.h>
+
+using namespace NMonitoring::NAudit;
+
+Y_UNIT_TEST_SUITE(TAuditTest) {
+    Y_UNIT_TEST(AuditDisabledWithoutAppData) {
+        UNIT_ASSERT(!TAuditCtx::AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::Completed, NACLibProto::SUBJECT_TYPE_ANONYMOUS));
+    }
+}
diff --git a/ydb/core/mon/audit/ut/ya.make b/ydb/core/mon/audit/ut/ya.make
@@ -9,6 +9,7 @@ PEERDIR(
 )
 
 SRCS(
+    audit_ut.cpp
     url_matcher_ut.cpp
 )
 

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,16 @@ namespace {`
`59`	`59`	`}`
`60`	`60`	`}`
`61`	`61`
	`62`	`+bool TAuditCtx::AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase, NACLibProto::ESubjectType subjectType)`
	`63`	`+{`
	`64`	`+ if (NKikimr::HasAppData()) {`
	`65`	`+ return NKikimr::AppData()->AuditConfig.EnableLogging(NKikimrConfig::TAuditConfig::TLogClassConfig::ClusterAdmin,`
	`66`	`+ logPhase, subjectType);`
	`67`	`+ }`
	`68`	`+ return false;`
	`69`	`+}`
	`70`	`+`
	`71`	`+`
`62`	`72`	`void TAuditCtx::AddAuditLogPart(TStringBuf name, const TString& value) {`
`63`	`73`	`Parts.emplace_back(name, value);`
`64`	`74`	`}`
`@@ -151,9 +161,7 @@ void TAuditCtx::SetSubjectType(NACLibProto::ESubjectType subjectType) {`
`151`	`161`	`}`
`152`	`162`
`153`	`163`	`void TAuditCtx::LogAudit(ERequestStatus status, const TString& reason, NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase) {`
`154`		`- auto auditEnabled = NKikimr::AppData()->AuditConfig.EnableLogging(NKikimrConfig::TAuditConfig::TLogClassConfig::ClusterAdmin, logPhase, SubjectType);`
`155`		`-`
`156`		`- if (!Auditable \|\| !auditEnabled) {`
	`164`	`+ if (!Auditable \|\| !AuditEnabled(logPhase, SubjectType)) {`
`157`	`165`	`return;`
`158`	`166`	`}`
`159`	`167`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ PEERDIR(`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`SRCS(`
	`12`	`+ audit_ut.cpp`
`12`	`13`	`url_matcher_ut.cpp`
`13`	`14`	`)`
`14`	`15`