journaled 5.0.0 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac63d8988a5cbbd63340c019b82642a039a9dfee81f46d83b15e5a71d83e9cb7
-  data.tar.gz: ae809e4b05901d6eb73eb0196119999be2b0fd414c3af3c4bb30d280216098cf
+  metadata.gz: 5d0222aba969718f085949e0bf6b1fee163c70ed9512190c2b53abf75d0a120c
+  data.tar.gz: d3d2ac0e99d142aeb608f66f7d1a1ae15831d56483a8975bb7a991d3447058ac
 SHA512:
-  metadata.gz: 72bcbe0ae43717280eb8a0b3383672cc87762e4c2b9b082778f1beac249004ef90a41e32e6fbabd693377a4d0af6cf6fc78df8a2b8ff44067276dd502cece63a
-  data.tar.gz: b21401ba2cf6155a25f50f1c58c634e3036754ec69b8d7f287c86408f69819aed5cfac1a43d55636a2be461545096b1510318a6ce665bf47595f30c8b90bceb9
+  metadata.gz: a6b4789d6314447dad04cc152b76cdf861f21d92cf27af5030f2ce500a8f2c6b791f7adfe86b975e614cba3f3af5b811022e6895feb32a831893851fabc5426d
+  data.tar.gz: 735a2305bb0599d1b6db9b355e39c1523079df60cbd975627eb5b273c155228d3740a3215341983ad15a90ff53dd6772f81a154829d13237ea8dde0eed92d34b

data/app/models/concerns/journaled/changes.rb

@@ -56,7 +56,7 @@ module Journaled::Changes
   end
 
   class_methods do
-    def journal_changes_to(*attribute_names, as:, enqueue_with: {}) # rubocop:disable Naming/MethodParameterName
+    def journal_changes_to(*attribute_names, as:, enqueue_with: {})
       if attribute_names.empty? || attribute_names.any? { |n| !n.is_a?(Symbol) }
         raise "one or more symbol attribute_name arguments is required"
       end

data/app/models/journaled/audit_log/event.rb

@@ -0,0 +1,87 @@
+# FIXME: This cannot be included in lib/ because Journaled::Event is autoloaded via app/models
+#        Autoloading Journaled::Event isn't strictly necessary, and for compatibility it would
+#        make sense to move it to lib/.
+module Journaled
+  module AuditLog
+    Event = Struct.new(:record, :database_operation, :unfiltered_changes) do
+      include Journaled::Event
+
+      journal_attributes :class_name, :table_name, :record_id,
+                         :database_operation, :changes, :snapshot, :actor, tagged: true
+
+      def journaled_stream_name
+        AuditLog.default_stream_name || super
+      end
+
+      def created_at
+        case database_operation
+          when 'insert'
+            record_created_at
+          when 'update'
+            record_updated_at
+          when 'delete'
+            Time.zone.now
+          else
+            raise "Unhandled database operation type: #{database_operation}"
+        end
+      end
+
+      def record_created_at
+        record.try(:created_at) || Time.zone.now
+      end
+
+      def record_updated_at
+        record.try(:updated_at) || Time.zone.now
+      end
+
+      def class_name
+        record.class.name
+      end
+
+      def table_name
+        record.class.table_name
+      end
+
+      def record_id
+        record.id
+      end
+
+      def changes
+        filtered_changes = unfiltered_changes.deep_dup.deep_symbolize_keys
+        filtered_changes.each do |key, value|
+          filtered_changes[key] = value.map { |val| '[FILTERED]' if val } if filter_key?(key)
+        end
+      end
+
+      def snapshot
+        filtered_attributes if record._log_snapshot || AuditLog.snapshots_enabled
+      end
+
+      def actor
+        Journaled.actor_uri
+      end
+
+      private
+
+      def filter_key?(key)
+        filter_params.include?(key) || encrypted_column?(key)
+      end
+
+      def encrypted_column?(key)
+        key.to_s.end_with?('_crypt', '_hmac') ||
+          (Rails::VERSION::MAJOR >= 7 && record.encrypted_attribute?(key))
+      end
+
+      def filter_params
+        Rails.application.config.filter_parameters
+      end
+
+      def filtered_attributes
+        attrs = record.attributes.dup.symbolize_keys
+        attrs.each do |key, _value|
+          attrs[key] = '[FILTERED]' if filter_key?(key)
+        end
+      end
+    end
+  end
+end

data/journaled_schemas/journaled/audit_log/event.json

@@ -0,0 +1,31 @@
+{
+  "type": "object",
+  "title": "audit_log_event",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "event_type",
+    "created_at",
+    "class_name",
+    "table_name",
+    "record_id",
+    "database_operation",
+    "changes",
+    "snapshot",
+    "actor",
+    "tags"
+  ],
+  "properties": {
+    "id": { "type": "string" },
+    "event_type": { "type": "string" },
+    "created_at": { "type": "string" },
+    "class_name": { "type": "string" },
+    "table_name": { "type": "string" },
+    "record_id": { "type": ["string", "integer"] },
+    "database_operation": { "type": "string" },
+    "changes": { "type": "object", "additionalProperties": true },
+    "snapshot": { "type": ["object", "null"], "additionalProperties": true },
+    "actor": { "type": "string" },
+    "tags": { "type": "object", "additionalProperties": true }
+  }
+}

data/lib/journaled/audit_log.rb

@@ -0,0 +1,194 @@
+require 'active_support/core_ext/module/attribute_accessors_per_thread'
+
+module Journaled
+  module AuditLog
+    extend ActiveSupport::Concern
+
+    DEFAULT_EXCLUDED_CLASSES = %w(
+      Delayed::Job
+      PaperTrail::Version
+      ActiveStorage::Attachment
+      ActiveStorage::Blob
+      ActiveRecord::InternalMetadata
+      ActiveRecord::SchemaMigration
+    ).freeze
+
+    mattr_accessor(:default_ignored_columns) { %i(created_at updated_at) }
+    mattr_accessor(:default_stream_name) { Journaled.default_stream_name }
+    mattr_accessor(:excluded_classes) { DEFAULT_EXCLUDED_CLASSES.dup }
+    thread_mattr_accessor(:snapshots_enabled) { false }
+    thread_mattr_accessor(:_disabled) { false }
+    thread_mattr_accessor(:_force) { false }
+
+    class << self
+      def exclude_classes!
+        excluded_classes.each do |name|
+          if Rails::VERSION::MAJOR >= 6 && Rails.autoloaders.zeitwerk_enabled?
+            zeitwerk_exclude!(name)
+          else
+            classic_exclude!(name)
+          end
+        end
+      end
+
+      def with_snapshots
+        snapshots_enabled_was = snapshots_enabled
+        self.snapshots_enabled = true
+        yield
+      ensure
+        self.snapshots_enabled = snapshots_enabled_was
+      end
+
+      def without_audit_logging
+        disabled_was = _disabled
+        self._disabled = true
+        yield
+      ensure
+        self._disabled = disabled_was
+      end
+
+      private
+
+      def zeitwerk_exclude!(name)
+        if Object.const_defined?(name)
+          name.constantize.skip_audit_log
+        else
+          Rails.autoloaders.main.on_load(name) { |klass, _path| klass.skip_audit_log }
+        end
+      end
+
+      def classic_exclude!(name)
+        name.constantize.skip_audit_log
+      rescue NameError
+        nil
+      end
+    end
+
+    Config = Struct.new(:enabled, :ignored_columns) do
+      private :enabled
+      def enabled?
+        !AuditLog._disabled && self[:enabled].present?
+      end
+    end
+
+    included do
+      prepend BlockedMethods
+      singleton_class.prepend BlockedClassMethods
+
+      class_attribute :audit_log_config, default: Config.new(false, AuditLog.default_ignored_columns)
+      attr_accessor :_log_snapshot
+
+      after_create { _emit_audit_log!('insert') }
+      after_update { _emit_audit_log!('update') if _audit_log_changes.any? }
+      after_destroy { _emit_audit_log!('delete') }
+    end
+
+    class_methods do
+      def has_audit_log(ignore: [])
+        ignored_columns = _audit_log_inherited_ignored_columns + [ignore].flatten(1)
+        self.audit_log_config = Config.new(true, ignored_columns.uniq)
+      end
+
+      def skip_audit_log
+        self.audit_log_config = Config.new(false, _audit_log_inherited_ignored_columns.uniq)
+      end
+
+      private
+
+      def _audit_log_inherited_ignored_columns
+        (superclass.try(:audit_log_config)&.ignored_columns || []) + audit_log_config.ignored_columns
+      end
+    end
+
+    module BlockedMethods
+      BLOCKED_METHODS = {
+        delete: '#destroy',
+        update_column: '#update!',
+        update_columns: '#update!',
+      }.freeze
+
+      def delete(**kwargs)
+        _journaled_audit_log_check!(:delete, **kwargs) do
+          super()
+        end
+      end
+
+      def update_column(name, value, **kwargs)
+        _journaled_audit_log_check!(:update_column, **kwargs.merge(name => value)) do
+          super(name, value)
+        end
+      end
+
+      def update_columns(args = {}, **kwargs)
+        _journaled_audit_log_check!(:update_columns, **args.merge(kwargs)) do
+          super(args.merge(kwargs).except(:_force))
+        end
+      end
+
+      def _journaled_audit_log_check!(method, **kwargs) # rubocop:disable Metrics/AbcSize
+        force_was = AuditLog._force
+        AuditLog._force = kwargs.delete(:_force) if kwargs.key?(:_force)
+        audited_columns = kwargs.keys - audit_log_config.ignored_columns
+
+        if method == :delete || audited_columns.any?
+          column_message = <<~MSG if kwargs.any?
+            You are attempting to change the following audited columns:
+              #{audited_columns.inspect}
+
+          MSG
+          raise <<~MSG if audit_log_config.enabled? && !AuditLog._force
+            #{column_message}Using `#{method}` is blocked because it skips audit logging (and other Rails callbacks)!
+            Consider using `#{BLOCKED_METHODS[method]}` instead, or pass `_force: true` as an argument.
+          MSG
+        end
+
+        yield
+      ensure
+        AuditLog._force = force_was
+      end
+    end
+
+    module BlockedClassMethods
+      BLOCKED_METHODS = {
+        delete_all: '.destroy_all',
+        insert: '.create!',
+        insert_all: '.each { create!(...) }',
+        update_all: '.find_each { update!(...) }',
+        upsert: '.create_or_find_by!',
+        upsert_all: '.each { create_or_find_by!(...) }',
+      }.freeze
+
+      BLOCKED_METHODS.each do |method, alternative|
+        define_method(method) do |*args, **kwargs, &block|
+          force_was = AuditLog._force
+          AuditLog._force = kwargs.delete(:_force) if kwargs.key?(:_force)
+
+          raise <<~MSG if audit_log_config.enabled? && !AuditLog._force
+            `#{method}` is blocked because it skips callbacks and audit logs!
+            Consider using `#{alternative}` instead, or pass `_force: true` as an argument.
+          MSG
+
+          super(*args, **kwargs, &block)
+        ensure
+          AuditLog._force = force_was
+        end
+      end
+    end
+
+    def _emit_audit_log!(database_operation)
+      if audit_log_config.enabled?
+        event = Journaled::AuditLog::Event.new(self, database_operation, _audit_log_changes)
+        ActiveSupport::Notifications.instrument('journaled.audit_log.journal', event: event) do
+          event.journal!
+        end
+      end
+    end
+
+    def _audit_log_changes
+      previous_changes.except(*audit_log_config.ignored_columns)
+    end
+  end
+end
+
+ActiveSupport.on_load(:active_record) { include Journaled::AuditLog }
+Journaled::Engine.config.after_initialize { Journaled::AuditLog.exclude_classes! }

data/lib/journaled/version.rb

@@ -1,3 +1,3 @@
 module Journaled
-  VERSION = "5.0.0".freeze
+  VERSION = "5.1.0".freeze
 end

data/lib/journaled.rb

@@ -69,3 +69,5 @@ module Journaled
     Current.tags = Current.tags.merge(tags)
   end
 end
+
+require 'journaled/audit_log'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: journaled
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.1.0
 platform: ruby
 authors:
 - Jake Lipson
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-08-23 00:00:00.000000000 Z
+date: 2022-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activejob
@@ -41,6 +41,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-kinesis
   requirement: !ruby/object:Gem::Requirement
@@ -242,6 +256,7 @@ files:
 - app/jobs/journaled/delivery_job.rb
 - app/models/concerns/journaled/changes.rb
 - app/models/journaled/actor_uri_provider.rb
+- app/models/journaled/audit_log/event.rb
 - app/models/journaled/change.rb
 - app/models/journaled/change_definition.rb
 - app/models/journaled/change_writer.rb
@@ -252,9 +267,11 @@ files:
 - config/initializers/change_protection.rb
 - config/spring.rb
 - journaled_schemas/base_event.json
+- journaled_schemas/journaled/audit_log/event.json
 - journaled_schemas/journaled/change.json
 - journaled_schemas/tagged_event.json
 - lib/journaled.rb
+- lib/journaled/audit_log.rb
 - lib/journaled/connection.rb
 - lib/journaled/current.rb
 - lib/journaled/engine.rb