lockbot 2.3.3__tar.gz → 2.5.0__tar.gz

{lockbot-2.3.3/python/lockbot.egg-info → lockbot-2.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lockbot
-Version: 2.3.3
+Version: 2.5.0
 Summary: Cluster resource management bot for IM platforms
 Author-email: Jianbang Yang <yangjianbang112@gmail.com>
 License: MIT
@@ -33,9 +33,10 @@ Requires-Dist: cryptography
 Requires-Dist: bcrypt
 Requires-Dist: python-multipart
 Requires-Dist: httpx
+Requires-Dist: slowapi
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0; extra == "dev"
-Requires-Dist: ruff>=0.1.0; extra == "dev"
+Requires-Dist: ruff==0.15.10; extra == "dev"
 Dynamic: license-file
 
 # lockbot

{lockbot-2.3.3 → lockbot-2.5.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "lockbot"
-version = "2.3.3"
+version = "2.5.0"
 description = "Cluster resource management bot for IM platforms"
 readme = "README.md"
 license = {text = "MIT"}
@@ -41,12 +41,13 @@ dependencies = [
     "bcrypt",
     "python-multipart",
     "httpx",
+    "slowapi",
 ]
 
 [project.optional-dependencies]
 dev = [
     "pytest>=7.0",
-    "ruff>=0.1.0",
+    "ruff==0.15.10",
 ]
 
 [project.urls]

{lockbot-2.3.3 → lockbot-2.5.0}/python/lockbot/backend/app/admin/router.py

@@ -11,11 +11,12 @@ import tempfile
 import zipfile
 from datetime import datetime
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import FileResponse, Response
 from sqlalchemy.orm import Session
 from starlette.background import BackgroundTask
 
+from lockbot.backend.app.audit.service import write_audit_log
 from lockbot.backend.app.auth.dependencies import (
     can_assign_role,
     can_create_user_with_role,
@@ -40,6 +41,7 @@ router = APIRouter(prefix="/api/admin", tags=["admin"])
 
 @router.post("/users", response_model=PasswordResetOut, status_code=201)
 def admin_create_user(
+    request: Request,
     body: AdminCreateUser,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
@@ -67,6 +69,17 @@ def admin_create_user(
         must_change_password=True,
     )
     db.add(user)
+    db.flush()
+    write_audit_log(
+        db,
+        operator,
+        "user.create",
+        target_type="user",
+        target_id=user.id,
+        target_name=user.username,
+        detail={"role": body.role},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(user)
     return PasswordResetOut(id=user.id, username=user.username, new_password=raw_password)
@@ -108,6 +121,7 @@ def list_users(
 def admin_edit_user(
     user_id: int,
     body: AdminEditUser,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -120,16 +134,19 @@ def admin_edit_user(
     if not can_manage_user(operator, target.role):
         raise HTTPException(status_code=403, detail="Cannot manage this user")
 
+    changes: dict = {}
     if body.username is not None and body.username != target.username:
         dup = db.query(User).filter(User.username == body.username).first()
         if dup:
             raise HTTPException(status_code=409, detail="Username already taken")
+        changes["username"] = {"old": target.username, "new": body.username}
         target.username = body.username
 
     if body.email is not None and body.email != target.email:
         dup = db.query(User).filter(User.email == body.email).first()
         if dup:
             raise HTTPException(status_code=409, detail="Email already taken")
+        changes["email"] = {"old": target.email, "new": body.email}
         target.email = body.email
 
     if body.role is not None:
@@ -139,12 +156,24 @@ def admin_edit_user(
             raise HTTPException(status_code=status_code, detail=error_msg)
         # Force logout when role changes
         if target.role != body.role:
+            changes["role"] = {"old": target.role, "new": body.role}
             target.token_version = target.effective_token_version + 1
         target.role = body.role
 
     if body.max_running_bots is not None:
+        changes["max_running_bots"] = {"old": target.max_running_bots, "new": body.max_running_bots}
         target.max_running_bots = body.max_running_bots
 
+    write_audit_log(
+        db,
+        operator,
+        "user.edit",
+        target_type="user",
+        target_id=target.id,
+        target_name=target.username,
+        detail=changes,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(target)
     return target
@@ -154,6 +183,7 @@ def admin_edit_user(
 def set_max_bots(
     user_id: int,
     body: dict,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -162,7 +192,18 @@ def set_max_bots(
         raise HTTPException(status_code=404, detail="User not found")
     if not can_manage_user(operator, user.role):
         raise HTTPException(status_code=403, detail="Cannot manage this user")
+    old_val = user.max_running_bots
     user.max_running_bots = body["max_running_bots"]
+    write_audit_log(
+        db,
+        operator,
+        "user.set_max_bots",
+        target_type="user",
+        target_id=user.id,
+        target_name=user.username,
+        detail={"old": old_val, "new": user.max_running_bots},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(user)
     return {"id": user.id, "max_running_bots": user.max_running_bots}
@@ -171,6 +212,7 @@ def set_max_bots(
 @router.post("/users/{user_id}/reset-password", response_model=PasswordResetOut)
 def admin_reset_password(
     user_id: int,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -185,6 +227,15 @@ def admin_reset_password(
     target.must_change_password = True
     # Force logout - invalidate all existing tokens
     target.token_version = target.effective_token_version + 1
+    write_audit_log(
+        db,
+        operator,
+        "user.reset_password",
+        target_type="user",
+        target_id=target.id,
+        target_name=target.username,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(target)
     return PasswordResetOut(id=target.id, username=target.username, new_password=raw_password)
@@ -193,6 +244,7 @@ def admin_reset_password(
 @router.post("/users/{user_id}/force-logout")
 def force_logout_user(
     user_id: int,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -203,6 +255,15 @@ def force_logout_user(
     if not can_manage_user(operator, target.role):
         raise HTTPException(status_code=403, detail="Cannot manage this user")
     target.token_version = target.effective_token_version + 1
+    write_audit_log(
+        db,
+        operator,
+        "user.force_logout",
+        target_type="user",
+        target_id=target.id,
+        target_name=target.username,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     return {"id": target.id, "username": target.username, "message": "User logged out successfully"}
 
@@ -235,7 +296,9 @@ def platform_stats(
 
 @router.get("/backup")
 def download_backup(
+    request: Request,
     _admin: User = Depends(require_super_admin),
+    db: Session = Depends(get_db),
 ):
     """Download full SQLite database backup (super_admin only)."""
     from lockbot.backend.app.config import DATABASE_URL
@@ -258,6 +321,9 @@ def download_backup(
             os.unlink(tmp_path)
         raise
 
+    write_audit_log(db, _admin, "admin.backup", ip=request.client.host if request.client else None)
+    db.commit()
+
     filename = f"lockbot_backup_{datetime.now().strftime('%Y%m%d_%H%M%S')}.db"
     return FileResponse(
         path=tmp_path,
@@ -272,6 +338,7 @@ _DEFAULT_DATA_DIR = os.environ.get("DATA_DIR", "/data")
 
 @router.get("/bot-states")
 def download_all_bot_states(
+    request: Request,
     _admin: User = Depends(require_super_admin),
     db: Session = Depends(get_db),
 ):
@@ -299,6 +366,9 @@ def download_all_bot_states(
     buf.seek(0)
     content = buf.read()
 
+    write_audit_log(db, _admin, "admin.bot_states", ip=request.client.host if request.client else None)
+    db.commit()
+
     filename = f"lockbot_states_{datetime.now().strftime('%Y%m%d_%H%M%S')}.zip"
     return Response(
         content=content,

lockbot-2.5.0/python/lockbot/backend/app/audit/models.py

@@ -0,0 +1,37 @@
+"""
+AuditLog model — records who did what, when, and to which resource.
+"""
+
+from datetime import datetime
+
+from sqlalchemy import DateTime, Integer, String, Text, func
+from sqlalchemy.orm import Mapped, mapped_column
+
+from lockbot.backend.app.database import Base
+
+
+class AuditLog(Base):
+    __tablename__ = "audit_logs"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+
+    # Operator info (denormalized so records survive user deletion)
+    operator_id: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    operator_username: Mapped[str] = mapped_column(String(64), nullable=False)
+    operator_role: Mapped[str] = mapped_column(String(16), nullable=False)
+
+    # Action: namespace.verb, e.g. "auth.login", "bot.start", "user.create"
+    action: Mapped[str] = mapped_column(String(64), nullable=False, index=True)
+
+    # Target resource (optional)
+    target_type: Mapped[str | None] = mapped_column(String(16), nullable=True)  # "user" | "bot"
+    target_id: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    target_name: Mapped[str | None] = mapped_column(String(128), nullable=True)  # denormalized
+
+    # Extra context (JSON string)
+    detail: Mapped[str | None] = mapped_column(Text, nullable=True)
+
+    ip_address: Mapped[str | None] = mapped_column(String(64), nullable=True)
+    result: Mapped[str] = mapped_column(String(16), nullable=False, default="success")  # success | failure
+
+    created_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now(), index=True)

lockbot-2.5.0/python/lockbot/backend/app/audit/router.py

@@ -0,0 +1,141 @@
+"""
+Audit log query API.
+
+Visibility rules:
+  - super_admin : sees ALL records
+  - admin       : sees records where operator_id is in the set of
+                  {own id} ∪ {ids of users with role="user"}
+                  (admins cannot see each other's actions)
+  - user        : sees own records (operator_id == self) PLUS anonymous
+                  failed-login attempts where operator_username == self
+                  (so users can detect brute-force attempts on their account)
+"""
+
+import json
+from datetime import datetime
+from typing import Any
+
+from fastapi import APIRouter, Depends, Query
+from pydantic import BaseModel
+from sqlalchemy import and_, or_
+from sqlalchemy.orm import Session
+
+from lockbot.backend.app.audit.models import AuditLog
+from lockbot.backend.app.auth.dependencies import get_current_user
+from lockbot.backend.app.auth.models import User
+from lockbot.backend.app.database import get_db
+
+router = APIRouter(prefix="/api/audit", tags=["audit"])
+
+
+class AuditLogOut(BaseModel):
+    id: int
+    operator_id: int | None
+    operator_username: str
+    operator_role: str
+    action: str
+    target_type: str | None
+    target_id: int | None
+    target_name: str | None
+    detail: Any | None  # parsed JSON or raw string
+    ip_address: str | None
+    result: str
+    created_at: datetime
+
+    model_config = {"from_attributes": True}
+
+
+class AuditLogsPage(BaseModel):
+    total: int
+    items: list[AuditLogOut]
+
+
+def _parse_detail(raw: str | None) -> Any:
+    if raw is None:
+        return None
+    try:
+        return json.loads(raw)
+    except Exception:
+        return raw
+
+
+def _to_out(log: AuditLog) -> AuditLogOut:
+    return AuditLogOut(
+        id=log.id,
+        operator_id=log.operator_id,
+        operator_username=log.operator_username,
+        operator_role=log.operator_role,
+        action=log.action,
+        target_type=log.target_type,
+        target_id=log.target_id,
+        target_name=log.target_name,
+        detail=_parse_detail(log.detail),
+        ip_address=log.ip_address,
+        result=log.result,
+        created_at=log.created_at,
+    )
+
+
+@router.get("/logs", response_model=AuditLogsPage)
+def list_audit_logs(
+    # Filters
+    action: str | None = Query(None, description="Filter by action, e.g. 'bot.start'"),
+    operator_id: int | None = Query(None),
+    operator_username: str | None = Query(None, description="Filter by operator username (partial match)"),
+    target_type: str | None = Query(None),
+    target_id: int | None = Query(None),
+    result: str | None = Query(None, description="'success' or 'failure'"),
+    start_date: datetime | None = Query(None),
+    end_date: datetime | None = Query(None),
+    # Pagination
+    page: int = Query(1, ge=1),
+    limit: int = Query(50, ge=1, le=200),
+    # Auth
+    operator: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    q = db.query(AuditLog)
+
+    # --- Visibility scope ---
+    if operator.role == "user":
+        # Own authenticated actions + anonymous failed-login attempts targeting this account
+        q = q.filter(
+            or_(
+                AuditLog.operator_id == operator.id,
+                and_(
+                    AuditLog.operator_id.is_(None),
+                    AuditLog.operator_username == operator.username,
+                    AuditLog.action == "auth.login",
+                    AuditLog.result == "failure",
+                ),
+            )
+        )
+    elif operator.role != "super_admin":
+        # admin: own actions + actions of users they manage (role="user")
+        # Also include anonymous records (operator_id IS NULL, e.g. failed logins)
+        managed_ids = [u.id for u in db.query(User.id).filter(User.role == "user").all()]
+        visible_ids = list({operator.id, *managed_ids})
+        q = q.filter(or_(AuditLog.operator_id.in_(visible_ids), AuditLog.operator_id.is_(None)))
+
+    # --- Filters ---
+    if action:
+        q = q.filter(AuditLog.action == action)
+    if operator_id is not None:
+        q = q.filter(AuditLog.operator_id == operator_id)
+    if operator_username:
+        q = q.filter(AuditLog.operator_username.ilike(f"%{operator_username}%"))
+    if target_type:
+        q = q.filter(AuditLog.target_type == target_type)
+    if target_id is not None:
+        q = q.filter(AuditLog.target_id == target_id)
+    if result:
+        q = q.filter(AuditLog.result == result)
+    if start_date:
+        q = q.filter(AuditLog.created_at >= start_date)
+    if end_date:
+        q = q.filter(AuditLog.created_at <= end_date)
+
+    total = q.count()
+    items = q.order_by(AuditLog.created_at.desc()).offset((page - 1) * limit).limit(limit).all()
+
+    return AuditLogsPage(total=total, items=[_to_out(i) for i in items])

lockbot-2.5.0/python/lockbot/backend/app/audit/service.py

@@ -0,0 +1,72 @@
+"""
+Audit log service — write_audit_log() helper.
+
+Failures are logged as warnings and never propagate to the caller,
+so audit recording never breaks the main business flow.
+"""
+
+import json
+import logging
+from types import SimpleNamespace
+from typing import Any
+
+from sqlalchemy.orm import Session
+
+from lockbot.backend.app.audit.models import AuditLog
+
+logger = logging.getLogger(__name__)
+
+
+def _anon_operator(username: str, role: str = "unknown") -> Any:
+    """Build a lightweight non-ORM operator for anonymous/failed operations."""
+    return SimpleNamespace(id=None, username=username, role=role)
+
+
+def write_audit_log(
+    db: Session,
+    operator: Any,
+    action: str,
+    *,
+    target_type: str | None = None,
+    target_id: int | None = None,
+    target_name: str | None = None,
+    detail: dict | str | None = None,
+    ip: str | None = None,
+    result: str = "success",
+) -> None:
+    """
+    Write one audit log entry.
+
+    :param db:           SQLAlchemy session (already open, caller commits).
+    :param operator:     Object with .id, .username, .role  (User ORM or SimpleNamespace).
+    :param action:       Dot-namespaced verb, e.g. "auth.login", "bot.start", "user.create".
+    :param target_type:  Optional resource type: "user" | "bot".
+    :param target_id:    Optional resource primary key.
+    :param target_name:  Optional denormalized resource name.
+    :param detail:       Optional dict or JSON string with extra context.
+    :param ip:           Client IP address (from request.client.host).
+    :param result:       "success" (default) or "failure".
+    """
+    try:
+        detail_str: str | None = None
+        if isinstance(detail, dict):
+            detail_str = json.dumps(detail, ensure_ascii=False)
+        elif isinstance(detail, str):
+            detail_str = detail
+
+        log = AuditLog(
+            operator_id=operator.id,
+            operator_username=operator.username,
+            operator_role=operator.role,
+            action=action,
+            target_type=target_type,
+            target_id=target_id,
+            target_name=target_name,
+            detail=detail_str,
+            ip_address=ip,
+            result=result,
+        )
+        db.add(log)
+        db.flush()  # Write within the same transaction as the main operation
+    except Exception:
+        logger.warning("Failed to write audit log for action=%s operator=%s", action, operator.username, exc_info=True)

{lockbot-2.3.3 → lockbot-2.5.0}/python/lockbot/backend/app/auth/router.py

@@ -6,11 +6,12 @@ import secrets
 import string
 
 import bcrypt as _bcrypt
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, status
 from sqlalchemy import or_
 from sqlalchemy.orm import Session
 
 import lockbot.backend.app.config as _config
+from lockbot.backend.app.audit.service import _anon_operator, write_audit_log
 from lockbot.backend.app.auth.dependencies import create_access_token, get_current_user
 from lockbot.backend.app.auth.models import User
 from lockbot.backend.app.auth.schemas import (
@@ -23,6 +24,7 @@ from lockbot.backend.app.auth.schemas import (
     UserRegister,
 )
 from lockbot.backend.app.database import get_db
+from lockbot.backend.app.rate_limit import limiter
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
@@ -50,7 +52,8 @@ def _generate_password(length: int = 12) -> str:
 
 
 @router.post("/register", response_model=UserOut, status_code=status.HTTP_201_CREATED)
-def register(body: UserRegister, db: Session = Depends(get_db)):
+@limiter.limit("5/minute")
+def register(request: Request, body: UserRegister, db: Session = Depends(get_db)):
     if not _config.ALLOW_REGISTER:
         raise HTTPException(status_code=403, detail="Registration is disabled. Contact admin.")
 
@@ -70,10 +73,24 @@ def register(body: UserRegister, db: Session = Depends(get_db)):
 
 
 @router.post("/login", response_model=TokenOut)
-def login(body: UserLogin, db: Session = Depends(get_db)):
+@limiter.limit("10/minute")
+def login(request: Request, body: UserLogin, db: Session = Depends(get_db)):
+    ip = request.client.host if request.client else None
     user = db.query(User).filter(User.username == body.username).first()
     if not user or not _verify_password(body.password, user.password_hash):
+        write_audit_log(
+            db,
+            _anon_operator(body.username),
+            "auth.login",
+            ip=ip,
+            result="failure",
+            detail={"reason": "invalid credentials"},
+        )
+        db.commit()
         raise HTTPException(status_code=401, detail="Invalid credentials")
+
+    write_audit_log(db, user, "auth.login", ip=ip)
+    db.commit()
     return TokenOut(
         access_token=create_access_token(user.id, user.effective_token_version, user.must_change_password),
         must_change_password=user.must_change_password,
@@ -87,6 +104,7 @@ def me(user: User = Depends(get_current_user)):
 
 @router.put("/change-password", response_model=TokenOut)
 def change_password(
+    request: Request,
     body: ChangePassword,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -97,6 +115,7 @@ def change_password(
         raise HTTPException(status_code=400, detail="Password must be at least 6 characters")
     user.password_hash = _hash_password(body.new_password)
     user.must_change_password = False
+    write_audit_log(db, user, "auth.change_password", ip=request.client.host if request.client else None)
     db.commit()
     return TokenOut(
         access_token=create_access_token(user.id, user.effective_token_version, False),
@@ -106,6 +125,7 @@ def change_password(
 
 @router.put("/force-change-password", response_model=TokenOut)
 def force_change_password(
+    request: Request,
     body: ForceChangePassword,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -118,6 +138,13 @@ def force_change_password(
         raise HTTPException(status_code=400, detail="Password must be at least 6 characters")
     user.password_hash = _hash_password(body.new_password)
     user.must_change_password = False
+    write_audit_log(
+        db,
+        user,
+        "auth.change_password",
+        ip=request.client.host if request.client else None,
+        detail={"type": "force_change"},
+    )
     db.commit()
     return TokenOut(
         access_token=create_access_token(user.id, user.effective_token_version, False),
@@ -127,6 +154,7 @@ def force_change_password(
 
 @router.put("/change-email", response_model=UserOut)
 def change_email(
+    request: Request,
     body: ChangeEmail,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -134,7 +162,15 @@ def change_email(
     exists = db.query(User).filter(User.email == body.new_email).filter(User.id != user.id).first()
     if exists:
         raise HTTPException(status_code=409, detail="Email already taken")
+    old_email = user.email
     user.email = body.new_email
+    write_audit_log(
+        db,
+        user,
+        "auth.change_email",
+        ip=request.client.host if request.client else None,
+        detail={"old_email": old_email, "new_email": body.new_email},
+    )
     db.commit()
     db.refresh(user)
     return user