Skip to content

Commit 347142c

Browse files
committed
Fixes #1830 Merge 1.3.2-rc.1 into develop for audit-manager
Signed-off-by: GOKULRAJ136 <110164849+GOKULRAJ136@users.noreply.github.com>
1 parent dc32a7b commit 347142c

13 files changed

Lines changed: 222 additions & 105 deletions

File tree

.github/workflows/push-trigger.yml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@ on:
1919
- 'develop*'
2020
- 'master'
2121
- '1.*'
22+
- 'release*'
2223

2324
jobs:
2425
build-maven-audit-manager:
@@ -55,15 +56,13 @@ jobs:
5556
- SERVICE_LOCATION: 'kernel/kernel-auditmanager-service'
5657
SERVICE_NAME: 'kernel-auditmanager-service'
5758
BUILD_ARTIFACT: 'kernel-auditmanager-service'
58-
SQUASH_LAYERS: '4'
5959
fail-fast: false
6060
name: ${{ matrix.SERVICE_NAME }}
6161
uses: mosip/kattu/.github/workflows/docker-build.yml@master-java21
6262
with:
6363
SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }}
6464
SERVICE_NAME: ${{ matrix.SERVICE_NAME }}
6565
BUILD_ARTIFACT: ${{ matrix.BUILD_ARTIFACT }}
66-
SQUASH_LAYERS: ${{ matrix.SQUASH_LAYERS }}
6766
secrets:
6867
DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
6968
ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}

AGENTS.md

Lines changed: 122 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,122 @@
1+
# AGENTS.md
2+
3+
This file provides guidance to AI agents when working with code in this repository.
4+
5+
## What This Service Does
6+
7+
`audit-manager` is a MOSIP kernel microservice that provides a centralised, tamper-evident audit trail for the entire MOSIP identity platform. Every other MOSIP service (Registration Processor, ID Authentication, Resident Services, Pre-Registration, etc.) calls this service's single POST endpoint to persist an audit event. The service performs no business logic beyond validating the incoming record and writing it to the `audit.app_audit_log` PostgreSQL table.
8+
9+
## Build & Test Commands
10+
11+
All Maven commands must be run from the `kernel/` directory (the Maven multi-module root).
12+
13+
```bash
14+
# Full build, skip tests and GPG signing (standard dev build)
15+
cd kernel && mvn install -DskipTests=true -Dmaven.javadoc.skip=true -Dgpg.skip=true
16+
17+
# Build and run all tests
18+
cd kernel && mvn install -Dmaven.javadoc.skip=true -Dgpg.skip=true
19+
20+
# Run tests for a single module
21+
cd kernel && mvn test -pl kernel-auditmanager-service -Dgpg.skip=true
22+
23+
# Run a single test class
24+
cd kernel && mvn test -pl kernel-auditmanager-service -Dtest=AuditServiceTest -Dgpg.skip=true
25+
26+
# Generate OpenAPI JSON (starts service on port 8090, generates JSON, then stops)
27+
cd kernel && mvn verify -pl kernel-auditmanager-service -P openapi-doc-generate-profile -Dgpg.skip=true
28+
29+
# SonarQube analysis
30+
cd kernel && mvn verify -P sonar -Dsonar.login=<token> -Dgpg.skip=true
31+
```
32+
33+
Tests use H2 in-memory with schema `AUDIT` auto-created at startup. No external dependencies needed to run tests.
34+
35+
## Module Structure
36+
37+
The project is a two-module Maven build under `kernel/`:
38+
39+
| Module | Purpose |
40+
|--------|---------|
41+
| `kernel-auditmanager-api` | Shared library: JPA entity, repository, request DTO, validation logic (`AuditUtils`), `AuditHandlerImpl`, and builder |
42+
| `kernel-auditmanager-service` | Runnable Spring Boot service: REST controller, service layer, auth wiring, exception handler, Swagger config |
43+
44+
`kernel-auditmanager-service` depends on `kernel-auditmanager-api` as a runtime dependency. External MOSIP services that want to log audits programmatically (not via HTTP) can embed `kernel-auditmanager-api` as a library dependency.
45+
46+
## Request Flow
47+
48+
```
49+
POST /v1/auditmanager/audits
50+
→ AuditManagerController (service module)
51+
→ AuditManagerServiceImpl (service module)
52+
→ AuditHandlerImpl.addAudit() (api module)
53+
→ AuditUtils.validateAudit() (validates all fields, throws KER-AUD-001 on failure)
54+
→ AuditRepository.save() (JPA → audit.app_audit_log)
55+
← ResponseWrapper<AuditResponseDto> { status: true }
56+
```
57+
58+
The controller wraps requests in MOSIP's `RequestWrapper<AuditRequestDto>` and responses in `ResponseWrapper<AuditResponseDto>`. The response body's `status` field is always `true` on success.
59+
60+
## Database
61+
62+
- **Schema / table:** `audit.app_audit_log`
63+
- **Primary key:** `log_id` (UUID, auto-generated)
64+
- **DDL strategy:** `spring.jpa.hibernate.ddl-auto=none` — schema is managed by scripts in `db_scripts/mosip_audit/` and upgrade scripts in `db_upgrade_scripts/`
65+
- **Production:** PostgreSQL; connection URL injected via `${audit_database_url}` at runtime from Spring Cloud Config
66+
- **Local dev:** H2 in-memory (`application-local.properties`); H2 console available at `/admin/h2-console/`
67+
- **Tests:** H2 in-memory, schema auto-created via `INIT=CREATE SCHEMA IF NOT EXISTS AUDIT` in the JDBC URL; `schema.sql` in main resources initialises the table for local/dev profiles
68+
69+
## Configuration & Profiles
70+
71+
Spring Cloud Config is the source of truth for production config (external `mosip-config` repo, files `application-default.properties` and `kernel-default.properties`). The service name is `kernel-auditmanager-service`.
72+
73+
Local profiles in `kernel/kernel-auditmanager-service/src/main/resources/`:
74+
75+
| Profile | DB | Config server |
76+
|---------|-----|---------------|
77+
| `dev` | PostgreSQL at `dev.mosip.net:30090` | disabled (`spring.cloud.config.enabled=false`) |
78+
| `local` | H2 in-memory | disabled |
79+
80+
Active profile is set in `bootstrap.properties` (`spring.profiles.active=dev`) or overridden at runtime via the `active_profile_env` Docker env var.
81+
82+
## Authentication & Authorisation
83+
84+
The service uses `kernel-auth-adapter` (loaded at runtime via `iam_adapter_url_env` in Docker) to validate MOSIP Bearer tokens. The adapter is added to the classpath via `-Dloader.path`.
85+
86+
Roles permitted to call `POST /audits` are configured via:
87+
```properties
88+
mosip.role.auditmanager.postaudits=INDIVIDUAL,REGISTRATION_ADMIN,REGISTRATION_ADMIN_GENERAL,REGISTRATION_ADMIN_ALL_INDIVIDUAL
89+
```
90+
These roles are bound in `AuthorizedRolesDTO` and injected into the security config.
91+
92+
## Docker & Deployment
93+
94+
The container runs as user `mosip` (UID 1001) on port `8081`. The servlet context path is `/v1/auditmanager`.
95+
96+
Runtime environment variables expected by the container:
97+
98+
| Variable | Purpose |
99+
|----------|---------|
100+
| `active_profile_env` | Spring active profile |
101+
| `spring_config_label_env` | Git branch for Spring Cloud Config |
102+
| `spring_config_url_env` | Spring Cloud Config server URL |
103+
| `iam_adapter_url_env` | URL to download `kernel-auth-adapter.jar` |
104+
| `loader_path_env` | Directory for additional JARs (auth adapter) |
105+
106+
JVM flags are hardcoded in the Dockerfile `CMD`: ZGC with generational mode (`-XX:+UseZGC -XX:+ZGenerational`). Additional JVM tuning is provided via the Helm value `additionalResources.javaOpts` (passed as `JDK_JAVA_OPTIONS`) with a full ZGC tuning profile (heap `-Xms1875m -Xmx3200m`, metaspace limits, GC thread counts, etc.) — see `helm/auditmanager/values.yaml`.
107+
108+
Helm chart is in `helm/auditmanager/`. Install via `deploy/install.sh [kubeconfig]` which deploys into the `kernel` namespace with Istio injection enabled. Chart version for develop is `0.0.1-develop`.
109+
110+
## CI/CD
111+
112+
GitHub Actions (`.github/workflows/push-trigger.yml`) uses reusable workflows from `mosip/kattu@master-java21`:
113+
1. **build-maven-audit-manager** — Maven build at `./kernel/`
114+
2. **publish_to_nexus** — publishes SNAPSHOT artifacts (skipped on master, PRs, and releases)
115+
3. **build-dockers** — builds and pushes `mosipqa/kernel-auditmanager-service` image
116+
4. **sonar_analysis** — SonarQube analysis via sonarcloud.io (skipped on PRs)
117+
118+
Triggers: pushes to `MOSIP*`, `develop*`, `master`, `1.*`, `release*` branches.
119+
120+
## Version Management
121+
122+
The project version follows `kernel/pom.xml`. All three pom files (`kernel/pom.xml`, `kernel-auditmanager-api/pom.xml`, `kernel-auditmanager-service/pom.xml`) must carry the same version. Internal dependency version properties (`kernel.core.version`, `kernel.audit-api.version`, etc.) are also kept in sync. When bumping versions, update all occurrences of the SNAPSHOT string across all three files.

THIRD-PARTY-NOTICES

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -105,4 +105,3 @@ Homepage: https://projects.eclipse.org/projects/ee4j.servlet
105105
================================================================================
106106

107107
Full license texts and additional details for each of the above packages are available in the license/ directory of this repository. Please refer to those files or the original source of each package for complete legal terms and conditions.
108-
Footer

api-docs/Audit-Manager-Controller.yml

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,31 @@ paths:
2626
application/json:
2727
schema:
2828
"$ref": "#/components/schemas/RequestWrapperAuditRequestDto"
29+
examples:
30+
AuditExmaple:
31+
summary: Example audit request
32+
value:
33+
id: "REQ-001"
34+
version: "1.0"
35+
requesttime: "2025-07-06T10:45:00Z"
36+
metadata: {}
37+
request:
38+
eventId: "EVT-20230704-001"
39+
eventName: "UserLogin"
40+
eventType: "Authentication"
41+
actionTimeStamp: "2025-07-06T10:45:00Z"
42+
hostName: "auth-server-1"
43+
hostIp: "192.168.1.100"
44+
applicationId: "APP-001"
45+
applicationName: "IdentityManagement"
46+
sessionUserId: "USR-001"
47+
sessionUserName: "johndoe"
48+
id: "ENTITY-001"
49+
idType: "USER_ID"
50+
createdBy: "system"
51+
moduleName: "LoginModule"
52+
53+
2954
required: true
3055
responses:
3156
'200':
@@ -34,6 +59,17 @@ paths:
3459
application/json:
3560
schema:
3661
"$ref": "#/components/schemas/ResponseWrapperAuditResponseDto"
62+
examples:
63+
AuditSuccessResponse:
64+
summary: Succesful audit record creation
65+
value:
66+
id: "RESP-001"
67+
version: "1.0"
68+
responsetime: "2025-07-06T10:45:30Z"
69+
metadata: {}
70+
response:
71+
status: true
72+
errors: []
3773
'401':
3874
description: Unauthorized
3975
'403':
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
\echo 'Rollback Queries not required for transition from $CURRENT_VERSION to $UPGRADE_VERSION'
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
\echo 'Upgrade Queries not required for transition from $CURRENT_VERSION to $UPGRADE_VERSION'

helm/auditmanager/.gitignore

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
charts/
2-
Chart.lock
2+
Charts.lock

0 commit comments

Comments
 (0)