freedak/InternalAuditInterprise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: InternalAuditInterprise

Browse Source
This commit is contained in:
freedakgmail
2026-06-16 00:38:57 +08:00
commit 7b1e2b10a8
57 changed files with 4622 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/audit/__init__.py
+1
View File
@@ -0,0 +1 @@
"""系统自审计模块:不可篡改操作日志、独立性与分权(R19)。"""
backend/app/audit/models.py
+50
View File
@@ -0,0 +1,50 @@
"""系统自审计 ORM 模型:不可篡改操作日志(R19)。
每条日志含哈希链(prev_hash + 内容 → entry_hash),任何篡改都会断链,可检测。
"""
from __future__ import annotations
import datetime as dt
import uuid
from sqlalchemy import BigInteger, DateTime, Identity, Index, String
from sqlalchemy.dialects.postgresql import JSONB, UUID
from sqlalchemy.orm import Mapped, mapped_column
from app.db import Base
def _uuid() -> uuid.UUID:
return uuid.uuid4()
def _now() -> dt.datetime:
return dt.datetime.now(dt.UTC)
class AuditLog(Base):
"""不可篡改审计轨迹。仅追加,不可更新/删除(应用层与制度共同保证)。"""
__tablename__ = "audit_log"
__table_args__ = (
Index("ix_audit_actor", "actor"),
Index("ix_audit_action", "action"),
Index("ix_audit_seq", "seq", unique=True),
)
id: Mapped[uuid.UUID] = mapped_column(UUID(as_uuid=True), primary_key=True, default=_uuid)
# 自增序号,构成哈希链顺序
seq: Mapped[int] = mapped_column(
BigInteger, Identity(always=False), nullable=False, unique=True
)
actor: Mapped[str] = mapped_column(String(64), nullable=False)
role: Mapped[str | None] = mapped_column(String(32), nullable=True)
action: Mapped[str] = mapped_column(String(64), nullable=False) # 如 rule.update/clue.assign
target_type: Mapped[str | None] = mapped_column(String(64), nullable=True)
target_id: Mapped[str | None] = mapped_column(String(128), nullable=True)
detail: Mapped[dict] = mapped_column(JSONB, default=dict)
created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=_now)
prev_hash: Mapped[str | None] = mapped_column(String(64), nullable=True)
entry_hash: Mapped[str] = mapped_column(String(64), nullable=False)
backend/app/audit/rbac.py
+78
View File
@@ -0,0 +1,78 @@
"""RBAC 权限与独立性约束(R19、PRD §6 权限矩阵)。
核心独立性规则(硬约束):
- 任何角色都不能删除线索(DELETE_CLUE 不授予任何角色;数据库触发器再兜底)。
- 业务方(business)对系统无任何写权限。
- 配规则/改阈值/看线索/出报告分权制衡。
"""
from __future__ import annotations
import enum
class Role(str, enum.Enum):
AUDITOR = "auditor" # 审计员
AUDIT_MANAGER = "audit_manager" # 审计主管
RULE_ADMIN = "rule_admin" # 规则管理员
SYS_ADMIN = "sys_admin" # 系统管理员
SYS_AUDITOR = "sys_auditor" # 系统审计员(独立监督)
BUSINESS = "business" # 被审计业务方(无写权限)
class Permission(str, enum.Enum):
QUERY = "query" # 自然语言查询
VIEW_CLUE = "view_clue" # 查看线索
ADJUDICATE_CLUE = "adjudicate_clue" # 研判/定性线索
ASSIGN_CLUE = "assign_clue" # 分派线索
DELETE_CLUE = "delete_clue" # 删除线索(禁止授予任何人)
CONFIG_RULE = "config_rule" # 配置规则
ADJUST_THRESHOLD = "adjust_threshold" # 调整阈值
ISSUE_REPORT = "issue_report" # 出具报告
DATA_INGEST = "data_ingest" # 数据接入配置
VIEW_AUDIT_TRAIL = "view_audit_trail" # 查看自审计轨迹
MODEL_DEPLOY = "model_deploy" # 模型部署/升级
# 角色 -> 权限集合。注意:DELETE_CLUE 不出现在任何角色中(线索不可删,R19)。
ROLE_PERMISSIONS: dict[Role, set[Permission]] = {
Role.AUDITOR: {
Permission.QUERY,
Permission.VIEW_CLUE,
Permission.ADJUDICATE_CLUE,
Permission.ISSUE_REPORT,
},
Role.AUDIT_MANAGER: {
Permission.QUERY,
Permission.VIEW_CLUE,
Permission.ADJUDICATE_CLUE,
Permission.ASSIGN_CLUE,
Permission.ISSUE_REPORT,
},
Role.RULE_ADMIN: {
Permission.QUERY,
Permission.VIEW_CLUE,
Permission.CONFIG_RULE,
Permission.ADJUST_THRESHOLD,
},
Role.SYS_ADMIN: {
Permission.DATA_INGEST,
Permission.MODEL_DEPLOY,
},
Role.SYS_AUDITOR: {
Permission.QUERY,
Permission.VIEW_CLUE,
Permission.VIEW_AUDIT_TRAIL,
Permission.ISSUE_REPORT,
},
Role.BUSINESS: set(), # 业务方无任何权限
}
def has_permission(role: Role, perm: Permission) -> bool:
return perm in ROLE_PERMISSIONS.get(role, set())
def can_delete_clue(role: Role) -> bool:
"""线索不可删除——对所有角色恒为 False(独立性硬约束)。"""
return False
backend/app/audit/service.py
+81
View File
@@ -0,0 +1,81 @@
"""系统自审计服务:写入哈希链审计日志、校验完整性(R19)。"""
from __future__ import annotations
import hashlib
import json
from sqlalchemy import select
from sqlalchemy.orm import Session
from app.audit.models import AuditLog
def _compute_hash(prev_hash: str | None, payload: dict) -> str:
body = json.dumps(payload, sort_keys=True, ensure_ascii=False, default=str)
raw = f"{prev_hash or ''}|{body}"
return hashlib.sha256(raw.encode("utf-8")).hexdigest()
def record(
session: Session,
actor: str,
action: str,
*,
role: str | None = None,
target_type: str | None = None,
target_id: str | None = None,
detail: dict | None = None,
) -> AuditLog:
"""追加一条审计日志,自动接续哈希链。"""
last = session.execute(
select(AuditLog).order_by(AuditLog.seq.desc()).limit(1)
).scalar_one_or_none()
prev_hash = last.entry_hash if last else None
payload = {
"actor": actor,
"role": role,
"action": action,
"target_type": target_type,
"target_id": target_id,
"detail": detail or {},
}
entry_hash = _compute_hash(prev_hash, payload)
log = AuditLog(
actor=actor,
role=role,
action=action,
target_type=target_type,
target_id=target_id,
detail=detail or {},
prev_hash=prev_hash,
entry_hash=entry_hash,
)
session.add(log)
session.flush()
return log
def verify_chain(session: Session) -> tuple[bool, int | None]:
"""校验审计日志哈希链完整性。
返回 (是否完整, 首个断链的 seq 或 None)。
"""
rows = session.execute(select(AuditLog).order_by(AuditLog.seq.asc())).scalars().all()
prev_hash: str | None = None
for row in rows:
payload = {
"actor": row.actor,
"role": row.role,
"action": row.action,
"target_type": row.target_type,
"target_id": row.target_id,
"detail": row.detail or {},
}
expected = _compute_hash(prev_hash, payload)
if expected != row.entry_hash or row.prev_hash != prev_hash:
return False, row.seq
prev_hash = row.entry_hash
return True, None