freedakgmail
51 lines
1.8 KiB
Python
51 lines
1.8 KiB
Python
"""系统自审计 ORM 模型:不可篡改操作日志(R19)。
|
|
|
|
每条日志含哈希链(prev_hash + 内容 → entry_hash),任何篡改都会断链,可检测。
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import datetime as dt
|
|
import uuid
|
|
|
|
from sqlalchemy import BigInteger, DateTime, Identity, Index, String
|
|
from sqlalchemy.dialects.postgresql import JSONB, UUID
|
|
from sqlalchemy.orm import Mapped, mapped_column
|
|
|
|
from app.db import Base
|
|
|
|
|
|
def _uuid() -> uuid.UUID:
|
|
return uuid.uuid4()
|
|
|
|
|
|
def _now() -> dt.datetime:
|
|
return dt.datetime.now(dt.UTC)
|
|
|
|
|
|
class AuditLog(Base):
|
|
"""不可篡改审计轨迹。仅追加,不可更新/删除(应用层与制度共同保证)。"""
|
|
|
|
__tablename__ = "audit_log"
|
|
__table_args__ = (
|
|
Index("ix_audit_actor", "actor"),
|
|
Index("ix_audit_action", "action"),
|
|
Index("ix_audit_seq", "seq", unique=True),
|
|
)
|
|
|
|
id: Mapped[uuid.UUID] = mapped_column(UUID(as_uuid=True), primary_key=True, default=_uuid)
|
|
# 自增序号,构成哈希链顺序
|
|
seq: Mapped[int] = mapped_column(
|
|
BigInteger, Identity(always=False), nullable=False, unique=True
|
|
)
|
|
actor: Mapped[str] = mapped_column(String(64), nullable=False)
|
|
role: Mapped[str | None] = mapped_column(String(32), nullable=True)
|
|
action: Mapped[str] = mapped_column(String(64), nullable=False) # 如 rule.update/clue.assign
|
|
target_type: Mapped[str | None] = mapped_column(String(64), nullable=True)
|
|
target_id: Mapped[str | None] = mapped_column(String(128), nullable=True)
|
|
detail: Mapped[dict] = mapped_column(JSONB, default=dict)
|
|
created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=_now)
|
|
|
|
prev_hash: Mapped[str | None] = mapped_column(String(64), nullable=True)
|
|
entry_hash: Mapped[str] = mapped_column(String(64), nullable=False)
|