backend/app/services/audit_log_service.py

# =============================================================================
# 企微IT智能服务台 — 审计日志服务
# =============================================================================
# 说明: 提供 audit_log 写入/查询的统一入口
# 用法:
#   from app.services.audit_log_service import record_audit_log
#   await record_audit_log(
#       db, employee_id="sxn", action="role_change",
#       resource="agent", resource_id="agent-001",
#       details={"role": "agent"}, request=request,
#   )
# =============================================================================

import logging
from datetime import datetime
from typing import Any, Dict, Optional

from fastapi import Request
from sqlalchemy import select, func, and_
from sqlalchemy.ext.asyncio import AsyncSession

from app.models.audit_log import AuditLog

logger = logging.getLogger(__name__)


async def record_audit_log(
    db: AsyncSession,
    employee_id: str,
    action: str,
    resource: str,
    resource_id: Optional[str] = None,
    details: Optional[Dict[str, Any]] = None,
    result: str = "success",
    request: Optional[Request] = None,
) -> AuditLog:
    """记录一条审计日志。

    Args:
        db: 数据库会话
        employee_id: 操作人企微 UserID,系统操作传 "system"
        action: 操作类型
        resource: 目标资源类型
        resource_id: 目标资源 ID(可选)
        details: 详细上下文 JSON(可选)
        result: success / failure / partial
        request: FastAPI Request(可选,自动取 IP + UA)

    Returns:
        AuditLog: 写入的日志对象
    """
    ip_address = None
    user_agent = None
    if request is not None:
        # 优先用 X-Forwarded-For / X-Real-IP(proxy 后面)
        ip_address = (
            request.headers.get("x-forwarded-for", "").split(",")[0].strip()
            or request.headers.get("x-real-ip")
            or (request.client.host if request.client else None)
        )
        user_agent = request.headers.get("user-agent")

    log = AuditLog(
        employee_id=employee_id,
        action=action,
        resource=resource,
        resource_id=resource_id,
        details=details or {},
        result=result,
        ip_address=ip_address,
        user_agent=user_agent,
        created_at=datetime.now(),
    )
    db.add(log)
    # 注:不 commit,让调用方跟主操作一起 commit(避免日志写一半就回滚)
    return log


async def list_audit_logs(
    db: AsyncSession,
    employee_id: Optional[str] = None,
    action: Optional[str] = None,
    resource: Optional[str] = None,
    from_time: Optional[datetime] = None,
    to_time: Optional[datetime] = None,
    page: int = 1,
    page_size: int = 50,
) -> Dict[str, Any]:
    """查询审计日志(分页 + 多维过滤)。

    Args:
        db: 数据库会话
        employee_id: 按操作人过滤(可选)
        action: 按操作类型过滤(可选)
        resource: 按资源类型过滤(可选)
        from_time: 起始时间(可选)
        to_time: 结束时间(可选)
        page: 页码,从 1 开始
        page_size: 每页条数,默认 50

    Returns:
        Dict: {items: [...], total: int, page, page_size}
    """
    stmt = select(AuditLog)
    conditions = []
    if employee_id:
        conditions.append(AuditLog.employee_id == employee_id)
    if action:
        conditions.append(AuditLog.action == action)
    if resource:
        conditions.append(AuditLog.resource == resource)
    if from_time:
        conditions.append(AuditLog.created_at >= from_time)
    if to_time:
        conditions.append(AuditLog.created_at <= to_time)
    if conditions:
        stmt = stmt.where(and_(*conditions))

    # 倒序 + 分页
    stmt = stmt.order_by(AuditLog.created_at.desc())
    stmt = stmt.offset((page - 1) * page_size).limit(page_size)

    result = await db.execute(stmt)
    items = result.scalars().all()

    # 总数
    count_stmt = select(func.count()).select_from(AuditLog)
    if conditions:
        count_stmt = count_stmt.where(and_(*conditions))
    total = (await db.execute(count_stmt)).scalar() or 0

    return {
        "items": items,
        "total": total,
        "page": page,
        "page_size": page_size,
    }
feat(v0.7.1): P0 修复 + 企微 SSO + RBAC 细粒度 + audit_log 2026-06-22 17:38:47 +08:00			`# =============================================================================`
			`# 企微IT智能服务台 — 审计日志服务`
			`# =============================================================================`
			`# 说明: 提供 audit_log 写入/查询的统一入口`
			`# 用法:`
			`# from app.services.audit_log_service import record_audit_log`
			`# await record_audit_log(`
			`# db, employee_id="sxn", action="role_change",`
			`# resource="agent", resource_id="agent-001",`
			`# details={"role": "agent"}, request=request,`
			`# )`
			`# =============================================================================`

			`import logging`
			`from datetime import datetime`
			`from typing import Any, Dict, Optional`

			`from fastapi import Request`
			`from sqlalchemy import select, func, and_`
			`from sqlalchemy.ext.asyncio import AsyncSession`

			`from app.models.audit_log import AuditLog`

			`logger = logging.getLogger(__name__)`


			`async def record_audit_log(`
			`db: AsyncSession,`
			`employee_id: str,`
			`action: str,`
			`resource: str,`
			`resource_id: Optional[str] = None,`
			`details: Optional[Dict[str, Any]] = None,`
			`result: str = "success",`
			`request: Optional[Request] = None,`
			`) -> AuditLog:`
			`"""记录一条审计日志。`

			`Args:`
			`db: 数据库会话`
			`employee_id: 操作人企微 UserID,系统操作传 "system"`
			`action: 操作类型`
			`resource: 目标资源类型`
			`resource_id: 目标资源 ID(可选)`
			`details: 详细上下文 JSON(可选)`
			`result: success / failure / partial`
			`request: FastAPI Request(可选,自动取 IP + UA)`

			`Returns:`
			`AuditLog: 写入的日志对象`
			`"""`
			`ip_address = None`
			`user_agent = None`
			`if request is not None:`
			`# 优先用 X-Forwarded-For / X-Real-IP(proxy 后面)`
			`ip_address = (`
			`request.headers.get("x-forwarded-for", "").split(",")[0].strip()`
			`or request.headers.get("x-real-ip")`
			`or (request.client.host if request.client else None)`
			`)`
			`user_agent = request.headers.get("user-agent")`

			`log = AuditLog(`
			`employee_id=employee_id,`
			`action=action,`
			`resource=resource,`
			`resource_id=resource_id,`
			`details=details or {},`
			`result=result,`
			`ip_address=ip_address,`
			`user_agent=user_agent,`
			`created_at=datetime.now(),`
			`)`
			`db.add(log)`
			`# 注:不 commit,让调用方跟主操作一起 commit(避免日志写一半就回滚)`
			`return log`


			`async def list_audit_logs(`
			`db: AsyncSession,`
			`employee_id: Optional[str] = None,`
			`action: Optional[str] = None,`
			`resource: Optional[str] = None,`
			`from_time: Optional[datetime] = None,`
			`to_time: Optional[datetime] = None,`
			`page: int = 1,`
			`page_size: int = 50,`
			`) -> Dict[str, Any]:`
			`"""查询审计日志(分页 + 多维过滤)。`

			`Args:`
			`db: 数据库会话`
			`employee_id: 按操作人过滤(可选)`
			`action: 按操作类型过滤(可选)`
			`resource: 按资源类型过滤(可选)`
			`from_time: 起始时间(可选)`
			`to_time: 结束时间(可选)`
			`page: 页码,从 1 开始`
			`page_size: 每页条数,默认 50`

			`Returns:`
			`Dict: {items: [...], total: int, page, page_size}`
			`"""`
			`stmt = select(AuditLog)`
			`conditions = []`
			`if employee_id:`
			`conditions.append(AuditLog.employee_id == employee_id)`
			`if action:`
			`conditions.append(AuditLog.action == action)`
			`if resource:`
			`conditions.append(AuditLog.resource == resource)`
			`if from_time:`
			`conditions.append(AuditLog.created_at >= from_time)`
			`if to_time:`
			`conditions.append(AuditLog.created_at <= to_time)`
			`if conditions:`
			`stmt = stmt.where(and_(*conditions))`

			`# 倒序 + 分页`
			`stmt = stmt.order_by(AuditLog.created_at.desc())`
			`stmt = stmt.offset((page - 1) * page_size).limit(page_size)`

			`result = await db.execute(stmt)`
			`items = result.scalars().all()`

			`# 总数`
			`count_stmt = select(func.count()).select_from(AuditLog)`
			`if conditions:`
			`count_stmt = count_stmt.where(and_(*conditions))`
			`total = (await db.execute(count_stmt)).scalar() or 0`

			`return {`
			`"items": items,`
			`"total": total,`
			`"page": page,`
			`"page_size": page_size,`
			`}`