feat(siteruntime): ExternalSystem.Call emits Audit Log #23 event on every sync call
Wraps IExternalSystemClient.CallAsync inside ScriptRuntimeContext's
ExternalSystemHelper so every script-initiated ExternalSystem.Call
produces exactly one ApiOutbound/ApiCall AuditEvent via IAuditWriter.
- Captures duration with Stopwatch.GetTimestamp() around the call.
- Builds the audit event with full provenance (SiteId, InstanceId,
SourceScript) and a fresh EventId; ForwardState=Pending.
- Maps Success → AuditStatus.Delivered, Failure (or thrown) → Failed;
parses HTTP {code} out of the ExternalSystemClient's error message
to populate HttpStatus.
- Audit emission is fully best-effort: event-build failures, sync
WriteAsync throws, AND async WriteAsync faults are all logged at
Warning and swallowed so the script's call path is never aborted
by an audit-write failure (alog.md §7).
- Original ExternalCallResult or original exception flows back to the
caller unchanged.
ScriptExecutionActor resolves IAuditWriter from DI and threads it
into ScriptRuntimeContext alongside the existing site identity.
Adds ExternalSystemCallAuditEmissionTests covering: success →
Delivered, HTTP 500 → Failed+httpStatus, HTTP 400 → Failed+httpStatus,
client-thrown network exception → Failed with original exception
re-thrown, audit-writer throw → original result returned, provenance
populated from context, DurationMs recorded.
Refs Audit Log #23 M2 Bundle F.
This commit is contained in:
Joseph Doherty
@@ -1,6 +1,9 @@
|
||||
using System.Diagnostics;
|
||||
using System.Text.Json;
|
||||
using System.Text.RegularExpressions;
|
||||
using Akka.Actor;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using ScadaLink.Commons.Entities.Audit;
|
||||
using ScadaLink.Commons.Interfaces.Services;
|
||||
using ScadaLink.Commons.Messages.Instance;
|
||||
using ScadaLink.Commons.Messages.Notification;
|
||||
@@ -75,6 +78,13 @@ public class ScriptRuntimeContext
|
||||
/// </summary>
|
||||
private readonly string? _sourceScript;
|
||||
|
||||
/// <summary>
|
||||
/// Audit Log #23: best-effort emitter for boundary-crossing actions executed
|
||||
/// by the script. Optional — when null the helpers degrade to a no-op audit
|
||||
/// path so tests / contexts that do not need the audit pipeline still work.
|
||||
/// </summary>
|
||||
private readonly IAuditWriter? _auditWriter;
|
||||
|
||||
public ScriptRuntimeContext(
|
||||
IActorRef instanceActor,
|
||||
IActorRef self,
|
||||
@@ -89,7 +99,8 @@ public class ScriptRuntimeContext
|
||||
StoreAndForwardService? storeAndForward = null,
|
||||
ICanTell? siteCommunicationActor = null,
|
||||
string siteId = "",
|
||||
string? sourceScript = null)
|
||||
string? sourceScript = null,
|
||||
IAuditWriter? auditWriter = null)
|
||||
{
|
||||
_instanceActor = instanceActor;
|
||||
_self = self;
|
||||
@@ -105,6 +116,7 @@ public class ScriptRuntimeContext
|
||||
_siteCommunicationActor = siteCommunicationActor;
|
||||
_siteId = siteId;
|
||||
_sourceScript = sourceScript;
|
||||
_auditWriter = auditWriter;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
@@ -204,7 +216,8 @@ public class ScriptRuntimeContext
|
||||
/// ExternalSystem.Call("systemName", "methodName", params)
|
||||
/// ExternalSystem.CachedCall("systemName", "methodName", params)
|
||||
/// </summary>
|
||||
public ExternalSystemHelper ExternalSystem => new(_externalSystemClient, _instanceName, _logger);
|
||||
public ExternalSystemHelper ExternalSystem => new(
|
||||
_externalSystemClient, _instanceName, _logger, _auditWriter, _siteId, _sourceScript);
|
||||
|
||||
/// <summary>
|
||||
/// WP-13: Provides access to database operations.
|
||||
@@ -275,17 +288,41 @@ public class ScriptRuntimeContext
|
||||
/// <summary>
|
||||
/// WP-13: Helper for ExternalSystem.Call/CachedCall syntax.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// Audit Log #23 (M2 Bundle F): every <see cref="Call"/> invocation emits
|
||||
/// one <c>ApiOutbound</c>/<c>ApiCall</c> audit row via <see cref="IAuditWriter"/>.
|
||||
/// The audit emission is wrapped in a try/catch that swallows every exception
|
||||
/// — the audit pipeline is best-effort and must NEVER abort the script's
|
||||
/// outbound call (alog.md §7). The original <see cref="ExternalCallResult"/>
|
||||
/// (or the original thrown exception) flows back to the caller unchanged.
|
||||
/// </remarks>
|
||||
public class ExternalSystemHelper
|
||||
{
|
||||
private static readonly Regex HttpStatusRegex = new(
|
||||
@"HTTP\s+(?<code>\d{3})",
|
||||
RegexOptions.Compiled | RegexOptions.CultureInvariant);
|
||||
|
||||
private readonly IExternalSystemClient? _client;
|
||||
private readonly string _instanceName;
|
||||
private readonly ILogger _logger;
|
||||
private readonly IAuditWriter? _auditWriter;
|
||||
private readonly string _siteId;
|
||||
private readonly string? _sourceScript;
|
||||
|
||||
internal ExternalSystemHelper(IExternalSystemClient? client, string instanceName, ILogger logger)
|
||||
internal ExternalSystemHelper(
|
||||
IExternalSystemClient? client,
|
||||
string instanceName,
|
||||
ILogger logger,
|
||||
IAuditWriter? auditWriter = null,
|
||||
string siteId = "",
|
||||
string? sourceScript = null)
|
||||
{
|
||||
_client = client;
|
||||
_instanceName = instanceName;
|
||||
_logger = logger;
|
||||
_auditWriter = auditWriter;
|
||||
_siteId = siteId;
|
||||
_sourceScript = sourceScript;
|
||||
}
|
||||
|
||||
public async Task<ExternalCallResult> Call(
|
||||
@@ -297,7 +334,31 @@ public class ScriptRuntimeContext
|
||||
if (_client == null)
|
||||
throw new InvalidOperationException("External system client not available");
|
||||
|
||||
return await _client.CallAsync(systemName, methodName, parameters, cancellationToken);
|
||||
// Audit Log #23 (M2 Bundle F): wrap the outbound call so every
|
||||
// attempt emits exactly one ApiOutbound/ApiCall row. The wrapper
|
||||
// mirrors the existing call-site behaviour — the original result
|
||||
// OR original exception flows back to the script untouched; the
|
||||
// audit emission is best-effort.
|
||||
var occurredAtUtc = DateTime.UtcNow;
|
||||
var startTicks = Stopwatch.GetTimestamp();
|
||||
ExternalCallResult? result = null;
|
||||
Exception? thrown = null;
|
||||
try
|
||||
{
|
||||
result = await _client.CallAsync(systemName, methodName, parameters, cancellationToken);
|
||||
return result;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
thrown = ex;
|
||||
throw;
|
||||
}
|
||||
finally
|
||||
{
|
||||
var elapsedMs = (int)((Stopwatch.GetTimestamp() - startTicks)
|
||||
* 1000d / Stopwatch.Frequency);
|
||||
EmitCallAudit(systemName, methodName, occurredAtUtc, elapsedMs, result, thrown);
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<ExternalCallResult> CachedCall(
|
||||
@@ -311,6 +372,145 @@ public class ScriptRuntimeContext
|
||||
|
||||
return await _client.CachedCallAsync(systemName, methodName, parameters, _instanceName, cancellationToken);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Best-effort emission of one <c>ApiOutbound</c>/<c>ApiCall</c> audit
|
||||
/// row. Any exception thrown by the writer is logged and swallowed —
|
||||
/// audit-write failures must never abort the user-facing action.
|
||||
/// </summary>
|
||||
private void EmitCallAudit(
|
||||
string systemName,
|
||||
string methodName,
|
||||
DateTime occurredAtUtc,
|
||||
int durationMs,
|
||||
ExternalCallResult? result,
|
||||
Exception? thrown)
|
||||
{
|
||||
if (_auditWriter == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
AuditEvent evt;
|
||||
try
|
||||
{
|
||||
evt = BuildCallAuditEvent(systemName, methodName, occurredAtUtc, durationMs, result, thrown);
|
||||
}
|
||||
catch (Exception buildEx)
|
||||
{
|
||||
// Building the event itself must never propagate. This is a
|
||||
// defensive guard — populating a record from already-validated
|
||||
// values shouldn't throw, but we honour the alog.md §7
|
||||
// best-effort contract regardless.
|
||||
_logger.LogWarning(buildEx,
|
||||
"Failed to build Audit Log #23 event for {System}.{Method} — skipping emission",
|
||||
systemName, methodName);
|
||||
return;
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
// Fire-and-forget so we never block the script on the audit
|
||||
// writer; the writer itself is responsible for fast, durable
|
||||
// enqueue (site SQLite hot-path). We DO observe failures via
|
||||
// ContinueWith so a thrown writer is logged rather than going
|
||||
// to the unobserved-task firehose.
|
||||
var writeTask = _auditWriter.WriteAsync(evt, CancellationToken.None);
|
||||
if (!writeTask.IsCompleted)
|
||||
{
|
||||
writeTask.ContinueWith(
|
||||
t => _logger.LogWarning(t.Exception,
|
||||
"Audit Log #23 write failed for EventId {EventId} ({System}.{Method})",
|
||||
evt.EventId, systemName, methodName),
|
||||
CancellationToken.None,
|
||||
TaskContinuationOptions.OnlyOnFaulted | TaskContinuationOptions.ExecuteSynchronously,
|
||||
TaskScheduler.Default);
|
||||
}
|
||||
else if (writeTask.IsFaulted)
|
||||
{
|
||||
_logger.LogWarning(writeTask.Exception,
|
||||
"Audit Log #23 write failed for EventId {EventId} ({System}.{Method})",
|
||||
evt.EventId, systemName, methodName);
|
||||
}
|
||||
}
|
||||
catch (Exception writeEx)
|
||||
{
|
||||
// Synchronous throw from WriteAsync (e.g. ArgumentNullException
|
||||
// before the writer's own try/catch). Swallow + log per the
|
||||
// alog.md §7 contract.
|
||||
_logger.LogWarning(writeEx,
|
||||
"Audit Log #23 write threw synchronously for EventId {EventId} ({System}.{Method})",
|
||||
evt.EventId, systemName, methodName);
|
||||
}
|
||||
}
|
||||
|
||||
private AuditEvent BuildCallAuditEvent(
|
||||
string systemName,
|
||||
string methodName,
|
||||
DateTime occurredAtUtc,
|
||||
int durationMs,
|
||||
ExternalCallResult? result,
|
||||
Exception? thrown)
|
||||
{
|
||||
// Status: Delivered on a Success result; Failed otherwise (the
|
||||
// ExternalSystemClient already maps HTTP non-2xx + transient
|
||||
// exceptions into Success=false on the result, or surfaces a raw
|
||||
// exception). M2 makes no distinction between transient + permanent
|
||||
// failure here — both manifest as Status.Failed on the sync path.
|
||||
var status = (thrown == null && result != null && result.Success)
|
||||
? AuditStatus.Delivered
|
||||
: AuditStatus.Failed;
|
||||
|
||||
string? errorMessage = null;
|
||||
string? errorDetail = null;
|
||||
int? httpStatus = null;
|
||||
|
||||
if (thrown != null)
|
||||
{
|
||||
errorMessage = thrown.Message;
|
||||
errorDetail = thrown.ToString();
|
||||
}
|
||||
else if (result != null && !result.Success)
|
||||
{
|
||||
errorMessage = result.ErrorMessage;
|
||||
// The ExternalSystemClient embeds the HTTP status code in the
|
||||
// error message as "HTTP {code}". Parse it back out so the
|
||||
// audit row carries the structured value.
|
||||
if (!string.IsNullOrEmpty(result.ErrorMessage))
|
||||
{
|
||||
var match = HttpStatusRegex.Match(result.ErrorMessage);
|
||||
if (match.Success
|
||||
&& int.TryParse(match.Groups["code"].Value, out var parsed))
|
||||
{
|
||||
httpStatus = parsed;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return new AuditEvent
|
||||
{
|
||||
EventId = Guid.NewGuid(),
|
||||
OccurredAtUtc = DateTime.SpecifyKind(occurredAtUtc, DateTimeKind.Utc),
|
||||
Channel = AuditChannel.ApiOutbound,
|
||||
Kind = AuditKind.ApiCall,
|
||||
CorrelationId = null,
|
||||
SourceSiteId = string.IsNullOrEmpty(_siteId) ? null : _siteId,
|
||||
SourceInstanceId = _instanceName,
|
||||
SourceScript = _sourceScript,
|
||||
Actor = null,
|
||||
Target = $"{systemName}.{methodName}",
|
||||
Status = status,
|
||||
HttpStatus = httpStatus,
|
||||
DurationMs = durationMs,
|
||||
ErrorMessage = errorMessage,
|
||||
ErrorDetail = errorDetail,
|
||||
RequestSummary = null,
|
||||
ResponseSummary = null,
|
||||
PayloadTruncated = false,
|
||||
Extra = null,
|
||||
ForwardState = AuditForwardState.Pending,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
|
||||
Reference in New Issue
Block a user