feat(auditlog): AuditLogIngestActor + gRPC handler (#23)

2026-05-20 12:48:26 -04:00
parent b679430d13
commit 87cae88f92
6 changed files with 579 additions and 0 deletions
--- a/src/ScadaLink.Communication/Grpc/SiteStreamGrpcServer.cs
+++ b/src/ScadaLink.Communication/Grpc/SiteStreamGrpcServer.cs
@@ -4,6 +4,9 @@ using Akka.Actor;
 using Grpc.Core;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Messages.Audit;
+using ScadaLink.Commons.Types.Enums;
 using GrpcStatus = Grpc.Core.Status;

 namespace ScadaLink.Communication.Grpc;
@@ -23,6 +26,15 @@ public class SiteStreamGrpcServer : SiteStreamService.SiteStreamServiceBase
    private readonly TimeSpan _maxStreamLifetime;
    private volatile bool _ready;
    private long _actorCounter;
+    // Audit Log (#23 M2): central-side ingest actor proxy. Set by the host
+    // after the cluster singleton starts (see Bundle E wiring). When null the
+    // IngestAuditEvents RPC replies with an empty IngestAck so sites can
+    // safely retry — wiring-incomplete is treated as transient, never fatal.
+    private IActorRef? _auditIngestActor;
+    // Per Bundle D's brief — Ask timeout is 30 s. The ingest actor's repo
+    // calls are sub-100 ms in steady state; a generous timeout absorbs a slow
+    // MSSQL connection without surfacing as a gRPC failure on a healthy site.
+    private static readonly TimeSpan AuditIngestAskTimeout = TimeSpan.FromSeconds(30);

    /// <summary>
    /// Test-only constructor — kept <c>internal</c> so the DI container sees a
@@ -76,6 +88,19 @@ public class SiteStreamGrpcServer : SiteStreamService.SiteStreamServiceBase
        _ready = true;
    }

+    /// <summary>
+    /// Hands the central-side <c>AuditLogIngestActor</c> proxy to the gRPC
+    /// server so the <see cref="IngestAuditEvents"/> RPC can route incoming
+    /// site batches. Audit Log (#23) M2 wiring point — mirrors the way
+    /// <c>CommunicationService.SetNotificationOutbox</c> takes the Notification
+    /// Outbox singleton proxy. Bundle E supplies the actor after the cluster
+    /// singleton starts.
+    /// </summary>
+    public void SetAuditIngestActor(IActorRef proxy)
+    {
+        _auditIngestActor = proxy;
+    }
+
    /// <summary>
    /// Number of currently active streaming subscriptions. Exposed for diagnostics.
    /// </summary>
@@ -168,6 +193,114 @@ public class SiteStreamGrpcServer : SiteStreamService.SiteStreamServiceBase
        }
    }

+    /// <summary>
+    /// Audit Log (#23) M2 site→central push RPC. Decodes a site batch into
+    /// <see cref="AuditEvent"/> rows, Asks the central <c>AuditLogIngestActor</c>
+    /// proxy to persist them, and echoes the accepted EventIds back so the site
+    /// can flip its local rows to <c>Forwarded</c>.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// The DTO→entity conversion is inlined here (rather than calling the
+    /// AuditLog mapper) to avoid a project-reference cycle:
+    /// <c>ScadaLink.AuditLog</c> already references
+    /// <c>ScadaLink.Communication</c>, so the gRPC server cannot reach back
+    /// into AuditLog for its mapper. The shape mirrors
+    /// <c>AuditEventMapper.FromDto</c> in <c>ScadaLink.AuditLog.Telemetry</c>;
+    /// the two must evolve together.
+    /// </para>
+    /// <para>
+    /// When <see cref="_auditIngestActor"/> is not yet wired (host startup
+    /// race window), the RPC returns an empty <see cref="IngestAck"/> rather
+    /// than failing — the site treats the missing ack as a transient outcome
+    /// and retries on the next drain, which is the desired idempotent
+    /// behaviour.
+    /// </para>
+    /// </remarks>
+    public override async Task<IngestAck> IngestAuditEvents(
+        AuditEventBatch request,
+        ServerCallContext context)
+    {
+        // Empty batch is a no-op; reply immediately so the client moves on.
+        if (request.Events.Count == 0)
+        {
+            return new IngestAck();
+        }
+
+        var actor = _auditIngestActor;
+        if (actor is null)
+        {
+            // Wiring incomplete (host startup race). Sites treat an empty
+            // ack as "nothing was acked, leave rows Pending, retry next
+            // drain" — exactly the right behaviour during host bring-up.
+            _logger.LogWarning(
+                "IngestAuditEvents received {Count} events before SetAuditIngestActor was called; returning empty ack.",
+                request.Events.Count);
+            return new IngestAck();
+        }
+
+        // Inlined FromDto. Keep in sync with AuditEventMapper.FromDto in
+        // ScadaLink.AuditLog.Telemetry — there is no shared mapper because
+        // doing so would create a project-reference cycle (AuditLog → Communication).
+        var entities = new List<AuditEvent>(request.Events.Count);
+        foreach (var dto in request.Events)
+        {
+            entities.Add(new AuditEvent
+            {
+                EventId = Guid.Parse(dto.EventId),
+                OccurredAtUtc = DateTime.SpecifyKind(dto.OccurredAtUtc.ToDateTime(), DateTimeKind.Utc),
+                IngestedAtUtc = null,
+                Channel = Enum.Parse<AuditChannel>(dto.Channel),
+                Kind = Enum.Parse<AuditKind>(dto.Kind),
+                CorrelationId = string.IsNullOrEmpty(dto.CorrelationId) ? null : Guid.Parse(dto.CorrelationId),
+                SourceSiteId = NullIfEmpty(dto.SourceSiteId),
+                SourceInstanceId = NullIfEmpty(dto.SourceInstanceId),
+                SourceScript = NullIfEmpty(dto.SourceScript),
+                Actor = NullIfEmpty(dto.Actor),
+                Target = NullIfEmpty(dto.Target),
+                Status = Enum.Parse<AuditStatus>(dto.Status),
+                HttpStatus = dto.HttpStatus,
+                DurationMs = dto.DurationMs,
+                ErrorMessage = NullIfEmpty(dto.ErrorMessage),
+                ErrorDetail = NullIfEmpty(dto.ErrorDetail),
+                RequestSummary = NullIfEmpty(dto.RequestSummary),
+                ResponseSummary = NullIfEmpty(dto.ResponseSummary),
+                PayloadTruncated = dto.PayloadTruncated,
+                Extra = NullIfEmpty(dto.Extra),
+                ForwardState = null,
+            });
+        }
+
+        var cmd = new IngestAuditEventsCommand(entities);
+        IngestAuditEventsReply reply;
+        try
+        {
+            reply = await actor.Ask<IngestAuditEventsReply>(
+                cmd, AuditIngestAskTimeout, context.CancellationToken);
+        }
+        catch (Exception ex)
+        {
+            // Audit ingest is best-effort; failing this RPC at the gRPC layer
+            // would surface as a transport error and force the site to retry
+            // (which it would do anyway). Logging + an empty ack keeps the
+            // semantics consistent with the "wiring incomplete" path above.
+            _logger.LogError(ex,
+                "AuditLogIngestActor Ask failed for batch of {Count} events; returning empty ack.",
+                request.Events.Count);
+            return new IngestAck();
+        }
+
+        var ack = new IngestAck();
+        foreach (var id in reply.AcceptedEventIds)
+        {
+            ack.AcceptedEventIds.Add(id.ToString());
+        }
+        return ack;
+    }
+
+    private static string? NullIfEmpty(string? value) =>
+        string.IsNullOrEmpty(value) ? null : value;
+
    /// <summary>
    /// Tracks a single active stream so cleanup only removes its own entry.
    /// </summary>