Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/pos/Dockerfile
+++ b/services/pos/Dockerfile
@@ -16,9 +16,13 @@ RUN apt-get update && apt-get install -y \
    && rm -rf /var/lib/apt/lists/*

 # Copy requirements
+COPY shared/requirements-tracing.txt /tmp/
+
 COPY services/pos/requirements.txt .

 # Install Python dependencies
+RUN pip install --no-cache-dir -r /tmp/requirements-tracing.txt
+
 RUN pip install --no-cache-dir -r requirements.txt

 # Copy shared libraries from the shared stage
--- a/services/pos/app/api/configurations.py
+++ b/services/pos/app/api/configurations.py
@@ -12,9 +12,11 @@ from app.core.database import get_db
 from shared.auth.decorators import get_current_user_dep
 from shared.auth.access_control import require_user_role, admin_role_required
 from shared.routing import RouteBuilder
+from shared.security import create_audit_logger, AuditSeverity, AuditAction

 router = APIRouter()
 logger = structlog.get_logger()
+audit_logger = create_audit_logger("pos-service")
 route_builder = RouteBuilder('pos')


@@ -110,6 +112,29 @@ async def update_pos_configuration(
 ):
    """Update a POS configuration (Admin/Owner only)"""
    try:
+        # Log HIGH severity audit event for configuration changes
+        try:
+            await audit_logger.log_event(
+                db_session=db,
+                tenant_id=str(tenant_id),
+                user_id=current_user["user_id"],
+                action=AuditAction.UPDATE.value,
+                resource_type="pos_configuration",
+                resource_id=str(config_id),
+                severity=AuditSeverity.HIGH.value,
+                description=f"Admin {current_user.get('email', 'unknown')} updated POS configuration",
+                changes={"configuration_updates": configuration_data},
+                endpoint=f"/configurations/{config_id}",
+                method="PUT"
+            )
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
+        logger.info("POS configuration updated",
+                   config_id=str(config_id),
+                   tenant_id=str(tenant_id),
+                   user_id=current_user["user_id"])
+
        return {"message": "Configuration updated successfully", "id": str(config_id)}
    except Exception as e:
        logger.error("Failed to update POS configuration", error=str(e),
@@ -130,6 +155,27 @@ async def delete_pos_configuration(
 ):
    """Delete a POS configuration (Owner only)"""
    try:
+        # Log CRITICAL severity audit event for configuration deletion
+        try:
+            await audit_logger.log_deletion(
+                db_session=db,
+                tenant_id=str(tenant_id),
+                user_id=current_user["user_id"],
+                resource_type="pos_configuration",
+                resource_id=str(config_id),
+                severity=AuditSeverity.CRITICAL.value,
+                description=f"Owner {current_user.get('email', 'unknown')} deleted POS configuration",
+                endpoint=f"/configurations/{config_id}",
+                method="DELETE"
+            )
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
+        logger.info("POS configuration deleted",
+                   config_id=str(config_id),
+                   tenant_id=str(tenant_id),
+                   user_id=current_user["user_id"])
+
        return {"message": "Configuration deleted successfully"}
    except Exception as e:
        logger.error("Failed to delete POS configuration", error=str(e),
--- a/services/pos/app/models/init.py
+++ b/services/pos/app/models/init.py
@@ -2,6 +2,13 @@
 Database models for POS Integration Service
 """

+# Import AuditLog model for this service
+from shared.security import create_audit_log_model
+from shared.database.base import Base
+
+# Create audit log model for this service
+AuditLog = create_audit_log_model(Base)
+
 from .pos_config import POSConfiguration
 from .pos_transaction import POSTransaction, POSTransactionItem
 from .pos_webhook import POSWebhookLog
@@ -12,5 +19,6 @@ __all__ = [
    "POSTransaction",
    "POSTransactionItem", 
    "POSWebhookLog",
-    "POSSyncLog"
+    "POSSyncLog",
+    "AuditLog"
 ]
--- a/services/pos/migrations/versions/20251015_1228_e9976ec9fe9e_initial_schema_20251015_1228.py
+++ b/services/pos/migrations/versions/20251015_1228_e9976ec9fe9e_initial_schema_20251015_1228.py
@@ -1,18 +1,18 @@
-"""initial_schema_20251009_2038
+"""initial_schema_20251015_1228

-Revision ID: 65eda9df893b
+Revision ID: e9976ec9fe9e
 Revises: 
-Create Date: 2025-10-09 20:38:17.435929+02:00
+Create Date: 2025-10-15 12:28:31.849997+02:00

 """
 from typing import Sequence, Union

 from alembic import op
 import sqlalchemy as sa
-
+from sqlalchemy.dialects import postgresql

 # revision identifiers, used by Alembic.
-revision: str = '65eda9df893b'
+revision: str = 'e9976ec9fe9e'
 down_revision: Union[str, None] = None
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
@@ -20,6 +20,38 @@ depends_on: Union[str, Sequence[str], None] = None

 def upgrade() -> None:
    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('audit_logs',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('tenant_id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('action', sa.String(length=100), nullable=False),
+    sa.Column('resource_type', sa.String(length=100), nullable=False),
+    sa.Column('resource_id', sa.String(length=255), nullable=True),
+    sa.Column('severity', sa.String(length=20), nullable=False),
+    sa.Column('service_name', sa.String(length=100), nullable=False),
+    sa.Column('description', sa.Text(), nullable=True),
+    sa.Column('changes', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.Column('audit_metadata', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.Column('ip_address', sa.String(length=45), nullable=True),
+    sa.Column('user_agent', sa.Text(), nullable=True),
+    sa.Column('endpoint', sa.String(length=255), nullable=True),
+    sa.Column('method', sa.String(length=10), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_audit_resource_type_action', 'audit_logs', ['resource_type', 'action'], unique=False)
+    op.create_index('idx_audit_service_created', 'audit_logs', ['service_name', 'created_at'], unique=False)
+    op.create_index('idx_audit_severity_created', 'audit_logs', ['severity', 'created_at'], unique=False)
+    op.create_index('idx_audit_tenant_created', 'audit_logs', ['tenant_id', 'created_at'], unique=False)
+    op.create_index('idx_audit_user_created', 'audit_logs', ['user_id', 'created_at'], unique=False)
+    op.create_index(op.f('ix_audit_logs_action'), 'audit_logs', ['action'], unique=False)
+    op.create_index(op.f('ix_audit_logs_created_at'), 'audit_logs', ['created_at'], unique=False)
+    op.create_index(op.f('ix_audit_logs_resource_id'), 'audit_logs', ['resource_id'], unique=False)
+    op.create_index(op.f('ix_audit_logs_resource_type'), 'audit_logs', ['resource_type'], unique=False)
+    op.create_index(op.f('ix_audit_logs_service_name'), 'audit_logs', ['service_name'], unique=False)
+    op.create_index(op.f('ix_audit_logs_severity'), 'audit_logs', ['severity'], unique=False)
+    op.create_index(op.f('ix_audit_logs_tenant_id'), 'audit_logs', ['tenant_id'], unique=False)
+    op.create_index(op.f('ix_audit_logs_user_id'), 'audit_logs', ['user_id'], unique=False)
    op.create_table('pos_configurations',
    sa.Column('id', sa.UUID(), nullable=False),
    sa.Column('tenant_id', sa.UUID(), nullable=False),
@@ -389,4 +421,18 @@ def downgrade() -> None:
    op.drop_index('idx_pos_config_connected', table_name='pos_configurations')
    op.drop_index('idx_pos_config_active', table_name='pos_configurations')
    op.drop_table('pos_configurations')
+    op.drop_index(op.f('ix_audit_logs_user_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_tenant_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_severity'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_service_name'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_resource_type'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_resource_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_created_at'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_action'), table_name='audit_logs')
+    op.drop_index('idx_audit_user_created', table_name='audit_logs')
+    op.drop_index('idx_audit_tenant_created', table_name='audit_logs')
+    op.drop_index('idx_audit_severity_created', table_name='audit_logs')
+    op.drop_index('idx_audit_service_created', table_name='audit_logs')
+    op.drop_index('idx_audit_resource_type_action', table_name='audit_logs')
+    op.drop_table('audit_logs')
    # ### end Alembic commands ###