Files
2026-07-13 13:39:12 +08:00

308 lines
9.3 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-compliance-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.APP_LOG_RETENTION_DAYS = "10";
process.env.CALL_LOG_RETENTION_DAYS = "5";
const core = await import("../../src/lib/db/core.ts");
const compliance = await import("../../src/lib/compliance/index.ts");
function resetDb() {
core.resetDbInstance();
if (fs.existsSync(TEST_DATA_DIR)) {
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
}
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
}
test.beforeEach(() => {
resetDb();
});
test.after(() => {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
});
test("compliance audit log initialization, writes and filtered reads work end to end", () => {
compliance.initAuditLog();
compliance.logAuditEvent({
action: "settings.update",
actor: "admin",
target: "system-settings",
details: { changed: ["theme"] },
resourceType: "settings",
status: "success",
requestId: "req-123",
ipAddress: "127.0.0.1",
});
compliance.logAuditEvent({
action: "apiKey.create",
details: '"manual note"',
});
const all = compliance.getAuditLog();
const filtered = compliance.getAuditLog({
action: "settings.update",
actor: "admin",
limit: 1,
offset: 0,
});
assert.equal(all.length, 2);
assert.equal(all[0].action, "apiKey.create");
assert.equal(all[0].actor, "system");
assert.equal(all[0].details, "manual note");
assert.equal(filtered[0].resourceType, "settings");
assert.equal(filtered[0].resource_type, "settings");
assert.equal(filtered[0].status, "success");
assert.equal(filtered[0].requestId, "req-123");
assert.equal(filtered[0].request_id, "req-123");
assert.equal(filtered[0].ip, "127.0.0.1");
assert.deepEqual(filtered[0].metadata, { changed: ["theme"] });
assert.deepEqual(filtered, [
{
...filtered[0],
action: "settings.update",
actor: "admin",
target: "system-settings",
details: { changed: ["theme"] },
ip_address: "127.0.0.1",
},
]);
});
test("compliance audit log supports structured filters, totals and secret redaction", () => {
compliance.initAuditLog();
compliance.logAuditEvent({
action: "provider.credentials.updated",
actor: "admin",
target: "openai:primary",
resourceType: "provider_credentials",
status: "success",
requestId: "req-provider-1",
details: {
apiKey: "sk-secret",
nested: {
refreshToken: "refresh-secret",
},
changedFields: ["defaultModel"],
},
ipAddress: "10.0.0.4",
createdAt: "2026-04-14T10:00:00.000Z",
});
compliance.logAuditEvent({
action: "provider.validation.ssrf_blocked",
actor: "admin",
target: "provider-node",
resourceType: "provider_validation",
status: "blocked",
requestId: "req-provider-2",
metadata: {
reason: "Blocked private or local provider URL",
baseUrl: "http://127.0.0.1:11434/v1",
},
createdAt: "2026-04-14T11:00:00.000Z",
});
const filtered = compliance.getAuditLog({
resourceType: "provider_validation",
status: "blocked",
requestId: "req-provider-2",
from: "2026-04-14T10:30:00.000Z",
to: "2026-04-14T12:00:00.000Z",
});
assert.equal(compliance.countAuditLog({ actor: "admin" }), 2);
assert.equal(filtered.length, 1);
assert.equal(filtered[0].action, "provider.validation.ssrf_blocked");
assert.deepEqual(filtered[0].metadata, {
reason: "Blocked private or local provider URL",
baseUrl: "http://127.0.0.1:11434/v1",
});
const updatedEntry = compliance.getAuditLog({ action: "provider.credentials.updated" })[0];
assert.deepEqual(updatedEntry.details, {
apiKey: "[redacted]",
nested: {
refreshToken: "[redacted]",
},
changedFields: ["defaultModel"],
});
assert.deepEqual(updatedEntry.metadata, updatedEntry.details);
});
test("compliance noLog helpers cover missing ids, in-memory overrides and persisted DB values", () => {
const db = core.getDbInstance();
const now = new Date().toISOString();
db.prepare(
"INSERT INTO api_keys (id, name, key, machine_id, allowed_models, no_log, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)"
).run("persisted-no-log", "Persisted", "sk-persisted", null, "[]", 1, now);
assert.equal(compliance.isNoLog(""), false);
assert.equal(compliance.isNoLog("persisted-no-log"), true);
compliance.setNoLog("manual-no-log", true);
assert.equal(compliance.isNoLog("manual-no-log"), true);
compliance.setNoLog("manual-no-log", false);
assert.equal(compliance.isNoLog("manual-no-log"), false);
assert.deepEqual(compliance.getRetentionDays(), { app: 10, call: 5 });
});
test("cleanupExpiredLogs removes stale rows across all log tables and records an audit entry", async () => {
compliance.initAuditLog();
const db = core.getDbInstance();
const oldCallTs = new Date(Date.now() - 8 * 24 * 60 * 60 * 1000).toISOString();
const oldAppTs = new Date(Date.now() - 12 * 24 * 60 * 60 * 1000).toISOString();
const freshTs = new Date().toISOString();
db.prepare("INSERT INTO usage_history (provider, model, timestamp) VALUES (?, ?, ?)").run(
"openai",
"gpt-4o",
oldCallTs
);
db.prepare("INSERT INTO usage_history (provider, model, timestamp) VALUES (?, ?, ?)").run(
"openai",
"gpt-4o",
freshTs
);
db.prepare("INSERT INTO call_logs (id, timestamp, method, path) VALUES (?, ?, ?, ?)").run(
"call-old",
oldCallTs,
"POST",
"/v1/chat/completions"
);
db.prepare("INSERT INTO call_logs (id, timestamp, method, path) VALUES (?, ?, ?, ?)").run(
"call-new",
freshTs,
"POST",
"/v1/chat/completions"
);
db.prepare("INSERT INTO proxy_logs (id, timestamp, status, proxy_type) VALUES (?, ?, ?, ?)").run(
"proxy-old",
oldCallTs,
"ok",
"http"
);
db.prepare("INSERT INTO proxy_logs (id, timestamp, status, proxy_type) VALUES (?, ?, ?, ?)").run(
"proxy-new",
freshTs,
"ok",
"http"
);
db.prepare("INSERT INTO request_detail_logs (id, call_log_id, timestamp) VALUES (?, ?, ?)").run(
"rdl-old",
"call-old",
oldCallTs
);
db.prepare("INSERT INTO request_detail_logs (id, call_log_id, timestamp) VALUES (?, ?, ?)").run(
"rdl-new",
"call-new",
freshTs
);
db.prepare("INSERT INTO mcp_tool_audit (tool_name, created_at) VALUES (?, ?)").run(
"memory_search",
oldAppTs
);
db.prepare("INSERT INTO mcp_tool_audit (tool_name, created_at) VALUES (?, ?)").run(
"memory_add",
freshTs
);
compliance.logAuditEvent({
action: "admin.cleanup.seed",
actor: "admin",
details: { seeded: true },
});
db.prepare("UPDATE audit_log SET timestamp = ? WHERE action = ?").run(
oldAppTs,
"admin.cleanup.seed"
);
const result = await compliance.cleanupExpiredLogs();
const usageCount = (db.prepare("SELECT COUNT(*) as count FROM usage_history").get() as any).count;
const callCount = (db.prepare("SELECT COUNT(*) as count FROM call_logs").get() as any).count;
const proxyCount = (db.prepare("SELECT COUNT(*) as count FROM proxy_logs").get() as any).count;
const requestDetailCount = (
db.prepare("SELECT COUNT(*) as count FROM request_detail_logs") as any
).get().count;
const mcpAuditCount = (db.prepare("SELECT COUNT(*) as count FROM mcp_tool_audit").get() as any)
.count;
const auditEntries = compliance.getAuditLog();
const auditActions = auditEntries.map((entry) => entry.action);
assert.deepEqual(result, {
deletedUsage: 1,
deletedCallLogs: 1,
deletedProxyLogs: 1,
deletedRequestDetailLogs: 1,
deletedAuditLogs: 1,
deletedMcpAuditLogs: 1,
trimmedCallLogs: 0,
trimmedProxyLogs: 0,
appRetentionDays: 10,
callRetentionDays: 5,
callLogsMaxRows: result.callLogsMaxRows,
proxyLogsMaxRows: result.proxyLogsMaxRows,
});
assert.equal(usageCount, 1);
assert.equal(callCount, 1);
assert.equal(proxyCount, 1);
assert.equal(requestDetailCount, 1);
assert.equal(mcpAuditCount, 1);
assert.ok(auditActions.includes("compliance.cleanup"));
const cleanupEntry = auditEntries.find((entry) => entry.action === "compliance.cleanup");
assert.equal(cleanupEntry.resourceType, "maintenance");
assert.equal(cleanupEntry.status, "success");
assert.equal(cleanupEntry.target, "log-retention");
});
test("cleanupExpiredLogs tolerates missing tables and logAuditEvent failures without breaking", async () => {
compliance.initAuditLog();
const db = core.getDbInstance();
db.exec(`
DROP TABLE usage_history;
DROP TABLE call_logs;
DROP TABLE proxy_logs;
DROP TABLE request_detail_logs;
DROP TABLE audit_log;
DROP TABLE mcp_tool_audit;
`);
compliance.logAuditEvent({
action: "will.fail.silently",
details: { reason: "table dropped" },
});
const result = await compliance.cleanupExpiredLogs();
assert.deepEqual(result, {
deletedUsage: 0,
deletedCallLogs: 0,
deletedProxyLogs: 0,
deletedRequestDetailLogs: 0,
deletedAuditLogs: 0,
deletedMcpAuditLogs: 0,
trimmedCallLogs: 0,
trimmedProxyLogs: 0,
appRetentionDays: 10,
callRetentionDays: 5,
callLogsMaxRows: result.callLogsMaxRows,
proxyLogsMaxRows: result.proxyLogsMaxRows,
});
});