audit-logging/cds-plugin.js at main · cap-js/audit-logging · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
const cds = require("@sap/cds");

const { auditAccess } = require("./lib/access");
const {
  addDiffToCtx,
  calcModLogs4Before,
  calcModLogs4After,
  emitModLogs,
} = require("./lib/modification");
const { hasPersonalData } = require("./lib/utils");

const WRITE = ["CREATE", "UPDATE", "DELETE"];

/*
 * Add generic audit logging handlers
 */
cds.on("served", (services) => {
  const db = cds.db;

  for (const service of services) {
    if (!(service instanceof cds.ApplicationService)) continue;

    const relevantEntities = [];
    for (const entity of service.entities)
      if (hasPersonalData(entity)) relevantEntities.push(entity);
    if (!relevantEntities.length) continue;

    // automatically promote entities that are associated with data subjects
    for (const entity of relevantEntities) {
      if (entity["@PersonalData.EntitySemantics"] !== "DataSubject") continue;
      for (const e of service.entities) {
        for (const k in e.associations) {
          if (
            e.associations[k].target === entity.name &&
            k !== "SiblingEntity"
          ) {
            e["@PersonalData.EntitySemantics"] ??= "Other";
            e.associations[k]["@PersonalData.FieldSemantics"] ??=
              "DataSubjectID";
            if (!relevantEntities.includes(e)) relevantEntities.push(e);
          }
        }
      }
    }
  }
  for (const service of services) {
    if (!(service instanceof cds.ApplicationService)) continue;
    service.after("READ", async (res, req) => {
      // Checking for req.target._service to make sure only entities within services are considered
      if (!req.target._service || !hasPersonalData(req.target)) return;
      await auditAccess.call(service, res, req);
    });

    service.after(WRITE, async (res, req) => {
      if (!req.target._service || !hasPersonalData(req.target)) return;
      await emitModLogs.call(service, res, req);
    });
  }

  db.before("CREATE", async (req) => {
    if (!req.target._service || !hasPersonalData(req.target)) return;
    await addDiffToCtx.call(db, req);
  });
  /*
   * for new or modified data, modifications are calculated in after phase
   * for deleted data, modifications are calculated in before phase
   * deep updates can contain new, modified and deleted data -> both phases
   */
  db.after(["CREATE", "UPDATE"], async (res, req) => {
    if (!req.target._service || !hasPersonalData(req.target)) return;
    await calcModLogs4After.call(db, res, req);
  });
  db.before(["DELETE", "UPDATE"], async (req) => {
    if (!req.target._service || !hasPersonalData(req.target)) return;
    await addDiffToCtx.call(db, req);
    await calcModLogs4Before.call(db, req);
  });
});

/*
 * Export base class for extending in custom implementations
 */
module.exports = {
  AuditLogService: require("./srv/service"),
};