Skip to main content

CloudEvents-style audit event model, builder, integrity signing and Kafka publishing for Mobius Python (FastAPI) services.

Project description

mobius-auditlog-py

Build, sign, and publish CloudEvents-style audit events from Mobius Python (FastAPI / Starlette) services.

  • PyPI: pip install mobius-auditlog-py
  • Import package: mobius_auditlog
  • Python: 3.10+

Install

pip install mobius-auditlog-py

pydantic, starlette, and py-kafka-producer-client are installed automatically.

Quick start (auto-capture middleware)

from fastapi import FastAPI
from kafka_producer_client import KafkaProducerConfig
from mobius_auditlog import setup_auditlog

app = FastAPI()

setup_auditlog(
    app,
    topic="audit-logs",
    signing_key="your-hmac-key",                # optional signature
    kafka_config=KafkaProducerConfig(bootstrap_servers="broker:9092"),
    capture_payloads=False,                      # set True to buffer req/resp bodies
    compliance_category="GDPR",
)

The middleware emits one audit event per request: action (route, method, status, severity), network (client IP + user-agent), objectref (from the path), and the envelope/subject from the request context. It skips health/metrics/swagger paths.

The event schema

AuditLogEvent — flat envelope + nested sections, serialized with empty values omitted and keys alphabetically ordered:

Section Fields
envelope id, specversion, timestamp, traceid, transactionid, tenantid
subject userid, type, groups[]
kubernetes namespacename, podname, containername, nodename
objectref resource, resourceid, apiversion
action name, method, severity, status
network sourceip, useragent
eventdata requestpayload{}, responsepayload{}, metadata{issensitive, compliancecategory}
security hash, signature
event.to_dict()    # pruned dict (empties dropped), ready to publish
event.to_json()    # canonical JSON: pruned + sorted keys (used for hashing)

Building events manually

from mobius_auditlog import AuditLogBuilder

event = (
    AuditLogBuilder()
    .from_context()                              # tenant/trace/txn/subject from context
    .object_ref(resource="order", resourceid="order-789", apiversion="v1.0")
    .action(name="order.create", method="POST", severity="INFO", status="SUCCESS")
    .network(sourceip="1.2.3.4", useragent="curl/8")
    .event_data(requestpayload={"amount": 42}, issensitive=True, compliancecategory="PCI")
    .build()
)

from_context() pulls tenantid/traceid/transactionid/subject from the mobius-tracer-py request context when that package is installed, and kubernetes from the downward-API env vars (POD_NAMESPACE, POD_NAME, CONTAINER_NAME, NODE_NAME).

Integrity: hash + signature

from mobius_auditlog import seal, verify, compute_hash

seal(event, signing_key="key")     # sets security.hash (+ signature)
verify(event, signing_key="key")   # True if hash + signature match
  • hash = SHA-256 over the canonical JSON excluding the security block.
  • signature = HMAC-SHA256 of the hash with your key (omitted if no key).

The publisher seals events automatically before sending.

Publishing

The publisher depends only on a small protocol — no hard Kafka coupling:

class LogEventSender(Protocol):
    def send(self, value: dict, *, topic: str) -> Any: ...

setup_auditlog resolves a publisher from (in order) kafka_senderkafka_producerkafka_config → the configured py-kafka-producer-client singleton. Or use it directly:

from mobius_auditlog import AuditLogPublisher, PyKafkaProducerClientSender, set_publisher

publisher = AuditLogPublisher(PyKafkaProducerClientSender(client),
                              topic="audit-logs", signing_key="key")
set_publisher(publisher)
publisher.publish(event)           # seals + sends, fire-and-forget

Publishing runs on a background thread and never raises into the request path.

Payload capture

With capture_payloads=True, the middleware buffers request and response bodies (JSON-parsed, size-capped at 64 KB) into eventdata.requestpayload / responsepayload. Off by default for privacy and overhead. Non-JSON bodies are stored as {"_raw": "..."}.

Development

python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mobius_auditlog_py-1.0.0.tar.gz (12.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mobius_auditlog_py-1.0.0-py3-none-any.whl (12.8 kB view details)

Uploaded Python 3

File details

Details for the file mobius_auditlog_py-1.0.0.tar.gz.

File metadata

  • Download URL: mobius_auditlog_py-1.0.0.tar.gz
  • Upload date:
  • Size: 12.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.19

File hashes

Hashes for mobius_auditlog_py-1.0.0.tar.gz
Algorithm Hash digest
SHA256 643aed3af3a8c403cb8ac121aeb7c5e2007eab3bfbf91d7d3596652046aaf78e
MD5 2dc988b17a4d4ce8162135acf14d18a7
BLAKE2b-256 4722f352c93b4139ab452e2a44eaf022fcccc9c6f9180a27e04da9bfb4317f76

See more details on using hashes here.

File details

Details for the file mobius_auditlog_py-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mobius_auditlog_py-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6593b7fba9ab4c71c9027b974ef9baa10df962fa160f4fcf5ff5dcd2511319c6
MD5 cdaa7daa3fb83df080488980e3a5ace1
BLAKE2b-256 60de75c95fde17c751e99a6dbd168a8fdd6ac52a0660d1dbabbb5bd60f397102

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page