Skip to main content

CloudEvents-style audit event model, builder, integrity signing and Kafka publishing for Mobius Python (FastAPI) services.

Project description

mobius-auditlog-py

Build, sign, and publish CloudEvents-style audit events from Mobius Python (FastAPI / Starlette) services.

  • PyPI: pip install mobius-auditlog-py
  • Import package: mobius_auditlog
  • Python: 3.10+

Install

pip install mobius-auditlog-py

pydantic, starlette, and py-kafka-producer-client are installed automatically.

Quick start (auto-capture middleware)

from fastapi import FastAPI
from kafka_producer_client import KafkaProducerConfig
from mobius_auditlog import setup_auditlog

app = FastAPI()

setup_auditlog(
    app,
    topic="audit-logs",
    signing_key="your-hmac-key",                # optional signature
    kafka_config=KafkaProducerConfig(bootstrap_servers="broker:9092"),
    capture_payloads=False,                      # set True to buffer req/resp bodies
    compliance_category="GDPR",
)

The middleware emits one audit event per request: action (route, method, status, severity), network (client IP + user-agent), objectref (from the path), and the envelope/subject from the request context. It skips health/metrics/swagger paths.

The event schema

AuditLogEvent — flat envelope + nested sections, serialized with empty values omitted and keys alphabetically ordered:

Section Fields
envelope id, specversion, timestamp, traceid, transactionid, tenantid
subject userid, type, groups[]
kubernetes namespacename, podname, containername, nodename
objectref resource, resourceid, apiversion
action name, method, severity, status
network sourceip, useragent
eventdata requestpayload{}, responsepayload{}, metadata{issensitive, compliancecategory}
security hash, signature
event.to_dict()    # pruned dict (empties dropped), ready to publish
event.to_json()    # canonical JSON: pruned + sorted keys (used for hashing)

Building events manually

from mobius_auditlog import AuditLogBuilder

event = (
    AuditLogBuilder()
    .from_context()                              # tenant/trace/txn/subject from context
    .object_ref(resource="order", resourceid="order-789", apiversion="v1.0")
    .action(name="order.create", method="POST", severity="INFO", status="SUCCESS")
    .network(sourceip="1.2.3.4", useragent="curl/8")
    .event_data(requestpayload={"amount": 42}, issensitive=True, compliancecategory="PCI")
    .build()
)

from_context() pulls tenantid/traceid/transactionid/subject from the mobius-tracer-py request context when that package is installed, and kubernetes from the downward-API env vars (POD_NAMESPACE, POD_NAME, CONTAINER_NAME, NODE_NAME).

Integrity: hash + signature

from mobius_auditlog import seal, verify, compute_hash

seal(event, signing_key="key")     # sets security.hash (+ signature)
verify(event, signing_key="key")   # True if hash + signature match
  • hash = SHA-256 over the canonical JSON excluding the security block.
  • signature = HMAC-SHA256 of the hash with your key (omitted if no key).

The publisher seals events automatically before sending.

Publishing

The publisher depends only on a small protocol — no hard Kafka coupling:

class LogEventSender(Protocol):
    def send(self, value: dict, *, topic: str) -> Any: ...

setup_auditlog resolves a publisher from (in order) kafka_senderkafka_producerkafka_config → the configured py-kafka-producer-client singleton. Or use it directly:

from mobius_auditlog import AuditLogPublisher, PyKafkaProducerClientSender, set_publisher

publisher = AuditLogPublisher(PyKafkaProducerClientSender(client),
                              topic="audit-logs", signing_key="key")
set_publisher(publisher)
publisher.publish(event)           # seals + sends, fire-and-forget

Publishing runs on a background thread and never raises into the request path.

Payload capture

With capture_payloads=True, the middleware buffers request and response bodies (JSON-parsed, size-capped at 64 KB) into eventdata.requestpayload / responsepayload. Off by default for privacy and overhead. Non-JSON bodies are stored as {"_raw": "..."}.

Development

python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mobius_auditlog_py-1.0.2.tar.gz (12.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mobius_auditlog_py-1.0.2-py3-none-any.whl (12.9 kB view details)

Uploaded Python 3

File details

Details for the file mobius_auditlog_py-1.0.2.tar.gz.

File metadata

  • Download URL: mobius_auditlog_py-1.0.2.tar.gz
  • Upload date:
  • Size: 12.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.19

File hashes

Hashes for mobius_auditlog_py-1.0.2.tar.gz
Algorithm Hash digest
SHA256 a537ca9fe59335cd0de0b5aff9202c590c54b12f09e5e083dc3d5e286fde26b3
MD5 49657f5e0dcfd716e87d4ba6a55dc87e
BLAKE2b-256 ebeb72c7507fc0b11b3b0b3e5382f48ee9672e6ba2f3819b099431739012bc64

See more details on using hashes here.

File details

Details for the file mobius_auditlog_py-1.0.2-py3-none-any.whl.

File metadata

File hashes

Hashes for mobius_auditlog_py-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 fdc576cf1f6779fd694a8f0788cf50a08c72c8ecd523a74ebe2c0adc58651eef
MD5 0660a6130d1f35efbf3c7a17ba10a87a
BLAKE2b-256 00ec919b36385926a2fbd96700d35d13a90c5246f3ffb6791f455d74d8400d11

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page