Skip to main content

CloudEvents-style audit event model, builder, integrity signing and Kafka publishing for Mobius Python (FastAPI) services.

Project description

mobius-auditlog-py

Build, sign, and publish CloudEvents-style audit events from Mobius Python (FastAPI / Starlette) services.

  • PyPI: pip install mobius-auditlog-py
  • Import package: mobius_auditlog
  • Python: 3.10+

Install

pip install mobius-auditlog-py

pydantic, starlette, and py-kafka-producer-client are installed automatically.

Quick start (auto-capture middleware)

from fastapi import FastAPI
from kafka_producer_client import KafkaProducerConfig
from mobius_auditlog import setup_auditlog

app = FastAPI()

setup_auditlog(
    app,
    topic="audit-logs",
    signing_key="your-hmac-key",                # optional signature
    kafka_config=KafkaProducerConfig(bootstrap_servers="broker:9092"),
    capture_payloads=False,                      # set True to buffer req/resp bodies
    compliance_category="GDPR",
)

The middleware emits one audit event per request: action (route, method, status, severity), network (client IP + user-agent), objectref (from the path), and the envelope/subject from the request context. It skips health/metrics/swagger paths.

The event schema

AuditLogEvent — flat envelope + nested sections, serialized with empty values omitted and keys alphabetically ordered:

Section Fields
envelope id, specversion, timestamp, traceid, transactionid, tenantid, schemaid
subject userid, type, groups[]
kubernetes namespacename, podname, containername, nodename
objectref resource, resourceid, apiversion
action name, method, severity, status
network sourceip, useragent
eventdata requestpayload{}, responsepayload{}, metadata{issensitive, compliancecategory}
security hash, signature
event.to_dict()    # pruned dict (empties dropped), ready to publish
event.to_json()    # canonical JSON: pruned + sorted keys (used for hashing)

Building events manually

from mobius_auditlog import AuditLogBuilder

event = (
    AuditLogBuilder()
    .from_context()                              # tenant/trace/txn/subject from context
    .object_ref(resource="order", resourceid="order-789", apiversion="v1.0")
    .action(name="order.create", method="POST", severity="INFO", status="SUCCESS")
    .network(sourceip="1.2.3.4", useragent="curl/8")
    .event_data(requestpayload={"amount": 42}, issensitive=True, compliancecategory="PCI")
    .build()
)

from_context() pulls identity fields from the request context or fallback headers. It maps the outer envelope tenantid and schemaid to the platform tenant ID (defaults to "2cf76e5f-26ad-4f2c-bccc-f4bc1e7bfb64") and schema ID (defaults to ""). These can be overridden explicitly via the tenant_id and schema_id parameters in setup_auditlog(), or globally via the KAFKA_PLATFORM_TENANT_ID environment variable. The user's trace, transaction, and subject identity (userid/type) are preserved from context/headers. It also pulls kubernetes metadata from downward-API env vars (POD_NAMESPACE, POD_NAME, CONTAINER_NAME, NODE_NAME).

Integrity: hash + signature

from mobius_auditlog import seal, verify, compute_hash

seal(event, signing_key="key")     # sets security.hash (+ signature)
verify(event, signing_key="key")   # True if hash + signature match
  • hash = SHA-256 over the canonical JSON excluding the security block.
  • signature = HMAC-SHA256 of the hash with your key (omitted if no key).

The publisher seals events automatically before sending.

Publishing

The publisher depends only on a small protocol — no hard Kafka coupling:

class LogEventSender(Protocol):
    def send(self, value: dict, *, topic: str) -> Any: ...

setup_auditlog resolves a publisher from (in order) kafka_senderkafka_producerkafka_config → the configured py-kafka-producer-client singleton. Or use it directly:

from mobius_auditlog import AuditLogPublisher, PyKafkaProducerClientSender, set_publisher

publisher = AuditLogPublisher(PyKafkaProducerClientSender(client),
                              topic="audit-logs", signing_key="key")
set_publisher(publisher)
publisher.publish(event)           # seals + sends, fire-and-forget

Publishing runs on a background thread and never raises into the request path.

Payload capture

With capture_payloads=True, the middleware buffers request and response bodies (JSON-parsed, size-capped at 64 KB) into eventdata.requestpayload / responsepayload. Off by default for privacy and overhead. Non-JSON bodies are stored as {"_raw": "..."}.

Development

python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mobius_auditlog_py-1.1.0.tar.gz (13.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mobius_auditlog_py-1.1.0-py3-none-any.whl (14.1 kB view details)

Uploaded Python 3

File details

Details for the file mobius_auditlog_py-1.1.0.tar.gz.

File metadata

  • Download URL: mobius_auditlog_py-1.1.0.tar.gz
  • Upload date:
  • Size: 13.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mobius_auditlog_py-1.1.0.tar.gz
Algorithm Hash digest
SHA256 2c6a7d6539b5ead48ab2117ed85216fa4f56c90c11519b1b1c5b3415a4fdc61c
MD5 aa2d2fd432e4a693d5c57857984daf9d
BLAKE2b-256 43d64686a4bc966a6068aeec5abb45d4ce81b5c863cc1bae40c4deb5d1a3884b

See more details on using hashes here.

File details

Details for the file mobius_auditlog_py-1.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mobius_auditlog_py-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e9efc4397dfbd01b8bad077cc7334dc928a134fbc718764589c5ea07f1b5eda1
MD5 f26c804e83adae399040e4d2dc12082d
BLAKE2b-256 c2d5943bea44da021bd19030e5eca8ddf4ace87a6e6148f0c6dc41e554fb1a00

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page