feat: Add apollo audit log common solution backend

[BlackBear2003]

What's the purpose of this PR

add audit log module, PR for code review and further discussion

Which issue(s) this PR fixes:

Fixes #
#3505

Brief changelog

Add Apollo-Audit module which contains 4 modules of annotation, api, impl, springbootstarter

Follow this checklist to help us incorporate your contribution quickly and easily:

• [✔️] Read the Contributing Guide before making this pull request.
• [✔️] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Write necessary unit tests to verify the code.
• [✔️] Run mvn clean test to make sure this pull request doesn't break anything.
• Update the CHANGES log.

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[BlackBear2003]

I have read the CLA Document and I hereby sign the CLA

[BlackBear2003]

import apollo-audit-api in biz module, but register that 'api' bean in AdminService module when ApolloAuditAutoConfiguration auto configure. I guess that's the reason of the test failures.

[Anilople]

todo, table need index

[Anilople]

1. think that how user will query by ui
2. from user's query, how many http api we need to provide, and what there are. include request, response
3. according the http api's request, try to add index to the table.

---

key word: page, filter by time, find by traceId, filter by OpName

[Anilople]

Suggested change

	<version>${revision}</version>
	<version>${project.version}</version>

revision here will cause some problem to maven, use project.version instead of it.

[Anilople]

Illustrate that how to use this module by the config and annotation

[codecov]

Codecov Report

Merging #4958 (21b061f) into master (84c1d0b) will decrease coverage by 0.10%.
Report is 4 commits behind head on master.
The diff coverage is 84.61%.

❗ Current head 21b061f differs from pull request most recent head c43217e. Consider uploading reports for the commit c43217e to get more accurate results

@@             Coverage Diff              @@
##             master    #4958      +/-   ##
============================================
- Coverage     48.48%   48.39%   -0.10%     
+ Complexity     1726     1724       -2     
============================================
  Files           346      347       +1     
  Lines         10836    10848      +12     
  Branches       1080     1080              
============================================
- Hits           5254     5250       -4     
- Misses         5258     5273      +15     
- Partials        324      325       +1     

Files Changed	Coverage Δ
.../com/ctrip/framework/apollo/common/entity/App.java	0.00% <ø> (ø)
...p/framework/apollo/common/entity/AppNamespace.java	0.00% <ø> (ø)
...rip/framework/apollo/common/entity/BaseEntity.java	0.00% <0.00%> (ø)
...mework/apollo/portal/controller/AppController.java	26.82% <ø> (ø)
...ork/apollo/portal/service/AppNamespaceService.java	66.33% <66.66%> (-0.34%)	⬇️
...ip/framework/apollo/portal/service/AppService.java	16.47% <66.66%> (+0.80%)	⬆️
...ortal/audit/ApolloAuditOperatorPortalSupplier.java	75.00% <75.00%> (ø)
...ctrip/framework/apollo/biz/service/AppService.java	50.00% <100.00%> (+1.28%)	⬆️
.../framework/apollo/openapi/PortalOpenApiConfig.java	100.00% <100.00%> (ø)
...k/apollo/portal/component/RestTemplateFactory.java	100.00% <100.00%> (ø)
... and 1 more

... and 3 files with indirect coverage changes

[BlackBear2003]

Illustrate that how to use this module by the config and annotation

to explain what this feature will bring to the persistence, this feature consists of two entity classes, AuditLog and AuditLogDataInfluence.

• AuditLog records the invoke of methods with audit significance, and it is designed based on the idea of distributed link tracing(mainly open-tracing), which can obtain a DAG of the complete user request process through a unique TraceId.
• AuditLogDataInfluence are informations attached to an AuditLog that records data changes. Currently, the design of this class is to record the database table name of the target entity, the unique ID (to locate the changing entity), the changed Field name, and the old and new values.

Personally, there are still doubts about whether to record the old and new values, because the new value of the previous record is probably the old value of this record, and at the same time it will make it more difficult to automatically capture data changes.

===> need more suggestions here ! <===

now its easier to illustrate that how to use this module by the config and annotation/api:

config side:

Currently, only one configuration option is available, apollo.audit.log.enabled (default to be false).

When adding the apollo-audit-springboot-starter to the library, through this configuration, the automatic configuration function of the entire module can be enabled.

if apollo.audit.log.enabled = true then ApolloAuditAutoConfiguration works,

else then ApolloAuditNoOpAutoConfiguration works. This will register the corresponding NoOp bean to ensure that the application starts and runs smoothly.

annotation/api side:

change log: Align the functionality of the API and annotations

Added the ApolloAuditLogApi interface class as a new function to manually replace the original annotation when using the framework. The methods in the API interface can equally implement the function of annotation. Might do something annotations could not do, like batch delete or else.

How Annotation and Api align
└── annotation
    ├── ApolloAuditLog.java
    ├── ApolloAuditLogDataInfluence.java
    ├── ApolloAuditLogDataInfluenceTable.java
    ├── ApolloAuditLogDataInfluenceTableField.java
    ├── ApolloAuditLogDataInfluenceTableId.java
    └── OpType.java
└── api
    ├── ApolloAuditEntityWrapper.java
    └── ApolloAuditLogApi.java

public interface ApolloAuditLogApi {
  AutoCloseable appendSpan(OpType type, String name, String description);

  void appendSingleDataInfluence(String entityId, String entityName, String fieldName,
      String fieldOldValue, String fieldNewValue);

  <T> void appendDataInfluencesByManagedClass(List<T> entities, OpType type, Class<?> managedClass);

  <T> void appendDataInfluencesByWrapper(List<T> entities, OpType type,
      ApolloAuditEntityWrapper wrapper);
}
public class ApolloAuditEntityWrapper {
  private String entityName;
  private List<Field> dataInfluenceFields;
  private Field entityIdField;
  ...
}

At the same time, an ApolloAuditEntityWrapper class is added to replace the original annotation on the Entity class, and you can manually specify the tableName, unique IdField, and DataInfluencesFields to be recorded.

For trace id, span id, scope and else, mentor told me those are the internal complexity of the framework itself, which does not want to be perceived externally. So I design AutoCloseable appendSpan(OpType type, String name) method to give out a AutoCloseable, it indicates that this resource needs to be closed, and I think this is a better way to hide trace.

like the code shows below, completly use api manually.

public void delete(long id, String operator) {
  App app = appRepository.findById(id).orElse(null);
  if (app == null) {
    return;
  }
  try(AutoCloseable auditScope = apolloAuditLogApi.appendSpan(OpType.DELETE, "app.delete")) {
    app.setDeleted(true);
    app.setDataChangeLastModifiedBy(operator);
    appRepository.save(app);
    ApolloAuditEntityWrapper wrapper = new ApolloAuditEntityWrapper();
    wrapper.entityName("App")
        .entityIdField(app.getClass().getDeclaredField("appId"))
        .addDataInfluenceFields(app.getClass().getDeclaredField("name"));
    apolloAuditLogApi.appendDataInfluencesByWrapper(Collections.singletonList(app),OpType.DELETE, wrapper);
    auditService.audit(App.class.getSimpleName(), id, Audit.OP.DELETE, operator);
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
}

[Anilople]

@apolloconfig/committers For backward compability as more as possible

The solution is that

• create new table, the new audit log only save in the new table.
• open this feature by config apollo.audit.log.enabled=true, and user can close it by change to apollo.audit.log.enabled=false
• create new maven module apollo-audit, other modules use this feature by annotation or interface ApolloAuditLogApi .

Is it ok?

[BlackBear2003]

here used @EnableJpaRepositories to manually scan repositories before, but it is actually unnecessary and will affect the scanning of repositories in my audit module.
The JpaRepositoriesAutoConfiguration autoconfiguration class itself automatically scans all packages under the startup classpath. So without this annotation, it can also scan the original repositories.
Therefore, the note itself can be deleted.

[BlackBear2003]

I'm so so so sorry because when I formatted these test classes, I seem to have changed a lot of the original format...

[BlackBear2003]

In fact, the things I changed with the test module were the deletion of unnecessary annotations and the addition of statements to the properties file to start the audit module

[Anilople]

git checkout ${commitId} -- ${file relative path}

use a old commitId, the file will change to old content

[BlackBear2003]

I haven't add many uses of the audit module to other modules, for the reason that it seems decrease the test covery, so what should I do? Add the annotation/api uses in another pull request?

[BlackBear2003]

For this PR, what else needs to be done and what needs to be improved？ :)

[Anilople]

data_influences -> dataInfluences, delete _

[Anilople]

@PathVariable String entityName -> @RequestParam String entityName

[Anilople]

use ApolloAuditLogDataInfluence instead

[Anilople]

delete it, index by traceId finally

[Anilople]

Only use apollo-audit-api?

[BlackBear2003]

Only use apollo-audit-api?

when running biz-tests, it need to register bean of ApolloAuditLogApi which is provide by auto-configuration. So the dependency's scope is test to making tests pass.
we don't run biz individually, so yes we only need apollo-audit-api. But in tests, we run it individually, so it needs starter for starting app.

[Anilople]

git checkout ${commitId} -- ${file relative path}

use a old commitId, the file will change to old content

[Anilople]

Controller use ApolloAuditLogApi

[Anilople]

Maybe create 2 api

• ApolloAuditLogRecordApi
• ApolloAuditLogQueryApi (for user's query)

then let ApolloAuditLogApi extends them

[Anilople]

delete this method? only keep findByOpName?

[Anilople]

KEY DataChange_LastTime (DataChange_LastTime),

[Anilople]

1. think that how user will query by ui
2. from user's query, how many http api we need to provide, and what there are. include request, response
3. according the http api's request, try to add index to the table.

---

key word: page, filter by time, find by traceId, filter by OpName

[Anilople]

Why add jpa here? Need annotation?

[BlackBear2003]

yes, for entities annotations.Should replaced by

<dependency>
      <groupId>jakarta.persistence</groupId>
      <artifactId>jakarta.persistence-api</artifactId>
    </dependency>
    <dependency>
      <groupId>org.hibernate</groupId>
      <artifactId>hibernate-core</artifactId>
    </dependency>

?

[Anilople]

Suggested change

	List<ApolloAuditLog> queryAllLogs(Pageable page);
	List<ApolloAuditLog> queryLogs(Pageable page);

[Anilople]

Suggested change

	public class JpaApolloAuditLogApi implements ApolloAuditLogApi {
	public class ApolloAuditLogApiJpaImpl implements ApolloAuditLogApi {

[Anilople]

If someone use ApolloAuditLogRecordApi, appendDataInfluenceWrapper should be notice?

Can we append the DataInfluence directly?

i.e append the DataInfluence and the definition class in a method.

[Anilople]

Why need isDeleted here?

[Anilople]

Can we append DataInfluence after method finished?

Maybe after pjp.proceed() finished, just call a method in api will be more simpler?

for example

returnVal = pjp.proceed();
Class<?> xxxEntity = // get from method signaure, argument with annotation
api.appendDataInfluenceList(xxxEntity, dataInfluenceList);

and it work will without appendDataInfluenceWrapper?

[Anilople]

Suggested change

	apollo.audit.log.enabled = false
	# true: enabled the new feature of audit log
	# false: disable it
	apollo.audit.log.enabled = false

[Anilople]

Can we move ApolloAuditSpanService and ApolloAuditConfiguration to audit-log module?

The logic in portal or admin service are equal? i.e always add some information to RequestContextHolder.getRequestAttributes(); if those information don't exist.

[Anilople]

The comment

[Anilople]

Suggested change

	public interface ApolloAuditHttpHeader {
	public interface ApolloAuditHttpHeaderContants {

[Anilople]

If two thread invoke the activate method, the field will be overwrite.

[Anilople]

Why need aspectj here? the aop?

[Anilople]

• NoOpApolloAuditHttpInterceptor?

[Anilople]

Add comment like admin service for user

[Anilople]

Can we delete this class?

[Anilople]

Suggested change

	@ApolloAuditLog(type = OpType.UPDATE, name = "user-command.app.update")
	@ApolloAuditLog(type = OpType.UPDATE, name = "app.update")

if in openapi, use openapi.app.update

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

Missing semicolon.

[hound]

'let' is available in ES6 (use 'esversion: 6') or Mozilla JS extensions (use moz).

[hound]

Missing semicolon.