feat(opsserver): add health, audit, cluster health, and durable credential management hardening

2026-04-30 07:10:21 +00:00
parent c3e5cabe3d
commit f4e5f02d0c
34 changed files with 1722 additions and 320 deletions
@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';

 export class ObjectsHandler {
  public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -34,8 +34,15 @@ export class ObjectsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteObject>(
        'deleteObject',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await this.opsServerRef.objectStorageRef.deleteObject(dataArg.bucketName, dataArg.key);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'object.delete',
+            targetType: 'object',
+            targetId: `${dataArg.bucketName}/${dataArg.key}`,
+            success: true,
+          });
          return { ok: true };
        },
      ),
@@ -57,13 +64,20 @@ export class ObjectsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutObject>(
        'putObject',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await this.opsServerRef.objectStorageRef.putObject(
            dataArg.bucketName,
            dataArg.key,
            dataArg.base64Content,
            dataArg.contentType,
          );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'object.put',
+            targetType: 'object',
+            targetId: `${dataArg.bucketName}/${dataArg.key}`,
+            success: true,
+          });
          return { ok: true };
        },
      ),
@@ -74,8 +88,15 @@ export class ObjectsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeletePrefix>(
        'deletePrefix',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await this.opsServerRef.objectStorageRef.deletePrefix(dataArg.bucketName, dataArg.prefix);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'objectPrefix.delete',
+            targetType: 'objectPrefix',
+            targetId: `${dataArg.bucketName}/${dataArg.prefix}`,
+            success: true,
+          });
          return { ok: true };
        },
      ),
@@ -98,12 +119,22 @@ export class ObjectsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MoveObject>(
        'moveObject',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          return await this.opsServerRef.objectStorageRef.moveObject(
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.opsServerRef.objectStorageRef.moveObject(
            dataArg.bucketName,
            dataArg.sourceKey,
            dataArg.destKey,
          );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'object.move',
+            targetType: 'object',
+            targetId: `${dataArg.bucketName}/${dataArg.sourceKey}`,
+            success: result.success,
+            metadata: { destKey: dataArg.destKey },
+            message: result.error,
+          });
+          return result;
        },
      ),
    );
@@ -113,12 +144,22 @@ export class ObjectsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MovePrefix>(
        'movePrefix',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          return await this.opsServerRef.objectStorageRef.movePrefix(
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.opsServerRef.objectStorageRef.movePrefix(
            dataArg.bucketName,
            dataArg.sourcePrefix,
            dataArg.destPrefix,
          );
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'objectPrefix.move',
+            targetType: 'objectPrefix',
+            targetId: `${dataArg.bucketName}/${dataArg.sourcePrefix}`,
+            success: result.success,
+            metadata: { destPrefix: dataArg.destPrefix },
+            message: result.error,
+          });
+          return result;
        },
      ),
    );