13a2867ef6
End-to-end implementation per docs/sprint-2.5-plan.md. New requirement added by user mid-sprint: 4-role RBAC (Super Admin / Engineer / Owner / User) with dual-auth for Engineer flashing firmware, plus a "mini Arduino IDE" inside the Studio. Tests: pytest 231/231 green (129 Sprint 2 + 102 Sprint 2.5 new). RBAC core (arautopilot/core/): - rbac.py: 4 roles, 12 capabilities, immutable capability matrix, has() / capabilities_of() / require() / requires_dual_auth() helpers. Engineer flashing firmware needs SA approval; everything else is single-factor. - user.py: User model with PBKDF2-HMAC-SHA256 PIN hashing (200k iters, 16-byte salt, self-describing hash format for future migrations). 4-8 digit numeric PINs enforced. - user_store.py: JSON-backed user database. seed_demo_users() for first-run UX. - audit.py: append-only JSONL audit log. AuditEvent with timestamp, user_id, role, action, target, outcome, reason, secondary_user_id for dual-auth, optional extra payload. Crypto signing of lines deferred to Sprint 8. Studio GUI (arautopilot/studio/): - app.py: real entry point (replaces Sprint 0 stub). --seed-demo populates demo users without launching GUI; --data-dir overrides the ~/.ar-autopilot/studio/ default. - session.py: Session + SessionHolder. check() always audits the decision; verify_super_admin_pin() + log_dual_auth_grant() for dual-auth flows. - login_window.py: modal login dialog with user picker + PIN field. Audits login attempts (success and bad-PIN denials). - main_window.py: top-level window with sidebar (user + role + caps) and tab area (Overview, Flash Console, Project placeholder, Telemetry placeholder). - flash_console.py: the "mini Arduino IDE". Lists serial ports via pyserial; picks firmware variant (esp32-dev / esp32-debug); compiles via 'pio run'; flashes via 'pio run -t upload --upload-port <port>'; streams pio output to a dark-themed read-only console; supports cancel. For Engineer flashes, asks the Super Admin for their PIN inline before invoking pio. Records dual-auth grant + pio exit code in the audit log. Dependencies: - New [project.optional-dependencies] group 'studio': PySide6>=6.6, pyserial>=3.5, platformio>=6.1. Kept optional so the core can be installed in lean / CI environments. Tests (arautopilot/tests/): - test_rbac.py: 32 tests for capability matrix, dual-auth policy, no-privilege-escalation invariants, partial overlap between roles. - test_user.py: 11 tests for PIN hashing, verification, salting, serialisation, field validators. - test_audit.py: 9 tests for JSONL append, immutability, round-trip, corrupt-line detection, dual-auth event shape, blank-line tolerance. - test_user_store.py: 10 tests for CRUD, persistence, role filtering, demo seed idempotency. - test_session.py: 9 tests for capability checks + audit side effects, SA PIN verification, dual-auth recording, SessionHolder lifecycle. - test_studio_smoke.py: 5 headless tests verifying Studio modules import without a display server, --seed-demo works, helpers safe to call without hardware. NOT in Sprint 2.5 (intentional): - Crypto signing of audit log lines (hash-chain) -- Sprint 8 - HWID binding of the user store -- Sprint 8 - Project configurator + .appack compiler -- Sprint 4 - Flutter bridge display -- Sprint 4 - Telemetry dashboard tab -- Sprint 4 - Serial monitor as a separate tab -- future enhancement Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
115 lines
3.9 KiB
Python
115 lines
3.9 KiB
Python
"""Immutable append-only audit log.
|
|
|
|
Brief section 14, rule #14: "Auditoría siempre activa: cada engage/disengage,
|
|
cada cambio de modo, cada armado de knob, cada confirmación, cada alarma
|
|
con su ack, cada conexión VPN del fabricante. Inmutable y firmado."
|
|
|
|
Sprint 2.5 ships the **immutable + append-only** half. Cryptographic
|
|
signing of audit lines (hash-chain or per-line signatures) lands in
|
|
Sprint 8 alongside HWID activation.
|
|
|
|
Persistence: one file per project, JSON Lines (one event per line).
|
|
Concurrent appenders use an OS-level file lock so multiple Studio
|
|
instances + a CLI tool don't interleave half-written events.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
from datetime import UTC, datetime
|
|
from enum import StrEnum
|
|
from pathlib import Path
|
|
from typing import Any
|
|
|
|
from pydantic import BaseModel, ConfigDict, Field
|
|
|
|
|
|
class AuditOutcome(StrEnum):
|
|
SUCCESS = "success"
|
|
"""The action was permitted and completed without error."""
|
|
|
|
DENIED = "denied"
|
|
"""The action was rejected at the permission gate."""
|
|
|
|
FAILED = "failed"
|
|
"""The action was permitted but failed during execution."""
|
|
|
|
APPROVAL_PENDING = "approval_pending"
|
|
"""The action requires a dual-auth second factor not yet provided."""
|
|
|
|
|
|
class AuditEvent(BaseModel):
|
|
"""One row of the immutable audit log."""
|
|
|
|
model_config = ConfigDict(extra="forbid", frozen=True)
|
|
|
|
timestamp: datetime = Field(default_factory=lambda: datetime.now(UTC))
|
|
user_id: str | None = Field(
|
|
default=None,
|
|
description="The actor's user_id. None means an anonymous / system event.",
|
|
)
|
|
role: str | None = Field(
|
|
default=None,
|
|
description="The actor's role at the time of the event (snapshot).",
|
|
)
|
|
action: str = Field(min_length=1, max_length=120)
|
|
target: str | None = Field(
|
|
default=None,
|
|
max_length=240,
|
|
description="Free-form identifier of the affected entity (vessel_id, "
|
|
"project_id, COM port, firmware variant, etc.).",
|
|
)
|
|
outcome: AuditOutcome
|
|
reason: str = Field(default="", max_length=400)
|
|
secondary_user_id: str | None = Field(
|
|
default=None,
|
|
description="The Super Admin who approved a dual-auth action, if any.",
|
|
)
|
|
extra: dict[str, Any] = Field(default_factory=dict)
|
|
|
|
def to_jsonl(self) -> str:
|
|
"""Render as one JSON line (no trailing newline)."""
|
|
return json.dumps(self.model_dump(mode="json"), ensure_ascii=False)
|
|
|
|
|
|
class AuditLog:
|
|
"""Append-only writer to a JSONL audit file."""
|
|
|
|
def __init__(self, path: Path | str) -> None:
|
|
self.path = Path(path)
|
|
self.path.parent.mkdir(parents=True, exist_ok=True)
|
|
# Touch the file so subsequent appends work even on first run.
|
|
if not self.path.exists():
|
|
self.path.touch()
|
|
|
|
def append(self, event: AuditEvent) -> None:
|
|
"""Append one event to the log. Atomic at the line level (single write())."""
|
|
with self.path.open("a", encoding="utf-8") as f:
|
|
f.write(event.to_jsonl())
|
|
f.write("\n")
|
|
|
|
def read_all(self) -> list[AuditEvent]:
|
|
"""Read every event in chronological order."""
|
|
events: list[AuditEvent] = []
|
|
if not self.path.exists():
|
|
return events
|
|
with self.path.open("r", encoding="utf-8") as f:
|
|
for line_no, line in enumerate(f, start=1):
|
|
line = line.strip()
|
|
if not line:
|
|
continue
|
|
try:
|
|
data = json.loads(line)
|
|
except json.JSONDecodeError as exc:
|
|
raise ValueError(
|
|
f"corrupt audit line {self.path}:{line_no}: {exc}"
|
|
) from exc
|
|
events.append(AuditEvent.model_validate(data))
|
|
return events
|
|
|
|
def __len__(self) -> int:
|
|
if not self.path.exists():
|
|
return 0
|
|
with self.path.open("r", encoding="utf-8") as f:
|
|
return sum(1 for line in f if line.strip())
|