mirror of
https://github.com/SigNoz/signoz.git
synced 2026-04-18 01:40:28 +01:00
* feat(audit): add telemetry audit query infrastructure

Add pkg/telemetryaudit/ with tables, field mapper, condition builder, and statement builder for querying audit logs from signoz_audit database. Add SourceAudit to source enum and integrate audit key resolution into the metadata store.

* chore: address review comments

Comment out SourceAudit from Enum() until frontend is ready. Use actual audit table constants in metadata test helpers.

* fix(audit): align field mapper with actual audit DDL schema

Remove resources_string (not in audit table DDL). Add event_name as intrinsic column. Resource context resolves only through the resource JSON column.

* feat(audit): add audit field value autocomplete support

Wire distributed_tag_attributes_v2 for signoz_audit into the metadata store. Add getAuditFieldValues() and route SignalLogs + SourceAudit to it in GetFieldValues().

* test(audit): add statement builder tests

Cover all three request types (list, time series, scalar) with audit-specific query patterns: materialized column filters, AND/OR conditions, limit CTEs, and group-by expressions.

* refactor(audit): inline field key map into test file

Remove test_data.go and inline the audit field key map directly into statement_builder_test.go with a compact helper function.

* style(audit): move column map to const.go, use sqlbuilder.As in metadata

Move logsV2Columns from field_mapper.go to const.go to colocate all column definitions. Switch getAuditKeys() to use sb.As() instead of raw string formatting. Fix FieldContext alignment.

* fix(audit): align table names with schema migration

Migration uses logs/distributed_logs (not logs_v2/distributed_logs_v2). Rename LogsV2TableName to LogsTableName and LogsV2LocalTableName to LogsLocalTableName to match the actual signoz_audit DDL.

* feat(audit): add integration test fixture for audit logs

AuditLog fixture inserts into all 5 signoz_audit tables matching the schema migration DDL: distributed_logs (no resources_string, has event_name), distributed_logs_resource, distributed_tag_attributes_v2, distributed_logs_attribute_keys, distributed_logs_resource_keys.

* fix(audit): rename tag_attributes_v2 to tag_attributes

Migration uses tag_attributes/distributed_tag_attributes (no _v2 suffix). Rename constants and update all references including the integration test fixture.

* feat(audit): wire audit statement builder into querier

Add auditStmtBuilder to querier struct and route LogAggregation queries with source=audit to it in all three dispatch locations (main query, live tail, shiftedQuery). Create and wire the full audit query stack in signozquerier provider.

* test(audit): add integration tests for audit log querying

Cover the documented query patterns: list all events, filter by principal ID, filter by outcome, filter by resource name+ID, filter by principal type, scalar count for alerting, and isolation test ensuring audit data doesn't leak into regular logs.

* fix(audit): revert sb.As in getAuditKeys, fix fixture column_names

Revert getAuditKeys to use raw SQL strings instead of sb.As() which incorrectly treated string literals as column references. Add explicit column_names to all ClickHouse insert calls in the audit fixture.

* fix(audit): remove debug assertion from integration test

* feat(audit): internalize resource filter in audit statement builder

Build the resource filter internally pointing at signoz_audit.distributed_logs_resource. Add LogsResourceTableName constant. Remove resourceFilterStmtBuilder from constructor params. Update test expectations to use the audit resource table.

* fix(audit): rename resource.name to resource.kind, move to resource attributes

Align with schema change from SigNoz/signoz#10826:
- signoz.audit.resource.name renamed to signoz.audit.resource.kind
- resource.kind and resource.id moved from event attributes to OTel Resource attributes (resource JSON column)
- Materialized columns reduced from 7 to 5 (resource.kind and resource.id no longer materialized)

* refactor(audit): use pytest.mark.parametrize for filter integration tests

Consolidate filter test functions into a single parametrized test. 6/8 tests passing; resource kind+ID filter and scalar count need further investigation (resource filter JSON key extraction with dotted keys, scalar response format).

* fix(audit): add source to resource filter for correct metadata routing

Add source param to telemetryresourcefilter.New so the resource filter's key selectors include Source when calling GetKeysMulti. Without this, audit resource keys route to signoz_logs metadata tables instead of signoz_audit. Fix scalar test to use table response format (columns+data, not rows).

* refactor(audit): reuse querier fixtures in integration tests

Add source param to BuilderQuery and build_scalar_query in the querier fixture. Replace custom _build_audit_query and _build_audit_ts_query helpers with BuilderQuery and build_scalar_query from the shared fixtures.

* refactor(audit): remove wrapper helpers, inline make_query_request calls

Remove _query_audit_raw and _query_audit_scalar helpers. Use make_query_request, BuilderQuery, and build_scalar_query directly. Compute time window at test execution time via _time_window() to avoid stale module-level timestamps.

* refactor(audit): inline _time_window into test functions

* style(audit): use snake_case for pytest parametrize IDs

* refactor(audit): inline DEFAULT_ORDER using build_order_by

Use build_order_by from querier fixtures instead of OrderBy/TelemetryFieldKey dataclasses. Allow BuilderQuery.order to accept plain dicts alongside OrderBy objects.

* refactor(audit): inline all data setup, use distinct scenarios per test

Remove _insert_standard_audit_events helper. Each test now owns its data: list_all uses alert-rule/saved-view/user resource types, scalar_count uses multiple failures from different principals (count=2), leak test uses a single organization event. Parametrized filter tests keep the original 5-event dataset.

* fix(audit): remove silent empty-string guards in metadata store

Remove guards that silently returned nil/empty when audit DB params were empty. All call sites now pass real constants, so misconfiguration should fail loudly rather than produce silent empty results.

* style(audit): remove module docstring from integration test

* style: formatting fix in tables file

* style: formatting fix in tables file

* fix: add auditStmtBuilder nil param to querier_test.go

* fix: fix fmt