auditAIProviderKeyChanges emits one audit entry per added or removed key, attributed to the actor on the HTTP request. Per-key entries keep key rotation visible in the audit log because the parent AIProvider audit diff is empty for key-only PATCHes (keys live in a separate table). APIKey is replace
(ctx context.Context, r *http.Request, auditor audit.Auditor, log slog.Logger, changes aiProviderKeyChanges)
| 638 | // the audit pipeline so plaintext keys never land in the diff or any |
| 639 | // audit backend, independent of the api_key column's audit policy. |
| 640 | func auditAIProviderKeyChanges(ctx context.Context, r *http.Request, auditor audit.Auditor, log slog.Logger, changes aiProviderKeyChanges) { |
| 641 | if len(changes.Added) == 0 && len(changes.Removed) == 0 { |
| 642 | return |
| 643 | } |
| 644 | key, ok := httpmw.APIKeyOptional(r) |
| 645 | if !ok { |
| 646 | return |
| 647 | } |
| 648 | requestID, _ := httpmw.RequestIDOptional(r) |
| 649 | emit := func(action database.AuditAction, before, after database.AIProviderKey) { |
| 650 | before.APIKey = aibridgeutils.MaskSecret(before.APIKey) |
| 651 | after.APIKey = aibridgeutils.MaskSecret(after.APIKey) |
| 652 | audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.AIProviderKey]{ |
| 653 | Audit: auditor, |
| 654 | Log: log, |
| 655 | UserID: key.UserID, |
| 656 | RequestID: requestID, |
| 657 | Status: http.StatusOK, |
| 658 | IP: r.RemoteAddr, |
| 659 | UserAgent: r.UserAgent(), |
| 660 | Action: action, |
| 661 | Old: before, |
| 662 | New: after, |
| 663 | }) |
| 664 | } |
| 665 | for _, k := range changes.Removed { |
| 666 | emit(database.AuditActionDelete, k, database.AIProviderKey{}) |
| 667 | } |
| 668 | for _, k := range changes.Added { |
| 669 | emit(database.AuditActionCreate, database.AIProviderKey{}, k) |
| 670 | } |
| 671 | } |
| 672 | |
| 673 | // applyAIProviderKeyOps reconciles a provider's keys against the |
| 674 | // supplied mutation list inside a transaction: kept-by-ID rows stay, |
no test coverage detected