futu_core/

audit_log_writer.rs

//! Shared secure audit log writer.
//!
//! The daemon and auth crate both need identical audit JSONL writer behavior:
//! directory paths roll daily as `futu-audit.log*`, log directories are tightened
//! to 0700, log files are tightened to 0600, and world-readable temp paths emit a
//! visible warning. Keeping the implementation here avoids silent drift between
//! `futu-core::log` and `futu-auth::audit`.

use std::path::Path;

/// Open an audit output path as a non-blocking writer.
///
/// - Existing directories, trailing-slash paths, and extension-less paths are
///   treated as daily rolling directories.
/// - Paths with extensions are treated as single append-only files.
pub fn open_writer(
    path: &Path,
) -> std::io::Result<(
    tracing_appender::non_blocking::NonBlocking,
    tracing_appender::non_blocking::WorkerGuard,
)> {
    let is_dir_hint = path.is_dir()
        || path.as_os_str().to_string_lossy().ends_with('/')
        || path.extension().is_none();

    warn_if_world_readable_path(path);

    if is_dir_hint {
        std::fs::create_dir_all(path)?;
        tighten_dir_perms(path);
        tighten_log_files_in_dir(path);
        let appender = tracing_appender::rolling::daily(path, "futu-audit.log");
        let wrapped = Mode0600Appender::new(appender, path.to_path_buf());
        Ok(tracing_appender::non_blocking(wrapped))
    } else {
        if let Some(parent) = path.parent()
            && !parent.as_os_str().is_empty()
        {
            std::fs::create_dir_all(parent)?;
            tighten_dir_perms(parent);
        }
        let file = open_file_0600(path)?;
        Ok(tracing_appender::non_blocking(file))
    }
}

/// Best-effort tighten audit log directory permissions to 0700 on Unix.
///
/// Already stricter permissions are preserved; Windows and other platforms are
/// no-ops.
#[cfg(unix)]
pub fn tighten_dir_perms(path: &Path) {
    use std::os::unix::fs::PermissionsExt;
    if let Ok(meta) = std::fs::metadata(path) {
        let cur = meta.permissions().mode() & 0o777;
        if cur & 0o077 != 0
            && let Err(err) = std::fs::set_permissions(path, std::fs::Permissions::from_mode(0o700))
        {
            eprintln!(
                "futu-opend: failed to tighten audit log directory permissions {}: {}",
                path.display(),
                err
            );
        }
    }
}

#[cfg(not(unix))]
pub fn tighten_dir_perms(_path: &Path) {}

/// Open an audit log file with 0600 permissions on Unix.
///
/// Existing files are tightened if they are too loose. Already stricter files
/// are preserved.
pub fn open_file_0600(path: &Path) -> std::io::Result<std::fs::File> {
    let mut opts = std::fs::OpenOptions::new();
    opts.append(true).create(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600);
    }
    let file = opts.open(path)?;
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        if let Ok(meta) = file.metadata() {
            let cur = meta.permissions().mode() & 0o777;
            if cur & 0o077 != 0
                && let Err(err) =
                    std::fs::set_permissions(path, std::fs::Permissions::from_mode(0o600))
            {
                eprintln!(
                    "futu-opend: failed to tighten audit log file permissions {}: {}",
                    path.display(),
                    err
                );
            }
        }
    }
    Ok(file)
}

/// Emit a warning when the audit log path lives under a world-readable temp dir.
pub fn warn_if_world_readable_path(path: &Path) {
    let s = path.as_os_str().to_string_lossy();
    let world_readable_prefixes = ["/tmp/", "/var/tmp/", "/private/tmp/", "/tmp"];
    for prefix in &world_readable_prefixes {
        if s == *prefix || s.starts_with(prefix) {
            eprintln!(
                "⚠️  audit log path {s:?} 位于 world-readable 目录 (mode 1777). \
                 audit log 含账户 id + redacted token 占位 + timestamp, 同机其他\n\
                 用户 (包括 agent skill) 可读. 建议改用 ~/.futu-opend-rs/logs/ \
                 或 /var/log/futu/ 等 0700 目录."
            );
            break;
        }
    }
}

struct Mode0600Appender {
    inner: tracing_appender::rolling::RollingFileAppender,
    dir: std::path::PathBuf,
    last_tighten: std::sync::atomic::AtomicU64,
}

impl Mode0600Appender {
    fn new(inner: tracing_appender::rolling::RollingFileAppender, dir: std::path::PathBuf) -> Self {
        Self {
            inner,
            dir,
            last_tighten: std::sync::atomic::AtomicU64::new(0),
        }
    }

    fn maybe_tighten(&self) {
        let now = audit_log_unix_secs_or_zero();
        let last = self.last_tighten.load(std::sync::atomic::Ordering::Relaxed);
        if now > last
            && self
                .last_tighten
                .compare_exchange(
                    last,
                    now,
                    std::sync::atomic::Ordering::Relaxed,
                    std::sync::atomic::Ordering::Relaxed,
                )
                .is_ok()
        {
            tighten_log_files_in_dir(&self.dir);
        }
    }
}

fn audit_log_unix_secs_or_zero() -> u64 {
    match std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH) {
        Ok(elapsed) => elapsed.as_secs(),
        Err(err) => {
            eprintln!(
                "futu-opend: audit log wall clock is before UNIX_EPOCH; \
                 using zero timestamp fallback: {err}"
            );
            0
        }
    }
}

impl std::io::Write for Mode0600Appender {
    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
        let n = self.inner.write(buf)?;
        self.maybe_tighten();
        Ok(n)
    }

    fn flush(&mut self) -> std::io::Result<()> {
        self.inner.flush()
    }
}

/// Best-effort chmod all `futu-audit.log*` files in a rolling audit directory.
#[cfg(unix)]
pub fn tighten_log_files_in_dir(dir: &Path) {
    use std::os::unix::fs::PermissionsExt;
    let Ok(rd) = std::fs::read_dir(dir) else {
        return;
    };
    for entry in rd.flatten() {
        let p = entry.path();
        let name = match p.file_name().and_then(|n| n.to_str()) {
            Some(n) => n,
            None => continue,
        };
        if !name.starts_with("futu-audit.log") {
            continue;
        }
        if let Ok(meta) = std::fs::metadata(&p) {
            if !meta.is_file() {
                continue;
            }
            let cur = meta.permissions().mode() & 0o777;
            if cur & 0o077 != 0
                && let Err(err) =
                    std::fs::set_permissions(&p, std::fs::Permissions::from_mode(0o600))
            {
                eprintln!(
                    "futu-opend: failed to tighten audit log file permissions {}: {}",
                    p.display(),
                    err
                );
            }
        }
    }
}

#[cfg(not(unix))]
pub fn tighten_log_files_in_dir(_dir: &Path) {}

#[cfg(test)]
mod tests;