feat: Beta support for next generation SAP Audit Log Service (#162)

Co-authored-by: Miroslav Tsvetanov <Miroslav.Tsvetanov@sap.com>
Co-authored-by: sjvans <30337871+sjvans@users.noreply.github.com>
Co-authored-by: D050513 <sebastian.van.syckel@sap.com>

Author: 3 people

.github/workflows/ci.yml

@@ -39,3 +39,4 @@ jobs:
           ALS_CREDS_OAUTH2: ${{ secrets.ALS_CREDS_OAUTH2 }}
           ALS_CREDS_STANDARD: ${{ secrets.ALS_CREDS_STANDARD }}
           ALS_CREDS_PREMIUM: ${{ secrets.ALS_CREDS_PREMIUM }}
+          ALS_CREDS_NG: ${{ secrets.ALS_CREDS_NG }}

.gitignore

@@ -137,3 +137,5 @@ package-lock.json
 .npmrc
 .babelrc
 .prettierrc.js
+.vscode/
+.vscode-test/

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## Version 1.0.0 - 2025-07-11
+
+### Added
+
+- Beta support for next generation SAP Audit Log Service
+  - Use explicit kind `audit-log-to-alsng` or alpha auto-detect kind `audit-log-to-als`
+
 ## Version 0.9.0 - 2025-06-05
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cap-js/audit-logging",
-  "version": "0.9.0",
+  "version": "1.0.0",
   "description": "CDS plugin providing integration to the SAP Audit Log service as well as out-of-the-box personal data-related audit logging based on annotations.",
   "repository": "cap-js/audit-logging",
   "author": "SAP SE (https://www.sap.com)",
@@ -53,11 +53,17 @@
         "audit-log-to-console": {
           "impl": "@cap-js/audit-logging/srv/log2console"
         },
+        "audit-log-to-als": {
+          "impl": "@cap-js/audit-logging/srv/log2als"
+        },
         "audit-log-to-restv2": {
           "impl": "@cap-js/audit-logging/srv/log2restv2",
           "vcap": {
             "label": "auditlog"
           }
+        },
+        "audit-log-to-alsng": {
+          "impl": "@cap-js/audit-logging/srv/log2alsng"
         }
       }
     }

srv/log2als.js

@@ -0,0 +1,4 @@
+const credentials = JSON.parse(process.env.VCAP_SERVICES) || {}
+const isV3 = credentials['user-provided']?.some(obj => obj.tags.includes('auditlog-ng'))
+
+module.exports = isV3 ? require('./log2alsng') : require('./log2restv2')

srv/log2alsng.js

@@ -0,0 +1,178 @@
+const cds = require('@sap/cds')
+
+const LOG = cds.log('audit-log')
+
+const https = require('https')
+
+const AuditLogService = require('./service')
+
+module.exports = class AuditLog2ALSNG extends AuditLogService {
+  constructor() {
+    super()
+    this._vcap = JSON.parse(process.env.VCAP_SERVICES || '{}')
+    this._userProvided = this._vcap['user-provided']?.find(obj => obj.tags.includes('auditlog-ng')) || {}
+    if (!this._userProvided.credentials) throw new Error('No credentials found for SAP Audit Log Service NG')
+    this._vcapApplication = this._vcap['VCAP_APPLICATION'] || {}
+  }
+
+  async init() {
+    this.on('*', function (req) {
+      const { event, data } = req
+      return this.eventMapper(event, data)
+    })
+    await super.init()
+  }
+
+  eventMapper(event, data) {
+    return {
+      PersonalDataModified: () => this.logEvent('dppDataModification', data),
+      SensitiveDataRead: () => this.logEvent('dppDataAccess', data),
+      ConfigurationModified: () => this.logEvent('configurationChange', data),
+      SecurityEvent: () => this.logEvent('legacySecurityWrapper', data)
+    }[event]()
+  }
+
+  eventDataPayload(event, data) {
+    const object = data['object'] || { type: 'not provided', id: { ID: 'not provided' } }
+    const channel = data['channel'] || { type: 'not specified', id: 'not specified' }
+    const subject = data['data_subject'] || { type: 'not provided', id: { ID: 'not provided' } }
+    const attributes = data['attributes'] || [{ name: 'not provided', old: 'not provided', new: 'not provided' }]
+    const objectId = object['id']?.['ID'] || 'not provided'
+    const oldValue = attributes[0]['old'] ?? ''
+    const newValue = attributes[0]['new'] ?? ''
+    const dataSubjectId = subject['id']?.['ID'] || 'not provided'
+    return {
+      dppDataModification: {
+        objectType: object['type'],
+        objectId: objectId,
+        attribute: attributes[0]['name'],
+        oldValue: oldValue,
+        newValue: newValue,
+        dataSubjectType: subject['type'],
+        dataSubjectId: dataSubjectId
+      },
+      dppDataAccess: {
+        channelType: channel['type'],
+        channelId: channel['id'],
+        dataSubjectType: subject['type'],
+        dataSubjectId: dataSubjectId,
+        objectType: object['type'],
+        objectId: objectId,
+        attribute: attributes[0]['name']
+      },
+      configurationChange: {
+        propertyName: attributes[0]['name'],
+        oldValue: oldValue,
+        newValue: newValue,
+        objectType: object['type'],
+        objectId: objectId
+      },
+      legacySecurityWrapper: {
+        origEvent: JSON.stringify({
+          ...data,
+          data:
+            typeof data.data === 'object' && data.data !== null && !Array.isArray(data.data)
+              ? JSON.stringify(data.data)
+              : data.data
+        })
+      }
+    }[event]
+  }
+
+  eventPayload(event, data) {
+    const tenant = cds.context?.tenant || null
+    const timestamp = new Date().toISOString()
+
+    const eventData = {
+      id: cds.utils.uuid(),
+      specversion: 1,
+      source: `/${this._userProvided.credentials?.region}/${this._userProvided.credentials?.namespace}/${tenant}`,
+      type: event,
+      time: timestamp,
+      data: {
+        metadata: {
+          ts: timestamp,
+          appId: this._vcapApplication.application_id || 'default app',
+          infrastructure: {
+            other: {
+              runtimeType: 'Node.js'
+            }
+          },
+          platform: {
+            other: {
+              platformName: 'CAP'
+            }
+          }
+        },
+        data: {
+          [event]: this.eventDataPayload(event, data)
+        }
+      }
+    }
+
+    return eventData
+  }
+
+  logEvent(event, data) {
+    const passphrase = this._userProvided.credentials?.keyPassphrase
+    const url = new URL(`${this._userProvided.credentials?.url}/ingestion/v1/events`)
+    let eventData = []
+
+    if (event === 'legacySecurityWrapper') {
+      eventData = JSON.stringify([this.eventPayload(event, data)])
+    } else {
+      eventData = data['attributes'].map(attr => {
+        return this.eventPayload(event, {
+          ...data,
+          attributes: [attr]
+        })
+      })
+      eventData = JSON.stringify(eventData)
+    }
+
+    const options = {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(eventData)
+      },
+      key: this._userProvided.credentials?.key,
+      cert: this._userProvided.credentials?.cert,
+      ...(passphrase !== undefined && { passphrase })
+    }
+
+    return new Promise((resolve, reject) => {
+      const req = https.request(url, options, res => {
+        LOG.trace('🛰️ Status Code:', res.statusCode)
+
+        const chunks = []
+        res.on('data', chunk => chunks.push(chunk))
+
+        res.on('end', () => {
+          const { statusCode, statusMessage } = res
+          let body = Buffer.concat(chunks).toString()
+          if (res.headers['content-type']?.match(/json/)) body = JSON.parse(body)
+          if (res.statusCode >= 400) {
+            // prettier-ignore
+            const err = new Error(`Request failed with${statusMessage ? `: ${statusCode} - ${statusMessage}` : ` status ${statusCode}`}`)
+            err.request = { method: options.method, url, headers: options.headers, body: data }
+            if (err.request.headers.authorization)
+              err.request.headers.authorization = err.request.headers.authorization.split(' ')[0] + ' ***'
+            err.response = { statusCode, statusMessage, headers: res.headers, body }
+            reject(err)
+          } else {
+            resolve(body)
+          }
+        })
+      })
+
+      req.on('error', e => {
+        reject(e.message)
+        LOG.trace(`Problem with request: ${e.message}`)
+      })
+
+      req.write(eventData)
+      req.end()
+    })
+  }
+}

test/integration/ng.test.js

@@ -0,0 +1,22 @@
+const cds = require('@sap/cds')
+
+const { POST } = cds.test().in(__dirname)
+
+cds.env.requires['audit-log'].kind = 'audit-log-to-alsng'
+cds.env.requires['audit-log'].impl = '@cap-js/audit-logging/srv/log2alsng'
+const VCAP_SERVICES = {
+  'user-provided': [
+    {
+      tags: ['auditlog-ng'],
+      credentials: process.env.ALS_CREDS_NG && JSON.parse(process.env.ALS_CREDS_NG)
+    }
+  ]
+}
+process.env.VCAP_SERVICES = JSON.stringify(VCAP_SERVICES)
+
+describe('Log to Audit Log Service NG ', () => {
+  if (!VCAP_SERVICES['user-provided'][0].credentials)
+    return test.skip('Skipping tests due to missing credentials', () => {})
+
+  require('./tests')(POST)
+})