Module: Legion::Phi::AccessLog

Defined in:

lib/legion/phi/access_log.rb

Constant Summary

AUDIT_EVENT_TYPE =

'phi_access'

Class Method Summary

• .build_entry(actor:, resource:, action:, phi_fields:, reason:) ⇒ Object
• .emit_warning(message) ⇒ Object
• .format_detail(entry) ⇒ Object
• .log_access(actor:, resource:, action:, phi_fields:, reason: nil) ⇒ Object

  Logs PHI access to the audit trail.

• .log_access!(actor:, resource:, action:, phi_fields:, reason: nil) ⇒ Object

  Same as log_access but raises on failure.

• .log_to_logger(entry) ⇒ Object
• .persist(entry) ⇒ Object
• .persist!(entry) ⇒ Object
• .query_in_memory ⇒ Object
• .query_via_audit(resource:, limit:) ⇒ Object
• .recent_access(resource:, limit: 100) ⇒ Object

  Query recent PHI access records for a given resource.

• .record_via_audit(entry) ⇒ Object
• .record_via_audit!(entry) ⇒ Object

Class Method Details

.build_entry(actor:, resource:, action:, phi_fields:, reason:) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 38

def build_entry(actor:, resource:, action:, phi_fields:, reason:)
  {
    actor:      actor.to_s,
    resource:   resource.to_s,
    action:     action.to_s,
    phi_fields: Array(phi_fields).map(&:to_s),
    reason:     reason&.to_s,
    timestamp:  Time.now.utc.iso8601
  }
end

.emit_warning(message) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 99

def emit_warning(message)
  Legion::Logging.warn(message) if defined?(Legion::Logging)
rescue NoMethodError
  Kernel.warn(message)
end

.format_detail(entry) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 105

def format_detail(entry)
  "fields=#{entry[:phi_fields].join(',')};reason=#{entry[:reason]}"
end

.log_access(actor:, resource:, action:, phi_fields:, reason: nil) ⇒ Object

Logs PHI access to the audit trail. Returns true on success, false on failure.

# File 'lib/legion/phi/access_log.rb', line 11

def log_access(actor:, resource:, action:, phi_fields:, reason: nil)
  entry = build_entry(actor: actor, resource: resource, action: action,
                      phi_fields: phi_fields, reason: reason)
  persist(entry)
  true
rescue StandardError => e
  emit_warning("PHI access log failed: #{e.message}")
  false
end

.log_access!(actor:, resource:, action:, phi_fields:, reason: nil) ⇒ Object

Same as log_access but raises on failure.

# File 'lib/legion/phi/access_log.rb', line 22

def log_access!(actor:, resource:, action:, phi_fields:, reason: nil)
  entry = build_entry(actor: actor, resource: resource, action: action,
                      phi_fields: phi_fields, reason: reason)
  persist!(entry)
  true
end

.log_to_logger(entry) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 89

def log_to_logger(entry)
  return unless defined?(Legion::Logging)

  Legion::Logging.info(
    "[PHI ACCESS] actor=#{entry[:actor]} resource=#{entry[:resource]} " \
    "action=#{entry[:action]} fields=#{entry[:phi_fields].join(',')} " \
    "reason=#{entry[:reason]} at=#{entry[:timestamp]}"
  )
end

.persist(entry) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 49

def persist(entry)
  if defined?(Legion::Audit)
    record_via_audit(entry)
  else
    log_to_logger(entry)
  end
end

.persist!(entry) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 57

def persist!(entry)
  if defined?(Legion::Audit)
    record_via_audit!(entry)
  else
    log_to_logger(entry)
  end
end

.query_in_memory ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 118

def query_in_memory(**)
  []
end

.query_via_audit(resource:, limit:) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 109

def query_via_audit(resource:, limit:)
  return [] unless defined?(Legion::Data::Model::AuditLog)

  Legion::Audit.recent(limit: limit, resource: resource, event_type: AUDIT_EVENT_TYPE)
rescue StandardError => e
  Legion::Logging.warn "Phi::AccessLog#query_via_audit failed for resource=#{resource}: #{e.message}" if defined?(Legion::Logging)
  []
end

.recent_access(resource:, limit: 100) ⇒ Object

Query recent PHI access records for a given resource.

# File 'lib/legion/phi/access_log.rb', line 30

def recent_access(resource:, limit: 100)
  if defined?(Legion::Audit)
    query_via_audit(resource: resource, limit: limit)
  else
    query_in_memory(resource: resource, limit: limit)
  end
end

.record_via_audit(entry) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 65

def record_via_audit(entry)
  Legion::Audit.record(
    event_type:   AUDIT_EVENT_TYPE,
    principal_id: entry[:actor],
    action:       entry[:action],
    resource:     entry[:resource],
    source:       'phi',
    detail:       format_detail(entry)
  )
rescue StandardError => e
  emit_warning("PHI audit record failed: #{e.message}")
end

.record_via_audit!(entry) ⇒ Object

# File 'lib/legion/phi/access_log.rb', line 78

def record_via_audit!(entry)
  Legion::Audit.record(
    event_type:   AUDIT_EVENT_TYPE,
    principal_id: entry[:actor],
    action:       entry[:action],
    resource:     entry[:resource],
    source:       'phi',
    detail:       format_detail(entry)
  )
end