feat: added ability to configure TTL index for audit documents

Author: CodeDead

.env.example

@@ -12,6 +12,7 @@ DB_USER_COLLECTION=users
 DB_AUDIT_COLLECTION=audits
 DB_CREATE_INDEXES=true
 DB_AUDIT_ENABLED=false
+DB_AUDIT_TTL=0
 
 # JWT
 JWT_SECRET=topSecretSecret

Cargo.lock

@@ -37,6 +37,7 @@ ENV [email protected]
 ENV DEFAULT_USER_PASSWORD=123456
 ENV DEFAULT_USER_ENABLED=true
 ENV MAX_FETCH_LIMIT=100
+ENV DB_AUDIT_TTL=0
 
 # Set the working directory
 WORKDIR /usr/src/auth-rs

Dockerfile

@@ -12,31 +12,34 @@
 
 The following environment variables can be used to configure `auth-rs`:
 
-| Variable                 | Default       | Required                                     | Type        | Description                                                            |
-|--------------------------|---------------|----------------------------------------------|-------------|------------------------------------------------------------------------|
-| SERVER_ADDR              | `0.0.0.0`     | `false`                                      | `IPAddress` | The server address                                                     |
-| SERVER_PORT              | `8080`        | `false`                                      | `u16`       | The port that the server will use                                      |
-| MAX_FETCH_LIMIT          | `100`         | `false`                                      | `i64`       | The maximum amount of entity records that can be retrieved in one call |
-| DB_CONNECTION_STRING     | N/A           | `true`                                       | `String`    | The MongoDB connection string                                          |
-| DB_DATABASE              | N/A           | `true`                                       | `String`    | The MongoDB Database that will be used by `auth-rs`                    |
-| DB_PERMISSION_COLLECTION | `permissions` | `false`                                      | `String`    | The collection that holds the `Permission` entities                    |
-| DB_ROLE_COLLECTION       | `roles`       | `false`                                      | `String`    | The collection that holds the `Role` entities                          |
-| DB_USER_COLLECTION       | `users`       | `false`                                      | `String`    | The collection that holds the `User` entities                          |
-| DB_AUDIT_COLLECTION      | `audits`      | `false`                                      | `String`    | The collection that holds the `Audit` entities                         |
-| DB_CREATE_INDEXES        | `true`        | `false`                                      | `bool`      | Automatically create collection indexes                                |
-| DB_AUDIT_ENABLED         | `false`       | `false`                                      | `bool`      | Enable or disable audit trails                                         |
-| JWT_SECRET               | N/A           | `true`                                       | `String`    | The JWT secret                                                         |
-| JWT_EXPIRATION           | `3600`        | `false`                                      | `usize`     | The JWT expiration time in seconds                                     |
-| RUST_LOG                 | N/A           | `false`                                      | `String`    | The default log level                                                  |
-| RUST_BACKTRACE           | N/A           | `false`                                      | `String`    | Controls whether or not backtraces are displayed when a panic occurs   |
-| GENERATE_DEFAULT_USER    | `true`        | `false`                                      | `bool`      | Sets whether a default administrator `User` should be generated        |
-| DEFAULT_USER_USERNAME    | N/A           | `true` if `GENERATE_DEFAULT_USER` is enabled | `String`    | The default `User`'s username                                          |
-| DEFAULT_USER_EMAIL       | N/A           | `false`                                      | `String`    | The default `User`'s email address                                     |
-| DEFAULT_USER_PASSWORD    | N/A           | `true` if `GENERATE_DEFAULT_USER` is enabled | `String`    | The default `User`'s password                                          |
-| DEFAULT_USER_ENABLED     | N/A           | `true` if `GENERATE_DEFAULT_USER` is enabled | `bool`      | Sets whether the default user is enabled or not                        |
-| ENABLE_OPENAPI           | `true`        | `false`                                      | `bool`      | Enables or disables the OpenAPI endpoint                               |
+| Variable                 | Default       | Required                                     | Type        | Description                                                             |
+|--------------------------|---------------|----------------------------------------------|-------------|-------------------------------------------------------------------------|
+| SERVER_ADDR              | `0.0.0.0`     | `false`                                      | `IPAddress` | The server address                                                      |
+| SERVER_PORT              | `8080`        | `false`                                      | `u16`       | The port that the server will use                                       |
+| MAX_FETCH_LIMIT          | `100`         | `false`                                      | `i64`       | The maximum amount of entity records that can be retrieved in one call  |
+| DB_CONNECTION_STRING     | N/A           | `true`                                       | `String`    | The MongoDB connection string                                           |
+| DB_DATABASE              | N/A           | `true`                                       | `String`    | The MongoDB Database that will be used by `auth-rs`                     |
+| DB_PERMISSION_COLLECTION | `permissions` | `false`                                      | `String`    | The collection that holds the `Permission` entities                     |
+| DB_ROLE_COLLECTION       | `roles`       | `false`                                      | `String`    | The collection that holds the `Role` entities                           |
+| DB_USER_COLLECTION       | `users`       | `false`                                      | `String`    | The collection that holds the `User` entities                           |
+| DB_AUDIT_COLLECTION      | `audits`      | `false`                                      | `String`    | The collection that holds the `Audit` entities                          |
+| DB_CREATE_INDEXES        | `true`        | `false`                                      | `bool`      | Automatically create collection indexes                                 |
+| DB_AUDIT_ENABLED         | `false`       | `false`                                      | `bool`      | Enable or disable audit trails                                          |
+| DB_AUDIT_TTL             | `0`           | `false`                                      | `u64`       | Automatically remove `Audit` entities after a set amount of seconds     |
+| JWT_SECRET               | N/A           | `true`                                       | `String`    | The JWT secret                                                          |
+| JWT_EXPIRATION           | `3600`        | `false`                                      | `usize`     | The JWT expiration time in seconds                                      |
+| RUST_LOG                 | N/A           | `false`                                      | `String`    | The default log level                                                   |
+| RUST_BACKTRACE           | N/A           | `false`                                      | `String`    | Controls whether or not backtraces are displayed when a panic occurs    |
+| GENERATE_DEFAULT_USER    | `true`        | `false`                                      | `bool`      | Sets whether a default administrator `User` should be generated         |
+| DEFAULT_USER_USERNAME    | N/A           | `true` if `GENERATE_DEFAULT_USER` is enabled | `String`    | The default `User`'s username                                           |
+| DEFAULT_USER_EMAIL       | N/A           | `false`                                      | `String`    | The default `User`'s email address                                      |
+| DEFAULT_USER_PASSWORD    | N/A           | `true` if `GENERATE_DEFAULT_USER` is enabled | `String`    | The default `User`'s password                                           |
+| DEFAULT_USER_ENABLED     | N/A           | `true` if `GENERATE_DEFAULT_USER` is enabled | `bool`      | Sets whether the default user is enabled or not                         |
+| ENABLE_OPENAPI           | `true`        | `false`                                      | `bool`      | Enables or disables the OpenAPI endpoint                                |
 
 > *Note*: The audit trail feature is disabled by default and will have a noticeable performance impact when enabled.
+> Audit trails can be set to expire automatically after a set amount of seconds by changing the `DB_AUDIT_TTL` environment variable
+> to the desired amount of seconds (greater than zero), if the `DB_CREATE_INDEXES` variable is also enabled.
 
 ## Changing the default configuration
 
@@ -54,7 +57,7 @@ You can add environment variables when running the container using the `-e` flag
 An example of running the container using Docker:
 
 ```bash
-docker run -d -p 8080:8080 -e DB_CONNECTION_STRING=mongodb://localhost:27017 -e DB_DATABASE=auth-rs -e HASH_SALT=mysalt -e JWT_SECRET=mysecret -e DEFAULT_USER_USERNAME=admin -e DEFAULT_USER_PASSWORD=secret -e DEFAULT_USER_ENABLED=true opserva/auth-rs
+docker run -d -p 8080:8080 -e DB_CONNECTION_STRING=mongodb://localhost:27017 -e DB_DATABASE=auth-rs -e -e JWT_SECRET=mysecret -e DEFAULT_USER_USERNAME=admin -e DEFAULT_USER_PASSWORD=secret -e DEFAULT_USER_ENABLED=true opserva/auth-rs
 ```
 
 Alternatively, you can provide an `.env` file to the container using the `--env-file` flag:

docs/CONFIGURATION.md

@@ -147,6 +147,14 @@ impl EnvReader {
             Err(_) => false,
         };
 
+        let audit_ttl = match env::var("DB_AUDIT_TTL") {
+            Ok(d) => {
+                let res: u64 = d.trim().parse().expect("DB_AUDIT_TTL must be a number");
+                res
+            }
+            Err(_) => 0,
+        };
+
         let create_indexes = match env::var("DB_CREATE_INDEXES") {
             Ok(d) => {
                 let res: bool = d
@@ -182,6 +190,7 @@ impl EnvReader {
             audit_collection,
             create_indexes,
             audit_enabled,
+            audit_ttl,
         );
 
         let server_config = ServerConfig::new(addr, port, max_limit);

src/components/env_reader.rs

@@ -20,6 +20,7 @@ use crate::services::Services;
 use log::{error, info};
 use mongodb::bson::doc;
 use mongodb::bson::oid::ObjectId;
+use mongodb::error::ErrorKind;
 use mongodb::options::{ClientOptions, IndexOptions, ServerApi, ServerApiVersion};
 use mongodb::{Client, Database, IndexModel};
 use regex::Regex;
@@ -127,6 +128,8 @@ impl Config {
             cfg.create_role_indexes(&db_config.role_collection).await;
             cfg.create_user_indexes(&db_config.user_collection).await;
             cfg.create_audit_indexes(&db_config.audit_collection).await;
+            cfg.create_or_delete_audit_ttl_index(db_config.audit_ttl, &db_config.audit_collection)
+                .await;
         }
 
         cfg
@@ -507,6 +510,67 @@ impl Config {
             .expect("Creating an index should succeed");
     }
 
+    /// # Summary
+    ///
+    /// Create or delete a TTL index for the Audit collection.
+    ///
+    /// # Arguments
+    ///
+    /// * `expire_after` - A u64 that holds the TTL in seconds.
+    /// * `audit_collection` - A string slice that holds the name of the Audit collection.
+    ///
+    /// # Panics
+    ///
+    /// This method will panic if the index could not be created or deleted (unless Error Command code 27 applies).
+    pub async fn create_or_delete_audit_ttl_index(
+        &self,
+        expire_after: u64,
+        audit_collection: &str,
+    ) {
+        if expire_after > 0 {
+            info!("Creating TTL index for the Audit collection");
+
+            let duration = std::time::Duration::from_secs(expire_after);
+
+            // Define the TTL index model
+            let model = IndexModel::builder()
+                .keys(doc! {
+                    "createdAt": 1
+                })
+                .options(IndexOptions::builder().expire_after(Some(duration)).build())
+                .build();
+
+            self.database
+                .collection::<Audit>(audit_collection)
+                .create_index(model, None)
+                .await
+                .expect("Creating an index should succeed");
+        } else {
+            info!("Deleting TTL index for the Audit collection");
+
+            match self
+                .database
+                .collection::<Audit>(audit_collection)
+                .drop_index("createdAt_1", None)
+                .await
+            {
+                Ok(_) => {}
+                Err(e) => match e.kind.as_ref() {
+                    ErrorKind::Command(e) => {
+                        if e.code == 27 {
+                            info!("TTL index for the Audit collection does not exist");
+                        } else {
+                            panic!("Failed to delete TTL index: {:?}", e);
+                        }
+                    }
+                    _ => {
+                        panic!("Failed to delete TTL index: {:?}", e);
+                    }
+                },
+            }
+        }
+    }
+
     /// # Summary
     ///
     /// Initialize the database.