From 5b35185afa81b787bece6c85f93f488e7b7d35c9 Mon Sep 17 00:00:00 2001 From: Jules LEIDELINGER <11395311+julio75012@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:29:50 +0800 Subject: [PATCH] server: implement security audit logging functions Implements security logging infrastructure with date-based file rotation and JSON-formatted audit events. Uses existing common_log system for minimal code footprint. Provides thread-safe initialization, cleanup, and audit event logging functions. --- tools/server/server-common.cpp | 119 +++++++++++++++++++++++++++++++++ tools/server/server-common.h | 21 ++++-- 2 files changed, 134 insertions(+), 6 deletions(-) diff --git a/tools/server/server-common.cpp b/tools/server/server-common.cpp index ff3c6d3c2b..0860f61840 100644 --- a/tools/server/server-common.cpp +++ b/tools/server/server-common.cpp @@ -9,6 +9,10 @@ #include "server-common.h" +#include +#include +#include +#include #include #include #include @@ -613,6 +617,7 @@ json json_get_nested_values(const std::vector & paths, const json & result[path] = current; } } + return result; } @@ -763,9 +768,18 @@ static server_tokens tokenize_input_subprompt(const llama_vocab * vocab, mtmd_co llama_tokens tmp = tokenize_mixed(vocab, json_prompt.at(JSON_STRING_PROMPT_KEY), add_special, parse_special); return server_tokens(tmp, false); } +<<<<<<< HEAD } else { throw std::runtime_error("\"prompt\" elements must be a string, a list of tokens, a JSON object containing a prompt string, or a list of mixed strings & tokens."); } +======= + } else { + throw std::runtime_error( + "\"prompt\" elements must be a string, a list of tokens, a JSON object containing a prompt string, or " + "a " + "list of mixed strings & tokens."); + } +>>>>>>> 6325a9c4 (server: implement security audit logging functions) } std::vector tokenize_input_prompts(const llama_vocab * vocab, mtmd_context * mctx, const json & json_prompt, bool add_special, bool parse_special) { @@ -2038,3 +2052,108 @@ server_tokens format_prompt_rerank( return result; } + +// security logging implementation +static struct common_log * g_security_log = nullptr; +static std::string g_security_log_folder; +static std::string g_current_log_file; +static std::mutex g_security_log_mutex; + +static std::string get_current_date_string() { + std::time_t t = std::time(nullptr); + std::tm tm = *std::localtime(&t); + char buffer[11]; + std::strftime(buffer, sizeof(buffer), "%Y-%m-%d", &tm); + return std::string(buffer); +} + +static void rotate_security_log_if_needed() { + std::lock_guard lock(g_security_log_mutex); + + if (g_security_log_folder.empty() || !g_security_log) { + return; + } + + std::string current_date = get_current_date_string(); + std::string new_log_file = g_security_log_folder + "/security_" + current_date + ".log"; + + if (new_log_file != g_current_log_file) { + // Close old file if any + if (!g_current_log_file.empty()) { + common_log_set_file(g_security_log, nullptr); + } + + // Create directory if it doesn't exist + std::filesystem::create_directories(g_security_log_folder); + + // Set new log file + common_log_set_file(g_security_log, new_log_file.c_str()); + common_log_set_prefix(g_security_log, false); + common_log_set_timestamps(g_security_log, true); + + g_current_log_file = new_log_file; + + LOG_INF("Security logging started: %s\n", new_log_file.c_str()); + } +} + +void security_log_init(const std::string & folder_path) { + std::lock_guard lock(g_security_log_mutex); + + if (folder_path.empty()) { + return; + } + + g_security_log_folder = folder_path; + g_security_log = common_log_init(); + + if (!g_security_log) { + LOG_ERR("Failed to initialize security log\n"); + return; + } + + // Set initial log file + rotate_security_log_if_needed(); +} + +void security_log_cleanup() { + std::lock_guard lock(g_security_log_mutex); + + if (g_security_log) { + common_log_free(g_security_log); + g_security_log = nullptr; + } + + g_security_log_folder.clear(); + g_current_log_file.clear(); +} + +void security_log_audit_event(const std::string & event_type, + const std::string & endpoint, + const std::string & method, + const std::string & remote_addr, + const std::string & api_key_name, + const std::string & details) { + std::lock_guard lock(g_security_log_mutex); + + if (!g_security_log) { + return; + } + + // Rotate log file if date changed + rotate_security_log_if_needed(); + + // Create JSON log entry + json log_entry = { + {"timestamp", std::time(nullptr)}, + { "event_type", event_type }, + { "endpoint", endpoint }, + { "method", method }, + { "remote_addr", remote_addr }, + { "api_key_name", api_key_name }, + { "details", details } + }; + + // Write as JSON line + common_log_add(g_security_log, GGML_LOG_LEVEL_NONE, "%s\n", log_entry.dump().c_str()); +} diff --git a/tools/server/server-common.h b/tools/server/server-common.h index 4fb9e488df..6566915f7a 100644 --- a/tools/server/server-common.h +++ b/tools/server/server-common.h @@ -363,9 +363,18 @@ llama_tokens format_prompt_infill( const llama_tokens & tokens_prompt); // format rerank task: [BOS]query[EOS][SEP]doc[EOS]. -server_tokens format_prompt_rerank( - const struct llama_model * model, - const struct llama_vocab * vocab, - mtmd_context * mctx, - const std::string & query, - const std::string & doc); +server_tokens format_prompt_rerank(const struct llama_model * model, + const struct llama_vocab * vocab, + mtmd_context * mctx, + const std::string & query, + const std::string & doc); + +// security logging +void security_log_init(const std::string & folder_path); +void security_log_cleanup(); +void security_log_audit_event(const std::string & event_type, + const std::string & endpoint, + const std::string & method, + const std::string & remote_addr, + const std::string & api_key_name, + const std::string & details);