Add Audit Service to CE and PDP in OE federator

Author: ginaxu1

audit-service/README.md

@@ -221,10 +221,45 @@ go build -o audit-service
 go build -ldflags="-X main.Version=1.0.0 -X main.GitCommit=$(git rev-parse HEAD)" -o audit-service
 ```
 
-## Deployment
+## Optional Deployment
 
-### Docker
+The Audit Service is **optional** and can be deployed separately from the main OpenDIF services. Services (Orchestration Engine, Portal Backend) will function normally without audit logging enabled.
 
+### Enabling/Disabling Audit Logging
+
+#### Option 1: Disable via Environment Variable
+Set `ENABLE_AUDIT=false` in your service configuration:
+```bash
+# In orchestration-engine/.env or portal-backend/.env
+ENABLE_AUDIT=false
+```
+
+#### Option 2: Omit Audit Service URL
+Leave `CHOREO_AUDIT_CONNECTION_SERVICEURL` unset or empty:
+```bash
+# Services will automatically disable audit logging if URL is not configured
+# CHOREO_AUDIT_CONNECTION_SERVICEURL=
+```
+
+#### Option 3: Enable Audit Logging
+Set the audit service URL:
+```bash
+# In orchestration-engine/.env or portal-backend/.env
+CHOREO_AUDIT_CONNECTION_SERVICEURL=http://localhost:3001
+ENABLE_AUDIT=true  # Optional, defaults to true if URL is provided
+```
+
+### Deployment Steps
+
+#### Step 1: Deploy Audit Service (Optional)
+
+**Using Docker Compose:**
+```bash
+cd audit-service
+docker compose up -d
+```
+
+**Using Docker:**
 ```bash
 # Build image
 docker build -t audit-service .
@@ -246,19 +281,73 @@ docker run -d \
   audit-service
 ```
 
-### Docker Compose
+**Using Standalone Binary:**
+```bash
+cd audit-service
+go build -o audit-service
+./audit-service
+```
+
+#### Step 2: Configure Services to Use Audit Service
+
+**For Orchestration Engine:**
+```bash
+# In exchange/orchestration-engine/.env
+CHOREO_AUDIT_CONNECTION_SERVICEURL=http://localhost:3001
+ENABLE_AUDIT=true
+```
 
+**For Portal Backend:**
 ```bash
-# Start service
+# In portal-backend/.env
+CHOREO_AUDIT_CONNECTION_SERVICEURL=http://localhost:3001
+ENABLE_AUDIT=true
+```
+
+#### Step 3: Verify Audit Logging
+
+1. Make a request to Orchestration Engine or Portal Backend
+2. Check audit service logs: `GET http://localhost:3001/api/audit-logs`
+3. Verify events are being logged with trace IDs
+
+### Docker Compose Usage
+
+The audit service has its own `docker-compose.yml` for standalone deployment:
+
+```bash
+# Deploy audit service separately
+cd audit-service
 docker compose up -d
 
 # View logs
 docker compose logs -f
 
 # Stop service
 docker compose down
+
+# Or include in your main docker-compose.yml (optional)
+# See audit-service/docker-compose.yml for reference
 ```
 
+**Note:** The main `exchange/docker-compose.yml` does not include audit-service by default. Deploy it separately or add it manually if needed.
+
+### Environment Variables for Enabling/Disabling
+
+| Service | Environment Variable | Default | Description |
+|---------|---------------------|---------|------------|
+| Orchestration Engine | `CHOREO_AUDIT_CONNECTION_SERVICEURL` | Empty | Audit service base URL |
+| Orchestration Engine | `ENABLE_AUDIT` | `true` (if URL set) | Enable/disable audit logging |
+| Portal Backend | `CHOREO_AUDIT_CONNECTION_SERVICEURL` | Empty | Audit service base URL |
+| Portal Backend | `ENABLE_AUDIT` | `true` (if URL set) | Enable/disable audit logging |
+
+### Graceful Degradation
+
+- Services continue to function normally if audit service is unavailable
+- No errors are thrown when audit service URL is not configured
+- Audit operations are asynchronous (fire-and-forget) to avoid blocking requests
+- Services can be started before audit service is ready
+
+
 ### Production Considerations
 
 1. **Database**: Use PostgreSQL for production deployments

audit-service/audit-service

@@ -32,32 +32,34 @@ type Config struct {
 	Enums AuditEnums `yaml:"enums"`
 }
 
-// DefaultEnums provides default enum values if config file is not found
-var DefaultEnums = AuditEnums{
-	EventTypes: []string{
-		"POLICY_CHECK",
-		"MANAGEMENT_EVENT",
-		"USER_MANAGEMENT",
-		"DATA_FETCH",
-		"CONSENT_CHECK",
-	},
-	EventActions: []string{
-		"CREATE",
-		"READ",
-		"UPDATE",
-		"DELETE",
-	},
-	ActorTypes: []string{
-		"SERVICE",
-		"ADMIN",
-		"MEMBER",
-		"SYSTEM",
-	},
-	TargetTypes: []string{
-		"SERVICE",
-		"RESOURCE",
-	},
-}
+var (
+	// DefaultEnums provides default enum values if config file is not found
+	// Note: OpenDIF-specific event types (ORCHESTRATION_REQUEST_RECEIVED, POLICY_CHECK, CONSENT_CHECK, PROVIDER_FETCH)
+	// should be added to config/enums.yaml for project-specific configurations
+	DefaultEnums = AuditEnums{
+		EventTypes: []string{
+			"MANAGEMENT_EVENT",
+			"USER_MANAGEMENT",
+			"DATA_FETCH",
+		},
+		EventActions: []string{
+			"CREATE",
+			"READ",
+			"UPDATE",
+			"DELETE",
+		},
+		ActorTypes: []string{
+			"SERVICE",
+			"ADMIN",
+			"MEMBER",
+			"SYSTEM",
+		},
+		TargetTypes: []string{
+			"SERVICE",
+			"RESOURCE",
+		},
+	}
+)
 
 // LoadEnums loads enum configuration from YAML file
 // If the file is not found or cannot be read, returns default enums

audit-service/config/config.go

@@ -5,12 +5,22 @@
 enums:
   # Event Type: User-defined custom names for event classification
   # Examples: POLICY_CHECK, MANAGEMENT_EVENT, USER_MANAGEMENT, etc.
+  # 
+  # OpenDIF Core specific event types:
+  # - ORCHESTRATION_REQUEST_RECEIVED: GraphQL request received by Orchestration Engine
+  # - POLICY_CHECK: Policy decision result logged by Policy Decision Point (one record per API call)
+  # - CONSENT_CHECK: Consent check result logged by Consent Engine (one record per API call)
+  # - PROVIDER_FETCH: Provider data fetch result logged by Orchestration Engine (one record per API call)
   eventTypes:
+    # OpenDIF Core specific event types
+    - ORCHESTRATION_REQUEST_RECEIVED
     - POLICY_CHECK
+    - CONSENT_CHECK
+    - PROVIDER_FETCH
+    # Generic event types (available by default)
     - MANAGEMENT_EVENT
     - USER_MANAGEMENT
     - DATA_FETCH
-    - CONSENT_CHECK
 
   # Event Action: CRUD operations
   eventActions:

audit-service/config/enums.yaml

@@ -77,6 +77,8 @@ func (r *GormRepository) GetAuditLogs(ctx context.Context, filters *AuditLogFilt
 	}
 
 	// Apply pagination and ordering
+	// Note: Results are ordered by timestamp DESC (newest first) for general queries.
+	// For trace-specific queries, use GetAuditLogsByTraceID which orders by ASC (chronological).
 	limit := filters.Limit
 	if limit <= 0 {
 		limit = 100 // default

audit-service/v1/database/gorm_repository.go

@@ -2,6 +2,7 @@ package testutil
 
 import (
 	"context"
+	"sort"
 
 	"github.com/google/uuid"
 	"github.com/gov-dx-sandbox/audit-service/v1/database"
@@ -30,14 +31,121 @@ func (m *MockRepository) CreateAuditLog(ctx context.Context, log *v1models.Audit
 	return log, nil
 }
 
-// GetAuditLogsByTraceID returns empty results (can be extended for more complex test scenarios)
+// GetAuditLogsByTraceID retrieves all audit logs for a given trace ID
+// Results are ordered by timestamp ASC (chronological order)
 func (m *MockRepository) GetAuditLogsByTraceID(ctx context.Context, traceID string) ([]v1models.AuditLog, error) {
-	return nil, nil
+	// Parse traceID string to UUID for comparison
+	traceUUID, err := uuid.Parse(traceID)
+	if err != nil {
+		return []v1models.AuditLog{}, nil // Return empty slice for invalid UUID
+	}
+
+	var filteredLogs []v1models.AuditLog
+	for _, log := range m.logs {
+		if log.TraceID != nil && *log.TraceID == traceUUID {
+			filteredLogs = append(filteredLogs, *log)
+		}
+	}
+
+	// Sort by timestamp ASC (chronological order)
+	sort.Slice(filteredLogs, func(i, j int) bool {
+		return filteredLogs[i].Timestamp.Before(filteredLogs[j].Timestamp)
+	})
+
+	if filteredLogs == nil {
+		return []v1models.AuditLog{}, nil
+	}
+
+	return filteredLogs, nil
 }
 
-// GetAuditLogs returns empty results (can be extended for more complex test scenarios)
+// GetAuditLogs retrieves audit logs with optional filtering
+// Results are ordered by timestamp DESC (newest first) and paginated
 func (m *MockRepository) GetAuditLogs(ctx context.Context, filters *database.AuditLogFilters) ([]v1models.AuditLog, int64, error) {
-	return nil, 0, nil
+	if filters == nil {
+		filters = &database.AuditLogFilters{}
+	}
+
+	// Filter logs based on provided criteria
+	var filteredLogs []v1models.AuditLog
+	for _, log := range m.logs {
+		matches := true
+
+		// Filter by TraceID
+		if filters.TraceID != nil && *filters.TraceID != "" {
+			traceUUID, err := uuid.Parse(*filters.TraceID)
+			if err != nil {
+				continue // Skip if traceID is invalid
+			}
+			if log.TraceID == nil || *log.TraceID != traceUUID {
+				matches = false
+			}
+		}
+
+		// Filter by EventType
+		if matches && filters.EventType != nil && *filters.EventType != "" {
+			if log.EventType == nil || *log.EventType != *filters.EventType {
+				matches = false
+			}
+		}
+
+		// Filter by EventAction
+		if matches && filters.EventAction != nil && *filters.EventAction != "" {
+			if log.EventAction == nil || *log.EventAction != *filters.EventAction {
+				matches = false
+			}
+		}
+
+		// Filter by Status
+		if matches && filters.Status != nil && *filters.Status != "" {
+			if log.Status != *filters.Status {
+				matches = false
+			}
+		}
+
+		if matches {
+			filteredLogs = append(filteredLogs, *log)
+		}
+	}
+
+	// Get total count before pagination
+	total := int64(len(filteredLogs))
+
+	// Sort by timestamp DESC (newest first)
+	sort.Slice(filteredLogs, func(i, j int) bool {
+		return filteredLogs[i].Timestamp.After(filteredLogs[j].Timestamp)
+	})
+
+	// Apply pagination
+	limit := filters.Limit
+	if limit <= 0 {
+		limit = 100 // default
+	}
+	if limit > 1000 {
+		limit = 1000 // max
+	}
+
+	offset := filters.Offset
+	if offset < 0 {
+		offset = 0
+	}
+
+	// Apply offset and limit
+	start := offset
+	end := offset + limit
+	if start > len(filteredLogs) {
+		start = len(filteredLogs)
+	}
+	if end > len(filteredLogs) {
+		end = len(filteredLogs)
+	}
+
+	if start >= end {
+		return []v1models.AuditLog{}, total, nil
+	}
+
+	paginatedLogs := filteredLogs[start:end]
+	return paginatedLogs, total, nil
 }
 
 // GetLogs returns all logs stored in the mock (useful for test assertions)