Feature: Audit Trail (#4425)

Adds new feature for optionally enabling change tracking for possible audit purposes
---------

Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>
Co-authored-by: Trenton Holmes <797416+stumpylog@users.noreply.github.com>

src/paperless/__init__.py

@@ -1,4 +1,5 @@
 from paperless.celery import app as celery_app
+from paperless.checks import audit_log_check
 from paperless.checks import binaries_check
 from paperless.checks import paths_check
 from paperless.checks import settings_values_check
@@ -8,4 +9,5 @@ __all__ = [
     "binaries_check",
     "paths_check",
     "settings_values_check",
+    "audit_log_check",
 ]

src/paperless/checks.py

@@ -5,9 +5,11 @@ import shutil
 import stat
 
 from django.conf import settings
+from django.core.checks import Critical
 from django.core.checks import Error
 from django.core.checks import Warning
 from django.core.checks import register
+from django.db import connections
 
 exists_message = "{} is set but doesn't exist."
 exists_hint = "Create a directory at {}"
@@ -195,3 +197,19 @@ def settings_values_check(app_configs, **kwargs):
         + _barcode_scanner_validate()
         + _email_certificate_validate()
     )
+
+
+@register()
+def audit_log_check(app_configs, **kwargs):
+    db_conn = connections["default"]
+    all_tables = db_conn.introspection.table_names()
+
+    if ("auditlog_logentry" in all_tables) and not (settings.AUDIT_LOG_ENABLED):
+        return [
+            Critical(
+                (
+                    "auditlog table was found but PAPERLESS_AUDIT_LOG_ENABLED"
+                    " is not active.  This setting cannot be disabled after enabling"
+                ),
+            ),
+        ]

src/paperless/settings.py

@@ -933,6 +933,11 @@ TIKA_GOTENBERG_ENDPOINT = os.getenv(
 if TIKA_ENABLED:
     INSTALLED_APPS.append("paperless_tika.apps.PaperlessTikaConfig")
 
+AUDIT_LOG_ENABLED = __get_boolean("PAPERLESS_AUDIT_LOG_ENABLED", "NO")
+if AUDIT_LOG_ENABLED:
+    INSTALLED_APPS.append("auditlog")
+    MIDDLEWARE.append("auditlog.middleware.AuditlogMiddleware")
+
 
 def _parse_ignore_dates(
     env_ignore: str,

src/paperless/tests/test_checks.py

@@ -1,11 +1,13 @@
 import os
 from pathlib import Path
+from unittest import mock
 
 from django.test import TestCase
 from django.test import override_settings
 
 from documents.tests.utils import DirectoriesMixin
 from documents.tests.utils import FileSystemAssertsMixin
+from paperless.checks import audit_log_check
 from paperless.checks import binaries_check
 from paperless.checks import debug_mode_check
 from paperless.checks import paths_check
@@ -231,3 +233,35 @@ class TestEmailCertSettingsChecks(DirectoriesMixin, FileSystemAssertsMixin, Test
         msg = msgs[0]
 
         self.assertIn("Email cert /tmp/not_actually_here.pem is not a file", msg.msg)
+
+
+class TestAuditLogChecks(TestCase):
+    def test_was_enabled_once(self):
+        """
+        GIVEN:
+            - Audit log is not enabled
+        WHEN:
+            - Database tables contain audit log entry
+        THEN:
+            - system check error reported for disabling audit log
+        """
+        introspect_mock = mock.MagicMock()
+        introspect_mock.introspection.table_names.return_value = ["auditlog_logentry"]
+        with override_settings(AUDIT_LOG_ENABLED=False):
+            with mock.patch.dict(
+                "paperless.checks.connections",
+                {"default": introspect_mock},
+            ):
+                msgs = audit_log_check(None)
+
+                self.assertEqual(len(msgs), 1)
+
+                msg = msgs[0]
+
+                self.assertIn(
+                    (
+                        "auditlog table was found but PAPERLESS_AUDIT_LOG_ENABLED"
+                        " is not active."
+                    ),
+                    msg.msg,
+                )