Add access logs (IC ones) (#17810)

Content.Shared/Access/Components/AccessComponent.cs

@@ -3,58 +3,57 @@ using Robust.Shared.GameStates;
 using Robust.Shared.Prototypes;
 using Robust.Shared.Serialization.TypeSerializers.Implementations.Custom.Prototype.Set;
 
-namespace Content.Shared.Access.Components
+namespace Content.Shared.Access.Components;
+
+/// <summary>
+///     Simple mutable access provider found on ID cards and such.
+/// </summary>
+[RegisterComponent, NetworkedComponent]
+[Access(typeof(SharedAccessSystem))]
+[AutoGenerateComponentState]
+public sealed partial class AccessComponent : Component
 {
     /// <summary>
-    ///     Simple mutable access provider found on ID cards and such.
+    /// True if the access provider is enabled and can grant access.
     /// </summary>
-    [RegisterComponent, NetworkedComponent]
-    [Access(typeof(SharedAccessSystem))]
-    [AutoGenerateComponentState]
-    public sealed partial class AccessComponent : Component
-    {
-        /// <summary>
-        /// True if the access provider is enabled and can grant access.
-        /// </summary>
-        [DataField("enabled"), ViewVariables(VVAccess.ReadWrite)]
-        [AutoNetworkedField]
-        public bool Enabled = true;
+    [DataField, ViewVariables(VVAccess.ReadWrite)]
+    [AutoNetworkedField]
+    public bool Enabled = true;
 
-        [DataField("tags", customTypeSerializer: typeof(PrototypeIdHashSetSerializer<AccessLevelPrototype>))]
-        [Access(typeof(SharedAccessSystem), Other = AccessPermissions.ReadExecute)] // FIXME Friends
-        [AutoNetworkedField]
-        public HashSet<string> Tags = new();
-
-        /// <summary>
-        ///     Access Groups. These are added to the tags during map init. After map init this will have no effect.
-        /// </summary>
-        [DataField("groups", readOnly: true, customTypeSerializer: typeof(PrototypeIdHashSetSerializer<AccessGroupPrototype>))]
-        [AutoNetworkedField]
-        public HashSet<string> Groups = new();
-    }
+    [DataField(customTypeSerializer: typeof(PrototypeIdHashSetSerializer<AccessLevelPrototype>))]
+    [Access(typeof(SharedAccessSystem), Other = AccessPermissions.ReadExecute)] // FIXME Friends
+    [AutoNetworkedField]
+    public HashSet<string> Tags = new();
 
     /// <summary>
-    /// Event raised on an entity to find additional entities which provide access.
+    /// Access Groups. These are added to the tags during map init. After map init this will have no effect.
     /// </summary>
-    [ByRefEvent]
-    public struct GetAdditionalAccessEvent
+    [DataField(readOnly: true, customTypeSerializer: typeof(PrototypeIdHashSetSerializer<AccessGroupPrototype>))]
+    [AutoNetworkedField]
+    public HashSet<string> Groups = new();
+}
+
+/// <summary>
+/// Event raised on an entity to find additional entities which provide access.
+/// </summary>
+[ByRefEvent]
+public struct GetAdditionalAccessEvent
+{
+    public HashSet<EntityUid> Entities = new();
+
+    public GetAdditionalAccessEvent()
     {
-        public HashSet<EntityUid> Entities = new();
-
-        public GetAdditionalAccessEvent()
-        {
-        }
-    }
-
-    [ByRefEvent]
-    public record struct GetAccessTagsEvent(HashSet<string> Tags, IPrototypeManager PrototypeManager)
-    {
-        public void AddGroup(string group)
-        {
-            if (!PrototypeManager.TryIndex<AccessGroupPrototype>(group, out var groupPrototype))
-                return;
-
-            Tags.UnionWith(groupPrototype.Tags);
-        }
+    }
+}
+
+[ByRefEvent]
+public record struct GetAccessTagsEvent(HashSet<string> Tags, IPrototypeManager PrototypeManager)
+{
+    public void AddGroup(string group)
+    {
+        if (!PrototypeManager.TryIndex<AccessGroupPrototype>(group, out var groupPrototype))
+            return;
+
+        Tags.UnionWith(groupPrototype.Tags);
     }
 }

Content.Shared/Access/Components/AccessReaderComponent.cs

@@ -6,8 +6,8 @@ using Robust.Shared.Serialization.TypeSerializers.Implementations.Custom.Prototy
 namespace Content.Shared.Access.Components;
 
 /// <summary>
-///     Stores access levels necessary to "use" an entity
-///     and allows checking if something or somebody is authorized with these access levels.
+/// Stores access levels necessary to "use" an entity
+/// and allows checking if something or somebody is authorized with these access levels.
 /// </summary>
 [RegisterComponent, NetworkedComponent]
 public sealed partial class AccessReaderComponent : Component
@@ -16,27 +16,28 @@ public sealed partial class AccessReaderComponent : Component
     /// Whether or not the accessreader is enabled.
     /// If not, it will always let people through.
     /// </summary>
-    [DataField("enabled")]
+    [DataField]
     public bool Enabled = true;
 
     /// <summary>
-    ///     The set of tags that will automatically deny an allowed check, if any of them are present.
+    /// The set of tags that will automatically deny an allowed check, if any of them are present.
     /// </summary>
-    [DataField("denyTags", customTypeSerializer: typeof(PrototypeIdHashSetSerializer<AccessLevelPrototype>))]
+    [ViewVariables(VVAccess.ReadWrite)]
+    [DataField(customTypeSerializer: typeof(PrototypeIdHashSetSerializer<AccessLevelPrototype>))]
     public HashSet<string> DenyTags = new();
 
     /// <summary>
     /// List of access groups that grant access to this reader. Only a single matching group is required to gain access.
     /// A group matches if it is a subset of the set being checked against.
     /// </summary>
-    [DataField("access")]
+    [DataField("access")] [ViewVariables(VVAccess.ReadWrite)]
     public List<HashSet<string>> AccessLists = new();
 
     /// <summary>
     /// A list of <see cref="StationRecordKey"/>s that grant access. Only a single matching key is required tp gaim
     /// access.
     /// </summary>
-    [DataField("accessKeys")]
+    [DataField]
     public HashSet<StationRecordKey> AccessKeys = new();
 
     /// <summary>
@@ -48,10 +49,25 @@ public sealed partial class AccessReaderComponent : Component
     /// ignored, though <see cref="Enabled"/> is still respected. Access is denied if there are no valid entities or
     /// they all deny access.
     /// </remarks>
-    [DataField("containerAccessProvider")]
+    [DataField]
     public string? ContainerAccessProvider;
+
+    /// <summary>
+    /// A list of past authentications
+    /// </summary>
+    [DataField]
+    public Queue<AccessRecord> AccessLog = new();
+
+    /// <summary>
+    /// A limit on the max size of <see cref="AccessLog"/>
+    /// </summary>
+    [DataField, ViewVariables(VVAccess.ReadWrite)]
+    public int AccessLogLimit = 20;
 }
 
+[Serializable, NetSerializable]
+public record struct AccessRecord(TimeSpan AccessTime, string Accessor);
+
 [Serializable, NetSerializable]
 public sealed class AccessReaderComponentState : ComponentState
 {
@@ -63,11 +79,17 @@ public sealed class AccessReaderComponentState : ComponentState
 
     public List<(NetEntity, uint)> AccessKeys;
 
-    public AccessReaderComponentState(bool enabled, HashSet<string> denyTags, List<HashSet<string>> accessLists, List<(NetEntity, uint)> accessKeys)
+    public Queue<AccessRecord> AccessLog;
+
+    public int AccessLogLimit;
+
+    public AccessReaderComponentState(bool enabled, HashSet<string> denyTags, List<HashSet<string>> accessLists, List<(NetEntity, uint)> accessKeys, Queue<AccessRecord> accessLog, int accessLogLimit)
     {
         Enabled = enabled;
         DenyTags = denyTags;
         AccessLists = accessLists;
         AccessKeys = accessKeys;
+        AccessLog = accessLog;
+        AccessLogLimit = accessLogLimit;
     }
 }

Content.Shared/Access/Components/IdCardComponent.cs

@@ -34,4 +34,10 @@ public sealed partial class IdCardComponent : Component
     [DataField("jobDepartments")]
     [AutoNetworkedField]
     public List<LocId> JobDepartments = new();
+
+    /// <summary>
+    /// Determines if accesses from this card should be logged by <see cref="AccessReaderComponent"/>
+    /// </summary>
+    [DataField, ViewVariables(VVAccess.ReadWrite)]
+    public bool BypassLogging;
 }

Content.Shared/Access/Systems/AccessReaderSystem.cs

@@ -10,8 +10,10 @@ using Robust.Shared.Containers;
 using Robust.Shared.GameStates;
 using System.Diagnostics.CodeAnalysis;
 using System.Linq;
+using Content.Shared.GameTicking;
 using Robust.Shared.Collections;
 using Robust.Shared.Prototypes;
+using Robust.Shared.Timing;
 
 namespace Content.Shared.Access.Systems;
 
@@ -19,7 +21,10 @@ public sealed class AccessReaderSystem : EntitySystem
 {
     [Dependency] private readonly IPrototypeManager _prototype = default!;
     [Dependency] private readonly InventorySystem _inventorySystem = default!;
+    [Dependency] private readonly IGameTiming _gameTiming = default!;
+    [Dependency] private readonly SharedGameTicker _gameTicker = default!;
     [Dependency] private readonly SharedHandsSystem _handsSystem = default!;
+    [Dependency] private readonly SharedIdCardSystem _idCardSystem = default!;
     [Dependency] private readonly SharedContainerSystem _containerSystem = default!;
     [Dependency] private readonly SharedStationRecordsSystem _records = default!;
 
@@ -37,7 +42,7 @@ public sealed class AccessReaderSystem : EntitySystem
     private void OnGetState(EntityUid uid, AccessReaderComponent component, ref ComponentGetState args)
     {
         args.State = new AccessReaderComponentState(component.Enabled, component.DenyTags, component.AccessLists,
-            _records.Convert(component.AccessKeys));
+            _records.Convert(component.AccessKeys), component.AccessLog, component.AccessLogLimit);
     }
 
     private void OnHandleState(EntityUid uid, AccessReaderComponent component, ref ComponentHandleState args)
@@ -57,6 +62,8 @@ public sealed class AccessReaderSystem : EntitySystem
 
         component.AccessLists = new(state.AccessLists);
         component.DenyTags = new(state.DenyTags);
+        component.AccessLog = new(state.AccessLog);
+        component.AccessLogLimit = state.AccessLogLimit;
     }
 
     private void OnLinkAttempt(EntityUid uid, AccessReaderComponent component, LinkAttemptEvent args)
@@ -71,6 +78,7 @@ public sealed class AccessReaderSystem : EntitySystem
     {
         args.Handled = true;
         reader.Enabled = false;
+        reader.AccessLog.Clear();
         Dirty(uid, reader);
     }
 
@@ -93,7 +101,13 @@ public sealed class AccessReaderSystem : EntitySystem
         var access = FindAccessTags(user, accessSources);
         FindStationRecordKeys(user, out var stationKeys, accessSources);
 
-        return IsAllowed(access, stationKeys, target, reader);
+        if (IsAllowed(access, stationKeys, target, reader))
+        {
+            LogAccess((target, reader), user);
+            return true;
+        }
+
+        return false;
     }
 
     /// <summary>
@@ -326,4 +340,27 @@ public sealed class AccessReaderSystem : EntitySystem
         key = null;
         return false;
     }
+
+    /// <summary>
+    /// Logs an access
+    /// </summary>
+    /// <param name="ent">The reader to log the access on</param>
+    /// <param name="accessor">The accessor to log</param>
+    private void LogAccess(Entity<AccessReaderComponent> ent, EntityUid accessor)
+    {
+        if (ent.Comp.AccessLog.Count >= ent.Comp.AccessLogLimit)
+            ent.Comp.AccessLog.Dequeue();
+
+        string? name = null;
+        // TODO pass the ID card on IsAllowed() instead of using this expensive method
+        // Set name if the accessor has a card and that card has a name and allows itself to be recorded
+        if (_idCardSystem.TryFindIdCard(accessor, out var idCard)
+            && idCard.Comp is { BypassLogging: false, FullName: not null })
+            name = idCard.Comp.FullName;
+
+        name ??= Loc.GetString("access-reader-unknown-id");
+
+        var stationTime = _gameTiming.CurTime.Subtract(_gameTicker.RoundStartTimeSpan);
+        ent.Comp.AccessLog.Enqueue(new AccessRecord(stationTime, name));
+    }
 }