line
diff --git a/‎docker/requirements.txt‎
Lines changed: 30 additions & 1 deletion b/‎docker/requirements.txt‎
Lines changed: 30 additions & 1 deletion
diff --git a/‎promgen/filters.py‎
Lines changed: 60 additions & 0 deletions b/‎promgen/filters.py‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎promgen/fixtures/testcases.yaml‎
Lines changed: 28 additions & 0 deletions b/‎promgen/fixtures/testcases.yaml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎promgen/models.py‎
Lines changed: 4 additions & 0 deletions b/‎promgen/models.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎promgen/permissions.py‎
Lines changed: 37 additions & 1 deletion b/‎promgen/permissions.py‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎promgen/rest_v2.py‎
Lines changed: 111 additions & 0 deletions b/‎promgen/rest_v2.py‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎promgen/schemas.py‎
Lines changed: 6 additions & 0 deletions b/‎promgen/schemas.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎promgen/serializers.py‎
Lines changed: 23 additions & 0 deletions b/‎promgen/serializers.py‎
Lines changed: 23 additions & 0 deletions
@@ -12,6 +12,10 @@ async-timeout==4.0.2
     # via redis
 atomicwrites==1.4.1
     # via promgen (pyproject.toml)
+attrs==26.1.0
+    # via
+    #   jsonschema
+    #   referencing
 billiard==3.6.4.0
     # via celery
 celery[redis]==5.2.7
@@ -49,6 +53,7 @@ django==4.2.26
     #   django-filter
     #   django-guardian
     #   djangorestframework
+    #   drf-spectacular
     #   promgen (pyproject.toml)
     #   social-auth-app-django
 django-environ==0.10.0
@@ -58,11 +63,21 @@ django-filter==23.2
 django-guardian==3.0.0
     # via promgen (pyproject.toml)
 djangorestframework==3.14.0
+    # via
+    #   drf-spectacular
+    #   promgen (pyproject.toml)
+drf-spectacular==0.29.0
     # via promgen (pyproject.toml)
 gunicorn==22.0.0
     # via -r docker/requirements.in
 idna==3.7
     # via requests
+inflection==0.5.1
+    # via drf-spectacular
+jsonschema==4.25.1
+    # via drf-spectacular
+jsonschema-specifications==2025.9.1
+    # via jsonschema
 kombu==5.3.7
     # via
     #   celery
@@ -90,16 +105,26 @@ pytz==2023.3
     #   celery
     #   djangorestframework
 pyyaml==6.0.1
-    # via promgen (pyproject.toml)
+    # via
+    #   drf-spectacular
+    #   promgen (pyproject.toml)
 redis==4.6.0
     # via celery
+referencing==0.36.2
+    # via
+    #   jsonschema
+    #   jsonschema-specifications
 requests==2.32.2
     # via
     #   promgen (pyproject.toml)
     #   requests-oauthlib
     #   social-auth-core
 requests-oauthlib==1.3.1
     # via social-auth-core
+rpds-py==0.27.1
+    # via
+    #   jsonschema
+    #   referencing
 sentry-sdk==1.19.1
     # via -r docker/requirements.in
 six==1.16.0
@@ -113,7 +138,11 @@ sqlparse==0.5.0
 typing-extensions==4.7.1
     # via
     #   asgiref
+    #   drf-spectacular
     #   kombu
+    #   referencing
+uritemplate==4.2.0
+    # via drf-spectacular
 urllib3==2.2.0
     # via
     #   requests
 
@@ -1,4 +1,5 @@
 import django_filters
+from django.contrib.contenttypes.models import ContentType
 
 
 class ShardFilter(django_filters.rest_framework.FilterSet):
@@ -24,3 +25,62 @@ class RuleFilter(django_filters.rest_framework.FilterSet):
 class FarmFilter(django_filters.rest_framework.FilterSet):
     name = django_filters.CharFilter(field_name="name", lookup_expr="contains")
     source = django_filters.CharFilter(field_name="source", lookup_expr="exact")
+
+
+def filter_content_type(queryset, name, value):
+    try:
+        if value == "group":
+            content_type_id = ContentType.objects.get(model=value, app_label="auth").id
+        else:
+            content_type_id = ContentType.objects.get(model=value, app_label="promgen").id
+
+        field_name = (
+            "parent_content_type_id" if name == "parent_content_type" else "content_type_id"
+        )
+        return queryset.filter(**{field_name: content_type_id})
+    except ContentType.DoesNotExist:
+        return queryset.none()
+
+
+class AuditFilter(django_filters.rest_framework.FilterSet):
+    object_id = django_filters.NumberFilter(
+        field_name="object_id",
+        lookup_expr="exact",
+        help_text="Filter by exact object ID. Example: object_id=123",
+    )
+    content_type = django_filters.ChoiceFilter(
+        field_name="content_type",
+        choices=[
+            ("exporter", "Exporter"),
+            ("farm", "Farm"),
+            ("group", "Group"),
+            ("host", "Host"),
+            ("project", "Project"),
+            ("rule", "Rule"),
+            ("sender", "Notifier"),
+            ("service", "Service"),
+            ("url", "URL"),
+        ],
+        method=filter_content_type,
+        help_text="Filter by content type model name. Example: content_type=service",
+    )
+    user = django_filters.CharFilter(
+        field_name="user__username",
+        lookup_expr="exact",
+        help_text="Filter by exact owner username. Example: owner=Example Owner",
+    )
+    parent_object_id = django_filters.NumberFilter(
+        field_name="parent_object_id",
+        lookup_expr="exact",
+        help_text="Filter by exact parent object ID. Example: parent_object_id=123",
+    )
+    parent_content_type = django_filters.ChoiceFilter(
+        field_name="parent_content_type",
+        choices=[
+            ("group", "Group"),
+            ("project", "Project"),
+            ("service", "Service"),
+        ],
+        method=filter_content_type,
+        help_text="Filter by parent content type model name. Example: parent_content_type=service",
+    )
@@ -19,6 +19,18 @@
     password: demo
     email: demo@example.com
     is_active: true
+- model: authtoken.token
+  pk: 1
+  fields:
+    user: 1
+    key: admin_token
+    created: 2024-03-18T00:00:00Z
+- model: authtoken.token
+  pk: 2
+  fields:
+    user: 2
+    key: demo_token
+    created: 2024-03-18T00:00:00Z
 - model: promgen.shard
   pk: 1
   fields:
@@ -79,3 +91,19 @@
     project: 1
     probe: 1
     url: probe.example.com
+- model: promgen.audit
+  pk: 1
+  fields:
+    content_type: ["promgen", "service"]
+    object_id: 1
+    body: "Created test-service"
+    user: 1
+    created: 2024-03-19T00:00:00Z
+- model: promgen.audit
+  pk: 2
+  fields:
+    content_type: ["promgen", "project"]
+    object_id: 1
+    body: "Updated test-project"
+    user: 2
+    created: 2024-03-19T01:00:00Z
@@ -625,6 +625,10 @@ def highlight(self):
             return "danger"
         return ""
 
+    @property
+    def parent_content_type(self) -> ContentType:
+        return ContentType.objects.get_for_id(self.parent_content_type_id)
+
     @staticmethod
     def get_parent(obj):
         # The variable's name of the parent object is different depending on the model.
 
@@ -5,7 +5,7 @@
 from django.utils.itercompat import is_iterable
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import permissions
-from rest_framework.permissions import BasePermission
+from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from promgen import models
 
@@ -197,3 +197,39 @@ def get_highest_role(user: User, obj):
                 return role
 
     return None
+
+
+class PromgenGuardianRestPermission(BasePermission):
+    PERMISSION_MANAGEMENT_ACTIONS = ["assign_user", "remove_user", "assign_group", "remove_group"]
+
+    def has_permission(self, request, view):
+        return bool(request.user and request.user.is_authenticated)
+
+    def has_object_permission(self, request, view, obj):
+        if view.action in self.PERMISSION_MANAGEMENT_ACTIONS:
+            perms = ["project_admin", "service_admin"]
+        elif request.method == "DELETE" and isinstance(obj, (models.Project, models.Service)):
+            perms = ["project_admin", "service_admin"]
+        elif request.method not in SAFE_METHODS:
+            perms = [
+                "project_editor",
+                "project_admin",
+                "service_editor",
+                "service_admin",
+                "group_admin",
+            ]
+        else:
+            # Always allow user to view the site rule
+            if isinstance(obj, models.Rule) and isinstance(obj.content_object, models.Site):
+                return True
+            perms = [
+                "project_viewer",
+                "project_editor",
+                "project_admin",
+                "service_viewer",
+                "service_editor",
+                "service_admin",
+                "group_member",
+                "group_admin",
+            ]
+        return has_perm(request.user, perms, obj)
@@ -0,0 +1,111 @@
+# Copyright (c) 2026 LINE Corporation
+# These sources are released under the terms of the MIT license: see LICENSE
+
+from django.contrib.contenttypes.models import ContentType
+from django.db.models import Q
+from django.urls import re_path
+from drf_spectacular.utils import extend_schema, extend_schema_view
+from drf_spectacular.views import SpectacularAPIView
+from rest_framework import mixins, pagination, routers, viewsets
+from rest_framework.authtoken.models import Token
+from rest_framework.renderers import TemplateHTMLRenderer
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from promgen import filters, models, permissions, serializers
+
+
+class SpectacularRapiDocView(APIView):
+    renderer_classes = [TemplateHTMLRenderer]
+    template_name = "rest_framework/api_v2.html"
+
+    @extend_schema(exclude=True)
+    def get(self, request):
+        api_token = Token.objects.filter(user=self.request.user).first()
+        return Response(
+            data={"api_token": api_token},
+            template_name=self.template_name,
+        )
+
+
+class Router(routers.DefaultRouter):
+    include_root_view = False
+
+    def get_urls(self):
+        urls = super().get_urls()
+
+        urls.append(
+            re_path(
+                rf"^schema{self.trailing_slash}$",
+                SpectacularAPIView.as_view(),
+                name="schema",
+            )
+        )
+
+        urls.append(
+            re_path(
+                rf"^docs{self.trailing_slash}$",
+                SpectacularRapiDocView.as_view(),
+                name="docs",
+            )
+        )
+
+        return urls
+
+
+class PromgenPagination(pagination.PageNumberPagination):
+    page_query_param = "page_number"
+    page_size_query_param = "page_size"
+    page_size = 10
+    max_page_size = 1000
+
+    def __init__(self):
+        super().__init__()
+        self.page_query_description = self.page_query_description + " Starts from 1."
+        self.page_size_query_description = self.page_size_query_description + str.format(
+            " Defaults to {}.", self.page_size
+        )
+
+
+@extend_schema_view(
+    list=extend_schema(summary="List Audit Logs", description="Retrieve a list of all audit logs."),
+)
+@extend_schema(tags=["Log"])
+class AuditViewSet(mixins.ListModelMixin, viewsets.GenericViewSet):
+    queryset = models.Audit.objects.all().order_by("-created")
+    filterset_class = filters.AuditFilter
+    serializer_class = serializers.AuditSerializer
+    lookup_value_regex = "[^/]+"
+    lookup_field = "id"
+    pagination_class = PromgenPagination
+    permission_classes = [permissions.PromgenGuardianRestPermission]
+
+    def get_queryset(self):
+        if self.request.user.is_superuser or self.action != "list":
+            return self.queryset
+        services = permissions.get_accessible_services_for_user(self.request.user)
+        projects = permissions.get_accessible_projects_for_user(self.request.user)
+        groups = permissions.get_accessible_groups_for_user(self.request.user)
+        service_ct = ContentType.objects.get_for_model(models.Service)
+        project_ct = ContentType.objects.get_for_model(models.Project)
+        group_ct = ContentType.objects.get_for_model(models.Group)
+        return self.queryset.filter(
+            Q(
+                content_type__model="service",
+                content_type__app_label="promgen",
+                object_id__in=services,
+            )
+            | Q(
+                content_type__model="project",
+                content_type__app_label="promgen",
+                object_id__in=projects,
+            )
+            | Q(
+                content_type__model="group",
+                content_type__app_label="auth",
+                object_id__in=groups,
+            )
+            | Q(parent_content_type_id=service_ct.id, parent_object_id__in=services)
+            | Q(parent_content_type_id=project_ct.id, parent_object_id__in=projects)
+            | Q(parent_content_type_id=group_ct.id, parent_object_id__in=groups)
+        )
@@ -0,0 +1,6 @@
+from drf_spectacular.openapi import AutoSchema
+
+
+class CustomSchema(AutoSchema):
+    def is_excluded(self):
+        return not self.path.startswith("/rest/v2/") or self.path.startswith("/rest/v2/schema/")
@@ -162,3 +162,26 @@ def validate(self, data):
             raise errors.SilenceError.STARTENDMISMATCH.error()
 
         return data
+
+
+class AuditSerializer(serializers.ModelSerializer):
+    user = serializers.ReadOnlyField(source="user.username")
+    log = serializers.ReadOnlyField(source="body")
+    content_type = serializers.ReadOnlyField(source="content_type.model")
+    new = serializers.ReadOnlyField(source="data")
+    parent_content_type = serializers.ReadOnlyField(source="parent_content_type.model")
+
+    class Meta:
+        model = models.Audit
+        fields = (
+            "id",
+            "user",
+            "content_type",
+            "object_id",
+            "log",
+            "created",
+            "new",
+            "old",
+            "parent_content_type",
+            "parent_object_id",
+        )