author | Endi S. Dewata <edewata@redhat.com> | 2017-04-20 16:49:28 +0200 |
committer | Endi S. Dewata <edewata@redhat.com> | 2017-04-24 20:41:19 +0200 |
commit | 30d1575046065dbd79f537e5f819c405e45af0bc (patch) | |
tree | 3043907073e9e092763cf5fa8570b485d24dde28 | |
parent | fdcb514b0711f10eab47c81837138192207e44b4 (diff) | |
Added AuthzFailEvent.
A new AuthzFailEvent class has been added to encapsulate the
AUTHZ_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
5 files changed, 118 insertions, 98 deletions
diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java
new file mode 100644
index 000000000..1e4491954
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java
@@ -0,0 +1,59 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+
+public class AuthzFailEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public AuthzFailEvent(
+ String subjectID,
+ String outcome,
+ String aclResource,
+ String operation) {
+
+ super(AUTHZ_FAIL);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ aclResource,
+ operation
+ });
+ }
+
+ public AuthzFailEvent(
+ String subjectID,
+ String outcome,
+ String aclResource,
+ String operation,
+ String info) {
+
+ super(AUTHZ_FAIL_INFO);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ aclResource,
+ operation,
+ info
+ });
+ }
+}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index adf942422..ecc6a7d7d 100644
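Review bot: AuthzFailEvent has no Javadoc, so the fact that constructor arity selects the event type (four arguments call `super(AUTHZ_FAIL)`, five call `super(AUTHZ_FAIL_INFO)`) is only discoverable by reading both bodies. Add a class comment such as `/** Audit event for a failed authorization check: the 4-arg form emits AUTHZ_FAIL, the 5-arg form emits AUTHZ_FAIL_INFO with a free-text detail. */` and note on the second constructor that passing null as info still selects AUTHZ_FAIL_INFO. The ACLInterceptor hunks in this commit pass null for aclResource and operation, so the parameter docs should state that both are nullable and are stored into the event parameters unchanged by `setParameters`. Whether the AUTHZ_FAIL and AUTHZ_FAIL_INFO message templates expect exactly four and five parameters is not visible here and should be confirmed against the message bundle.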
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java @@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.AuthFailEvent; import com.netscape.certsrv.logging.event.AuthSuccessEvent; +import com.netscape.certsrv.logging.event.AuthzFailEvent; import com.netscape.certsrv.logging.event.AuthzSuccessEvent; import com.netscape.certsrv.usrgrp.EUsrGrpException; import com.netscape.certsrv.usrgrp.IUGSubsystem; @@ -611,15 +612,11 @@ public class AdminServlet extends HttpServlet { } catch (EAuthzAccessDenied e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( @@ -634,15 +631,11 @@ public class AdminServlet extends HttpServlet { } catch (EBaseException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( 
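Review bot: In the `catch (EAuthzAccessDenied e)` hunk at @@ -611 the reason for the denial reaches only the system log via `log(ILogger.LL_FAILURE, ...)` while the signed audit event is built without it; the same holds for the `catch (EBaseException e)` hunk at @@ -634. Since this commit introduces a five-argument constructor, `audit(new AuthzFailEvent(auditSubjectID, ILogger.FAILURE, auditACLResource, auditOperation, e.getMessage()));` would carry the detail, but it changes the event name to AUTHZ_FAIL_INFO, so it is only appropriate if consumers of the audit trail treat the two events alike — that is not visible here. If AUTHZ_FAIL must be kept for these paths, a short comment stating that the detail is deliberately left to the system log would help the next reader. The enclosing method starts and ends outside the hunk.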
@@ -655,15 +648,12 @@ public class AdminServlet extends HttpServlet { return null; } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java index c70f55ae6..afb109a68 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java @@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.AuthFailEvent; import com.netscape.certsrv.logging.event.AuthSuccessEvent; +import com.netscape.certsrv.logging.event.AuthzFailEvent; import com.netscape.certsrv.logging.event.AuthzSuccessEvent; import com.netscape.certsrv.ra.IRegistrationAuthority; import com.netscape.certsrv.request.IRequest; @@ -1839,14 +1840,12 @@ public abstract class CMSServlet extends HttpServlet { audit(auditMessage); } else { - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); auditMessage = CMS.getLogMessage( AuditEvent.ROLE_ASSUME, @@ -1858,14 +1857,12 @@ public abstract class CMSServlet extends HttpServlet { } return authzToken; } catch (Exception e) { - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); auditMessage = CMS.getLogMessage( AuditEvent.ROLE_ASSUME, 
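Review bot: The `catch (Exception e)` hunk at @@ -655 replaces the removed `// store a message in the signed audit log file` comment with an empty added line, so the block now opens with a stray blank line before `audit(new AuthzFailEvent(`. The same empty `+` line is added in the CMSServlet hunks at @@ -1839, @@ -1858, @@ -1970, @@ -1992 and @@ -2013, the CAProcessor hunks at @@ -724, @@ -743, @@ -854 and @@ -876, and the ACLInterceptor hunks at @@ -213, @@ -246, @@ -273 and @@ -290. Dropping the empty line, or keeping the comment as the AdminServlet hunks at @@ -611 and @@ -634 do, would keep the audit-call style consistent across the five files. The enclosing method starts and ends outside the hunk.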
@@ -1970,15 +1967,12 @@ public abstract class CMSServlet extends HttpServlet { audit(auditMessage); } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( @@ -1992,15 +1986,12 @@ public abstract class CMSServlet extends HttpServlet { return authzTok; } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( @@ -2013,15 +2004,12 @@ public abstract class CMSServlet extends HttpServlet { return null; } catch (Exception eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index 8760caf4d..1d04f3a85 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java 
@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.AuthFailEvent; import com.netscape.certsrv.logging.event.AuthSuccessEvent; +import com.netscape.certsrv.logging.event.AuthzFailEvent; import com.netscape.certsrv.logging.event.AuthzSuccessEvent; import com.netscape.certsrv.profile.IProfile; import com.netscape.certsrv.profile.IProfileAuthenticator; @@ -724,14 +725,12 @@ public class CAProcessor extends Processor { audit(auditMessage); } else { - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); auditMessage = CMS.getLogMessage( AuditEvent.ROLE_ASSUME, @@ -743,14 +742,12 @@ public class CAProcessor extends Processor { } return authzToken; } catch (EBaseException e) { - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); auditMessage = CMS.getLogMessage( AuditEvent.ROLE_ASSUME, @@ -854,15 +851,12 @@ public class CAProcessor extends Processor { audit(auditMessage); } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( 
@@ -876,15 +870,12 @@ public class CAProcessor extends Processor { return authzTok; } catch (Exception eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, auditACLResource, - auditOperation); - - audit(auditMessage); + auditOperation)); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java index 490eaed7c..b4f75f1c8 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java @@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ForbiddenException; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.AuthzFailEvent; import com.netscape.certsrv.logging.event.AuthzSuccessEvent; import com.netscape.cms.realm.PKIPrincipal; @@ -108,7 +109,6 @@ public class ACLInterceptor implements ContainerRequestFilter { String auditInfo = clazz.getSimpleName() + "." + method.getName(); CMS.debug("ACLInterceptor: " + auditInfo + "()"); - String auditMessage = null; String auditSubjectID = ILogger.UNIDENTIFIED; /* 
@@ -174,14 +174,13 @@ public class ACLInterceptor implements ContainerRequestFilter { CMS.debug("ACLInterceptor: No authentication token present."); // store a message in the signed audit log file // although if it didn't pass authentication, it should not have gotten here - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL_INFO, + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, null, // resource null, // operation - LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo); - audit(auditMessage); + LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo)); + throw new ForbiddenException("No authorization token present."); } if (authToken != null) @@ -213,16 +212,14 @@ public class ACLInterceptor implements ContainerRequestFilter { value = properties.getProperty(name); } catch (IOException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL_INFO, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, null, //resource null, //operation - LOGGING_ACL_PARSING_ERROR + ":" + auditInfo); + LOGGING_ACL_PARSING_ERROR + ":" + auditInfo)); - audit(auditMessage); e.printStackTrace(); throw new Failure(e); } @@ -246,16 +243,14 @@ public class ACLInterceptor implements ContainerRequestFilter { // If invalid mapping, reject request. if (values.length != 2) { CMS.debug("ACLInterceptor: Invalid ACL mapping."); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL_INFO, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, null, //resource null, //operation - LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo); + LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo)); - audit(auditMessage); throw new ForbiddenException("Invalid ACL mapping."); } 
@@ -273,15 +268,14 @@ public class ACLInterceptor implements ContainerRequestFilter { if (authzToken == null) { String info = "No authorization token present."; CMS.debug("ACLInterceptor: " + info); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL_INFO, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, values[0], // resource values[1], // operation - info); - audit(auditMessage); + info)); + throw new ForbiddenException("No authorization token present."); } @@ -290,28 +284,26 @@ public class ACLInterceptor implements ContainerRequestFilter { } catch (EAuthzAccessDenied e) { String info = e.getMessage(); CMS.debug("ACLInterceptor: " + info); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL_INFO, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, values[0], // resource values[1], // operation - info); - audit(auditMessage); + info)); + throw new ForbiddenException(e.toString()); } catch (EBaseException e) { String info = e.getMessage(); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.AUTHZ_FAIL_INFO, + + audit(new AuthzFailEvent( auditSubjectID, ILogger.FAILURE, values[0], // resource values[1], // operation - info); - audit(auditMessage); + info)); + e.printStackTrace(); throw new Failure(e); } |