Added CLIs to access audit log files.

New pki audit commands have been added to list and retrieve audit
log files.

Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5

14 files changed, 501 insertions, 1 deletions

diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index c487e4802..a8fe65c2f 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.ca.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 certs = certServer.ca.certs,execute
 certrequests = certServer.ca.certrequests,execute
 groups = certServer.ca.groups,execute
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditClient.java b/base/common/src/com/netscape/certsrv/logging/AuditClient.java
index 018850c57..9451e83a8 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditClient.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditClient.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.logging;
 import java.net.URISyntaxException;
 
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.StreamingOutput;
 
 import com.netscape.certsrv.client.Client;
 import com.netscape.certsrv.client.PKIClient;
@@ -54,4 +55,14 @@ public class AuditClient extends Client {
         Response response = resource.changeAuditStatus(action);
         return client.getEntity(response, AuditConfig.class);
     }
+
+    public AuditFileCollection findAuditFiles() {
+        Response response = resource.findAuditFiles();
+        return client.getEntity(response, AuditFileCollection.class);
+    }
+
+    public StreamingOutput getAuditFile(String filename) throws Exception {
+        Response response = resource.getAuditFile(filename);
+        return client.getEntity(response, StreamingOutput.class);
+    }
 }
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFile.java b/base/common/src/com/netscape/certsrv/logging/AuditFile.java
new file mode 100644
index 000000000..0edfc3a65
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFile.java
@@ -0,0 +1,123 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.logging;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="AuditFile")
+@XmlAccessorType(XmlAccessType.NONE)
+public class AuditFile {
+
+    String name;
+    Long size;
+
+    @XmlAttribute(name="name")
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    @XmlElement(name="Size")
+    public Long getSize() {
+        return size;
+    }
+
+    public void setSize(Long size) {
+        this.size = size;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((name == null) ? 0 : name.hashCode());
+        result = prime * result + ((size == null) ? 0 : size.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AuditFile other = (AuditFile) obj;
+        if (name == null) {
+            if (other.name != null)
+                return false;
+        } else if (!name.equals(other.name))
+            return false;
+        if (size == null) {
+            if (other.size != null)
+                return false;
+        } else if (!size.equals(other.size))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            Marshaller marshaller = JAXBContext.newInstance(AuditFile.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static AuditFile valueOf(String string) throws Exception {
+        Unmarshaller unmarshaller = JAXBContext.newInstance(AuditFile.class).createUnmarshaller();
+        return (AuditFile)unmarshaller.unmarshal(new StringReader(string));
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        AuditFile before = new AuditFile();
+        before.setName("audit.log");
+        before.setSize(1024l);
+
+        String string = before.toString();
+        System.out.println(string);
+
+        AuditFile after = AuditFile.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
new file mode 100644
index 000000000..e5c4e203c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.logging;
+
+import java.util.Collection;
+
+import javax.xml.bind.annotation.XmlElementRef;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import com.netscape.certsrv.base.DataCollection;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="AuditFiles")
+public class AuditFileCollection extends DataCollection<AuditFile> {
+
+    @XmlElementRef
+    public Collection<AuditFile> getEntries() {
+        return super.getEntries();
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditResource.java b/base/common/src/com/netscape/certsrv/logging/AuditResource.java
index 9b14986b1..4d3373565 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditResource.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditResource.java
@@ -20,8 +20,12 @@ package com.netscape.certsrv.logging;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.StreamingOutput;
 
 import org.jboss.resteasy.annotations.ClientResponseType;
 
@@ -35,11 +39,11 @@ import com.netscape.certsrv.base.PATCH;
  */
 @Path("audit")
 @AuthMethodMapping("audit")
-@ACLMapping("audit.read")
 public interface AuditResource {
 
     @GET
     @ClientResponseType(entityType=AuditConfig.class)
+    @ACLMapping("audit.read")
     public Response getAuditConfig();
 
     @PATCH
@@ -52,4 +56,17 @@ public interface AuditResource {
     @ACLMapping("audit.modify")
     public Response changeAuditStatus(
             @QueryParam("action") String action);
+
+    @GET
+    @Path("files")
+    @ClientResponseType(entityType=AuditFileCollection.class)
+    @ACLMapping("audit-log.read")
+    public Response findAuditFiles();
+
+    @GET
+    @Path("files/{filename}")
+    @Produces(MediaType.APPLICATION_OCTET_STREAM)
+    @ClientResponseType(entityType=StreamingOutput.class)
+    @ACLMapping("audit-log.read")
+    public Response getAuditFile(@PathParam("filename") String filename);
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
index ff489dceb..06ba040ec 100644
--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
@@ -26,6 +26,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.logging.AuditClient;
 import com.netscape.certsrv.logging.AuditConfig;
+import com.netscape.certsrv.logging.AuditFile;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.SubsystemCLI;
 
@@ -42,8 +43,13 @@ public class AuditCLI extends CLI {
 
         this.subsystemCLI = subsystemCLI;
 
+        // audit configuration
         addModule(new AuditModifyCLI(this));
         addModule(new AuditShowCLI(this));
+
+        // audit files
+        addModule(new AuditFileFindCLI(this));
+        addModule(new AuditFileRetrieveCLI(this));
     }
 
     @Override
@@ -83,4 +89,9 @@ public class AuditCLI extends CLI {
             System.out.println("  Link: " + link.getHref());
         }
     }
+
+    public static void printAuditFile(AuditFile auditFile) {
+        System.out.println("  File name: " + auditFile.getName());
+        System.out.println("  Size: " + auditFile.getSize());
+    }
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
new file mode 100644
index 000000000..5ae9ce735
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
@@ -0,0 +1,90 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmstools.logging;
+
+import java.util.Collection;
+
+import org.apache.commons.cli.CommandLine;
+
+import com.netscape.certsrv.logging.AuditClient;
+import com.netscape.certsrv.logging.AuditFile;
+import com.netscape.certsrv.logging.AuditFileCollection;
+import com.netscape.cmstools.cli.CLI;
+import com.netscape.cmstools.cli.MainCLI;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class AuditFileFindCLI extends CLI {
+
+    public AuditCLI auditCLI;
+
+    public AuditFileFindCLI(AuditCLI auditCLI) {
+        super("file-find", "Find audit files", auditCLI);
+        this.auditCLI = auditCLI;
+
+        createOptions();
+    }
+
+    public void printHelp() {
+        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+    }
+
+    public void createOptions() {
+        options.addOption(null, "help", false, "Show help message.");
+    }
+
+    public void execute(String[] args) throws Exception {
+
+        CommandLine cmd = parser.parse(options, args);
+
+        if (cmd.hasOption("help")) {
+            printHelp();
+            return;
+        }
+
+        String[] cmdArgs = cmd.getArgs();
+
+        if (cmdArgs.length > 0) {
+            throw new Exception("Too many arguments specified.");
+        }
+
+        AuditClient auditClient = auditCLI.getAuditClient();
+        AuditFileCollection response = auditClient.findAuditFiles();
+
+        MainCLI.printMessage(response.getTotal() + " entries matched");
+        if (response.getTotal() == 0) return;
+
+        Collection<AuditFile> entries = response.getEntries();
+        boolean first = true;
+
+        for (AuditFile auditFile : entries) {
+
+            if (first) {
+                first = false;
+            } else {
+                System.out.println();
+            }
+
+            AuditCLI.printAuditFile(auditFile);
+        }
+
+        MainCLI.printMessage("Number of entries returned " + entries.size());
+    }
+}
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
new file mode 100644
index 000000000..07af3a416
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
@@ -0,0 +1,87 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmstools.logging;
+
+import java.io.FileOutputStream;
+import java.io.OutputStream;
+
+import javax.ws.rs.core.StreamingOutput;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+
+import com.netscape.certsrv.logging.AuditClient;
+import com.netscape.cmstools.cli.CLI;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class AuditFileRetrieveCLI extends CLI {
+
+    public AuditCLI auditCLI;
+
+    public AuditFileRetrieveCLI(AuditCLI auditCLI) {
+        super("file-retrieve", "Retrieve audit file", auditCLI);
+        this.auditCLI = auditCLI;
+
+        createOptions();
+    }
+
+    public void printHelp() {
+        formatter.printHelp(getFullName() + " <filename> [OPTIONS...]", options);
+    }
+
+    public void createOptions() {
+        Option option = new Option(null, "output", true, "Output file.");
+        option.setArgName("path");
+        options.addOption(option);
+
+        options.addOption(null, "help", false, "Show help message.");
+    }
+
+    public void execute(String[] args) throws Exception {
+
+        CommandLine cmd = parser.parse(options, args);
+
+        if (cmd.hasOption("help")) {
+            printHelp();
+            return;
+        }
+
+        String[] cmdArgs = cmd.getArgs();
+
+        if (cmdArgs.length < 1) {
+            throw new Exception("Missing audit file name.");
+
+        } if (cmdArgs.length > 1) {
+            throw new Exception("Too many arguments specified.");
+        }
+
+        String filename = cmdArgs[0];
+        String output = cmd.getOptionValue("output");
+        if (output == null) output = filename;
+
+        AuditClient auditClient = auditCLI.getAuditClient();
+        StreamingOutput so = auditClient.getAuditFile(filename);
+
+        try (OutputStream out = new FileOutputStream(output)) {
+            so.write(out);
+        }
+    }
+}
diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
index 8cac3ee63..bcb1456b5 100644
--- a/base/kra/shared/conf/acl.properties
+++ b/base/kra/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.kra.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 groups = certServer.kra.groups,execute
 keys = certServer.kra.keys,execute
 keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
index 26b212d9d..e8188b87c 100644
--- a/base/ocsp/shared/conf/acl.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.ocsp.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 groups = certServer.ocsp.groups,execute
 selftests.read = certServer.ocsp.selftests,read
 selftests.execute = certServer.ocsp.selftests,execute
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
index 8dfbef1e5..e023aa682 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
@@ -59,6 +59,7 @@ public class PKIService {
             MediaType.APPLICATION_XML_TYPE,
             MediaType.APPLICATION_JSON_TYPE,
             MediaType.APPLICATION_FORM_URLENCODED_TYPE,
+            MediaType.APPLICATION_OCTET_STREAM_TYPE,
             MediaType.valueOf("application/pkix-cert"),
             MediaType.valueOf("application/pkcs7-mime"),
             MediaType.valueOf("application/x-pem-file")
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index 9af95d992..7bb048f19 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -18,16 +18,27 @@
 
 package org.dogtagpki.server.rest;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.TreeSet;
 
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.StreamingOutput;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -36,7 +47,10 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.logging.AuditConfig;
+import com.netscape.certsrv.logging.AuditFile;
+import com.netscape.certsrv.logging.AuditFileCollection;
 import com.netscape.certsrv.logging.AuditResource;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.SubsystemService;
@@ -299,6 +313,99 @@ public class AuditService extends SubsystemService implements AuditResource {
         }
     }
 
+    public File getCurrentLogFile() {
+        IConfigStore cs = CMS.getConfigStore();
+        String filename = cs.get("log.instance.SignedAudit.fileName");
+        return new File(filename);
+    }
+
+    public File getLogDirectory() {
+        File file = getCurrentLogFile();
+        return file.getParentFile();
+    }
+
+    public List<File> getLogFiles() {
+
+        List<String> filenames = new ArrayList<>();
+
+        File currentFile = getCurrentLogFile();
+        String currentFilename = currentFile.getName();
+        File logDir = currentFile.getParentFile();
+
+        // add all log files except the current one
+        for (String filename : logDir.list()) {
+            if (filename.equals(currentFilename)) continue;
+            filenames.add(filename);
+        }
+
+        // sort log files in ascending order
+        Collections.sort(filenames);
+
+        // add the current log file last (i.e. newest)
+        filenames.add(currentFilename);
+
+        List<File> files = new ArrayList<>();
+        for (String filename : filenames) {
+            files.add(new File(logDir, filename));
+        }
+
+        return files;
+    }
+
+    @Override
+    public Response findAuditFiles() {
+
+        AuditFileCollection response = new AuditFileCollection();
+
+        List<File> files = getLogFiles();
+
+        CMS.debug("Audit files:");
+        for (File file : files) {
+            String name = file.getName();
+            CMS.debug(" - " + name);
+
+            AuditFile auditFile = new AuditFile();
+            auditFile.setName(name);
+            auditFile.setSize(file.length());
+
+            response.addEntry(auditFile);
+        }
+
+        response.setTotal(files.size());
+
+        return createOKResponse(response);
+    }
+
+    @Override
+    public Response getAuditFile(String filename) {
+
+        // make sure filename does not contain path
+        if (!new File(filename).getName().equals(filename)) {
+            CMS.debug("Invalid file name: " + filename);
+            throw new BadRequestException("Invalid file name: " + filename);
+        }
+
+        File logDir = getLogDirectory();
+        File file = new File(logDir, filename);
+
+        if (!file.exists()) {
+            throw new ResourceNotFoundException("File not found: " + filename);
+        }
+
+        StreamingOutput so = new StreamingOutput() {
+
+            @Override
+            public void write(OutputStream out) throws IOException, WebApplicationException {
+
+                try (InputStream is = new FileInputStream(file)) {
+                    IOUtils.copy(is, out);
+                }
+            }
+        };
+
+        return createOKResponse(so);
+    }
+
     /*
      * in case of failure, "info" should be in the params
      */
diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
index 7146d3869..5c072c7c6 100644
--- a/base/tks/shared/conf/acl.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.tks.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 groups = certServer.tks.groups,execute
 selftests.read = certServer.tks.selftests,read
 selftests.execute = certServer.tks.selftests,execute
diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
index 1c581b372..6b5148564 100644
--- a/base/tps/shared/conf/acl.properties
+++ b/base/tps/shared/conf/acl.properties
@@ -13,6 +13,9 @@ account.logout = certServer.tps.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 authenticators.read = certServer.tps.authenticators,read
 authenticators.add = certServer.tps.authenticators,add
 authenticators.modify = certServer.tps.authenticators,modify