diff options
author | Endi S. Dewata <edewata@redhat.com> | 2017-03-28 21:02:22 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-04-04 22:07:54 +0200 |
commit | 88cd07655268831e14e7cd4f6f6a65e331f86583 (patch) | |
tree | 9519b55cfa1638746423e7e5a227783a42a2af73 | |
parent | 6a682f8e56c982ed0e0810326e71f9de23347590 (diff) | |
download | pki-88cd07655268831e14e7cd4f6f6a65e331f86583.tar.gz pki-88cd07655268831e14e7cd4f6f6a65e331f86583.tar.xz pki-88cd07655268831e14e7cd4f6f6a65e331f86583.zip |
Added CLIs to access audit log files.
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
14 files changed, 501 insertions, 1 deletions
diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties index c487e4802..a8fe65c2f 100644 --- a/base/ca/shared/conf/acl.properties +++ b/base/ca/shared/conf/acl.properties @@ -12,6 +12,9 @@ account.logout = certServer.ca.account,logout audit.read = certServer.log.configuration,read audit.modify = certServer.log.configuration,modify +# audit logs +audit-log.read = certServer.log.content.signedAudit,read + certs = certServer.ca.certs,execute certrequests = certServer.ca.certrequests,execute groups = certServer.ca.groups,execute diff --git a/base/common/src/com/netscape/certsrv/logging/AuditClient.java b/base/common/src/com/netscape/certsrv/logging/AuditClient.java index 018850c57..9451e83a8 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditClient.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditClient.java @@ -20,6 +20,7 @@ package com.netscape.certsrv.logging; import java.net.URISyntaxException; import javax.ws.rs.core.Response; +import javax.ws.rs.core.StreamingOutput; import com.netscape.certsrv.client.Client; import com.netscape.certsrv.client.PKIClient; @@ -54,4 +55,14 @@ public class AuditClient extends Client { Response response = resource.changeAuditStatus(action); return client.getEntity(response, AuditConfig.class); } + + public AuditFileCollection findAuditFiles() { + Response response = resource.findAuditFiles(); + return client.getEntity(response, AuditFileCollection.class); + } + + public StreamingOutput getAuditFile(String filename) throws Exception { + Response response = resource.getAuditFile(filename); + return client.getEntity(response, StreamingOutput.class); + } } diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFile.java b/base/common/src/com/netscape/certsrv/logging/AuditFile.java new file mode 100644 index 000000000..0edfc3a65 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/AuditFile.java @@ -0,0 +1,123 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.logging; + +import java.io.StringReader; +import java.io.StringWriter; + +import javax.xml.bind.JAXBContext; +import javax.xml.bind.Marshaller; +import javax.xml.bind.Unmarshaller; +import javax.xml.bind.annotation.XmlAccessType; +import javax.xml.bind.annotation.XmlAccessorType; +import javax.xml.bind.annotation.XmlAttribute; +import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlRootElement; + +/** + * @author Endi S. Dewata + */ +@XmlRootElement(name="AuditFile") +@XmlAccessorType(XmlAccessType.NONE) +public class AuditFile { + + String name; + Long size; + + @XmlAttribute(name="name") + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + @XmlElement(name="Size") + public Long getSize() { + return size; + } + + public void setSize(Long size) { + this.size = size; + } + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((name == null) ? 0 : name.hashCode()); + result = prime * result + ((size == null) ? 0 : size.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + AuditFile other = (AuditFile) obj; + if (name == null) { + if (other.name != null) + return false; + } else if (!name.equals(other.name)) + return false; + if (size == null) { + if (other.size != null) + return false; + } else if (!size.equals(other.size)) + return false; + return true; + } + + public String toString() { + try { + Marshaller marshaller = JAXBContext.newInstance(AuditFile.class).createMarshaller(); + marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); + + StringWriter sw = new StringWriter(); + marshaller.marshal(this, sw); + return sw.toString(); + + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + public static AuditFile valueOf(String string) throws Exception { + Unmarshaller unmarshaller = JAXBContext.newInstance(AuditFile.class).createUnmarshaller(); + return (AuditFile)unmarshaller.unmarshal(new StringReader(string)); + } + + public static void main(String args[]) throws Exception { + + AuditFile before = new AuditFile(); + before.setName("audit.log"); + before.setSize(1024l); + + String string = before.toString(); + System.out.println(string); + + AuditFile after = AuditFile.valueOf(string); + System.out.println(before.equals(after)); + } +} diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java new file mode 100644 index 000000000..e5c4e203c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java @@ -0,0 +1,38 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.logging; + +import java.util.Collection; + +import javax.xml.bind.annotation.XmlElementRef; +import javax.xml.bind.annotation.XmlRootElement; + +import com.netscape.certsrv.base.DataCollection; + +/** + * @author Endi S. Dewata + */ +@XmlRootElement(name="AuditFiles") +public class AuditFileCollection extends DataCollection<AuditFile> { + + @XmlElementRef + public Collection<AuditFile> getEntries() { + return super.getEntries(); + } +} diff --git a/base/common/src/com/netscape/certsrv/logging/AuditResource.java b/base/common/src/com/netscape/certsrv/logging/AuditResource.java index 9b14986b1..4d3373565 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditResource.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditResource.java @@ -20,8 +20,12 @@ package com.netscape.certsrv.logging; import javax.ws.rs.GET; import javax.ws.rs.POST; import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; +import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; +import javax.ws.rs.core.StreamingOutput; import org.jboss.resteasy.annotations.ClientResponseType; @@ -35,11 +39,11 @@ import com.netscape.certsrv.base.PATCH; */ @Path("audit") @AuthMethodMapping("audit") -@ACLMapping("audit.read") public interface AuditResource { @GET @ClientResponseType(entityType=AuditConfig.class) + @ACLMapping("audit.read") public Response getAuditConfig(); @PATCH @@ -52,4 +56,17 @@ public interface AuditResource { @ACLMapping("audit.modify") public Response changeAuditStatus( @QueryParam("action") String action); + + @GET + @Path("files") + @ClientResponseType(entityType=AuditFileCollection.class) + @ACLMapping("audit-log.read") + public Response findAuditFiles(); + + @GET + @Path("files/{filename}") + @Produces(MediaType.APPLICATION_OCTET_STREAM) + @ClientResponseType(entityType=StreamingOutput.class) + @ACLMapping("audit-log.read") + public Response getAuditFile(@PathParam("filename") String filename); } diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java index ff489dceb..06ba040ec 100644 --- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java @@ -26,6 +26,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link; import com.netscape.certsrv.client.PKIClient; import com.netscape.certsrv.logging.AuditClient; import com.netscape.certsrv.logging.AuditConfig; +import com.netscape.certsrv.logging.AuditFile; import com.netscape.cmstools.cli.CLI; import com.netscape.cmstools.cli.SubsystemCLI; @@ -42,8 +43,13 @@ public class AuditCLI extends CLI { this.subsystemCLI = subsystemCLI; + // audit configuration addModule(new AuditModifyCLI(this)); addModule(new AuditShowCLI(this)); + + // audit files + addModule(new AuditFileFindCLI(this)); + addModule(new AuditFileRetrieveCLI(this)); } @Override @@ -83,4 +89,9 @@ public class AuditCLI extends CLI { System.out.println(" Link: " + link.getHref()); } } + + public static void printAuditFile(AuditFile auditFile) { + System.out.println(" File name: " + auditFile.getName()); + System.out.println(" Size: " + auditFile.getSize()); + } } diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java new file mode 100644 index 000000000..5ae9ce735 --- /dev/null +++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java @@ -0,0 +1,90 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cmstools.logging; + +import java.util.Collection; + +import org.apache.commons.cli.CommandLine; + +import com.netscape.certsrv.logging.AuditClient; +import com.netscape.certsrv.logging.AuditFile; +import com.netscape.certsrv.logging.AuditFileCollection; +import com.netscape.cmstools.cli.CLI; +import com.netscape.cmstools.cli.MainCLI; + +/** + * @author Endi S. Dewata + */ +public class AuditFileFindCLI extends CLI { + + public AuditCLI auditCLI; + + public AuditFileFindCLI(AuditCLI auditCLI) { + super("file-find", "Find audit files", auditCLI); + this.auditCLI = auditCLI; + + createOptions(); + } + + public void printHelp() { + formatter.printHelp(getFullName() + " [OPTIONS...]", options); + } + + public void createOptions() { + options.addOption(null, "help", false, "Show help message."); + } + + public void execute(String[] args) throws Exception { + + CommandLine cmd = parser.parse(options, args); + + if (cmd.hasOption("help")) { + printHelp(); + return; + } + + String[] cmdArgs = cmd.getArgs(); + + if (cmdArgs.length > 0) { + throw new Exception("Too many arguments specified."); + } + + AuditClient auditClient = auditCLI.getAuditClient(); + AuditFileCollection response = auditClient.findAuditFiles(); + + MainCLI.printMessage(response.getTotal() + " entries matched"); + if (response.getTotal() == 0) return; + + Collection<AuditFile> entries = response.getEntries(); + boolean first = true; + + for (AuditFile auditFile : entries) { + + if (first) { + first = false; + } else { + System.out.println(); + } + + AuditCLI.printAuditFile(auditFile); + } + + MainCLI.printMessage("Number of entries returned " + entries.size()); + } +} diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java new file mode 100644 index 000000000..07af3a416 --- /dev/null +++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java @@ -0,0 +1,87 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cmstools.logging; + +import java.io.FileOutputStream; +import java.io.OutputStream; + +import javax.ws.rs.core.StreamingOutput; + +import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.Option; + +import com.netscape.certsrv.logging.AuditClient; +import com.netscape.cmstools.cli.CLI; + +/** + * @author Endi S. Dewata + */ +public class AuditFileRetrieveCLI extends CLI { + + public AuditCLI auditCLI; + + public AuditFileRetrieveCLI(AuditCLI auditCLI) { + super("file-retrieve", "Retrieve audit file", auditCLI); + this.auditCLI = auditCLI; + + createOptions(); + } + + public void printHelp() { + formatter.printHelp(getFullName() + " <filename> [OPTIONS...]", options); + } + + public void createOptions() { + Option option = new Option(null, "output", true, "Output file."); + option.setArgName("path"); + options.addOption(option); + + options.addOption(null, "help", false, "Show help message."); + } + + public void execute(String[] args) throws Exception { + + CommandLine cmd = parser.parse(options, args); + + if (cmd.hasOption("help")) { + printHelp(); + return; + } + + String[] cmdArgs = cmd.getArgs(); + + if (cmdArgs.length < 1) { + throw new Exception("Missing audit file name."); + + } if (cmdArgs.length > 1) { + throw new Exception("Too many arguments specified."); + } + + String filename = cmdArgs[0]; + String output = cmd.getOptionValue("output"); + if (output == null) output = filename; + + AuditClient auditClient = auditCLI.getAuditClient(); + StreamingOutput so = auditClient.getAuditFile(filename); + + try (OutputStream out = new FileOutputStream(output)) { + so.write(out); + } + } +} diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties index 8cac3ee63..bcb1456b5 100644 --- a/base/kra/shared/conf/acl.properties +++ b/base/kra/shared/conf/acl.properties @@ -12,6 +12,9 @@ account.logout = certServer.kra.account,logout audit.read = certServer.log.configuration,read audit.modify = certServer.log.configuration,modify +# audit logs +audit-log.read = certServer.log.content.signedAudit,read + groups = certServer.kra.groups,execute keys = certServer.kra.keys,execute keyrequests = certServer.kra.keyrequests,execute diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties index 26b212d9d..e8188b87c 100644 --- a/base/ocsp/shared/conf/acl.properties +++ b/base/ocsp/shared/conf/acl.properties @@ -12,6 +12,9 @@ account.logout = certServer.ocsp.account,logout audit.read = certServer.log.configuration,read audit.modify = certServer.log.configuration,modify +# audit logs +audit-log.read = certServer.log.content.signedAudit,read + groups = certServer.ocsp.groups,execute selftests.read = certServer.ocsp.selftests,read selftests.execute = certServer.ocsp.selftests,execute diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java index 8dfbef1e5..e023aa682 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java +++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java @@ -59,6 +59,7 @@ public class PKIService { MediaType.APPLICATION_XML_TYPE, MediaType.APPLICATION_JSON_TYPE, MediaType.APPLICATION_FORM_URLENCODED_TYPE, + MediaType.APPLICATION_OCTET_STREAM_TYPE, MediaType.valueOf("application/pkix-cert"), MediaType.valueOf("application/pkcs7-mime"), MediaType.valueOf("application/x-pem-file") diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java index 9af95d992..7bb048f19 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java @@ -18,16 +18,27 @@ package org.dogtagpki.server.rest; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; import java.io.UnsupportedEncodingException; import java.net.URI; +import java.util.ArrayList; import java.util.Collection; +import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.TreeMap; import java.util.TreeSet; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Response; +import javax.ws.rs.core.StreamingOutput; +import org.apache.commons.io.IOUtils; import org.apache.commons.lang.StringUtils; import org.jboss.resteasy.plugins.providers.atom.Link; @@ -36,7 +47,10 @@ import com.netscape.certsrv.base.BadRequestException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; +import com.netscape.certsrv.base.ResourceNotFoundException; import com.netscape.certsrv.logging.AuditConfig; +import com.netscape.certsrv.logging.AuditFile; +import com.netscape.certsrv.logging.AuditFileCollection; import com.netscape.certsrv.logging.AuditResource; import com.netscape.certsrv.logging.ILogger; import com.netscape.cms.servlet.base.SubsystemService; @@ -299,6 +313,99 @@ public class AuditService extends SubsystemService implements AuditResource { } } + public File getCurrentLogFile() { + IConfigStore cs = CMS.getConfigStore(); + String filename = cs.get("log.instance.SignedAudit.fileName"); + return new File(filename); + } + + public File getLogDirectory() { + File file = getCurrentLogFile(); + return file.getParentFile(); + } + + public List<File> getLogFiles() { + + List<String> filenames = new ArrayList<>(); + + File currentFile = getCurrentLogFile(); + String currentFilename = currentFile.getName(); + File logDir = currentFile.getParentFile(); + + // add all log files except the current one + for (String filename : logDir.list()) { + if (filename.equals(currentFilename)) continue; + filenames.add(filename); + } + + // sort log files in ascending order + Collections.sort(filenames); + + // add the current log file last (i.e. newest) + filenames.add(currentFilename); + + List<File> files = new ArrayList<>(); + for (String filename : filenames) { + files.add(new File(logDir, filename)); + } + + return files; + } + + @Override + public Response findAuditFiles() { + + AuditFileCollection response = new AuditFileCollection(); + + List<File> files = getLogFiles(); + + CMS.debug("Audit files:"); + for (File file : files) { + String name = file.getName(); + CMS.debug(" - " + name); + + AuditFile auditFile = new AuditFile(); + auditFile.setName(name); + auditFile.setSize(file.length()); + + response.addEntry(auditFile); + } + + response.setTotal(files.size()); + + return createOKResponse(response); + } + + @Override + public Response getAuditFile(String filename) { + + // make sure filename does not contain path + if (!new File(filename).getName().equals(filename)) { + CMS.debug("Invalid file name: " + filename); + throw new BadRequestException("Invalid file name: " + filename); + } + + File logDir = getLogDirectory(); + File file = new File(logDir, filename); + + if (!file.exists()) { + throw new ResourceNotFoundException("File not found: " + filename); + } + + StreamingOutput so = new StreamingOutput() { + + @Override + public void write(OutputStream out) throws IOException, WebApplicationException { + + try (InputStream is = new FileInputStream(file)) { + IOUtils.copy(is, out); + } + } + }; + + return createOKResponse(so); + } + /* * in case of failure, "info" should be in the params */ diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties index 7146d3869..5c072c7c6 100644 --- a/base/tks/shared/conf/acl.properties +++ b/base/tks/shared/conf/acl.properties @@ -12,6 +12,9 @@ account.logout = certServer.tks.account,logout audit.read = certServer.log.configuration,read audit.modify = certServer.log.configuration,modify +# audit logs +audit-log.read = certServer.log.content.signedAudit,read + groups = certServer.tks.groups,execute selftests.read = certServer.tks.selftests,read selftests.execute = certServer.tks.selftests,execute diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties index 1c581b372..6b5148564 100644 --- a/base/tps/shared/conf/acl.properties +++ b/base/tps/shared/conf/acl.properties @@ -13,6 +13,9 @@ account.logout = certServer.tps.account,logout audit.read = certServer.log.configuration,read audit.modify = certServer.log.configuration,modify +# audit logs +audit-log.read = certServer.log.content.signedAudit,read + authenticators.read = certServer.tps.authenticators,read authenticators.add = certServer.tps.authenticators,add authenticators.modify = certServer.tps.authenticators,modify |