authorEndi S. Dewata <edewata@redhat.com>2017-04-20 10:20:06 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-04-24 20:43:35 +0200
commitaad80e8775eac61ed9eac2f3f94d2ec90207e827 (patch)
tree0833cbcb184b1a0bce4ecab3905a6bc02c064f94
parent30d1575046065dbd79f537e5f819c405e45af0bc (diff)
downloadpki-aad80e8775eac61ed9eac2f3f94d2ec90207e827.tar.gz
pki-aad80e8775eac61ed9eac2f3f94d2ec90207e827.tar.xz
pki-aad80e8775eac61ed9eac2f3f94d2ec90207e827.zip
Added RoleAssumeEvent.
A new RoleAssumeEvent class has been added to encapsulate the ROLE_ASSUME events. https://pagure.io/dogtagpki/issue/2641 Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
-rw-r--r--base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java39
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java35
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java56
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java15
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java48
5 files changed, 88 insertions, 105 deletions
diff --git a/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
new file mode 100644
index 000000000..271589397
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+
+public class RoleAssumeEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public RoleAssumeEvent(
+ String subjectID,
+ String outcome,
+ String groups) {
+
+ super(ROLE_ASSUME);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ groups
+ });
+ }
+}
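Review bot: RoleAssumeEvent has no Javadoc, and its constructor takes three positional String parameters, so a caller that swaps `subjectID` and `groups` compiles cleanly and produces a misleading audit record. Every call site in this commit passes `ILogger.SUCCESS` or `ILogger.FAILURE` as `outcome`, and that contract is worth stating on the class, e.g. `/** Signed-audit event recording an attempt by subjectID to assume a role; outcome is ILogger.SUCCESS or ILogger.FAILURE, groups is the group list (or single group) checked. */`. A short `@param` line per constructor argument, in the same order as the `setParameters` array, would let reviewers of the call sites verify the order without opening this file. Whether `AuditEvent` tolerates a null parameter is not visible here and could be noted as an assumption on the constructor.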
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index ecc6a7d7d..662a3e9da 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent;
import com.netscape.certsrv.logging.event.AuthSuccessEvent;
import com.netscape.certsrv.logging.event.AuthzFailEvent;
import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+import com.netscape.certsrv.logging.event.RoleAssumeEvent;
import com.netscape.certsrv.usrgrp.EUsrGrpException;
import com.netscape.certsrv.usrgrp.IUGSubsystem;
import com.netscape.certsrv.usrgrp.IUser;
@@ -573,7 +574,7 @@ public class AdminServlet extends HttpServlet {
* @return the authorization token
*/
protected AuthzToken authorize(HttpServletRequest req) {
- String auditMessage = null;
+
String auditSubjectID = auditSubjectID();
String auditACLResource = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
String auditOperation = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
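Review bot: Removing `String auditMessage = null;` leaves a bare `+` blank line directly under the `authorize(HttpServletRequest req)` signature, which reads as a leftover rather than deliberate spacing. The same blank stub is left in both `authorize` overloads of CMSServlet and CAProcessor and at the top of the `if (!ugSubsystem.isMemberOf(...))` block in SecurityDomainProcessor. Dropping that `+` line so `String auditSubjectID = auditSubjectID();` follows the signature keeps these methods consistent with their other locals. The body of authorize continues outside this hunk.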
@@ -618,14 +619,10 @@ public class AdminServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return null;
} catch (EBaseException e) {
@@ -637,14 +634,10 @@ public class AdminServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return null;
} catch (Exception e) {
@@ -655,14 +648,10 @@ public class AdminServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return null;
}
@@ -673,14 +662,10 @@ public class AdminServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return authzTok;
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index afb109a68..9dc74701a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -70,6 +70,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent;
import com.netscape.certsrv.logging.event.AuthSuccessEvent;
import com.netscape.certsrv.logging.event.AuthzFailEvent;
import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+import com.netscape.certsrv.logging.event.RoleAssumeEvent;
import com.netscape.certsrv.ra.IRegistrationAuthority;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
@@ -1815,7 +1816,7 @@ public abstract class CMSServlet extends HttpServlet {
public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken,
String exp) throws EBaseException {
AuthzToken authzToken = null;
- String auditMessage = null;
+
String auditSubjectID = auditSubjectID();
String auditGroupID = auditGroupID();
String auditACLResource = resource;
@@ -1831,14 +1832,11 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditGroupID);
+ auditGroupID));
- audit(auditMessage);
} else {
audit(new AuthzFailEvent(
@@ -1847,13 +1845,10 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroupID);
-
- audit(auditMessage);
+ auditGroupID));
}
return authzToken;
} catch (Exception e) {
@@ -1864,13 +1859,11 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroupID);
+ auditGroupID));
- audit(auditMessage);
throw new EBaseException(e.toString());
}
}
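Review bot: After auditing the ROLE_ASSUME failure, this catch block rethrows with `throw new EBaseException(e.toString());`, which drops the original exception as the cause (and its stack trace), so the audit record becomes the only evidence of what failed; the sibling block in CAProcessor (`throw e;`) keeps the original. The rethrow is unchanged context, but it is the path the new audit call now feeds. Prefer preserving `e` as the cause if EBaseException offers a cause-accepting constructor, or at least log `e` before rethrowing; the `catch (Exception e)` is also broader than CAProcessor's `catch (EBaseException e)`, which is worth aligning unless intentional. The enclosing authorize overload starts outside the hunk.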
@@ -1900,7 +1893,7 @@ public abstract class CMSServlet extends HttpServlet {
public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
String resource, String operation)
throws EBaseException {
- String auditMessage = null;
+
String auditSubjectID = auditSubjectID();
String auditGroupID = auditGroupID();
String auditID = auditSubjectID;
@@ -1958,14 +1951,11 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditID,
ILogger.SUCCESS,
- auditGroups(auditSubjectID));
+ auditGroups(auditSubjectID)));
- audit(auditMessage);
} else {
audit(new AuthzFailEvent(
@@ -1974,14 +1964,10 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
}
return authzTok;
@@ -1993,14 +1979,10 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return null;
} catch (Exception eAudit1) {
@@ -2011,14 +1993,10 @@ public abstract class CMSServlet extends HttpServlet {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return null;
}
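Review bot: This FAILURE event names `auditSubjectID` as the subject, whereas the other three RoleAssumeEvent calls in the same `authorize(authzMgrName, authToken, resource, operation)` overload pass `auditID`. `auditID` is initialised as `String auditID = auditSubjectID;` in the earlier hunk; if it is later reassigned from the auth token (not visible here), a single request could emit two failure records naming different subjects, which makes the audit trail harder to correlate during an investigation. Unless the difference is intentional, use `audit(new RoleAssumeEvent(auditID, ILogger.FAILURE, auditGroups(auditSubjectID)));` here as well. This block appears to sit inside the `catch (Exception eAudit1)` that closes the previous hunk, and the method ends outside this one.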
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index cd769db15..dc28a7c32 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.UnauthorizedException;
import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.RoleAssumeEvent;
import com.netscape.certsrv.system.DomainInfo;
import com.netscape.certsrv.system.InstallToken;
import com.netscape.certsrv.system.SecurityDomainHost;
@@ -89,22 +90,19 @@ public class SecurityDomainProcessor extends CAProcessor {
CMS.debug("SecurityDomainProcessor: group: " + group);
if (!ugSubsystem.isMemberOf(user, group)) {
- String message = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+
+ audit(new RoleAssumeEvent(
user,
ILogger.FAILURE,
- group);
- audit(message);
+ group));
throw new UnauthorizedException("User " + user + " is not a member of " + group + " group.");
}
- String message = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
user,
ILogger.SUCCESS,
- group);
- audit(message);
+ group));
String ip = "";
try {
@@ -123,6 +121,7 @@ public class SecurityDomainProcessor extends CAProcessor {
ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable();
int status = ctable.addEntry(sessionID, ip, user, group);
+ String message;
if (status == ISecurityDomainSessionTable.SUCCESS) {
message = CMS.getLogMessage(
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 1d04f3a85..74f501f59 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -57,6 +57,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent;
import com.netscape.certsrv.logging.event.AuthSuccessEvent;
import com.netscape.certsrv.logging.event.AuthzFailEvent;
import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+import com.netscape.certsrv.logging.event.RoleAssumeEvent;
import com.netscape.certsrv.profile.IProfile;
import com.netscape.certsrv.profile.IProfileAuthenticator;
import com.netscape.certsrv.profile.IProfileSubsystem;
@@ -700,7 +701,7 @@ public class CAProcessor extends Processor {
public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken,
String exp) throws EBaseException {
AuthzToken authzToken = null;
- String auditMessage = null;
+
String auditSubjectID = auditSubjectID();
String auditGroupID = auditGroupID();
String auditACLResource = resource;
@@ -716,14 +717,11 @@ public class CAProcessor extends Processor {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditGroupID);
+ auditGroupID));
- audit(auditMessage);
} else {
audit(new AuthzFailEvent(
@@ -732,13 +730,10 @@ public class CAProcessor extends Processor {
auditACLResource,
auditOperation));
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroupID);
-
- audit(auditMessage);
+ auditGroupID));
}
return authzToken;
} catch (EBaseException e) {
@@ -749,13 +744,11 @@ public class CAProcessor extends Processor {
auditACLResource,
auditOperation));
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditSubjectID,
ILogger.FAILURE,
- auditGroupID);
+ auditGroupID));
- audit(auditMessage);
throw e;
}
}
@@ -784,7 +777,7 @@ public class CAProcessor extends Processor {
*/
public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
String resource, String operation) {
- String auditMessage = null;
+
String auditSubjectID = auditSubjectID();
String auditGroupID = auditGroupID();
String auditID = auditSubjectID;
@@ -842,14 +835,11 @@ public class CAProcessor extends Processor {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditID,
ILogger.SUCCESS,
- auditGroups(auditSubjectID));
+ auditGroups(auditSubjectID)));
- audit(auditMessage);
} else {
audit(new AuthzFailEvent(
@@ -858,14 +848,10 @@ public class CAProcessor extends Processor {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
}
return authzTok;
@@ -877,14 +863,10 @@ public class CAProcessor extends Processor {
auditACLResource,
auditOperation));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.ROLE_ASSUME,
+ audit(new RoleAssumeEvent(
auditID,
ILogger.FAILURE,
- auditGroups(auditSubjectID));
-
- audit(auditMessage);
+ auditGroups(auditSubjectID)));
return null;
}