Encapsulate recovery request approval audit logs

The audit logs where an agent grants an asynchronous recovery request
and the case where recovery request is appproved from the REST API
are consolidated and encapsulated in a class.

Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701

5 files changed, 61 insertions, 62 deletions

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 45907d0b7..891398d10 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -164,8 +164,6 @@ public class AuditEvent implements IBundleLogEvent {
     public final static String CONFIG_SERIAL_NUMBER =
             "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
 
-    public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
     public final static String KEY_STATUS_CHANGE =
             "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
     public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java
new file mode 100644
index 000000000..d0e97f8bf
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.request.RequestId;
+
+public class SecurityDataRecoveryStateChangeEvent extends AuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    private static final String LOGGING_PROPERTY =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE";
+
+    public SecurityDataRecoveryStateChangeEvent(
+            String subjectID,
+            String outcome,
+            RequestId recoveryID,
+            String operation) {
+
+        super(LOGGING_PROPERTY);
+
+        setParameters(new Object[] {
+                subjectID,
+                outcome,
+                recoveryID,
+                operation
+        });
+    }
+}
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index a2d01f17c..12040e0ed 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
 import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent;
 import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestNotFoundException;
 import com.netscape.cms.realm.PKIPrincipal;
@@ -336,13 +337,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
     }
 
     public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) {
-        String msg = CMS.getLogMessage(
-                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
+        audit(new SecurityDataRecoveryStateChangeEvent(
                 getRequestor(),
                 status,
-                requestId.toString(),
-                operation);
-        auditor.log(msg);
+                requestId,
+                operation));
     }
 
     public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
index c41052554..2a5006787 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
@@ -34,8 +34,9 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.kra.IKeyService;
-import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent;
+import com.netscape.certsrv.request.RequestId;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.common.CMSTemplate;
@@ -194,32 +195,7 @@ public class GrantAsyncRecovery extends CMSServlet {
             String agentID,
             HttpServletRequest req, HttpServletResponse resp,
             Locale locale) {
-        String auditMessage = null;
         String auditSubjectID = auditSubjectID();
-        String auditRequestID = reqID;
-        String auditAgentID = agentID;
-
-        // "normalize" the "reqID"
-        if (auditRequestID != null) {
-            auditRequestID = auditRequestID.trim();
-
-            if (auditRequestID.equals("")) {
-                auditRequestID = ILogger.UNIDENTIFIED;
-            }
-        } else {
-            auditRequestID = ILogger.UNIDENTIFIED;
-        }
-
-        // "normalize" the "auditAgentID"
-        if (auditAgentID != null) {
-            auditAgentID = auditAgentID.trim();
-
-            if (auditAgentID.equals("")) {
-                auditAgentID = ILogger.UNIDENTIFIED;
-            }
-        } else {
-            auditAgentID = ILogger.UNIDENTIFIED;
-        }
 
         try {
             header.addStringValue(OUT_OP,
@@ -233,40 +209,21 @@ public class GrantAsyncRecovery extends CMSServlet {
             header.addStringValue("requestID", reqID);
             header.addStringValue("agentID", agentID);
 
-            // store a message in the signed audit log file
-            auditMessage = CMS.getLogMessage(
-                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
-                        auditSubjectID,
-                        ILogger.SUCCESS,
-                        auditRequestID,
-                        auditAgentID);
 
-            audit(auditMessage);
-
-        } catch (EBaseException e) {
-            header.addStringValue(OUT_ERROR, e.toString(locale));
-
-            // store a message in the signed audit log file
-            auditMessage = CMS.getLogMessage(
-                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+            audit(new SecurityDataRecoveryStateChangeEvent(
                         auditSubjectID,
-                        ILogger.FAILURE,
-                        auditRequestID,
-                        auditAgentID);
+                        ILogger.SUCCESS,
+                        new RequestId(reqID),
+                        "approve"));
 
-            audit(auditMessage);
         } catch (Exception e) {
             header.addStringValue(OUT_ERROR, e.toString());
 
-            // store a message in the signed audit log file
-            auditMessage = CMS.getLogMessage(
-                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
-                        auditSubjectID,
-                        ILogger.FAILURE,
-                        auditRequestID,
-                        auditAgentID);
-
-            audit(auditMessage);
+            audit(new SecurityDataRecoveryStateChangeEvent(
+                    auditSubjectID,
+                    ILogger.FAILURE,
+                    new RequestId(reqID),
+                    "approve"));
         }
     }
 }
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 3b998d99c..44eec2347 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2449,7 +2449,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY
 # RecoveryID must be the recovery request ID
 # Operation is the operation performed (approve, reject, cancel etc.)
 #
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change
 #
 # LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY
 # - used when user attempts to retrieve key after the recovery request