authorAde Lee <alee@redhat.com>2013-10-03 12:58:34 -0400
committerAde Lee <alee@redhat.com>2013-10-07 22:17:04 -0400
commit99def3060c7c59ea5727a5555adb7b4af3fc4887 (patch)
tree2c239f6e56451bb174f9cdbccfec7439eb9183a3 /base/kra/src
parentf2a85c09689cb09e6a0996125c112552599c717c (diff)
Add audit logging for new security data operations in kra
Ticket 97
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java72
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataService.java78
2 files changed, 139 insertions, 11 deletions
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
index afe4ed6ea..0ec4ed335 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -52,13 +52,16 @@ import org.mozilla.jss.util.Password;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
import com.netscape.certsrv.kra.EKRAException;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
import com.netscape.cmscore.dbs.KeyRecord;
@@ -78,7 +81,10 @@ public class SecurityDataRecoveryService implements IService {
private IKeyRepository mStorage = null;
private IStorageKeyUnit mStorageUnit = null;
private ITransportKeyUnit mTransportUnit = null;
+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+ private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
public static final String ATTR_SERIALNO = "serialNumber";
public static final String ATTR_KEY_RECORD = "keyRecord";
@@ -112,18 +118,22 @@ public class SecurityDataRecoveryService implements IService {
byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
byte iv_in[] = null;
+ String subjectID = auditSubjectID();
+
Hashtable<String, Object> params = mKRA.getVolatileRequest(
request.getRequestId());
+ BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
+ request.setExtData(ATTR_KEY_RECORD, serialno);
+ RequestId requestID = request.getRequestId();
+
if (params == null) {
CMS.debug("Can't get volatile params.");
+ auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ "cannot get volatile params");
throw new EBaseException("Can't obtain volatile params!");
}
- BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
-
- request.setExtData(ATTR_KEY_RECORD, serialno);
-
byte[] wrappedPassPhrase = null;
byte[] wrappedSessKey = null;
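Review bot: `serialno.toString()` in the new FAILURE audit call is unguarded, so if `getExtDataInBigInteger(ATTR_SERIALNO)` returns null for a request without that attribute (its contract is not visible here), the params-null path throws a NullPointerException instead of writing the audit record and the intended EBaseException. Computing the key ID once, e.g. `String keyID = (serialno != null) ? serialno.toString() : "None";`, and passing `keyID` would keep the failure auditable; the same `serialno.toString()` argument is repeated in the audit calls of the later hunks of this file. Moving `request.setExtData(ATTR_KEY_RECORD, serialno)` above the check also means the request is now modified even when it is rejected, which may or may not be intended. The enclosing method starts and ends outside this hunk.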
@@ -202,6 +212,8 @@ public class SecurityDataRecoveryService implements IService {
params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
} catch (Exception e) {
+ auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ "Cannot unwrap passphrase");
throw new EBaseException("Can't unwrap pass phase! " + e.toString());
} finally {
if ( pass != null) {
@@ -222,6 +234,8 @@ public class SecurityDataRecoveryService implements IService {
wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
key_data = wrapper.wrap(symKey);
} catch (Exception e) {
+ auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ "Cannot wrap symmetric key");
throw new EBaseException("Can't wrap symmetric key! " + e.toString());
}
@@ -233,10 +247,14 @@ public class SecurityDataRecoveryService implements IService {
encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
key_data = encryptor.doFinal(unwrappedSecData);
} else {
+ auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID,
+ serialno.toString(), "Failed to create cipher");
throw new IOException("Failed to create cipher");
}
} catch (Exception e) {
e.printStackTrace();
+ auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID,
+ serialno.toString(), "Cannot wrap pass phrase");
throw new EBaseException("Can't wrap pass phrase!");
}
}
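Review bot: The `else` branch writes a FAILURE audit record and then throws `IOException` inside the same `try`, so the `catch (Exception e)` just below catches it and writes a second FAILURE record with a different reason ("Cannot wrap pass phrase") for the same request. One signed audit event per outcome is easier to correlate; dropping the audit call in the `else` branch and letting the catch report it, for example with `e.getMessage()` as the reason, would avoid the duplicate. The catch also drops the cause from the new `EBaseException`, so the audit reason is the only durable record of what failed. The try block opens outside this hunk.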
@@ -246,7 +264,8 @@ public class SecurityDataRecoveryService implements IService {
params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
}
- return false;
+ auditRecoveryRequestProcessed(subjectID, ILogger.SUCCESS, requestID, serialno.toString(), "None");
+ return false; //return true ? TODO
}
public SymmetricKey recoverSymKey(KeyRecord keyRecord)
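Review bot: The SUCCESS audit event is written immediately before `return false; //return true ? TODO`, so the audit trail records a processed recovery while the return value is still an open question; the archival service in this same commit returns `true` after its SUCCESS event. If `false` tells the request queue that servicing is not complete (the IService contract is not visible here), the signed audit log and the request state can disagree. The return value should be settled and the TODO removed, or the comment should state why `false` is correct.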
@@ -385,4 +404,47 @@ public class SecurityDataRecoveryService implements IService {
return retData;
}
+ private void audit(String msg) {
+ if (signedAuditLogger == null)
+ return;
+
+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private String auditSubjectID() {
+ if (signedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String) auditContext.get(SessionContext.USER_ID);
+ subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+
+ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+ String keyID, String reason) {
+ String auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
+ subjectID,
+ status,
+ requestID.toString(),
+ keyID,
+ reason);
+ audit(auditMessage);
+ }
+
}
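Review bot: `audit` and `auditSubjectID` are added here and again, line for line, in SecurityDataService.java in this commit; two private copies of the signed-audit plumbing can drift apart, so a shared helper or base class would be safer. The new methods have no Javadoc, and `auditRecoveryRequestProcessed` would benefit from a comment listing the argument order (subject ID, outcome, request ID, key ID, reason) that is handed to the message template. Unlike the archival variant, which substitutes `"None"` for a null `keyID`, this method passes `keyID` through unchanged and calls `requestID.toString()` without a null check.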
diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java
index 8a5886fa5..9fc737529 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataService.java
@@ -18,20 +18,23 @@
package com.netscape.kra;
import java.math.BigInteger;
+
import org.mozilla.jss.crypto.SymmetricKey;
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.profile.IEnrollProfile;
-import com.netscape.certsrv.request.IService;
import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.dbs.keydb.IKeyRecord;
-import com.netscape.certsrv.dbs.keydb.IKeyRepository;
-import com.netscape.certsrv.apps.CMS;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmsutil.util.Utils;
@@ -50,6 +53,11 @@ public class SecurityDataService implements IService {
private IKeyRecoveryAuthority mKRA = null;
private ITransportKeyUnit mTransportUnit = null;
private IStorageKeyUnit mStorageUnit = null;
+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+
+ private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
+
public SecurityDataService(IKeyRecoveryAuthority kra) {
mKRA = kra;
@@ -82,9 +90,12 @@ public class SecurityDataService implements IService {
CMS.debug("SecurityDataService.serviceRequest wrappedSecurityData: " + wrappedSecurityData);
String owner = getOwnerName(request);
+ String subjectID = auditSubjectID();
//Check here even though restful layer checks for this.
if(wrappedSecurityData == null || clientId == null || dataType == null) {
+ auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ clientId, null, "Bad data in request");
throw new EBaseException("Bad data in SecurityDataService.serviceRequest");
}
//We need some info from the PKIArchiveOptions wrapped security data
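Review bot: This FAILURE audit call is reached when `clientId == null`, yet `clientId` is passed straight through, and `auditArchivalRequestProcessed` only substitutes `"None"` for a null `keyID`, not for `clientID`. The record would then carry whatever `CMS.getLogMessage` renders for null; using `clientID != null ? clientID : "None"` in the helper would make the two fields consistent. `clientId` also appears to come from the request, so it is worth confirming that the signed audit formatter escapes delimiters and line breaks in it. The method body continues outside the hunk.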
@@ -95,7 +106,9 @@ public class SecurityDataService implements IService {
//Check here just in case a null ArchiveOptions makes it this far
if(options == null) {
- throw new EBaseException("Problem decofing PKIArchiveOptions.");
+ auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ clientId, null, "Problem decoding PKIArchiveOptions");
+ throw new EBaseException("Problem decoding PKIArchiveOptions.");
}
String algStr = options.getSymmAlgOID();
@@ -129,6 +142,8 @@ public class SecurityDataService implements IService {
} else if (securityData != null) {
privateSecurityData = mStorageUnit.encryptInternalPrivate(securityData);
} else { // We have no data.
+ auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ clientId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
// create key record
@@ -141,6 +156,8 @@ public class SecurityDataService implements IService {
//Now we need a serial number for our new key.
if (rec.getSerialNumber() != null) {
+ auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ clientId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -150,6 +167,8 @@ public class SecurityDataService implements IService {
if (serialNo == null) {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ clientId, null, "Failed to get next Key ID");
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -162,6 +181,9 @@ public class SecurityDataService implements IService {
storage.addKeyRecord(rec);
+ auditArchivalRequestProcessed(subjectID, ILogger.SUCCESS, request.getRequestId(),
+ clientId, serialNo.toString(), "None");
+
return true;
}
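Review bot: Only the explicit checks earlier in the method write a FAILURE event; if `storage.addKeyRecord(rec)` (or one of the unwrap/encrypt calls before it) throws, the exception leaves the method with no audit record for the request. For a signed audit trail of archival operations a failed store is a case worth recording, so the call could be wrapped in a try/catch that calls `auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), clientId, serialNo.toString(), ...)` with a reason and then rethrows. Whether `addKeyRecord` declares a checked exception is not visible in this hunk.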
@@ -169,4 +191,48 @@ public class SecurityDataService implements IService {
private String getOwnerName(IRequest request) {
return DEFAULT_OWNER;
}
+
+ private void audit(String msg) {
+ if (signedAuditLogger == null)
+ return;
+
+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private String auditSubjectID() {
+ if (signedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String) auditContext.get(SessionContext.USER_ID);
+ subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+
+ private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientID,
+ String keyID, String reason) {
+ String auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
+ subjectID,
+ status,
+ requestID.toString(),
+ clientID,
+ keyID != null ? keyID : "None",
+ reason);
+ audit(auditMessage);
+ }
} \ No newline at end of file