diff options
author | Christina Fu <cfu@redhat.com> | 2015-05-07 12:14:19 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2015-05-13 09:05:38 -0700 |
commit | ccf2eb507471a9f19a1768befadeff404c96635e (patch) | |
tree | 98a40027631ce6c577558c563906f9a28ac49c25 /base/server/cms/src/com/netscape | |
parent | a21f3139a3fa2cecf7a0f782e2a40b83279a80fa (diff) | |
download | pki-ccf2eb507471a9f19a1768befadeff404c96635e.tar.gz pki-ccf2eb507471a9f19a1768befadeff404c96635e.tar.xz pki-ccf2eb507471a9f19a1768befadeff404c96635e.zip |
Ticket 1160 audit logging needed: REST API auth/authz; kra for getKeyInfo
- (1) REST API auth/authz - this patch addresses the first part of this
ticket where auditing is completely missing for authentication and
authorization at the REST interface.
Diffstat (limited to 'base/server/cms/src/com/netscape')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/realm/PKIRealm.java | 91 |
1 files changed, 89 insertions, 2 deletions
diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java index bd64de148..73fae47fd 100644 --- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java +++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java @@ -9,6 +9,7 @@ import java.util.List; import netscape.security.x509.X509CertImpl; import org.apache.catalina.realm.RealmBase; +import org.apache.commons.lang.StringUtils; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthManager; @@ -16,6 +17,8 @@ import com.netscape.certsrv.authentication.IAuthSubsystem; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authentication.ICertUserDBAuthentication; import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.usrgrp.EUsrGrpException; import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; @@ -31,6 +34,11 @@ import com.netscape.cms.servlet.common.AuthCredentials; */ public class PKIRealm extends RealmBase { + protected ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = + "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; @Override protected String getName() { @@ -40,6 +48,9 @@ public class PKIRealm extends RealmBase { @Override public Principal authenticate(String username, String password) { logDebug("Authenticating username "+username+" with password."); + String auditMessage = null; + String auditSubjectID = ILogger.UNIDENTIFIED; + String attemptedAuditUID = username; try { IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); @@ -50,10 +61,28 @@ public class PKIRealm extends RealmBase { creds.set(IPasswdUserDBAuthentication.CRED_PWD, password); IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails + authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); + auditSubjectID = authToken.getInString(IAuthToken.USER_ID); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); + + audit(auditMessage); return getPrincipal(username, authToken); } catch (Throwable e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + auditSubjectID, + ILogger.FAILURE, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID, + attemptedAuditUID); + audit(auditMessage); e.printStackTrace(); } @@ -64,6 +93,14 @@ public class PKIRealm extends RealmBase { public Principal authenticate(final X509Certificate certs[]) { logDebug("Authenticating certificate chain:"); + String auditMessage = null; + // get the cert from the ssl client auth + // in cert based auth, subject id from cert has already passed SSL authentication + // what remains is to see if the user exists in the internal user db + // therefore both auditSubjectID and attemptedAuditUID are the same + String auditSubjectID = getAuditUserfromCert(certs[0]); + String attemptedAuditUID = auditSubjectID; + try { X509CertImpl certImpls[] = new X509CertImpl[certs.length]; for (int i=0; i<certs.length; i++) { @@ -73,7 +110,6 @@ public class PKIRealm extends RealmBase { // Convert sun.security.x509.X509CertImpl to netscape.security.x509.X509CertImpl certImpls[i] = new X509CertImpl(cert.getEncoded()); } - IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); IAuthManager authMgr = authSub.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); @@ -81,19 +117,45 @@ public class PKIRealm extends RealmBase { creds.set(ICertUserDBAuthentication.CRED_CERT, certImpls); IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails + authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); String username = authToken.getInString(ICertUserDBAuthentication.TOKEN_USERID); - logDebug("User ID: "+username); + // reset it to the one authenticated with authManager + auditSubjectID = authToken.getInString(IAuthToken.USER_ID); + logDebug("User ID: "+username); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); + + audit(auditMessage); return getPrincipal(username, authToken); } catch (Throwable e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + auditSubjectID, + ILogger.FAILURE, + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID, + attemptedAuditUID); + audit(auditMessage); e.printStackTrace(); } return null; } + private String getAuditUserfromCert(X509Certificate clientCert) { + String certUID = clientCert.getSubjectDN().getName(); + CMS.debug("PKIRealm.getAuditUserfromCert: certUID=" + certUID); + + return StringUtils.stripToNull(certUID); + } + @Override protected Principal getPrincipal(String username) { return getPrincipal(username, (IAuthToken)null); @@ -152,9 +214,34 @@ public class PKIRealm extends RealmBase { */ public void logErr(String msg) { System.err.println(msg); + CMS.debug("PKIRealm.logErr: " + msg); } public void logDebug(String msg) { System.out.println("PKIRealm: "+msg); + CMS.debug("PKIRealm.logDebug: " + msg); + } + + /** + * Signed Audit Log + * + * This method is called to store messages to the signed audit log. + * <P> + * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (signedAuditLogger == null) { + return; + } + + signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); } } |