diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2017-04-17 18:35:56 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2017-04-18 17:17:11 +0200 |
| commit | 749c137b59a9725a4cacdcd191b7e931303981df (patch) | |
| tree | 74617d7a870f78962aa4249c7cbec16500d303c8 /base/server/cms/src | |
| parent | 08edc86f8397543f308818458a320fbbef06c90d (diff) | |
Fixed missing IP addresses and subject ID in audit log.
The PKIServerSocketListener has been modified to use WeakHashMap
to store socket info that might not be available after the socket
has been closed.
https://pagure.io/dogtagpki/issue/2642
Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
Diffstat (limited to 'base/server/cms/src')
| -rw-r--r-- | base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java | 104 |
1 files changed, 66 insertions, 38 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java index 093776f6f..d74231755 100644 --- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java +++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java @@ -19,6 +19,9 @@ package org.dogtagpki.server; import java.net.InetAddress; import java.security.Principal; +import java.util.HashMap; +import java.util.Map; +import java.util.WeakHashMap; import org.mozilla.jss.crypto.X509Certificate; import org.mozilla.jss.ssl.SSLAlertDescription; @@ -38,6 +41,15 @@ public class PKIServerSocketListener implements SSLSocketListener { private static Logger logger = LoggerFactory.getLogger(PKIServerSocketListener.class); + /** + * The socketInfos map is a storage for socket information that may not be available + * after the socket has been closed such as client IP address and subject ID. The + * WeakHashMap is used here to allow the map key (i.e. the socket object) to be + * garbage-collected since there is no guarantee that socket will be closed with an + * SSL alert for a proper map entry removal. + */ + Map<SSLSocket,Map<String,Object>> socketInfos = new WeakHashMap<>(); + @Override public void alertReceived(SSLAlertEvent event) { try { @@ -57,9 +69,10 @@ public class PKIServerSocketListener implements SSLSocketListener { String reason = SSLAlertDescription.valueOf(description).toString(); logger.debug("SSL alert received:"); - logger.debug(" - client: " + clientAddress); - logger.debug(" - server: " + serverAddress); logger.debug(" - reason: " + reason); + logger.debug(" - client: " + clientIP); + logger.debug(" - server: " + serverIP); + logger.debug(" - subject: " + subjectID); IAuditor auditor = CMS.getAuditor(); @@ -73,7 +86,7 @@ public class PKIServerSocketListener implements SSLSocketListener { auditor.log(auditMessage); } catch (Exception e) { - e.printStackTrace(); + logger.error(e.getMessage(), e); } } @@ -82,51 +95,59 @@ public class PKIServerSocketListener implements SSLSocketListener { try { SSLSocket socket = event.getSocket(); - InetAddress clientAddress = socket.getInetAddress(); - InetAddress serverAddress = socket.getLocalAddress(); - String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); - String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); - - SSLSecurityStatus status = socket.getStatus(); - X509Certificate peerCertificate = status.getPeerCertificate(); - Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); - String subjectID = subjectDN == null ? "" : subjectDN.toString(); - int description = event.getDescription(); String reason = SSLAlertDescription.valueOf(description).toString(); - logger.debug("SSL alert sent:"); - logger.debug(" - client: " + clientAddress); - logger.debug(" - server: " + serverAddress); - logger.debug(" - reason: " + reason); - - IAuditor auditor = CMS.getAuditor(); + String eventType; + String clientIP; + String serverIP; + String subjectID; if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { - String auditMessage = CMS.getLogMessage( - AuditEvent.ACCESS_SESSION_TERMINATED, - clientIP, - serverIP, - subjectID, - reason); + eventType = AuditEvent.ACCESS_SESSION_TERMINATED; - auditor.log(auditMessage); + // get socket info from socketInfos map since socket has been closed + Map<String,Object> info = socketInfos.get(socket); + clientIP = (String)info.get("clientIP"); + serverIP = (String)info.get("serverIP"); + subjectID = (String)info.get("subjectID"); } else { - String auditMessage = CMS.getLogMessage( - AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE, - clientIP, - serverIP, - subjectID, - reason); + eventType = AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE; - auditor.log(auditMessage); + // get socket info from the socket itself + InetAddress clientAddress = socket.getInetAddress(); + InetAddress serverAddress = socket.getLocalAddress(); + clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); + serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); + + SSLSecurityStatus status = socket.getStatus(); + X509Certificate peerCertificate = status.getPeerCertificate(); + Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); + subjectID = subjectDN == null ? "" : subjectDN.toString(); } + logger.debug("SSL alert sent:"); + logger.debug(" - reason: " + reason); + logger.debug(" - client: " + clientIP); + logger.debug(" - server: " + serverIP); + logger.debug(" - subject: " + subjectID); + + IAuditor auditor = CMS.getAuditor(); + + String auditMessage = CMS.getLogMessage( + eventType, + clientIP, + serverIP, + subjectID, + reason); + + auditor.log(auditMessage); + } catch (Exception e) { - e.printStackTrace(); + logger.error(e.getMessage(), e); } } @@ -146,9 +167,16 @@ public class PKIServerSocketListener implements SSLSocketListener { String subjectID = subjectDN == null ? "" : subjectDN.toString(); logger.debug("Handshake completed:"); - logger.debug(" - client: " + clientAddress); - logger.debug(" - server: " + serverAddress); - logger.debug(" - subject: " + subjectDN); + logger.debug(" - client: " + clientIP); + logger.debug(" - server: " + serverIP); + logger.debug(" - subject: " + subjectID); + + // store socket info in socketInfos map + Map<String,Object> info = new HashMap<>(); + info.put("clientIP", clientIP); + info.put("serverIP", serverIP); + info.put("subjectID", subjectID); + socketInfos.put(socket, info); IAuditor auditor = CMS.getAuditor(); @@ -161,7 +189,7 @@ public class PKIServerSocketListener implements SSLSocketListener { auditor.log(auditMessage); } catch (Exception e) { - e.printStackTrace(); + logger.error(e.getMessage(), e); } } } |