author | Christina Fu <cfu@redhat.com> | 2016-03-24 16:23:05 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2016-03-28 15:46:43 -0700 |
commit | 41a99a5938c6881a978199fe10b0c392eb27d569 (patch) | |
tree | 9de46099b3cc73cd5f691848bba9aa2b523c10aa /base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java | |
parent | 93179af9333197cbdce843f16c02107b8d1db17e (diff) | |
Ticket #1006 Audit logging for TPS REST operations
This patch adds audit logging to TPS REST write-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
Diffstat (limited to 'base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java')
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java | 180 |
1 files changed, 148 insertions, 32 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
index 1936b2e2e..769f00f57 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
@@ -22,6 +22,7 @@ import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLEncoder;
 import java.security.Principal;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -43,6 +44,7 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.connector.ConnectorCollection;
 import com.netscape.certsrv.tps.connector.ConnectorData;
 import com.netscape.certsrv.tps.connector.ConnectorResource;
@@ -108,7 +110,7 @@ public class ConnectorService extends PKIService implements ConnectorResource {
 size = size == null ? DEFAULT_SIZE : size;
 try {
- TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
+ TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
 ConnectorDatabase database = subsystem.getConnectorDatabase();
 Iterator<ConnectorRecord> connections = database.findRecords(filter).iterator();
@@ -117,24 +119,26 @@ public class ConnectorService extends PKIService implements ConnectorResource {
 int i = 0;
 // skip to the start of the page
- for ( ; i<start && connections.hasNext(); i++) connections.next();
+ for (; i < start && connections.hasNext(); i++)
+ connections.next();
 // return entries up to the page size
- for ( ; i<start+size && connections.hasNext(); i++) {
+ for (; i < start + size && connections.hasNext(); i++) {
 response.addEntry(createConnectorData(connections.next()));
 }
 // count the total entries
- for ( ; connections.hasNext(); i++) connections.next();
+ for (; connections.hasNext(); i++)
+ connections.next();
 response.setTotal(i);
 if (start > 0) {
- URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build();
+ URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start - size, 0)).build();
 response.addLink(new Link("prev", uri));
 }
- if (start+size < i) {
- URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build();
+ if (start + size < i) {
+ URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start + size).build();
 response.addLink(new Link("next", uri));
 }
@@ -153,12 +157,13 @@ public class ConnectorService extends PKIService implements ConnectorResource {
 @Override
 public Response getConnector(String connectorID) {
- if (connectorID == null) throw new BadRequestException("Connector ID is null.");
+ if (connectorID == null)
+ throw new BadRequestException("Connector ID is null.");
 CMS.debug("ConnectorService.getConnector(\"" + connectorID + "\")");
 try {
- TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
+ TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
 ConnectorDatabase database = subsystem.getConnectorDatabase();
 return createOKResponse(createConnectorData(database.getRecord(connectorID)));
@@ -175,62 +180,95 @@ public class ConnectorService extends PKIService implements ConnectorResource { @Override public Response addConnector(ConnectorData connectorData) { + String method = "ConnectorService.addConnector"; - if (connectorData == null) throw new BadRequestException("Connector data is null."); + if (connectorData == null) { + auditConfigTokenGeneral(ILogger.FAILURE, method, null, + "Connector data is null."); + throw new BadRequestException("Connector data is null."); + } CMS.debug("ConnectorService.addConnector(\"" + connectorData.getID() + "\")"); try { - TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID); + TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); ConnectorDatabase database = subsystem.getConnectorDatabase(); String status = connectorData.getStatus(); Principal principal = servletRequest.getUserPrincipal(); + boolean statusChanged = false; if (StringUtils.isEmpty(status) || database.requiresApproval() && !database.canApprove(principal)) { // if status is unspecified or user doesn't have rights to approve, the entry is disabled - connectorData.setStatus(Constants.CFG_DISABLED); + status = Constants.CFG_DISABLED; + connectorData.setStatus(status); + statusChanged = true; } database.addRecord(connectorData.getID(), createConnectorRecord(connectorData)); connectorData = createConnectorData(database.getRecord(connectorData.getID())); + Map<String, String> properties = connectorData.getProperties(); + if (statusChanged) { + properties.put("Status", status); + } + auditTPSConnectorChange(ILogger.SUCCESS, method, connectorData.getID(), properties, null); return createCreatedResponse(connectorData, connectorData.getLink().getHref()); } catch (PKIException e) { CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorData.getID(), connectorData.getProperties(), e.toString()); throw e; } catch (Exception e) { - CMS.debug(e); + CMS.debug("ConnectorService: " + 
e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorData.getID(), connectorData.getProperties(), e.toString()); throw new PKIException(e); } } @Override public Response updateConnector(String connectorID, ConnectorData connectorData) { + String method = "ConnectorService.updateConnector"; - if (connectorID == null) throw new BadRequestException("Connector ID is null."); - if (connectorData == null) throw new BadRequestException("Connector data is null."); + if (connectorID == null) { + auditConfigTokenGeneral(ILogger.FAILURE, method, null, + "Connector id is null."); + throw new BadRequestException("Connector ID is null."); + } + if (connectorData == null) { + auditConfigTokenGeneral(ILogger.FAILURE, method, null, + "Connector data is null."); + throw new BadRequestException("Connector data is null."); + } CMS.debug("ConnectorService.updateConnector(\"" + connectorID + "\")"); try { - TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID); + TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); ConnectorDatabase database = subsystem.getConnectorDatabase(); ConnectorRecord record = database.getRecord(connectorID); // only disabled connector can be updated if (!Constants.CFG_DISABLED.equals(record.getStatus())) { - throw new ForbiddenException("Unable to update connector " + connectorID); + Exception e = new ForbiddenException("Unable to update connector " + connectorID); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorData.getID(), connectorData.getProperties(), e.toString()); + throw e; } // update status if specified String status = connectorData.getStatus(); + boolean statusChanged = false; if (status != null && !Constants.CFG_DISABLED.equals(status)) { if (!Constants.CFG_ENABLED.equals(status)) { - throw new ForbiddenException("Invalid connector status: " + status); + Exception e = new ForbiddenException("Invalid connector status: " + status); + auditTPSConnectorChange(ILogger.FAILURE, method, + 
connectorData.getID(), connectorData.getProperties(), e.toString()); + throw e; } // if user doesn't have rights, set to pending 
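Review bot: The failure audits added to updateConnector pass `connectorData.getID()`, a value from the request body, instead of the `connectorID` path parameter that `database.getRecord(connectorID)` actually looked up, so a rejected update can be recorded against a null or caller-chosen connector name. Both ForbiddenException sites here, and the two catch blocks of updateConnector in the next hunk (@@ -241,40 +279,60 @@), should use `auditTPSConnectorChange(ILogger.FAILURE, method, connectorID, connectorData.getProperties(), e.toString());`. In addConnector, `properties.put("Status", status)` has no null guard, unlike the `if (properties != null)` check updateConnector applies to the same getter; if the map can be null, the resulting exception is audited as FAILURE after `database.addRecord` has already stored the record. updateConnector's body continues past the end of this hunk.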
@@ -241,40 +279,60 @@ public class ConnectorService extends PKIService implements ConnectorResource { // enable connector record.setStatus(status); + statusChanged = true; } // update properties if specified Map<String, String> properties = connectorData.getProperties(); if (properties != null) { record.setProperties(properties); + if (statusChanged) { + properties.put("Status", status); + } } database.updateRecord(connectorID, record); connectorData = createConnectorData(database.getRecord(connectorID)); + auditTPSConnectorChange(ILogger.SUCCESS, method, connectorData.getID(), properties, null); return createOKResponse(connectorData); } catch (PKIException e) { CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorData.getID(), connectorData.getProperties(), e.toString()); throw e; } catch (Exception e) { - CMS.debug(e); + CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorData.getID(), connectorData.getProperties(), e.toString()); throw new PKIException(e); } } @Override public Response changeStatus(String connectorID, String action) { + String method = "ConnectorService.changeStatus"; + Map<String, String> auditModParams = new HashMap<String, String>(); - if (connectorID == null) throw new BadRequestException("Connector ID is null."); - if (action == null) throw new BadRequestException("Action is null."); + if (connectorID == null) { + auditConfigTokenGeneral(ILogger.FAILURE, method, null, + "Connector id is null."); + throw new BadRequestException("Connector ID is null."); + } + if (action == null) { + auditConfigTokenGeneral(ILogger.FAILURE, method, null, + "Action is null."); + throw new BadRequestException("Action is null."); + } + auditModParams.put("Action", action); CMS.debug("ConnectorService.changeStatus(\"" + connectorID + "\", \"" + action + "\")"); try { - TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID); + TPSSubsystem subsystem = 
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); ConnectorDatabase database = subsystem.getConnectorDatabase(); ConnectorRecord record = database.getRecord(connectorID); @@ -294,7 +352,12 @@ public class ConnectorService extends PKIService implements ConnectorResource { status = Constants.CFG_ENABLED; } else { - throw new BadRequestException("Invalid action: " + action); + Exception e = new BadRequestException("Invalid action: " + action); + auditConfigTokenGeneral(ILogger.FAILURE, method, + auditModParams, e.toString()); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); + throw e; } } else { @@ -302,7 +365,10 @@ public class ConnectorService extends PKIService implements ConnectorResource { status = Constants.CFG_ENABLED; } else { - throw new BadRequestException("Invalid action: " + action); + Exception e = new BadRequestException("Invalid action: " + action); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); + throw e; } } @@ -312,7 +378,10 @@ public class ConnectorService extends PKIService implements ConnectorResource { status = Constants.CFG_DISABLED; } else { - throw new BadRequestException("Invalid action: " + action); + Exception e = new BadRequestException("Invalid action: " + action); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); + throw e; } } else if (Constants.CFG_PENDING_APPROVAL.equals(status)) { 
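Review bot: A status-only update is audited with no parameters: `properties.put("Status", status)` sits inside `if (properties != null)`, so when the request enables a connector without sending properties the SUCCESS record is written with `params` null and the status change is missing from the audit trail. The put also mutates the caller's map after `record.setProperties(properties)` and before `database.updateRecord(connectorID, record)`; if setProperties keeps a reference rather than copying, which is not visible here, the audit-only "Status" key would be persisted as a connector property. Building a separate map avoids both: `Map<String, String> auditParams = new HashMap<String, String>();`, `if (properties != null) auditParams.putAll(properties);`, `if (statusChanged) auditParams.put("Status", status);`, and pass `auditParams` to the SUCCESS call. updateConnector starts in the previous hunk and changeStatus continues past this one.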
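Review bot: This first "Invalid action" branch (hunk @@ -294,7 +352,12 @@) writes two audit events for a single rejected request, `auditConfigTokenGeneral` and `auditTPSConnectorChange`, while the sibling branches in the hunks at @@ -302, @@ -312 and @@ -327 write only the connector event. All of these throws are inside the try whose `catch (PKIException e)` also calls `auditTPSConnectorChange(ILogger.FAILURE, ...)`; if BadRequestException and ForbiddenException derive from PKIException, which their package suggests but this page does not show, every such failure is logged once more by the catch. The same applies to the ForbiddenException sites in updateConnector and removeConnector. Keeping `throw new BadRequestException("Invalid action: " + action);` and letting the catch block write the one FAILURE record would give one event per failure. changeStatus starts in the previous hunk and ends in a later one.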
@@ -327,59 +396,106 @@ public class ConnectorService extends PKIService implements ConnectorResource { status = Constants.CFG_DISABLED; } else { - throw new BadRequestException("Invalid action: " + action); + Exception e = new BadRequestException("Invalid action: " + action); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); + throw e; } } else { - throw new PKIException("Invalid connector status: " + status); + Exception e = new BadRequestException("Invalid connector status: " + status); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); + throw e; } record.setStatus(status); database.updateRecord(connectorID, record); ConnectorData connectorData = createConnectorData(database.getRecord(connectorID)); + auditModParams.put("Status", status); + auditTPSConnectorChange(ILogger.SUCCESS, method, connectorData.getID(), auditModParams, null); return createOKResponse(connectorData); } catch (PKIException e) { CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); throw e; } catch (Exception e) { - CMS.debug(e); + CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); throw new PKIException(e); } } @Override public Response removeConnector(String connectorID) { + String method = "ConnectorService.removeConnector"; + Map<String, String> auditModParams = new HashMap<String, String>(); - if (connectorID == null) throw new BadRequestException("Connector ID is null."); + if (connectorID == null) { + auditConfigTokenGeneral(ILogger.FAILURE, method, null, + "Connector ID is null."); + throw new BadRequestException("Connector ID is null."); + } + auditModParams.put("connectorID", connectorID); CMS.debug("ConnectorService.removeConnector(\"" + connectorID + "\")"); try { - TPSSubsystem subsystem = 
(TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID); + TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); ConnectorDatabase database = subsystem.getConnectorDatabase(); ConnectorRecord record = database.getRecord(connectorID); String status = record.getStatus(); if (!Constants.CFG_DISABLED.equals(status)) { - throw new ForbiddenException("Unable to delete connector " + connectorID); + Exception e = new ForbiddenException("Unable to delete connector " + + connectorID + + "; connector not disabled"); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); + throw e; } database.removeRecord(connectorID); + auditTPSConnectorChange(ILogger.SUCCESS, method, connectorID, null, null); return createNoContentResponse(); } catch (PKIException e) { CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); throw e; } catch (Exception e) { - CMS.debug(e); + CMS.debug("ConnectorService: " + e); + auditTPSConnectorChange(ILogger.FAILURE, method, + connectorID, auditModParams, e.toString()); throw new PKIException(e); } } + + /* + * service can be any of the methods offered + */ + public void auditTPSConnectorChange(String status, String service, String connectorID, Map<String, String> params, + String info) { + + String msg = CMS.getLogMessage( + "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6", + servletRequest.getUserPrincipal().getName(), + status, + service, + connectorID, + auditor.getParamString(null, params), + info); + auditor.log(msg); + + } } |
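Review bot: The new helper auditTPSConnectorChange dereferences `servletRequest.getUserPrincipal().getName()` without a null check, and because it is called from every catch block, a request that reaches it without a principal would throw a NullPointerException that masks the original error and loses the audit record. Read the principal once, e.g. `Principal p = servletRequest.getUserPrincipal();`, and fall back to a fixed placeholder subject when it is null. The `info` argument carries `e.toString()`, which embeds caller-supplied `action` and `connectorID` text, so it is worth confirming that `CMS.getLogMessage` or `auditor.log` neutralises line breaks and field delimiters before the entry reaches the signed audit log. The helper is only used inside this class in the visible hunks and could be `private` rather than `public`. changeStatus starts in an earlier hunk.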