authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-06-07 04:38:49 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-06-07 04:38:49 +0000
commit4a7cd900f0f7cda8a44d11baf88fe15075e1d941 (patch)
tree582c72cc78e7a48f6ecc65b8102d0c7623edb8e6 /pki/base/common/src/com/netscape/cms/servlet/csadmin
parent4aa0cc3ed8294117293c59d1dce48304c8033f7c (diff)
Bugzilla BZ 707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2017 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/csadmin')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RegisterUser.java89
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java89
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java45
3 files changed, 210 insertions, 13 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
index 2bc5f94fc..e7a1286c0 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
@@ -65,6 +65,9 @@ public class RegisterUser extends CMSServlet {
private final static String FAILED = "1";
private final static String AUTH_FAILURE = "2";
private String mGroupName = null;
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+
public RegisterUser() {
super();
@@ -143,6 +146,14 @@ public class RegisterUser extends CMSServlet {
CMS.debug("RegisterUser got name=" + name);
CMS.debug("RegisterUser got certsString=" + certsString);
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditParams = "Scope;;users+Operation;;OP_ADD+source;;RegisterUser" +
+ "+Resource;;"+ uid +
+ "+fullname;;"+ name +
+ "+state;;1" +
+ "+userType;;<null>+email;;<null>+password;;<null>+phone;;<null>";
+
IUGSubsystem ugsys = (IUGSubsystem)CMS.getSubsystem(CMS.SUBSYSTEM_UG);
IUser user = null;
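Review bot: `uid` and `name` are concatenated into `auditParams` unescaped, although `;;` and `+` are the field delimiters of the record. If these values come from the request, as the `RegisterUser got name=` debug line suggests, a value containing the delimiters or a line break could add or alter fields in the signed audit entry, unless `CMS.getLogMessage` already encodes its arguments (not visible here). I would validate or encode both values before building the string. The same applies to `certsString` in the next hunk, to the `host`/`name`/`sport`/`clone`/`type`/`operation` string in UpdateDomainXML, and to `type` in UpdateNumberRange. The enclosing method starts and ends outside this hunk.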
@@ -187,29 +198,95 @@ public class RegisterUser extends CMSServlet {
user.setEmail("");
user.setPhone("");
user.setPassword("");
+
ugsys.addUser(user);
CMS.debug("RegisterUser created user " + uid);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ audit(auditMessage);
}
+ // extract all line separators
+ StringBuffer sb = new StringBuffer();
+ for (int i = 0; i < certsString.length(); i++) {
+ if (!Character.isWhitespace(certsString.charAt(i))) {
+ sb.append(certsString.charAt(i));
+ }
+ }
+ certsString = sb.toString();
+
+ auditParams = "Scope;;certs+Operation;;OP_ADD+source;;RegisterUser" +
+ "+Resource;;"+ uid +
+ "+cert;;"+certsString;
+
user.setX509Certificates(certs);
if (!foundByCert) {
ugsys.addUserCert(user);
CMS.debug("RegisterUser added user certificate");
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ audit(auditMessage);
} else
CMS.debug("RegisterUser no need to add user certificate");
- } catch (Exception eee) {
+ } catch (Exception eee) {
CMS.debug("RegisterUser error " + eee.toString());
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+
+ audit(auditMessage);
outputError(httpResp, "Error: Certificate malformed");
return;
}
// add user to the group
- Enumeration groups = ugsys.findGroups(mGroupName);
- IGroup group = (IGroup)groups.nextElement();
- group.addMemberName(user.getUserID());
- ugsys.modifyGroup(group);
- CMS.debug("RegisterUser modified group");
+ auditParams = "Scope;;groups+Operation;;OP_MODIFY+source;;RegisterUser" +
+ "+Resource;;"+ mGroupName;
+ try {
+ Enumeration groups = ugsys.findGroups(mGroupName);
+ IGroup group = (IGroup)groups.nextElement();
+
+ auditParams += "+user;;";
+ Enumeration members = group.getMemberNames();
+ while (members.hasMoreElements()) {
+ auditParams += (String) members.nextElement();
+ if (members.hasMoreElements()) {
+ auditParams +=",";
+ }
+ }
+
+ if (!group.isMember(user.getUserID())) {
+ auditParams += "," + user.getUserID();
+ group.addMemberName(user.getUserID());
+ ugsys.modifyGroup(group);
+ CMS.debug("RegisterUser modified group");
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+
+ audit(auditMessage);
+ }
+ } catch (Exception e) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+
+ audit(auditMessage);
+ }
// send success status back to the requestor
try {
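Review bot: The new `catch (Exception e)` around the group update audits the failure and then falls through to the `// send success status back to the requestor` block, so a failed `findGroups`/`modifyGroup` call, or an empty enumeration at `groups.nextElement()`, appears to be reported to the caller as success; before this change the exception propagated. The exception is also dropped without a debug line, unlike the certificate `catch` above it. I would end the catch with `CMS.debug("RegisterUser: group update failed: " + e.toString());`, `outputError(httpResp, "Error: Failed to add user to group");` and `return;`. The code after `try {` is outside the hunk, so confirm that nothing later reports the error.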
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index 6de314284..78763dfb2 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -54,6 +54,10 @@ public class UpdateDomainXML extends CMSServlet {
private final static String SUCCESS = "0";
private final static String FAILED = "1";
+ private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
public UpdateDomainXML() {
super();
@@ -194,6 +198,7 @@ public class UpdateDomainXML extends CMSServlet {
protected void process(CMSRequest cmsReq) throws EBaseException {
CMS.debug("UpdateDomainXML: processing...");
String status = SUCCESS;
+ String status2 = SUCCESS;
HttpServletRequest httpReq = cmsReq.getHttpReq();
HttpServletResponse httpResp = cmsReq.getHttpResp();
@@ -264,16 +269,31 @@ public class UpdateDomainXML extends CMSServlet {
if ((sport == null) || sport.equals("")) {
missing += " sport ";
}
+ if ((type == null) || type.equals("")) {
+ missing += " type ";
+ }
if ((clone == null) || clone.equals("")) {
clone = "false";
}
if (! missing.equals("")) {
- CMS.debug("UpdateDomainXML process: required parameters:" + missing + "not provided in request");
- outputError(httpResp, "Error: required parameters: " + missing + "not provided in request");
+ CMS.debug("UpdateDomainXML process: required parameters:" + missing +
+ "not provided in request");
+ outputError(httpResp, "Error: required parameters: " + missing +
+ "not provided in request");
return;
}
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditParams = "host;;"+host+"+name;;"+name+"+sport;;"+sport+
+ "+clone;;"+clone+"+type;;"+type;
+ if (operation != null) {
+ auditParams += "+operation;;"+operation;
+ } else {
+ auditParams += "+operation;;add";
+ }
+
String basedn = null;
String secstore = null;
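Review bot: The missing-parameter `return` sits above the declarations of `auditSubjectID` and `auditParams`, so a request rejected for a missing `sport` or the newly required `type` leaves no `LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE` record. If failed update attempts are meant to be audited, as the FAILURE branches elsewhere in this commit suggest, move the audit setup above the `if (! missing.equals(""))` check and emit a FAILURE record before the `return`. Making `type` mandatory is also a behaviour change for existing callers and deserves a line in the commit message. `process` starts and ends outside this hunk.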
@@ -340,21 +360,53 @@ public class UpdateDomainXML extends CMSServlet {
} else {
adminUserDN = "uid=" + type + "-" + host + "-" + sport + ",ou=People," + basedn;
}
+ String userAuditParams = "Scope;;users+Operation;;OP_DELETE+source;;UpdateDomainXML" +
+ "+resource;;"+adminUserDN;
if (status.equals(SUCCESS)) {
- // remove the client cert for this subsystem's admin
- status = remove_from_ldap(adminUserDN);
- if (status.equals(SUCCESS)) {
+ // remove the user for this subsystem's admin
+ status2 = remove_from_ldap(adminUserDN);
+ if (status2.equals(SUCCESS)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ userAuditParams);
+ audit(auditMessage);
+
// remove this user from the subsystem group
+ userAuditParams = "Scope;;groups+Operation;;OP_DELETE_USER" +
+ "+source;;UpdateDomainXML" +
+ "+resource;;Subsystem Group+user;;"+adminUserDN;
dn = "cn=Subsystem Group, ou=groups," + basedn;
LDAPModification mod = new LDAPModification(LDAPModification.DELETE,
new LDAPAttribute("uniqueMember", adminUserDN));
- status = modify_ldap(dn, mod);
+ status2 = modify_ldap(dn, mod);
+ if (status2.equals(SUCCESS)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ userAuditParams);
+ } else {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ userAuditParams);
+ }
+ audit(auditMessage);
+ } else { // error deleting user
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ userAuditParams);
+ audit(auditMessage);
}
}
} else {
status = add_to_ldap(entry, dn);
}
-
}
else {
// update the domain.xml file
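Review bot: The `CMS.getLogMessage(LOGGING_SIGNED_AUDIT_CONFIG_ROLE, auditSubjectID, ..., userAuditParams)` call is written out four times in this hunk, differing only in the outcome argument, which makes it easy for a later edit to miss a branch or leave one unaudited. A small private helper would reduce each branch to one line, for example `private void auditConfigRole(String subjectID, String outcome, String params) { audit(CMS.getLogMessage(LOGGING_SIGNED_AUDIT_CONFIG_ROLE, subjectID, outcome, params)); }`, assuming the `ILogger.SUCCESS`/`ILogger.FAILURE` constants are strings. The same pattern repeats in RegisterUser and UpdateNumberRange.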
@@ -439,8 +491,31 @@ public class UpdateDomainXML extends CMSServlet {
CMS.debug("Failed to update domain.xml file" + e.toString());
status = FAILED;
}
+
}
+ if (status.equals(SUCCESS)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ } else {
+ // what if already exists or already deleted
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ }
+ audit(auditMessage);
+
+ if (status.equals(SUCCESS) && status2.equals(SUCCESS)) {
+ status = SUCCESS;
+ } else {
+ status = FAILED;
+ }
+
try {
// send success status back to the requestor
CMS.debug("UpdateDomainXML: Sending response");
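Review bot: `status2` gives no hint that it holds the outcome of removing the subsystem admin user and its group membership, while `status` holds the outcome for the domain entry, so the merge here is hard to follow without scrolling back. A name such as `userCleanupStatus`, or a comment at the merge like `// audit above covers the domain entry only; the response also fails if admin-user cleanup failed`, would make the intent clear. The leftover question `// what if already exists or already deleted` should be answered in the comment or turned into a tracked TODO, since it determines whether a repeated request is audited as FAILURE.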
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
index 890d6dfb1..77650dbfd 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
@@ -58,6 +58,8 @@ public class UpdateNumberRange extends CMSServlet {
private final static String SUCCESS = "0";
private final static String FAILED = "1";
private final static String AUTH_FAILURE = "2";
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER =
+ "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
public UpdateNumberRange() {
super();
@@ -116,11 +118,17 @@ public class UpdateNumberRange extends CMSServlet {
return;
}
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditParams = "source;;updateNumberRange";
+
try {
String type = httpReq.getParameter("type");
IConfigStore cs = CMS.getConfigStore();
String cstype = cs.getString("cs.type", "");
+ auditParams += "+type;;" + type;
+
BigInteger beginNum = null;
BigInteger endNum = null;
BigInteger oneNum = new BigInteger("1");
@@ -201,6 +209,12 @@ public class UpdateNumberRange extends CMSServlet {
if (endNum2 == null) {
CMS.debug("UpdateNumberRange::process() - " +
"Unused requests less than cloneTransferNumber!" );
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
return;
} else {
CMS.debug("Transferring from the end of on-deck range");
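Review bot: The FAILURE record written before this `return` carries only `source` and `type`, and the `beginNum`/`endNum` null checks in the next hunk and the `catch` at the end of the method write the identical record, so someone reading the audit log cannot tell the four failure causes apart. Consider appending a short cause before each call, e.g. `auditParams += "+reason;;no unused range to transfer";`, if the audit message format accepts extra name/value pairs. The enclosing `try` block starts and ends outside this hunk.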
@@ -221,12 +235,24 @@ public class UpdateNumberRange extends CMSServlet {
if( beginNum == null ) {
CMS.debug( "UpdateNumberRange::process() - " +
"beginNum is null!" );
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
return;
}
if( endNum == null ) {
CMS.debug( "UpdateNumberRange::process() - " +
"endNum is null!" );
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
return;
}
@@ -249,8 +275,27 @@ public class UpdateNumberRange extends CMSServlet {
outputResult(httpResp, "application/xml", cb);
cs.commit(false);
+
+ auditParams += "+beginNumber;;" + beginNum.toString(radix) +
+ "+endNumber;;" + endNum.toString(radix);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ audit(auditMessage);
+
} catch (Exception e) {
CMS.debug("UpdateNumberRange: Failed to update number range. Exception: "+e.toString());
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
+
outputError(httpResp, "Error: Failed to update number range.");
}
}