1 files changed, 89 insertions, 2 deletions

diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
index bd64de148..73fae47fd 100644
--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -9,6 +9,7 @@ import java.util.List;
 import netscape.security.x509.X509CertImpl;
 
 import org.apache.catalina.realm.RealmBase;
+import org.apache.commons.lang.StringUtils;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthManager;
@@ -16,6 +17,8 @@ import com.netscape.certsrv.authentication.IAuthSubsystem;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authentication.ICertUserDBAuthentication;
 import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.EUsrGrpException;
 import com.netscape.certsrv.usrgrp.IGroup;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
@@ -31,6 +34,11 @@ import com.netscape.cms.servlet.common.AuthCredentials;
  */
 
 public class PKIRealm extends RealmBase {
+    protected ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
+            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
+    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
 
     @Override
     protected String getName() {
@@ -40,6 +48,9 @@ public class PKIRealm extends RealmBase {
     @Override
     public Principal authenticate(String username, String password) {
         logDebug("Authenticating username "+username+" with password.");
+        String auditMessage = null;
+        String auditSubjectID = ILogger.UNIDENTIFIED;
+        String attemptedAuditUID = username;
 
         try {
             IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
@@ -50,10 +61,28 @@ public class PKIRealm extends RealmBase {
             creds.set(IPasswdUserDBAuthentication.CRED_PWD, password);
 
             IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
+            authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+            auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
 
+            // store a message in the signed audit log file
+            auditMessage = CMS.getLogMessage(
+                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                        auditSubjectID,
+                        ILogger.SUCCESS,
+                        IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+
+            audit(auditMessage);
             return getPrincipal(username, authToken);
 
         } catch (Throwable e) {
+            // store a message in the signed audit log file
+            auditMessage = CMS.getLogMessage(
+                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        auditSubjectID,
+                        ILogger.FAILURE,
+                        IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID,
+                        attemptedAuditUID);
+            audit(auditMessage);
             e.printStackTrace();
         }
 
@@ -64,6 +93,14 @@ public class PKIRealm extends RealmBase {
     public Principal authenticate(final X509Certificate certs[]) {
         logDebug("Authenticating certificate chain:");
 
+        String auditMessage = null;
+        // get the cert from the ssl client auth
+        // in cert based auth, subject id from cert has already passed SSL authentication
+        // what remains is to see if the user exists in the internal user db
+        // therefore both auditSubjectID and attemptedAuditUID are the same
+        String auditSubjectID = getAuditUserfromCert(certs[0]);
+        String attemptedAuditUID = auditSubjectID;
+
         try {
             X509CertImpl certImpls[] = new X509CertImpl[certs.length];
             for (int i=0; i<certs.length; i++) {
@@ -73,7 +110,6 @@ public class PKIRealm extends RealmBase {
                 // Convert sun.security.x509.X509CertImpl to netscape.security.x509.X509CertImpl
                 certImpls[i] = new X509CertImpl(cert.getEncoded());
             }
-
             IAuthSubsystem authSub = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
             IAuthManager authMgr = authSub.getAuthManager(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
 
@@ -81,19 +117,45 @@ public class PKIRealm extends RealmBase {
             creds.set(ICertUserDBAuthentication.CRED_CERT, certImpls);
 
             IAuthToken authToken = authMgr.authenticate(creds); // throws exception if authentication fails
+            authToken.set(SessionContext.AUTH_MANAGER_ID,IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
 
             String username = authToken.getInString(ICertUserDBAuthentication.TOKEN_USERID);
-            logDebug("User ID: "+username);
+            // reset it to the one authenticated with authManager
+            auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
 
+            logDebug("User ID: "+username);
+            // store a message in the signed audit log file
+            auditMessage = CMS.getLogMessage(
+                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                        auditSubjectID,
+                        ILogger.SUCCESS,
+                        IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
+
+            audit(auditMessage);
             return getPrincipal(username, authToken);
 
         } catch (Throwable e) {
+            // store a message in the signed audit log file
+            auditMessage = CMS.getLogMessage(
+                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        auditSubjectID,
+                        ILogger.FAILURE,
+                        IAuthSubsystem.CERTUSERDB_AUTHMGR_ID,
+                        attemptedAuditUID);
+            audit(auditMessage);
             e.printStackTrace();
         }
 
         return null;
     }
 
+    private String getAuditUserfromCert(X509Certificate clientCert) {
+        String certUID = clientCert.getSubjectDN().getName();
+        CMS.debug("PKIRealm.getAuditUserfromCert: certUID=" + certUID);
+
+        return StringUtils.stripToNull(certUID);
+    }
+
     @Override
     protected Principal getPrincipal(String username) {
         return getPrincipal(username, (IAuthToken)null);
@@ -152,9 +214,34 @@ public class PKIRealm extends RealmBase {
      */
     public void logErr(String msg) {
         System.err.println(msg);
+        CMS.debug("PKIRealm.logErr: " + msg);
     }
 
     public void logDebug(String msg) {
         System.out.println("PKIRealm: "+msg);
+        CMS.debug("PKIRealm.logDebug: " + msg);
+    }
+
+    /**
+     * Signed Audit Log
+     *
+     * This method is called to store messages to the signed audit log.
+     * <P>
+     *
+     * @param msg signed audit log message
+     */
+    protected void audit(String msg) {
+        // in this case, do NOT strip preceding/trailing whitespace
+        // from passed-in String parameters
+
+        if (signedAuditLogger == null) {
+            return;
+        }
+
+        signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+                null,
+                ILogger.S_SIGNED_AUDIT,
+                ILogger.LL_SECURITY,
+                msg);
     }
 }