Diffstat (limited to 'base/server')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java15
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/AuditService.java117
-rw-r--r--base/server/cmsbundle/src/LogMessages.properties55
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java19
4 files changed, 184 insertions, 22 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
index d2e55b5a3..7ed9c0dc8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
@@ -259,6 +259,21 @@ public class PKIService {
auditor.log(auditMessage);
}
+ public void auditConfigTokenGeneral(String status, String service, Map<String, String> params, String info) {
+ CMS.debug("PKIService.auditConfigTokenGeneral begins");
+
+ String msg = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5",
+ servletRequest.getUserPrincipal().getName(),
+ status,
+ service,
+ auditor.getParamString(null, params),
+ info);
+ auditor.log(msg);
+
+ CMS.debug("PKIService.auditConfigTokenGeneral ends");
+ }
+
/**
* Get the values of the fields annotated with @FormParam.
*/
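Review bot: `servletRequest.getUserPrincipal().getName()` in the new auditConfigTokenGeneral throws NullPointerException when the request carries no principal, so an audit call made from a failure path would itself fail before anything is logged; resolve the principal first and fall back to a placeholder subject, e.g. `Principal p = servletRequest.getUserPrincipal(); String subject = p != null ? p.getName() : ILogger.UNIDENTIFIED;` (java.security.Principal and ILogger need imports if PKIService lacks them). The method is public on a base class shared by every REST service but has no Javadoc; something like `/** Emits a CONFIG_TOKEN_GENERAL signed-audit record for a token configuration change; params must not contain secrets. */` would state the contract the LogMessages comment already imposes. The same unguarded principal call appears in auditTPSConfigSignedAudit in AuditService.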
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index e32c36c33..273625e81 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -21,6 +21,7 @@ package org.dogtagpki.server.rest;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.util.Collection;
+import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;
@@ -42,6 +43,7 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.logging.AuditConfig;
import com.netscape.certsrv.logging.AuditResource;
+import com.netscape.certsrv.logging.ILogger;
import com.netscape.cms.servlet.base.PKIService;
/**
@@ -66,29 +68,62 @@ public class AuditService extends PKIService implements AuditResource {
}
public AuditConfig createAuditConfig() throws UnsupportedEncodingException, EBaseException {
+ return createAuditConfig(null);
+ }
+
+ public AuditConfig createAuditConfig(Map<String, String> auditParams)
+ throws UnsupportedEncodingException, EBaseException {
IConfigStore cs = CMS.getConfigStore();
AuditConfig auditConfig = new AuditConfig();
- auditConfig.setStatus(cs.getBoolean("log.instance.SignedAudit.enable", false) ? "Enabled" : "Disabled");
- auditConfig.setSigned(cs.getBoolean("log.instance.SignedAudit.logSigning", false));
- auditConfig.setInterval(cs.getInteger("log.instance.SignedAudit.flushInterval", 5));
- auditConfig.setBufferSize(cs.getInteger("log.instance.SignedAudit.bufferSize", 512));
+ String val = null;
+ Boolean boolval = false;
+ Integer integerval;
+
+ val = cs.getBoolean("log.instance.SignedAudit.enable", false) ? "Enabled" : "Disabled";
+ auditConfig.setStatus(val);
+ if (auditParams != null)
+ auditParams.put("enable", val);
+
+ boolval = cs.getBoolean("log.instance.SignedAudit.logSigning", false);
+ if (auditParams != null)
+ auditParams.put("logSigning", boolval ? "true" : "false");
+ auditConfig.setSigned(boolval);
+
+ integerval = cs.getInteger("log.instance.SignedAudit.flushInterval", 5);
+ auditConfig.setInterval(integerval);
+ if (auditParams != null)
+ auditParams.put("flushInterval", integerval.toString());
+
+ integerval = cs.getInteger("log.instance.SignedAudit.bufferSize", 512);
+ auditConfig.setBufferSize(integerval);
+ if (auditParams != null)
+ auditParams.put("bufferSize", integerval.toString());
Map<String, String> eventConfigs = new TreeMap<String, String>();
// unselected optional events
- for (String event : StringUtils.split(cs.getString("log.instance.SignedAudit.unselected.events", ""), ", ")) {
+ val = cs.getString("log.instance.SignedAudit.unselected.events", "");
+ if (auditParams != null)
+ auditParams.put("unselected.events", val);
+ for (String event : StringUtils.split(val, ", ")) {
eventConfigs.put(event.trim(), "disabled");
}
// selected optional events
- for (String event : StringUtils.split(cs.getString("log.instance.SignedAudit.events", ""), ", ")) {
+ val = cs.getString("log.instance.SignedAudit.events", "");
+ if (auditParams != null)
+ auditParams.put("events", val);
+ for (String event : StringUtils.split(val, ", ")) {
eventConfigs.put(event.trim(), "enabled");
}
// always selected mandatory events
- for (String event : StringUtils.split(cs.getString("log.instance.SignedAudit.mandatory.events", ""), ", ")) {
+ val = cs.getString("log.instance.SignedAudit.mandatory.events", "");
+ if (auditParams != null)
+ auditParams.put("mandatory.events", val);
+ for (String event : StringUtils.split(val, ", ")) {
eventConfigs.put(event.trim(), "mandatory");
}
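Review bot: The new overload records the boolean settings into `auditParams` inconsistently: `"enable"` is stored as the display string `"Enabled"`/`"Disabled"` while `"logSigning"` is stored as `"true"`/`"false"`, so one audit record mixes two vocabularies for the same kind of value. `Boolean boolval = false;` and `Integer integerval` are boxed for no reason; `boolean`/`int` locals with `String.valueOf(...)` read the same and avoid `.toString()` on a boxed value. The one-argument overload also needs Javadoc stating that the map is an out-parameter, e.g. `/** Builds the current audit config; when auditParams is non-null, every config value read is also recorded in it as name/value for signed-audit logging. */`. createAuditConfig continues past the end of this hunk.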
@@ -119,8 +154,14 @@ public class AuditService extends PKIService implements AuditResource {
@Override
public Response updateAuditConfig(AuditConfig auditConfig) {
+ Map<String, String> auditModParams = new HashMap<String, String>();
- if (auditConfig == null) throw new BadRequestException("Audit config is null.");
+ if (auditConfig == null) {
+ BadRequestException e = new BadRequestException("Audit config is null.");
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
+ }
CMS.debug("AuditService.updateAuditConfig()");
@@ -157,20 +198,29 @@ public class AuditService extends PKIService implements AuditResource {
// make sure no event is added
if (currentValue == null) {
- throw new PKIException("Unable to add event: " + name);
+ PKIException e = new PKIException("Unable to add event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
}
// make sure no optional event becomes mandatory
if ("mandatory".equals(value)) {
if (!"mandatory".equals(currentValue)) {
- throw new PKIException("Unable to add mandatory event: " + name);
+ PKIException e = new PKIException("Unable to add mandatory event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
}
continue;
}
// make sure no mandatory event becomes optional
if ("mandatory".equals(currentValue)) {
- throw new PKIException("Unable to remove mandatory event: " + name);
+ PKIException e = new PKIException("Unable to remove mandatory event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
}
if ("enabled".equals(value)) {
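Review bot: Each rejected event here is audited twice: the added `auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams)` before `throw e` runs inside the try block whose `catch (PKIException e)` (hunk ending at L195) puts the same `e.toString()` under `Info` and audits again, so one bad request yields two FAILURE records (assuming, as in changeAuditStatus, the try encloses these loops; its opening is outside the hunk). The same doubled pattern is in the hunks ending at L169, L180 and L213. Since the catch already records the failure, these throw sites can go back to plain `throw new PKIException("Unable to add event: " + name);`, which also removes the four-line copy-paste at each site; only the null check in the hunk at L130, which sits before the try, needs its own audit call.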
@@ -180,7 +230,10 @@ public class AuditService extends PKIService implements AuditResource {
unselected.add(name);
} else {
- throw new PKIException("Invalid event configuration: " + name + "=" + value);
+ PKIException e = new PKIException("Invalid event configuration: " + name + "=" + value);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
}
}
@@ -191,20 +244,28 @@ public class AuditService extends PKIService implements AuditResource {
for (String name : currentEventConfigs.keySet()) {
// make sure no event is removed
if (!eventConfigs.containsKey(name)) {
- throw new PKIException("Unable to remove event: " + name);
+ PKIException e = new PKIException("Unable to remove event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
}
}
cs.commit(true);
- auditConfig = createAuditConfig();
+ auditConfig = createAuditConfig(auditModParams);
+ auditTPSConfigSignedAudit(ILogger.SUCCESS, auditModParams);
return createOKResponse(auditConfig);
} catch (PKIException e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
throw e;
} catch (Exception e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
e.printStackTrace();
throw new PKIException(e.getMessage());
}
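Review bot: The `Info` value stored at L187 and L191 is `e.toString()`, and for the PKIExceptions built earlier in this method the message embeds the request-supplied event `name` and `value` verbatim, so characters such as `]`, `+`, `;;` or a line break in a submitted event name land inside the signed-audit record unescaped (Auditor.getParamString, as far as visible, only joins with delimiters). Since unknown names are only detected by `currentValue == null`, consider rejecting names that are not in `currentEventConfigs` with a fixed message, or escaping the delimiter characters before putting the text under `Info`, so the audit trail cannot be shaped by the caller.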
@@ -212,10 +273,12 @@ public class AuditService extends PKIService implements AuditResource {
@Override
public Response changeAuditStatus(String action) {
+ Map<String, String> auditModParams = new HashMap<String, String>();
CMS.debug("AuditService.changeAuditStatus()");
try {
+ auditModParams.put("Action", action);
IConfigStore cs = CMS.getConfigStore();
if ("enable".equals(action)) {
@@ -225,21 +288,45 @@ public class AuditService extends PKIService implements AuditResource {
cs.putBoolean("log.instance.SignedAudit.enable", false);
} else {
- throw new BadRequestException("Invalid action " + action);
+ BadRequestException e = new BadRequestException("Invalid action " + action);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
}
cs.commit(true);
AuditConfig auditConfig = createAuditConfig();
+ auditTPSConfigSignedAudit(ILogger.SUCCESS, auditModParams);
return createOKResponse(auditConfig);
} catch (PKIException e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ e.printStackTrace();
throw e;
} catch (Exception e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ e.printStackTrace();
e.printStackTrace();
throw new PKIException(e.getMessage());
}
}
+
+ /*
+ * in case of failure, "info" should be in the params
+ */
+ public void auditTPSConfigSignedAudit(String status, Map<String, String> params) {
+
+ String msg = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3",
+ servletRequest.getUserPrincipal().getName(),
+ status,
+ auditor.getParamString(null, params));
+ auditor.log(msg);
+
+ }
}
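Review bot: `e.printStackTrace()` appears twice in a row at L226–L227 in the generic catch; drop one. The new helper auditTPSConfigSignedAudit is named for TPS but lives in the generic AuditService and emits CONFIG_SIGNED_AUDIT, so `auditConfigSignedAudit` would match the event it writes; its `/* ... */` comment should be Javadoc naming the real key, e.g. `/** Emits a CONFIG_SIGNED_AUDIT record; on failure the caller stores the error text under the "Info" key of params. */`. It also calls `servletRequest.getUserPrincipal().getName()` with no null guard, as noted on the PKIService hunk. The SUCCESS record at L216 is built after `createAuditConfig()` without passing `auditModParams`, so unlike updateAuditConfig it logs only `Action` and not the resulting config values; `AuditConfig auditConfig = createAuditConfig(auditModParams);` would make the two methods consistent.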
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 5f9432e28..433797cbe 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2638,22 +2638,71 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9=<type=TOKEN_AUTH_SUCCESS>:[AuditEvent=
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name;;value pair) of config params changed
# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_3=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] TPS token configuration parameter(s) change
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
#
# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE
# - used when configuring token profile
+# Service can be any of the methods offered
# ParamNameValPairs must be a name;;value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name;;value pair) of config params changed
# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_3=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] token profile configuration parameter(s) change
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR
+# - used when configuring token authenticators
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR
+# - used when configuring token connectors
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD
+# - used when token state changed
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
#
# LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE
# - used when token state changed
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
#
-LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_5=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][CUID={2}][oldState={3}][newState={4}] token state changed
+LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed
#
# LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG
# - used when configuring lightweight authorities
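Review bot: The keys `LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_3`, `LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_3` and `LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_5` are removed rather than kept alongside the new `_5`/`_6`/`_8` variants; a caller outside base/server (this diffstat is limited to base/server) still using an old key would get a missing message at runtime rather than a compile error, so either keep the old keys until every caller has moved or confirm none remain. The comment `# - info in general is used for caturing error info for failed cases`, repeated in each new block, should read `capturing`. The CONFIG_TOKEN_AUTHENTICATOR block says `Service can be any of the methods offered` but its format uses `[OP={2}]`, while CONFIG_TOKEN_GENERAL gained a `[Service={2}]` field without that comment; the comments and formats should agree on which of the two names each event uses.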
diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
index f0bcb5bee..8c99e676c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
@@ -95,7 +95,8 @@ public class Auditor implements IAuditor {
public String getParamString(String scope, String type, String id, Map<String, String> params) {
// if no signed audit object exists, bail
- if (signedAuditLogger == null) return null;
+ if (signedAuditLogger == null)
+ return null;
StringBuilder parameters = new StringBuilder();
// always identify the scope of the request
@@ -124,16 +125,26 @@ public class Auditor implements IAuditor {
+ SIGNED_AUDIT_NAME_VALUE_DELIMITER
+ id);
}
+ return getParamString(parameters, params);
+ }
+
+ @Override
+ public String getParamString(StringBuilder parameters, Map<String, String> params) {
- if (params == null) return parameters.toString();
+ if (parameters == null) {
+ parameters = new StringBuilder();
+ }
+ if (params == null)
+ return parameters.toString();
// identify any remaining request parameters
- for (Map.Entry<String,String> entry : params.entrySet() ) {
+ for (Map.Entry<String, String> entry : params.entrySet()) {
String name = entry.getKey();
// skip "RULENAME" parameter
- if (name.equals(SIGNED_AUDIT_RULENAME)) continue;
+ if (name.equals(SIGNED_AUDIT_RULENAME))
+ continue;
parameters.append(SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER);