Diffstat (limited to 'base/server')
4 files changed, 184 insertions, 22 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
index d2e55b5a3..7ed9c0dc8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
@@ -259,6 +259,21 @@ public class PKIService {
 auditor.log(auditMessage);
 }
+ public void auditConfigTokenGeneral(String status, String service, Map<String, String> params, String info) {
+ CMS.debug("PKIService.auditConfigTokenGeneral begins");
+
+ String msg = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5",
+ servletRequest.getUserPrincipal().getName(),
+ status,
+ service,
+ auditor.getParamString(null, params),
+ info);
+ auditor.log(msg);
+
+ CMS.debug("PKIService.auditConfigTokenGeneral ends");
+ }
+
 /**
 * Get the values of the fields annotated with @FormParam.
 */
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index e32c36c33..273625e81 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -21,6 +21,7 @@ package org.dogtagpki.server.rest;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.TreeSet;
@@ -42,6 +43,7 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.logging.AuditConfig;
 import com.netscape.certsrv.logging.AuditResource;
+import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.PKIService;
 /**
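Review bot: `auditConfigTokenGeneral` dereferences `servletRequest.getUserPrincipal().getName()` directly, so a request that carries no authenticated principal turns the audit call into a NullPointerException instead of an audit record, and FAILURE-path audits are exactly where such a caller is most likely. Resolve the subject first, e.g. `Principal principal = servletRequest.getUserPrincipal();` / `String subjectID = principal == null ? ILogger.UNIDENTIFIED : principal.getName();` and pass `subjectID` as the second argument (as far as I recall ILogger already declares an UNIDENTIFIED placeholder for this; `java.security.Principal` would need importing). The method is public but undocumented; a Javadoc such as `/** Emits the CONFIG_TOKEN_GENERAL signed-audit event. params must not contain secret values; info carries the error detail for failed cases. */` would state the contract the LogMessages comments describe. The same unguarded principal lookup appears in `auditTPSConfigSignedAudit` at the end of the AuditService changes.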
@@ -66,29 +68,62 @@ public class AuditService extends PKIService implements AuditResource {
 }
 public AuditConfig createAuditConfig() throws UnsupportedEncodingException, EBaseException {
+ return createAuditConfig(null);
+ }
+
+ public AuditConfig createAuditConfig(Map<String, String> auditParams)
+ throws UnsupportedEncodingException, EBaseException {
 IConfigStore cs = CMS.getConfigStore();
 AuditConfig auditConfig = new AuditConfig();
- auditConfig.setStatus(cs.getBoolean("log.instance.SignedAudit.enable", false) ? "Enabled" : "Disabled");
- auditConfig.setSigned(cs.getBoolean("log.instance.SignedAudit.logSigning", false));
- auditConfig.setInterval(cs.getInteger("log.instance.SignedAudit.flushInterval", 5));
- auditConfig.setBufferSize(cs.getInteger("log.instance.SignedAudit.bufferSize", 512));
+ String val = null;
+ Boolean boolval = false;
+ Integer integerval;
+
+ val = cs.getBoolean("log.instance.SignedAudit.enable", false) ? "Enabled" : "Disabled";
+ auditConfig.setStatus(val);
+ if (auditParams != null)
+ auditParams.put("enable", val);
+
+ boolval = cs.getBoolean("log.instance.SignedAudit.logSigning", false);
+ if (auditParams != null)
+ auditParams.put("logSigning", boolval ? "true" : "false");
+ auditConfig.setSigned(boolval);
+
+ integerval = cs.getInteger("log.instance.SignedAudit.flushInterval", 5);
+ auditConfig.setInterval(integerval);
+ if (auditParams != null)
+ auditParams.put("flushInterval", integerval.toString());
+
+ integerval = cs.getInteger("log.instance.SignedAudit.bufferSize", 512);
+ auditConfig.setBufferSize(integerval);
+ if (auditParams != null)
+ auditParams.put("bufferSize", integerval.toString());
 Map<String, String> eventConfigs = new TreeMap<String, String>();
 // unselected optional events
- for (String event : StringUtils.split(cs.getString("log.instance.SignedAudit.unselected.events", ""), ", ")) {
+ val = cs.getString("log.instance.SignedAudit.unselected.events", "");
+ if (auditParams != null)
+ auditParams.put("unselected.events", val);
+ for (String event : StringUtils.split(val, ", ")) {
 eventConfigs.put(event.trim(), "disabled");
 }
 // selected optional events
- for (String event : StringUtils.split(cs.getString("log.instance.SignedAudit.events", ""), ", ")) {
+ val = cs.getString("log.instance.SignedAudit.events", "");
+ if (auditParams != null)
+ auditParams.put("events", val);
+ for (String event : StringUtils.split(val, ", ")) {
 eventConfigs.put(event.trim(), "enabled");
 }
 // always selected mandatory events
- for (String event : StringUtils.split(cs.getString("log.instance.SignedAudit.mandatory.events", ""), ", ")) {
+ val = cs.getString("log.instance.SignedAudit.mandatory.events", "");
+ if (auditParams != null)
+ auditParams.put("mandatory.events", val);
+ for (String event : StringUtils.split(val, ", ")) {
 eventConfigs.put(event.trim(), "mandatory");
 }
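Review bot: The new overload declares `Boolean boolval = false;` and `Integer integerval;` for values that are only ever primitives, so every assignment boxes and the ternary `boolval ? "true" : "false"` re-implements `String.valueOf`; `boolean boolval = false; int integerval;` with `auditParams.put("logSigning", String.valueOf(boolval));` and `auditParams.put("flushInterval", String.valueOf(integerval));` read more directly. The overload also writes into the caller-supplied map, which deserves a Javadoc line such as `@param auditParams if non-null, receives the effective config values as name/value pairs for the signed-audit record` — nothing on the page states that contract. The `if (auditParams != null)` guard is repeated eight times; a small private helper that takes the map, key and value would remove most of the duplication. `createAuditConfig(Map)` continues past the end of this hunk.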
@@ -119,8 +154,14 @@ public class AuditService extends PKIService implements AuditResource {
 @Override
 public Response updateAuditConfig(AuditConfig auditConfig) {
+ Map<String, String> auditModParams = new HashMap<String, String>();
- if (auditConfig == null) throw new BadRequestException("Audit config is null.");
+ if (auditConfig == null) {
+ BadRequestException e = new BadRequestException("Audit config is null.");
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
+ }
 CMS.debug("AuditService.updateAuditConfig()");
@@ -157,20 +198,29 @@ public class AuditService extends PKIService implements AuditResource {
 // make sure no event is added
 if (currentValue == null) {
- throw new PKIException("Unable to add event: " + name);
+ PKIException e = new PKIException("Unable to add event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
 }
 // make sure no optional event becomes mandatory
 if ("mandatory".equals(value)) {
 if (!"mandatory".equals(currentValue)) {
- throw new PKIException("Unable to add mandatory event: " + name);
+ PKIException e = new PKIException("Unable to add mandatory event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
 }
 continue;
 }
 // make sure no mandatory event becomes optional
 if ("mandatory".equals(currentValue)) {
- throw new PKIException("Unable to remove mandatory event: " + name);
+ PKIException e = new PKIException("Unable to remove mandatory event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
 }
 if ("enabled".equals(value)) {
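Review bot: Each throw site in the `@@ -157` hunk emits a FAILURE audit event and then throws a PKIException that the `} catch (PKIException e)` closing the same try block (visible in the `@@ -191` hunk) audits a second time, so one rejected update yields two CONFIG_SIGNED_AUDIT failure records carrying the same Info; the `@@ -180` and `@@ -191` throw sites have the same duplication. Audit once: either drop the per-site `auditModParams.put("Info", e.toString());` / `auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);` pairs and rely on the catch blocks, letting each site collapse back to `throw new PKIException("Unable to add event: " + name);`, or mark already-audited exceptions so the catch blocks skip them. The null check in the `@@ -119` hunk sits before the debug line and apparently outside the try, so its single audit is fine. `updateAuditConfig` begins in the `@@ -119` hunk and its try block spans the hunks that follow.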
@@ -180,7 +230,10 @@ public class AuditService extends PKIService implements AuditResource {
 unselected.add(name);
 } else {
- throw new PKIException("Invalid event configuration: " + name + "=" + value);
+ PKIException e = new PKIException("Invalid event configuration: " + name + "=" + value);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
 }
 }
@@ -191,20 +244,28 @@ public class AuditService extends PKIService implements AuditResource {
 for (String name : currentEventConfigs.keySet()) {
 // make sure no event is removed
 if (!eventConfigs.containsKey(name)) {
- throw new PKIException("Unable to remove event: " + name);
+ PKIException e = new PKIException("Unable to remove event: " + name);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
 }
 }
 cs.commit(true);
- auditConfig = createAuditConfig();
+ auditConfig = createAuditConfig(auditModParams);
+ auditTPSConfigSignedAudit(ILogger.SUCCESS, auditModParams);
 return createOKResponse(auditConfig);
 } catch (PKIException e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
 throw e;
 } catch (Exception e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
 e.printStackTrace();
 throw new PKIException(e.getMessage());
 }
@@ -212,10 +273,12 @@ public class AuditService extends PKIService implements AuditResource {
 @Override
 public Response changeAuditStatus(String action) {
+ Map<String, String> auditModParams = new HashMap<String, String>();
 CMS.debug("AuditService.changeAuditStatus()");
 try {
+ auditModParams.put("Action", action);
 IConfigStore cs = CMS.getConfigStore();
 if ("enable".equals(action)) {
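Review bot: In the `@@ -212` hunk the raw request value is stored with `auditModParams.put("Action", action);` and later rendered by `Auditor.getParamString`, which (per the Auditor hunk at the end of this diff and the LogMessages comments) joins pairs with `+` and name/value with `;;` without escaping, so a value containing those delimiters would be read back as additional name/value pairs in the signed audit record, and the same value enters the record a second time through `e.toString()` on the `"Invalid action"` path. Consider neutralising the value before it reaches the map, e.g. `auditModParams.put("Action", action == null ? "" : action.replace(";;", ";").replace("+", " "));`, or better, escape once inside `getParamString` so every caller is covered. In the `@@ -191` hunk the `catch (Exception e)` still rethrows `new PKIException(e.getMessage())` without the cause, so the audit Info is the only place the original exception type survives; passing `e` along would keep it for the server log too. `changeAuditStatus` continues past the end of this hunk.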
@@ -225,21 +288,45 @@ public class AuditService extends PKIService implements AuditResource {
 cs.putBoolean("log.instance.SignedAudit.enable", false);
 } else {
- throw new BadRequestException("Invalid action " + action);
+ BadRequestException e = new BadRequestException("Invalid action " + action);
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ throw e;
 }
 cs.commit(true);
 AuditConfig auditConfig = createAuditConfig();
+ auditTPSConfigSignedAudit(ILogger.SUCCESS, auditModParams);
 return createOKResponse(auditConfig);
 } catch (PKIException e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ e.printStackTrace();
 throw e;
 } catch (Exception e) {
+ auditModParams.put("Info", e.toString());
+ auditTPSConfigSignedAudit(ILogger.FAILURE, auditModParams);
+ e.printStackTrace();
 e.printStackTrace();
 throw new PKIException(e.getMessage());
 }
 }
+
+ /*
+ * in case of failure, "info" should be in the params
+ */
+ public void auditTPSConfigSignedAudit(String status, Map<String, String> params) {
+
+ String msg = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3",
+ servletRequest.getUserPrincipal().getName(),
+ status,
+ auditor.getParamString(null, params));
+ auditor.log(msg);
+
+ }
 }
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 5f9432e28..433797cbe 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
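Review bot: The generic `catch (Exception e)` now calls `e.printStackTrace();` twice — the added line sits directly above the pre-existing one — so every unexpected failure dumps its stack trace to stderr twice; drop the added call. The `else` branch audits the BadRequestException before throwing it and, if BadRequestException extends PKIException as it does elsewhere in this codebase, the `catch (PKIException e)` audits the same failure again, producing two FAILURE records for one invalid request; auditing only in the catch blocks avoids that. `auditTPSConfigSignedAudit` is public but carries only a block comment whose `"info"` does not match the `"Info"` key the callers put in the map; Javadoc with `@param status ILogger.SUCCESS or ILogger.FAILURE` and `@param params name/value pairs for the record; on failure must contain an "Info" entry` would document it correctly. It also dereferences `servletRequest.getUserPrincipal()` without a null check, so an unauthenticated failure path would raise a NullPointerException from inside the audit call instead of recording the failure.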
@@ -2638,22 +2638,71 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9=<type=TOKEN_AUTH_SUCCESS>:[AuditEvent=
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
 # --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
 #
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_3=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] TPS token configuration parameter(s) change
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
 #
 # LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE
 # - used when configuring token profile
+# Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
 # --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
 #
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_3=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] token profile configuration parameter(s) change
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR
+# - used when configuring token authenticators
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR
+# - used when configuring token connectors
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD
+# - used when token state changed
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE
 # - used when token state changed
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+# --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
 #
-LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_5=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][CUID={2}][oldState={3}][newState={4}] token state changed
+LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed
 #
 # LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG
 # - used when configuring lightweight authorities
diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
index f0bcb5bee..8c99e676c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
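Review bot: The added comment `# - info in general is used for caturing error info for failed cases`, repeated seven times in this hunk, misspells "capturing"; `# - Info is used for capturing error details for failed cases` would also match the `[Info={n}]` placeholder name the messages use. The CONFIG_TOKEN_AUTHENTICATOR block says `# Service can be any of the methods offered` but its message has `[OP={2}]` where the other new messages have `[Service={2}]`, and the CONFIG_TOKEN_RECORD comment `# - used when token state changed` duplicates the TOKEN_STATE_CHANGE description; both look like copy-paste slips worth fixing before the format is relied on by audit-log consumers. The diffstat is limited to `base/server`, so callers of the removed `_3` and `_5` keys elsewhere in the tree cannot be confirmed updated here; a caller still requesting the old key would log a malformed event, so that is worth checking in the same change.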
@@ -95,7 +95,8 @@ public class Auditor implements IAuditor {
 public String getParamString(String scope, String type, String id, Map<String, String> params) {
 // if no signed audit object exists, bail
- if (signedAuditLogger == null) return null;
+ if (signedAuditLogger == null)
+ return null;
 StringBuilder parameters = new StringBuilder();
 // always identify the scope of the request
@@ -124,16 +125,26 @@ public class Auditor implements IAuditor {
 + SIGNED_AUDIT_NAME_VALUE_DELIMITER + id);
 }
+ return getParamString(parameters, params);
+ }
+
+ @Override
+ public String getParamString(StringBuilder parameters, Map<String, String> params) {
- if (params == null) return parameters.toString();
+ if (parameters == null) {
+ parameters = new StringBuilder();
+ }
+ if (params == null)
+ return parameters.toString();
 // identify any remaining request parameters
- for (Map.Entry<String,String> entry : params.entrySet() ) {
+ for (Map.Entry<String, String> entry : params.entrySet()) {
 String name = entry.getKey();
 // skip "RULENAME" parameter
- if (name.equals(SIGNED_AUDIT_RULENAME)) continue;
+ if (name.equals(SIGNED_AUDIT_RULENAME))
+ continue;
 parameters.append(SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER); |