From 1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 16 May 2017 17:29:45 -0400
Subject: Encapsulate the archival audit log

This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped.

Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
---
 .../cms/profile/common/CAEnrollProfile.java | 40 ++++++----------------
 .../cms/servlet/base/SubsystemService.java | 10 ++++++
 2 files changed, 20 insertions(+), 30 deletions(-)

(limited to 'base/server/cms/src')

diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
index 02aa8c8c0..85db2cb75 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -29,9 +29,9 @@ import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.ICAService;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.connector.IConnector;
-import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.ERejectException;
 import com.netscape.certsrv.profile.IProfileUpdater;
@@ -80,15 +80,10 @@ public class CAEnrollProfile extends EnrollProfile {
 throw new EProfileException("Profile Not Enabled");
 }
- String auditMessage = null;
 String auditSubjectID = auditSubjectID();
 String auditRequesterID = auditRequesterID(request);
- String auditArchiveID = ILogger.UNIDENTIFIED;
- String id = request.getRequestId().toString();
- if (id != null) {
- auditArchiveID = id.trim();
- }
+ CMS.debug("CAEnrollProfile: execute request ID " + id);
@@ -117,29 +112,21 @@ public class CAEnrollProfile extends EnrollProfile {
 CMS.debug("CAEnrollProfile: KRA connector " + "not configured");
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
-
- audit(auditMessage);
-
+ auditRequesterID));
 } else {
 CMS.debug("CAEnrollProfile: execute send request");
 kraConnector.send(request);
 // check response
 if (!request.isSuccess()) {
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
 if (request.getError(getLocale(request)) != null && (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) {
 CMS.debug("CAEnrollProfile: execute set request status: REJECTED");
@@ -150,14 +137,10 @@ public class CAEnrollProfile extends EnrollProfile {
 request.getError(getLocale(request)));
 }
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- auditRequesterID,
- auditArchiveID);
-
- audit(auditMessage);
+ auditRequesterID));
 }
 } catch (Exception e) {
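Review bot: The new side still logs `CMS.debug("CAEnrollProfile: execute request ID " + id)` but this hunk removes the only declaration of `id` visible here (`String id = request.getRequestId().toString();`), so unless `id` is declared earlier in execute(), outside the hunk, the method will no longer compile. Dropping the archival ID from the audit event is fine, but the request ID is still wanted for the debug line, so either keep `String id = request.getRequestId().toString();` or log `request.getRequestId()` directly and drop the local. Note also that the removed `if (id != null)` guard was dead code, since `toString()` cannot return null, so nothing is lost by not re-adding it. The body of execute() continues past the end of this hunk.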
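Review bot: Swapping `AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST` for a `SecurityDataArchivalEvent` in the three call sites of this hunk changes the event identifier that reaches the signed audit log (the commit message says it is mapped onto SECURITY_DATA_ARCHIVAL_REQUEST), and nothing in the patch records that for operators. Any signed-audit event filter, log-review procedure or SIEM rule keyed on the old PRIVATE_KEY_ARCHIVE_REQUEST name will silently stop matching key-archival failures, which is exactly the class of event a CA operator is expected to review. A short note in the SecurityDataArchivalEvent Javadoc and in the release notes, along the lines of `// Replaces PRIVATE_KEY_ARCHIVE_REQUEST; update audit event filters that reference the old name`, would make the rename auditable. The two FAILURE paths here (KRA connector not configured versus KRA returning an error) still emit identical events with no reason field, as they did before, so distinguishing them remains a job for the debug log.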
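Review bot: The SUCCESS event in this hunk is the fourth copy of the same three-line `audit(new SecurityDataArchivalEvent(auditSubjectID, <outcome>, auditRequesterID))` construction in execute(), differing only in the outcome constant. A private helper such as `private void auditArchival(String subjectID, String outcome, String requesterID) { audit(new SecurityDataArchivalEvent(subjectID, outcome, requesterID)); }` called as `auditArchival(auditSubjectID, ILogger.SUCCESS, auditRequesterID);` would keep the four sites from drifting apart if a reason or request ID parameter is added later. This is a style point only; the emitted events are unchanged. The surrounding try block begins before this hunk.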
@@ -167,14 +150,11 @@ public class CAEnrollProfile extends EnrollProfile {
 CMS.debug("CAEnrollProfile: " + e);
 CMS.debug(e);
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
 throw new EProfileException(e);
 }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
index 30d6b9cdc..2bcde64e9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
@@ -81,6 +81,16 @@ public class SubsystemService extends PKIService {
 getClass().getSimpleName() + ": " + message);
 }
+ protected void audit(AuditEvent event) {
+
+ String template = event.getMessage();
+ Object[] params = event.getParameters();
+
+ String message = CMS.getLogMessage(template, params);
+
+ auditor.log(message);
+ }
+
 public void audit(String message, String scope, String type, String id, Map params, String status) {
 String auditMessage = CMS.getLogMessage(
-- 
cgit
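Review bot: The new `audit(AuditEvent event)` overload has no Javadoc, and its contract is not obvious from the body: `event.getMessage()` is fed to `CMS.getLogMessage(template, params)` as a template key to be expanded, not as a ready-to-log string, so an event whose getMessage() already returns formatted text would presumably be expanded a second time. A Javadoc such as `/** Expands the event's message template with its parameters via CMS.getLogMessage and writes the result to the signed audit log; event.getMessage() must return the template, not a formatted message. */` would prevent that misuse. The hunk also references `AuditEvent` without adding an import; unless SubsystemService already imports `com.netscape.certsrv.logging.AuditEvent` (the CAEnrollProfile hunk above removes that very import from a sibling file), this will not compile. A null `event` would throw a NullPointerException before anything is logged, which is acceptable for a programming error but worth stating in the Javadoc; the enclosing class continues outside this hunk.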