diff options
author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-03-24 19:29:49 +0000 |
---|---|---|
committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-03-24 19:29:49 +0000 |
commit | 9198e50726847c12dd842c075e996115c9cd2e31 (patch) | |
tree | 40a08c9b22ecd232c27087c6f558260645f36633 /pki/base/tps | |
parent | aacc2fa90239c3b613ecb9804e356baaa3fd2ab1 (diff) | |
download | pki-9198e50726847c12dd842c075e996115c9cd2e31.tar.gz pki-9198e50726847c12dd842c075e996115c9cd2e31.tar.xz pki-9198e50726847c12dd842c075e996115c9cd2e31.zip |
Bugzilla 490452 support for signed audit in UI
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@318 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps')
-rw-r--r-- | pki/base/tps/doc/CS.cfg | 8 | ||||
-rw-r--r-- | pki/base/tps/src/engine/RA.cpp | 79 | ||||
-rw-r--r-- | pki/base/tps/src/include/engine/RA.h | 18 | ||||
-rw-r--r-- | pki/base/tps/src/include/main/ConfigStore.h | 4 | ||||
-rw-r--r-- | pki/base/tps/src/main/ConfigStore.cpp | 143 | ||||
-rw-r--r-- | pki/base/tps/src/modules/tokendb/mod_tokendb.cpp | 196 |
6 files changed, 422 insertions, 26 deletions
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg index 46b194ef..7bbba0e8 100644 --- a/pki/base/tps/doc/CS.cfg +++ b/pki/base/tps/doc/CS.cfg @@ -75,6 +75,9 @@ logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit logging.audit.level=10 logging.audit.logSigning=false logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID] +logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,CONFIG_SIGNED_AUDIT +logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,CONFIG_SIGNED_AUDIT +logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING logging.error.enable=true logging.error.filename=[SERVER_ROOT]/logs/tps-error.log logging.error.level=10 @@ -1388,4 +1391,9 @@ tokendb.searchUserResultTemplate=searchUserResults.template tokendb.searchUserTemplate=searchUser.template tokendb.editUserTemplate=editUser.template tokendb.indexOperatorTemplate=indexOperator.template +tokendb.auditAdminTemplate=auditAdmin.template target.tokenType.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey +log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE +log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST +log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST + diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp index 0563c1ad..073e6a51 100644 --- a/pki/base/tps/src/engine/RA.cpp +++ b/pki/base/tps/src/engine/RA.cpp @@ -72,12 +72,17 @@ PRLock *RA::m_auth_lock = NULL; PRLock *RA::m_debug_log_lock = NULL; PRLock *RA::m_error_log_lock = NULL; PRLock *RA::m_audit_log_lock = NULL; +bool RA::m_audit_enabled = false; bool RA::m_audit_signed = false; static int m_sa_count = 0; SECKEYPrivateKey *RA::m_audit_signing_key = NULL; NSSUTF8 *RA::m_last_audit_signature = NULL; SECOidTag RA::m_audit_signAlgTag; SecurityLevel RA::m_global_security_level; +char *RA::m_signedAuditSelectedEvents = NULL; +char *RA::m_signedAuditSelectableEvents = NULL; +char *RA::m_signedAuditNonSelectableEvents = NULL; + int RA::m_audit_log_level = (int) LL_PER_SERVER; int RA::m_debug_log_level = (int) LL_PER_SERVER; @@ -129,6 +134,9 @@ const char *RA::CFG_APPLET_NETKEY_OLD_INSTANCE_AID = "applet.aid.netkey_old_inst const char *RA::CFG_APPLET_NETKEY_OLD_FILE_AID = "applet.aid.netkey_old_file"; const char *RA::CFG_APPLET_SO_PIN = "applet.so_pin"; const char *RA::CFG_APPLET_DELETE_NETKEY_OLD = "applet.delete_old"; +const char *RA::CFG_AUDIT_SELECTED_EVENTS="logging.audit.selected.events"; +const char *RA::CFG_AUDIT_NONSELECTABLE_EVENTS="logging.audit.nonselectable.events"; +const char *RA::CFG_AUDIT_SELECTABLE_EVENTS="logging.audit.selectable.events"; const char *RA::CFG_AUTHS_ENABLE="auth.enable"; @@ -315,7 +323,13 @@ TPS_PUBLIC int RA::Initialize(char *cfg_path, RA_Context *ctx) m_audit_log_level = m_cfg->GetConfigAsInt(CFG_AUDIT_LEVEL, (int) LL_PER_SERVER); m_debug_log_level = m_cfg->GetConfigAsInt(CFG_DEBUG_LEVEL, (int) LL_PER_SERVER); - if (m_cfg->GetConfigAsBool(CFG_AUDIT_ENABLE, 0)) { + // get events for audit signing + m_signedAuditSelectedEvents = PL_strdup(m_cfg->GetConfigAsString(CFG_AUDIT_SELECTED_EVENTS, "")); + m_signedAuditSelectableEvents = PL_strdup(m_cfg->GetConfigAsString(CFG_AUDIT_SELECTABLE_EVENTS, "")); + m_signedAuditNonSelectableEvents= PL_strdup(m_cfg->GetConfigAsString(CFG_AUDIT_NONSELECTABLE_EVENTS, "")); + m_audit_enabled = m_cfg->GetConfigAsBool(CFG_AUDIT_ENABLE, false); + + if (m_audit_enabled) { // is audit logSigning on? m_audit_signed = m_cfg->GetConfigAsBool(CFG_AUDIT_SIGNED, false); RA::Debug("RA:: Initialize", "Audit signing is %s", @@ -503,12 +517,48 @@ int RA::testTokendb() { } /* - * returns ture if an audit event is selected, false if not - * -- to be implemented -- + * returns true if item is a value in the comma separated list + * used by audit logging functions and profile selection functions + */ +TPS_PUBLIC bool RA::match_comma_list(const char* item, char *list) +{ + char *pList = PL_strdup(list); + char *sresult = NULL; + + sresult = strtok(pList, ","); + while (sresult != NULL) { + if (PL_strcmp(sresult, item) == 0) { + if (pList != NULL) { + PR_Free(pList); + pList = NULL; + } + return true; + } + sresult = strtok(NULL, ","); + } + if (pList != NULL) { + PR_Free(pList); + pList = NULL; + } + return false; +} + +/* + * returns true if an audit event is valid, false if not + */ +bool RA::IsValidEvent(const char *auditEvent) +{ + return match_comma_list(auditEvent, m_signedAuditNonSelectableEvents) || + match_comma_list(auditEvent, m_signedAuditSelectableEvents); +} + +/* + * returns true if an audit event is selected, false if not */ bool RA::IsAuditEventSelected(const char* auditEvent) { - return true; + return match_comma_list(auditEvent, m_signedAuditNonSelectableEvents) || + match_comma_list(auditEvent, m_signedAuditSelectedEvents); } int RA::IsTokendbInitialized() @@ -2166,6 +2216,27 @@ int RA::InitializeTokendb(char *cfg_path) return status; } +TPS_PUBLIC void RA::update_signed_audit_selected_events(char *new_selected) +{ + char *tmp = NULL; + m_cfg->Add(CFG_AUDIT_SELECTED_EVENTS, new_selected); + + tmp = m_signedAuditSelectedEvents; + m_signedAuditSelectedEvents = PL_strdup(new_selected); + PL_strfree(tmp); +} + +TPS_PUBLIC void RA::update_signed_audit_enable(char *enable) +{ + m_cfg->Add(CFG_AUDIT_ENABLE, enable); +} + + +TPS_PUBLIC void RA::update_signed_audit_logging_enable(char *enable) +{ + m_cfg->Add(CFG_AUDIT_SIGNED, enable); +} + TPS_PUBLIC int RA::ra_find_tus_certificate_entries_by_order_no_vlv (char *filter, LDAPMessage **result, int order) { diff --git a/pki/base/tps/src/include/engine/RA.h b/pki/base/tps/src/include/engine/RA.h index 87b75de7..75c3121e 100644 --- a/pki/base/tps/src/include/engine/RA.h +++ b/pki/base/tps/src/include/engine/RA.h @@ -98,6 +98,7 @@ class RA ~RA(); public: static bool IsAuditEventSelected(const char *auditEvent); + static bool IsValidEvent(const char *auditEvent); static void getLastSignature(); static int IsTokendbInitialized(); static int IsTpsConfigured(); @@ -133,6 +134,7 @@ class RA static Buffer *ComputeHostCryptogram(Buffer &card_challenge, Buffer &host_challenge); public: TPS_PUBLIC static ConfigStore *GetConfigStore(); + TPS_PUBLIC static bool match_comma_list(const char* item, char *list); public: TPS_PUBLIC static void Audit(const char *func_name, const char *fmt, ...); TPS_PUBLIC static void Error(const char *func_name, const char *fmt, ...); @@ -211,6 +213,10 @@ class RA static void SetAuthCurrentIndex(int index); TPS_PUBLIC static PRLock *GetAuthLock(); TPS_PUBLIC static void IncrementAuthCurrentIndex(int len); + TPS_PUBLIC static void update_signed_audit_selected_events(char *new_selected); + TPS_PUBLIC static void update_signed_audit_enable(char *enable); + TPS_PUBLIC static void update_signed_audit_logging_enable(char *enable); + static void SetGlobalSecurityLevel(SecurityLevel sl); static SecurityLevel GetGlobalSecurityLevel(); public: /* default values */ @@ -237,6 +243,9 @@ class RA static const char *CFG_AUDIT_LEVEL; static const char *CFG_AUDIT_SIGNED; static const char *CFG_AUDIT_SIGNING_CERT_NICK; + static const char *CFG_AUDIT_SELECTED_EVENTS; + static const char *CFG_AUDIT_SELECTABLE_EVENTS; + static const char *CFG_AUDIT_NONSELECTABLE_EVENTS; static const char *CFG_ERROR_LEVEL; static const char *CFG_ERROR_ENABLE; static const char *CFG_ERROR_FILENAME; @@ -278,10 +287,14 @@ class RA static int m_audit_log_level; static int m_debug_log_level; static int m_error_log_level; - static bool m_audit_signed; + TPS_PUBLIC static bool m_audit_signed; + TPS_PUBLIC static bool m_audit_enabled; static SECKEYPrivateKey *m_audit_signing_key; static char *m_last_audit_signature; static SECOidTag m_audit_signAlgTag; + TPS_PUBLIC static char *m_signedAuditSelectedEvents; + TPS_PUBLIC static char *m_signedAuditSelectableEvents; + TPS_PUBLIC static char *m_signedAuditNonSelectableEvents; static HttpConnection* m_caConnection[]; static HttpConnection* m_tksConnection[]; static int m_caConns_len; @@ -299,7 +312,8 @@ class RA static int InitializePublishers(); static int InitializeHttpConnections(const char *id, int *len, HttpConnection **conn, RA_Context *ctx); static void CleanupPublishers(); - static int Failover(HttpConnection *&conn, int len); + static int Failover(HttpConnection *&conn, int len); + }; #endif /* RA_H */ diff --git a/pki/base/tps/src/include/main/ConfigStore.h b/pki/base/tps/src/include/main/ConfigStore.h index 2d365cfb..532a0997 100644 --- a/pki/base/tps/src/include/main/ConfigStore.h +++ b/pki/base/tps/src/include/main/ConfigStore.h @@ -65,6 +65,7 @@ class ConfigStore static ConfigStore *CreateFromConfigFile(const char *cfg_path); int IsNameDefined(const char *name); + void SetFilePath(const char* cfg_file_path); void Add(const char *name, const char *value); const char * GetConfig(const char *name); int Size(); @@ -82,6 +83,7 @@ class ConfigStore bool GetConfigAsBool(const char *key); TPS_PUBLIC bool GetConfigAsBool(const char *key, bool def); TOKENDB_PUBLIC const char *GetConfigAsString(const char *key, const char *def); + TPS_PUBLIC int Commit(const bool backup); TPS_PUBLIC const char *GetConfigAsString(const char *key); /** * operator[] is used to look up config strings in the ConfigStore. @@ -96,6 +98,8 @@ class ConfigStore private: char *m_substore_name; ConfigStoreRoot *m_root; + char *m_cfg_file_path; + PRLock *m_lock; }; class ConfigStoreRoot diff --git a/pki/base/tps/src/main/ConfigStore.cpp b/pki/base/tps/src/main/ConfigStore.cpp index ce06091d..d22d176b 100644 --- a/pki/base/tps/src/main/ConfigStore.cpp +++ b/pki/base/tps/src/main/ConfigStore.cpp @@ -28,6 +28,7 @@ #include "main/ConfigStore.h" #include "main/Memory.h" #include "main/Util.h" +#include "engine/RA.h" #ifdef XP_WIN32 #define TPS_PUBLIC __declspec(dllexport) @@ -147,6 +148,7 @@ ConfigStore::ConfigStore(ConfigStoreRoot* root, const char *subStoreName) m_substore_name = PL_strdup(subStoreName); m_root = root; root->addref(); + m_lock = PR_NewLock(); } ConfigStore::~ConfigStore () @@ -154,8 +156,14 @@ ConfigStore::~ConfigStore () if (m_substore_name != NULL) { PR_Free(m_substore_name); } + if (m_cfg_file_path != NULL) { + PR_Free(m_cfg_file_path); + } m_root->release(); delete m_root; + + if (m_lock != NULL ) + PR_DestroyLock(m_lock); } @@ -221,8 +229,8 @@ ConfigStore *ConfigStore::CreateFromConfigFile(const char *cfg_path) PRFileDesc *f = NULL; int removed_return; char line[MAX_CFG_LINE_LEN]; - ConfigStoreRoot *root = NULL; - ConfigStore *cfg = NULL; + ConfigStoreRoot *root = NULL; + ConfigStore *cfg = NULL; f = PR_Open(cfg_path, PR_RDWR, 00400|00200); if (f == NULL) @@ -256,6 +264,7 @@ ConfigStore *ConfigStore::CreateFromConfigFile(const char *cfg_path) PR_Close( f ); f = NULL; } + cfg->SetFilePath(cfg_path); loser: return cfg; @@ -312,6 +321,12 @@ typedef struct { char *key; } Criteria; +typedef struct { + PRCList list; + char *key; +} OrderedEntry_t; + + #ifdef __cplusplus extern "C" { @@ -335,6 +350,41 @@ static PRIntn Loop(PLHashEntry *he, PRIntn index, void *arg) } } +/** + * Called from PL_HashTableEnumerateEntries + * A pointer to a PRCList (circular linked list) is passed in. + * Once enumeration is complete, the PRCList will contain a lexically + * ordered list of a copy of the keys in the hash. + * The caller needs to free the copies + */ +static PRIntn OrderLoop(PLHashEntry *he, PRIntn index, void *arg) +{ + PRCList *qp = (PRCList *)arg; + OrderedEntry_t *entry; + + if (he != NULL) { + entry = (OrderedEntry_t *) PR_Malloc(sizeof(OrderedEntry_t)); + entry->key = PL_strdup((char *) he->key); + if (index ==0) { + PR_APPEND_LINK((PRCList *)entry, qp); + return HT_ENUMERATE_NEXT; + } + PRCList *head = PR_LIST_HEAD(qp); + PRCList *next; + while (head != qp) { + OrderedEntry_t *current = (OrderedEntry_t *) head; + if (strcmp((char *) he->key, (char *) current->key) <=0) + break; + next = PR_NEXT_LINK(head); + head = next; + } + PR_INSERT_BEFORE((PRCList*) entry, head); + return HT_ENUMERATE_NEXT; + } else { + return HT_ENUMERATE_STOP; + } +} + #ifdef __cplusplus } #endif @@ -344,7 +394,11 @@ int ConfigStore::Size() Criteria criteria; criteria.index = 0; criteria.key = NULL; + + PR_Lock(m_lock); PL_HashTableEnumerateEntries(m_root->getSet(), &CountLoop, &criteria); + PR_Unlock(m_lock); + return criteria.index; } @@ -353,7 +407,11 @@ const char *ConfigStore::GetNameAt(int pos) Criteria criteria; criteria.index = pos; criteria.key = NULL; + + PR_Lock(m_lock); PL_HashTableEnumerateEntries(m_root->getSet(), &Loop, &criteria); + PR_Unlock(m_lock); + return criteria.key; } @@ -363,25 +421,35 @@ const char *ConfigStore::GetNameAt(int pos) int ConfigStore::IsNameDefined(const char *name) { if (m_root->getSet()!= NULL) { - if (GetConfig(name) != NULL) + if (GetConfig(name) != NULL) return 1; } return 0; } +void ConfigStore::SetFilePath(const char* cfg_file_path) +{ + m_cfg_file_path = PL_strdup(cfg_file_path); +} + void ConfigStore::Add(const char *name, const char *value) { if (IsNameDefined(name)) { + PR_Lock(m_lock); PL_HashTableRemove(m_root->getSet(), name); PL_HashTableAdd(m_root->getSet(), PL_strdup(name), PL_strdup(value)); + PR_Unlock(m_lock); } else { + PR_Lock(m_lock); PL_HashTableAdd(m_root->getSet(), PL_strdup(name), PL_strdup(value)); + PR_Unlock(m_lock); } } const char *ConfigStore::GetConfig(const char *name) { char buf[256]; + char *ret; if (m_root->getSet() ==NULL) { return NULL; } @@ -390,7 +458,12 @@ const char *ConfigStore::GetConfig(const char *name) } else { PR_snprintf(buf,256,"%s.%s",m_substore_name,name); } - return (char *)PL_HashTableLookupConst(m_root->getSet(), buf); + + PR_Lock(m_lock); + ret = (char *)PL_HashTableLookupConst(m_root->getSet(), buf); + PR_Unlock(m_lock); + + return ret; } /** @@ -399,7 +472,6 @@ const char *ConfigStore::GetConfig(const char *name) int ConfigStore::GetConfigAsInt(const char *name) { char *value = NULL; - value = (char *)GetConfig(name); if (value == NULL) return 0; @@ -552,3 +624,64 @@ Buffer *ConfigStore::GetConfigAsBuffer(const char *key, const char *def) } } +/** + * Commits changes to the config file + */ +TPS_PUBLIC int ConfigStore::Commit(const bool backup) +{ + char name_tmp[256], cdate[256], name_bak[256]; + PRFileDesc *ftmp = NULL; + PRExplodedTime time; + PRTime now; + + if (m_cfg_file_path == NULL) + return 1; + + now = PR_Now(); + PR_ExplodeTime(now, PR_LocalTimeParameters, &time); + PR_snprintf(cdate, 16, "%04d%02d%02d%02d%02d%02dZ", + time.tm_year, (time.tm_month + 1), time.tm_mday, + time.tm_hour, time.tm_min, time.tm_sec); + PR_snprintf(name_tmp, 256, "%s.%s.tmp", m_cfg_file_path,cdate); + PR_snprintf(name_bak, 256, "%s.%s", m_cfg_file_path, cdate); + + ftmp = PR_Open(name_tmp, PR_WRONLY| PR_CREATE_FILE, 00400|00200); + if (ftmp == NULL) { + // unable to create temporary config file + return 1; + } + + PRCList order_list; + PR_INIT_CLIST(&order_list); + + PR_Lock(m_lock); + PL_HashTableEnumerateEntries(m_root->getSet(), &OrderLoop, &order_list); + PR_Unlock(m_lock); + + PRCList *current = PR_LIST_HEAD(&order_list); + PRCList *next; + + while (current != &order_list) { + OrderedEntry_t *entry = (OrderedEntry_t *) current; + PR_Write(ftmp, entry->key, PL_strlen(entry->key)); + PR_Write(ftmp, "=", 1); + const char *value = GetConfigAsString(entry->key, ""); + PR_Write(ftmp, value, PL_strlen(value)); + PR_Write(ftmp, "\n", 1); + + // free the memory for the Ordered Entry + if (entry->key != NULL) PL_strfree(entry->key); + + next = PR_NEXT_LINK(current); + PR_REMOVE_AND_INIT_LINK(current); + current = next; + } + + PR_Close(ftmp); + + PR_Rename(m_cfg_file_path, name_bak); + PR_Rename(name_tmp, m_cfg_file_path); + + return 0; +} + diff --git a/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp b/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp index 0cfe07b0..8ac1fa8d 100644 --- a/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp +++ b/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp @@ -127,6 +127,28 @@ extern TOKENDB_PUBLIC char *nss_var_lookup( apr_pool_t *p, server_rec *s, APLOG_ERR, 0, rq->server, \ (const char *) msg, ldap_err2string( status ) ); +#define get_cfg_string(cname, vname) \ + if( ( s = PL_strstr( buf, cname ) ) != NULL ) { \ + s += PL_strlen( cname ); \ + v = s; \ + while( *s != '\x0D' && *s != '\x0A' && *s != '\0' && \ + ( PRUint32 ) ( s - buf ) < size ) { \ + s++; \ + } \ + n = s - v; \ + s = PL_strndup( v, n ); \ + if( s != NULL ) { \ + if( vname != NULL ) { \ + PL_strfree( vname ); \ + vname = NULL; \ + } \ + vname = s; \ + } else { \ + do_free(buf); \ + return 0; \ + } \ + } + /** * Provide reasonable defaults for some defines. */ @@ -176,6 +198,8 @@ static char *searchUserResultTemplate = NULL; static char *searchUserTemplate = NULL; static char *newUserTemplate = NULL; static char *userDeleteTemplate = NULL; +static char *auditAdminTemplate = NULL; + static char *profileList = NULL; static int sendInPieces = 0; @@ -375,21 +399,9 @@ char *get_encoded_post_field(apr_table_t *post, const char *fname, int len) */ bool match_profile(const char *profile) { - char *pList = PL_strdup(profileList); - char *sresult = NULL; - - sresult = strtok(pList, ","); - while (sresult != NULL) { - if (PL_strcmp(sresult, profile) == 0) { - do_free(pList); - return true; - } - sresult = strtok(NULL, ","); - } - do_free(pList); - return false; + return RA::match_comma_list(profile, profileList); } - + char *getTemplateFile( char *fileName, int *injectionTagOffset ) { char *buf = NULL; @@ -1219,7 +1231,6 @@ LDAPMod **getModifications( char *query ) return mods; } - int get_tus_config( char *name ) { PRFileDesc *fd = NULL; @@ -2177,6 +2188,7 @@ int get_tus_config( char *name ) } } + get_cfg_string("tokendb.auditAdminTemplate=", auditAdminTemplate); if( buf != NULL ) { PR_Free( buf ); @@ -4910,6 +4922,160 @@ mod_tokendb_handler( request_rec *rq ) getTemplateName( template1, query ); buf = getData( template1, injection ); + } else if ( PL_strstr( query, "op=audit_admin") ) { + tokendbDebug( "authorization for op=audit_admin\n" ); + + if (!is_admin ) { + error_out("Authorization Failure", "Failed to authorize request"); + do_free(buf); + do_free(uri); + do_free(query); + + return DONE; + } + + PR_snprintf (injection, MAX_INJECTION_SIZE, + "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", JS_START, + "var uriBase = \"", uri, "\";\n", + "var userid = \"", userid, "\";\n", + "var signedAuditEnable = \"", RA::m_audit_enabled ? "true": "false", "\";\n", + "var logSigningEnable = \"", RA::m_audit_signed ? "true" : "false", "\";\n", + "var signedAuditSelectedEvents = \"", RA::m_signedAuditSelectedEvents, "\";\n", + "var signedAuditSelectableEvents = \"", RA::m_signedAuditSelectableEvents, "\";\n", + "var signedAuditNonSelectableEvents = \"", RA::m_signedAuditNonSelectableEvents, "\";\n"); + + RA::Debug( "mod_tokendb::mod_tokendb_handler", + "signedAudit: %s %s %s %s %s", + RA::m_audit_enabled ? "true": "false", + RA::m_audit_signed ? "true": "false", + RA::m_signedAuditSelectedEvents, + RA::m_signedAuditSelectableEvents, + RA::m_signedAuditNonSelectableEvents); + + char *flash = get_field(query, "flash=", SHORT_LEN); + if (flash != NULL) { + PL_strcat(injection, "var flash = \""); + PL_strcat(injection, flash); + PL_strcat(injection, "\";\n"); + do_free(flash); + } + + add_authorization_data(userid, is_admin, is_operator, is_agent, injection); + PL_strcat(injection, JS_STOP); + buf = getData(auditAdminTemplate, injection); + } else if (PL_strstr( query, "op=update_audit_admin") ) { + tokendbDebug( "authorization for op=audit_admin\n" ); + + if (!is_admin ) { + error_out("Authorization Failure", "Failed to authorize request"); + do_free(buf); + do_free(uri); + do_free(query); + + return DONE; + } + + int need_update=0; + + char *auditEnable = get_post_field(post, "auditEnable", SHORT_LEN); + if (PL_strcmp(auditEnable, "true") == 0) { + if (! RA::m_audit_enabled) { + need_update = 1; + RA::m_audit_enabled = true; + RA::update_signed_audit_enable("true"); + + PR_snprintf((char *)msg, 512, "'%s' has enabled audit logging", userid); + RA::tdb_activity(rq->connection->remote_ip, "", "enable_audit_logging", "success", msg, userid, NO_TOKEN_TYPE); + + // we need to sleep or not all our actvity logs will be written + PR_Sleep(PR_SecondsToInterval(1)); + } + } + + if (PL_strcmp(auditEnable, "false") == 0) { + if (RA::m_audit_enabled) { + need_update = 1; + RA::m_audit_enabled = false; + RA::update_signed_audit_enable("false"); + + PR_snprintf((char *)msg, 512, "'%s' has disabled audit logging", userid); + RA::tdb_activity(rq->connection->remote_ip, "", "disable_audit_logging", "success", msg, userid, NO_TOKEN_TYPE); + PR_Sleep(PR_SecondsToInterval(1)); + } + } + do_free(auditEnable); + + char *logSigning = get_post_field(post, "logSigningEnable", SHORT_LEN); + if (PL_strcmp(logSigning, "true") == 0) { + if (! RA::m_audit_signed) { + need_update = 1; + RA::m_audit_signed = true; + RA::update_signed_audit_logging_enable("true"); + + PR_snprintf((char *)msg, 512, "'%s' has enabled audit log signing", userid); + RA::tdb_activity(rq->connection->remote_ip, "", "enable_audit_log_signing", "success", msg, userid, NO_TOKEN_TYPE); + PR_Sleep(PR_SecondsToInterval(1)); + } + } + + if (PL_strcmp(logSigning, "false") == 0) { + if (RA::m_audit_signed) { + need_update = 1; + RA::m_audit_signed = false; + RA::update_signed_audit_logging_enable("false"); + + PR_snprintf((char *)msg, 512, "'%s' has disabled audit log signing", userid); + RA::tdb_activity(rq->connection->remote_ip, "", "disable_audit_log_signing", "success", msg, userid, NO_TOKEN_TYPE); + PR_Sleep(PR_SecondsToInterval(1)); + } + } + do_free(logSigning); + + int nEvents = atoi (get_post_field(post, "nEvents", SHORT_LEN)); + + char new_selected[MAX_INJECTION_SIZE]; + + int first_match = 1; + for (int i=0; i< nEvents; i++) { + char e_name[256]; + PR_snprintf(e_name, 256, "event_%d", i); + char *event = get_post_field(post, e_name, SHORT_LEN); + if ((event != NULL) && RA::IsValidEvent(event)) { + if (first_match != 1) { + PL_strcat(new_selected, ","); + } + first_match = 0; + PL_strcat(new_selected, event); + } + do_free(event); + } + + if (PL_strcmp(new_selected, RA::m_signedAuditSelectedEvents) != 0) { + need_update = 1; + RA::update_signed_audit_selected_events(new_selected); + + PR_snprintf((char *)msg, 512, + "'%s' has modified audit signing configuration", userid); + RA::tdb_activity(rq->connection->remote_ip, "", "modify_audit_signing", "success", msg, userid, NO_TOKEN_TYPE); + + } + + if (need_update == 1) { + tokendbDebug("Updating signed audit events in CS.cfg"); + RA::GetConfigStore()->Commit(true); + } + + PR_snprintf(injection, MAX_INJECTION_SIZE, + "/tus/tus?op=audit_admin&flash=Signed+Audit+configuration+has+been+updated"); + do_free(buf); + do_free(uri); + do_free(query); + + rq->method = apr_pstrdup(rq->pool, "GET"); + rq->method_number = M_GET; + + ap_internal_redirect_handler(injection, rq); + return OK; } if( buf != NULL ) { |