refactor audit system: update schema, support multiple formats, add s…

…igned audit - wip
scc-digitalhub · Jan 3, 2024 · 2893fb1 · 2893fb1
1 parent 5da66a7
commit 2893fb1
Show file tree

Hide file tree

Showing 30 changed files with 1,027 additions and 207 deletions.
diff --git a/src/main/java/it/smartcommunitylab/aac/api/ApiAuditController.java b/src/main/java/it/smartcommunitylab/aac/api/ApiAuditController.java
@@ -18,7 +18,7 @@
 
 import io.swagger.v3.oas.annotations.tags.Tag;
 import it.smartcommunitylab.aac.api.scopes.ApiAuditScope;
-import it.smartcommunitylab.aac.audit.BaseAuditController;
+import it.smartcommunitylab.aac.audit.controller.BaseAuditController;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController

diff --git a/src/main/java/it/smartcommunitylab/aac/audit/AuditManager.java b/src/main/java/it/smartcommunitylab/aac/audit/AuditManager.java
@@ -17,10 +17,12 @@
 package it.smartcommunitylab.aac.audit;
 
 import it.smartcommunitylab.aac.Config;
+import it.smartcommunitylab.aac.audit.model.RealmAuditEvent;
 import it.smartcommunitylab.aac.audit.store.AuditEventStore;
 import java.time.Instant;
 import java.util.Date;
 import java.util.List;
+import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -86,7 +88,11 @@ public List<RealmAuditEvent> findRealmEvents(String realm, String type, Date aft
             " before " +
             String.valueOf(b)
         );
-        return auditStore.findByRealm(realm, a, b, type);
+        return auditStore
+            .findByRealm(realm, a, b, type)
+            .stream()
+            .map(e -> new RealmAuditEvent(e.getTimestamp(), e.getPrincipal(), e.getType(), e.getData()))
+            .collect(Collectors.toList());
     }
 
     public List<AuditEvent> findPrincipalEvents(String realm, String principal, String type, Date after, Date before) {

diff --git a/src/main/java/it/smartcommunitylab/aac/audit/ExtendedAuthenticationEventPublisher.java b/src/main/java/it/smartcommunitylab/aac/audit/ExtendedAuthenticationEventPublisher.java
@@ -17,6 +17,8 @@
 package it.smartcommunitylab.aac.audit;
 
 import it.smartcommunitylab.aac.SystemKeys;
+import it.smartcommunitylab.aac.audit.events.UserAuthenticationFailureEvent;
+import it.smartcommunitylab.aac.audit.events.UserAuthenticationSuccessEvent;
 import it.smartcommunitylab.aac.core.auth.ExtendedAuthenticationToken;
 import it.smartcommunitylab.aac.core.auth.ProviderWrappedAuthenticationToken;
 import it.smartcommunitylab.aac.core.auth.RealmWrappedAuthenticationToken;

diff --git a/src/main/java/it/smartcommunitylab/aac/audit/OAuth2EventListener.java b/src/main/java/it/smartcommunitylab/aac/audit/OAuth2EventListener.java
@@ -16,6 +16,7 @@
 
 package it.smartcommunitylab.aac.audit;
 
+import it.smartcommunitylab.aac.audit.model.RealmAuditEvent;
 import it.smartcommunitylab.aac.oauth.AACOAuth2AccessToken;
 import it.smartcommunitylab.aac.oauth.event.OAuth2AuthorizationExceptionEvent;
 import it.smartcommunitylab.aac.oauth.event.OAuth2Event;

diff --git a/...itylab/aac/audit/BaseAuditController.java → ...audit/controller/BaseAuditController.java b/...itylab/aac/audit/BaseAuditController.java → ...audit/controller/BaseAuditController.java
@@ -14,11 +14,13 @@
  * limitations under the License.
  */
 
-package it.smartcommunitylab.aac.audit;
+package it.smartcommunitylab.aac.audit.controller;
 
 import io.swagger.v3.oas.annotations.Operation;
 import it.smartcommunitylab.aac.Config;
 import it.smartcommunitylab.aac.SystemKeys;
+import it.smartcommunitylab.aac.audit.AuditManager;
+import it.smartcommunitylab.aac.audit.model.RealmAuditEvent;
 import it.smartcommunitylab.aac.common.NoSuchRealmException;
 import java.util.Collection;
 import java.util.Date;

diff --git a/...audit/UserAuthenticationFailureEvent.java → ...vents/UserAuthenticationFailureEvent.java b/...audit/UserAuthenticationFailureEvent.java → ...vents/UserAuthenticationFailureEvent.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package it.smartcommunitylab.aac.audit;
+package it.smartcommunitylab.aac.audit.events;
 
 import it.smartcommunitylab.aac.SystemKeys;
 import it.smartcommunitylab.aac.core.auth.WebAuthenticationDetails;

diff --git a/...audit/UserAuthenticationSuccessEvent.java → ...vents/UserAuthenticationSuccessEvent.java b/...audit/UserAuthenticationSuccessEvent.java → ...vents/UserAuthenticationSuccessEvent.java
@@ -14,11 +14,12 @@
  * limitations under the License.
  */
 
-package it.smartcommunitylab.aac.audit;
+package it.smartcommunitylab.aac.audit.events;
 
 import it.smartcommunitylab.aac.SystemKeys;
 import it.smartcommunitylab.aac.core.auth.UserAuthentication;
 import it.smartcommunitylab.aac.core.auth.WebAuthenticationDetails;
+import it.smartcommunitylab.aac.model.Subject;
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
 import org.springframework.util.Assert;
 
@@ -32,19 +33,22 @@ public class UserAuthenticationSuccessEvent extends AuthenticationSuccessEvent {
     private final String authority;
     private final String provider;
     private final String realm;
+    private final Subject subject;
 
     public UserAuthenticationSuccessEvent(String authority, String provider, String realm, UserAuthentication auth) {
         super(auth);
+        Assert.notNull(auth, "user auth is required");
         Assert.hasText(authority, "authority is required");
         Assert.notNull(provider, "provider is required");
         Assert.notNull(realm, "realm is required");
 
         this.authority = authority;
         this.provider = provider;
         this.realm = realm;
+        this.subject = auth.getSubject();
     }
 
-    public UserAuthentication getAuthenticationToken() {
+    public UserAuthentication getUserAuthentication() {
         return (UserAuthentication) super.getAuthentication();
     }
 
@@ -60,7 +64,11 @@ public String getRealm() {
         return realm;
     }
 
+    public Subject getSubject() {
+        return subject;
+    }
+
     public WebAuthenticationDetails getDetails() {
-        return getAuthenticationToken().getWebAuthenticationDetails();
+        return getUserAuthentication().getWebAuthenticationDetails();
     }
 }
diff --git a/...aac/audit/AuthorizationEventListener.java → ...listeners/AuthorizationEventListener.java b/...aac/audit/AuthorizationEventListener.java → ...listeners/AuthorizationEventListener.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package it.smartcommunitylab.aac.audit;
+package it.smartcommunitylab.aac.audit.listeners;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -35,13 +35,12 @@ public void onApplicationEvent(AbstractAuthorizationEvent event) {
         // each request without authentication triggers an unauthorized event which ends
         // in store, we don't want those in db
         try {
-            if (event instanceof AuthorizationFailureEvent) {
-                AuthorizationFailureEvent failureEvent = (AuthorizationFailureEvent) event;
-
-                if (logger.isTraceEnabled()) {
-                    failureEvent.getAccessDeniedException().printStackTrace();
-                }
-            }
+            // if (event instanceof AuthorizationFailureEvent) {
+            //     AuthorizationFailureEvent failureEvent = (AuthorizationFailureEvent) event;
+            //     // if (logger.isTraceEnabled()) {
+            //     //     failureEvent.getAccessDeniedException().printStackTrace();
+            //     // }
+            // }
 
             logger.trace("authorization event " + event.toString());
         } catch (Exception e) {

diff --git a/...main/java/it/smartcommunitylab/aac/audit/listeners/ClientAuthenticationEventListener.java b/...main/java/it/smartcommunitylab/aac/audit/listeners/ClientAuthenticationEventListener.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2023 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.audit.listeners;
+
+import it.smartcommunitylab.aac.core.auth.ClientAuthentication;
+import java.util.HashMap;
+import java.util.Map;
+import org.springframework.boot.actuate.audit.AuditEvent;
+import org.springframework.boot.actuate.security.AbstractAuthenticationAuditListener;
+import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
+import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.core.AuthenticationException;
+
+public class ClientAuthenticationEventListener extends AbstractAuthenticationAuditListener {
+
+    public static final String CLIENT_AUTHENTICATION_FAILURE = "CLIENT_AUTHENTICATION_FAILURE";
+    public static final String CLIENT_AUTHENTICATION_SUCCESS = "CLIENT_AUTHENTICATION_SUCCESS";
+
+    @Override
+    public void onApplicationEvent(AbstractAuthenticationEvent event) {
+        if (event instanceof AuthenticationSuccessEvent) {
+            onAuthenticationSuccessEvent((AuthenticationSuccessEvent) event);
+        } else if (event instanceof AbstractAuthenticationFailureEvent) {
+            onAuthenticationFailureEvent((AbstractAuthenticationFailureEvent) event);
+        }
+    }
+
+    private void onAuthenticationFailureEvent(AbstractAuthenticationFailureEvent event) {
+        AuthenticationException ex = event.getException();
+        if (!(event.getAuthentication() instanceof ClientAuthentication)) {
+            return;
+        }
+
+        ClientAuthentication auth = (ClientAuthentication) event.getAuthentication();
+        String principal = auth.getPrincipal();
+        Object details = auth.getDetails();
+        String eventType = CLIENT_AUTHENTICATION_FAILURE;
+
+        // build data
+        Map<String, Object> data = new HashMap<>();
+        data.put("type", ex.getClass().getName());
+        data.put("message", ex.getMessage());
+        data.put("auth", auth.getClass().getName());
+
+        // persist details, should be safe to store
+        if (details != null) {
+            data.put("details", details);
+        }
+
+        // build audit
+        AuditEvent audit = new AuditEvent(principal, eventType, data);
+
+        // publish as event, listener will persist to store
+        publish(audit);
+    }
+
+    private void onAuthenticationSuccessEvent(AuthenticationSuccessEvent event) {
+        if (!(event.getAuthentication() instanceof ClientAuthentication)) {
+            return;
+        }
+
+        ClientAuthentication auth = (ClientAuthentication) event.getAuthentication();
+        String principal = auth.getName();
+        Object details = auth.getDetails();
+        String eventType = CLIENT_AUTHENTICATION_SUCCESS;
+
+        Map<String, Object> data = new HashMap<>();
+        data.put("auth", auth.getClass().getName());
+        data.put("realm", auth.getRealm());
+
+        // persist details, should be safe to store
+        if (details != null) {
+            data.put("details", details);
+        }
+
+        // build audit
+        AuditEvent audit = new AuditEvent(principal, eventType, data);
+
+        // publish as event, listener will persist to store
+        publish(audit);
+    }
+}