New audit trail

src/main/java/it/smartcommunitylab/aac/api/ApiAuditController.java

@@ -18,7 +18,7 @@
 
 import io.swagger.v3.oas.annotations.tags.Tag;
 import it.smartcommunitylab.aac.api.scopes.ApiAuditScope;
-import it.smartcommunitylab.aac.audit.BaseAuditController;
+import it.smartcommunitylab.aac.audit.controller.BaseAuditController;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController

src/main/java/it/smartcommunitylab/aac/audit/AuditManager.java

@@ -17,10 +17,13 @@
 package it.smartcommunitylab.aac.audit;
 
 import it.smartcommunitylab.aac.Config;
+import it.smartcommunitylab.aac.audit.model.ExtendedAuditEvent;
+import it.smartcommunitylab.aac.audit.model.RealmAuditEvent;
 import it.smartcommunitylab.aac.audit.store.AuditEventStore;
 import java.time.Instant;
 import java.util.Date;
 import java.util.List;
+import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -72,7 +75,7 @@ public long countPrincipalEvents(String realm, String principal, String type, Da
         return auditStore.countByPrincipal(principal, a, b, type);
     }
 
-    public List<RealmAuditEvent> findRealmEvents(String realm, String type, Date after, Date before) {
+    public List<AuditEvent> findRealmEvents(String realm, String type, Date after, Date before) {
         Instant a = after == null ? null : after.toInstant();
         Instant b = before == null ? null : before.toInstant();
 

src/main/java/it/smartcommunitylab/aac/audit/OAuth2EventListener.java

@@ -96,13 +96,14 @@ private void onAuthorizationExceptionEvent(OAuth2AuthorizationExceptionEvent eve
         String type = "OAUTH2_" + errorCode.toUpperCase();
 
         Map<String, Object> data = new HashMap<>();
+        data.put("realm", realm);
         data.put("error", errorCode);
         data.put("summary", exception.getSummary());
         data.put("message", exception.getMessage());
         data.put("info", exception.getAdditionalInformation());
 
         // build audit
-        RealmAuditEvent audit = new RealmAuditEvent(realm, Instant.now(), principal, type, data);
+        AuditEvent audit = new AuditEvent(Instant.now(), principal, type, data);
 
         // publish as event, listener will persist to store
         publish(audit);
@@ -125,13 +126,14 @@ private void onTokenExceptionEvent(OAuth2TokenExceptionEvent event) {
         String type = "OAUTH2_" + errorCode.toUpperCase();
 
         Map<String, Object> data = new HashMap<>();
+        data.put("realm", realm);
         data.put("error", errorCode);
         data.put("summary", exception.getSummary());
         data.put("message", exception.getMessage());
         data.put("info", exception.getAdditionalInformation());
 
         // build audit
-        RealmAuditEvent audit = new RealmAuditEvent(realm, Instant.now(), principal, type, data);
+        AuditEvent audit = new AuditEvent(Instant.now(), principal, type, data);
 
         // publish as event, listener will persist to store
         publish(audit);
@@ -171,7 +173,7 @@ public void onTokenGrantEvent(TokenGrantEvent event) {
             }
 
             // build audit
-            RealmAuditEvent audit = new RealmAuditEvent(realm, Instant.now(), principal, TOKEN_GRANT, data);
+            AuditEvent audit = new AuditEvent(Instant.now(), principal, TOKEN_GRANT, data);
 
             // publish as event, listener will persist to store
             publish(audit);

src/main/java/it/smartcommunitylab/aac/audit/BaseAuditController.java → src/main/java/it/smartcommunitylab/aac/audit/controller/BaseAuditController.java

@@ -14,11 +14,12 @@
  * limitations under the License.
  */
 
-package it.smartcommunitylab.aac.audit;
+package it.smartcommunitylab.aac.audit.controller;
 
 import io.swagger.v3.oas.annotations.Operation;
 import it.smartcommunitylab.aac.Config;
 import it.smartcommunitylab.aac.SystemKeys;
+import it.smartcommunitylab.aac.audit.AuditManager;
 import it.smartcommunitylab.aac.common.NoSuchRealmException;
 import java.util.Collection;
 import java.util.Date;
@@ -30,6 +31,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.actuate.audit.AuditEvent;
 import org.springframework.format.annotation.DateTimeFormat;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.util.Assert;
@@ -65,7 +67,7 @@ public String getAuthority() {
 
     @GetMapping("/audit/{realm}")
     @Operation(summary = "find audit events from a given realm")
-    public Collection<RealmAuditEvent> findEvents(
+    public Collection<AuditEvent> findEvents(
         @PathVariable @Valid @NotNull @Pattern(regexp = SystemKeys.SLUG_PATTERN) String realm,
         @RequestParam(required = false, name = "type") Optional<String> type,
         @RequestParam(required = false, name = "after") @DateTimeFormat(
@@ -75,7 +77,7 @@ public Collection<RealmAuditEvent> findEvents(
             iso = DateTimeFormat.ISO.DATE_TIME
         ) Optional<Date> before
     ) throws NoSuchRealmException {
-        logger.debug("find audit events for realm [}", StringUtils.trimAllWhitespace(realm));
+        logger.debug("find audit events for realm {}", StringUtils.trimAllWhitespace(realm));
 
         return auditManager.findRealmEvents(realm, type.orElse(null), after.orElse(null), before.orElse(null));
     }

src/main/java/it/smartcommunitylab/aac/audit/AuthorizationEventListener.java → src/main/java/it/smartcommunitylab/aac/audit/listeners/AuthorizationEventListener.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package it.smartcommunitylab.aac.audit;
+package it.smartcommunitylab.aac.audit.listeners;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -35,13 +35,12 @@ public void onApplicationEvent(AbstractAuthorizationEvent event) {
         // each request without authentication triggers an unauthorized event which ends
         // in store, we don't want those in db
         try {
-            if (event instanceof AuthorizationFailureEvent) {
-                AuthorizationFailureEvent failureEvent = (AuthorizationFailureEvent) event;
-
-                if (logger.isTraceEnabled()) {
-                    failureEvent.getAccessDeniedException().printStackTrace();
-                }
-            }
+            // if (event instanceof AuthorizationFailureEvent) {
+            //     AuthorizationFailureEvent failureEvent = (AuthorizationFailureEvent) event;
+            //     // if (logger.isTraceEnabled()) {
+            //     //     failureEvent.getAccessDeniedException().printStackTrace();
+            //     // }
+            // }
 
             logger.trace("authorization event " + event.toString());
         } catch (Exception e) {

src/main/java/it/smartcommunitylab/aac/audit/listeners/ClientAuthenticationEventListener.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright 2023 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.audit.listeners;
+
+import it.smartcommunitylab.aac.core.auth.ClientAuthentication;
+import java.util.HashMap;
+import java.util.Map;
+import org.springframework.boot.actuate.audit.AuditEvent;
+import org.springframework.boot.actuate.security.AbstractAuthenticationAuditListener;
+import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
+import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.core.AuthenticationException;
+
+public class ClientAuthenticationEventListener extends AbstractAuthenticationAuditListener {
+
+    public static final String CLIENT_AUTHENTICATION_FAILURE = "CLIENT_AUTHENTICATION_FAILURE";
+    public static final String CLIENT_AUTHENTICATION_SUCCESS = "CLIENT_AUTHENTICATION_SUCCESS";
+
+    @Override
+    public void onApplicationEvent(AbstractAuthenticationEvent event) {
+        if (event instanceof AuthenticationSuccessEvent) {
+            onAuthenticationSuccessEvent((AuthenticationSuccessEvent) event);
+        } else if (event instanceof AbstractAuthenticationFailureEvent) {
+            onAuthenticationFailureEvent((AbstractAuthenticationFailureEvent) event);
+        }
+    }
+
+    private void onAuthenticationFailureEvent(AbstractAuthenticationFailureEvent event) {
+        AuthenticationException ex = event.getException();
+        if (!(event.getAuthentication() instanceof ClientAuthentication)) {
+            return;
+        }
+
+        ClientAuthentication auth = (ClientAuthentication) event.getAuthentication();
+        String principal = auth.getPrincipal();
+        Object details = auth.getDetails();
+        String eventType = CLIENT_AUTHENTICATION_FAILURE;
+
+        // build data
+        Map<String, Object> data = new HashMap<>();
+        data.put("type", ex.getClass().getName());
+        data.put("message", ex.getMessage());
+        data.put("auth", auth.getClass().getName());
+
+        // persist details, should be safe to store
+        if (details != null) {
+            data.put("details", details);
+        }
+
+        // build audit
+        AuditEvent audit = new AuditEvent(principal, eventType, data);
+
+        // publish as event, listener will persist to store
+        publish(audit);
+    }
+
+    private void onAuthenticationSuccessEvent(AuthenticationSuccessEvent event) {
+        if (!(event.getAuthentication() instanceof ClientAuthentication)) {
+            return;
+        }
+
+        ClientAuthentication auth = (ClientAuthentication) event.getAuthentication();
+        String principal = auth.getName();
+        Object details = auth.getDetails();
+        String eventType = CLIENT_AUTHENTICATION_SUCCESS;
+
+        Map<String, Object> data = new HashMap<>();
+        data.put("auth", auth.getClass().getName());
+        data.put("realm", auth.getRealm());
+
+        // persist details, should be safe to store
+        if (details != null) {
+            data.put("details", details);
+        }
+
+        // build audit
+        AuditEvent audit = new AuditEvent(principal, eventType, data);
+
+        // publish as event, listener will persist to store
+        publish(audit);
+    }
+}