Merge pull request #402 from sahandilshan/master

Add diagnostic logs

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java

@@ -208,6 +208,31 @@ public static class LogConstants {
 
         public static final String CREATE_SAML_APPLICATION = "CREATE SAML APPLICATION";
         public static final String DELETE_SAML_APPLICATION = "DELETE SAML APPLICATION";
+        public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
+
+        /**
+         * Define action IDs for diagnostic logs.
+         */
+        public static class ActionIDs {
+
+            public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
+            public static final String VALIDATE_SAML_REQUEST = "validate-saml-request";
+            public static final String PROCESS_SAML_REQUEST = "process-saml-request";
+            public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
+        }
+
+        /**
+         * Define common and reusable Input keys for diagnostic logs.
+         */
+        public static class InputKeys {
+
+            public static final String SAML_REQUEST = "saml request";
+            public static final String ISSUER = "issuer";
+            public static final String CONSUMER_URL = "consumer url";
+            public static final String AUTH_MODE = "auth mode";
+            public static final String ASSERTION_URL = "assertion url";
+            public static final String QUERY_STRING = "query string";
+        }
     }
 
     public static class SingleLogoutCodes {

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java

@@ -21,6 +21,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
@@ -29,10 +31,12 @@
 import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
 import org.wso2.carbon.user.api.UserStoreException;
+import org.wso2.carbon.utils.DiagnosticLog;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
 import java.util.Map;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 import static org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.splitAppendedTenantDomain;
 
 public class IdPInitLogoutRequestProcessor implements IdpInitSSOLogoutRequestProcessor{
@@ -70,6 +74,26 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
 
         init(queryParamDTOs);
 
+        // This finalizeDiagLogBuilder is used to log the final status of the logout flow.
+        DiagnosticLog.DiagnosticLogBuilder finalizeDiagLogBuilder = null;
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            // Initialize finalizeDiagLogBuilder here to avoid initializing it in every if condition.
+            finalizeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
+            DiagnosticLog.DiagnosticLogBuilder initializeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
+            initializeDiagLogBuilder.resultMessage("Processing IDP initiated logout request.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .inputParam("server url", serverURL);
+            if (StringUtils.isNotBlank(returnTo)) {
+                initializeDiagLogBuilder.inputParam("return to", returnTo);
+            }
+            if (StringUtils.isNotBlank(spEntityID)) {
+                initializeDiagLogBuilder.inputParam("sp entity id", spEntityID);
+            }
+            LoggerUtils.triggerDiagnosticLogEvent(initializeDiagLogBuilder);
+        }
         SAMLSSOReqValidationResponseDTO validationResponseDTO = new SAMLSSOReqValidationResponseDTO();
 
         try {
@@ -80,6 +104,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
                 validationResponseDTO.setValid(false);
                 validationResponseDTO.setLogoutFromAuthFramework(true);
+                if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                    finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                            .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
+                }
                 return validationResponseDTO;
             }
 
@@ -93,6 +121,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
                 validationResponseDTO.setValid(false);
                 validationResponseDTO.setLogoutFromAuthFramework(true);
+                if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                    finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                            .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
+                }
                 return validationResponseDTO;
             }
             validationResponseDTO.setSessionIndex(sessionIndex);
@@ -103,6 +135,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 if (StringUtils.isNotBlank(returnTo)) {
                     log.error(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
                     validationResponseDTO.setValid(false);
+                    if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                        finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                .resultMessage(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
+                    }
                     return validationResponseDTO;
                 }
 
@@ -114,12 +150,21 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 if (logoutReqIssuer == null) {
                     log.error(String.format(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID, spEntityID));
                     validationResponseDTO.setValid(false);
+                    if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                        finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                .resultMessage(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID);
+                    }
                     return validationResponseDTO;
                 }
 
                 if (!logoutReqIssuer.isIdPInitSLOEnabled()) {
-                    log.error(String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID));
+                    String errorMsg = String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID);
+                    log.error(errorMsg);
                     validationResponseDTO.setValid(false);
+                    if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                        finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                .resultMessage(errorMsg);
+                    }
                     return validationResponseDTO;
                 }
 
@@ -128,6 +173,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                             .getAssertionConsumerUrlList().contains(returnTo)) {
                         log.error(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
                         validationResponseDTO.setValid(false);
+                        if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                            finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                    .resultMessage(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
+                        }
                         return validationResponseDTO;
                     }
                     validationResponseDTO.setReturnToURL(returnTo);
@@ -138,9 +187,24 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 SAMLSSOUtil.setTenantDomainInThreadLocal(logoutReqIssuer.getTenantDomain());
             }
             validationResponseDTO.setValid(true);
+            if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                finalizeDiagLogBuilder.resultMessage("Successfully processed IDP initiated logout request.")
+                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
+
+            }
 
         } catch (UserStoreException | IdentityException e) {
+            if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                        .resultMessage("Error while processing IDP initiated logout request.")
+                        .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage());
+            }
             throw IdentityException.error(SAMLSSOConstants.Notification.IDP_SLO_VALIDATE_ERROR, e);
+        } finally {
+            if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+                finalizeDiagLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                LoggerUtils.triggerDiagnosticLogEvent(finalizeDiagLogBuilder);
+            }
         }
         return validationResponseDTO;
     }

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java

@@ -23,6 +23,8 @@
 import org.opensaml.saml.saml2.core.Response;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
@@ -34,17 +36,34 @@
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
+import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.VALIDATE_SAML_REQUEST;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
+
 public class IdPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {
 
     private static final Log log = LogFactory.getLog(IdPInitSSOAuthnRequestProcessor.class);
 
     public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                                   boolean isAuthenticated, String authenticators, String authMode) throws Exception {
+
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
+            diagnosticLogBuilder.resultMessage("Validating IDP initiated SAML Authentication Request.")
+                    .inputParam(SAML_REQUEST, authnReqDTO.getRequestMessageString())
+                    .inputParam("auth mode", authMode)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         try {
             SAMLSSOServiceProviderDO serviceProviderConfigs = getServiceProviderConfig(authnReqDTO);
 
@@ -196,6 +215,24 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                     log.debug(samlssoRespDTO.getRespString());
                 }
             }
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
+                diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+                                samlssoRespDTO.getAssertionConsumerURL())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, authnReqDTO.getIssuer())
+                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                Optional.ofNullable(samlssoRespDTO.getSubject()).ifPresent(subject -> {
+                            String userName = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
+                                    subject.getUserName()) : subject.getUserName();
+                            diagnosticLogBuilder.inputParam(LogConstants.InputKeys.USER_ID,
+                                            SAMLSSOUtil.getUserId(subject))
+                                    .inputParam(LogConstants.InputKeys.USER, userName);
+                        });
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             return samlssoRespDTO;
         } catch (Exception e) {
             log.error("Error processing the authentication request", e);
@@ -312,6 +349,16 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
 
         samlSSORespDTO.setRespString(encodedResponse);
         samlSSORespDTO.setSessionEstablished(false);
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
+            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .inputParam(SAML_REQUEST, id)
+                    .inputParam("error saml response", encodedResponse)
+                    .resultMessage("An error occurred while processing the SAML request.")
+                    .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         return samlSSORespDTO;
     }
 }