Add audit logs improvements
piraveena committed Jul 26, 2023
1 parent f079438 commit bff5251
Showing 4 changed files with 145 additions and 7 deletions.
5 changes: 5 additions & 0 deletions components/org.wso2.carbon.identity.sso.saml/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,11 @@
<artifactId>slf4j-api</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.felix</groupId>
<artifactId>org.apache.felix.scr.ds-annotations</artifactId>
Expand Down
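Review bot: The jackson-databind dependency added to this component pom is not referenced by any new code in the commit; the service-provider serialization in the admin service is done with `com.google.gson.Gson` and `TypeToken`, not Jackson. Unless something outside this diff consumes it, the dependency is dead weight and, even at `provided` scope, a second JSON stack whose version has to be tracked for security patches. If it is needed, a short comment above the `<dependency>` naming the consumer (e.g. `<!-- required by org.wso2.carbon.utils.AuditLog data serialization -->`, if that is the reason) would spare the next reader the same search; if not, drop it and the matching entry in the root pom.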
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,15 @@ private StatusCodes() {
}
}

/**
* Group the constants related to logs.
*/
public static class LogConstants {

public static final String CREATE_SAML_APPLICATION = "CREATE SAML APPLICATION";
public static final String DELETE_SAML_APPLICATION = "DELETE SAML APPLICATION";
}

public static class SingleLogoutCodes {
public static final String LOGOUT_USER = "urn:oasis:names:tc:SAML:2.0:logout:user";
public static final String LOGOUT_ADMIN = "urn:oasis:names:tc:SAML:2.0:logout:admin";
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,20 +18,25 @@

package org.wso2.carbon.identity.sso.saml.admin;

import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml.saml1.core.NameIdentifier;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.mgt.ApplicationMgtUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sp.metadata.saml2.exception.InvalidMetadataException;
import org.wso2.carbon.identity.sp.metadata.saml2.util.Parser;
import org.wso2.carbon.identity.sso.saml.Error;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderInfoDTO;
Expand All @@ -41,10 +46,18 @@
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.registry.core.Registry;
import org.wso2.carbon.registry.core.session.UserRegistry;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.AuditLog;

import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.LogConstants.USER;
import static org.wso2.carbon.identity.application.mgt.ApplicationConstants.LogConstants.TARGET_APPLICATION;
import static org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils.triggerAuditLogEvent;
import static org.wso2.carbon.identity.sso.saml.Error.CONFLICTING_SAML_ISSUER;
import static org.wso2.carbon.identity.sso.saml.Error.INVALID_REQUEST;

Expand Down Expand Up @@ -86,8 +99,22 @@ public boolean addRelyingPartyServiceProvider(SAMLSSOServiceProviderDTO serviceP
log.error(message);
return false;
}
return IdentitySAMLSSOServiceComponentHolder.getInstance().getSAMLSSOServiceProviderManager()
boolean isSuccess = IdentitySAMLSSOServiceComponentHolder.getInstance().getSAMLSSOServiceProviderManager()
.addServiceProvider(serviceProviderDO, tenantId);
if (isSuccess && ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
Optional<String> initiatorId = getInitiatorId();
if (initiatorId.isPresent()) {
AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(
initiatorId.get(), USER,
issuer, TARGET_APPLICATION,
SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION)
.data(buildSPData(serviceProviderDO));
triggerAuditLogEvent(auditLogBuilder, true);
} else {
log.error("Error getting the logged in userId");
}
}
return isSuccess;
} catch (IdentityException e) {
String message = "Error obtaining a registry for adding a new service provider";
throw new IdentityException(message, e);
Expand Down Expand Up @@ -140,7 +167,21 @@ public SAMLSSOServiceProviderDTO addSAMLServiceProvider(SAMLSSOServiceProviderDT
String message = "A Service Provider with the name: " + issuer + " is already loaded from the file system.";
throw buildClientException(CONFLICTING_SAML_ISSUER, message);
}
return persistSAMLServiceProvider(serviceProviderDO);
SAMLSSOServiceProviderDTO samlssoServiceProviderDTO = persistSAMLServiceProvider(serviceProviderDO);
if (ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
Optional<String> initiatorId = getInitiatorId();
if (initiatorId.isPresent()) {
AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(
initiatorId.get(), USER,
issuer, TARGET_APPLICATION,
SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION)
.data(buildSPData(serviceProviderDO));
triggerAuditLogEvent(auditLogBuilder, true);
} else {
log.error("Error getting the logged in userId");
}
}
return samlssoServiceProviderDTO;
} catch (IdentitySAML2ClientException e){
throw e;
} catch (IdentityException e) {
Expand All @@ -149,6 +190,47 @@ public SAMLSSOServiceProviderDTO addSAMLServiceProvider(SAMLSSOServiceProviderDT
}
}

private static Map<String, Object> buildSPData(SAMLSSOServiceProviderDO app) {

if (app == null) {
return new HashMap<>();
}

Gson gson = new Gson();
String json = gson.toJson(app);
return gson.fromJson(json, new TypeToken<Map<String, Object>>() {
}.getType());
}

/**
* This method is used to retrieve logged in tenant domain.
* @return logged in tenant domain.
*/
private String getLoggedInTenantDomain() {

if (!IdentityTenantUtil.isTenantedSessionsEnabled()) {
return getTenantDomain();
}
return IdentityTenantUtil.getTenantDomainFromContext();
}

private Optional<AuthenticatedUser> getLoggedInUser(String tenantDomain) {

String tenantAwareLoggedInUsername = CarbonContext.getThreadLocalCarbonContext().getUsername();
return Optional.ofNullable(tenantAwareLoggedInUsername)
.filter(StringUtils::isNotEmpty)
.map(username -> buildAuthenticatedUser(username, tenantDomain));
}

private AuthenticatedUser buildAuthenticatedUser(String tenantAwareUser, String tenantDomain) {

AuthenticatedUser user = new AuthenticatedUser();
user.setUserName(UserCoreUtil.removeDomainFromName(tenantAwareUser));
user.setTenantDomain(tenantDomain);
user.setUserStoreDomain(IdentityUtil.extractDomainFromName(tenantAwareUser));
return user;
}

/**
* Update a service provider if it exists.
*
Expand Down Expand Up @@ -283,8 +365,21 @@ public SAMLSSOServiceProviderDTO uploadRelyingPartyServiceProvider(String metada
throw new IdentityException("Error occurred while setting certificate and alias", e);
}
}

return persistSAMLServiceProvider(samlssoServiceProviderDO);
SAMLSSOServiceProviderDTO samlssoServiceProviderDTO = persistSAMLServiceProvider(samlssoServiceProviderDO);
if (ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
Optional<String> initiatorId = getInitiatorId();
if (initiatorId.isPresent()) {
AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(
initiatorId.get(), USER,
samlssoServiceProviderDO.getIssuer(), TARGET_APPLICATION,
SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION)
.data(buildSPData(samlssoServiceProviderDO));
triggerAuditLogEvent(auditLogBuilder, true);
} else {
log.error("Error getting the logged in userId");
}
}
return samlssoServiceProviderDTO;
}

/**
Expand Down Expand Up @@ -599,13 +694,36 @@ public SAMLSSOServiceProviderInfoDTO getServiceProviders() throws IdentityExcept
*/
public boolean removeServiceProvider(String issuer) throws IdentityException {
try {
return IdentitySAMLSSOServiceComponentHolder.getInstance()
boolean isSuccess = IdentitySAMLSSOServiceComponentHolder.getInstance()
.getSAMLSSOServiceProviderManager().removeServiceProvider(issuer, tenantId);
if (isSuccess) {
if (ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
Optional<String> initiatorId = getInitiatorId();
if (initiatorId.isPresent()) {
AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(initiatorId.get(),
USER, issuer, TARGET_APPLICATION,
SAMLSSOConstants.LogConstants.DELETE_SAML_APPLICATION);
triggerAuditLogEvent(auditLogBuilder, true);
} else {
log.error("Error getting the logged in userId");
}
}
}
return isSuccess;
} catch (IdentityException e) {
throw new IdentityException("Error removing a Service Provider with issuer: " + issuer, e);
}
}

private Optional<String> getInitiatorId(){

return Optional.ofNullable(CarbonContext.getThreadLocalCarbonContext().getUserId())
.filter(StringUtils::isNotBlank)
.or(() -> getLoggedInUser(getLoggedInTenantDomain())
.map(loggedInUser -> IdentityUtil.getInitiatorId(loggedInUser.getUserName(),
getLoggedInTenantDomain())));
}

protected String getTenantDomain() {

return CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
Expand Down
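Review bot: The audit-log blocks in addSAMLServiceProvider, uploadRelyingPartyServiceProvider and addRelyingPartyServiceProvider run after the service provider has already been persisted, with nothing around buildSPData or triggerAuditLogEvent, so a runtime exception from Gson's reflective serialization of SAMLSSOServiceProviderDO or from the event trigger escapes after the write has committed, the caller sees the create as failed, and a retry then hits CONFLICTING_SAML_ISSUER; the same three blocks are also copy-pasted verbatim, differing only in the issuer expression. buildSPData dumps every field of the DO into the audit record, which is risky in both directions: uploadRelyingPartyServiceProvider sets a certificate on the DO before persisting, and if that is a java.security.cert object Gson's reflection can fail on newer JDKs or emit material that does not belong in an audit log, so an explicit allowlist of fields (issuer, assertion consumer URLs, flags) is the safer payload. Finally, when getInitiatorId is empty the privileged change is recorded only as `log.error("Error getting the logged in userId")` and no audit event is emitted at all; the "unknown caller" case is exactly the one an auditor wants captured, so emit the event with a placeholder initiator if AuditLogBuilder permits it. The sketch below folds the three blocks into one helper and keeps an audit failure from masking an already-committed change; whether an audit failure should instead fail the request is a policy decision the team should make explicitly, but it should not be an accidental unchecked exception.
```java
/**
 * Publishes an audit event for a service-provider create/delete once the
 * change has been persisted. Runs only when legacy app-mgt audit logs are
 * disabled; a failure here is logged, not propagated, because the write has
 * already committed and the caller must not see it as failed.
 */
private void auditServiceProviderChange(String action, String issuer, SAMLSSOServiceProviderDO serviceProviderDO) {

    if (!ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
        return;
    }
    try {
        Optional<String> initiatorId = getInitiatorId();
        if (!initiatorId.isPresent()) {
            // TODO(review): decide whether to emit with a placeholder initiator rather than drop the event.
            log.error("Error getting the logged in userId");
            return;
        }
        AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(initiatorId.get(), USER,
                issuer, TARGET_APPLICATION, action);
        if (serviceProviderDO != null) {
            auditLogBuilder.data(buildSPData(serviceProviderDO));
        }
        triggerAuditLogEvent(auditLogBuilder, true);
    } catch (RuntimeException e) {
        log.error("Error publishing audit log for action: " + action + ", issuer: " + issuer, e);
    }
}

// … unchanged: addSAMLServiceProvider up to persistSAMLServiceProvider …
SAMLSSOServiceProviderDTO samlssoServiceProviderDTO = persistSAMLServiceProvider(serviceProviderDO);
auditServiceProviderChange(SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION, issuer, serviceProviderDO);
return samlssoServiceProviderDTO;

// … unchanged: removeServiceProvider up to the manager call …
if (isSuccess) {
    auditServiceProviderChange(SAMLSSOConstants.LogConstants.DELETE_SAML_APPLICATION, issuer, null);
}
return isSuccess;
```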
10 changes: 8 additions & 2 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -261,6 +261,11 @@
<artifactId>axis2-client</artifactId>
<version>${axis2.wso2.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${com.fasterxml.jackson.version}</version>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
<artifactId>org.wso2.carbon.identity.sso.saml.common</artifactId>
Expand Down Expand Up @@ -450,9 +455,9 @@
</modules>

<properties>
<carbon.kernel.version>4.9.0</carbon.kernel.version>
<carbon.kernel.version>4.9.10</carbon.kernel.version>
<carbon.kernel.feature.version>4.9.0</carbon.kernel.feature.version>
<carbon.identity.framework.version>5.25.247</carbon.identity.framework.version>
<carbon.identity.framework.version>5.25.258</carbon.identity.framework.version>
<carbon.identity.framework.imp.pkg.version.range>[5.25.234, 7.0.0)
</carbon.identity.framework.imp.pkg.version.range>
<carbon.identity.organization.management.core.version>1.0.0</carbon.identity.organization.management.core.version>
Expand All @@ -470,6 +475,7 @@
<encoder.wso2.version>1.2.0.wso2v1</encoder.wso2.version>
<axis2.wso2.version>1.6.1.wso2v12</axis2.wso2.version>
<joda.wso2.version>2.9.4.wso2v1</joda.wso2.version>
<com.fasterxml.jackson.version>2.13.2</com.fasterxml.jackson.version>

<maven.bundle.plugin.version>3.2.0</maven.bundle.plugin.version>
<maven.compiler.plugin.version>2.3.1</maven.compiler.plugin.version>
Expand Down
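Review bot: `com.fasterxml.jackson.version` is introduced here pinned at 2.13.2, which as far as I recall predates the 2.13.4.x releases that addressed the jackson-databind deep-nesting resource-exhaustion advisories (CVE-2022-42003 / CVE-2022-42004) — please confirm against the current advisory data before merging. Because the component declares the artifact at `provided` scope the runtime copy comes from the platform, but this pin still decides what the module is compiled and tested against, so it should track the platform's patched 2.13.x (or later) line rather than an older one, e.g. `<com.fasterxml.jackson.version>2.13.4.2</com.fasterxml.jackson.version>`. If the dependency turns out to be unused by this commit's code, removing the property along with it is the cleaner fix.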
