Add diagnostic logs

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java

@@ -208,6 +208,31 @@ public static class LogConstants {
 
  public static final String CREATE_SAML_APPLICATION = "CREATE SAML APPLICATION";
  public static final String DELETE_SAML_APPLICATION = "DELETE SAML APPLICATION";
+ public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
+
+ /**
+ * Define action IDs for diagnostic logs.
+ */
+ public static class ActionIDs {
+
+ public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
+ public static final String VALIDATE_SAML_REQUEST = "validate-saml-request";
+ public static final String PROCESS_SAML_REQUEST = "process-saml-request";
+ public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
+ }
+
+ /**
+ * Define common and reusable Input keys for diagnostic logs.
+ */
+ public static class InputKeys {
+
+ public static final String SAML_REQUEST = "saml request";
+ public static final String ISSUER = "issuer";
+ public static final String CONSUMER_URL = "consumer url";
+ public static final String AUTH_MODE = "auth mode";
+ public static final String ASSERTION_URL = "assertion url";
+ public static final String QUERY_STRING = "query string";
+ }
  }
 
  public static class SingleLogoutCodes {

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java

@@ -21,6 +21,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
@@ -29,10 +31,12 @@
 import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
 import org.wso2.carbon.user.api.UserStoreException;
+import org.wso2.carbon.utils.DiagnosticLog;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
 import java.util.Map;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 import static org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.splitAppendedTenantDomain;
 
 public class IdPInitLogoutRequestProcessor implements IdpInitSSOLogoutRequestProcessor{
@@ -70,6 +74,26 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
 
  init(queryParamDTOs);
 
+ // This finalizeDiagLogBuilder is used to log the final status of the logout flow.
+ DiagnosticLog.DiagnosticLogBuilder finalizeDiagLogBuilder = null;
+ if (LoggerUtils.isDiagnosticLogsEnabled()) {
+ // Initialize finalizeDiagLogBuilder here to avoid initializing it in every if condition.
+ finalizeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+ SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
+ DiagnosticLog.DiagnosticLogBuilder initializeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+ SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
+ initializeDiagLogBuilder.resultMessage("Processing IDP initiated logout request.")
+ .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+ .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+ .inputParam("server url", serverURL);
+ if (StringUtils.isNotBlank(returnTo)) {
+ initializeDiagLogBuilder.inputParam("return to", returnTo);
+ }
+ if (StringUtils.isNotBlank(spEntityID)) {
+ initializeDiagLogBuilder.inputParam("sp entity id", spEntityID);
+ }
+ LoggerUtils.triggerDiagnosticLogEvent(initializeDiagLogBuilder);
+ }
  SAMLSSOReqValidationResponseDTO validationResponseDTO = new SAMLSSOReqValidationResponseDTO();
 
  try {
@@ -80,6 +104,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
  log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
  validationResponseDTO.setValid(false);
  validationResponseDTO.setLogoutFromAuthFramework(true);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
+ }
  return validationResponseDTO;
  }
 
@@ -93,6 +121,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
  log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
  validationResponseDTO.setValid(false);
  validationResponseDTO.setLogoutFromAuthFramework(true);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
+ }
  return validationResponseDTO;
  }
  validationResponseDTO.setSessionIndex(sessionIndex);
@@ -103,6 +135,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
  if (StringUtils.isNotBlank(returnTo)) {
  log.error(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
  validationResponseDTO.setValid(false);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
+ }
  return validationResponseDTO;
  }
 
@@ -114,12 +150,21 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
  if (logoutReqIssuer == null) {
  log.error(String.format(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID, spEntityID));
  validationResponseDTO.setValid(false);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID);
+ }
  return validationResponseDTO;
  }
 
  if (!logoutReqIssuer.isIdPInitSLOEnabled()) {
- log.error(String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID));
+ String errorMsg = String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID);
+ log.error(errorMsg);
  validationResponseDTO.setValid(false);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage(errorMsg);
+ }
  return validationResponseDTO;
  }
 
@@ -128,6 +173,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
  .getAssertionConsumerUrlList().contains(returnTo)) {
  log.error(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
  validationResponseDTO.setValid(false);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
+ }
  return validationResponseDTO;
  }
  validationResponseDTO.setReturnToURL(returnTo);
@@ -138,9 +187,24 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
  SAMLSSOUtil.setTenantDomainInThreadLocal(logoutReqIssuer.getTenantDomain());
  }
  validationResponseDTO.setValid(true);
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultMessage("Successfully processed IDP initiated logout request.")
+ .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
+
+ }
 
  } catch (UserStoreException | IdentityException e) {
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+ .resultMessage("Error while processing IDP initiated logout request.")
+ .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage());
+ }
  throw IdentityException.error(SAMLSSOConstants.Notification.IDP_SLO_VALIDATE_ERROR, e);
+ } finally {
+ if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
+ finalizeDiagLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+ LoggerUtils.triggerDiagnosticLogEvent(finalizeDiagLogBuilder);
+ }
  }
  return validationResponseDTO;
  }

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java

@@ -23,6 +23,8 @@
 import org.opensaml.saml.saml2.core.Response;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
@@ -34,17 +36,34 @@
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
+import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.VALIDATE_SAML_REQUEST;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
+
 public class IdPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {
 
  private static final Log log = LogFactory.getLog(IdPInitSSOAuthnRequestProcessor.class);
 
  public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
  boolean isAuthenticated, String authenticators, String authMode) throws Exception {
+
+ if (LoggerUtils.isDiagnosticLogsEnabled()) {
+ DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+ SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
+ diagnosticLogBuilder.resultMessage("Validating IDP initiated SAML Authentication Request.")
+ .inputParam(SAML_REQUEST, authnReqDTO.getRequestMessageString())
+ .inputParam("auth mode", authMode)
+ .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+ .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+ LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+ }
  try {
  SAMLSSOServiceProviderDO serviceProviderConfigs = getServiceProviderConfig(authnReqDTO);
 
@@ -196,6 +215,24 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
  log.debug(samlssoRespDTO.getRespString());
  }
  }
+ if (LoggerUtils.isDiagnosticLogsEnabled()) {
+ DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+ SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
+ diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
+ .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+ samlssoRespDTO.getAssertionConsumerURL())
+ .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, authnReqDTO.getIssuer())
+ .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+ .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+ Optional.ofNullable(samlssoRespDTO.getSubject()).ifPresent(subject -> {
+ String userName = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
+ subject.getUserName()) : subject.getUserName();
+ diagnosticLogBuilder.inputParam(LogConstants.InputKeys.USER_ID,
+ SAMLSSOUtil.getUserId(subject))
+ .inputParam(LogConstants.InputKeys.USER, userName);
+ });
+ LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+ }
  return samlssoRespDTO;
  } catch (Exception e) {
  log.error("Error processing the authentication request", e);
@@ -312,6 +349,16 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
 
  samlSSORespDTO.setRespString(encodedResponse);
  samlSSORespDTO.setSessionEstablished(false);
+ if (LoggerUtils.isDiagnosticLogsEnabled()) {
+ DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+ SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
+ diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+ .inputParam(SAML_REQUEST, id)
+ .inputParam("error saml response", encodedResponse)
+ .resultMessage("An error occurred while processing the SAML request.")
+ .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+ LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+ }
  return samlSSORespDTO;
  }
 }