Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add diagnostic logs #402

Merged
merged 9 commits into from
Aug 22, 2023
Merged
Show file tree
Hide file tree
Changes from 8 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,32 @@ public static class LogConstants {

public static final String CREATE_SAML_APPLICATION = "CREATE SAML APPLICATION";
public static final String DELETE_SAML_APPLICATION = "DELETE SAML APPLICATION";
public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";

/**
* Define action IDs for diagnostic logs.
*/
public static class ActionIDs {

public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
sahandilshan marked this conversation as resolved.
Show resolved Hide resolved
public static final String SAML_REQUEST_VALIDATION = "saml-request-validation";
public static final String SAML_LOGOUT_PROCESSING = "saml-logout-processing";
public static final String PROCESS_SAML_REQUEST = "process-saml-request";
public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
}

/**
* Define common and reusable Input keys for diagnostic logs.
*/
public static class InputKeys {

public static final String SAML_REQUEST = "saml request";
public static final String ISSUER = "issuer";
public static final String CONSUMER_URL = "consumer url";
public static final String AUTH_MODE = "auth mode";
public static final String ASSERTION_URL = "assertion url";
public static final String QUERY_STRING = "query string";
}
}

public static class SingleLogoutCodes {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
Expand All @@ -29,10 +31,12 @@
import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.DiagnosticLog;
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;

import java.util.Map;

import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
import static org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.splitAppendedTenantDomain;

public class IdPInitLogoutRequestProcessor implements IdpInitSSOLogoutRequestProcessor{
Expand Down Expand Up @@ -70,6 +74,26 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]

init(queryParamDTOs);

// This finalizeDiagLogBuilder is used to log the final status of the logout flow.
DiagnosticLog.DiagnosticLogBuilder finalizeDiagLogBuilder = null;
if (LoggerUtils.isDiagnosticLogsEnabled()) {
// Initialize finalizeDiagLogBuilder here to avoid initializing it in every if condition.
finalizeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
DiagnosticLog.DiagnosticLogBuilder initializeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
initializeDiagLogBuilder.resultMessage("Processing IDP initiated logout request.")
.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
.resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
.inputParam("server url", serverURL);
if (StringUtils.isNotBlank(returnTo)) {
initializeDiagLogBuilder.inputParam("return to", returnTo);
}
if (StringUtils.isNotBlank(spEntityID)) {
initializeDiagLogBuilder.inputParam("sp entity id", spEntityID);
}
LoggerUtils.triggerDiagnosticLogEvent(initializeDiagLogBuilder);
}
SAMLSSOReqValidationResponseDTO validationResponseDTO = new SAMLSSOReqValidationResponseDTO();

try {
Expand All @@ -80,6 +104,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
validationResponseDTO.setValid(false);
validationResponseDTO.setLogoutFromAuthFramework(true);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
}
return validationResponseDTO;
}

Expand All @@ -93,6 +121,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
validationResponseDTO.setValid(false);
validationResponseDTO.setLogoutFromAuthFramework(true);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
}
return validationResponseDTO;
}
validationResponseDTO.setSessionIndex(sessionIndex);
Expand All @@ -103,6 +135,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
if (StringUtils.isNotBlank(returnTo)) {
log.error(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
validationResponseDTO.setValid(false);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
}
return validationResponseDTO;
}

Expand All @@ -114,12 +150,21 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
if (logoutReqIssuer == null) {
log.error(String.format(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID, spEntityID));
validationResponseDTO.setValid(false);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID);
}
return validationResponseDTO;
}

if (!logoutReqIssuer.isIdPInitSLOEnabled()) {
log.error(String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID));
String errorMsg = String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID);
log.error(errorMsg);
validationResponseDTO.setValid(false);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage(errorMsg);
}
return validationResponseDTO;
}

Expand All @@ -128,6 +173,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
.getAssertionConsumerUrlList().contains(returnTo)) {
log.error(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
validationResponseDTO.setValid(false);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
}
return validationResponseDTO;
}
validationResponseDTO.setReturnToURL(returnTo);
Expand All @@ -138,9 +187,24 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
SAMLSSOUtil.setTenantDomainInThreadLocal(logoutReqIssuer.getTenantDomain());
}
validationResponseDTO.setValid(true);
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultMessage("Successfully processed IDP initiated logout request.")
.resultStatus(DiagnosticLog.ResultStatus.SUCCESS);

}

} catch (UserStoreException | IdentityException e) {
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
.resultMessage("Error while processing IDP initiated logout request.")
.inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage());
}
throw IdentityException.error(SAMLSSOConstants.Notification.IDP_SLO_VALIDATE_ERROR, e);
} finally {
if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
finalizeDiagLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
LoggerUtils.triggerDiagnosticLogEvent(finalizeDiagLogBuilder);
}
}
return validationResponseDTO;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@
import org.opensaml.saml.saml2.core.Response;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
Expand All @@ -34,17 +36,34 @@
import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.utils.DiagnosticLog;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.UUID;

import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST;
import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;

public class IdPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {

private static final Log log = LogFactory.getLog(IdPInitSSOAuthnRequestProcessor.class);

public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
boolean isAuthenticated, String authenticators, String authMode) throws Exception {

if (LoggerUtils.isDiagnosticLogsEnabled()) {
DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
diagnosticLogBuilder.resultMessage("Validating IDP initiated SAML Authentication Request.")
.inputParam(SAML_REQUEST, authnReqDTO.getRequestMessageString())
.inputParam("auth mode", authMode)
.resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
}
try {
SAMLSSOServiceProviderDO serviceProviderConfigs = getServiceProviderConfig(authnReqDTO);

Expand Down Expand Up @@ -196,6 +215,24 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
log.debug(samlssoRespDTO.getRespString());
}
}
if (LoggerUtils.isDiagnosticLogsEnabled()) {
DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
.inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
samlssoRespDTO.getAssertionConsumerURL())
.inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, authnReqDTO.getIssuer())
.resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
Optional.ofNullable(samlssoRespDTO.getSubject()).ifPresent(subject -> {
String userName = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
subject.getUserName()) : subject.getUserName();
diagnosticLogBuilder.inputParam(LogConstants.InputKeys.USER_ID,
SAMLSSOUtil.getUserId(subject))
.inputParam(LogConstants.InputKeys.USER, userName);
});
LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
}
return samlssoRespDTO;
} catch (Exception e) {
log.error("Error processing the authentication request", e);
Expand Down Expand Up @@ -312,6 +349,16 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList

samlSSORespDTO.setRespString(encodedResponse);
samlSSORespDTO.setSessionEstablished(false);
if (LoggerUtils.isDiagnosticLogsEnabled()) {
DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
.inputParam(SAML_REQUEST, id)
.inputParam("error saml response", encodedResponse)
.resultMessage("An error occurred while processing the SAML request.")
.resultStatus(DiagnosticLog.ResultStatus.FAILED);
LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
}
return samlSSORespDTO;
}
}
Loading
Loading