Commit a2775d14 authored by Romain Ferrari's avatar Romain Ferrari

Fixed #42 Removing all parts of audit logs. A new project have been created...

Fixed #42: Removed all parts of the audit logs. A new project has been created at https://gitlab.dev.theresis.org/authzforce/audit
parent e5c8c1e2
......@@ -27,7 +27,6 @@
<!-- JDK versions for AspectJ -->
<jdk.source>1.7</jdk.source>
<jdk.target>1.7</jdk.target>
<aspectj.version>1.7.4</aspectj.version>
<debug>false</debug>
</properties>
<dependencies>
......@@ -36,18 +35,6 @@
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
</dependency>
<!-- Dependencies of audit feature only -->
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>${aspectj.version}</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-jaxrs</artifactId>
<version>1.9.13</version>
</dependency>
<!-- END dependencies of audit feature -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
......@@ -267,39 +254,7 @@
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>aspectj-maven-plugin</artifactId>
<version>1.5</version>
<!-- WARNING: to fix Eclipse error "Plugin execution not covered by lifecycle configuration", install
Eclipse plugin "Maven integration for AJDT" from update site: http://dist.springsource.org/release/AJDT/configurator/
DO NOT FIX IT by using eclipse "fake" lifecycle-mapping plugin in pluginManagement section, because Jenkins
will not be able to resolve it as it is not an actual plugin available on public repositories. -->
<dependencies>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjtools</artifactId>
<version>${aspectj.version}</version>
</dependency>
</dependencies>
<executions>
<execution>
<goals>
<goal>compile</goal>
<goal>test-compile</goal>
</goals>
</execution>
</executions>
<configuration>
<verbose>${debug}</verbose>
<showWeaveInfo>${debug}</showWeaveInfo>
<outxml>${debug}</outxml>
<complianceLevel>${jdk.source}</complianceLevel>
<source>${jdk.source}</source>
<target>${jdk.target}</target>
</configuration>
</plugin>
</plugin>
<!-- Maven compiler configuration -->
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
......
......@@ -60,7 +60,6 @@ import com.sun.xacml.finder.PolicyFinderResult;
import com.sun.xacml.finder.ResourceFinder;
import com.sun.xacml.finder.ResourceFinderResult;
import com.thalesgroup.appsec.util.Utils;
import com.thalesgroup.authzforce.audit.annotations.Audit;
import com.thalesgroup.authzforce.xacml.schema.XACMLCategory;
/**
......@@ -208,7 +207,6 @@ public class PDP
* the request to evaluate
* @return a response paired to the request
*/
//@Audit(type = Audit.Type.DISPLAY)
public ResponseCtx evaluate(Request request)
{
/*
......@@ -367,32 +365,6 @@ public class PDP
return new ResponseCtx(results);
}
/**
* Attempts to evaluate the request against the policies known to this PDP. This is really the
* core method of the entire XACML specification, and for most people will provide what you
* want. If you need any special handling, you should look at the version of this method that
* takes an <code>EvaluationCtx</code>.
* <p>
* Note that if the request is somehow invalid (it was missing a required attribute, it was
* using an unsupported scope, etc), then the result will be a decision of INDETERMINATE.
*
* @param request
* the request to evaluate
*
* @return a response paired to the request
*/
// @Audit(type = Audit.Type.DISPLAY)
// public ResponseCtx evaluate(Request request)
// {
// try
// {
// return evaluatePrivate(request);
// } finally
// {
// Utils.THREAD_LOCAL_NS_AWARE_DOC_BUILDER.remove();
// }
// }
/**
* Uses {@code Utils#THREAD_LOCAL_NS_AWARE_DOC_BUILDER } Uses
* {@link Utils#THREAD_LOCAL_NS_AWARE_DOC_BUILDER}. Call
......
......@@ -68,7 +68,6 @@ import com.sun.xacml.ctx.Status;
import com.sun.xacml.xacmlv3.AdviceExpressions;
import com.sun.xacml.xacmlv3.IDecidable;
import com.sun.xacml.xacmlv3.Target;
import com.thalesgroup.authzforce.audit.annotations.Audit;
import com.thalesgroup.authzforce.core.PdpModelHandler;
/**
......@@ -386,7 +385,6 @@ public class Rule extends oasis.names.tc.xacml._3_0.core.schema.wd_17.Rule imple
* @return the result of the evaluation
*/
@Override
//@Audit(type = Audit.Type.RULE)
public Result evaluate(EvaluationCtx context)
{
// Do the list of Attribute who needs to be included in result
......
......@@ -42,7 +42,6 @@ import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.BagAttribute;
import com.sun.xacml.cond.xacmlv3.EvaluationResult;
import com.thalesgroup.authz.model.ext._3.AbstractAttributeFinder;
import com.thalesgroup.authzforce.audit.annotations.Audit;
import com.thalesgroup.authzforce.core.IPdpExtension;
......@@ -154,7 +153,6 @@ public abstract class AttributeFinderModule<T extends AbstractAttributeFinder> i
* @return the result of attribute retrieval, which will be a bag of
* attributes or an error
*/
//@Audit(type = Audit.Type.ATTRIBUTE)
public EvaluationResult findAttribute(URI attributeType, URI attributeId,
URI issuer, URI subjectCategory,
EvaluationCtx context,
......
......@@ -61,7 +61,6 @@ import com.sun.xacml.combine.CombiningAlgorithm;
import com.sun.xacml.combine.RuleCombiningAlgorithm;
import com.sun.xacml.cond.VariableManager;
import com.sun.xacml.ctx.Result;
import com.thalesgroup.authzforce.audit.annotations.Audit;
public class Policy extends oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy implements IPolicy
{
......@@ -334,7 +333,6 @@ public class Policy extends oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy i
return ((Target) target).match(context);
}
//@Audit(type = Audit.Type.POLICY)
@Override
public Result evaluate(EvaluationCtx context)
{
......
/**
* Copyright (C) 2011-2015 Thales Services SAS.
*
* This file is part of AuthZForce.
*
* AuthZForce is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce. If not, see <http://www.gnu.org/licenses/>.
*/
package com.thalesgroup.authzforce.audit;
import java.net.URI;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType;
public class AttributesResolved {
private URI attributeId;
private AttributeValueType attributeValue;
public URI getAttributeId() {
return attributeId;
}
public void setAttributeId(URI attributeId) {
this.attributeId = attributeId;
}
public AttributeValueType getAttributeValue() {
return attributeValue;
}
public void setAttributeValue(AttributeValueType attributeValue) {
this.attributeValue = attributeValue;
}
}
/**
* Copyright (C) 2011-2015 Thales Services SAS.
*
* This file is part of AuthZForce.
*
* AuthZForce is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce. If not, see <http://www.gnu.org/licenses/>.
*/
package com.thalesgroup.authzforce.audit;
import java.io.IOException;
import java.io.StringWriter;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.codehaus.jackson.JsonGenerationException;
import org.codehaus.jackson.map.AnnotationIntrospector;
import org.codehaus.jackson.map.JsonMappingException;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.introspect.JacksonAnnotationIntrospector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.thalesgroup.authzforce.audit.schema.pdp.AuditLog;
import com.thalesgroup.authzforce.audit.schema.pdp.AuditedPolicy;
import com.thalesgroup.authzforce.audit.schema.pdp.AuditedRule;
/**
* Audit logging class
*
* Note: to disable audit logging, just change log level for logger named
* 'com.thalesgroup.authzforce.audit.AuditLogs' in the SLF4J logger
* configuration file. Use level <= INFO to enable, level > INFO to disable.
* Other options on this logger may be configured in the logging configuration
* file to customize audit logging.
*
*/
public final class AuditLogs {
/**
* Logger used for all classes
*/
private static final Logger LOGGER = LoggerFactory
.getLogger(AuditLogs.class);
private static final String HASH_ALG = "MD5";
protected static volatile AuditLogs INSTANCE;
protected static ConcurrentHashMap<String, com.thalesgroup.authzforce.audit.schema.pdp.AuditLog> audits;
private AuditLogs() {
audits = new ConcurrentHashMap<>();
}
public synchronized static AuditLogs getInstance() {
if (INSTANCE == null) {
INSTANCE = new AuditLogs();
}
return INSTANCE;
}
public synchronized static AuditLogs remove() {
if (INSTANCE != null) {
INSTANCE = new AuditLogs();
}
return INSTANCE;
}
public synchronized static Map<String, com.thalesgroup.authzforce.audit.schema.pdp.AuditLog> getAudits() {
return audits;
}
public synchronized static void clearAudits() {
audits.clear();
}
public synchronized static void addAudit(
com.thalesgroup.authzforce.audit.schema.pdp.AuditLog audit) {
if (audits == null) {
audits = new ConcurrentHashMap<>();
}
try {
MessageDigest digest = MessageDigest.getInstance(HASH_ALG);
byte[] hash = digest
.digest(String.valueOf(
audit.getDate() + audit.getRequest().hashCode())
.getBytes());
String id = byte2String(hash);
audit.setId(id);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
if (audits.containsKey(audit.getId())) {
audits.put(audit.getId(), updateAudit(audit));
} else {
audits.put(audit.getId(), audit);
}
}
private static com.thalesgroup.authzforce.audit.schema.pdp.AuditLog updateAudit(
com.thalesgroup.authzforce.audit.schema.pdp.AuditLog newAudit) {
com.thalesgroup.authzforce.audit.schema.pdp.AuditLog updatedAudit = audits
.get(newAudit.getId());
// Updating rules and decision for rules
if (newAudit.getRules().size() > 0) {
int i = 0;
for (AuditedRule ruleElt : newAudit.getRules()) {
// We don't want any doublon. TODO: Maybe use a set ?
if (!updatedAudit.getRules().contains(ruleElt)) {
updatedAudit.getRules().add(ruleElt);
// If we've got a rule, we've got a decision
// updatedAudit.getResultRules().add(newAudit.getResultRules().get(i));
}
i++;
}
}
if (newAudit.getMatchedPolicies().size() > 0) {
int i = 0;
for (AuditedPolicy policyElt : newAudit.getMatchedPolicies()) {
// We don't want any doublon. TODO: Maybe use a set ?
if (!updatedAudit.getMatchedPolicies().contains(policyElt)) {
updatedAudit.getMatchedPolicies().add(policyElt);
// If we've got a rule, we've got a decision
// updatedAudit.getResultPolicies().add(newAudit.getResultPolicies().get(i));
}
i++;
}
}
return updatedAudit;
}
/**
* One part of the method needs to be synchronized as it modify the map
* containing the audits logs. No one should update this map while it's
* being displayed and cleared.
*/
@Override
public String toString() {
StringWriter sw = new StringWriter();
Map<String, AuditLog> tmpMap;
synchronized (INSTANCE) {
tmpMap = getAudits();
}
try {
for (String hash : tmpMap.keySet()) {
// JAXBContext.newInstance(AuditLog.class).createMarshaller().marshal(getAudits().get(hash),
// sw);
ObjectMapper mapper = new ObjectMapper();
AnnotationIntrospector introspector = new JacksonAnnotationIntrospector();
// make serializer use JAXB annotations (only)
mapper.getSerializationConfig().withAnnotationIntrospector(
introspector);
synchronized (INSTANCE) {
mapper.writeValue(sw, getAudits().get(hash));
}
}
} catch (JsonGenerationException e) {
e.printStackTrace();
} catch (JsonMappingException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
synchronized (INSTANCE) {
clearAudits();
}
return sw.toString();
}
private static String byte2String(byte[] hash) {
StringBuffer id = new StringBuffer();
for (int i = 0; i < hash.length; i++) {
if ((0xff & hash[i]) < 0x10) {
id.append("0" + Integer.toHexString((0xFF & hash[i])));
} else {
id.append(Integer.toHexString(0xFF & hash[i]));
}
}
return id.toString();
}
}
/**
* Copyright (C) 2011-2015 Thales Services SAS.
*
* This file is part of AuthZForce.
*
* AuthZForce is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce. If not, see <http://www.gnu.org/licenses/>.
*/
package com.thalesgroup.authzforce.audit;
public class MatchPolicies {
protected String policyId;
protected String policyVersion;
public String getPolicyId() {
return policyId;
}
public void setPolicyId(String policyId) {
this.policyId = policyId;
}
public String getPolicyVersion() {
return policyVersion;
}
public void setPolicyVersion(String policyVersion) {
this.policyVersion = policyVersion;
}
}
/**
* Copyright (C) 2011-2015 Thales Services SAS.
*
* This file is part of AuthZForce.
*
* AuthZForce is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce. If not, see <http://www.gnu.org/licenses/>.
*/
package com.thalesgroup.authzforce.audit;
import java.util.List;
import java.util.Map;
public class Request {
protected List<Map<String,String>> subjects;
protected List<Map<String,String>> resources;
protected List<Map<String,String>> actions;
protected List<Map<String,String>> environments;
public List<Map<String, String>> getSubjects() {
return subjects;
}
public void setSubjects(List<Map<String, String>> subjects) {
this.subjects = subjects;
}
public List<Map<String, String>> getResources() {
return resources;
}
public void setResources(List<Map<String, String>> resources) {
this.resources = resources;
}
public List<Map<String, String>> getActions() {
return actions;
}
public void setActions(List<Map<String, String>> actions) {
this.actions = actions;
}
public List<Map<String, String>> getEnvironments() {
return environments;
}
public void setEnvironments(List<Map<String, String>> environments) {
this.environments = environments;
}
}
/**
* Copyright (C) 2011-2015 Thales Services SAS.
*
* This file is part of AuthZForce.
*
* AuthZForce is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce. If not, see <http://www.gnu.org/licenses/>.
*/
package com.thalesgroup.authzforce.audit.annotations;
import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
/**
*
* @author Romain Ferrari
*
* Theses annotations are used to generate audit log based on the aspect
* <code>com.thalesgroup.authzforce.audit.aspect.AuditAspect</code>. You
* can use theses annotations on combination algorithm for:
* - PolicySet (TODO: Not Implemented)
* - Policy
* - Rules
* on:
* - Attribute retrieving status(TODO: Not Implemented)
*/
@Documented
@Retention(RetentionPolicy.RUNTIME)
public @interface Audit {
Type type();
/**
*
* @author Romain Ferrari
*
* POLICYSET is to be used on a evaluate method for a policyset
* POLICY is to be used on a evaluate method for a policy
* RULE is to be used on a evaluate method for a rule
* ATTRIBUTE
*
* DISPLAY is a little different, is to be used on a method who is
* the entry point of the PDP. I use it over the
* </code>PDP.evaluate</code> method
*/
public static enum Type {
POLICYSET, POLICY, RULE, ATTRIBUTE, DISPLAY;
};
}
\ No newline at end of file