[PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch

Thursday, 7 May 2015

Please review.  This patch address the missing REST API auth/authz 
auditing part of the ticket https://fedorahosted.org/pki/ticket/1160

The kra for getKeyInfo will come as a separate patch after this.

here are sample signed audit log messages resulted from my test cases:

pki -d . -c netscape -h kraHost -p 28443 -P https -n "PKI Administrator 
for kraHost" key-find --maxResults -5

== case when running the above request as a kraadmin with valid cert ==
0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6] 
[AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr]

authentication success
0.http-bio-28443-exec-1 - [07/May/2015:14:30:27 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login]

authorization success
0.http-bio-28443-exec-2 - [07/May/2015:14:30:27 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL

mapping not found; OK:SystemCertResource.getTransportCert] authorization 
success
0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys]

authorization success
0.http-bio-28443-exec-4 - [07/May/2015:14:30:28 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout]

authorization success

== case when running the above request as a caadmin with ca admin cert ==
0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] 
[AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, 
EMAILADDRESS=caadmin(a)idm.lab.bos.redhat.com, O=idm.lab.bos.redhat.com 
Security 
Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] 
authentication failure

== case when creating a caadmin in the kra user db but not given any 
group privilege ==
0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] 
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] 
authentication success
0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login]

authorization success
0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL

mapping not found; OK:SystemCertResource.getTransportCert] authorization 
success
0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] 
[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization

Error] authorization failure
0.http-bio-28443-exec-3 - [07/May/2015:14:48:32 EDT] [14] [6] 
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout]

authorization success

thanks,
Christina

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008