/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2015 ForgeRock AS.
 */
685810e390056c123842842f5104daa3179cf2c9Phill Cunningtonpackage com.iplanet.dpro.session.service;
685810e390056c123842842f5104daa3179cf2c9Phill Cunnington
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport static org.forgerock.openam.audit.AMAuditEventBuilderUtils.getUserId;
685810e390056c123842842f5104daa3179cf2c9Phill Cunningtonimport static org.forgerock.openam.audit.AuditConstants.ACTIVITY_TOPIC;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport static org.forgerock.openam.audit.AuditConstants.*;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport static org.forgerock.openam.utils.StringUtils.isEmpty;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavit
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport com.iplanet.sso.SSOToken;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport com.sun.identity.shared.Constants;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport com.sun.identity.sm.DNMapper;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport org.forgerock.audit.events.AuditEvent;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport org.forgerock.openam.audit.AuditConstants.EventName;
b34025e1e963e60c0f81c01af0f25f1984b9ca54James Phillpottsimport org.forgerock.openam.audit.AuditEventFactory;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport org.forgerock.openam.audit.AuditEventPublisher;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport org.forgerock.openam.audit.context.AuditRequestContext;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavit
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport javax.inject.Inject;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport javax.inject.Singleton;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport java.security.AccessController;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavitimport java.security.PrivilegedAction;
80802511792d4e59a4ac67ad19677009d332b37dBruno Lavit
/**
 * Publishes audit activity events describing changes to {@link InternalSession} objects.
 * <p>
 * An event is only built and published when activity auditing is switched on for the
 * session's realm, so callers may invoke {@link #auditActivity} unconditionally.
 *
 * @since 13.0.0
 */
@Singleton
public final class SessionAuditor {

    /** Sink that receives finished activity events. */
    private final AuditEventPublisher auditEventPublisher;
    /** Source of activity event builders. */
    private final AuditEventFactory auditEventFactory;
    /** Privileged action yielding the admin token whose identity is recorded as the "run as" user. */
    private final PrivilegedAction<SSOToken> adminTokenAction;

    /**
     * Create a new Auditor.
     *
     * @param auditEventPublisher AuditEventPublisher to which publishing of events can be delegated.
     * @param auditEventFactory AuditEventFactory for audit event builders.
     * @param adminTokenAction PrivilegedAction that obtains the admin SSOToken used to populate the
     *                         event's run-as user.
     */
    @Inject
    public SessionAuditor(
            AuditEventPublisher auditEventPublisher,
            AuditEventFactory auditEventFactory,
            PrivilegedAction<SSOToken> adminTokenAction) {
        this.auditEventPublisher = auditEventPublisher;
        this.auditEventFactory = auditEventFactory;
        this.adminTokenAction = adminTokenAction;
    }

    /**
     * Publishes an activity audit event for {@code session}, provided activity auditing is
     * enabled for the realm derived from the session's client domain.
     * <p>
     * The session's universal identifier becomes the event's user id, its context id is used
     * as both tracking id and object id, and the admin token identity is recorded as the
     * run-as user. The CRUD operation is derived from {@code eventName}.
     *
     * @param session the session whose change is being recorded.
     * @param eventName the session event that occurred.
     */
    public void auditActivity(InternalSession session, EventName eventName) {
        String realm = realmOf(session);
        if (!auditEventPublisher.isAuditing(realm, ACTIVITY_TOPIC)) {
            return;
        }
        // The session context id doubles as the tracking id and the object id of the event.
        String contextId = session.getProperty(Constants.AM_CTX_ID);
        AuditEvent event = auditEventFactory.activityEvent()
                .transactionId(AuditRequestContext.getTransactionIdValue())
                .eventName(eventName)
                .component(Component.SESSION)
                .userId(session.getProperty(Constants.UNIVERSAL_IDENTIFIER))
                .trackingId(contextId)
                .runAs(getUserId(getAdminToken()))
                .objectId(contextId)
                .operation(crudOperationFor(eventName))
                .realm(realm)
                .toEvent();
        auditEventPublisher.tryPublish(ACTIVITY_TOPIC, event);
    }

    /**
     * Maps the session's client domain to a realm name, falling back to {@code NO_REALM}
     * when the session carries no client domain.
     *
     * @param session the session whose client domain is inspected.
     * @return the realm name used for the auditing decision and recorded on the event.
     */
    private static String realmOf(InternalSession session) {
        String clientDomain = session.getClientDomain();
        if (isEmpty(clientDomain)) {
            return NO_REALM;
        }
        return DNMapper.orgNameToRealmName(clientDomain);
    }

    /**
     * Translates a session event into the CRUD operation recorded on the audit event.
     * Session events not listed here are recorded with an empty operation string.
     *
     * @param eventName the session event.
     * @return {@code "CREATE"}, {@code "DELETE"}, {@code "UPDATE"}, or {@code ""} when the event is not
     *         a recognised session lifecycle or property change.
     */
    private static String crudOperationFor(EventName eventName) {
        final String operation;
        switch (eventName) {
            case AM_SESSION_CREATED:
                operation = "CREATE";
                break;
            case AM_SESSION_IDLE_TIMED_OUT:
            case AM_SESSION_MAX_TIMED_OUT:
            case AM_SESSION_LOGGED_OUT:
            case AM_SESSION_DESTROYED:
                operation = "DELETE";
                break;
            case AM_SESSION_REACTIVATED:
            case AM_SESSION_PROPERTY_CHANGED:
                operation = "UPDATE";
                break;
            default:
                // Unrecognised events are still audited, just without an operation value.
                operation = "";
                break;
        }
        return operation;
    }

    /**
     * Runs the injected privileged action to obtain the admin token.
     *
     * @return the admin SSOToken produced by {@code adminTokenAction}.
     */
    private SSOToken getAdminToken() {
        return AccessController.doPrivileged(adminTokenAction);
    }
}