3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * The contents of this file are subject to the terms of the Common Development and
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Distribution License (the License). You may not use this file except in compliance with the
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * specific language governing permission and limitations under the License.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * When distributing Covered Software, include this CDDL Header Notice in each file and include
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Header, with the fields enclosed by brackets [] replaced by your own identifying
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * information: "Portions copyright [year] [name of copyright owner]".
c299abfd457a72f3b93d443fe40ad36169e1c0a8Craig McDonnell * Copyright 2015-2016 ForgeRock AS.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.audit.events.AccessAuditEventBuilder.ResponseStatus;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.guava.common.eventbus.EventBus;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.guava.common.eventbus.Subscribe;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.audit.AMAccessAuditEventBuilder;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.audit.AuditConstants.Component;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.audit.AuditConstants.EventName;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.audit.AuditEventFactory;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.audit.AuditEventPublisher;
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowenimport org.forgerock.openam.audit.context.AuditRequestContext;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.common.PacketType;
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowenimport org.forgerock.openam.radius.server.RadiusRequest;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.RadiusRequestContext;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.RadiusResponse;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.config.RadiusServerConstants;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.events.AcceptedRadiusEvent;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.events.AuthRequestAcceptedEvent;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.events.AuthRequestChallengedEvent;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.events.AuthRequestReceivedEvent;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowenimport org.forgerock.openam.radius.server.events.AuthRequestRejectedEvent;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Makes audit logs on behalf of the Radius Server.
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowenpublic class RadiusAuditLoggerEventBus implements RadiusAuditor {
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen private static final Debug LOG = Debug.getInstance(RadiusServerConstants.RADIUS_SERVER_LOGGER);
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Factory from which auditEvents can be created.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen private final AuditEventFactory auditEventFactory;
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Class to which audit events should be published.
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * Constructor.
 * @param eventBus - an event bus that the constructed object will register with in order to be notified of RADIUS
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * @param eventFactory - a factory from which Audit events may be built.
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * @param eventPublisher - the interface through which audit events may be published to the audit handler
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * sub-system.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen public RadiusAuditLoggerEventBus(@Named("RadiusEventBus") EventBus eventBus, AuditEventFactory eventFactory,
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.message("Entering RadiusAuditLogger.RadiusAuditLogger");
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen LOG.message("Registering RadiusAuditLogger with the eventBus, hashCode; {}", eventBus.hashCode());
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.message("Leaving RadiusAuditLogger.RadiusAuditLogger");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen /* (non-Javadoc)
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * @see org.forgerock.openam.radius.server.audit.RadiusAuditLogger#recordAccessRequest
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * (org.forgerock.openam.radius.server.events.AccessRequestEvent)
public void recordAuthRequestReceivedEvent(AuthRequestReceivedEvent authRequestReceivedEvent) {
    LOG.message("Entering RadiusAuditLoggerEventBus.recordAuthRequestReceivedEvent()");
    // Receipt of a request is audited as an access *attempt*; the accept/reject/challenge
    // handlers in this class record the matching access *outcome*.
    final EventName eventName = EventName.AM_ACCESS_ATTEMPT;
    makeLogEntry(eventName, authRequestReceivedEvent);
    LOG.message("Leaving RadiusAuditLoggerEventBus.recordAuthRequestReceivedEvent()");
}
/**
 * Records an accepted RADIUS authentication request as an access-outcome audit event.
 *
 * @param authRequestAcceptedEvent - the event describing the accepted request.
 */
public void recordAuthRequestAcceptedEvent(AuthRequestAcceptedEvent authRequestAcceptedEvent) {
    LOG.message("Entering RadiusAuditLoggerEventBus.recordAuthRequestAcceptedEvent()");
    final EventName outcome = EventName.AM_ACCESS_OUTCOME;
    makeLogEntry(outcome, authRequestAcceptedEvent);
    LOG.message("Leaving RadiusAuditLoggerEventBus.recordAuthRequestAcceptedEvent()");
}
/**
 * Records a rejected RADIUS authentication request as an access-outcome audit event.
 *
 * @param authRequestRejectedEvent - the event describing the rejected request.
 */
public void recordAuthRequestRejectedEvent(AuthRequestRejectedEvent authRequestRejectedEvent) {
    LOG.message("Entering RadiusAuditLoggerEventBus.recordAuthRequestRejectedEvent()");
    final EventName outcome = EventName.AM_ACCESS_OUTCOME;
    makeLogEntry(outcome, authRequestRejectedEvent);
    LOG.message("Leaving RadiusAuditLoggerEventBus.recordAuthRequestRejectedEvent()");
}
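/**
 * Records a challenged RADIUS authentication request as an access-outcome audit event.
 * A challenge is audited with the same AM_ACCESS_OUTCOME event name as accepted and
 * rejected requests.
 *
 * @param authRequestChallengedEvent - the event describing the challenged request.
 */
public void recordAuthRequestChallengedEvent(AuthRequestChallengedEvent authRequestChallengedEvent) {
    // Trace messages previously named recordAuthRequestRejectedEvent() here (copy/paste slip),
    // which made the debug log misattribute challenge handling to the reject path.
    LOG.message("Entering RadiusAuditLoggerEventBus.recordAuthRequestChallengedEvent()");
    makeLogEntry(EventName.AM_ACCESS_OUTCOME, authRequestChallengedEvent);
    LOG.message("Leaving RadiusAuditLoggerEventBus.recordAuthRequestChallengedEvent()");
}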
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Makes an 'access' audit log entry.
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * @param eventName - the name of the event.
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * @param accessRequestEvent - the access request event.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen public void makeLogEntry(EventName eventName, AcceptedRadiusEvent accessRequestEvent) {
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.message("Entering RadiusAuditLoggerEventBus.makeLogEntry()");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen trackingIds.add(accessRequestEvent.getRequest().getContextHolderKey());
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen // This sets the request context so that when the OpenAM auth chains etc call AuditRequestContext.get they
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen // will use the same transaction id. This means log entries across the audit logs can be tied up.
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen AuditRequestContext.set(new AuditRequestContext(new TransactionId(accessRequestEvent.getRequestId())));
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen AMAccessAuditEventBuilder builder = auditEventFactory.accessEvent(accessRequestEvent.getRealm())
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen .transactionId(accessRequestEvent.getRequestId())
c72a257507602f1216d9367518c13b9db9e385a8jamiebowen String uid = accessRequestEvent.getUniversalId();
c72a257507602f1216d9367518c13b9db9e385a8jamiebowen LOG.message("Not setting authentication to universal Id. None available.");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen setClientDetails(builder, accessRequestEvent.getRequestContext());
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen RadiusResponse response = accessRequestEvent.getResponse();
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen LOG.warning("Failed to set client details on access audit event. Reason; {}", e.getMessage());
c299abfd457a72f3b93d443fe40ad36169e1c0a8Craig McDonnell this.auditEventPublisher.tryPublish(AuditConstants.ACCESS_TOPIC, builder.toEvent());
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.message("Leaving RadiusAuditLoggerEventBus.makeLogEntry()");
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen private void setRequestDetails(AMAccessAuditEventBuilder builder, AcceptedRadiusEvent accessRequestEvent) {
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen LOG.message("Entering RadiusAuditLoggerEventBus.setRequestDetails()");
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen RadiusRequest request = accessRequestEvent.getRequest();
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen builder.request("RADIUS", operationName, requestId);
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen LOG.message("Leaving RadiusAuditLoggerEventBus.setRequestDetails()");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen * Sets the client details via the access event builder.
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * @param builder - the AccessAuditEventBuilder to which the client details should be added.
 * @param radiusRequestContext - the request context from which the client's source address is read.
 * @throws RadiusAuditLoggingException if the source address, its underlying address, or its textual form
 *             cannot be obtained from the request context.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen private void setClientDetails(AMAccessAuditEventBuilder builder, RadiusRequestContext radiusRequestContext)
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen InetSocketAddress source = radiusRequestContext.getSource();
8500ab05ee25338b84b6a7938f18d932233dac99jamiebowen throw new RadiusAuditLoggingException("Could not obtain the source address from the request context.");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen throw new RadiusAuditLoggingException("Could not obtain the address from the InetSocketAddress.");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen throw new RadiusAuditLoggingException("String representation of client's ip address is blank.");
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen * Sets the response details of the builder, using the details provided in the <code>RadiusResponse</code>.
 * @param builder - the access audit event builder to which the response details are added.
 * @param response - the RADIUS response whose packet type and time to service the request are read.
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen private void setResponseDetails(AMAccessAuditEventBuilder builder, RadiusResponse response) {
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.message("Entering RadiusAuditLoggerEventBus.setResponseDetails()");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen PacketType packetType = response.getResponsePacket().getType();
cb241c1aa2096e51864b45398cc15850b0ce4d8cjamiebowen || (packetType == PacketType.ACCESS_CHALLENGE)) {
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen } else if (packetType == PacketType.ACCESS_REJECT) {
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.warning("Unexpected packet type in RadiusAuditLoggerEventBus.setResponseDetails()");
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen response.getTimeToServiceRequestInMilliSeconds(),
3e7992560027364f56fb4fb0ef645623bd020c3bjamiebowen LOG.message("Leaving RadiusAuditLoggerEventBus.setResponseDetails()");