
Example 1 with AuditingEvent

use of org.bf2.srs.fleetmanager.operation.auditing.AuditingEvent in project srs-fleet-manager by bf2fc6cc711aee1a0c2a.

The class AuditingServletFilter, method doFilter.

/**
 * Opens a fresh operation context for the incoming request, attaches request and caller
 * metadata to the audit trace, lets the rest of the chain run, and records a
 * {@code request_failure} audit event when the chain answered with a status of 400 or above.
 *
 * @param request  the incoming request; cast to {@link HttpServletRequest}
 * @param response the outgoing response; cast to {@link HttpServletResponse}
 * @param chain    the remaining filter chain
 * @throws IOException           propagated from the filter chain
 * @throws ServletException      propagated from the filter chain
 * @throws IllegalStateException if an operation context is already loaded for this thread/request
 */
@Override
@ActivateRequestContext
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // An already-loaded context would carry a previous request's data into this one, so refuse it.
    if (opCtx.isContextDataLoaded()) {
        throw new IllegalStateException("Unexpected state: Operation Context is already loaded");
    }
    opCtx.loadNewContextData();

    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    // TODO Unify logic to extract this using parameter extractors
    attachRequestMetadata(httpRequest);
    attachCallerMetadata(authService.extractAccountInfo());

    chain.doFilter(request, response);

    // Only a completed error response is audited here; if the chain throws, this line is never reached
    // and no request_failure event is written.
    recordFailureIfErrorStatus(httpResponse);
}

/** Adds the network and HTTP attributes of the request to the audit trace. */
private void attachRequestMetadata(HttpServletRequest httpRequest) {
    // getRemoteAddr() is the immediate peer (which may be a proxy). X-Forwarded-For is copied
    // verbatim from the client request, so it is recorded as claimed data, not a verified address.
    auditing.addTraceMetadata(KEY_REQUEST_SOURCE_IP, httpRequest.getRemoteAddr());
    auditing.addTraceMetadata(KEY_REQUEST_FORWARDED_FOR, httpRequest.getHeader(HEADER_X_FORWARDED_FOR));
    auditing.addTraceMetadata(KEY_REQUEST_METHOD, httpRequest.getMethod());
    auditing.addTraceMetadata(KEY_REQUEST_PATH, httpRequest.getRequestURI());
}

/** Adds the account attributes resolved by the auth service to the audit trace. */
private void attachCallerMetadata(AccountInfo accountInfo) {
    auditing.addTraceMetadata(KEY_USER_ACCOUNT_ID, accountInfo.getAccountId());
    auditing.addTraceMetadata(KEY_USER_ACCOUNT_NAME, accountInfo.getAccountUsername());
    auditing.addTraceMetadata(KEY_USER_ORG_ID, accountInfo.getOrganizationId());
    auditing.addTraceMetadata(KEY_USER_IS_ORG_ADMIN, accountInfo.isAdmin());
}

/** Records a {@code request_failure} event carrying the status code when it is 400 or above. */
private void recordFailureIfErrorStatus(HttpServletResponse httpResponse) {
    int status = httpResponse.getStatus();
    if (status < 400) {
        return;
    }
    AuditingEvent failure = new AuditingEvent();
    failure.setEventId("request_failure");
    failure.addData(KEY_RESPONSE_CODE, status);
    failure.setSuccessful(false);
    auditing.recordEvent(failure);
}

Example 2 with AuditingEvent

use of org.bf2.srs.fleetmanager.operation.auditing.AuditingEvent in project srs-fleet-manager by bf2fc6cc711aee1a0c2a.

The class AuditingAuthenticationMechanism, method authenticate.

/**
 * Delegates authentication to the OIDC mechanism while wrapping Quarkus' auth-failure handler so
 * that every error response it produces is written to the audit log, and times the authentication
 * call.
 *
 * @param context                 the Vert.x routing context of the current request
 * @param identityProviderManager the Quarkus identity provider manager handed through to OIDC
 * @return the identity resolved by the OIDC mechanism, or its failure
 */
@Override
public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
    BiConsumer<RoutingContext, Throwable> delegateFailureHandler = context.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
    // The replacement handler lets the original write the HTTP response first and then audits it
    // if the status that was written is an error.
    BiConsumer<RoutingContext, Throwable> auditingFailureHandler = (routingCtx, failure) -> {
        delegateFailureHandler.accept(routingCtx, failure);
        if (routingCtx.response().getStatusCode() >= 400) {
            recordAuthenticationFailure(routingCtx, failure);
        }
    };
    context.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, auditingFailureHandler);

    Timer.Sample authSample = timerService.start();
    return oidcAuthenticationMechanism.authenticate(context, identityProviderManager)
            .onItemOrFailure()
            .invoke((identity, failure) -> {
                // Every failure is tagged as a 4xx outcome; a success carries no status tag.
                List<Tag> statusTags = failure == null ? null : List.of(Tag.of(TAG_STATUS_CODE_FAMILY, "4xx"));
                timerService.record(AUTH_TIMER, AUTH_TIMER_DESCRIPTION, statusTags, authSample);
            });
}

/**
 * Builds and records an {@code authentication_failure} event describing the request that failed.
 * It is recorded without a request context, because none exists while authentication is running.
 *
 * @param routingCtx the request whose response is already written
 * @param failure    the authentication error, or {@code null} when none was passed to the handler
 */
private void recordAuthenticationFailure(RoutingContext routingCtx, Throwable failure) {
    var event = new AuditingEvent();
    event.setEventId("authentication_failure");
    // remoteAddress() is the immediate peer; X-Forwarded-For is whatever the client sent and is
    // stored as claimed data, not a verified origin.
    event.addData(KEY_REQUEST_SOURCE_IP, routingCtx.request().remoteAddress());
    event.addData(KEY_REQUEST_FORWARDED_FOR, routingCtx.request().getHeader(HEADER_X_FORWARDED_FOR));
    event.addData(KEY_REQUEST_METHOD, routingCtx.request().method().name());
    event.addData(KEY_REQUEST_PATH, routingCtx.request().path());
    event.addData(KEY_RESPONSE_CODE, routingCtx.response().getStatusCode());
    event.setSuccessful(false);
    if (failure != null) {
        // NOTE(review): the raw exception message lands in the audit log unmodified — confirm the
        // OIDC mechanism never places credential material in it.
        event.addData(KEY_ERROR_MESSAGE, failure.getMessage());
    }
    AuditingServiceImpl.recordEventNoContext(event);
}

Example 3 with AuditingEvent

use of org.bf2.srs.fleetmanager.operation.auditing.AuditingEvent in project srs-fleet-manager by bf2fc6cc711aee1a0c2a.

The class AuditingInterceptor, method intercept.

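/**
 * Turns every invocation of an {@code @Audited} method into one auditing event: the event carries
 * the caller principal (when authenticated), the event id (explicit or derived from the method
 * name), the target class, selected arguments, optional extractor-derived data, and the outcome.
 * The event is always recorded in {@code finally}, whether the call succeeded or threw.
 *
 * @param context the interceptor invocation context
 * @return the intercepted method's return value
 * @throws Exception             whatever the intercepted method throws, rethrown after being recorded
 * @throws IllegalStateException if the method carries no {@code @Audited} annotation, or if
 *                               {@code extractParameters} is malformed (odd length, non-numeric or
 *                               out-of-range argument index); raised before the target is invoked
 */
@AroundInvoke
public Object intercept(InvocationContext context) throws Exception {
    var method = context.getMethod();
    Audited annotation = method.getAnnotation(Audited.class);
    if (annotation == null) {
        // Method.getAnnotation() returns null when the binding comes from somewhere other than the
        // method itself; fail with a clear message rather than an NPE on the next line.
        throw new IllegalStateException("Method '" + method.getName() + "' is intercepted for auditing but carries no @Audited annotation.");
    }
    var annotationParams = annotation.extractParameters();
    if (annotationParams.length % 2 != 0)
        throw new IllegalStateException("Field @Audited.extractParameters on method '" + method.getName() + "' must contain an even number of elements.");

    var event = new AuditingEvent();
    if (securityIdentity != null && !securityIdentity.isAnonymous()) {
        event.addData(KEY_PRINCIPAL_ID, securityIdentity.getPrincipal().getName());
    }
    // Event ID: explicit from the annotation, otherwise derived from the method name
    var eventId = annotation.eventId();
    if (eventId.isBlank()) {
        eventId = EVENT_ID_METHOD_CALL_PREFIX + method.getName();
    }
    event.setEventId(eventId);
    event.addData(KEY_CLASS, context.getTarget().getClass().getCanonicalName());
    // Event Description
    var eventDescription = annotation.eventDescription();
    if (!eventDescription.isBlank()) {
        event.setEventDescription(eventDescription);
    }
    // Parameter extraction via annotation, then via registered extractors (same order as before)
    addAnnotatedParameters(event, annotationParams, context);
    for (Object param : context.getParameters()) {
        applyExtractor(event, param);
    }
    try {
        var result = context.proceed();
        event.setSuccessful(true);
        if (result != null) {
            // Return value extraction via annotation; the raw return object is stored in the event
            if (!annotation.extractResult().isBlank()) {
                event.addData(annotation.extractResult(), result);
            }
            // Return value extraction via extractors
            applyExtractor(event, result);
        }
        return result;
    } catch (Exception ex) {
        event.setSuccessful(false);
        // Class name plus message, truncated so the audit record stays bounded
        var message = ex.getClass().getCanonicalName() + (ex.getMessage() != null ? ": " + ex.getMessage() : "");
        event.addData(KEY_ERROR_MESSAGE, shorten(message, 120));
        throw ex;
    } finally {
        auditing.recordEvent(event);
    }
}

/**
 * Copies the arguments named by {@code @Audited.extractParameters} — consecutive pairs of
 * ("argument index", "audit key") — into the event. The argument object is stored as-is.
 *
 * @param event            the event being built
 * @param annotationParams the even-length pairs from the annotation
 * @param context          the invocation, for the actual arguments and the method name in errors
 * @throws IllegalStateException if an index is not an integer or does not address an argument
 */
private void addAnnotatedParameters(AuditingEvent event, String[] annotationParams, InvocationContext context) {
    Object[] arguments = context.getParameters();
    for (int i = 0; i + 1 < annotationParams.length; i += 2) {
        int index;
        try {
            index = Integer.parseInt(annotationParams[i]);
        } catch (NumberFormatException ex) {
            throw new IllegalStateException("Field @Audited.extractParameters on method '" + context.getMethod().getName()
                    + "' contains a non-numeric argument index '" + annotationParams[i] + "'.", ex);
        }
        if (index < 0 || index >= arguments.length) {
            throw new IllegalStateException("Field @Audited.extractParameters on method '" + context.getMethod().getName()
                    + "' references argument index " + index + " but the method has " + arguments.length + " argument(s).");
        }
        event.addData(annotationParams[i + 1], arguments[index]);
    }
}

/**
 * Applies the extractor registered for the runtime class of {@code value}, if any; {@code null}
 * values and classes without an extractor are skipped.
 *
 * @param event the event being built
 * @param value an argument or return value, possibly {@code null}
 */
private void applyExtractor(AuditingEvent event, Object value) {
    if (value == null) {
        return;
    }
    var extractor = PARAMETER_EXTRACTORS.get(value.getClass());
    if (extractor != null) {
        extractor.accept(value, event);
    }
}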
