Add name identifiers and assertion IDs to audit log entry - SIDP-203
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 10 Jul 2008 10:35:53 +0000 (10:35 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 10 Jul 2008 10:35:53 +0000 (10:35 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2742 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/AbstractSAML1ProfileHandler.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java

index c507ea0..9c961af 100644 (file)
@@ -533,27 +533,4 @@ public abstract class AbstractSAMLProfileHandler extends
                     + requestContext.getInboundMessageIssuer(), e);
         }
     }
-
-    /**
-     * Writes an aduit log entry indicating the successful response to the attribute request.
-     * 
-     * @param context current request context
-     */
-    protected void writeAuditLogEntry(BaseSAMLProfileRequestContext context) {
-        AuditLogEntry auditLogEntry = new AuditLogEntry();
-        auditLogEntry.setMessageProfile(getProfileId());
-        auditLogEntry.setPrincipalAuthenticationMethod(context.getPrincipalAuthenticationMethod());
-        auditLogEntry.setPrincipalName(context.getPrincipalName());
-        auditLogEntry.setAssertingPartyId(context.getLocalEntityId());
-        auditLogEntry.setRelyingPartyId(context.getInboundMessageIssuer());
-        auditLogEntry.setRequestBinding(context.getMessageDecoder().getBindingURI());
-        auditLogEntry.setRequestId(context.getInboundSAMLMessageId());
-        auditLogEntry.setResponseBinding(context.getMessageEncoder().getBindingURI());
-        auditLogEntry.setResponseId(context.getOutboundSAMLMessageId());
-        if (context.getReleasedAttributes() != null) {
-            auditLogEntry.getReleasedAttributes().addAll(context.getReleasedAttributes());
-        }
-
-        getAduitLog().info(auditLogEntry.toString());
-    }
 }
\ No newline at end of file
index 2f23c45..1762ea8 100644 (file)
@@ -45,6 +45,7 @@ import org.opensaml.saml1.core.StatusCode;
 import org.opensaml.saml1.core.StatusMessage;
 import org.opensaml.saml1.core.Subject;
 import org.opensaml.saml1.core.SubjectConfirmation;
+import org.opensaml.saml1.core.SubjectStatement;
 import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
@@ -66,6 +67,7 @@ import edu.internet2.middleware.shibboleth.common.attribute.encoding.AttributeEn
 import edu.internet2.middleware.shibboleth.common.attribute.encoding.AttributeEncodingException;
 import edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML1NameIdentifierEncoder;
 import edu.internet2.middleware.shibboleth.common.attribute.provider.SAML1AttributeAuthority;
+import edu.internet2.middleware.shibboleth.common.log.AuditLogEntry;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequirementLevel;
@@ -291,11 +293,11 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
 
         AudienceRestrictionCondition audienceRestriction = audienceRestrictionConditionBuilder.buildObject();
         conditions.getAudienceRestrictionConditions().add(audienceRestriction);
-        
+
         Audience audience = audienceBuilder.buildObject();
         audience.setUri(requestContext.getInboundMessageIssuer());
         audienceRestriction.getAudiences().add(audience);
-        
+
         // add other audience restrictions
         audiences = profileConfig.getAssertionAudiences();
         if (audiences != null && audiences.size() > 0) {
@@ -429,13 +431,13 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
             ResponseAbstractType response) {
         response.setID(getIdGenerator().generateIdentifier());
 
-        if(requestContext != null){
+        if (requestContext != null) {
             SAMLObject samlMessage = requestContext.getInboundSAMLMessage();
             if (samlMessage != null && samlMessage instanceof RequestAbstractType) {
                 response.setInResponseTo(((RequestAbstractType) samlMessage).getID());
             }
         }
-        
+
         response.setVersion(SAMLVersion.VERSION_11);
     }
 
@@ -650,4 +652,91 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
             throw new ProfileException("Unable to sign assertion", e);
         }
     }
+
+    /**
+     * Writes an audit log entry indicating the successful response to the attribute request.
+     * 
+     * @param context current request context
+     */
+    protected void writeAuditLogEntry(BaseSAMLProfileRequestContext context) {
+        SAML1AuditLogEntry auditLogEntry = new SAML1AuditLogEntry();
+        auditLogEntry.setSAMLResponse((Response) context.getOutboundMessage());
+        auditLogEntry.setMessageProfile(getProfileId());
+        auditLogEntry.setPrincipalAuthenticationMethod(context.getPrincipalAuthenticationMethod());
+        auditLogEntry.setPrincipalName(context.getPrincipalName());
+        auditLogEntry.setAssertingPartyId(context.getLocalEntityId());
+        auditLogEntry.setRelyingPartyId(context.getInboundMessageIssuer());
+        auditLogEntry.setRequestBinding(context.getMessageDecoder().getBindingURI());
+        auditLogEntry.setRequestId(context.getInboundSAMLMessageId());
+        auditLogEntry.setResponseBinding(context.getMessageEncoder().getBindingURI());
+        auditLogEntry.setResponseId(context.getOutboundSAMLMessageId());
+        if (context.getReleasedAttributes() != null) {
+            auditLogEntry.getReleasedAttributes().addAll(context.getReleasedAttributes());
+        }
+
+        getAduitLog().info(auditLogEntry.toString());
+    }
+
+    /** SAML 1 specific audit log entry. */
+    protected class SAML1AuditLogEntry extends AuditLogEntry {
+
+        /** The response to the SAML 1 request. */
+        private Response samlResponse;
+
+        /**
+         * Gets the response to the SAML 1 request.
+         * 
+         * @return the response to the SAML 1 request
+         */
+        public Response getSAMLResponse() {
+            return samlResponse;
+        }
+
+        /**
+         * Sets the response to the SAML 1 request.
+         * 
+         * @param response the response to the SAML 1 request
+         */
+        public void setSAMLResponse(Response response) {
+            samlResponse = response;
+        }
+
+        /** {@inheritDoc} */
+        public String toString() {
+            StringBuilder entryString = new StringBuilder(super.toString());
+            
+            NameIdentifier nameIdentifier = null;
+            StringBuilder assertionIds = new StringBuilder();
+            List<Assertion> assertions = samlResponse.getAssertions();
+            if(assertions != null && !assertions.isEmpty()){
+                for(Assertion assertion : assertions){
+                    assertionIds.append(assertion.getID());
+                    assertionIds.append(",");
+                    
+                    if(nameIdentifier == null){
+                        List<Statement> statements = assertion.getStatements();
+                        if(statements != null && !statements.isEmpty()){
+                            for(Statement statement : statements){
+                                if(statement instanceof SubjectStatement){
+                                    if(((SubjectStatement)statement).getSubject() != null){
+                                        nameIdentifier = ((SubjectStatement)statement).getSubject().getNameIdentifier();
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            
+            if(nameIdentifier != null){
+                entryString.append(nameIdentifier.getNameIdentifier());
+            }
+            entryString.append("|");
+            
+            entryString.append(assertionIds.toString());
+            entryString.append("|");
+            
+            return entryString.toString();
+        }
+    }
 }
\ No newline at end of file
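Review bot: `toString()` dereferences `samlResponse` unguarded at `samlResponse.getAssertions()`, so an entry whose response was never set (or whose `context.getOutboundMessage()` was null, since the only setter call is the unchecked cast in `writeAuditLogEntry`) makes the audit write itself throw instead of logging a partial record; `List<Assertion> assertions = samlResponse == null ? null : samlResponse.getAssertions();` keeps the existing null branch working. The name identifier and assertion IDs are appended into the `|`-delimited record without any escaping, and the ID list always ends with a trailing `,`, both of which consumers that split the audit line on its delimiters will have to tolerate. The inner statement loop also keeps overwriting `nameIdentifier` after a SubjectStatement has been found, so the last subject of the first assertion that has one is what gets logged, whereas the `nameIdentifier == null` guard suggests the first one is wanted — a `break` after the assignment would make that explicit if so. Stylistically the new code uses `if(`/`for(` without spaces while this same commit normalises that spacing in the earlier hunk, and `SAML1AuditLogEntry` never touches the enclosing handler so it could be `protected static class`. The same points apply to the `SAML2AuditLogEntry` hunk in AbstractSAML2ProfileHandler.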
index 9a70225..e9b5581 100644 (file)
@@ -16,7 +16,6 @@
 
 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
 
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
@@ -49,14 +48,8 @@ import org.opensaml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml2.core.SubjectConfirmationData;
 import org.opensaml.saml2.encryption.Encrypter;
 import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
-import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
-import org.opensaml.saml2.metadata.AuthnAuthorityDescriptor;
 import org.opensaml.saml2.metadata.Endpoint;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.PDPDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.SSODescriptor;
 import org.opensaml.security.MetadataCredentialResolver;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
@@ -88,6 +81,7 @@ import edu.internet2.middleware.shibboleth.common.attribute.encoding.AttributeEn
 import edu.internet2.middleware.shibboleth.common.attribute.encoding.AttributeEncodingException;
 import edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder;
 import edu.internet2.middleware.shibboleth.common.attribute.provider.SAML2AttributeAuthority;
+import edu.internet2.middleware.shibboleth.common.log.AuditLogEntry;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequirementLevel;
@@ -877,4 +871,85 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
         return kekCredentialResolver.resolveSingle(criteriaSet);
     }
+    
+
+    /**
+     * Writes an audit log entry indicating the successful response to the attribute request.
+     * 
+     * @param context current request context
+     */
+    protected void writeAuditLogEntry(BaseSAMLProfileRequestContext context) {
+        SAML2AuditLogEntry auditLogEntry = new SAML2AuditLogEntry();
+        auditLogEntry.setSAMLResponse((Response) context.getOutboundMessage());
+        auditLogEntry.setMessageProfile(getProfileId());
+        auditLogEntry.setPrincipalAuthenticationMethod(context.getPrincipalAuthenticationMethod());
+        auditLogEntry.setPrincipalName(context.getPrincipalName());
+        auditLogEntry.setAssertingPartyId(context.getLocalEntityId());
+        auditLogEntry.setRelyingPartyId(context.getInboundMessageIssuer());
+        auditLogEntry.setRequestBinding(context.getMessageDecoder().getBindingURI());
+        auditLogEntry.setRequestId(context.getInboundSAMLMessageId());
+        auditLogEntry.setResponseBinding(context.getMessageEncoder().getBindingURI());
+        auditLogEntry.setResponseId(context.getOutboundSAMLMessageId());
+        if (context.getReleasedAttributes() != null) {
+            auditLogEntry.getReleasedAttributes().addAll(context.getReleasedAttributes());
+        }
+
+        getAduitLog().info(auditLogEntry.toString());
+    }
+    
+    /** SAML 1 specific audit log entry. */
+    protected class SAML2AuditLogEntry extends AuditLogEntry {
+
+        /** The response to the SAML request. */
+        private Response samlResponse;
+
+        /**
+         * Gets the response to the SAML request.
+         * 
+         * @return the response to the SAML request
+         */
+        public Response getSAMLResponse() {
+            return samlResponse;
+        }
+
+        /**
+         * Sets the response to the SAML request.
+         * 
+         * @param response the response to the SAML request
+         */
+        public void setSAMLResponse(Response response) {
+            samlResponse = response;
+        }
+
+        /** {@inheritDoc} */
+        public String toString() {
+            StringBuilder entryString = new StringBuilder(super.toString());
+            
+            NameID nameIdentifier = null;
+            StringBuilder assertionIds = new StringBuilder();
+            List<Assertion> assertions = samlResponse.getAssertions();
+            if(assertions != null && !assertions.isEmpty()){
+                for(Assertion assertion : assertions){
+                    assertionIds.append(assertion.getID());
+                    assertionIds.append(",");
+                    
+                    if(nameIdentifier == null){
+                        if(assertion.getSubject() != null){
+                            nameIdentifier = assertion.getSubject().getNameID();
+                        }
+                    }
+                }
+            }
+            
+            if(nameIdentifier != null){
+                entryString.append(nameIdentifier.getValue());
+            }
+            entryString.append("|");
+            
+            entryString.append(assertionIds.toString());
+            entryString.append("|");
+            
+            return entryString.toString();
+        }
+    }
 }
\ No newline at end of file
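Review bot: The Javadoc on the new inner class, `/** SAML 1 specific audit log entry. */`, is copied from the SAML 1 handler and should read `/** SAML 2 specific audit log entry. */`. With the base-class `writeAuditLogEntry` removed in the first file, the SAML 1 and SAML 2 handlers now carry near-identical copies of the ten setter calls and the `getReleasedAttributes()` block, differing only in the entry type; keeping the common body in AbstractSAMLProfileHandler behind a small protected factory hook (e.g. `protected AuditLogEntry newAuditLogEntry(BaseSAMLProfileRequestContext context)`) would stop the two from drifting apart. `SAML2AuditLogEntry` does not use the enclosing handler, so `protected static class` would avoid holding a reference to it from every log entry.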