restapi-cli-audit-onos-1.13-manual-cherry-pick
Change-Id: I9981f5a9a02fa1b63fa0154693d8038107deb6cd
diff --git a/web/api/src/main/java/org/onosproject/rest/resources/AuditFilter.java b/web/api/src/main/java/org/onosproject/rest/resources/AuditFilter.java
new file mode 100644
index 0000000..81c4f42
--- /dev/null
+++ b/web/api/src/main/java/org/onosproject/rest/resources/AuditFilter.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2018-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.rest.resources;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.io.IOUtils;
+import org.onlab.osgi.DefaultServiceDirectory;
+import org.onlab.osgi.ServiceDirectory;
+import org.onosproject.security.AuditService;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.container.ContainerResponseFilter;
+import java.io.IOException;
+
+import static org.onlab.util.Tools.readTreeFromStream;
+
+/**
+ * HTTP Filter for auditing REST API requests.
+ */
+public class AuditFilter implements ContainerRequestFilter, ContainerResponseFilter {
+
+ private ObjectMapper mapper = new ObjectMapper();
+ private final String separator = "\", \"";
+ private final String logCompSeperator = "\" : \"";
+
+ private static boolean disableForTests = false;
+ private static ServiceDirectory services = new DefaultServiceDirectory();
+
+ /**
+ * Disables functionality for unit tests.
+ */
+ public static void disableForTests() {
+ disableForTests = true;
+ }
+
+ @Override
+ public void filter(ContainerRequestContext requestContext) throws IOException {
+ if (auditService() != null) {
+ String requestBody = (requestContext.hasEntity() ?
+ (readTreeFromStream(mapper, requestContext.getEntityStream()).toString()) : "");
+ requestContext.setProperty("requestBody", requestBody);
+ // FIXME: audit message should be better structured
+ requestContext.setProperty("auditMessage", "{\"Path" + logCompSeperator
+ + requestContext.getUriInfo().getPath() + separator + "Method"
+ + logCompSeperator + requestContext.getMethod() + separator
+ + (requestContext.getMethod().equals("PUT") ?
+ // FIXME: is there really a need to differentiate based on method?
+ ("Path_Parameters" + logCompSeperator + requestContext.getUriInfo().getPathParameters().toString()
+ + separator + "Query_Parameters" + logCompSeperator
+ + requestContext.getUriInfo().getQueryParameters().toString()
+ + separator + "Request_Body" + logCompSeperator + requestBody) : ""));
+ requestContext.setEntityStream(IOUtils.toInputStream(requestBody));
+ }
+ }
+
+ @Override
+ public void filter(ContainerRequestContext containerRequestContext,
+ ContainerResponseContext containerResponseContext) throws IOException {
+ AuditService auditService = auditService();
+ if (auditService != null) {
+ containerRequestContext.setProperty("auditMessage", containerRequestContext.getProperty("auditMessage")
+ + separator + "Status" + logCompSeperator + containerResponseContext.getStatusInfo().toString()
+ + "\"}");
+ // FIXME: Audit record should indicate who did it, not just what was done and when
+ String user = containerRequestContext.getSecurityContext().getUserPrincipal().getName();
+ String action = containerRequestContext.getProperty("auditMessage").toString();
+ auditService.logUserAction(user, action);
+ }
+ }
+
+ private AuditService auditService() {
+ AuditService auditService = disableForTests ? null : services.get(AuditService.class);
+ return auditService != null && auditService.isAuditing() ? auditService : null;
+ }
+}
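Review bot: The audit record in `filter(ContainerRequestContext)` is assembled by concatenating the request path, the path and query parameters and the request body between literal quotes with no escaping, so any `"` in those request-controlled values (the re-serialized JSON body always contains them) breaks the record or lets a caller inject extra fields such as a false `Status`. Building the record as an `ObjectNode` from the existing `mapper` (this needs the `com.fasterxml.jackson.databind.node.ObjectNode` import) and serializing it once in the response filter escapes every value. In the response filter, `getUserPrincipal()` is dereferenced without a null check, which would throw for a request that has no authenticated principal and lose the audit entry. The full `Request_Body` of every PUT also goes to the audit log, so bodies that carry credentials or keys should be redacted or omitted before logging.

```java
// in filter(ContainerRequestContext requestContext), replacing the string concatenation
// … unchanged: requestBody is read and stored as the "requestBody" property …
ObjectNode audit = mapper.createObjectNode();
audit.put("Path", requestContext.getUriInfo().getPath());
audit.put("Method", requestContext.getMethod());
if ("PUT".equals(requestContext.getMethod())) {
    audit.put("Path_Parameters", requestContext.getUriInfo().getPathParameters().toString());
    audit.put("Query_Parameters", requestContext.getUriInfo().getQueryParameters().toString());
    // Consider redacting sensitive fields before the body is recorded.
    audit.put("Request_Body", requestBody);
}
requestContext.setProperty("auditMessage", audit);
// … unchanged: setEntityStream(...) …

// in filter(ContainerRequestContext, ContainerResponseContext), inside the auditService != null branch
Object stored = containerRequestContext.getProperty("auditMessage");
// The request-side filter may not have run (for example if an earlier filter aborted the request).
ObjectNode audit = stored instanceof ObjectNode ? (ObjectNode) stored : mapper.createObjectNode();
audit.put("Status", containerResponseContext.getStatusInfo().toString());
// "unknown" is a placeholder label for requests without an authenticated principal.
String user = containerRequestContext.getSecurityContext().getUserPrincipal() != null
        ? containerRequestContext.getSecurityContext().getUserPrincipal().getName() : "unknown";
auditService.logUserAction(user, audit.toString());
```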
diff --git a/web/api/src/main/java/org/onosproject/rest/resources/CoreWebApplication.java b/web/api/src/main/java/org/onosproject/rest/resources/CoreWebApplication.java
index 67b6c96..36801c5 100644
--- a/web/api/src/main/java/org/onosproject/rest/resources/CoreWebApplication.java
+++ b/web/api/src/main/java/org/onosproject/rest/resources/CoreWebApplication.java
@@ -56,7 +56,8 @@
DiagnosticsWebResource.class,
UiPreferencesWebResource.class,
SystemInfoWebResource.class,
- PacketProcessorsWebResource.class
+ PacketProcessorsWebResource.class,
+ AuditFilter.class
);
}
}
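Review bot: `AuditFilter.class` is registered here with no explicit ordering, and the class in this commit carries no `@Priority`, so its position relative to other request filters is left at the default. If another filter (presumably the authorization filter referenced in the test change) aborts a request before the audit request filter runs, the response filter still executes and logs a record built from a missing `auditMessage` property, which starts with the text `null`. Consider annotating the class, for example `@Priority(Priorities.AUTHENTICATION - 1)`, or otherwise confirming that denied requests produce a complete audit entry. The surrounding method starts outside this hunk, so the full registration list is not visible here.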
diff --git a/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java b/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java
index 9f809f3..54203fd 100644
--- a/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java
+++ b/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java
@@ -51,6 +51,7 @@
private void configureProperties() {
set(TestProperties.CONTAINER_PORT, 0);
AuthorizationFilter.disableForTests();
+ AuditFilter.disableForTests();
}
/**