Fix missing ROLE_ASSUME events

The ACLInterceptor has been updated to generate a ROLE_ASSUME event after a successful authorization to a protected resource. This will fix missing ROLE_ASSUME events for REST API which is used by PKI CLI and TPS UI. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1549887
dogtagpki · Jun 8, 2023 · c399a63 · c399a63
1 parent 2b84210
commit c399a63
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/base/server/src/main/java/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/src/main/java/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -45,6 +45,7 @@
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.AuthzEvent;
+import com.netscape.certsrv.logging.event.RoleAssumeEvent;
 import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.CMSEngine;
@@ -194,14 +195,16 @@ else if (principal instanceof GenericPrincipal) {
 
         // If still not available, it's unprotected, allow request.
         if (!authzRequired) {
-            logger.debug("ACLInterceptor: No ACL mapping; authz not required.");
+            logger.debug("ACLInterceptor: Unprotected resource; access granted");
 
             auditor.log(AuthzEvent.createSuccessEvent(
                         auditSubjectID,
                         null, //resource
                         null, //operation
                         LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo)); //info
 
+            // unprotected resource -> do not generate ROLE_ASSUME event
+
             return;
         }
 
@@ -230,17 +233,21 @@ else if (principal instanceof GenericPrincipal) {
 
         // If no property defined, allow request.
         if (value == null) {
-            logger.debug("ACLInterceptor: No ACL configuration.");
+            logger.debug("ACLInterceptor: Unprotected resource; access granted");
 
             auditor.log(AuthzEvent.createSuccessEvent(
                     auditSubjectID,
                     null, //resource
                     null, //operation
                     LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo));
 
+            // unprotected resource -> do not generate ROLE_ASSUME event
+
             return;
         }
 
+        // accessing protected resource
+
         values = value.split(",");
 
         // If invalid mapping, reject request.
@@ -307,14 +314,23 @@ else if (principal instanceof GenericPrincipal) {
             throw new Failure(e);
         }
 
-        // Allow request.
+        logger.debug("ACLInterceptor: Protected resource; access granted");
 
         auditor.log(AuthzEvent.createSuccessEvent(
                     auditSubjectID,
                     values[0], // resource
                     values[1], // operation
                     auditInfo));
 
+        if (principal instanceof PKIPrincipal pkiPrincipal) {
+            String[] roles = pkiPrincipal.getRoles();
+            if (roles != null) {
+                auditor.log(RoleAssumeEvent.createSuccessEvent(
+                        auditSubjectID,
+                        String.join(",", roles)));
+            }
+        }
+
         return;
     }
 }