From 8ca46fa35da7b4ed2a0e9b128b5750d7b8b3f1a9 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Mon, 7 Apr 2014 17:52:45 +0100 Subject: [PATCH] Audit configurable through admin console --- .../META-INF/resources/admin/js/app.js | 15 ++++ .../resources/admin/js/controllers/realm.js | 63 +++++++++++++++- .../META-INF/resources/admin/js/loaders.js | 8 +++ .../META-INF/resources/admin/js/services.js | 10 +++ .../admin/partials/realm-audit-config.html | 71 +++++++++++++++++++ .../resources/admin/partials/realm-audit.html | 7 +- .../resources/admin/partials/realm-menu.html | 2 +- .../org/keycloak/audit/AuditProvider.java | 4 +- .../keycloak/audit/jpa/JpaAuditProvider.java | 8 +-- .../audit/mongo/MongoAuditProvider.java | 12 ++-- .../tests/AbstractAuditProviderTest.java | 24 ++++--- .../idm/RealmAuditRepresentation.java | 37 ++++++++++ .../idm/RealmRepresentation.java | 4 ++ .../java/org/keycloak/models/RealmModel.java | 8 +++ .../org/keycloak/models/jpa/RealmAdapter.java | 22 ++++++ .../models/jpa/entities/RealmEntity.java | 21 +++++- .../mongo/keycloak/adapters/RealmAdapter.java | 22 ++++++ .../mongo/keycloak/entities/RealmEntity.java | 20 ++++++ .../services/managers/AuditManager.java | 57 +++++++++++++++ .../managers/ModelToRepresentation.java | 16 +++++ .../services/managers/RealmManager.java | 10 +++ .../services/resources/RealmsResource.java | 25 +------ .../services/resources/SocialResource.java | 25 +------ .../resources/admin/RealmAdminResource.java | 28 ++++++++ .../admin/ServerInfoAdminResource.java | 23 ++++++ .../testsuite/account/AccountTest.java | 59 +++++++++------ 26 files changed, 509 insertions(+), 92 deletions(-) create mode 100755 admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit-config.html create mode 100755 core/src/main/java/org/keycloak/representations/idm/RealmAuditRepresentation.java create mode 100644 services/src/main/java/org/keycloak/services/managers/AuditManager.java diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js index f8464595b0..4802f1fcd1 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js +++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js @@ -141,6 +141,21 @@ module.config([ '$routeProvider', function($routeProvider) { return RealmLoader(); } }, + controller : 'RealmAuditEventsCtrl' + }) + .when('/realms/:realm/audit-settings', { + templateUrl : 'partials/realm-audit-config.html', + resolve : { + realm : function(RealmLoader) { + return RealmLoader(); + }, + serverInfo : function(ServerInfoLoader) { + return ServerInfoLoader(); + }, + auditConfig : function(RealmAuditLoader) { + return RealmAuditLoader(); + } + }, controller : 'RealmAuditCtrl' }) .when('/realms/:realm/auth-settings', { diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js index b0642b7018..dc54399968 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js +++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js @@ -1022,7 +1022,65 @@ module.controller('RealmAuthSettingsDetailCtrl', function($scope, $routeParams, }; }); -module.controller('RealmAuditCtrl', function($scope, RealmAudit, realm) { +module.controller('RealmAuditCtrl', function($scope, auditConfig, RealmAudit, RealmAuditEvents, realm, serverInfo, $location, Notifications, TimeUnit, Dialog) { + $scope.realm = realm; + + $scope.auditConfig = auditConfig; + + $scope.auditConfig.expirationUnit = TimeUnit.autoUnit(auditConfig.auditExpiration); + if ($scope.auditConfig.expirationUnit) { + $scope.auditConfig.expirationUnit = 'Hours'; + } + + $scope.auditConfig.auditExpiration = TimeUnit.toUnit(auditConfig.auditExpiration, $scope.auditConfig.expirationUnit); + $scope.$watch('auditConfig.expirationUnit', function(to, from) { + if ($scope.auditConfig.auditExpiration) { + $scope.auditConfig.auditExpiration = TimeUnit.convert($scope.auditConfig.auditExpiration, from, to); + } + }); + + $scope.auditListeners = serverInfo.auditListeners; + + var oldCopy = angular.copy($scope.auditConfig); + $scope.changed = false; + + $scope.$watch('auditConfig', function() { + if (!angular.equals($scope.auditConfig, oldCopy)) { + $scope.changed = true; + } + }, true); + + $scope.save = function() { + $scope.changed = false; + + var copy = angular.copy($scope.auditConfig) + delete copy['expirationUnit']; + + copy.auditExpiration = TimeUnit.toSeconds($scope.auditConfig.auditExpiration, $scope.auditConfig.expirationUnit); + + RealmAudit.update({ + id : realm.realm + }, copy, function () { + $location.url("/realms/" + realm.realm + "/audit-settings"); + Notifications.success("Your changes have been saved to the realm."); + }); + }; + + $scope.reset = function() { + $scope.auditConfig = angular.copy(oldCopy); + $scope.changed = false; + }; + + $scope.clearAudit = function() { + Dialog.confirmDelete($scope.realm.realm, 'audit events', function() { + RealmAuditEvents.remove({ id : $scope.realm.realm }, function() { + Notifications.success("The audit events has been cleared."); + }); + }); + }; +}); + +module.controller('RealmAuditEventsCtrl', function($scope, RealmAuditEvents, realm) { $scope.realm = realm; $scope.page = 0; @@ -1038,8 +1096,7 @@ module.controller('RealmAuditCtrl', function($scope, RealmAudit, realm) { delete $scope.query[i]; } } - console.debug($scope.query.first); - $scope.events = RealmAudit.query($scope.query); + $scope.events = RealmAuditEvents.query($scope.query); } $scope.firstPage = function() { diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/loaders.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/loaders.js index 84f8dbce8d..e1e6a787df 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/js/loaders.js +++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/loaders.js @@ -47,6 +47,14 @@ module.factory('RealmLoader', function(Loader, Realm, $route, $q) { }); }); +module.factory('RealmAuditLoader', function(Loader, RealmAudit, $route, $q) { + return Loader.get(RealmAudit, function() { + return { + id : $route.current.params.realm + } + }); +}); + module.factory('UserListLoader', function(Loader, User, $route, $q) { return Loader.query(User, function() { return { diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js index eabc83a824..81af19b992 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js +++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/services.js @@ -145,6 +145,16 @@ module.factory('Realm', function($resource) { module.factory('RealmAudit', function($resource) { return $resource(authUrl + '/rest/admin/realms/:id/audit', { id : '@realm' + }, { + update : { + method : 'PUT' + } + }); +}); + +module.factory('RealmAuditEvents', function($resource) { + return $resource(authUrl + '/rest/admin/realms/:id/audit/events', { + id : '@realm' }); }); diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit-config.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit-config.html new file mode 100755 index 0000000000..befe2dde89 --- /dev/null +++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit-config.html @@ -0,0 +1,71 @@ +
+
+ + + +
+
    +
  1. {{realm.realm}}
    2. +
  2. Audit
    3. +
  3. Social
    4. +
+

{{realm.realm}} Audit Config

+ +
+
+
+ +
+ +
+
+
+
+
+ +
+ +
+
+ +
+ +
+
+
+ +
+
+ +
+
+
+
+ +
+ + +
+ +
+
+
+ +
+ + +
+
+
+
+ diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit.html index f31ab363ae..01543200fb 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit.html +++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-audit.html @@ -1,6 +1,11 @@
- + + +
  1. {{realm.realm}}
    2. diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-menu.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-menu.html index 5d929c4fe0..6deefac8ad 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-menu.html +++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-menu.html @@ -9,5 +9,5 @@
  2. Applications
  3. OAuth Clients
  4. Sessions
    5. -
  5. Audit
    6. +
  6. Audit
    7. \ No newline at end of file diff --git a/audit/api/src/main/java/org/keycloak/audit/AuditProvider.java b/audit/api/src/main/java/org/keycloak/audit/AuditProvider.java index 738b79fb49..9b43c72f41 100644 --- a/audit/api/src/main/java/org/keycloak/audit/AuditProvider.java +++ b/audit/api/src/main/java/org/keycloak/audit/AuditProvider.java @@ -7,8 +7,8 @@ public interface AuditProvider extends AuditListener { public EventQuery createQuery(); - public void clear(); + public void clear(String realmId); - public void clear(long olderThan); + public void clear(String realmId, long olderThan); } diff --git a/audit/jpa/src/main/java/org/keycloak/audit/jpa/JpaAuditProvider.java b/audit/jpa/src/main/java/org/keycloak/audit/jpa/JpaAuditProvider.java index 0432f17828..c54c1b8303 100644 --- a/audit/jpa/src/main/java/org/keycloak/audit/jpa/JpaAuditProvider.java +++ b/audit/jpa/src/main/java/org/keycloak/audit/jpa/JpaAuditProvider.java @@ -29,15 +29,15 @@ public class JpaAuditProvider implements AuditProvider { } @Override - public void clear() { + public void clear(String realmId) { beginTx(); - em.createQuery("delete from EventEntity").executeUpdate(); + em.createQuery("delete from EventEntity where realmId = :realmId").setParameter("realmId", realmId).executeUpdate(); } @Override - public void clear(long olderThan) { + public void clear(String realmId, long olderThan) { beginTx(); - em.createQuery("delete from EventEntity where time < :time").setParameter("time", olderThan).executeUpdate(); + em.createQuery("delete from EventEntity where realmId = :realmId and time < :time").setParameter("realmId", realmId).setParameter("time", olderThan).executeUpdate(); } @Override diff --git a/audit/mongo/src/main/java/org/keycloak/audit/mongo/MongoAuditProvider.java b/audit/mongo/src/main/java/org/keycloak/audit/mongo/MongoAuditProvider.java index 2aa117605b..3d44a146be 100644 --- a/audit/mongo/src/main/java/org/keycloak/audit/mongo/MongoAuditProvider.java +++ b/audit/mongo/src/main/java/org/keycloak/audit/mongo/MongoAuditProvider.java @@ -1,5 +1,6 @@ package org.keycloak.audit.mongo; +import com.mongodb.BasicDBList; import com.mongodb.BasicDBObject; import com.mongodb.DBCollection; import com.mongodb.DBObject; @@ -27,13 +28,16 @@ public class MongoAuditProvider implements AuditProvider { } @Override - public void clear() { - audit.remove(new BasicDBObject()); + public void clear(String realmId) { + audit.remove(new BasicDBObject("realmId", realmId)); } @Override - public void clear(long olderThan) { - audit.remove(new BasicDBObject("time", new BasicDBObject("$lt", olderThan))); + public void clear(String realmId, long olderThan) { + BasicDBObject q = new BasicDBObject(); + q.put("realmId", realmId); + q.put("time", new BasicDBObject("$lt", olderThan)); + audit.remove(q); } @Override diff --git a/audit/tests/src/main/java/org/keycloak/audit/tests/AbstractAuditProviderTest.java b/audit/tests/src/main/java/org/keycloak/audit/tests/AbstractAuditProviderTest.java index c3ebdaae65..7dada9f806 100644 --- a/audit/tests/src/main/java/org/keycloak/audit/tests/AbstractAuditProviderTest.java +++ b/audit/tests/src/main/java/org/keycloak/audit/tests/AbstractAuditProviderTest.java @@ -34,7 +34,8 @@ public abstract class AbstractAuditProviderTest { @After public void after() { - provider.clear(); + provider.clear("realmId"); + provider.clear("realmId2"); provider.close(); factory.close(); } @@ -51,6 +52,7 @@ public abstract class AbstractAuditProviderTest { provider.onEvent(create("event", "realmId", "clientId", "userId", "127.0.0.1", "error")); provider.onEvent(create(newest, "event2", "realmId", "clientId", "userId", "127.0.0.1", "error")); + provider.onEvent(create(newest, "event2", "realmId", "clientId", "userId2", "127.0.0.1", "error")); provider.onEvent(create("event", "realmId2", "clientId", "userId", "127.0.0.1", "error")); provider.onEvent(create(oldest, "event", "realmId", "clientId2", "userId", "127.0.0.1", "error")); provider.onEvent(create("event", "realmId", "clientId", "userId2", "127.0.0.1", "error")); @@ -58,19 +60,19 @@ public abstract class AbstractAuditProviderTest { provider.close(); provider = factory.create(); - Assert.assertEquals(4, provider.createQuery().client("clientId").getResultList().size()); - Assert.assertEquals(4, provider.createQuery().realm("realmId").getResultList().size()); + Assert.assertEquals(5, provider.createQuery().client("clientId").getResultList().size()); + Assert.assertEquals(5, provider.createQuery().realm("realmId").getResultList().size()); Assert.assertEquals(4, provider.createQuery().event("event").getResultList().size()); - Assert.assertEquals(5, provider.createQuery().event("event", "event2").getResultList().size()); + Assert.assertEquals(6, provider.createQuery().event("event", "event2").getResultList().size()); Assert.assertEquals(4, provider.createQuery().user("userId").getResultList().size()); Assert.assertEquals(1, provider.createQuery().user("userId").event("event2").getResultList().size()); Assert.assertEquals(2, provider.createQuery().maxResults(2).getResultList().size()); - Assert.assertEquals(1, provider.createQuery().firstResult(4).getResultList().size()); + Assert.assertEquals(1, provider.createQuery().firstResult(5).getResultList().size()); Assert.assertEquals(newest, provider.createQuery().maxResults(1).getResultList().get(0).getTime()); - Assert.assertEquals(oldest, provider.createQuery().firstResult(4).maxResults(1).getResultList().get(0).getTime()); + Assert.assertEquals(oldest, provider.createQuery().firstResult(5).maxResults(1).getResultList().get(0).getTime()); } @Test @@ -79,13 +81,14 @@ public abstract class AbstractAuditProviderTest { provider.onEvent(create(System.currentTimeMillis() - 20000, "event", "realmId", "clientId", "userId", "127.0.0.1", "error")); provider.onEvent(create(System.currentTimeMillis(), "event", "realmId", "clientId", "userId", "127.0.0.1", "error")); provider.onEvent(create(System.currentTimeMillis(), "event", "realmId", "clientId", "userId", "127.0.0.1", "error")); + provider.onEvent(create(System.currentTimeMillis() - 30000, "event", "realmId2", "clientId", "userId", "127.0.0.1", "error")); provider.close(); provider = factory.create(); - provider.clear(); + provider.clear("realmId"); - Assert.assertEquals(0, provider.createQuery().getResultList().size()); + Assert.assertEquals(1, provider.createQuery().getResultList().size()); } @Test @@ -94,13 +97,14 @@ public abstract class AbstractAuditProviderTest { provider.onEvent(create(System.currentTimeMillis() - 20000, "event", "realmId", "clientId", "userId", "127.0.0.1", "error")); provider.onEvent(create(System.currentTimeMillis(), "event", "realmId", "clientId", "userId", "127.0.0.1", "error")); provider.onEvent(create(System.currentTimeMillis(), "event", "realmId", "clientId", "userId", "127.0.0.1", "error")); + provider.onEvent(create(System.currentTimeMillis() - 30000, "event", "realmId2", "clientId", "userId", "127.0.0.1", "error")); provider.close(); provider = factory.create(); - provider.clear(System.currentTimeMillis() - 10000); + provider.clear("realmId", System.currentTimeMillis() - 10000); - Assert.assertEquals(2, provider.createQuery().getResultList().size()); + Assert.assertEquals(3, provider.createQuery().getResultList().size()); } private Event create(String event, String realmId, String clientId, String userId, String ipAddress, String error) { diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmAuditRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmAuditRepresentation.java new file mode 100755 index 0000000000..9a4d019f01 --- /dev/null +++ b/core/src/main/java/org/keycloak/representations/idm/RealmAuditRepresentation.java @@ -0,0 +1,37 @@ +package org.keycloak.representations.idm; + +import java.util.List; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class RealmAuditRepresentation { + protected boolean auditEnabled; + protected Long auditExpiration; + protected List auditListeners; + + public boolean isAuditEnabled() { + return auditEnabled; + } + + public void setAuditEnabled(boolean auditEnabled) { + this.auditEnabled = auditEnabled; + } + + public Long getAuditExpiration() { + return auditExpiration; + } + + public void setAuditExpiration(Long auditExpiration) { + this.auditExpiration = auditExpiration; + } + + public List getAuditListeners() { + return auditListeners; + } + + public void setAuditListeners(List auditListeners) { + this.auditListeners = auditListeners; + } +} diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java index a4278d254f..ac57c7ea1c 100755 --- a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java +++ b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java @@ -1,6 +1,7 @@ package org.keycloak.representations.idm; import java.util.ArrayList; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -47,6 +48,9 @@ public class RealmRepresentation { protected List authenticationProviders; protected String loginTheme; protected String accountTheme; + protected boolean auditEnabled; + protected long auditExpiration; + protected List auditListeners; public String getSelf() { return self; diff --git a/model/api/src/main/java/org/keycloak/models/RealmModel.java b/model/api/src/main/java/org/keycloak/models/RealmModel.java index db271f2555..6e2060505f 100755 --- a/model/api/src/main/java/org/keycloak/models/RealmModel.java +++ b/model/api/src/main/java/org/keycloak/models/RealmModel.java @@ -208,6 +208,14 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa boolean removeRoleById(String id); + boolean isAuditEnabled(); + + void setAuditEnabled(boolean enabled); + + long getAuditExpiration(); + + void setAuditExpiration(long expiration); + Set getAuditListeners(); void setAuditListeners(Set listeners); diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java index 0275f40b15..fce9a3d9f2 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java @@ -1184,6 +1184,28 @@ public class RealmAdapter implements RealmModel { em.flush(); } + @Override + public boolean isAuditEnabled() { + return realm.isAuditEnabled(); + } + + @Override + public void setAuditEnabled(boolean enabled) { + realm.setAuditEnabled(enabled); + em.flush(); + } + + @Override + public long getAuditExpiration() { + return realm.getAuditExpiration(); + } + + @Override + public void setAuditExpiration(long expiration) { + realm.setAuditExpiration(expiration); + em.flush(); + } + @Override public Set getAuditListeners() { return realm.getAuditListeners(); diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java index 1e3a9d723d..6885a7006f 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java @@ -99,8 +99,11 @@ public class RealmEntity { @JoinTable(name="RealmDefaultRoles") Collection defaultRoles = new ArrayList(); + private boolean auditEnabled; + private long auditExpiration; + @ElementCollection - protected Set auditListeners= new HashSet(); + private Set auditListeners= new HashSet(); public String getId() { return id; @@ -349,6 +352,22 @@ public class RealmEntity { this.bruteForceProtected = bruteForceProtected; } + public boolean isAuditEnabled() { + return auditEnabled; + } + + public void setAuditEnabled(boolean auditEnabled) { + this.auditEnabled = auditEnabled; + } + + public long getAuditExpiration() { + return auditExpiration; + } + + public void setAuditExpiration(long auditExpiration) { + this.auditExpiration = auditExpiration; + } + public Set getAuditListeners() { return auditListeners; } diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java index 10a748f4ed..3fc43f24d4 100755 --- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java +++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java @@ -1141,6 +1141,28 @@ public class RealmAdapter extends AbstractMongoAdapter implements R updateRealm(); } + @Override + public boolean isAuditEnabled() { + return realm.isAuditEnabled(); + } + + @Override + public void setAuditEnabled(boolean enabled) { + realm.setAuditEnabled(enabled); + updateRealm(); + } + + @Override + public long getAuditExpiration() { + return realm.getAuditExpiration(); + } + + @Override + public void setAuditExpiration(long expiration) { + realm.setAuditExpiration(expiration); + updateRealm(); + } + @Override public Set getAuditListeners() { return new HashSet(realm.getAuditListeners()); diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java index 627af226ea..6786c9013f 100755 --- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java +++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java @@ -57,6 +57,8 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong private Map socialConfig = new HashMap(); private Map ldapServerConfig; + private boolean auditEnabled; + private long auditExpiration; private List auditListeners = new ArrayList(); @MongoField @@ -302,6 +304,24 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong this.ldapServerConfig = ldapServerConfig; } + @MongoField + public boolean isAuditEnabled() { + return auditEnabled; + } + + public void setAuditEnabled(boolean auditEnabled) { + this.auditEnabled = auditEnabled; + } + + @MongoField + public long getAuditExpiration() { + return auditExpiration; + } + + public void setAuditExpiration(long auditExpiration) { + this.auditExpiration = auditExpiration; + } + @MongoField public List getAuditListeners() { return auditListeners; diff --git a/services/src/main/java/org/keycloak/services/managers/AuditManager.java b/services/src/main/java/org/keycloak/services/managers/AuditManager.java new file mode 100644 index 0000000000..ae90e1c6d3 --- /dev/null +++ b/services/src/main/java/org/keycloak/services/managers/AuditManager.java @@ -0,0 +1,57 @@ +package org.keycloak.services.managers; + +import org.jboss.logging.Logger; +import org.keycloak.audit.Audit; +import org.keycloak.audit.AuditListener; +import org.keycloak.audit.AuditProvider; +import org.keycloak.models.RealmModel; +import org.keycloak.services.ClientConnection; +import org.keycloak.services.ProviderSession; + +import java.util.LinkedList; +import java.util.List; + +/** + * @author Stian Thorgersen + */ +public class AuditManager { + + private Logger log = Logger.getLogger(AuditManager.class); + + private RealmModel realm; + private ProviderSession providers; + private ClientConnection clientConnection; + + public AuditManager(RealmModel realm, ProviderSession providers, ClientConnection clientConnection) { + this.realm = realm; + this.providers = providers; + this.clientConnection = clientConnection; + } + + public Audit createAudit() { + List listeners = new LinkedList(); + + if (realm.isAuditEnabled()) { + AuditProvider auditProvider = providers.getProvider(AuditProvider.class); + if (auditProvider != null) { + listeners.add(auditProvider); + } else { + log.error("Audit enabled, but no audit provider configured"); + } + } + + if (realm.getAuditListeners() != null) { + for (String id : realm.getAuditListeners()) { + AuditListener listener = providers.getProvider(AuditListener.class, id); + if (listener != null) { + listeners.add(listener); + } else { + log.error("Audit listener '" + id + "' registered, but not found"); + } + } + } + + return new Audit(listeners, realm, clientConnection.getRemoteAddr()); + } + +} diff --git a/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java b/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java index 5f43390866..8562bd850f 100755 --- a/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java +++ b/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java @@ -13,6 +13,7 @@ import org.keycloak.models.UserModel; import org.keycloak.representations.idm.AuthenticationProviderRepresentation; import org.keycloak.representations.idm.ClaimRepresentation; import org.keycloak.representations.idm.CredentialRepresentation; +import org.keycloak.representations.idm.RealmAuditRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.UserRepresentation; @@ -20,6 +21,7 @@ import org.keycloak.representations.idm.UserRepresentation; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; +import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -124,6 +126,20 @@ public class ModelToRepresentation { return rep; } + public static RealmAuditRepresentation toAuditReprensetation(RealmModel realm) { + RealmAuditRepresentation rep = new RealmAuditRepresentation(); + rep.setAuditEnabled(realm.isAuditEnabled()); + + if (realm.getAuditExpiration() != 0) { + rep.setAuditExpiration(realm.getAuditExpiration()); + } + + if (realm.getAuditListeners() != null) { + rep.setAuditListeners(new LinkedList(realm.getAuditListeners())); + } + return rep; + } + public static CredentialRepresentation toRepresentation(UserCredentialModel cred) { CredentialRepresentation rep = new CredentialRepresentation(); rep.setType(CredentialRepresentation.SECRET); diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java index d9d40d2926..bed88674ce 100755 --- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java +++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java @@ -24,6 +24,7 @@ import org.keycloak.representations.idm.AuthenticationLinkRepresentation; import org.keycloak.representations.idm.AuthenticationProviderRepresentation; import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.OAuthClientRepresentation; +import org.keycloak.representations.idm.RealmAuditRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.ScopeMappingRepresentation; @@ -39,6 +40,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; @@ -166,6 +168,14 @@ public class RealmManager { } } + public void updateRealmAudit(RealmAuditRepresentation rep, RealmModel realm) { + realm.setAuditEnabled(rep.isAuditEnabled()); + realm.setAuditExpiration(rep.getAuditExpiration()); + if (rep.getAuditListeners() != null) { + realm.setAuditListeners(new HashSet(rep.getAuditListeners())); + } + } + private void setupAdminManagement(RealmModel realm) { RealmModel adminRealm; RoleModel adminRole; diff --git a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java index cb11ed517e..1056378c75 100755 --- a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java +++ b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java @@ -10,6 +10,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.services.ClientConnection; import org.keycloak.services.ProviderSession; +import org.keycloak.services.managers.AuditManager; import org.keycloak.services.managers.RealmManager; import org.keycloak.services.managers.SocialRequestManager; import org.keycloak.services.managers.TokenManager; @@ -68,7 +69,7 @@ public class RealmsResource { public TokenService getTokenService(final @PathParam("realm") String name) { RealmManager realmManager = new RealmManager(session); RealmModel realm = locateRealm(name, realmManager); - Audit audit = createAudit(realm); + Audit audit = new AuditManager(realm, providers, clientConnection).createAudit(); TokenService tokenService = new TokenService(realm, tokenManager, audit); resourceContext.initResource(tokenService); return tokenService; @@ -93,7 +94,7 @@ public class RealmsResource { throw new NotFoundException(); } - Audit audit = createAudit(realm); + Audit audit = new AuditManager(realm, providers, clientConnection).createAudit(); AccountService accountService = new AccountService(realm, application, tokenManager, socialRequestManager, audit); resourceContext.initResource(accountService); accountService.init(); @@ -109,24 +110,4 @@ public class RealmsResource { return realmResource; } - private Audit createAudit(RealmModel realm) { - List listeners = new LinkedList(); - - AuditProvider auditProvider = providers.getProvider(AuditProvider.class); - if (auditProvider != null) { - listeners.add(auditProvider); - } - - if (realm.getAuditListeners() != null) { - for (String id : realm.getAuditListeners()) { - AuditListener listener = providers.getProvider(AuditListener.class, id); - if (listener != null) { - listeners.add(listener); - } - } - } - - return new Audit(listeners, realm, clientConnection.getRemoteAddr()); - } - } diff --git a/services/src/main/java/org/keycloak/services/resources/SocialResource.java b/services/src/main/java/org/keycloak/services/resources/SocialResource.java index 4204ff975c..74d3889c9c 100755 --- a/services/src/main/java/org/keycloak/services/resources/SocialResource.java +++ b/services/src/main/java/org/keycloak/services/resources/SocialResource.java @@ -40,6 +40,7 @@ import org.keycloak.models.UserModel; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.services.ClientConnection; import org.keycloak.services.ProviderSession; +import org.keycloak.services.managers.AuditManager; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.RealmManager; import org.keycloak.services.managers.SocialRequestManager; @@ -129,7 +130,7 @@ public class SocialResource { RealmManager realmManager = new RealmManager(session); RealmModel realm = realmManager.getRealmByName(realmName); - Audit audit = createAudit(realm) + Audit audit = new AuditManager(realm, providers, clientConnection).createAudit() .event(Events.LOGIN) .detail(Details.RESPONSE_TYPE, "code") .detail(Details.AUTH_METHOD, "social@" + provider.getId()); @@ -268,7 +269,7 @@ public class SocialResource { RealmManager realmManager = new RealmManager(session); RealmModel realm = realmManager.getRealmByName(realmName); - Audit audit = createAudit(realm) + Audit audit = new AuditManager(realm, providers, clientConnection).createAudit() .event(Events.LOGIN).client(clientId) .detail(Details.REDIRECT_URI, redirectUri) .detail(Details.RESPONSE_TYPE, "code") @@ -335,24 +336,4 @@ public class SocialResource { return queryParams; } - private Audit createAudit(RealmModel realm) { - List listeners = new LinkedList(); - - AuditProvider auditProvider = providers.getProvider(AuditProvider.class); - if (auditProvider != null) { - listeners.add(auditProvider); - } - - if (realm.getAuditListeners() != null) { - for (String id : realm.getAuditListeners()) { - AuditListener listener = providers.getProvider(AuditListener.class, id); - if (listener != null) { - listeners.add(listener); - } - } - } - - return new Audit(listeners, realm, clientConnection.getRemoteAddr()); - } - } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java index 4194e612d8..76fa388f22 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java @@ -9,6 +9,7 @@ import org.keycloak.models.ApplicationModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.representations.adapters.action.SessionStats; +import org.keycloak.representations.idm.RealmAuditRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.services.ProviderSession; import org.keycloak.services.managers.ModelToRepresentation; @@ -148,7 +149,26 @@ public class RealmAdminResource { return stats; } + @GET @Path("audit") + @Produces("application/json") + public RealmAuditRepresentation getRealmAudit() { + auth.init(RealmAuth.Resource.AUDIT).requireView(); + + return ModelToRepresentation.toAuditReprensetation(realm); + } + + @PUT + @Path("audit") + @Consumes("application/json") + public void updateRealmAudit(final RealmAuditRepresentation rep) { + auth.init(RealmAuth.Resource.AUDIT).requireManage(); + + logger.debug("updating realm audit: " + realm.getName()); + new RealmManager(session).updateRealmAudit(rep, realm); + } + + @Path("audit/events") @GET @NoCache @Produces(MediaType.APPLICATION_JSON) @@ -181,4 +201,12 @@ public class RealmAdminResource { return query.getResultList(); } + @Path("audit/events") + @DELETE + public void clearAudit() { + auth.init(RealmAuth.Resource.AUDIT).requireManage(); + + AuditProvider audit = providers.getProvider(AuditProvider.class); + audit.clear(realm.getId()); + } } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ServerInfoAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ServerInfoAdminResource.java index 46449f3d62..d0ffbfad69 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/ServerInfoAdminResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/ServerInfoAdminResource.java @@ -1,30 +1,38 @@ package org.keycloak.services.resources.admin; +import org.keycloak.audit.AuditListener; import org.keycloak.freemarker.Theme; import org.keycloak.freemarker.ThemeProvider; +import org.keycloak.services.ProviderSession; import org.keycloak.social.SocialProvider; import org.keycloak.spi.authentication.AuthenticationProvider; import org.keycloak.spi.authentication.AuthenticationProviderManager; import org.keycloak.util.ProviderLoader; import javax.ws.rs.GET; +import javax.ws.rs.core.Context; import java.util.Collections; import java.util.HashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Set; /** * @author Stian Thorgersen */ public class ServerInfoAdminResource { + @Context + private ProviderSession providers; + @GET public ServerInfoRepresentation getInfo() { ServerInfoRepresentation info = new ServerInfoRepresentation(); setSocialProviders(info); setThemes(info); setAuthProviders(info); + setAuditListeners(info); return info; } @@ -57,6 +65,15 @@ public class ServerInfoAdminResource { } } + private void setAuditListeners(ServerInfoRepresentation info) { + info.auditListeners = new LinkedList(); + + Set providers = this.providers.listProviderIds(AuditListener.class); + if (providers != null) { + info.auditListeners.addAll(providers); + } + } + public static class ServerInfoRepresentation { private Map> themes; @@ -65,6 +82,8 @@ public class ServerInfoAdminResource { private Map> authProviders; + private List auditListeners; + public ServerInfoRepresentation() { } @@ -79,6 +98,10 @@ public class ServerInfoAdminResource { public Map> getAuthProviders() { return authProviders; } + + public List getAuditListeners() { + return auditListeners; + } } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java index 981781f705..5300cfa3e9 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java @@ -334,41 +334,56 @@ public class AccountTest { @Test public void viewLog() { - List e = new LinkedList(); + keycloakRule.configure(new KeycloakSetup() { + @Override + public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { + appRealm.setAuditEnabled(true); + } + }); - loginPage.open(); - loginPage.clickRegister(); + try { + List e = new LinkedList(); - registerPage.register("view", "log", "view-log@localhost", "view-log", "password", "password"); + loginPage.open(); + loginPage.clickRegister(); - e.add(events.poll()); - e.add(events.poll()); + registerPage.register("view", "log", "view-log@localhost", "view-log", "password", "password"); - profilePage.open(); - profilePage.updateProfile("view", "log2", "view-log@localhost"); + e.add(events.poll()); + e.add(events.poll()); - e.add(events.poll()); + profilePage.open(); + profilePage.updateProfile("view", "log2", "view-log@localhost"); - logPage.open(); + e.add(events.poll()); - e.add(events.poll()); + logPage.open(); - Collections.reverse(e); + e.add(events.poll()); - Assert.assertTrue(logPage.isCurrent()); + Collections.reverse(e); - List> actual = logPage.getEvents(); + Assert.assertTrue(logPage.isCurrent()); - Assert.assertEquals(e.size(), actual.size()); + List> actual = logPage.getEvents(); - Iterator> itr = actual.iterator(); - for (Event event : e) { - List a = itr.next(); - Assert.assertEquals(event.getEvent().replace('_', ' '), a.get(1)); - Assert.assertEquals(event.getIpAddress(), a.get(2)); - Assert.assertEquals(event.getClientId(), a.get(3)); + Assert.assertEquals(e.size(), actual.size()); + + Iterator> itr = actual.iterator(); + for (Event event : e) { + List a = itr.next(); + Assert.assertEquals(event.getEvent().replace('_', ' '), a.get(1)); + Assert.assertEquals(event.getIpAddress(), a.get(2)); + Assert.assertEquals(event.getClientId(), a.get(3)); + } + } finally { + keycloakRule.configure(new KeycloakSetup() { + @Override + public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { + appRealm.setAuditEnabled(false); + } + }); } - } }