Merge pull request #3908 from Cousjava/PAYARA-3111-admin-audit-servic

PAYARA-3111 Security audit service for admin console

appserver/admingui/common/src/main/resources/org/glassfish/common/admingui/Strings.properties

@@ -78,6 +78,8 @@ security.Security=Security
 security.SecurityPageHelp=Set security properties for the entire server.
 security.SecurityManager=Security Manager
 security.SecurityManagerHelp=Enable the security manager for the domain by adding an option in the JVM Settings
+security.AdminAudit=Admin Audit
+security.AdminAuditHelp=Audit admin commands
 security.AuditLogging=Enable Audit Modules
 security.AuditLoggingHelp=Enable server to load and run all audit modules specified in the Audit Modules setting
 security.DefaultRealm=Default Realm
@@ -103,7 +105,6 @@ security.secureAdmin.instancealias=Instance Alias:
 security.secureAdmin.instancealiasHelp=The alias that refers to the SSL/TLS certificate on the instances. This alias is used by the DAS to authenticate against the instances.
 security.secureLabel=Secure Administration:
 
-
 ## Realms
 realm.NewPageTitle=New Realm
 realm.NewPageHelp=Create a new security (authentication) realm. Valid realm types are PAM, OSGi, File, Certificate, LDAP, JDBC, Digest, Oracle Solaris, and Custom.

appserver/admingui/common/src/main/resources/pluginTreeNodeSecurity.jsf

@@ -39,6 +39,7 @@
     holder.
 
 -->
+<!-- Portions Copyright [2019] Payara Foundation and/or affiliates -->
 
 <!-- pluginTreeNodeJVM.jsf -->
 
@@ -50,6 +51,25 @@
 	<sun:imageHyperlink imageURL="/resource/common/security/images/security.gif" url="#{request.contextPath}/common/security/security.jsf?configName=${configName}" 
 	    alt="$resource{i18n.tree.security}" border="0" immediate="true" />
     </facet>
+
+    <!facet image>
+	<sun:imageHyperlink imageURL="/resource/common/security/images/security.gif" url="#{request.contextPath}/common/adminAudit/adminaudit.jsf?configName=${configName}" 
+	    alt="$resource{i18n.tree.adminAudit}" border="0" immediate="true" />
+    </facet>
+
+    <dynamicTreeNode id="adminAudit"
+	    treeAdaptorClass="org.glassfish.admingui.common.tree.ListTreeAdaptor"
+	    children="#{requestScope.child}"
+	    childImageURL="/resource/common/security/images/security.gif"
+	    childExpanded="false"
+	    childURL="#{request.contextPath}/common/security/adminAudit/adminaudit.jsf?name=#{$this{valueBinding}.text}&configName=${configName}"
+	    text="$resource{i18n.tree.adminAudit}"
+	    url="#{request.contextPath}/common/security/adminAudit/adminaudit.jsf?configName=${configName}">
+	<!facet image>
+	    <sun:iconHyperlink id="treeIcon" imageURL="/resource/common/security/images/security.gif" url="#{request.contextPath}/common/security/adminAudit/adminaudit.jsf?configName=${configName}" 
+		alt="$resource{i18n.tree.adminAudit}" border="0" immediate="true" />
+	</facet>
+    </dynamicTreeNode>
 
     <dynamicTreeNode id="realms"
 	    treeAdaptorClass="org.glassfish.admingui.common.tree.ListTreeAdaptor"

appserver/admingui/common/src/main/resources/security/adminAudit/adminaudit.jsf

@@ -0,0 +1,153 @@
+<!--
+
+DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+
+   Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+
+    The contents of this file are subject to the terms of either the GNU
+    General Public License Version 2 only ("GPL") or the Common Development
+    and Distribution License("CDDL") (collectively, the "License").  You
+    may not use this file except in compliance with the License.  You can
+    obtain a copy of the License at
+    https://github.com/payara/Payara/blob/master/LICENSE.txt
+    See the License for the specific
+    language governing permissions and limitations under the License.
+
+    When distributing the software, include this License Header Notice in each
+    file and include the License file at glassfish/legal/LICENSE.txt.
+
+    GPL Classpath Exception:
+    The Payara Foundation designates this particular file as subject to the "Classpath"
+    exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+    file that accompanied this code.
+
+    Modifications:
+    If applicable, add the following below the License Header, with the fields
+    enclosed by brackets [] replaced by your own identifying information:
+    "Portions Copyright [year] [name of copyright owner]"
+
+    Contributor(s):
+    If you wish your version of this file to be governed by only the CDDL or
+    only the GPL Version 2, indicate your decision by adding "[Contributor]
+    elects to include this software in this distribution under the [CDDL or GPL
+    Version 2] license."  If you don't indicate a single choice of license, a
+    recipient has the option to distribute your version of this file under
+    either the CDDL, the GPL Version 2 or to extend the choice of license to
+    its licensees as provided above.  However, if you add GPL Version 2 code
+    and therefore, elected the GPL Version 2 license, then the option applies
+    only if the new code is made subject to such option by the copyright
+    holder.
+-->
+
+<!initPage
+    setResourceBundle(key="i18n" bundle="org.glassfish.common.admingui.Strings");
+    setResourceBundle(key="i18nc" bundle="org.glassfish.admingui.core.Strings");
+/>
+
+<!composition template="/templates/default.layout" guiTitle="$resource{i18nc.adminAudit.PageTitle}"
+    guiTemplateOnLoad="admingui.nav.refreshTree('treeForm:tree:configurations:#{pageSession.encodedConfigName}:security:adminAudit');"
+>
+<!define name="content">
+    <event>
+        <!beforeCreate
+
+        getRequestValue(key="configName" value="#{pageSession.configName}");
+         setPageSessionAttribute(key="ADMIN_AUDIT_URL", 
+                value="#{sessionScope.REST_URL}/configs/config/#{pageSession.configName}/admin-audit-configuration"); 
+
+        gf.restRequest(endpoint="#{pageSession.ADMIN_AUDIT_URL}/get-admin-audit-configuration?target=#{pageSession.configName}" method="GET" result="#{requestScope.resp}"); 
+
+        setPageSessionAttribute(key="valueMap", value="#{requestScope.resp.data.extraProperties.adminauditConfiguration}");
+        setPageSessionAttribute(key="valueNotifierMap", value="#{requestScope.resp.data.extraProperties.notifierListLOG}");
+        mapPut(map="#{pageSession.valueMap}" key="target" value="#{pageSession.configName}");
+
+        setPageSessionAttribute(key="convertToFalseList", value={"enabled", "dynamic"});
+        if (#{pageSession.valueMap['enabled']}=true) {
+            setPageSessionAttribute(key="enabledSelected", value="true");
+        }
+
+        setPageSessionAttribute(key="dynamic", value="true");
+        setPageSessionAttribute(key="hasPropertyTable" value="#{true}" );
+
+        gf.restRequest(endpoint="#{sessionScope.REST_URL}/notifier-list-services" method="GET" result="#{requestScope.respAllNotifiers}");
+        setPageSessionAttribute(key="allservices", value="#{requestScope.respAllNotifiers.data.extraProperties.avaliableServices}");
+        if (not empty "#{requestScope.respAllNotifiers.data.extraProperties.avaliableservices}"){
+            convertListToArray(list="#{requestScope.respAllNotifiers.data.extraProperties.avaliableServices}" array="#{pageSession.allNotifiersArray}");
+            gf.convertListToOptionArray(list="#{pageSession.allservices}", optionArray="#{pageSession.allNotifiers}");
+        }
+        py.sortHealthcheckEnabledNotifierStatus(specifiedNotifiers="#{requestScope.resp.data.extraProperties}" avaliableNotifiers="#{pageSession.allservices}"
+            enabled="#{pageSession.enabledNotifiersList}" disabled="#{pageSession.disabledNotifiersList}");
+        convertListToArray(list="#{pageSession.enabledNotifiersList}" array="#{pageSession.enabledNotifiersArr}");
+
+        />
+    </event>
+<sun:form id="propertyForm">
+#include "/common/shared/alertMsg.inc"
+        <!-- Page Title -->
+    <sun:title id="propertyContentPage" title="$resource{i18nc.adminaudit.Title}" helpText="$resource{i18nc.adminaudit.PageHelp}">
+                <!facet pageButtonsTop>
+        <sun:panelGroup id="topButtons">
+            <sun:button id="saveButton"  text="$resource{i18n.button.Save}"
+                        onClick="if (guiValidate('#{reqMsg}','#{reqInt}','#{reqPort}')) 
+                        submitAndDisable(this, '$resource{i18n.button.Processing}'); return false;" >
+                        <!command
+                            mapPut(map="#{pageSession.valueMap}" key="enabled" value="#{pageSession.enabledSelected}");
+                            mapPut(map="#{pageSession.valueMap}" key="dynamic" value="#{pageSession.dynamic}");
+                            mapRemove(map="#{pageSession.valueMap}" key="Audit Level");
+                            prepareSuccessfulMsg();
+                            gf.updateEntity(endpoint="#{pageSession.ADMIN_AUDIT_URL}/set-admin-audit-configuration?target=#{pageSession.configName}" 
+                            attrs="#{pageSession.valueMap}" convertToFalse="#{pageSession.convertToFalseList}");
+
+                            py.updateNotifiers(endpoint="#{pageSession.ADMIN_AUDIT_URL}" dynamic="#{pageSession.dynamic}" target="#{pageSession.configName}" 
+                                selected="#{pageSession.enabledNotifiersArr}" notifiers="#{pageSession.allNotifiersArray}");
+
+                        />
+            </sun:button>
+        </sun:panelGroup>
+        </facet>
+    </sun:title>
+    <!-- PropertySheet .... -->
+    <sun:propertySheet id="propertySheet">			 
+        <!-- Text Field section -->
+#include "/common/shared/configNameSection.inc"
+        <sun:propertySheetSection id="propertSectionTextField">
+
+            <sun:property id="enabledProp"  labelAlign="left" noWrap="#{true}" overlapLabel="#{false}" label="$resource{i18nc.adminaudit.Enabled}" helpText="$resource{i18nc.adminaudit.EnabledHelp}">
+                <sun:checkbox label="$resource{i18nc.common.Enabled}" selected="#{pageSession.enabledSelected}" selectedValue="true"/>
+            </sun:property>
+            <sun:property id="dynamicProp"  labelAlign="left" noWrap="#{true}" overlapLabel="#{false}" label="$resource{i18nc.adminaudit.Dynamic}" helpText="$resource{i18nc.adminaudit.DynamicHelp}">
+                <sun:checkbox label="$resource{i18nc.common.Enabled}" selected="#{pageSession.dynamic}" selectedValue="true"/>
+            </sun:property>
+            <sun:property id="auditLevelProp" labelAlign="left" noWrap="#{true}" overlapLabel="#{false}" label="$resource{i18nc.adminaudit.UnitLabel}" helpText="$resource{i18nc.adminaudit.UnitLabelHelp}">
+                <sun:dropDown id="unitDropdown" selected="#{pageSession.valueMap['auditLevel']}" 
+                              labels={"MODIFIERS","ACCESSORS","INTERNAL"} />
+            </sun:property>   
+            "<br /><br />
+        </sun:propertySheetSection>
+
+        <sun:propertySheetSection id="notifiers">
+            <sun:property id="avaliableNotifiers" labelAlign="left" noWrap="#{true}" overlapLabel="#{true}">
+                <sun:addRemove id="notifiersAddRemove"
+                               selectAll="$boolean{true}"
+                               items="#{pageSession.allNotifiers}"
+                               selected="#{pageSession.enabledNotifiersArr}"
+                               availableItemsLabel="$resource{i18nc.adminaudit.configuration.availableNotifiers}"
+                               selectedItemsLabel="$resource{i18nc.adminaudit.configuration.selectedNotifiers}">
+                </sun:addRemove>
+            </sun:property>
+
+            <sun:property>
+                <sun:staticText text="$resource{i18nc.adminaudit.link.to.notification.page.text.prefix}" />
+                <sun:hyperlink
+                    toolTip="$resource{i18nc.adminaudit.link.to.notification.page.text}"
+                    url="/payaraExtras/notification/notification.jsf?configName=#{configName}">
+                    <sun:staticText text="$resource{i18nc.adminaudit.link.to.notification.page.text}" />
+                </sun:hyperlink>
+                <sun:staticText text="$resource{i18nc.adminaudit.link.to.notification.page.text.suffix}" />
+            </sun:property>      
+        </sun:propertySheetSection>
+    </sun:propertySheet>
+    <sun:hidden id="helpKey" value="$resource{help_common.auditModules}" />
+</sun:form>
+</define>
+</composition>

appserver/admingui/core/src/main/resources/org/glassfish/admingui/core/Strings.properties

@@ -131,6 +131,7 @@ tree.security=Security
 tree.security.tooltip=Security
 tree.availabilityService=Availability Service
 tree.availabilityService.tooltip=Availability Service
+tree.adminAudit=Admin Audit
 tree.realms=Realms
 tree.jaccProviders=JACC Providers
 tree.auditModules=Audit Modules
@@ -1203,3 +1204,25 @@ cdi.cdiServicePageTitle=CDI Service Configuration
 cdi.cdiServicePageTitleHelp=
 cdi.implicitScanning=Implicit CDI Scanning
 cdi.implicitScanningHelp=
+
+# Admin audit service
+adminaudit.PageTitle=Admin Audit Service
+adminaudit.PageHelp=Admin AuditPageHelp
+adminAudit.PageTitle=Admin Audit
+adminaudit.PageHelp=Options for the admin commands audit system
+adminAudit.Title=AdminAudit
+adminaudit.Title=Admin Audit
+adminAudit.PageTitle=Admin Audit
+adminaudit.PageHelp=Options for the admin commands audit system
+adminaudit.Title=Admin Audit
+adminaudit.Enabled=Enabled
+adminaudit.EnabledHelp=Enable the admin audit service
+adminaudit.Dynamic=Dynamic
+adminaudit.DynamicHelp=Make the changes take effect immediately
+adminaudit.UnitLabel=Audit Level
+adminaudit.UnitLabelHelp=The level of admin commands to audit
+adminaudit.configuration.availableNotifiers=Available Notifiers
+adminaudit.configuration.selectedNotifiers=Selected Notifiers
+adminaudit.link.to.notification.page.text.prefix=Selected Notifiers need to be enabled also in the 
+adminaudit.link.to.notification.page.text=Notification Service 
+adminaudit.link.to.notification.page.text.suffix=to receive notifications.

appserver/admingui/core/src/main/resources/templates/menu.inc

@@ -39,6 +39,7 @@
     holder.
 
 -->
+<!-- Portions Copyright [2019] Payara Foundation and/or affiliates -->
 
 <sc:subMenu value="Deploy" id="deployMenu">
 <sc:menuItem value="Web Application" url="#{request.contextPath}/web/webApp/upload.jsf?appType=webApp" />
@@ -77,6 +78,7 @@
     <sc:subMenu value="Security">
 	    <sc:menuItem value="Security Settings" url="#{request.contextPath}/common/security/security.jsf" />
 	    <sc:menuItem value="Realms" url="#{request.contextPath}/common/security/realms/realms.jsf" />
+            <sc:menuItem value="Admin Audit" url="#{request.contextPath}/common/security/adminAudit/adminAudit.jsf" />
 	    <sc:menuItem value="Audit Modules" url="#{request.contextPath}/common/security/auditModules/auditModules.jsf" />
 	    <sc:menuItem value="JACC Providers" url="#{request.contextPath}/layouttest.jsf?page=JACC+Providers" />
 	    <sc:menuItem value="Thread Pools" url="#{request.contextPath}/layouttest.jsf?page=Thread+Pools" />

appserver/admingui/payara-console-extras/src/main/java/fish/payara/admingui/extras/rest/PayaraRestApiHandlers.java

@@ -1,5 +1,5 @@
 /* 
- *     Copyright (c) [2016-2018] Payara Foundation and/or its affiliates. All rights reserved.
+ *     Copyright (c) [2016-2019] Payara Foundation and/or its affiliates. All rights reserved.
  * 
  *     The contents of this file are subject to the terms of either the GNU
  *     General Public License Version 2 only ("GPL") or the Common Development
@@ -574,10 +574,12 @@ public static void updateNotifiers(HandlerContext handlerCtx) {
         boolean forRequestTracing = false;
         boolean forHealthCheck = false;
         boolean forMonitoring = false;
+        boolean forAdminAudit = false;
 
         for (String notifier : notifiers){
             String name = notifier.split("-")[1];
             String restEndpoint;
+            Map<String, Object> attributes = new HashMap<>();
             if (endpoint.contains("request-tracing-service-configuration")){
                 restEndpoint = endpoint + "/requesttracing-" + name + "-notifier-configure";
                 forRequestTracing = true;
@@ -587,21 +589,29 @@ public static void updateNotifiers(HandlerContext handlerCtx) {
             } else if (endpoint.contains("monitoring-service-configuration")){
                 restEndpoint = endpoint + "/monitoring-" + name + "-notifier-configure";
                 forMonitoring = true;
+            } else if (endpoint.contains("admin-audit-configuration")) {
+                restEndpoint = endpoint + "/set-admin-audit-service-notifier-configuration";
+                attributes.put("notifier", name);
+                forAdminAudit = true;
             } else {
                 //Unknown service being configured
                 throw new UnknownConfigurationException();
             }
 
-            HashMap<String, Object> attrs = new HashMap<>();
+
             if (enabledNotifiers.contains(notifier)){
-                attrs.put("enabled", "true");                
+                attributes.put("enabled", "true");                
+            } else {
+                attributes.put("enabled", "false");
+            }
+            if (!forAdminAudit) {
+                //PAYARA-1616 go silent, bootstrap will take place after iteration.
+                attributes.put("dynamic", "false");
             } else {
-                attrs.put("enabled", "false");
+                attributes.put("dynamic", "true");
             }
-            //PAYARA-1616 go silent, bootstrap will take place after iteration.
-            attrs.put("dynamic", "false");
-            attrs.put("target", target);
-            RestUtil.restRequest(restEndpoint, attrs, "post", handlerCtx, quiet, throwException);
+            attributes.put("target", target);
+            RestUtil.restRequest(restEndpoint, attributes, "post", handlerCtx, quiet, throwException);
         }
         // PAYARA-1616
         // manually bootstrap healthCheck and requestTracing services for once so that it doesn't get bootstrapped each time for enabled notifier.
@@ -814,4 +824,4 @@ public static void createDeploymentGroupInstances(HandlerContext handlerCtx) {
         }
 
     }
-}
+}

appserver/payara-appserver-modules/notification-datadog-core/src/main/java/fish/payara/notification/datadog/DatadogNotifierService.java

@@ -1,7 +1,7 @@
 /*
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *
- * Copyright (c) 2017 Payara Foundation and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017-2019 Payara Foundation and/or its affiliates. All rights reserved.
  *
  * The contents of this file are subject to the terms of either the GNU
  * General Public License Version 2 only ("GPL") or the Common Development
@@ -66,7 +66,7 @@ public class DatadogNotifierService extends QueueBasedNotifierService<DatadogNot
     @Override
     @Subscribe
     public void handleNotification(DatadogNotificationEvent event) {
-        if (executionOptions.isEnabled()) {
+        if (executionOptions != null && executionOptions.isEnabled()) {
             DatadogMessage message = new DatadogMessage(event, event.getSubject(), event.getMessage());
             queue.addMessage(message);
         }

nucleus/admin/rest/rest-service/pom.xml

@@ -153,6 +153,11 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>fish.payara.payara-modules</groupId>
+            <artifactId>asadmin-audit</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>fish.payara.payara-modules</groupId>
             <artifactId>asadmin-recorder</artifactId>