CommonAuditHttpAccessAuditFilter.java

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
 * or http://forgerock.org/license/CDDLv1.0.html.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at legal-notices/CDDLv1_0.txt.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2013-2015 ForgeRock AS
 */
package org.opends.server.protocols.http;

import static org.forgerock.audit.events.AccessAuditEventBuilder.accessEvent;
import static org.forgerock.json.resource.Requests.newCreateRequest;
import static org.forgerock.json.resource.ResourcePath.resourcePath;

import java.util.concurrent.TimeUnit;

import org.forgerock.audit.events.AccessAuditEventBuilder;
import org.forgerock.http.Filter;
import org.forgerock.http.Handler;
import org.forgerock.http.MutableUri;
import org.forgerock.http.protocol.Form;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.http.protocol.Status;
import org.forgerock.json.resource.CreateRequest;
import org.forgerock.json.resource.RequestHandler;
import org.forgerock.services.context.ClientContext;
import org.forgerock.services.context.Context;
import org.forgerock.services.context.RequestAuditContext;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.PromiseImpl;
import org.forgerock.util.promise.ResultHandler;
import org.forgerock.util.promise.RuntimeExceptionHandler;
import org.forgerock.util.time.TimeService;

/**
 * This filter aims to send some access audit events to the AuditService managed as a CREST handler.
 */
public class CommonAuditHttpAccessAuditFilter implements Filter {

    private static Response newInternalServerError() {
        return new Response(Status.INTERNAL_SERVER_ERROR);

    }

    private final RequestHandler auditServiceHandler;
    private final TimeService time;
    private final String productName;

    /**
     * Constructs a new HttpAccessAuditFilter.
     *
     * @param productName The name of product generating the event.
     * @param auditServiceHandler The {@link RequestHandler} to publish the events.
     * @param time The {@link TimeService} to use.
     */
    public CommonAuditHttpAccessAuditFilter(String productName, RequestHandler auditServiceHandler, TimeService time) {
        this.productName = productName;
        this.auditServiceHandler = auditServiceHandler;
        this.time = time;
    }

    @Override
    public Promise<Response, NeverThrowsException> filter(Context context, Request request, Handler next) {
        ClientContext clientContext = context.asContext(ClientContext.class);

        AccessAuditEventBuilder<?> accessAuditEventBuilder = accessEvent();

        String protocol = clientContext.isSecure() ? "HTTPS" : "HTTP";
        accessAuditEventBuilder
                .eventName(productName + "-" + protocol + "-ACCESS")
                .timestamp(time.now())
                .transactionIdFromContext(context)
                .serverFromContext(clientContext)
                .clientFromContext(clientContext)
                .httpRequest(clientContext.isSecure(),
                             request.getMethod(),
                             getRequestPath(request.getUri()),
                             new Form().fromRequestQuery(request),
                             request.getHeaders().copyAsMultiMapOfStrings());

        final PromiseImpl<Response, NeverThrowsException> promiseImpl = PromiseImpl.create();
        try {
            next.handle(context, request)
                    .thenOnResult(onResult(context, accessAuditEventBuilder, promiseImpl))
                    .thenOnRuntimeException(
                            onRuntimeException(context, accessAuditEventBuilder, promiseImpl));
        } catch (RuntimeException e) {
            onRuntimeException(context, accessAuditEventBuilder, promiseImpl).handleRuntimeException(e);
        }

        return promiseImpl;
    }

    // See HttpContext.getRequestPath
    private String getRequestPath(MutableUri uri) {
        return new StringBuilder()
            .append(uri.getScheme())
            .append("://")
            .append(uri.getRawAuthority())
            .append(uri.getRawPath()).toString();
    }

    private ResultHandler<? super Response> onResult(final Context context,
                                                     final AccessAuditEventBuilder<?> accessAuditEventBuilder,
                                                     final PromiseImpl<Response, NeverThrowsException> promiseImpl) {
        return new ResultHandler<Response>() {
            @Override
            public void handleResult(Response response) {
                sendAuditEvent(response, context, accessAuditEventBuilder);
                promiseImpl.handleResult(response);
            }

        };
    }

    private RuntimeExceptionHandler onRuntimeException(final Context context,
            final AccessAuditEventBuilder<?> accessAuditEventBuilder,
            final PromiseImpl<Response, NeverThrowsException> promiseImpl) {
        return new RuntimeExceptionHandler() {
            @Override
            public void handleRuntimeException(RuntimeException exception) {
                // TODO How to be sure that the final status code sent back with the response will be a 500 ?
                final Response errorResponse = newInternalServerError();
                sendAuditEvent(errorResponse, context, accessAuditEventBuilder);
                promiseImpl.handleResult(errorResponse.setCause(exception));
            }
        };
    }

    private void sendAuditEvent(final Response response,
                                final Context context,
                                final AccessAuditEventBuilder<?> accessAuditEventBuilder) {
        RequestAuditContext requestAuditContext = context.asContext(RequestAuditContext.class);
        long elapsedTime = time.now() - requestAuditContext.getRequestReceivedTime();
        accessAuditEventBuilder.httpResponse(response.getHeaders().copyAsMultiMapOfStrings());
        accessAuditEventBuilder.response(mapResponseStatus(response.getStatus()),
                                         String.valueOf(response.getStatus().getCode()),
                                         elapsedTime,
                                         TimeUnit.MILLISECONDS);

        CreateRequest request =
            newCreateRequest(resourcePath("/http-access"), accessAuditEventBuilder.toEvent().getValue());
        auditServiceHandler.handleCreate(context, request);
    }

    private static AccessAuditEventBuilder.ResponseStatus mapResponseStatus(Status status) {
        switch(status.getFamily()) {
        case CLIENT_ERROR:
        case SERVER_ERROR:
            return AccessAuditEventBuilder.ResponseStatus.FAILED;
        default:
            return AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL;
        }
    }
}