Enable and disable functionality for token admins

f1a038b0 · michael.simon · f184beb1 · f1a038b0 · f1a038b0 · f1a038b0
Commit f1a038b0 authored Aug 19, 2020 by michael.simon
--- a/bwreg-service/src/main/java/edu/kit/scc/webreg/audit/TokenAuditor.java
+++ b/bwreg-service/src/main/java/edu/kit/scc/webreg/audit/TokenAuditor.java
+/*******************************************************************************
+ * Copyright (c) 2014 Michael Simon.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the GNU Public License v3.0
+ * which accompanies this distribution, and is available at
+ * http://www.gnu.org/licenses/gpl.html
+ * 
+ * Contributors:
+ *     Michael Simon - initial
+ ******************************************************************************/
+package edu.kit.scc.webreg.audit;
+
+import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
+import edu.kit.scc.webreg.dao.audit.AuditDetailDao;
+import edu.kit.scc.webreg.dao.audit.AuditEntryDao;
+import edu.kit.scc.webreg.entity.UserEntity;
+import edu.kit.scc.webreg.entity.audit.AuditUserEntity;
+
+public class TokenAuditor extends AbstractAuditor<AuditUserEntity> {
+
+	private static final long serialVersionUID = 1L;
+
+	public TokenAuditor(AuditEntryDao auditEntryDao,
+			AuditDetailDao auditDetailDao, ApplicationConfig appConfig) {
+
+		super(auditEntryDao, auditDetailDao, appConfig);
+	}
+
+	public void setUser(UserEntity entity) {
+		audit.setUser(entity);
+	}
+
+	@Override
+	protected AuditUserEntity newInstance() {
+		return new AuditUserEntity();
+	}
+}
--- a/bwreg-service/src/main/java/edu/kit/scc/webreg/service/twofa/TwoFaServiceImpl.java
+++ b/bwreg-service/src/main/java/edu/kit/scc/webreg/service/twofa/TwoFaServiceImpl.java
@@ -9,9 +9,14 @@ import javax.inject.Inject;

 import org.slf4j.Logger;

+import edu.kit.scc.webreg.audit.TokenAuditor;
+import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
 import edu.kit.scc.webreg.dao.UserDao;
+import edu.kit.scc.webreg.dao.audit.AuditDetailDao;
+import edu.kit.scc.webreg.dao.audit.AuditEntryDao;
 import edu.kit.scc.webreg.entity.EventType;
 import edu.kit.scc.webreg.entity.UserEntity;
+import edu.kit.scc.webreg.entity.audit.AuditStatus;
 import edu.kit.scc.webreg.event.EventSubmitter;
 import edu.kit.scc.webreg.event.TokenEvent;
 import edu.kit.scc.webreg.exc.EventSubmitException;
@@ -39,6 +44,15 @@ public class TwoFaServiceImpl implements TwoFaService {
 	@Inject
 	private EventSubmitter eventSubmitter;
 	
+	@Inject
+	private AuditEntryDao auditEntryDao;
+
+	@Inject
+	private AuditDetailDao auditDetailDao;
+
+	@Inject
+	private ApplicationConfig appConfig;
+
 	@Override
 	public LinotpTokenResultList findByUserId(Long userId) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
@@ -110,11 +124,19 @@ public class TwoFaServiceImpl implements TwoFaService {
 	public LinotpSetFieldResult initToken(Long userId, String serial, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
 		
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-InitToken-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Init token " + serial + " for user " + user.getEppn());
+		
 		Map<String, String> configMap = configResolver.resolveConfig(user);

 		LinotpConnection linotpConnection = new LinotpConnection(configMap);
 		linotpConnection.requestAdminSession();
 		LinotpSetFieldResult response = linotpConnection.initToken(serial);
+	
+		auditor.logAction(user.getEppn(), "INIT TOTP TOKEN", "serial-" + serial, "", AuditStatus.SUCCESS);
 		
 		HashMap<String, Object> eventMap = new HashMap<String, Object>();
 		eventMap.put("user", user);
@@ -127,13 +149,21 @@ public class TwoFaServiceImpl implements TwoFaService {
 			logger.warn("Could not submit event", e);
 		}

+		auditor.finishAuditTrail();
+		
 		return response;
 	}
 	
 	@Override
 	public LinotpInitAuthenticatorTokenResponse createAuthenticatorToken(Long userId, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
-		
+
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-CreateAuthenticatorToken-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Creating authenticator token for user " + user.getEppn());
+
 		Map<String, String> configMap = configResolver.resolveConfig(user);

 		LinotpConnection linotpConnection = new LinotpConnection(configMap);
@@ -142,7 +172,9 @@ public class TwoFaServiceImpl implements TwoFaService {
 		LinotpInitAuthenticatorTokenResponse response = linotpConnection.createAuthenticatorToken(user);
 		
 		if (response.getResult().isStatus() && response.getResult().isValue()) {
-			// Token succeful created
+			// Token successfully created
+
+			auditor.logAction(user.getEppn(), "CREATE TOTP TOKEN", "serial-" + response.getDetail().getSerial(), "", AuditStatus.SUCCESS);
 			
 			HashMap<String, Object> eventMap = new HashMap<String, Object>();
 			eventMap.put("user", user);
@@ -158,9 +190,15 @@ public class TwoFaServiceImpl implements TwoFaService {
 			
 			// Disable it for once
 			linotpConnection.disableToken(response.getDetail().getSerial());
+			
+			auditor.logAction(user.getEppn(), "DISABLE TOTP TOKEN", "serial-" + response.getDetail().getSerial(), "", AuditStatus.SUCCESS);
+			auditor.finishAuditTrail();
+
 			return response;
 		}
 		else {
+			auditor.logAction(user.getEppn(), "CREATE TOTP TOKEN", "", "", AuditStatus.FAIL);
+			auditor.finishAuditTrail();
 			throw new TwoFaException("Token generation did not succeed!");
 		}
 	}
@@ -168,7 +206,13 @@ public class TwoFaServiceImpl implements TwoFaService {
 	@Override
 	public LinotpInitAuthenticatorTokenResponse createYubicoToken(Long userId, String yubi, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
-		
+
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-CreateYubicoToken-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Creating yubico token for user " + user.getEppn());
+
 		Map<String, String> configMap = configResolver.resolveConfig(user);

 		LinotpConnection linotpConnection = new LinotpConnection(configMap);
@@ -177,9 +221,13 @@ public class TwoFaServiceImpl implements TwoFaService {
 		LinotpInitAuthenticatorTokenResponse response = linotpConnection.createYubicoToken(user, yubi);
 		
 		if (response == null) {
+			auditor.logAction(user.getEppn(), "CREATE YUBICO TOKEN", "", "", AuditStatus.FAIL);
+			auditor.finishAuditTrail();
 			throw new TwoFaException("Token generation did not succeed!");
 		}

+		auditor.logAction(user.getEppn(), "CREATE YUBICO TOKEN", "serial-" + response.getDetail().getSerial(), "", AuditStatus.SUCCESS);
+
 		HashMap<String, Object> eventMap = new HashMap<String, Object>();
 		eventMap.put("user", user);
 		eventMap.put("respone", response);
@@ -192,13 +240,20 @@ public class TwoFaServiceImpl implements TwoFaService {
 			logger.warn("Could not submit event", e);
 		}

+		auditor.finishAuditTrail();
 		return response;
 	}

 	@Override
 	public LinotpInitAuthenticatorTokenResponse createBackupTanList(Long userId, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
-		
+
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-CreateBackupTanList-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Creating backup tan list for user " + user.getEppn());
+
 		Map<String, String> configMap = configResolver.resolveConfig(user);

 		LinotpConnection linotpConnection = new LinotpConnection(configMap);
@@ -207,9 +262,13 @@ public class TwoFaServiceImpl implements TwoFaService {
 		LinotpInitAuthenticatorTokenResponse response = linotpConnection.createBackupTanList(user);
 		
 		if (response == null) {
+			auditor.logAction(user.getEppn(), "CREATE BACKUP TAN LIST", "", "", AuditStatus.FAIL);
+			auditor.finishAuditTrail();
 			throw new TwoFaException("Token generation did not succeed!");
 		}

+		auditor.logAction(user.getEppn(), "CREATE BACKUP TAN LIST", "serial-" + response.getDetail().getSerial(), "", AuditStatus.SUCCESS);
+
 		HashMap<String, Object> eventMap = new HashMap<String, Object>();
 		eventMap.put("user", user);
 		eventMap.put("respone", response);
@@ -222,6 +281,8 @@ public class TwoFaServiceImpl implements TwoFaService {
 			logger.warn("Could not submit event", e);
 		}

+		auditor.finishAuditTrail();
+
 		return response;
 	}

@@ -250,12 +311,20 @@ public class TwoFaServiceImpl implements TwoFaService {
 	@Override
 	public LinotpSimpleResponse disableToken(Long userId, String serial, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
-		
+
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-DisableToken-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Disable token " + serial + " for user " + user.getEppn());
+
 		Map<String, String> configMap = configResolver.resolveConfig(user);

 		LinotpConnection linotpConnection = new LinotpConnection(configMap);
 		linotpConnection.requestAdminSession();
 		LinotpSimpleResponse response = linotpConnection.disableToken(serial);
+
+		auditor.logAction(user.getEppn(), "DISABLE TOKEN", "serial-" + serial, "", AuditStatus.SUCCESS);
 		
 		HashMap<String, Object> eventMap = new HashMap<String, Object>();
 		eventMap.put("user", user);
@@ -267,6 +336,8 @@ public class TwoFaServiceImpl implements TwoFaService {
 		} catch (EventSubmitException e) {
 			logger.warn("Could not submit event", e);
 		}
+
+		auditor.finishAuditTrail();
 		
 		return response;
 	}
@@ -274,13 +345,21 @@ public class TwoFaServiceImpl implements TwoFaService {
 	@Override
 	public LinotpSimpleResponse enableToken(Long userId, String serial, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
-		
+
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-EnableToken-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Enable token " + serial + " for user " + user.getEppn());
+
 		Map<String, String> configMap = configResolver.resolveConfig(user);

 		LinotpConnection linotpConnection = new LinotpConnection(configMap);
 		linotpConnection.requestAdminSession();
 		LinotpSimpleResponse response = linotpConnection.enableToken(serial);
-		
+
+		auditor.logAction(user.getEppn(), "ENABLE TOKEN", "serial-" + serial, "", AuditStatus.SUCCESS);
+
 		HashMap<String, Object> eventMap = new HashMap<String, Object>();
 		eventMap.put("user", user);
 		eventMap.put("respone", response);
@@ -292,12 +371,20 @@ public class TwoFaServiceImpl implements TwoFaService {
 			logger.warn("Could not submit event", e);
 		}

+		auditor.finishAuditTrail();
+		
 		return response;
 	}
 	
 	@Override
 	public LinotpSimpleResponse deleteToken(Long userId, String serial, String executor) throws TwoFaException {
 		UserEntity user = userDao.findById(userId);
+
+		TokenAuditor auditor = new TokenAuditor(auditEntryDao, auditDetailDao, appConfig);
+		auditor.startAuditTrail(executor, true);
+		auditor.setName(this.getClass().getName() + "-DeleteToken-Audit");
+		auditor.setUser(user);
+		auditor.setDetail("Delete token " + serial + " for user " + user.getEppn());
 		
 		Map<String, String> configMap = configResolver.resolveConfig(user);

@@ -305,6 +392,8 @@ public class TwoFaServiceImpl implements TwoFaService {
 		linotpConnection.requestAdminSession();
 		LinotpSimpleResponse response = linotpConnection.deleteToken(serial);

+		auditor.logAction(user.getEppn(), "DELETE TOKEN", "serial-" + serial, "", AuditStatus.SUCCESS);
+
 		HashMap<String, Object> eventMap = new HashMap<String, Object>();
 		eventMap.put("user", user);
 		eventMap.put("respone", response);
@@ -316,6 +405,8 @@ public class TwoFaServiceImpl implements TwoFaService {
 			logger.warn("Could not submit event", e);
 		}

+		auditor.finishAuditTrail();
+
 		return response;
 	}
 	

--- a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/TwoFaUserBean.java
+++ b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/TwoFaUserBean.java
@@ -225,7 +225,7 @@ public class TwoFaUserBean implements Serializable {
 				tokenList = twoFaService.findByUserId(sessionManager.getUserId());
 				if ((response.getResult() != null) && response.getResult().isStatus() &&
 						response.getResult().isValue()) {
-					messageGenerator.addInfoMessage("Info", "Token " + serial + " disable");
+					messageGenerator.addInfoMessage("Info", "Token " + serial + " disabled");
 				}
 				else {
 					messageGenerator.addWarningMessage("Warn", "Token " + serial + " could not be disable");

--- a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/tadm/TokenAdminIndexBean.java
+++ b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/tadm/TokenAdminIndexBean.java
@@ -20,6 +20,8 @@ import javax.faces.bean.ViewScoped;
 import javax.faces.event.ComponentSystemEvent;
 import javax.inject.Inject;

+import org.slf4j.Logger;
+
 import edu.kit.scc.webreg.dao.GenericSortOrder;
 import edu.kit.scc.webreg.dao.ops.MultipathOrPredicate;
 import edu.kit.scc.webreg.dao.ops.OrPredicate;
@@ -29,6 +31,7 @@ import edu.kit.scc.webreg.sec.AuthorizationBean;
 import edu.kit.scc.webreg.service.UserService;
 import edu.kit.scc.webreg.service.twofa.TwoFaException;
 import edu.kit.scc.webreg.service.twofa.TwoFaService;
+import edu.kit.scc.webreg.service.twofa.linotp.LinotpSimpleResponse;
 import edu.kit.scc.webreg.service.twofa.linotp.LinotpTokenResultList;
 import edu.kit.scc.webreg.session.SessionManager;
 import edu.kit.scc.webreg.util.FacesMessageGenerator;
@@ -39,6 +42,9 @@ public class TokenAdminIndexBean implements Serializable {

 	private static final long serialVersionUID = 1L;

+ 	@Inject
+ 	private Logger logger;
+ 	
 	@Inject
 	private UserService userService;
 	
@@ -94,6 +100,44 @@ public class TokenAdminIndexBean implements Serializable {
 		));
 		return userService.findAllPaging(0, 10, "eppn", GenericSortOrder.ASC, filterMap);
 	}
+
+	public void enableToken(String serial) {
+		if (! getReadOnly()) {
+			try {
+				LinotpSimpleResponse response = twoFaService.enableToken(selectedUser.getId(), serial, "user-" + session.getUserId());
+				userTokenList = twoFaService.findByUserId(selectedUser.getId());
+				if ((response.getResult() != null) && response.getResult().isStatus() &&
+						response.getResult().isValue()) {
+					messageGenerator.addInfoMessage("Info", "Token " + serial + " enabled");
+				}
+				else {
+					messageGenerator.addWarningMessage("Warn", "Token " + serial + " could not be enabled");
+				}
+			} catch (TwoFaException e) {
+				logger.warn("TwoFaException", e);
+				messageGenerator.addErrorMessage("Error", e.toString());
+			}
+		}
+	}
+
+	public void disableToken(String serial) {
+		if (! getReadOnly()) {
+			try {
+				LinotpSimpleResponse response = twoFaService.disableToken(selectedUser.getId(), serial, "user-" + session.getUserId());
+				userTokenList = twoFaService.findByUserId(selectedUser.getId());
+				if ((response.getResult() != null) && response.getResult().isStatus() &&
+						response.getResult().isValue()) {
+					messageGenerator.addInfoMessage("Info", "Token " + serial + " disabled");
+				}
+				else {
+					messageGenerator.addWarningMessage("Warn", "Token " + serial + " could not be disable");
+				}
+			} catch (TwoFaException e) {
+				logger.warn("TwoFaException", e);
+				messageGenerator.addErrorMessage("Error", e.toString());
+			}
+		}
+	}
 	
 	public Boolean getReadOnly() {
 		if (userTokenList != null)

--- a/bwreg-webapp/src/main/webapp/token-admin/index.xhtml
+++ b/bwreg-webapp/src/main/webapp/token-admin/index.xhtml
@@ -43,7 +43,7 @@
 		                <h:outputText value="#{u.givenName}" />
 		            </p:column>
 		        </p:autoComplete>
-						
+				<p:focus for="userAutocompl" />
 			</p:panelGrid>
 		
 			<p:outputPanel style="margin-bottom: 16px;">
@@ -88,17 +88,10 @@
 							<p:panel style="margin: 8px;" rendered="#{! token.isactive and (token.tokenDesc.contains('INIT'))}">
 								<h:outputText value="#{messages.twofa_token_not_init}" style="color:red;" />
 							</p:panel>
-							<p:commandButton action="#{twoFaUserBean.disableToken(token.serial)}" value="#{messages.disable}" 
+							<p:commandButton action="#{tokenAdminIndexBean.disableToken(token.serial)}" value="#{messages.disable}" 
 								update="@form" rendered="#{token.isactive}"/>
-							<p:commandButton action="#{twoFaUserBean.enableToken(token.serial)}" value="#{messages.enable}" 
+							<p:commandButton action="#{tokenAdminIndexBean.enableToken(token.serial)}" value="#{messages.enable}" 
 								update="@form" rendered="#{! token.isactive and (! token.tokenDesc.contains('INIT'))}"/>
-							<p:commandButton action="#{twoFaUserBean.deleteToken(token.serial)}" value="#{messages.delete}" 
-								update="@form" rendered="#{! token.isactive and (token.tokenDesc.contains('DELABLE'))}" style="color:red;">
-								<p:confirm header="#{messages.confirm_header}" message="#{messages.confirm}" />
-							</p:commandButton>
-							<p:commandButton action="#{twoFaUserBean.getBackupTanList(token.serial)}" value="#{messages.token_get_tanlist_values}" 
-								update="@form" rendered="#{token.isactive and token.tokenType == 'HMAC'}"
-								oncomplete="PF('showBackupTanDlg').show();"/>
 						</p:outputPanel>
 					</p:panelGrid>
 				</p:panel>