Logging Architecture Updates (JAVA)

Updating the Logging implementation for Java to match the SLF4J class
structures.

Author: jeremiahjstacey

src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java

@@ -0,0 +1,44 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+package org.owasp.esapi.logging.java;
+
+import java.util.logging.Logger;
+
+import org.owasp.esapi.Logger.EventType;
+
+/**
+ * Contract for translating an ESAPI log event into an Java log event.
+ * 
+ */
+public interface JavaLogBridge {
+    /**
+     * Translation for the provided ESAPI level, type, and message to the specified Java Logger.
+     * @param logger Logger to receive the translated message.
+     * @param esapiLevel ESAPI level of event.
+     * @param type ESAPI event type
+     * @param message ESAPI event message content.
+     */
+    void log(Logger logger, int esapiLevel, EventType type, String message) ;
+    /**
+     * Translation for the provided ESAPI level, type, message, and Throwable to the specified Java Logger.
+     * @param logger Logger to receive the translated message.
+     * @param esapiLevel ESAPI level of event.
+     * @param type ESAPI event type
+     * @param message ESAPI event message content.
+     * @param throwable ESAPI event Throwable content
+     */
+    void log(Logger logger, int esapiLevel, EventType type, String message, Throwable throwable) ;
+      
+}

src/main/java/org/owasp/esapi/logging/java/JavaLogBridgeImpl.java

@@ -0,0 +1,75 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+
+package org.owasp.esapi.logging.java;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.logging.Logger;
+
+import org.owasp.esapi.Logger.EventType;
+import org.owasp.esapi.logging.appender.LogAppender;
+import org.owasp.esapi.logging.cleaning.LogScrubber;
+
+/**
+ * Implementation which is intended to bridge the ESAPI Logging API into Java supported Object structures.
+ *
+ */
+public class JavaLogBridgeImpl implements JavaLogBridge {
+    /** Configuration providing associations between esapi log levels and Java levels.*/
+    private final Map<Integer,JavaLogLevelHandler> esapiJavaLevelMap;
+    /** Cleaner used for log content.*/
+    private final LogScrubber scrubber;
+    /** Appender used for assembling default message content for all logs.*/
+    private final LogAppender appender;
+    
+    /**
+     * Constructor.
+     * @param logScrubber  Log message cleaner.
+     * @param esapiJavaHandlerMap Map identifying ESAPI -> Java log level associations.
+     */
+    public JavaLogBridgeImpl(LogAppender messageAppender, LogScrubber logScrubber, Map<Integer, JavaLogLevelHandler> esapiJavaHandlerMap) {
+        //Defensive copy to prevent external mutations.
+        this.esapiJavaLevelMap = new HashMap<>(esapiJavaHandlerMap);
+        this.scrubber = logScrubber;
+        this.appender = messageAppender;
+    }
+    @Override
+    public void log(Logger logger, int esapiLevel, EventType type, String message) {
+        JavaLogLevelHandler handler = esapiJavaLevelMap.get(esapiLevel);
+        if (handler == null) {
+            throw new IllegalArgumentException("Unable to lookup Java level mapping for esapi value of " + esapiLevel);
+        }
+        if (handler.isEnabled(logger)) {
+        	String fullMessage = appender.appendTo(logger.getName(), type, message);
+            String cleanString = scrubber.cleanMessage(fullMessage);
+            
+            handler.log(logger, cleanString);
+        }
+    }
+    @Override
+    public void log(Logger logger, int esapiLevel, EventType type, String message, Throwable throwable) {
+        JavaLogLevelHandler handler = esapiJavaLevelMap.get(esapiLevel);
+        if (handler == null) {
+            throw new IllegalArgumentException("Unable to lookup Java level mapping for esapi value of " + esapiLevel);
+        }
+        if (handler.isEnabled(logger)) {
+        	String fullMessage = appender.appendTo(logger.getName(), type, message);
+            String cleanString = scrubber.cleanMessage(fullMessage);
+
+            handler.log(logger, cleanString, throwable);
+        }
+    }
+}

src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java

@@ -1,69 +1,115 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
 package org.owasp.esapi.logging.java;
 
-import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
+import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.LogFactory;
 import org.owasp.esapi.Logger;
-
+import org.owasp.esapi.codecs.HTMLEntityCodec;
+import org.owasp.esapi.logging.appender.LogAppender;
+import org.owasp.esapi.logging.appender.LogPrefixAppender;
+import org.owasp.esapi.logging.cleaning.CodecLogScrubber;
+import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
+import org.owasp.esapi.logging.cleaning.LogScrubber;
+import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
+import org.owasp.esapi.reference.DefaultSecurityConfiguration;
 /**
- * Reference implementation of the LogFactory and Logger interfaces. This implementation uses the Java logging package, and marks each
- * log message with the currently logged in user and the word "SECURITY" for security related events. See the 
- * <a href="JavaLogFactory.JavaLogger.html">JavaLogFactory.JavaLogger</a> Javadocs for the details on the JavaLogger reference implementation.
- * 
- * @author Mike Fauzy ([email protected]) <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @since June 1, 2007
- * @see org.owasp.esapi.LogFactory
- * @see org.owasp.esapi.logging.java.JavaLogFactory.JavaLogger
+ * LogFactory implementation which creates JAVA supporting Loggers.
+ *
  */
 public class JavaLogFactory implements LogFactory {
-	private static volatile LogFactory singletonInstance;
-
-    public static LogFactory getInstance() {
-        if ( singletonInstance == null ) {
-            synchronized ( JavaLogFactory.class ) {
-                if ( singletonInstance == null ) {
-                    singletonInstance = new JavaLogFactory();
-                }
-            }
-        }
-        return singletonInstance;
+    /** Immune characters for the codec log scrubber for JAVA context.*/
+    private static final char[] IMMUNE_JAVA_HTML = {',', '.', '-', '_', ' ' };
+    /** Codec being used to clean messages for logging.*/
+    private static final HTMLEntityCodec HTML_CODEC = new HTMLEntityCodec();
+    /** Log appender instance.*/
+    private static LogAppender JAVA_LOG_APPENDER;
+    /** Log cleaner instance.*/
+    private static LogScrubber JAVA_LOG_SCRUBBER;
+    /** Bridge class for mapping esapi -> java log levels.*/
+    private static JavaLogBridge LOG_BRIDGE;
+    
+    static {
+        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+        JAVA_LOG_SCRUBBER = createLogScrubber(encodeLog);
+        
+    	boolean logClientInfo = true;
+		boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
+		String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
+		boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+        JAVA_LOG_APPENDER = createLogAppender(logClientInfo, logServerIp, logApplicationName, appName);
+        
+        Map<Integer, JavaLogLevelHandler> levelLookup = new HashMap<>();
+        levelLookup.put(Logger.ALL, JavaLogLevelHandlers.ALL);
+        levelLookup.put(Logger.TRACE, JavaLogLevelHandlers.FINEST);
+        levelLookup.put(Logger.DEBUG, JavaLogLevelHandlers.FINE);
+        levelLookup.put(Logger.INFO, JavaLogLevelHandlers.INFO);
+        levelLookup.put(Logger.ERROR, JavaLogLevelHandlers.ERROR);
+        levelLookup.put(Logger.WARNING, JavaLogLevelHandlers.WARNING);
+        levelLookup.put(Logger.FATAL, JavaLogLevelHandlers.SEVERE);
+        //LEVEL.OFF not used.  If it's off why would we try to log it?
+        
+        LOG_BRIDGE = new JavaLogBridgeImpl(JAVA_LOG_APPENDER, JAVA_LOG_SCRUBBER, levelLookup);
     }
-
-	private HashMap<Serializable, Logger> loggersMap = new HashMap<Serializable, Logger>();
-	
-	/**
-	* Null argument constructor for this implementation of the LogFactory interface
-	* needed for dynamic configuration.
-	*/
-	public JavaLogFactory() {}
-	
-	/**
-	* {@inheritDoc}
-	*/
-	public Logger getLogger(Class clazz) {
-	    return getLogger(clazz.getName());
+    
+    /**
+     * Populates the default log scrubber for use in factory-created loggers.
+     * @param requiresEncoding {@code true} if encoding is required for log content.
+     * @return LogScrubber instance.
+     */
+    /*package*/ static LogScrubber createLogScrubber(boolean requiresEncoding) {
+        List<LogScrubber> messageScrubber = new ArrayList<>();
+        messageScrubber.add(new NewlineLogScrubber());
+        
+        if (requiresEncoding) {
+            messageScrubber.add(new CodecLogScrubber(HTML_CODEC, IMMUNE_JAVA_HTML));
+        }
+        
+        return new CompositeLogScrubber(messageScrubber);
+        
     }
-
+    
     /**
-	* {@inheritDoc}
-	*/
+     * Populates the default log appender for use in factory-created loggers.
+     * @param appName 
+     * @param logApplicationName 
+     * @param logServerIp 
+     * @param logClientInfo 
+     * 
+     * @return LogAppender instance.
+     */
+    /*package*/ static LogAppender createLogAppender(boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
+       return new LogPrefixAppender(logClientInfo, logServerIp, logApplicationName, appName);       
+    }
+    
+    
+    @Override
     public Logger getLogger(String moduleName) {
-    	
-        synchronized (loggersMap) {
-            // If a logger for this module already exists, we return the same one, otherwise we create a new one.
-            Logger moduleLogger = loggersMap.get(moduleName);
-
-            if (moduleLogger == null) {
-                moduleLogger = new JavaLogger(moduleName);
-                loggersMap.put(moduleName, moduleLogger);    		
-            }
-            return moduleLogger;
-        }
+    	java.util.logging.Logger javaLogger = java.util.logging.Logger.getLogger(moduleName); 
+        return new JavaLogger(javaLogger, LOG_BRIDGE, Logger.ALL);
     }
 
-
-  
+    @Override
+    public Logger getLogger(@SuppressWarnings("rawtypes") Class clazz) {
+    	java.util.logging.Logger javaLogger = java.util.logging.Logger.getLogger(clazz.getName());
+        return new JavaLogger(javaLogger, LOG_BRIDGE, Logger.ALL);
+    }
 
 }

src/main/java/org/owasp/esapi/logging/java/JavaLogLevelHandler.java

@@ -0,0 +1,42 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+package org.owasp.esapi.logging.java;
+
+import java.util.logging.Logger;
+
+/**
+ * Contract used to isolate translations for each Java Logging Level.
+ * 
+ * @see JavaLogLevelHandlers
+ * @see JavaLogBridgeImpl
+ *
+ */
+ interface JavaLogLevelHandler {
+     /** Check if the logging level is enabled for the specified logger.*/
+    boolean isEnabled(Logger logger);
+    /**
+     * Calls the appropriate log level event on the specified logger.
+     * @param logger Logger to invoke.
+     * @param msg Message to log.
+     */
+    void log(Logger logger, String msg);
+    /**
+     * Calls the appropriate log level event on the specified logger.
+     * @param logger Logger to invoke
+     * @param msg Message to log
+     * @param th Throwable to log.
+     */
+    void log(Logger logger, String msg, Throwable th);
+}

src/main/java/org/owasp/esapi/logging/java/JavaLogLevelHandlers.java

@@ -0,0 +1,38 @@
+package org.owasp.esapi.logging.java;
+
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public enum JavaLogLevelHandlers implements JavaLogLevelHandler {
+
+	SEVERE(Level.SEVERE),
+	WARNING(Level.WARNING),
+	INFO(Level.INFO),
+	CONFIG(Level.CONFIG),
+	FINE(Level.FINE),
+	FINER(Level.FINER),
+	FINEST(Level.FINEST),
+	ALL(Level.ALL),
+	ERROR(JavaLoggerLevel.ERROR_LEVEL);
+
+	private final Level level;
+	
+	private JavaLogLevelHandlers(Level lvl) {
+		this.level = lvl;
+	}
+	
+	@Override
+	public boolean isEnabled(Logger logger) {
+		return logger.isLoggable(level);
+	}
+
+	@Override
+	public void log(Logger logger, String msg) {
+		logger.log(level, msg);
+	}
+
+	@Override
+	public void log(Logger logger, String msg, Throwable th) {
+		logger.log(level, msg, th);
+	}
+}