Updating Log4J Implementation

Translating the existing Log4J implementation into the updated logging
class structures. Tests for the common aspects are also being provided.

Additional class 'Log4JLoggerFactory.java' is being provided which is a
Service Provider Interface (SPI) contribution at runtime through the
log4j.xml file content.  This will need more tests.

Author: jeremiahjstacey

src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridge.java

@@ -0,0 +1,42 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+package org.owasp.esapi.logging.log4j;
+
+import org.apache.log4j.Logger;
+import org.owasp.esapi.Logger.EventType;
+/**
+ * Contract for translating an ESAPI log event into an Log4J log event.
+ * 
+ */
+public interface Log4JLogBridge {
+    /**
+     * Translation for the provided ESAPI level, type, and message to the specified Log4J Logger.
+     * @param logger Logger to receive the translated message.
+     * @param esapiLevel ESAPI level of event.
+     * @param type ESAPI event type
+     * @param message ESAPI event message content.
+     */
+    void log(Logger logger, int esapiLevel, EventType type, String message) ;
+    /**
+     * Translation for the provided ESAPI level, type, message, and Throwable to the specified Log4J Logger.
+     * @param logger Logger to receive the translated message.
+     * @param esapiLevel ESAPI level of event.
+     * @param type ESAPI event type
+     * @param message ESAPI event message content.
+     * @param throwable ESAPI event Throwable content
+     */
+    void log(Logger logger, int esapiLevel, EventType type, String message, Throwable throwable) ;
+      
+}

src/main/java/org/owasp/esapi/logging/log4j/Log4JLogBridgeImpl.java

@@ -0,0 +1,75 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+
+package org.owasp.esapi.logging.log4j;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.log4j.Logger;
+import org.owasp.esapi.Logger.EventType;
+import org.owasp.esapi.logging.appender.LogAppender;
+import org.owasp.esapi.logging.cleaning.LogScrubber;
+
+/**
+ * Implementation which is intended to bridge the ESAPI Logging API into LOG4J supported Object structures.
+ *
+ */
+public class Log4JLogBridgeImpl implements Log4JLogBridge {
+    /** Configuration providing associations between esapi log levels and LOG4J levels.*/
+    private final Map<Integer,Log4JLogLevelHandler> esapiSlfLevelMap;
+    /** Cleaner used for log content.*/
+    private final LogScrubber scrubber;
+    /** Appender used for assembling default message content for all logs.*/
+    private final LogAppender appender;
+    
+    /**
+     * Constructor.
+     * @param logScrubber  Log message cleaner.
+     * @param esapiSlfHandlerMap Map identifying ESAPI -> LOG4J log level associations.
+     */
+    public Log4JLogBridgeImpl(LogAppender messageAppender, LogScrubber logScrubber, Map<Integer, Log4JLogLevelHandler> esapiSlfHandlerMap) {
+        //Defensive copy to prevent external mutations.
+        this.esapiSlfLevelMap = new HashMap<>(esapiSlfHandlerMap);
+        this.scrubber = logScrubber;
+        this.appender = messageAppender;
+    }
+    @Override
+    public void log(Logger logger, int esapiLevel, EventType type, String message) {
+        Log4JLogLevelHandler handler = esapiSlfLevelMap.get(esapiLevel);
+        if (handler == null) {
+            throw new IllegalArgumentException("Unable to lookup LOG4J level mapping for esapi value of " + esapiLevel);
+        }
+        if (handler.isEnabled(logger)) {
+        	String fullMessage = appender.appendTo(logger.getName(), type, message);
+            String cleanString = scrubber.cleanMessage(fullMessage);
+            
+            handler.log(logger, cleanString);
+        }
+    }
+    @Override
+    public void log(Logger logger, int esapiLevel, EventType type, String message, Throwable throwable) {
+        Log4JLogLevelHandler handler = esapiSlfLevelMap.get(esapiLevel);
+        if (handler == null) {
+            throw new IllegalArgumentException("Unable to lookup LOG4J level mapping for esapi value of " + esapiLevel);
+        }
+        if (handler.isEnabled(logger)) {
+        	String fullMessage = appender.appendTo(logger.getName(), type, message);
+            String cleanString = scrubber.cleanMessage(fullMessage);
+
+            handler.log(logger, cleanString, throwable);
+        }
+    }
+}

src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java

@@ -0,0 +1,138 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+package org.owasp.esapi.logging.log4j;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.log4j.LogManager;
+import org.apache.log4j.PropertyConfigurator;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.LogFactory;
+import org.owasp.esapi.Logger;
+import org.owasp.esapi.codecs.HTMLEntityCodec;
+import org.owasp.esapi.logging.appender.LogAppender;
+import org.owasp.esapi.logging.appender.LogPrefixAppender;
+import org.owasp.esapi.logging.cleaning.CodecLogScrubber;
+import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
+import org.owasp.esapi.logging.cleaning.LogScrubber;
+import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
+import org.owasp.esapi.logging.java.JavaLogFactory;
+import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+/**
+ * LogFactory implementation which creates Log4J supporting Loggers.
+ *
+ */
+public class Log4JLogFactory implements LogFactory {
+	 /** Immune characters for the codec log scrubber for JAVA context.*/
+    private static final char[] IMMUNE_LOG4J_HTML = {',', '.', '-', '_', ' ' };
+    /** Codec being used to clean messages for logging.*/
+    private static final HTMLEntityCodec HTML_CODEC = new HTMLEntityCodec();
+    /** Log appender instance.*/
+    private static LogAppender Log4J_LOG_APPENDER;
+    /** Log cleaner instance.*/
+    private static LogScrubber Log4J_LOG_SCRUBBER;
+    /** Bridge class for mapping esapi -> log4j log levels.*/
+    private static Log4JLogBridge LOG_BRIDGE;
+    
+    static {
+        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+        Log4J_LOG_SCRUBBER = createLogScrubber(encodeLog);
+        
+    	boolean logClientInfo = true;
+		boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
+		String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
+		boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+        Log4J_LOG_APPENDER = createLogAppender(logClientInfo, logServerIp, logApplicationName, appName);
+        
+        Map<Integer, Log4JLogLevelHandler> levelLookup = new HashMap<>();
+        levelLookup.put(Logger.ALL, Log4JLogLevelHandlers.TRACE);
+        levelLookup.put(Logger.TRACE, Log4JLogLevelHandlers.TRACE);
+        levelLookup.put(Logger.DEBUG, Log4JLogLevelHandlers.DEBUG);
+        levelLookup.put(Logger.INFO, Log4JLogLevelHandlers.INFO);
+        levelLookup.put(Logger.ERROR, Log4JLogLevelHandlers.ERROR);
+        levelLookup.put(Logger.WARNING, Log4JLogLevelHandlers.WARN);
+        levelLookup.put(Logger.FATAL, Log4JLogLevelHandlers.FATAL);
+        //LEVEL.OFF not used.  If it's off why would we try to log it?
+        
+        LOG_BRIDGE = new Log4JLogBridgeImpl(Log4J_LOG_APPENDER, Log4J_LOG_SCRUBBER, levelLookup);
+        
+        try (InputStream stream = Log4JLogFactory.class.getClassLoader().
+        		getResourceAsStream("log4j.xml")) {
+        	PropertyConfigurator.configure(stream);
+        } catch (IOException ioe) {
+        	System.err.print(new IOException("Failed to load log4j.xml.", ioe));        	
+        }
+        
+        OutputStream nullOutputStream = new OutputStream() {
+			@Override
+			public void write(int b) throws IOException {
+				//No Op
+			}
+		};
+        
+       System.setOut(new PrintStream(nullOutputStream));
+    }
+    
+    /**
+     * Populates the default log scrubber for use in factory-created loggers.
+     * @param requiresEncoding {@code true} if encoding is required for log content.
+     * @return LogScrubber instance.
+     */
+    /*package*/ static LogScrubber createLogScrubber(boolean requiresEncoding) {
+        List<LogScrubber> messageScrubber = new ArrayList<>();
+        messageScrubber.add(new NewlineLogScrubber());
+        
+        if (requiresEncoding) {
+            messageScrubber.add(new CodecLogScrubber(HTML_CODEC, IMMUNE_LOG4J_HTML));
+        }
+        
+        return new CompositeLogScrubber(messageScrubber);
+        
+    }
+    
+    /**
+     * Populates the default log appender for use in factory-created loggers.
+     * @param appName 
+     * @param logApplicationName 
+     * @param logServerIp 
+     * @param logClientInfo 
+     * 
+     * @return LogAppender instance.
+     */
+    /*package*/ static LogAppender createLogAppender(boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
+       return new LogPrefixAppender(logClientInfo, logServerIp, logApplicationName, appName);       
+    }
+    
+    
+    @Override
+    public Logger getLogger(String moduleName) {
+    	org.apache.log4j.Logger log4JLogger = org.apache.log4j.Logger.getLogger(moduleName);
+        return new Log4JLogger(log4JLogger, LOG_BRIDGE, Logger.ALL);
+    }
+
+    @Override
+    public Logger getLogger(@SuppressWarnings("rawtypes") Class clazz) {
+    	org.apache.log4j.Logger log4JLogger = org.apache.log4j.Logger.getLogger(clazz);
+        return new Log4JLogger(log4JLogger, LOG_BRIDGE, Logger.ALL);
+    }
+
+}

src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandler.java

@@ -0,0 +1,42 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+package org.owasp.esapi.logging.log4j;
+
+import org.apache.log4j.Logger;
+
+/**
+ * Contract used to isolate translations for each SLF4J Logging Level.
+ * 
+ * @see Log4JLogLevelHandlers
+ * @see Log4JLogBridgeImpl
+ *
+ */
+ interface Log4JLogLevelHandler {
+     /** Check if the logging level is enabled for the specified logger.*/
+    boolean isEnabled(Logger logger);
+    /**
+     * Calls the appropriate log level event on the specified logger.
+     * @param logger Logger to invoke.
+     * @param msg Message to log.
+     */
+    void log(Logger logger, String msg);
+    /**
+     * Calls the appropriate log level event on the specified logger.
+     * @param logger Logger to invoke
+     * @param msg Message to log
+     * @param th Throwable to log.
+     */
+    void log(Logger logger, String msg, Throwable th);
+}

src/main/java/org/owasp/esapi/logging/log4j/Log4JLogLevelHandlers.java

@@ -0,0 +1,55 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2018
+ */
+
+package org.owasp.esapi.logging.log4j;
+
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+
+/**
+ * Enumeration capturing the propagation of Log4J level events.
+ *
+ */
+public enum Log4JLogLevelHandlers implements Log4JLogLevelHandler {
+	FATAL(Level.FATAL),
+	ERROR(Level.ERROR),
+	WARN(Level.WARN),
+	INFO(Level.INFO),
+	DEBUG(Level.DEBUG),
+	TRACE(Level.TRACE),
+	ALL(Level.ALL);
+
+	private final Level level;
+	
+	private Log4JLogLevelHandlers(Level lvl) {
+		this.level = lvl;
+	}
+	
+	@Override
+	public boolean isEnabled(Logger logger) {
+		return logger.isEnabledFor(level);
+	}
+
+	@Override
+	public void log(Logger logger, String msg) {
+		logger.log(level, msg);
+	}
+
+	@Override
+	public void log(Logger logger, String msg, Throwable th) {
+		logger.log(level, msg, th);
+	}    
+}