Admin auditlogs 401s

Author: asloobq

src/main/java/com/uid2/admin/Main.java

@@ -30,6 +30,7 @@
 import com.uid2.admin.vertx.service.*;
 import com.uid2.shared.Const;
 import com.uid2.shared.Utils;
+import com.uid2.shared.audit.Audit;
 import com.uid2.shared.secret.KeyHasher;
 import com.uid2.shared.secret.SecureKeyGenerator;
 import com.uid2.shared.auth.EnclaveIdentifierProvider;
@@ -259,7 +260,7 @@ public void run() {
                     clientSideKeypairService,
                     new ServiceService(auth, writeLock, serviceStoreWriter, serviceProvider, siteProvider, serviceLinkProvider),
                     new ServiceLinkService(auth, writeLock, serviceLinkStoreWriter, serviceLinkProvider, serviceProvider, siteProvider),
-                    new OperatorKeyService(config, auth, writeLock, operatorKeyStoreWriter, operatorKeyProvider, siteProvider, keyGenerator, keyHasher, cloudEncryptionKeyManager),
+                    new OperatorKeyService(config, auth, writeLock, operatorKeyStoreWriter, operatorKeyProvider, siteProvider, keyGenerator, keyHasher, cloudEncryptionKeyManager, new Audit(Main.class.getPackage().getName())),
                     new SaltService(auth, writeLock, saltStoreWriter, saltProvider, saltRotation),
                     new SiteService(auth, writeLock, siteStoreWriter, siteProvider, clientKeyProvider),
                     new PartnerConfigService(auth, writeLock, partnerStoreWriter, partnerConfigProvider),

src/main/java/com/uid2/admin/auth/AdminAuthMiddleware.java

@@ -9,8 +9,6 @@
 import io.vertx.ext.web.RoutingContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import com.uid2.shared.audit.AuditParams;
-import com.uid2.shared.audit.Audit;
 
 import java.util.*;
 
@@ -19,7 +17,6 @@ public class AdminAuthMiddleware {
     private final AuthProvider authProvider;
     private final String environment;
     private final boolean isAuthDisabled;
-    private final Audit audit;
 
     final Map<Role, List<OktaGroup>> roleToOktaGroups = new EnumMap<>(Role.class);
     public AdminAuthMiddleware(AuthProvider authProvider, JsonObject config) {
@@ -29,7 +26,6 @@ public AdminAuthMiddleware(AuthProvider authProvider, JsonObject config) {
         roleToOktaGroups.put(Role.MAINTAINER, parseOktaGroups(config.getString(AdminConst.ROLE_OKTA_GROUP_MAP_MAINTAINER)));
         roleToOktaGroups.put(Role.PRIVILEGED, parseOktaGroups(config.getString(AdminConst.ROLE_OKTA_GROUP_MAP_PRIVILEGED)));
         roleToOktaGroups.put(Role.SUPER_USER, parseOktaGroups(config.getString(AdminConst.ROLE_OKTA_GROUP_MAP_SUPER_USER)));
-        this.audit = new Audit(AdminAuthMiddleware.class.getPackage().getName());
     }
 
     private List<OktaGroup> parseOktaGroups(final String oktaGroups) {
@@ -44,29 +40,16 @@ private List<OktaGroup> parseOktaGroups(final String oktaGroups) {
         return allOktaGroups;
     }
 
-    public Handler<RoutingContext> handle(Handler<RoutingContext> handler, AuditParams params, Role... roles) {
+    public Handler<RoutingContext> handle(Handler<RoutingContext> handler, Role... roles) {
         if (isAuthDisabled) return handler;
         if (roles == null || roles.length == 0) {
             throw new IllegalArgumentException("must specify at least one role");
         }
-        Handler<RoutingContext> loggedHandler = logAndHandle(handler, params);
-        AdminAuthHandler adminAuthHandler = new AdminAuthHandler(loggedHandler, authProvider, Set.of(roles),
+        AdminAuthHandler adminAuthHandler = new AdminAuthHandler(handler, authProvider, Set.of(roles),
                 environment, roleToOktaGroups);
         return adminAuthHandler::handle;
     }
 
-    public Handler<RoutingContext> handle(Handler<RoutingContext> handler, Role... roles) {
-        return this.handle(handler, new AuditParams(), roles);
-    }
-
-
-    private Handler<RoutingContext> logAndHandle(Handler<RoutingContext> handler, AuditParams params) {
-        return ctx -> {
-            ctx.addBodyEndHandler(v -> this.audit.log(ctx, params));
-            handler.handle(ctx);
-        };
-    }
-
     private static class AdminAuthHandler {
         private final String environment;
         private final Handler<RoutingContext> innerHandler;
@@ -125,6 +108,7 @@ public void handle(RoutingContext rc) {
             }
             if(idToken != null) {
                 validateIdToken(rc, idToken);
+                rc.next();
                 return;
             }
 
@@ -133,9 +117,11 @@ public void handle(RoutingContext rc) {
             String accessToken = extractBearerToken(authHeaderValue);
             if(accessToken == null) {
                 rc.response().putHeader("REQUIRES_AUTH", "1").setStatusCode(401).end();
+                rc.next();
                 return;
             }
             validateAccessToken(rc, accessToken);
+
         }
 
         private void validateAccessToken(RoutingContext rc, String accessToken) {
@@ -160,6 +146,7 @@ private void validateAccessToken(RoutingContext rc, String accessToken) {
             } else {
                 rc.response().setStatusCode(401).end();
             }
+            rc.next();
         }
 
         private void validateIdToken(RoutingContext rc, String idToken) {

src/main/java/com/uid2/admin/vertx/service/ClientKeyService.java

@@ -91,53 +91,53 @@ public void setupRoutes(Router router) {
         router.get(API_CLIENT_REVEAL.toString()).handler(
             auth.handle(this::handleClientReveal, Role.PRIVILEGED));
 
-        router.post(API_CLIENT_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientAdd(ctx);
-            }
-        }, new AuditParams(List.of("name", "roles", "site_id"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
-
-        router.post(API_CLIENT_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientDel(ctx);
-            }
-        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.SUPER_USER));
-
-        router.post(API_CLIENT_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientUpdate(ctx);
-            }
-        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.MAINTAINER));
-
-        router.post(API_CLIENT_DISABLE.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientDisable(ctx);
-            }
-        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
-
-        router.post(API_CLIENT_ENABLE.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientEnable(ctx);
-            }
-        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.MAINTAINER));
-
-        router.post(API_CLIENT_ROLES.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientRoles(ctx);
-            }
-        }, new AuditParams(List.of("contact", "roles"), Collections.emptyList()), Role.PRIVILEGED, Role.SHARING_PORTAL));
-
-        router.post(API_CLIENT_CONTACT.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientContact(ctx);
-            }
-        }, Role.MAINTAINER));
-
-        router.post(API_CLIENT_RENAME.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleClientRename(ctx);
-            }
-        }, new AuditParams(List.of("contact", "newName"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
+//        router.post(API_CLIENT_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientAdd(ctx);
+//            }
+//        }, new AuditParams(List.of("name", "roles", "site_id"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
+//
+//        router.post(API_CLIENT_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientDel(ctx);
+//            }
+//        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.SUPER_USER));
+//
+//        router.post(API_CLIENT_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientUpdate(ctx);
+//            }
+//        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.MAINTAINER));
+//
+//        router.post(API_CLIENT_DISABLE.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientDisable(ctx);
+//            }
+//        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
+//
+//        router.post(API_CLIENT_ENABLE.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientEnable(ctx);
+//            }
+//        }, new AuditParams(List.of("contact"), Collections.emptyList()), Role.MAINTAINER));
+//
+//        router.post(API_CLIENT_ROLES.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientRoles(ctx);
+//            }
+//        }, new AuditParams(List.of("contact", "roles"), Collections.emptyList()), Role.PRIVILEGED, Role.SHARING_PORTAL));
+//
+//        router.post(API_CLIENT_CONTACT.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientContact(ctx);
+//            }
+//        }, Role.MAINTAINER));
+//
+//        router.post(API_CLIENT_RENAME.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleClientRename(ctx);
+//            }
+//        }, new AuditParams(List.of("contact", "newName"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
     }
 
     private void handleRewriteMetadata(RoutingContext rc) {

src/main/java/com/uid2/admin/vertx/service/ClientSideKeypairService.java

@@ -66,21 +66,21 @@ public ClientSideKeypairService(JsonObject config,
 
     @Override
     public void setupRoutes(Router router) {
-        router.post(API_CLIENT_SIDE_KEYPAIRS_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleAddKeypair(ctx);
-            }
-        }, new AuditParams(Collections.emptyList(), List.of("site_id", "name", "contact", "disabled")), Role.MAINTAINER, Role.SHARING_PORTAL));
-        router.post(API_CLIENT_SIDE_KEYPAIRS_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleUpdateKeypair(ctx);
-            }
-        }, new AuditParams(Collections.emptyList(), List.of("subscription_id", "name", "contact", "disabled")), Role.MAINTAINER, Role.SHARING_PORTAL));
-        router.post(API_CLIENT_SIDE_KEYPAIRS_DELETE.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleDeleteKeypair(ctx);
-            }
-        }, new AuditParams(Collections.emptyList(), List.of("subscription_id")), Role.PRIVILEGED, Role.SHARING_PORTAL));
+//        router.post(API_CLIENT_SIDE_KEYPAIRS_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleAddKeypair(ctx);
+//            }
+//        }, new AuditParams(Collections.emptyList(), List.of("site_id", "name", "contact", "disabled")), Role.MAINTAINER, Role.SHARING_PORTAL));
+//        router.post(API_CLIENT_SIDE_KEYPAIRS_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleUpdateKeypair(ctx);
+//            }
+//        }, new AuditParams(Collections.emptyList(), List.of("subscription_id", "name", "contact", "disabled")), Role.MAINTAINER, Role.SHARING_PORTAL));
+//        router.post(API_CLIENT_SIDE_KEYPAIRS_DELETE.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleDeleteKeypair(ctx);
+//            }
+//        }, new AuditParams(Collections.emptyList(), List.of("subscription_id")), Role.PRIVILEGED, Role.SHARING_PORTAL));
         router.get(API_CLIENT_SIDE_KEYPAIRS_LIST.toString()).handler(
             auth.handle(this::handleListAllKeypairs, Role.MAINTAINER, Role.METRICS_EXPORT));
         router.get(API_CLIENT_SIDE_KEYPAIRS_SUBSCRIPTIONID.toString()).handler(

src/main/java/com/uid2/admin/vertx/service/CloudEncryptionKeyService.java

@@ -42,9 +42,9 @@ public void setupRoutes(Router router) {
                 auth.handle(this::handleList, Role.MAINTAINER)
         );
 
-        router.post(Endpoints.CLOUD_ENCRYPTION_KEY_ROTATE.toString()).handler(
-                auth.handle(this::handleRotate, new AuditParams(List.of("fail"), Collections.emptyList()), Role.MAINTAINER, Role.SECRET_ROTATION)
-        );
+//        router.post(Endpoints.CLOUD_ENCRYPTION_KEY_ROTATE.toString()).handler(
+//                auth.handle(this::handleRotate, new AuditParams(List.of("fail"), Collections.emptyList()), Role.MAINTAINER, Role.SECRET_ROTATION)
+//        );
     }
 
     private void handleMetadata(RoutingContext rc) {

src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java

@@ -53,16 +53,16 @@ public void setupRoutes(Router router) {
         router.get(API_ENCLAVE_LIST.toString()).handler(
             auth.handle(this::handleEnclaveList, Role.MAINTAINER));
 
-        router.post(API_ENCLAVE_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleEnclaveAdd(ctx);
-            }
-        }, new AuditParams(List.of("name", "protocol", "enclave_id"), Collections.emptyList()), Role.PRIVILEGED));
-        router.post(API_ENCLAVE_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleEnclaveDel(ctx);
-            }
-        }, new AuditParams(List.of("name"), Collections.emptyList()), Role.SUPER_USER));
+//        router.post(API_ENCLAVE_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleEnclaveAdd(ctx);
+//            }
+//        }, new AuditParams(List.of("name", "protocol", "enclave_id"), Collections.emptyList()), Role.PRIVILEGED));
+//        router.post(API_ENCLAVE_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleEnclaveDel(ctx);
+//            }
+//        }, new AuditParams(List.of("name"), Collections.emptyList()), Role.SUPER_USER));
     }
 
     private void handleEnclaveMetadata(RoutingContext rc) {

src/main/java/com/uid2/admin/vertx/service/EncryptionKeyService.java

@@ -144,25 +144,25 @@ public void setupRoutes(Router router) {
             }
         }, Role.MAINTAINER, Role.SECRET_ROTATION));
 
-        router.post(API_KEY_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleAddSiteKey(ctx);
-            }
-        }, new AuditParams(List.of("site_id", "activates_in_seconds"), Collections.emptyList()), Role.MAINTAINER));
-
-        router.post(API_KEY_ROTATE_SITE.toString()).blockingHandler(auth.handle((ctx) -> {
-            synchronized (writeLock) {
-                this.handleRotateSiteKey(ctx);
-            }
-        }, new AuditParams(List.of("site_id"), Collections.emptyList()), Role.MAINTAINER));
-
-        if(enableKeysets) {
-            router.post(API_KEY_ROTATE_KEYSET_KEY.toString()).blockingHandler(auth.handle((ctx) -> {
-                synchronized (writeLock) {
-                    this.handleRotateKeysetKey(ctx);
-                }
-            }, new AuditParams(List.of("keyset_id"), Collections.emptyList()), Role.MAINTAINER));
-        }
+//        router.post(API_KEY_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleAddSiteKey(ctx);
+//            }
+//        }, new AuditParams(List.of("site_id", "activates_in_seconds"), Collections.emptyList()), Role.MAINTAINER));
+//
+//        router.post(API_KEY_ROTATE_SITE.toString()).blockingHandler(auth.handle((ctx) -> {
+//            synchronized (writeLock) {
+//                this.handleRotateSiteKey(ctx);
+//            }
+//        }, new AuditParams(List.of("site_id"), Collections.emptyList()), Role.MAINTAINER));
+//
+//        if(enableKeysets) {
+//            router.post(API_KEY_ROTATE_KEYSET_KEY.toString()).blockingHandler(auth.handle((ctx) -> {
+//                synchronized (writeLock) {
+//                    this.handleRotateKeysetKey(ctx);
+//                }
+//            }, new AuditParams(List.of("keyset_id"), Collections.emptyList()), Role.MAINTAINER));
+//        }
 
         router.post(API_KEY_ROTATE_ALL_SITES.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {