RavenDB-22265 Audit log on client certificates management operations
ml054 authored and ppekrol committed Dec 4, 2024
1 parent 6a29cb1 commit 2d5439c
Showing 1 changed file with 41 additions and 6 deletions.
47 changes: 41 additions & 6 deletions src/Raven.Server/Web/Authentication/AdminCertificatesHandler.cs
Expand Up @@ -86,6 +86,14 @@ public async Task Generate()
throw new InvalidOperationException($"Cannot generate the client certificate '{certificate.Name}' with 'Cluster Admin' security clearance because the current client certificate being used has a lower clearance: {clientCertDef.SecurityClearance}");
}

if (LoggingSource.AuditLog.IsInfoEnabled)
{
var permissions = FormatPermissions(certificate);

LogAuditFor("Certificates", "ADD",
$"Generate certificate {certificate?.Name}. Security Clearance: {certificate?.SecurityClearance}. Permissions: {permissions}. TwoFactor: {string.IsNullOrEmpty(twoFactorAuthenticationKey)}");
}

byte[] certs = null;
await ServerStore.Operations.AddLocalOperation(
operationId.Value,
Expand Down Expand Up @@ -218,12 +226,10 @@ public async Task Put()

if (LoggingSource.AuditLog.IsInfoEnabled)
{
var permissions = certificate?.Permissions != null
? Environment.NewLine + string.Join(Environment.NewLine, certificate.Permissions.Select(kvp => kvp.Key + ": " + kvp.Value.ToString()))
: string.Empty;
LogAuditFor("Certificates",
"ADD",
$"New certificate {certificate?.Name} ['{certificate?.Thumbprint}']. Security Clearance: {certificate?.SecurityClearance}. Permissions:{permissions}.");
var permissions = FormatPermissions(certificate);

LogAuditFor("Certificates", "ADD",
$"New certificate {certificate?.Name} ['{certificate?.Thumbprint}']. Security Clearance: {certificate?.SecurityClearance}. Permissions:{permissions}. TwoFactor: {string.IsNullOrEmpty(twoFactorAuthenticationKey)}");
}

try
Expand All @@ -239,6 +245,14 @@ public async Task Put()
}
}

private string FormatPermissions(CertificateDefinition certificate)
{
return certificate?.Permissions != null
? Environment.NewLine + string.Join(Environment.NewLine, certificate.Permissions.Select(kvp => kvp.Key + ": " + kvp.Value.ToString()))
: string.Empty;
;
}

public static async Task PutCertificateCollectionInCluster(CertificateDefinition certDef, byte[] certBytes, string password, ServerStore serverStore,
TransactionOperationContext ctx, string twoFactorAuthenticationKey, string raftRequestId)
{
Expand Down Expand Up @@ -355,6 +369,14 @@ public async Task PurgeExpired()
if (cert.Value.TryGet(nameof(CertificateDefinition.NotAfter), out DateTime notAfter) && DateTime.UtcNow > notAfter)
keysToDelete.Add(cert.Key);
}

if (LoggingSource.AuditLog.IsInfoEnabled)
{
foreach (string keyToDelete in keysToDelete)
{
LogAuditFor("Certificates", "DELETE", $"Certificate '{keyToDelete}'.");
}
}

await DeleteInternal(keysToDelete, GetRaftRequestIdFromQuery());
}
Expand Down Expand Up @@ -748,6 +770,14 @@ public async Task Edit()

ServerStore.Cluster.DeleteLocalState(ctx, newCertificate.Thumbprint);
}

if (LoggingSource.AuditLog.IsInfoEnabled)
{
var permissions = FormatPermissions(newCertificate);

LogAuditFor("Certificates", "CHANGE",
$"Edit certificate {newCertificate?.Name}. Security Clearance: {newCertificate?.SecurityClearance}. Permissions: {permissions}. TwoFactor: {string.IsNullOrEmpty(twoFactorAuthenticationKey)}");
}

var cmd = new PutCertificateCommand(newCertificate.Thumbprint,
new CertificateDefinition
Expand Down Expand Up @@ -971,6 +1001,11 @@ public async Task ForceRenew()
if (Server.Certificate.Certificate == null)
throw new InvalidOperationException("Cannot force renew this Let's Encrypt server certificate. The server certificate is not loaded.");

if (LoggingSource.AuditLog.IsInfoEnabled)
{
LogAuditFor("Certificates", "RENEW", "Renew server certificate");
}

try
{
var success = Server.RefreshClusterCertificate(true, GetRaftRequestIdFromQuery());
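Review bot: The `TwoFactor:` field added to the Generate, Put and Edit audit messages logs `string.IsNullOrEmpty(twoFactorAuthenticationKey)`, which prints `True` exactly when no two-factor key was supplied, so an auditor reading the entry concludes the opposite of what happened; negate it or rename the label, e.g. `TwoFactor: {!string.IsNullOrEmpty(twoFactorAuthenticationKey)}` (logging only presence of the key, never its value, is the right choice and should stay). The Edit entry identifies the certificate by name only although `newCertificate.Thumbprint` is dereferenced a few lines earlier; names are not unique, so include it as the Put entry does, `$"Edit certificate {newCertificate.Name} ['{newCertificate.Thumbprint}']. Security Clearance: ..."`. In every hunk the audit entry is written before the call that performs the operation (AddLocalOperation, DeleteInternal, PutCertificateCommand, RefreshClusterCertificate, and apparently the `try` block in Put), so a failed operation still leaves an ADD/CHANGE/DELETE/RENEW record that reads as if it succeeded; consider wording the entries as requests or adding an outcome entry after the call. In FormatPermissions the stray `;` after the return statement is an empty statement to drop, and since the method reads no instance state it can be `private static`. The enclosing methods of every hunk start and end outside the hunk.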
