Merge pull request ESAPI#533 from jeremiahjstacey/Logger_Consistency

ESAPI#532 JUL and Log4J match SLF4J class structure and Workflow

Author: xeno6696

configuration/esapi/ESAPI.properties

@@ -67,7 +67,7 @@ ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
 ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
 ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
 # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
-ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
+ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
 #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
 # To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
 #    ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
@@ -391,7 +391,10 @@ Logger.LogServerIP=true
 Logger.LogFileName=ESAPI_logging_file
 # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
 Logger.MaxLogFileSize=10000000
-
+# Determines whether ESAPI should log the user info.
+Logger.UserInfo=true
+# Determines whether ESAPI should log the app info.
+Logger.ClientInfo=true
 
 #===========================================================================
 # ESAPI Intrusion Detection

configuration/log4j.xml

@@ -42,6 +42,6 @@
     <appender-ref ref="console" /> 
   </root>
 
-  <loggerFactory class="org.owasp.esapi.reference.Log4JLoggerFactory"/>
+  <loggerFactory class="org.owasp.esapi.logging.log4j.Log4JLogFactory"/>
 
 </log4j:configuration>

src/main/java/org/owasp/esapi/logging/appender/ClientInfoSupplier.java

@@ -0,0 +1,91 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2019
+ */
+
+package org.owasp.esapi.logging.appender;
+
+import java.util.function.Supplier;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.User;
+
+/**
+ * Supplier which can provide a String representing the client-side connection
+ * information.
+ */
+public class ClientInfoSupplier implements Supplier<String> {
+    /** Default Last Host string if the Authenticated user is null.*/
+    private static final String DEFAULT_LAST_HOST = "#UNKNOWN_HOST#";
+    /** Session Attribute containing the ESAPI Session id. */
+    private static final String ESAPI_SESSION_ATTR = "ESAPI_SESSION";
+    /**
+     * Minimum value for generating a random session value if one is not defined.
+     */
+    private static final int ESAPI_SESSION_RAND_MIN = 0;
+    /**
+     * Maximum value for generating a random session value if one is not defined.
+     */
+    private static final int ESAPI_SESSION_RAND_MAX = 1000000;
+
+    /** Format for supplier output. */
+    private static final String USER_INFO_FORMAT = "%s@%s"; // SID, USER_HOST_ADDRESS
+
+    /** Whether to log the user info from this instance. */
+    private boolean logClientInfo = true;
+
+    @Override
+    public String get() {
+        String clientInfo = "";
+
+        if (logClientInfo) {
+            HttpServletRequest request = ESAPI.currentRequest();
+            // create a random session number for the user to represent the user's
+            // 'session', if it doesn't exist already
+            String sid = "";
+            if (request != null) {
+                HttpSession session = request.getSession(false);
+                if (session != null) {
+                    sid = (String) session.getAttribute(ESAPI_SESSION_ATTR);
+                    // if there is no session ID for the user yet, we create one and store it in the
+                    // user's session
+                    if (sid == null) {
+                        sid = "" + ESAPI.randomizer().getRandomInteger(ESAPI_SESSION_RAND_MIN, ESAPI_SESSION_RAND_MAX);
+                        session.setAttribute(ESAPI_SESSION_ATTR, sid);
+                    }
+                }
+            }
+            // log user information - username:session@ipaddr
+            User user = ESAPI.authenticator().getCurrentUser();
+            if (user == null) {
+                clientInfo = String.format(USER_INFO_FORMAT, sid, DEFAULT_LAST_HOST);
+            } else {
+                clientInfo = String.format(USER_INFO_FORMAT, sid, user.getLastHostAddress());
+            }
+        }
+        return clientInfo;
+    }
+
+    /**
+     * Specify whether the instance should record the client info.
+     * 
+     * @param log {@code true} to record
+     */
+    public void setLogClientInfo(boolean log) {
+        this.logClientInfo = log;
+    }
+
+}

src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java

@@ -0,0 +1,45 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2019
+ */
+
+package org.owasp.esapi.logging.appender;
+
+import java.util.function.Supplier;
+
+import org.owasp.esapi.Logger;
+import org.owasp.esapi.Logger.EventType;
+
+/**
+ * Supplier implementation which returns a consistent String representation of
+ * an EventType for logging
+ *
+ */
+public class EventTypeLogSupplier implements Supplier<String> {
+    /** EventType reference to supply log representation of. */
+    private final EventType eventType;
+
+    /**
+     * Ctr
+     * 
+     * @param evtyp EventType reference to supply log representation for
+     */
+    public EventTypeLogSupplier(EventType evtyp) {
+        this.eventType = evtyp == null ? Logger.EVENT_UNSPECIFIED : evtyp;
+    }
+
+    @Override
+    public String get() {
+        return eventType.toString();
+    }
+}

src/main/java/org/owasp/esapi/logging/appender/LogAppender.java

@@ -0,0 +1,35 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2019
+ */
+
+package org.owasp.esapi.logging.appender;
+
+import org.owasp.esapi.Logger.EventType;
+
+/**
+ * Contract interface for appending content to a log message.
+ *
+ */
+public interface LogAppender {
+
+    /**
+     * Creates a replacement Log Message and returns it to the caller.
+     * @param logName name of the logger.
+     * @param eventType EventType of the log event being processed.
+     * @param message The original message.
+     * @return Updated replacement message.
+     */
+    public String appendTo(String logName, EventType eventType, String message);
+
+}

src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java

@@ -0,0 +1,96 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2019
+ */
+
+package org.owasp.esapi.logging.appender;
+
+import org.owasp.esapi.Logger.EventType;
+
+/**
+ * LogAppender Implementation which can prefix the common logger information for
+ * EventType, Client data, and server data.
+ */
+public class LogPrefixAppender implements LogAppender {
+    /** Output format used to assemble return values. */
+    private static final String RESULT_FORMAT = "[%s] %s"; //Assembled Prefix, MSG
+
+    /** Whether or not to record user information. */
+    private final boolean logUserInfo;
+    /** Whether or not to record client information. */
+    private final boolean logClientInfo;
+    /** Whether or not to record server ip information. */
+    private final boolean logServerIp;
+    /** Whether or not to record application name. */
+    private final boolean logApplicationName;
+    /** Application Name to record. */
+    private final String appName;
+
+    /**
+     * Ctr.
+     * 
+     * @param logUserInfo      Whether or not to record user information
+     * @param logClientInfo      Whether or not to record client information
+     * @param logServerIp        Whether or not to record server ip information
+     * @param logApplicationName Whether or not to record application name
+     * @param appName            Application Name to record.
+     */
+    public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
+        this.logUserInfo = logUserInfo;
+        this.logClientInfo = logClientInfo;
+        this.logServerIp = logServerIp;
+        this.logApplicationName = logApplicationName;
+        this.appName = appName;
+    }
+
+    @Override
+    public String appendTo(String logName, EventType eventType, String message) {
+        EventTypeLogSupplier eventTypeSupplier = new EventTypeLogSupplier(eventType);
+
+        UserInfoSupplier userInfoSupplier = new UserInfoSupplier();
+        userInfoSupplier.setLogUserInfo(logUserInfo);
+        
+        ClientInfoSupplier clientInfoSupplier = new ClientInfoSupplier();
+        clientInfoSupplier.setLogClientInfo(logClientInfo);
+        
+        ServerInfoSupplier serverInfoSupplier = new ServerInfoSupplier(logName);
+        serverInfoSupplier.setLogServerIp(logServerIp);
+        serverInfoSupplier.setLogApplicationName(logApplicationName, appName);
+
+        String eventTypeMsg = eventTypeSupplier.get().trim();
+        String userInfoMsg = userInfoSupplier.get().trim();
+        String clientInfoMsg = clientInfoSupplier.get().trim();
+        String serverInfoMsg = serverInfoSupplier.get().trim();
+        
+        //If both user and client have content, then postfix the semicolon to the userInfoMsg at this point to simplify the StringBuilder operations later.
+        userInfoMsg = (!userInfoMsg.isEmpty() && !clientInfoMsg.isEmpty()) ? userInfoMsg + ":" : userInfoMsg;
+      
+        //If both server has content, then prefix the arrow to the serverInfoMsg at this point to simplify the StringBuilder operations later.
+        serverInfoMsg = (!serverInfoMsg.isEmpty()) ? "-> " + serverInfoMsg: serverInfoMsg;
+
+        String[] optionalPrefixContent = new String[] {userInfoMsg + clientInfoMsg, serverInfoMsg};
+
+        StringBuilder logPrefix = new StringBuilder();
+        //EventType is always appended
+        logPrefix.append(eventTypeMsg);
+        
+        for (String element : optionalPrefixContent) {
+            if (!element.isEmpty()) {
+                logPrefix.append(" ");
+                logPrefix.append(element);
+            }
+        }
+      
+        return String.format(RESULT_FORMAT, logPrefix.toString(), message);
+    }
+}

src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java

@@ -0,0 +1,83 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @created 2019
+ */
+
+package org.owasp.esapi.logging.appender;
+
+import java.util.function.Supplier;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.owasp.esapi.ESAPI;
+
+/**
+ * Supplier which can provide a String representing the server-side connection
+ * information.
+ */
+public class ServerInfoSupplier implements Supplier<String> {
+    /** Whether to log the server connection info. */
+    private boolean logServerIP = true;
+    /** Whether to log the application name. */
+    private boolean logAppName = true;
+    /** The application name to log. */
+    private String applicationName = "";
+
+    /** Reference to the associated logname/module name. */
+    private final String logName;
+
+    /**
+     * Ctr.
+     * 
+     * @param logName Reference to the logName to record as the module information
+     */
+    public ServerInfoSupplier(String logName) {
+        this.logName = logName;
+    }
+
+    @Override
+    public String get() {
+        // log server, port, app name, module name -- server:80/app/module
+        StringBuilder appInfo = new StringBuilder();
+        HttpServletRequest request = ESAPI.currentRequest();
+        if (request != null && logServerIP) {
+            appInfo.append(request.getLocalAddr()).append(":").append(request.getLocalPort());
+        }
+        if (logAppName) {
+            appInfo.append("/").append(applicationName);
+        }
+        appInfo.append("/").append(logName);
+
+        return appInfo.toString();
+    }
+
+    /**
+     * Specify whether the instance should record the server connection info.
+     * 
+     * @param log {@code true} to record
+     */
+    public void setLogServerIp(boolean log) {
+        this.logServerIP = log;
+    }
+
+    /**
+     * Specify whether the instance should record the application name
+     * 
+     * @param log     {@code true} to record
+     * @param appName String to record as the application name
+     */
+    public void setLogApplicationName(boolean log, String appName) {
+        this.logAppName = log;
+        this.applicationName = appName;
+    }
+}