Add more configuration audit logging, including on some encrypted fie…

…lds, and change audit logging so that newValueText and oldValueText are encrypted for encrypted fields
moqui · Oct 1, 2021 · 8e5e122 · 8e5e122
1 parent be2ad5b
commit 8e5e122
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 18 deletions.
diff --git a/framework/entity/BasicEntities.xml b/framework/entity/BasicEntities.xml
@@ -605,19 +605,19 @@ along with this software (see the LICENSE.md file). If not, see
     </entity>
     <entity entity-name="EmailServer" package="moqui.basic.email" use="configuration" cache="true">
         <field name="emailServerId" type="id" is-pk="true"/>
-        <field name="smtpHost" type="text-medium"/>
+        <field name="smtpHost" type="text-medium" enable-audit-log="update"/>
         <field name="smtpPort" type="text-short"/>
         <field name="smtpStartTls" type="text-indicator"/>
         <field name="smtpSsl" type="text-indicator"/>
-        <field name="storeHost" type="text-medium"/>
+        <field name="storeHost" type="text-medium" enable-audit-log="update"/>
         <field name="storePort" type="text-short"/>
         <field name="storeProtocol" type="text-short"/>
         <field name="storeFolder" type="text-medium"><description>Defaults to INBOX</description></field>
         <field name="storeDelete" type="text-indicator"/>
         <field name="storeMarkSeen" type="text-indicator"/>
         <field name="storeSkipSeen" type="text-indicator"/>
-        <field name="mailUsername" type="text-medium"/>
-        <field name="mailPassword" type="text-medium" encrypt="true"/>
+        <field name="mailUsername" type="text-medium" enable-audit-log="update"/>
+        <field name="mailPassword" type="text-medium" encrypt="true" enable-audit-log="update"/>
         <seed-data>
             <!-- The MOQUI_LOCAL EmailServer is used by SubEthaSmtpToolFactory for the local SMTP server to setup the server, and
                 for use by send#EmailTemplate if this emailServerId is used to send email -->
@@ -646,14 +646,17 @@ along with this software (see the LICENSE.md file). If not, see
     <entity entity-name="EmailTemplate" package="moqui.basic.email" use="configuration" short-alias="emailTemplates" cache="true">
         <field name="emailTemplateId" type="id" is-pk="true"/>
         <field name="description" type="text-medium"/>
-        <field name="emailServerId" type="id"/>
+        <field name="emailServerId" type="id" enable-audit-log="update"/>
         <field name="emailTypeEnumId" type="id"/>
-        <field name="fromAddress" type="text-medium"/>
+        <field name="fromAddress" type="text-medium" enable-audit-log="update"/>
         <field name="fromName" type="text-medium"/>
-        <field name="replyToAddresses" type="text-medium"><description>Comma separated list of reply to email addresses</description></field>
-        <field name="bounceAddress" type="text-medium"/>
-        <field name="ccAddresses" type="text-medium"><description>Comma separated list of CC email addresses</description></field>
-        <field name="bccAddresses" type="text-medium"><description>Comma separated list of BCC email addresses</description></field>
+        <field name="replyToAddresses" type="text-medium" enable-audit-log="update">
+            <description>Comma separated list of reply to email addresses</description></field>
+        <field name="bounceAddress" type="text-medium" enable-audit-log="update"/>
+        <field name="ccAddresses" type="text-medium" enable-audit-log="update">
+            <description>Comma separated list of CC email addresses</description></field>
+        <field name="bccAddresses" type="text-medium" enable-audit-log="update">
+            <description>Comma separated list of BCC email addresses</description></field>
         <field name="subject" type="text-long"/>
         <field name="bodyScreenLocation" type="text-medium"/>
         <field name="webappName" type="text-medium"/>

diff --git a/framework/entity/ServiceEntities.xml b/framework/entity/ServiceEntities.xml
@@ -307,8 +307,8 @@ along with this software (see the LICENSE.md file). If not, see
     <entity entity-name="SystemMessageRemote" package="moqui.service.message" use="configuration" cache="true">
         <field name="systemMessageRemoteId" type="id" is-pk="true"/>
         <field name="description" type="text-medium"/>
-        <field name="sendUrl" type="text-medium"/>
-        <field name="receiveUrl" type="text-medium"/>
+        <field name="sendUrl" type="text-medium" enable-audit-log="update"/>
+        <field name="receiveUrl" type="text-medium" enable-audit-log="update"/>
         <field name="remoteCharset" type="text-short"/>
         <field name="remoteAttributes" type="text-indicator"><description>May be useful for other transports, for SFTP servers
             that do not support setting file attributes after put/upload set to N</description></field>
@@ -321,17 +321,19 @@ along with this software (see the LICENSE.md file). If not, see
             service, ie the user should be in a group that has authz for the SystemMessageServices ArtifactGroup such as the
             SYSMSG_RECEIVE user group (see SecurityTypeData.xml).
         </description></field>
-        <field name="password" type="text-medium" encrypt="true">
+        <field name="password" type="text-medium" encrypt="true" enable-audit-log="update">
             <description>Username for basic auth when sending to the remote system.</description></field>
         <field name="publicKey" type="text-long" enable-audit-log="update">
             <description>Public Key for key based authentication, generally RSA PEM format</description></field>
-        <field name="privateKey" type="text-long" encrypt="true">
+        <field name="privateKey" type="text-long" encrypt="true" enable-audit-log="update">
             <description>Private Key for key based authentication, generally RSA PEM PKCS #8 format like OpenSSH</description></field>
         <field name="remotePublicKey" type="text-long" enable-audit-log="update">
             <description>Remote System's Public Key for decryption, signature validation, etc; generally RSA PEM or X.509 Certificate format</description></field>
         <!-- potential future use, restrict receive message: <field name="authorizedIpAddresses" type="text-medium"/> -->
-        <field name="sharedSecret" type="text-medium" encrypt="true"><description>Shared secret for auth on receive and/or sign on send.</description></field>
-        <field name="sendSharedSecret" type="text-medium" encrypt="true"><description>Shared secret for auth on send if different from secret used to authorize on receive.</description></field>
+        <field name="sharedSecret" type="text-medium" encrypt="true" enable-audit-log="update">
+            <description>Shared secret for auth on receive and/or sign on send.</description></field>
+        <field name="sendSharedSecret" type="text-medium" encrypt="true" enable-audit-log="update">
+            <description>Shared secret for auth on send if different from secret used to authorize on receive.</description></field>
         <field name="authHeaderName" type="text-medium"/>
         <field name="messageAuthEnumId" type="id"/>
         <field name="sendAuthEnumId" type="id"><description>If send and receive auth mechanisms are different specify send auth method here</description></field>

diff --git a/framework/src/main/groovy/org/moqui/impl/entity/EntityValueBase.java b/framework/src/main/groovy/org/moqui/impl/entity/EntityValueBase.java
@@ -707,13 +707,27 @@ private void handleAuditLog(boolean isUpdate, LiteStringMap<Object> oldValues, E
                 LinkedHashMap<String, Object> parms = new LinkedHashMap<>();
                 parms.put("changedEntityName", getEntityName());
                 parms.put("changedFieldName", fieldName);
-                parms.put("newValueText", ObjectUtilities.toPlainString(value));
                 if (changeReason != null) parms.put("changeReason", changeReason);
                 parms.put("changedDate", nowTimestamp);
                 parms.put("changedByUserId", ec.getUser().getUserId());
                 parms.put("changedInVisitId", ec.getUser().getVisitId());
                 parms.put("artifactStack", stackNameString);
-                if (oldValue != null) parms.put("oldValueText", ObjectUtilities.toPlainString(oldValue));
+
+                // prep values, encrypt if needed
+                if (value != null) {
+                    String newValueText = ObjectUtilities.toPlainString(value);
+                    if (fieldInfo.encrypt) newValueText = EntityJavaUtil.enDeCrypt(newValueText, true, ec.getEntityFacade());
+                    if (newValueText.length() > 4000) newValueText = newValueText.substring(0, 4000);
+                    parms.put("newValueText", newValueText);
+                }
+                if (oldValue != null) {
+                    String oldValueText = ObjectUtilities.toPlainString(oldValue);
+                    if (fieldInfo.encrypt) oldValueText = EntityJavaUtil.enDeCrypt(oldValueText, true, ec.getEntityFacade());
+                    if (oldValueText.length() > 4000) oldValueText = oldValueText.substring(0, 4000);
+                    parms.put("oldValueText", oldValueText);
+                }
+
+                // set all pk fields by name to support EntityAuditLog extensions for specific pk fields, will usually all get ignored
                 parms.putAll(pksValueMap);
 
                 // logger.warn("TOREMOVE: in handleAuditLog for [${ed.entityName}.${fieldName}] value=[${value}], oldValue=[${oldValue}], oldValues=[${oldValues}]", new Exception("AuditLog location"))