From b91927c48cdb9ddd85a62255d078d48cef81cc27 Mon Sep 17 00:00:00 2001 From: Will Abson Date: Wed, 3 Sep 2014 15:12:17 +0000 Subject: [PATCH] Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud) 79033: Merged V4.2-BUG-FIX (4.2.4) to HEAD-BUG-FIX (5.0/Cloud) 78970: Merged DEV to V4.2-BUG-FIX (4.2.4) 78847: MNT-11760 : No auditing entries generated for failed logins with audit.alfresco-access.enabled=true configured Fixed audit logging for failed logins. 78848: MNT-11760 : No auditing entries generated for failed logins with audit.alfresco-access.enabled=true configured Fixed tests to highlight the issue. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@82681 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../org/alfresco/repo/audit/AuditComponent.java | 13 +++++++++++++ .../alfresco/repo/audit/AuditComponentImpl.java | 14 +++++++++----- .../repo/audit/AuditMethodInterceptor.java | 15 +++++++++++++-- .../alfresco/repo/audit/AuditComponentTest.java | 9 +++++++-- 4 files changed, 42 insertions(+), 9 deletions(-) diff --git a/source/java/org/alfresco/repo/audit/AuditComponent.java b/source/java/org/alfresco/repo/audit/AuditComponent.java index b2ef856122..cd7152b6df 100644 --- a/source/java/org/alfresco/repo/audit/AuditComponent.java +++ b/source/java/org/alfresco/repo/audit/AuditComponent.java 
@@ -207,6 +207,19 @@ public interface AuditComponent */ Map recordAuditValues(String rootPath, Map values); + /** + * The same as {@link AuditComponent#recordAuditValues(String, Map)}, but with controlled usage of userFilter + * + * @param rootPath a base path of {@link AuditPath} key entries concatenated with the path separator + * '/' ({@link AuditApplication#AUDIT_PATH_SEPARATOR}) + * @param values the values to audit mapped by {@link AuditPath} key relative to root path + * (may be null) + * @param useUserFilter if false the user filter is disabled. + * @return Returns the values that were actually persisted, keyed by their full path. + * @throws IllegalStateException if the transaction state could not be determined + */ + Map recordAuditValuesWithUserFilter(String rootPath, Map values, boolean useUserFilter); + /** * Find audit entries using the given parameters * diff --git a/source/java/org/alfresco/repo/audit/AuditComponentImpl.java b/source/java/org/alfresco/repo/audit/AuditComponentImpl.java index 791ac068a2..ee496c85ef 100644 --- a/source/java/org/alfresco/repo/audit/AuditComponentImpl.java +++ b/source/java/org/alfresco/repo/audit/AuditComponentImpl.java 
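Review bot: The Javadoc for `recordAuditValuesWithUserFilter` does not say when a caller may pass `useUserFilter=false`, although doing so records entries for users that the configured filter excludes. I would state the intended use in the parameter description, e.g. `@param useUserFilter if false the configured user filter is bypassed; intended only for auditing failed authentication (MNT-11760)`. The method name reads oddly with `false` (a "with user filter" call that disables the filter), so the description has to carry the meaning. Adding an abstract method to the `AuditComponent` interface also breaks any implementation outside this patch; whether such implementations exist is not visible here.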
@@ -484,17 +484,21 @@ public class AuditComponentImpl implements AuditComponent } } - /** - * {@inheritDoc} - * @since 3.2 - */ + @Override public Map recordAuditValues(String rootPath, Map values) + { + return recordAuditValuesWithUserFilter(rootPath, values, true); + } + + @Override + public Map recordAuditValuesWithUserFilter(String rootPath, Map values, boolean useUserFilter) { ParameterCheck.mandatory("rootPath", rootPath); AuditApplication.checkPathFormat(rootPath); String username = AuthenticationUtil.getFullyAuthenticatedUser(); - if (values == null || values.isEmpty() || !areAuditValuesRequired() || !userAuditFilter.acceptUser(username) || !auditFilter.accept(rootPath, values)) + if (values == null || values.isEmpty() || !areAuditValuesRequired() + || !(userAuditFilter.acceptUser(username) || !useUserFilter) || !auditFilter.accept(rootPath, values)) { return Collections.emptyMap(); } diff --git a/source/java/org/alfresco/repo/audit/AuditMethodInterceptor.java b/source/java/org/alfresco/repo/audit/AuditMethodInterceptor.java index 1d71005f1c..5db543ca3b 100644 --- a/source/java/org/alfresco/repo/audit/AuditMethodInterceptor.java +++ b/source/java/org/alfresco/repo/audit/AuditMethodInterceptor.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2012 Alfresco Software Limited. + * Copyright (C) 2005-2014 Alfresco Software Limited. * * This file is part of Alfresco * @@ -36,6 +36,7 @@ import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.error.StackTraceUtil; import org.alfresco.repo.audit.model.AuditApplication; import org.alfresco.repo.domain.schema.SchemaBootstrap; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback; import org.alfresco.service.Auditable; 
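Review bot: In `recordAuditValuesWithUserFilter`, the clause `!(userAuditFilter.acceptUser(username) || !useUserFilter)` still calls `acceptUser(username)` when the filter is disabled, and the double negation is hard to read. On a failed login `getFullyAuthenticatedUser()` presumably returns null, so the filter is evaluated with a null user even though its result is discarded. Writing the clause as `|| (useUserFilter && !userAuditFilter.acceptUser(username))` is logically equivalent and skips the call. The removed Javadoc (`{@inheritDoc}`, `@since 3.2`) has no replacement, so a short Javadoc with a `@since` tag on the new method would keep that history. The method body continues outside the hunk.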
@@ -517,7 +518,17 @@ public class AuditMethodInterceptor implements MethodInterceptor { public Map execute() throws Throwable { - return auditComponent.recordAuditValues(rootPath, auditData); + // Record thrown exceptions regardless of userFilter in case of failed authentication + // see MNT-11760 + if (thrown instanceof AuthenticationException) + { + return auditComponent.recordAuditValuesWithUserFilter(rootPath, auditData, false); + } + else + { + return auditComponent.recordAuditValues(rootPath, auditData); + } + } }; try diff --git a/source/test-java/org/alfresco/repo/audit/AuditComponentTest.java b/source/test-java/org/alfresco/repo/audit/AuditComponentTest.java index b5f86b2493..98e3cfb008 100644 --- a/source/test-java/org/alfresco/repo/audit/AuditComponentTest.java +++ b/source/test-java/org/alfresco/repo/audit/AuditComponentTest.java @@ -108,7 +108,7 @@ public class AuditComponentTest extends TestCase auditModelRegistry = (AuditModelRegistryImpl) ctx.getBean("auditModel.modelRegistry"); //MNT-10807 : Auditing does not take into account audit.filter.alfresco-access.transaction.user UserAuditFilter userAuditFilter = new UserAuditFilter(); - userAuditFilter.setUserFilterPattern("System;.*"); + userAuditFilter.setUserFilterPattern("~System;~null;.*"); userAuditFilter.afterPropertiesSet(); auditComponent = (AuditComponent) ctx.getBean("auditComponent"); auditComponent.setUserAuditFilter(userAuditFilter); @@ -647,6 +647,7 @@ public class AuditComponentTest extends TestCase { try { + AuthenticationUtil.pushAuthentication(); authenticationService.authenticate("banana", "****".toCharArray()); fail("Invalid authentication attempt should fail"); } @@ -654,6 +655,10 @@ public class AuditComponentTest extends TestCase { // Expected } + finally + { + AuthenticationUtil.popAuthentication(); + } } // ALF-3055 : auditing of failures is now asynchronous, so loop up to 60 times with 
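Review bot: The `thrown instanceof AuthenticationException` check in `execute()` matches only an exception that reaches the interceptor unwrapped, and it applies to every audited method rather than only to login calls. If an authentication failure can arrive as the cause of another exception (not visible in this hunk), those failed logins would still go through the user filter and stay unaudited. Checking the cause chain would close that gap; otherwise document the assumption, e.g. `// Only a directly thrown AuthenticationException bypasses the user filter; wrapped causes are still filtered`. Because these entries are now written for unauthenticated callers regardless of the filter, audit volume follows failed-login traffic and is worth monitoring. The enclosing callback starts and ends outside the hunk.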
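Review bot: In the `@@ -108,7 +108,7 @@` hunk of AuditComponentTest, the comment above the filter setup still cites only MNT-10807, although the new pattern `~System;~null;.*` is what makes the failed-login test depend on the filter bypass. A line such as `// MNT-11760: "~null" rejects the unauthenticated user, so failed logins are audited only when the filter is bypassed` would record why the pattern changed. The meaning of the `~` prefix is inferred from the commit message and the pattern, not shown in the hunk, so confirm it against `UserAuditFilter` before adding the comment.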
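Review bot: In the `@@ -647,6 +647,7 @@` and `@@ -654,6 +655,10 @@` hunks, `AuthenticationUtil.pushAuthentication()` is called inside the `try`, so the `finally` would call `popAuthentication()` even if the push itself failed. Moving `AuthenticationUtil.pushAuthentication();` to the line directly before `try` keeps push and pop strictly paired. The surrounding loop and test method lie outside these hunks.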
@@ -811,7 +816,7 @@ public class AuditComponentTest extends TestCase */ public void testAuditSubordinateCall() throws Exception { - AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getSystemUserName()); + AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser(); AuditQueryParameters params = new AuditQueryParameters(); params.setForward(true);