cloudfoundry · ikasarov · Aug 11, 2025 · Jul 3, 2025
diff --git a/...ps-controller-core/src/main/java/org/cloudfoundry/multiapps/controller/core/Messages.java b/...ps-controller-core/src/main/java/org/cloudfoundry/multiapps/controller/core/Messages.java
@@ -244,6 +244,14 @@ public final class Messages {
 
     public static final String FETCH_TOKEN_AUDIT_LOG_CONFIG = "Access token fetch";
 
+    public static final String READ_ENV = "Read {0} = \"{1}\" for space with id: {2}";
+
+    public static final String SUBSCRIPTION_CREATE = "Create configuration-subscription in space with id: {0}";
+    public static final String SUBSCRIPTION_UPDATE = "Update configuration-subscription in space with id: {0}";
+
+    public static final String ENTRY_CREATE = "Create configuration-entry in space with id: {0}";
+    public static final String ENTRY_UPDATE = "Update configuration-entry in space with id: {0}";
+
     // Audit log configuration
     public static final String GET_CSRF_TOKEN_AUDIT_LOG_CONFIG = "CSRF token get ";
 
@@ -267,6 +275,14 @@ public final class Messages {
     public static final String MTA_INFO_AUDIT_LOG_CONFIG = "MTA info";
     public static final String MTA_LIST_AUDIT_LOG_CONFIG = "MTA list";
 
+    public static final String ENVIRONMENT_VARIABLE_READ_AUDIT_LOG_CONFIG = "Environment variable read";
+
+    public static final String SUBSCRIPTION_CREATE_AUDIT_LOG_CONFIG = "Configuration subscription create";
+    public static final String SUBSCRIPTION_UPDATE_AUDIT_LOG_CONFIG = "Configuration subscription update";
+
+    public static final String ENTRY_CREATE_AUDIT_LOG_CONFIG = "Configuration entry create";
+    public static final String ENTRY_UPDATE_AUDIT_LOG_CONFIG = "Configuration entry update";
+
     public static final String API_INFO_AUDIT_LOG_CONFIG = "Api info";
     public static final String IGNORING_NAMESPACE_PARAMETERS = "Ignoring parameter \"{0}\" , as the MTA is not deployed with namespace!";
     public static final String NAMESPACE_PARSING_ERROR_MESSAGE = "Cannot parse \"{0}\" flag - expected a boolean format.";

diff --git a/...cloudfoundry/multiapps/controller/core/auditlogging/ApplicationConfigurationAuditLog.java b/...cloudfoundry/multiapps/controller/core/auditlogging/ApplicationConfigurationAuditLog.java
@@ -0,0 +1,22 @@
+package org.cloudfoundry.multiapps.controller.core.auditlogging;
+
+import java.text.MessageFormat;
+
+import org.cloudfoundry.multiapps.controller.core.Messages;
+import org.cloudfoundry.multiapps.controller.core.auditlogging.model.AuditLogConfiguration;
+
+public class ApplicationConfigurationAuditLog {
+
+    private final AuditLoggingFacade auditLoggingFacade;
+
+    public ApplicationConfigurationAuditLog(AuditLoggingFacade auditLoggingFacade) {
+        this.auditLoggingFacade = auditLoggingFacade;
+    }
+
+    public void logEnvironmentVariableRead(String envVariableName, String value, String spaceGuid) {
+        String performedAction = MessageFormat.format(Messages.READ_ENV, envVariableName, value, spaceGuid);
+        auditLoggingFacade.logDataAccessAuditLog(new AuditLogConfiguration(spaceGuid,
+                                                                           performedAction,
+                                                                           Messages.ENVIRONMENT_VARIABLE_READ_AUDIT_LOG_CONFIG));
+    }
+}
diff --git a/...e/src/main/java/org/cloudfoundry/multiapps/controller/core/auditlogging/AuditLogBean.java b/...e/src/main/java/org/cloudfoundry/multiapps/controller/core/auditlogging/AuditLogBean.java
@@ -1,12 +1,12 @@
 package org.cloudfoundry.multiapps.controller.core.auditlogging;
 
+import javax.sql.DataSource;
+
+import jakarta.inject.Inject;
 import org.cloudfoundry.multiapps.controller.core.auditlogging.impl.AuditLoggingFacadeSLImpl;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
-import jakarta.inject.Inject;
-import javax.sql.DataSource;
-
 @Configuration
 public class AuditLogBean {
 
@@ -57,4 +57,16 @@ public OperationsApiServiceAuditLog buildOperationsApiServiceAuditLog(AuditLoggi
     public MtaConfigurationPurgerAuditLog buildMtaConfigurationPurgerAuditLog(AuditLoggingFacade auditLoggingFacade) {
         return new MtaConfigurationPurgerAuditLog(auditLoggingFacade);
     }
+
+    @Bean
+    @Inject
+    public ConfigurationSubscriptionServiceAuditLog buildAConfigurationSubscriptionServiceAuditLog(AuditLoggingFacade auditLoggingFacade) {
+        return new ConfigurationSubscriptionServiceAuditLog(auditLoggingFacade);
+    }
+
+    @Bean
+    @Inject
+    public ConfigurationEntryServiceAuditLog buildAConfigurationEntryServiceAuditLog(AuditLoggingFacade auditLoggingFacade) {
+        return new ConfigurationEntryServiceAuditLog(auditLoggingFacade);
+    }
 }
diff --git a/...main/java/org/cloudfoundry/multiapps/controller/core/auditlogging/AuditLoggingFacade.java b/...main/java/org/cloudfoundry/multiapps/controller/core/auditlogging/AuditLoggingFacade.java
@@ -1,11 +1,20 @@
 package org.cloudfoundry.multiapps.controller.core.auditlogging;
 
-import org.cloudfoundry.multiapps.controller.core.auditlogging.model.ConfigurationChangeActions;
 import org.cloudfoundry.multiapps.controller.core.auditlogging.model.AuditLogConfiguration;
+import org.cloudfoundry.multiapps.controller.core.auditlogging.model.ConfigurationChangeActions;
+import org.cloudfoundry.multiapps.mta.model.AuditableConfiguration;
 
 public interface AuditLoggingFacade {
 
     void logSecurityIncident(AuditLogConfiguration configuration);
+
     void logDataAccessAuditLog(AuditLogConfiguration configuration);
+
     void logConfigurationChangeAuditLog(AuditLogConfiguration configuration, ConfigurationChangeActions configurationAction);
+
+    void logConfigurationChangeAuditLog(AuditLogConfiguration configuration,
+                                        ConfigurationChangeActions configurationAction,
+                                        AuditableConfiguration oldValue,
+                                        AuditableConfiguration newValue);
+
 }
diff --git a/...loudfoundry/multiapps/controller/core/auditlogging/ConfigurationEntryServiceAuditLog.java b/...loudfoundry/multiapps/controller/core/auditlogging/ConfigurationEntryServiceAuditLog.java
@@ -0,0 +1,71 @@
+package org.cloudfoundry.multiapps.controller.core.auditlogging;
+
+import java.text.MessageFormat;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+import org.cloudfoundry.multiapps.controller.core.Messages;
+import org.cloudfoundry.multiapps.controller.core.auditlogging.model.AuditLogConfiguration;
+import org.cloudfoundry.multiapps.controller.core.auditlogging.model.ConfigurationChangeActions;
+import org.cloudfoundry.multiapps.controller.persistence.model.ConfigurationEntry;
+
+public class ConfigurationEntryServiceAuditLog {
+
+    private static final String PROVIDER_ID_PROPERTY_NAME = "providerId";
+    private static final String PROVIDER_NID_PROPERTY_NAME = "providerNid";
+    private static final String PROVIDER_VERSION_PROPERTY_NAME = "providerVersion";
+    private static final String PROVIDER_NAMESPACE_PROPERTY_NAME = "providerNamespace";
+    private static final String PROVIDER_TARGET_PROPERTY_NAME = "providerTarget";
+    private static final String PROVIDER_CONTENT_PROPERTY_NAME = "providerContent";
+    private static final String PROVIDER_CONTENT_ID_PROPERTY_NAME = "providerContentId";
+
+    private static final String PROVIDER_TARGET_TEMPLATE = "{0}/{1}";
+
+    private final AuditLoggingFacade auditLoggingFacade;
+
+    public ConfigurationEntryServiceAuditLog(AuditLoggingFacade auditLoggingFacade) {
+        this.auditLoggingFacade = auditLoggingFacade;
+    }
+
+    public void logAddConfigurationEntry(String username, String spaceGuid, ConfigurationEntry entry) {
+        String performedAction = MessageFormat.format(Messages.ENTRY_CREATE, spaceGuid);
+        auditLoggingFacade.logConfigurationChangeAuditLog(new AuditLogConfiguration(username,
+                                                                                    spaceGuid,
+                                                                                    performedAction,
+                                                                                    Messages.ENTRY_CREATE_AUDIT_LOG_CONFIG,
+                                                                                    buildAddConfigEntryParameters(entry)),
+                                                          ConfigurationChangeActions.CONFIGURATION_CREATE);
+    }
+
+    public void logUpdateConfigurationEntry(String username, String spaceGuid, ConfigurationEntry oldEntry, ConfigurationEntry newEntry) {
+        String performedAction = MessageFormat.format(Messages.ENTRY_UPDATE, spaceGuid);
+
+        auditLoggingFacade.logConfigurationChangeAuditLog(new AuditLogConfiguration(username,
+                                                                                    spaceGuid,
+                                                                                    performedAction,
+                                                                                    Messages.ENTRY_UPDATE_AUDIT_LOG_CONFIG),
+                                                          ConfigurationChangeActions.CONFIGURATION_UPDATE, oldEntry, newEntry);
+
+    }
+
+    private Map<String, String> buildAddConfigEntryParameters(ConfigurationEntry entry) {
+        Map<String, String> identifiers = new HashMap<>();
+        String providerTarget = MessageFormat.format(PROVIDER_TARGET_TEMPLATE,
+                                                     entry.getTargetSpace()
+                                                          .getOrganizationName(),
+                                                     entry.getTargetSpace()
+                                                          .getSpaceName());
+
+        identifiers.put(PROVIDER_ID_PROPERTY_NAME, entry.getProviderId());
+        identifiers.put(PROVIDER_NID_PROPERTY_NAME, entry.getProviderNid());
+        identifiers.put(PROVIDER_VERSION_PROPERTY_NAME, Objects.toString(entry.getProviderVersion()));
+        identifiers.put(PROVIDER_NAMESPACE_PROPERTY_NAME, entry.getProviderNamespace());
+        identifiers.put(PROVIDER_TARGET_PROPERTY_NAME, providerTarget);
+        identifiers.put(PROVIDER_CONTENT_PROPERTY_NAME, entry.getContent());
+        identifiers.put(PROVIDER_CONTENT_ID_PROPERTY_NAME, entry.getContentId());
+
+        return identifiers;
+    }
+
+}
diff --git a/...ndry/multiapps/controller/core/auditlogging/ConfigurationSubscriptionServiceAuditLog.java b/...ndry/multiapps/controller/core/auditlogging/ConfigurationSubscriptionServiceAuditLog.java
@@ -0,0 +1,58 @@
+package org.cloudfoundry.multiapps.controller.core.auditlogging;
+
+import java.text.MessageFormat;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.cloudfoundry.multiapps.controller.core.Messages;
+import org.cloudfoundry.multiapps.controller.core.auditlogging.model.AuditLogConfiguration;
+import org.cloudfoundry.multiapps.controller.core.auditlogging.model.ConfigurationChangeActions;
+import org.cloudfoundry.multiapps.controller.persistence.model.ConfigurationSubscription;
+
+public class ConfigurationSubscriptionServiceAuditLog {
+
+    private static final String SUBSCRIPTION_ID_PROPERTY_NAME = "subscriptionId";
+    private static final String APPLICATION_ID_PROPERTY_NAME = "applicationId";
+    private static final String MTA_ID_PROPERTY_NAME = "mtaId";
+
+    private final AuditLoggingFacade auditLoggingFacade;
+
+    public ConfigurationSubscriptionServiceAuditLog(AuditLoggingFacade auditLoggingFacade) {
+        this.auditLoggingFacade = auditLoggingFacade;
+    }
+
+    public void logAddConfigurationSubscription(String username, String spaceGuid, ConfigurationSubscription subscription) {
+        String performedAction = MessageFormat.format(Messages.SUBSCRIPTION_CREATE, spaceGuid);
+        auditLoggingFacade.logConfigurationChangeAuditLog(new AuditLogConfiguration(username,
+                                                                                    spaceGuid,
+                                                                                    performedAction,
+                                                                                    Messages.SUBSCRIPTION_CREATE_AUDIT_LOG_CONFIG,
+                                                                                    buildAddConfigSubscriptionParameters(
+                                                                                        subscription)),
+                                                          ConfigurationChangeActions.CONFIGURATION_CREATE);
+    }
+
+    public void logUpdateConfigurationSubscription(String username, String spaceGuid, ConfigurationSubscription oldSubscription,
+                                                   ConfigurationSubscription updatedSubscription) {
+
+        String performedAction = MessageFormat.format(Messages.SUBSCRIPTION_UPDATE, spaceGuid);
+
+        auditLoggingFacade.logConfigurationChangeAuditLog(new AuditLogConfiguration(username,
+                                                                                    spaceGuid,
+                                                                                    performedAction,
+                                                                                    Messages.SUBSCRIPTION_UPDATE_AUDIT_LOG_CONFIG),
+                                                          ConfigurationChangeActions.CONFIGURATION_UPDATE, oldSubscription,
+                                                          updatedSubscription);
+    }
+
+    private Map<String, String> buildAddConfigSubscriptionParameters(ConfigurationSubscription subscription) {
+        Map<String, String> identifiers = new HashMap<>();
+
+        identifiers.put(APPLICATION_ID_PROPERTY_NAME, subscription.getAppName());
+        identifiers.put(MTA_ID_PROPERTY_NAME, subscription.getMtaId());
+        identifiers.put(SUBSCRIPTION_ID_PROPERTY_NAME, String.valueOf(subscription.getId()));
+
+        return identifiers;
+    }
+
+}
diff --git a/...rg/cloudfoundry/multiapps/controller/core/auditlogging/impl/AuditLoggingFacadeSLImpl.java b/...rg/cloudfoundry/multiapps/controller/core/auditlogging/impl/AuditLoggingFacadeSLImpl.java
@@ -1,5 +1,7 @@
 package org.cloudfoundry.multiapps.controller.core.auditlogging.impl;
 
+import javax.sql.DataSource;
+
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.core.Logger;
@@ -8,8 +10,7 @@
 import org.cloudfoundry.multiapps.controller.core.auditlogging.UserInfoProvider;
 import org.cloudfoundry.multiapps.controller.core.auditlogging.model.AuditLogConfiguration;
 import org.cloudfoundry.multiapps.controller.core.auditlogging.model.ConfigurationChangeActions;
-
-import javax.sql.DataSource;
+import org.cloudfoundry.multiapps.mta.model.AuditableConfiguration;
 
 public class AuditLoggingFacadeSLImpl implements AuditLoggingFacade {
 
@@ -35,6 +36,14 @@ public void logConfigurationChangeAuditLog(AuditLogConfiguration configuration,
         writeMessage(auditLogManager.getConfigLogger(), configuration.getPerformedAction(), Level.WARN);
     }
 
+    @Override
+    public void logConfigurationChangeAuditLog(AuditLogConfiguration configuration,
+                                               ConfigurationChangeActions configurationAction,
+                                               AuditableConfiguration oldValue,
+                                               AuditableConfiguration newValue) {
+        writeMessage(auditLogManager.getConfigLogger(), configuration.getPerformedAction(), Level.WARN);
+    }
+
     private void writeMessage(Logger logger, String message, Level level) {
         Exception loggingException = null;
         synchronized (auditLogManager) {

diff --git a/.../org/cloudfoundry/multiapps/controller/core/auditlogging/model/AuditLogConfiguration.java b/.../org/cloudfoundry/multiapps/controller/core/auditlogging/model/AuditLogConfiguration.java
@@ -3,8 +3,6 @@
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Date;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -36,6 +34,10 @@ public AuditLogConfiguration(String userId, String spaceId, String performedActi
         this.parameters = parameters;
     }
 
+    public AuditLogConfiguration(String spaceId, String performedAction, String configuration) {
+        this(null, spaceId, performedAction, configuration);
+    }
+
     public String getPerformedAction() {
         return performedAction;
     }
@@ -59,7 +61,8 @@ public String getUserId() {
     }
 
     public String getTimeOfPerformedAction() {
-        return LocalDateTime.now().toString();
+        return LocalDateTime.now()
+                            .toString();
     }
 
     @Override

diff --git a/...main/java/org/cloudfoundry/multiapps/controller/core/liquibase/RecoveringLockService.java b/...main/java/org/cloudfoundry/multiapps/controller/core/liquibase/RecoveringLockService.java
@@ -1,18 +1,17 @@
 package org.cloudfoundry.multiapps.controller.core.liquibase;
 
-import static java.text.MessageFormat.format;
-
 import java.util.Date;
 import java.util.concurrent.TimeUnit;
 
+import liquibase.exception.LockException;
+import liquibase.lockservice.DatabaseChangeLogLock;
+import liquibase.lockservice.StandardLockService;
 import org.cloudfoundry.multiapps.controller.core.Messages;
 import org.cloudfoundry.multiapps.controller.core.util.ApplicationConfiguration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import liquibase.exception.LockException;
-import liquibase.lockservice.DatabaseChangeLogLock;
-import liquibase.lockservice.StandardLockService;
+import static java.text.MessageFormat.format;
 
 public class RecoveringLockService extends StandardLockService {
 
@@ -31,7 +30,7 @@ public RecoveringLockService() {
     @Override
     public int getPriority() {
         return super.getPriority() + 1; // Liquibase chooses which LockService to use based on its priority. This line makes sure that our
-                                        // custom lock service has a higher priority than the standard one (which it extends).
+        // custom lock service has a higher priority than the standard one (which it extends).
     }
 
     @Override