
feature: Improved auth log messages (#476)

James Read 1 tahun lalu
655a7f205d

+ 6 - 0
OliveTin.proto

@@ -155,6 +155,12 @@ message WhoAmIRequest {}
 
 message WhoAmIResponse {
 	string authenticated_user = 1;
+    string usergroup = 2;
+    string provider = 3;
+
+    repeated string acls = 4;
+
+    string sid = 5;
 }
 
 message SosReportRequest {}
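Review bot: The five new fields are indented with four spaces while the existing `authenticated_user` line directly above them uses a tab; match the file's tab indentation so the message body reads consistently. Separately, `sid` places the caller's session identifier into a response body; it is the client's own token, but WhoAmI responses are the kind of thing proxies log and browser tooling displays, so either add a field comment such as `// sid is the caller's own session identifier; responses carrying it should be treated as sensitive.` if the UI needs it, or leave the field out if nothing consumes it.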

+ 5 - 5
internal/acl/acl.go

@@ -30,7 +30,7 @@ type AuthenticatedUser struct {
 	Provider string
 	SID      string
 
-	acls []string
+	Acls []string
 }
 
 func (u *AuthenticatedUser) IsGuest() bool {
@@ -166,7 +166,7 @@ func UserFromContext(ctx context.Context, cfg *config.Config) *AuthenticatedUser
 		"username":  ret.Username,
 		"usergroup": ret.Usergroup,
 		"provider":  ret.Provider,
-		"acls":      ret.acls,
+		"acls":      ret.Acls,
 	}).Debugf("UserFromContext")
 
 	return ret
@@ -198,12 +198,12 @@ func UserFromSystem(cfg *config.Config, username string) *AuthenticatedUser {
 func buildUserAcls(cfg *config.Config, user *AuthenticatedUser) {
 	for _, acl := range cfg.AccessControlLists {
 		if slices.Contains(acl.MatchUsernames, user.Username) {
-			user.acls = append(user.acls, acl.Name)
+			user.Acls = append(user.Acls, acl.Name)
 			continue
 		}
 
 		if slices.Contains(acl.MatchUsergroups, user.Usergroup) {
-			user.acls = append(user.acls, acl.Name)
+			user.Acls = append(user.Acls, acl.Name)
 			continue
 
 		}
@@ -211,7 +211,7 @@ func buildUserAcls(cfg *config.Config, user *AuthenticatedUser) {
 }
 
 func isACLRelevantToAction(cfg *config.Config, actionAcls []string, acl *config.AccessControlList, user *AuthenticatedUser) bool {
-	if !slices.Contains(user.acls, acl.Name) {
+	if !slices.Contains(user.Acls, acl.Name) {
 		// If the user does not have this ACL, then it is not relevant
 
 		return false
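Review bot: Exporting `Acls` turns the list that `isACLRelevantToAction` relies on for its authorization decision into a field any package can assign to or append to; the rename is needed so grpcApi can read it, but an accessor such as `func (u *AuthenticatedUser) ACLs() []string { return slices.Clone(u.acls) }` would give the API and logging callers read access without widening who can mutate the list (`slices` is already in scope in this file). If the exported field stays, a comment on it like `// Acls is populated by buildUserAcls and consulted for authorization; do not modify it outside this package.` would at least record the intent. buildUserAcls and UserFromContext both start and end outside their hunks.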

+ 19 - 1
internal/grpcapi/grpcApi.go

@@ -116,6 +116,14 @@ func (api *oliveTinAPI) LocalUserLogin(ctx ctx.Context, req *pb.LocalUserLoginRe
 	if match {
 		header := metadata.Pairs("set-user", req.Username)
 		grpc.SendHeader(ctx, header)
+
+		log.WithFields(log.Fields{
+			"username": req.Username,
+		}).Info("LocalUserLogin: User logged in successfully.")
+	} else {
+		log.WithFields(log.Fields{
+			"username": req.Username,
+		}).Warn("LocalUserLogin: User login failed.")
 	}
 
 	return &pb.LocalUserLoginResponse{
@@ -303,7 +311,13 @@ func (api *oliveTinAPI) GetDashboardComponents(ctx ctx.Context, req *pb.GetDashb
 	res := buildDashboardResponse(api.executor, cfg, user)
 
 	if len(res.Actions) == 0 {
-		log.Warn("Zero actions found - check that you have some actions defined, with a view permission")
+		log.WithFields(log.Fields{
+			"username":         user.Username,
+			"usergroup":        user.Usergroup,
+			"provider":         user.Provider,
+			"acls":             user.Acls,
+			"availableActions": len(cfg.Actions),
+		}).Warn("Zero actions found for user")
 	}
 
 	log.Tracef("GetDashboardComponents: %v", res)
@@ -364,6 +378,10 @@ func (api *oliveTinAPI) WhoAmI(ctx ctx.Context, req *pb.WhoAmIRequest) (*pb.WhoA
 
 	res := &pb.WhoAmIResponse{
 		AuthenticatedUser: user.Username,
+		Usergroup:         user.Usergroup,
+		Provider:          user.Provider,
+		Sid:               user.SID,
+		Acls:              user.Acls,
 	}
 
 	log.Warnf("usergroup: %v", user.Usergroup)
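Review bot: A failed local login now produces two Warn lines for one event, because `checkUserPassword` in local_user_login.go already warns about the mismatch or unknown username before `match` comes back false here; keep the per-cause warning in checkUserPassword and drop the `else` branch, or lower one of the two, so that a rule alerting on `LocalUserLogin: User login failed.` does not double count. The failure line also carries only the username; a detection rule for password guessing needs the source address, which `peer.FromContext(ctx)` can supply if the grpc peer package is imported here. In the WhoAmI hunk, `log.Warnf("usergroup: %v", user.Usergroup)` is still emitted at Warn level on every normal request and reads as leftover debugging next to the new structured fields; `log.Debugf` or the WithFields form used elsewhere in this commit would fit better. All three enclosing functions start and end outside their hunks.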

+ 10 - 0
internal/grpcapi/local_user_login.go

@@ -44,9 +44,19 @@ func checkUserPassword(cfg *config.Config, username, password string) bool {
 
 			if match {
 				return true
+			} else {
+				log.WithFields(log.Fields{
+					"username": username,
+				}).Warn("Password does not match for user")
+
+				return false
 			}
 		}
 	}
 
+	log.WithFields(log.Fields{
+		"username": username,
+	}).Warn("Failed to check password for user, as username was not found")
+
 	return false
 }
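Review bot: The new `else` branch returns false as soon as the first entry with a matching username fails the password check, whereas the old code fell through and kept iterating; if the local user list can hold the same username more than once this is a behaviour change worth confirming, and if it cannot, the early return is fine but the `else` after `return true` should become a plain block per Go style: `if match { return true }` followed by the warning and `return false`. The two distinct warnings make the failure cause clear in the server log while the caller still only sees `false`, so the cause does not reach the client. checkUserPassword starts outside the hunk, so the loop and the comparison that sets `match` are not visible here.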

+ 4 - 1
internal/httpservers/restapi_auth_local.go

@@ -24,7 +24,10 @@ func parseLocalUserCookie(req *http.Request) (string, string, string) {
 	username, ok := localUserSessions[cookieValue]
 
 	if !ok {
-		log.Warnf("Could not find local user session: %v", cookieValue)
+		log.WithFields(log.Fields{
+			"sid":      cookieValue,
+			"provider": "local",
+		}).Warnf("Stale session")
 		return "", "", ""
 	}
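Review bot: `Warnf("Stale session")` has no format verbs, so `log.Warn("Stale session")` is the right call; the same applies to the matching hunk in parseOAuth2Cookie in restapi_auth_oauth2.go. The `sid` field writes the full cookie value into the log, as the old Warnf did; a stale identifier is less sensitive than a live one, but if the log is retained or shipped elsewhere, logging a truncated prefix or a hash of the value gives the same correlation ability without storing the token itself. parseLocalUserCookie starts outside the hunk.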
 

+ 5 - 1
internal/httpservers/restapi_auth_oauth2.go

@@ -261,7 +261,11 @@ func parseOAuth2Cookie(r *http.Request) (string, string, string) {
 	serverState, found := registeredStates[cookie.Value]
 
 	if !found {
-		log.Warnf("Failed to find OAuth2 state: %v", cookie.Value)
+		log.WithFields(log.Fields{
+			"sid":      cookie.Value,
+			"provider": "oauth2",
+		}).Warnf("Stale session")
+
 		return "", "", cookie.Value
 	}