Merge branch 'pu/ps/rt/245460' into '2024.11'

text(Tinebase/MFA+SSO): add auth/validation fail logging See merge request tine20/tine20!6606
tine-groupware · Feb 19, 2025 · 78305fc · 78305fc
2 parents 78cc7a9 + 4dbb2ec
commit 78305fc
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/tine20/SSO/Controller.php b/tine20/SSO/Controller.php
@@ -193,8 +193,10 @@ public static function publicAuthorize(): \Psr\Http\Message\ResponseInterface
                 $request = Tinebase_Core::getContainer()->get(\Psr\Http\Message\RequestInterface::class)
             );
         } catch (League\OAuth2\Server\Exception\OAuthServerException $oauthException) {
-            if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) Tinebase_Core::getLogger()->notice(
-                __METHOD__ . '::' . __LINE__ . ' ' . $oauthException->getMessage());
+            if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) {
+                Tinebase_Core::getLogger()->notice(
+                    __METHOD__ . '::' . __LINE__ . ' ' . $oauthException->getMessage());
+            }
             return new \Laminas\Diactoros\Response('php://memory', 401);
         }
 
@@ -222,7 +224,14 @@ public static function publicAuthorize(): \Psr\Http\Message\ResponseInterface
                     throw new Tinebase_Exception_Auth_PwdRequired('Wrong username or password!');
                 }
             } catch (Tinebase_Exception_AreaUnlockFailed | Tinebase_Exception_AreaLocked
-                    | Tinebase_Exception_Auth_PwdRequired | Tinebase_Exception_Auth_Redirect $tea) { // 630 + 631 + 650 + 651
+                    | Tinebase_Exception_Auth_PwdRequired | Tinebase_Exception_Auth_Redirect $tea)
+            {
+                // 630 + 631 + 650 + 651
+                if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) {
+                    Tinebase_Core::getLogger()->info(
+                        __METHOD__ . '::' . __LINE__ . ' ' . $tea->getMessage());
+                }
+
                 $response = (new \Laminas\Diactoros\Response())->withHeader('content-type', 'application/json');
                 $response->getBody()->write(json_encode([
                     'jsonrpc' => '2.0',
@@ -790,7 +799,7 @@ public static function passwordLessLogin(string $username): bool
         }
 
         $idp = null;
-        switch(SSO_Config::getInstance()->{SSO_Config::PWD_LESS_LOGIN}) {
+        switch (SSO_Config::getInstance()->{SSO_Config::PWD_LESS_LOGIN}) {
             case SSO_Config::PWD_LESS_LOGIN_BOTH:
             case SSO_Config::PWD_LESS_LOGIN_ONLY_LOCAL:
                 $account = null;
@@ -888,8 +897,10 @@ public static function publicOidAuthResponse(): \Psr\Http\Message\ResponseInterf
                 // TODO FIXME check if we should create!
 
                 if (!isset($data->email) || !($pos = strpos($data->email, '@'))) {
-                    if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) Tinebase_Core::getLogger()
-                        ->notice(__METHOD__ . '::' . __LINE__ . ' external idp did not send us an email address to work with');
+                    if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) {
+                        Tinebase_Core::getLogger()
+                            ->notice(__METHOD__ . '::' . __LINE__ . ' external idp did not send us an email address to work with');
+                    }
                     return static::publicOidAuthResponseErrorRedirect($authRequest);
                 }
                 $loginName = substr($data->email, 0, $pos);
@@ -939,6 +950,9 @@ public static function publicOidAuthResponse(): \Psr\Http\Message\ResponseInterf
             }
 
             return new \Laminas\Diactoros\Response('php://memory', 302, ['Location' => Tinebase_Core::getUrl()]);
+        } else if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) {
+            Tinebase_Core::getLogger()
+                ->info(__METHOD__ . '::' . __LINE__ . ' OIDC auth failure');
         }
 
         return static::publicOidAuthResponseErrorRedirect($authRequest);

diff --git a/tine20/Tinebase/Auth/MFA.php b/tine20/Tinebase/Auth/MFA.php
@@ -63,7 +63,12 @@ public function sendOut(Tinebase_Model_MFA_UserConfig $_userCfg): bool
     public function validate($_data, Tinebase_Model_MFA_UserConfig $_userCfg): bool
     {
         try {
-            return $this->_adapter->validate($_data, $_userCfg);
+            $result = $this->_adapter->validate($_data, $_userCfg);
+            if (!$result && Tinebase_Core::isLogLevel(Zend_Log::INFO)) {
+                Tinebase_Core::getLogger()
+                    ->info(__METHOD__ . '::' . __LINE__ . ' MFA validation failure for ' . $_userCfg->getTitle());
+            }
+            return $result;
         } catch (Tinebase_Exception $e) {
             $e->setLogToSentry(false);
             $e->setLogLevelMethod('notice');