From 4dbb2ecd1d411e71c8fb1bd21e489c823edbae01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philipp=20Sch=C3=BCle?=
Date: Tue, 18 Feb 2025 17:55:27 +0100
Subject: [PATCH] text(Tinebase/MFA+SSO): add auth/validation fail logging
---
tine20/SSO/Controller.php | 26 ++++++++++++++++++++------
tine20/Tinebase/Auth/MFA.php | 7 ++++++-
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/tine20/SSO/Controller.php b/tine20/SSO/Controller.php
index 7a3cd5110f6..5d0f467014d 100644
--- a/tine20/SSO/Controller.php
+++ b/tine20/SSO/Controller.php
@@ -193,8 +193,10 @@ public static function publicAuthorize(): \Psr\Http\Message\ResponseInterface
$request = Tinebase_Core::getContainer()->get(\Psr\Http\Message\RequestInterface::class)
);
} catch (League\OAuth2\Server\Exception\OAuthServerException $oauthException) {
- if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) Tinebase_Core::getLogger()->notice(
- __METHOD__ . '::' . __LINE__ . ' ' . $oauthException->getMessage());
+ if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) {
+ Tinebase_Core::getLogger()->notice(
+ __METHOD__ . '::' . __LINE__ . ' ' . $oauthException->getMessage());
+ }
return new \Laminas\Diactoros\Response('php://memory', 401);
}
@@ -222,7 +224,14 @@ public static function publicAuthorize(): \Psr\Http\Message\ResponseInterface
throw new Tinebase_Exception_Auth_PwdRequired('Wrong username or password!');
}
} catch (Tinebase_Exception_AreaUnlockFailed | Tinebase_Exception_AreaLocked
- | Tinebase_Exception_Auth_PwdRequired | Tinebase_Exception_Auth_Redirect $tea) { // 630 + 631 + 650 + 651
+ | Tinebase_Exception_Auth_PwdRequired | Tinebase_Exception_Auth_Redirect $tea)
+ {
+ // 630 + 631 + 650 + 651
+ if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) {
+ Tinebase_Core::getLogger()->info(
+ __METHOD__ . '::' . __LINE__ . ' ' . $tea->getMessage());
+ }
+
$response = (new \Laminas\Diactoros\Response())->withHeader('content-type', 'application/json');
$response->getBody()->write(json_encode([
'jsonrpc' => '2.0',
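Review bot: The new log line in this catch block records only `$tea->getMessage()`, so an area lock, a failed unlock, a missing password and an auth redirect (not necessarily a failure) are hard to tell apart in the log. Including the exception class would make the entry usable for failed-login monitoring: `__METHOD__ . '::' . __LINE__ . ' ' . get_class($tea) . ': ' . $tea->getMessage());`. The entry is also written at INFO, while the OAuth failure earlier in the same method is logged at NOTICE. An installation logging at NOTICE would therefore miss this entry and the two others the commit adds (`OIDC auth failure` and the one in `Tinebase_Auth_MFA::validate`), so it is worth confirming that INFO is intended. The catch body continues outside the hunk.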
@@ -790,7 +799,7 @@ public static function passwordLessLogin(string $username): bool
}
$idp = null;
- switch(SSO_Config::getInstance()->{SSO_Config::PWD_LESS_LOGIN}) {
+ switch (SSO_Config::getInstance()->{SSO_Config::PWD_LESS_LOGIN}) {
case SSO_Config::PWD_LESS_LOGIN_BOTH:
case SSO_Config::PWD_LESS_LOGIN_ONLY_LOCAL:
$account = null;
@@ -888,8 +897,10 @@ public static function publicOidAuthResponse(): \Psr\Http\Message\ResponseInterf
// TODO FIXME check if we should create!
if (!isset($data->email) || !($pos = strpos($data->email, '@'))) {
- if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) Tinebase_Core::getLogger()
- ->notice(__METHOD__ . '::' . __LINE__ . ' external idp did not send us an email address to work with');
+ if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) {
+ Tinebase_Core::getLogger()
+ ->notice(__METHOD__ . '::' . __LINE__ . ' external idp did not send us an email address to work with');
+ }
return static::publicOidAuthResponseErrorRedirect($authRequest);
}
$loginName = substr($data->email, 0, $pos);
@@ -939,6 +950,9 @@ public static function publicOidAuthResponse(): \Psr\Http\Message\ResponseInterf
}
return new \Laminas\Diactoros\Response('php://memory', 302, ['Location' => Tinebase_Core::getUrl()]);
+ } else if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) {
+ Tinebase_Core::getLogger()
+ ->info(__METHOD__ . '::' . __LINE__ . ' OIDC auth failure');
}
return static::publicOidAuthResponseErrorRedirect($authRequest);
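Review bot: The added `} else if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) {` makes the log-level test a branch of the authentication outcome, so any code later added under an `else` here would run only when INFO logging is off. Keeping the two concerns apart reads more safely: `} else {` followed by a nested `if (Tinebase_Core::isLogLevel(Zend_Log::INFO)) { ... }`. The message `' OIDC auth failure'` also names neither the identity provider nor the login being attempted, which limits its use for correlating repeated failures. If `$loginName` is still in scope at this point (the hunk does not show it), appending it would help. The enclosing `if` starts outside the hunk.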
diff --git a/tine20/Tinebase/Auth/MFA.php b/tine20/Tinebase/Auth/MFA.php
index b8a6097f4bc..5f887386c47 100644
--- a/tine20/Tinebase/Auth/MFA.php
+++ b/tine20/Tinebase/Auth/MFA.php
@@ -63,7 +63,12 @@ public function sendOut(Tinebase_Model_MFA_UserConfig $_userCfg): bool
public function validate($_data, Tinebase_Model_MFA_UserConfig $_userCfg): bool
{
try {
- return $this->_adapter->validate($_data, $_userCfg);
+ $result = $this->_adapter->validate($_data, $_userCfg);
+ if (!$result && Tinebase_Core::isLogLevel(Zend_Log::INFO)) {
+ Tinebase_Core::getLogger()
+ ->info(__METHOD__ . '::' . __LINE__ . ' MFA validation failure for ' . $_userCfg->getTitle());
+ }
+ return $result;
} catch (Tinebase_Exception $e) {
$e->setLogToSentry(false);
$e->setLogLevelMethod('notice');
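Review bot: The failure entry identifies the MFA config only by `$_userCfg->getTitle()`, which looks like a display label. If that title is user-editable or not unique (not visible from this hunk), the entry cannot be attributed reliably and free text reaches the log unsanitised. Consider logging a stable identifier alongside or instead, for example `' MFA validation failure for config ' . $_userCfg->getId()`, assuming the record exposes its id that way. Validation errors raised as `Tinebase_Exception` take the catch path and are not covered by this message. The catch block continues outside the hunk.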