diff --git a/internal/ftpd/server.go b/internal/ftpd/server.go index 7ce2b8ca..3593a932 100644 --- a/internal/ftpd/server.go +++ b/internal/ftpd/server.go @@ -188,20 +188,18 @@ func (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string) user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolFTP) if err != nil { user.Username = username - updateLoginMetrics(&user, ipAddr, loginMethod, err) + updateLoginMetrics(&user, ipAddr, loginMethod, err, nil) return nil, dataprovider.ErrInvalidCredentials } connection, err := s.validateUser(user, cc, loginMethod) - defer updateLoginMetrics(&user, ipAddr, loginMethod, err) + defer updateLoginMetrics(&user, ipAddr, loginMethod, err, connection) if err != nil { return nil, err } setStartDirectory(user.Filters.StartDirectory, cc) - connection.Log(logger.LevelInfo, "User %q logged in with %q from ip %q, TLS enabled? %t", - user.Username, loginMethod, ipAddr, cc.HasTLSForControl()) dataprovider.UpdateLastLogin(&user) return connection, nil } @@ -246,7 +244,7 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo dbUser, err := dataprovider.CheckUserBeforeTLSAuth(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0]) if err != nil { dbUser.Username = user - updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err) + updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, nil) return nil, dataprovider.ErrInvalidCredentials } if dbUser.IsTLSVerificationEnabled() { @@ -260,14 +258,12 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo if dbUser.IsLoginMethodAllowed(dataprovider.LoginMethodTLSCertificate, common.ProtocolFTP) { connection, err := s.validateUser(dbUser, cc, dataprovider.LoginMethodTLSCertificate) - defer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err) + defer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, connection) if err != nil { return nil, err } setStartDirectory(dbUser.Filters.StartDirectory, cc) - connection.Log(logger.LevelInfo, "User id: %d, logged in with FTP using a TLS certificate, username: %q, home_dir: %q remote addr: %q", - dbUser.ID, dbUser.Username, dbUser.HomeDir, ipAddr) dataprovider.UpdateLastLogin(&dbUser) return connection, nil } @@ -417,9 +413,11 @@ func setStartDirectory(startDirectory string, cc ftpserver.ClientContext) { cc.SetPath(startDirectory) } -func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) { +func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, c *Connection) { metric.AddLoginAttempt(loginMethod) if err == nil { + logger.LoginLog(user.Username, ip, loginMethod, common.ProtocolFTP, c.ID, c.GetClientVersion(), + c.clientContext.HasTLSForControl(), "") plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolFTP, user.Username, ip, "", nil) common.DelayLogin(nil) } else if err != common.ErrInternalFailure { diff --git a/internal/httpd/api_utils.go b/internal/httpd/api_utils.go index 41a8be27..49e51af2 100644 --- a/internal/httpd/api_utils.go +++ b/internal/httpd/api_utils.go @@ -703,7 +703,7 @@ func handleDefenderEventLoginFailed(ipAddr string, err error) error { return err } -func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error) { +func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error, r *http.Request) { metric.AddLoginAttempt(loginMethod) var protocol string switch loginMethod { @@ -713,6 +713,7 @@ func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err err protocol = common.ProtocolHTTP } if err == nil { + logger.LoginLog(user.Username, ip, loginMethod, protocol, "", r.UserAgent(), r.TLS != nil, "") plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, protocol, user.Username, ip, "", nil) common.DelayLogin(nil) } else if err != common.ErrInternalFailure && err != common.ErrNoCredentials { diff --git a/internal/httpd/middleware.go b/internal/httpd/middleware.go index e282916e..fcd51915 100644 --- a/internal/httpd/middleware.go +++ b/internal/httpd/middleware.go @@ -455,7 +455,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope) logger.Debug(logSender, "", "unable to authenticate user %q associated with api key %q: %v", apiUser, apiKey, err) updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}}, - dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err) + dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err, r) code := http.StatusUnauthorized if errors.Is(err, common.ErrInternalFailure) { code = http.StatusInternalServerError @@ -465,7 +465,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope) return } updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}}, - dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil) + dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil, r) } dataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck @@ -529,7 +529,7 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu if username == "" { err := errors.New("the provided key is not associated with any user and no username was provided") updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) return err } if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { @@ -538,27 +538,27 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu user, err := dataprovider.GetUserWithGroupSettings(username, "") if err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) return err } if !user.Filters.AllowAPIKeyAuth { err := fmt.Errorf("API key authentication disabled for user %q", user.Username) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) return err } if err := user.CheckLoginConditions(); err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) return err } connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String()) if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) return err } defer user.CloseFs() //nolint:errcheck err = user.CheckFsRoot(connectionID) if err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) return common.ErrInternalFailure } c := jwtTokenClaims{ @@ -571,12 +571,12 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPIUser, ipAddr) if err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) return err } r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"])) dataprovider.UpdateLastLogin(&user) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil, r) return nil } diff --git a/internal/httpd/oidc.go b/internal/httpd/oidc.go index 1bdaccab..e6248350 100644 --- a/internal/httpd/oidc.go +++ b/internal/httpd/oidc.go @@ -452,26 +452,26 @@ func (t *oidcToken) getUser(r *http.Request) error { user = &u } if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil { - updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err) + updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r) return fmt.Errorf("access denied: %w", err) } if err := user.CheckLoginConditions(); err != nil { - updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err) + updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r) return err } connectionID := fmt.Sprintf("%s_%s", common.ProtocolOIDC, xid.New().String()) if err := checkHTTPClientUser(user, r, connectionID, true); err != nil { - updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err) + updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r) return err } defer user.CloseFs() //nolint:errcheck err = user.CheckFsRoot(connectionID) if err != nil { logger.Warn(logSender, connectionID, "unable to check fs root: %v", err) - updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure, r) return err } - updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil) + updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil, r) dataprovider.UpdateLastLogin(user) t.Permissions = user.Filters.WebClient t.TokenRole = user.Role diff --git a/internal/httpd/server.go b/internal/httpd/server.go index 04597fa2..ae107723 100644 --- a/internal/httpd/server.go +++ b/internal/httpd/server.go @@ -246,34 +246,34 @@ func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Re password := strings.TrimSpace(r.Form.Get("password")) if username == "" || password == "" { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) + dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r) s.renderClientLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) return } if err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF)) } if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message)) return } user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol) if err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) s.renderClientLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) return } connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String()) if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message)) return } @@ -282,7 +282,7 @@ func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Re err = user.CheckFsRoot(connectionID) if err != nil { logger.Warn(logSender, connectionID, "unable to check fs root: %v", err) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorFsGeneric)) return } @@ -408,39 +408,39 @@ func (s *httpdServer) handleWebClientTwoFactorPost(w http.ResponseWriter, r *htt passcode := strings.TrimSpace(r.Form.Get("passcode")) if username == "" || passcode == "" { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) + dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r) s.renderClientTwoFactorPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) return } if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) s.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF)) return } user, err := dataprovider.GetUserWithGroupSettings(username, "") if err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) s.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials)) return } if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) s.renderClientTwoFactorPage(w, r, util.NewI18nError(common.ErrInternalFailure, util.I18n2FADisabled)) return } err = user.Filters.TOTPConfig.Secret.Decrypt() if err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) s.renderClientInternalServerErrorPage(w, r, err) return } match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode, user.Filters.TOTPConfig.Secret.GetPayload()) if !match || err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r) s.renderClientTwoFactorPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) return @@ -754,7 +754,7 @@ func (s *httpdServer) loginUser( err := c.createAndSetCookie(w, r, s.tokenAuth, audience, ipAddr) if err != nil { logger.Warn(logSender, connectionID, "unable to set user login cookie %v", err) - updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) errorFunc(w, r, util.NewI18nError(err, util.I18nError500Message)) return } @@ -767,7 +767,7 @@ func (s *httpdServer) loginUser( http.Redirect(w, r, redirectPath, http.StatusFound) return } - updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, err, r) dataprovider.UpdateLastLogin(user) if next := r.URL.Query().Get("next"); strings.HasPrefix(next, webClientFilesPath) { http.Redirect(w, r, next, http.StatusFound) @@ -833,35 +833,35 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) { protocol := common.ProtocolHTTP if !ok { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) + dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) sendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } if username == "" || password == "" { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) + dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) sendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, - dataprovider.LoginMethodPassword, ipAddr, err) + dataprovider.LoginMethodPassword, ipAddr, err, r) sendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden) return } user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol) if err != nil { w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String()) if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) sendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden) return } @@ -871,14 +871,14 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) { if passcode == "" { logger.Debug(logSender, "", "TOTP enabled for user %q and not passcode provided, authentication refused", user.Username) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r) sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } err = user.Filters.TOTPConfig.Secret.Decrypt() if err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) sendAPIResponse(w, r, fmt.Errorf("unable to decrypt TOTP secret: %w", err), http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } @@ -887,7 +887,7 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) { if !match || err != nil { logger.Debug(logSender, "invalid passcode for user %q, match? %v, err: %v", user.Username, match, err) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r) sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return @@ -898,7 +898,7 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) { err = user.CheckFsRoot(connectionID) if err != nil { logger.Warn(logSender, connectionID, "unable to check fs root: %v", err) - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } @@ -919,11 +919,11 @@ func (s *httpdServer) generateAndSendUserToken(w http.ResponseWriter, r *http.Re resp, err := c.createTokenResponse(s.tokenAuth, tokenAudienceAPIUser, ipAddr) if err != nil { - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r) sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } - updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) + updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r) dataprovider.UpdateLastLogin(&user) render.JSON(w, r, resp) diff --git a/internal/logger/logger.go b/internal/logger/logger.go index 853c7f09..629236dd 100644 --- a/internal/logger/logger.go +++ b/internal/logger/logger.go @@ -268,6 +268,26 @@ func ConnectionFailedLog(user, ip, loginType, protocol, errorString string) { Send() } +// LoginLog logs successful logins. +func LoginLog(user, ip, loginMethod, protocol, connectionID, clientVersion string, encrypted bool, info string) { + ev := logger.Info() + ev.Timestamp(). + Str("sender", "login"). + Str("ip", ip). + Str("username", user). + Str("method", loginMethod). + Str("protocol", protocol) + if connectionID != "" { + ev.Str("connection_id", connectionID) + } + ev.Str("client", clientVersion). + Bool("encrypted", encrypted) + if info != "" { + ev.Str("info", info) + } + ev.Send() +} + func isLogFilePathValid(logFilePath string) bool { cleanInput := filepath.Clean(logFilePath) if cleanInput == "." || cleanInput == ".." { diff --git a/internal/sftpd/server.go b/internal/sftpd/server.go index e201d566..e88454ea 100644 --- a/internal/sftpd/server.go +++ b/internal/sftpd/server.go @@ -609,10 +609,10 @@ func (c *Configuration) AcceptInboundConnection(conn net.Conn, config *ssh.Serve return } - logger.Log(logger.LevelInfo, common.ProtocolSSH, connectionID, - "User %q logged in with %q, from ip %q, client version %q, negotiated algorithms: %+v", - user.Username, loginType, ipAddr, util.BytesToString(sconn.ClientVersion()), - sconn.Conn.(ssh.AlgorithmsConnMetadata).Algorithms()) + logger.LoginLog(user.Username, ipAddr, loginType, common.ProtocolSSH, connectionID, + util.BytesToString(sconn.ClientVersion()), true, + fmt.Sprintf("negotiated algorithms: %+v", sconn.Conn.(ssh.AlgorithmsConnMetadata).Algorithms())) + dataprovider.UpdateLastLogin(&user) sshConnection := common.NewSSHConnection(connectionID, conn) diff --git a/internal/webdavd/server.go b/internal/webdavd/server.go index b271af49..de99490f 100644 --- a/internal/webdavd/server.go +++ b/internal/webdavd/server.go @@ -210,7 +210,7 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { if err != nil { // remove the cached user, we have not yet validated its filesystem dataprovider.RemoveCachedWebDAVUser(user.Username) - updateLoginMetrics(&user, ipAddr, loginMethod, err) + updateLoginMetrics(&user, ipAddr, loginMethod, err, r) http.Error(w, err.Error(), http.StatusForbidden) return } @@ -223,7 +223,7 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { if err != nil { errClose := user.CloseFs() logger.Warn(logSender, connectionID, "unable to check fs root: %v close fs error: %v", err, errClose) - updateLoginMetrics(&user, ipAddr, loginMethod, common.ErrInternalFailure) + updateLoginMetrics(&user, ipAddr, loginMethod, common.ErrInternalFailure, r) http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -236,13 +236,13 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { if err = common.Connections.Add(connection); err != nil { errClose := user.CloseFs() logger.Warn(logSender, connectionID, "unable add connection: %v close fs error: %v", err, errClose) - updateLoginMetrics(&user, ipAddr, loginMethod, err) + updateLoginMetrics(&user, ipAddr, loginMethod, err, r) http.Error(w, err.Error(), http.StatusTooManyRequests) return } defer common.Connections.Remove(connection.GetID()) - updateLoginMetrics(&user, ipAddr, loginMethod, err) + updateLoginMetrics(&user, ipAddr, loginMethod, err, r) ctx := context.WithValue(r.Context(), requestIDKey, connectionID) ctx = context.WithValue(ctx, requestStartKey, time.Now()) @@ -319,7 +319,7 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us dataprovider.CacheWebDAVUser(cachedUser) return cachedUser.User, false, cachedUser.LockSystem, loginMethod, nil } - updateLoginMetrics(&cachedUser.User, ip, loginMethod, dataprovider.ErrInvalidCredentials) + updateLoginMetrics(&cachedUser.User, ip, loginMethod, dataprovider.ErrInvalidCredentials, r) return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials } } @@ -327,7 +327,7 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us common.ProtocolWebDAV, tlsCert) if err != nil { user.Username = username - updateLoginMetrics(&user, ip, loginMethod, err) + updateLoginMetrics(&user, ip, loginMethod, err, r) return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials } lockSystem := webdav.NewMemLS() @@ -438,9 +438,10 @@ func writeLog(r *http.Request, status int, err error) { Send() } -func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) { +func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, r *http.Request) { metric.AddLoginAttempt(loginMethod) if err == nil { + logger.LoginLog(user.Username, ip, loginMethod, common.ProtocolWebDAV, "", r.UserAgent(), r.TLS != nil, "") plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolWebDAV, user.Username, ip, "", nil) common.DelayLogin(nil) } else if err != common.ErrInternalFailure && err != common.ErrNoCredentials {