Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-07 14:50:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

logs: add a specific log structure for successful logins

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2024-12-07 10:29:33 +01:00
parent f8bdb84e8d
commit e21c989038
8 changed files with 81 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
internal/ftpd/server.go
View File

@@ -188,20 +188,18 @@ func (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string)
user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolFTP) user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolFTP)
if err != nil { if err != nil {
user.Username = username user.Username = username
updateLoginMetrics(&user, ipAddr, loginMethod, err) updateLoginMetrics(&user, ipAddr, loginMethod, err, nil)
return nil, dataprovider.ErrInvalidCredentials return nil, dataprovider.ErrInvalidCredentials
} }
connection, err := s.validateUser(user, cc, loginMethod) connection, err := s.validateUser(user, cc, loginMethod)
defer updateLoginMetrics(&user, ipAddr, loginMethod, err) defer updateLoginMetrics(&user, ipAddr, loginMethod, err, connection)
if err != nil { if err != nil {
return nil, err return nil, err
} }
setStartDirectory(user.Filters.StartDirectory, cc) setStartDirectory(user.Filters.StartDirectory, cc)
connection.Log(logger.LevelInfo, "User %q logged in with %q from ip %q, TLS enabled? %t",
user.Username, loginMethod, ipAddr, cc.HasTLSForControl())
dataprovider.UpdateLastLogin(&user) dataprovider.UpdateLastLogin(&user)
return connection, nil return connection, nil
} }
@@ -246,7 +244,7 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo
dbUser, err := dataprovider.CheckUserBeforeTLSAuth(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0]) dbUser, err := dataprovider.CheckUserBeforeTLSAuth(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0])
if err != nil { if err != nil {
dbUser.Username = user dbUser.Username = user
updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err) updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, nil)
return nil, dataprovider.ErrInvalidCredentials return nil, dataprovider.ErrInvalidCredentials
} }
if dbUser.IsTLSVerificationEnabled() { if dbUser.IsTLSVerificationEnabled() {
@@ -260,14 +258,12 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo
if dbUser.IsLoginMethodAllowed(dataprovider.LoginMethodTLSCertificate, common.ProtocolFTP) { if dbUser.IsLoginMethodAllowed(dataprovider.LoginMethodTLSCertificate, common.ProtocolFTP) {
connection, err := s.validateUser(dbUser, cc, dataprovider.LoginMethodTLSCertificate) connection, err := s.validateUser(dbUser, cc, dataprovider.LoginMethodTLSCertificate)
defer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err) defer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, connection)
if err != nil { if err != nil {
return nil, err return nil, err
} }
setStartDirectory(dbUser.Filters.StartDirectory, cc) setStartDirectory(dbUser.Filters.StartDirectory, cc)
connection.Log(logger.LevelInfo, "User id: %d, logged in with FTP using a TLS certificate, username: %q, home_dir: %q remote addr: %q",
dbUser.ID, dbUser.Username, dbUser.HomeDir, ipAddr)
dataprovider.UpdateLastLogin(&dbUser) dataprovider.UpdateLastLogin(&dbUser)
return connection, nil return connection, nil
} }
@@ -417,9 +413,11 @@ func setStartDirectory(startDirectory string, cc ftpserver.ClientContext) {
cc.SetPath(startDirectory) cc.SetPath(startDirectory)
} }
func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) { func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, c *Connection) {
metric.AddLoginAttempt(loginMethod) metric.AddLoginAttempt(loginMethod)
if err == nil { if err == nil {
logger.LoginLog(user.Username, ip, loginMethod, common.ProtocolFTP, c.ID, c.GetClientVersion(),
c.clientContext.HasTLSForControl(), "")
plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolFTP, user.Username, ip, "", nil) plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolFTP, user.Username, ip, "", nil)
common.DelayLogin(nil) common.DelayLogin(nil)
} else if err != common.ErrInternalFailure { } else if err != common.ErrInternalFailure {

3
internal/httpd/api_utils.go
View File

@@ -703,7 +703,7 @@ func handleDefenderEventLoginFailed(ipAddr string, err error) error {
return err return err
} }
func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error) { func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error, r *http.Request) {
metric.AddLoginAttempt(loginMethod) metric.AddLoginAttempt(loginMethod)
var protocol string var protocol string
switch loginMethod { switch loginMethod {
@@ -713,6 +713,7 @@ func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err err
protocol = common.ProtocolHTTP protocol = common.ProtocolHTTP
} }
if err == nil { if err == nil {
logger.LoginLog(user.Username, ip, loginMethod, protocol, "", r.UserAgent(), r.TLS != nil, "")
plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, protocol, user.Username, ip, "", nil) plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, protocol, user.Username, ip, "", nil)
common.DelayLogin(nil) common.DelayLogin(nil)
} else if err != common.ErrInternalFailure && err != common.ErrNoCredentials { } else if err != common.ErrInternalFailure && err != common.ErrNoCredentials {

20
internal/httpd/middleware.go
View File

@@ -455,7 +455,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
logger.Debug(logSender, "", "unable to authenticate user %q associated with api key %q: %v", logger.Debug(logSender, "", "unable to authenticate user %q associated with api key %q: %v",
apiUser, apiKey, err) apiUser, apiKey, err)
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},
dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err) dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err, r)
code := http.StatusUnauthorized code := http.StatusUnauthorized
if errors.Is(err, common.ErrInternalFailure) { if errors.Is(err, common.ErrInternalFailure) {
code = http.StatusInternalServerError code = http.StatusInternalServerError
@@ -465,7 +465,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
return return
} }
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},
dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil) dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil, r)
} }
dataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck dataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck
@@ -529,7 +529,7 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu
if username == "" { if username == "" {
err := errors.New("the provided key is not associated with any user and no username was provided") err := errors.New("the provided key is not associated with any user and no username was provided")
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
return err return err
} }
if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {
@@ -538,27 +538,27 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu
user, err := dataprovider.GetUserWithGroupSettings(username, "") user, err := dataprovider.GetUserWithGroupSettings(username, "")
if err != nil { if err != nil {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
return err return err
} }
if !user.Filters.AllowAPIKeyAuth { if !user.Filters.AllowAPIKeyAuth {
err := fmt.Errorf("API key authentication disabled for user %q", user.Username) err := fmt.Errorf("API key authentication disabled for user %q", user.Username)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
return err return err
} }
if err := user.CheckLoginConditions(); err != nil { if err := user.CheckLoginConditions(); err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
return err return err
} }
connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String()) connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String())
if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil { if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
return err return err
} }
defer user.CloseFs() //nolint:errcheck defer user.CloseFs() //nolint:errcheck
err = user.CheckFsRoot(connectionID) err = user.CheckFsRoot(connectionID)
if err != nil { if err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
return common.ErrInternalFailure return common.ErrInternalFailure
} }
c := jwtTokenClaims{ c := jwtTokenClaims{
@@ -571,12 +571,12 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu
resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPIUser, ipAddr) resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPIUser, ipAddr)
if err != nil { if err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
return err return err
} }
r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"])) r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"]))
dataprovider.UpdateLastLogin(&user) dataprovider.UpdateLastLogin(&user)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil, r)
return nil return nil
} }

10
internal/httpd/oidc.go
View File

@@ -452,26 +452,26 @@ func (t *oidcToken) getUser(r *http.Request) error {
user = &u user = &u
} }
if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil { if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil {
updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err) updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)
return fmt.Errorf("access denied: %w", err) return fmt.Errorf("access denied: %w", err)
} }
if err := user.CheckLoginConditions(); err != nil { if err := user.CheckLoginConditions(); err != nil {
updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err) updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)
return err return err
} }
connectionID := fmt.Sprintf("%s_%s", common.ProtocolOIDC, xid.New().String()) connectionID := fmt.Sprintf("%s_%s", common.ProtocolOIDC, xid.New().String())
if err := checkHTTPClientUser(user, r, connectionID, true); err != nil { if err := checkHTTPClientUser(user, r, connectionID, true); err != nil {
updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err) updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)
return err return err
} }
defer user.CloseFs() //nolint:errcheck defer user.CloseFs() //nolint:errcheck
err = user.CheckFsRoot(connectionID) err = user.CheckFsRoot(connectionID)
if err != nil { if err != nil {
logger.Warn(logSender, connectionID, "unable to check fs root: %v", err) logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure) updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure, r)
return err return err
} }
updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil) updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil, r)
dataprovider.UpdateLastLogin(user) dataprovider.UpdateLastLogin(user)
t.Permissions = user.Filters.WebClient t.Permissions = user.Filters.WebClient
t.TokenRole = user.Role t.TokenRole = user.Role

50
internal/httpd/server.go
View File

@@ -246,34 +246,34 @@ func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Re
password := strings.TrimSpace(r.Form.Get("password")) password := strings.TrimSpace(r.Form.Get("password"))
if username == "" || password == "" { if username == "" || password == "" {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)
s.renderClientLoginPage(w, r, s.renderClientLoginPage(w, r,
util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))
return return
} }
if err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil { if err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF)) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
} }
if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message)) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message))
return return
} }
user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol) user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol)
if err != nil { if err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
s.renderClientLoginPage(w, r, s.renderClientLoginPage(w, r,
util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))
return return
} }
connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String()) connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String())
if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil { if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message)) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message))
return return
} }
@@ -282,7 +282,7 @@ func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Re
err = user.CheckFsRoot(connectionID) err = user.CheckFsRoot(connectionID)
if err != nil { if err != nil {
logger.Warn(logSender, connectionID, "unable to check fs root: %v", err) logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorFsGeneric)) s.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorFsGeneric))
return return
} }
@@ -408,39 +408,39 @@ func (s *httpdServer) handleWebClientTwoFactorPost(w http.ResponseWriter, r *htt
passcode := strings.TrimSpace(r.Form.Get("passcode")) passcode := strings.TrimSpace(r.Form.Get("passcode"))
if username == "" || passcode == "" { if username == "" || passcode == "" {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)
s.renderClientTwoFactorPage(w, r, s.renderClientTwoFactorPage(w, r,
util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))
return return
} }
if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil { if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
s.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF)) s.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
return return
} }
user, err := dataprovider.GetUserWithGroupSettings(username, "") user, err := dataprovider.GetUserWithGroupSettings(username, "")
if err != nil { if err != nil {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
s.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials)) s.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials))
return return
} }
if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) { if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
s.renderClientTwoFactorPage(w, r, util.NewI18nError(common.ErrInternalFailure, util.I18n2FADisabled)) s.renderClientTwoFactorPage(w, r, util.NewI18nError(common.ErrInternalFailure, util.I18n2FADisabled))
return return
} }
err = user.Filters.TOTPConfig.Secret.Decrypt() err = user.Filters.TOTPConfig.Secret.Decrypt()
if err != nil { if err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
s.renderClientInternalServerErrorPage(w, r, err) s.renderClientInternalServerErrorPage(w, r, err)
return return
} }
match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode, match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode,
user.Filters.TOTPConfig.Secret.GetPayload()) user.Filters.TOTPConfig.Secret.GetPayload())
if !match || err != nil { if !match || err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r)
s.renderClientTwoFactorPage(w, r, s.renderClientTwoFactorPage(w, r,
util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials)) util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))
return return
@@ -754,7 +754,7 @@ func (s *httpdServer) loginUser(
err := c.createAndSetCookie(w, r, s.tokenAuth, audience, ipAddr) err := c.createAndSetCookie(w, r, s.tokenAuth, audience, ipAddr)
if err != nil { if err != nil {
logger.Warn(logSender, connectionID, "unable to set user login cookie %v", err) logger.Warn(logSender, connectionID, "unable to set user login cookie %v", err)
updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
errorFunc(w, r, util.NewI18nError(err, util.I18nError500Message)) errorFunc(w, r, util.NewI18nError(err, util.I18nError500Message))
return return
} }
@@ -767,7 +767,7 @@ func (s *httpdServer) loginUser(
http.Redirect(w, r, redirectPath, http.StatusFound) http.Redirect(w, r, redirectPath, http.StatusFound)
return return
} }
updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, err, r)
dataprovider.UpdateLastLogin(user) dataprovider.UpdateLastLogin(user)
if next := r.URL.Query().Get("next"); strings.HasPrefix(next, webClientFilesPath) { if next := r.URL.Query().Get("next"); strings.HasPrefix(next, webClientFilesPath) {
http.Redirect(w, r, next, http.StatusFound) http.Redirect(w, r, next, http.StatusFound)
@@ -833,35 +833,35 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) {
protocol := common.ProtocolHTTP protocol := common.ProtocolHTTP
if !ok { if !ok {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)
w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm)
sendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) sendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return return
} }
if username == "" || password == "" { if username == "" || password == "" {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials) dataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)
w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm)
sendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) sendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return return
} }
if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
dataprovider.LoginMethodPassword, ipAddr, err) dataprovider.LoginMethodPassword, ipAddr, err, r)
sendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden) sendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return return
} }
user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol) user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol)
if err != nil { if err != nil {
w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),
http.StatusUnauthorized) http.StatusUnauthorized)
return return
} }
connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String()) connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String())
if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil { if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
sendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden) sendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return return
} }
@@ -871,14 +871,14 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) {
if passcode == "" { if passcode == "" {
logger.Debug(logSender, "", "TOTP enabled for user %q and not passcode provided, authentication refused", user.Username) logger.Debug(logSender, "", "TOTP enabled for user %q and not passcode provided, authentication refused", user.Username)
w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r)
sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),
http.StatusUnauthorized) http.StatusUnauthorized)
return return
} }
err = user.Filters.TOTPConfig.Secret.Decrypt() err = user.Filters.TOTPConfig.Secret.Decrypt()
if err != nil { if err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
sendAPIResponse(w, r, fmt.Errorf("unable to decrypt TOTP secret: %w", err), http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) sendAPIResponse(w, r, fmt.Errorf("unable to decrypt TOTP secret: %w", err), http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return return
} }
@@ -887,7 +887,7 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) {
if !match || err != nil { if !match || err != nil {
logger.Debug(logSender, "invalid passcode for user %q, match? %v, err: %v", user.Username, match, err) logger.Debug(logSender, "invalid passcode for user %q, match? %v, err: %v", user.Username, match, err)
w.Header().Set(common.HTTPAuthenticationHeader, basicRealm) w.Header().Set(common.HTTPAuthenticationHeader, basicRealm)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r)
sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), sendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),
http.StatusUnauthorized) http.StatusUnauthorized)
return return
@@ -898,7 +898,7 @@ func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) {
err = user.CheckFsRoot(connectionID) err = user.CheckFsRoot(connectionID)
if err != nil { if err != nil {
logger.Warn(logSender, connectionID, "unable to check fs root: %v", err) logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return return
} }
@@ -919,11 +919,11 @@ func (s *httpdServer) generateAndSendUserToken(w http.ResponseWriter, r *http.Re
resp, err := c.createTokenResponse(s.tokenAuth, tokenAudienceAPIUser, ipAddr) resp, err := c.createTokenResponse(s.tokenAuth, tokenAudienceAPIUser, ipAddr)
if err != nil { if err != nil {
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return return
} }
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err) updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
dataprovider.UpdateLastLogin(&user) dataprovider.UpdateLastLogin(&user)
render.JSON(w, r, resp) render.JSON(w, r, resp)

20
internal/logger/logger.go
View File

@@ -268,6 +268,26 @@ func ConnectionFailedLog(user, ip, loginType, protocol, errorString string) {
Send() Send()
} }
// LoginLog logs successful logins.
func LoginLog(user, ip, loginMethod, protocol, connectionID, clientVersion string, encrypted bool, info string) {
ev := logger.Info()
ev.Timestamp().
Str("sender", "login").
Str("ip", ip).
Str("username", user).
Str("method", loginMethod).
Str("protocol", protocol)
if connectionID != "" {
ev.Str("connection_id", connectionID)
}
ev.Str("client", clientVersion).
Bool("encrypted", encrypted)
if info != "" {
ev.Str("info", info)
}
ev.Send()
}
func isLogFilePathValid(logFilePath string) bool { func isLogFilePathValid(logFilePath string) bool {
cleanInput := filepath.Clean(logFilePath) cleanInput := filepath.Clean(logFilePath)
if cleanInput == "." || cleanInput == ".." { if cleanInput == "." || cleanInput == ".." {

8
internal/sftpd/server.go
View File

@@ -609,10 +609,10 @@ func (c *Configuration) AcceptInboundConnection(conn net.Conn, config *ssh.Serve
return return
} }
logger.Log(logger.LevelInfo, common.ProtocolSSH, connectionID, logger.LoginLog(user.Username, ipAddr, loginType, common.ProtocolSSH, connectionID,
"User %q logged in with %q, from ip %q, client version %q, negotiated algorithms: %+v", util.BytesToString(sconn.ClientVersion()), true,
user.Username, loginType, ipAddr, util.BytesToString(sconn.ClientVersion()), fmt.Sprintf("negotiated algorithms: %+v", sconn.Conn.(ssh.AlgorithmsConnMetadata).Algorithms()))
sconn.Conn.(ssh.AlgorithmsConnMetadata).Algorithms())
dataprovider.UpdateLastLogin(&user) dataprovider.UpdateLastLogin(&user)
sshConnection := common.NewSSHConnection(connectionID, conn) sshConnection := common.NewSSHConnection(connectionID, conn)

15
internal/webdavd/server.go
View File

@@ -210,7 +210,7 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
// remove the cached user, we have not yet validated its filesystem // remove the cached user, we have not yet validated its filesystem
dataprovider.RemoveCachedWebDAVUser(user.Username) dataprovider.RemoveCachedWebDAVUser(user.Username)
updateLoginMetrics(&user, ipAddr, loginMethod, err) updateLoginMetrics(&user, ipAddr, loginMethod, err, r)
http.Error(w, err.Error(), http.StatusForbidden) http.Error(w, err.Error(), http.StatusForbidden)
return return
} }
@@ -223,7 +223,7 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
errClose := user.CloseFs() errClose := user.CloseFs()
logger.Warn(logSender, connectionID, "unable to check fs root: %v close fs error: %v", err, errClose) logger.Warn(logSender, connectionID, "unable to check fs root: %v close fs error: %v", err, errClose)
updateLoginMetrics(&user, ipAddr, loginMethod, common.ErrInternalFailure) updateLoginMetrics(&user, ipAddr, loginMethod, common.ErrInternalFailure, r)
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
return return
} }
@@ -236,13 +236,13 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if err = common.Connections.Add(connection); err != nil { if err = common.Connections.Add(connection); err != nil {
errClose := user.CloseFs() errClose := user.CloseFs()
logger.Warn(logSender, connectionID, "unable add connection: %v close fs error: %v", err, errClose) logger.Warn(logSender, connectionID, "unable add connection: %v close fs error: %v", err, errClose)
updateLoginMetrics(&user, ipAddr, loginMethod, err) updateLoginMetrics(&user, ipAddr, loginMethod, err, r)
http.Error(w, err.Error(), http.StatusTooManyRequests) http.Error(w, err.Error(), http.StatusTooManyRequests)
return return
} }
defer common.Connections.Remove(connection.GetID()) defer common.Connections.Remove(connection.GetID())
updateLoginMetrics(&user, ipAddr, loginMethod, err) updateLoginMetrics(&user, ipAddr, loginMethod, err, r)
ctx := context.WithValue(r.Context(), requestIDKey, connectionID) ctx := context.WithValue(r.Context(), requestIDKey, connectionID)
ctx = context.WithValue(ctx, requestStartKey, time.Now()) ctx = context.WithValue(ctx, requestStartKey, time.Now())
@@ -319,7 +319,7 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us
dataprovider.CacheWebDAVUser(cachedUser) dataprovider.CacheWebDAVUser(cachedUser)
return cachedUser.User, false, cachedUser.LockSystem, loginMethod, nil return cachedUser.User, false, cachedUser.LockSystem, loginMethod, nil
} }
updateLoginMetrics(&cachedUser.User, ip, loginMethod, dataprovider.ErrInvalidCredentials) updateLoginMetrics(&cachedUser.User, ip, loginMethod, dataprovider.ErrInvalidCredentials, r)
return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials
} }
} }
@@ -327,7 +327,7 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us
common.ProtocolWebDAV, tlsCert) common.ProtocolWebDAV, tlsCert)
if err != nil { if err != nil {
user.Username = username user.Username = username
updateLoginMetrics(&user, ip, loginMethod, err) updateLoginMetrics(&user, ip, loginMethod, err, r)
return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials
} }
lockSystem := webdav.NewMemLS() lockSystem := webdav.NewMemLS()
@@ -438,9 +438,10 @@ func writeLog(r *http.Request, status int, err error) {
Send() Send()
} }
func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) { func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, r *http.Request) {
metric.AddLoginAttempt(loginMethod) metric.AddLoginAttempt(loginMethod)
if err == nil { if err == nil {
logger.LoginLog(user.Username, ip, loginMethod, common.ProtocolWebDAV, "", r.UserAgent(), r.TLS != nil, "")
plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolWebDAV, user.Username, ip, "", nil) plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolWebDAV, user.Username, ip, "", nil)
common.DelayLogin(nil) common.DelayLogin(nil)
} else if err != common.ErrInternalFailure && err != common.ErrNoCredentials { } else if err != common.ErrInternalFailure && err != common.ErrNoCredentials {