diff --git a/zmsadmin/src/Zmsadmin/Oidc.php b/zmsadmin/src/Zmsadmin/Oidc.php
index 7c66af9bf..b11e65462 100644
--- a/zmsadmin/src/Zmsadmin/Oidc.php
+++ b/zmsadmin/src/Zmsadmin/Oidc.php
@@ -19,22 +19,96 @@ public function readResponse(
 \Psr\Http\Message\ResponseInterface $response,
 array $args
 ) {
- if ($request->getParam("state") == \BO\Zmsclient\Auth::getKey()) {
- $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity();
- if (0 == $workstation->getUseraccount()->getDepartmentList()->count()) {
- return \BO\Slim\Render::redirect(
- 'index',
- [],
- [
- 'oidclogin' => true
- ]
- );
+ try {
+ $state = $request->getParam("state");
+ $authKey = \BO\Zmsclient\Auth::getKey();
+
+ // Log state validation attempt
+ error_log(json_encode([
+ 'event' => 'oauth_state_validation',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsadmin',
+ 'state_match' => ($state == $authKey)
+ ]));
+
+ if ($state == $authKey) {
+ try {
+ $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity();
+ $username = $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider();
+
+ // Log workstation access with username
+ error_log(json_encode([
+ 'event' => 'oauth_workstation_access',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsadmin',
+ 'username' => $username,
+ 'workstation_id' => $workstation->id ?? 'unknown'
+ ]));
+
+ $departmentCount = $workstation->getUseraccount()->getDepartmentList()->count();
+
+ // Log department check with username
+ error_log(json_encode([
+ 'event' => 'oauth_department_check',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsadmin',
+ 'username' => $username,
+ 'department_count' => $departmentCount,
+ 'has_departments' => ($departmentCount > 0)
+ ]));
+
+ if (0 == $departmentCount) {
+ return \BO\Slim\Render::redirect(
+ 'index',
+ [],
+ [
+ 'oidclogin' => true
+ ]
+ );
+ }
+ return \BO\Slim\Render::redirect(
+ 'workstationSelect',
+ [],
+ []
+ );
+ } catch (\Exception $e) {
+ // Log workstation access error
+ error_log(json_encode([
+ 'event' => 'oauth_workstation_error',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsadmin',
+ 'error' => $e->getMessage(),
+ 'code' => $e->getCode()
+ ]));
+ throw $e;
+ }
 }
- return \BO\Slim\Render::redirect(
- 'workstationSelect',
- [],
- []
- );
+
+ // Log invalid state
+ error_log(json_encode([
+ 'event' => 'oauth_invalid_state',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsadmin'
+ ]));
+
+ throw new \BO\Slim\Exception\OAuthInvalid();
+
+ } catch (\Exception $e) {
+ // Log any uncaught exceptions
+ error_log(json_encode([
+ 'event' => 'oauth_error',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsadmin',
+ 'error' => $e->getMessage(),
+ 'code' => $e->getCode()
+ ]));
+ throw $e;
 }
 }
 }
diff --git a/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php b/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php
index 69ee50699..b0920aa23 100644
--- a/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php
+++ b/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php
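Review bot: `if ($state == $authKey)` compares the caller-supplied `state` parameter with the stored key by loose equality, so two nulls (no parameter and no stored key, if `Auth::getKey()` can return null) compare equal and numeric-looking strings are compared as numbers; a strict, constant-time check such as `if (is_string($state) && is_string($authKey) && hash_equals($authKey, $state)) {` (with the same expression for the logged `state_match`) closes both. The inner `catch (\Exception $e)` logs `oauth_workstation_error` and rethrows into the outer `catch`, which logs the same exception again as `oauth_error`, and the `OAuthInvalid` thrown for a bad state is likewise logged twice (`oauth_invalid_state`, then `oauth_error`); one entry per outcome is enough, so the outer try/catch can go. None of the `json_encode` calls pass `JSON_THROW_ON_ERROR` or `JSON_INVALID_UTF8_SUBSTITUTE`, so an exception message containing invalid UTF-8 turns the whole audit line into an empty `error_log` call. The identical change in zmsstatistic/src/Zmsstatistic/Oidc.php has the same three issues.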
@@ -86,10 +86,10 @@ private function getOptionsFromJsonFile()
 $realmData = $this->getBasicOptionsFromJsonFile();
 $realmData['clientSecret'] = $config_data['credentials']['secret'];
 $realmData['authServerUrl'] = $config_data['auth-server-url'];
- $realmData['verify'] = $config_data['ssl-verify'];
+ $realmData['verify'] = $config_data['ssl-verify'] ?? true;
 return $realmData;
 }
-
+
 public function getBasicOptionsFromJsonFile()
 {
 $config_data = file_get_contents(\App::APP_PATH . '/'. static::PROVIDERNAME .'.json');
diff --git a/zmsstatistic/src/Zmsstatistic/Oidc.php b/zmsstatistic/src/Zmsstatistic/Oidc.php
index 329cfed5c..a62148946 100644
--- a/zmsstatistic/src/Zmsstatistic/Oidc.php
+++ b/zmsstatistic/src/Zmsstatistic/Oidc.php
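Review bot: `$config_data['ssl-verify'] ?? true` turns TLS verification on when the key is missing, but an explicit `false` in the JSON still disables certificate checking against the Keycloak server without any trace, and a non-boolean value is stored in the options as-is. A one-line warning next to the assignment makes the weakened configuration visible, e.g. `if ($realmData['verify'] === false) { error_log('Keycloak provider ' . static::PROVIDERNAME . ': ssl-verify is disabled'); }`; if `verify` may also hold a CA-bundle path, keep the check to `=== false`. `$config_data` is used here but assigned before the hunk, and getOptionsFromJsonFile() starts outside it.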
@@ -14,27 +14,101 @@ class Oidc extends BaseController
 * @SuppressWarnings(Param)
 * @return \Psr\Http\Message\ResponseInterface
 */
- public function readResponse(
+public function readResponse(
 \Psr\Http\Message\RequestInterface $request,
 \Psr\Http\Message\ResponseInterface $response,
 array $args
 ) {
- if ($request->getParam("state") == \BO\Zmsclient\Auth::getKey()) {
- $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity();
- if (0 == $workstation->getUseraccount()->getDepartmentList()->count()) {
- return \BO\Slim\Render::redirect(
- 'index',
- [],
- [
- 'oidclogin' => true
- ]
- );
+ try {
+ $state = $request->getParam("state");
+ $authKey = \BO\Zmsclient\Auth::getKey();
+
+ // Log state validation attempt
+ error_log(json_encode([
+ 'event' => 'oauth_state_validation',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsstatistic',
+ 'state_match' => ($state == $authKey)
+ ]));
+
+ if ($state == $authKey) {
+ try {
+ $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity();
+ $username = $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider();
+
+ // Log workstation access with username
+ error_log(json_encode([
+ 'event' => 'oauth_workstation_access',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsstatistic',
+ 'username' => $username,
+ 'workstation_id' => $workstation->id ?? 'unknown'
+ ]));
+
+ $departmentCount = $workstation->getUseraccount()->getDepartmentList()->count();
+
+ // Log department check with username
+ error_log(json_encode([
+ 'event' => 'oauth_department_check',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsstatistic',
+ 'username' => $username,
+ 'department_count' => $departmentCount,
+ 'has_departments' => ($departmentCount > 0)
+ ]));
+
+ if (0 == $departmentCount) {
+ return \BO\Slim\Render::redirect(
+ 'index',
+ [],
+ [
+ 'oidclogin' => true
+ ]
+ );
+ }
+ return \BO\Slim\Render::redirect(
+ 'workstationSelect',
+ [],
+ []
+ );
+ } catch (\Exception $e) {
+ // Log workstation access error
+ error_log(json_encode([
+ 'event' => 'oauth_workstation_error',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsstatistic',
+ 'error' => $e->getMessage(),
+ 'code' => $e->getCode()
+ ]));
+ throw $e;
+ }
 }
- return \BO\Slim\Render::redirect(
- 'workstationSelect',
- [],
- []
- );
+
+ // Log invalid state
+ error_log(json_encode([
+ 'event' => 'oauth_invalid_state',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsstatistic'
+ ]));
+
+ throw new \BO\Slim\Exception\OAuthInvalid();
+
+ } catch (\Exception $e) {
+ // Log any uncaught exceptions
+ error_log(json_encode([
+ 'event' => 'oauth_error',
+ 'timestamp' => date('c'),
+ 'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
+ 'application' => 'zmsstatistic',
+ 'error' => $e->getMessage(),
+ 'code' => $e->getCode()
+ ]));
+ throw $e;
 }
 }
 }
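Review bot: The replacement signature line `+public function readResponse(` has lost the method indentation that the removed `- public function readResponse(` line had, so `readResponse` now sits at column 0 inside `class Oidc extends BaseController`; restore `    public function readResponse(` so it lines up with the docblock above it. Apart from the `'application'` value, this hunk is a line-for-line copy of the zmsadmin/src/Zmsadmin/Oidc.php change, so the loose state comparison, the double logging and the unflagged `json_encode` calls raised there apply here unchanged. Since both controllers extend `BaseController`, the guarded and logged flow is a candidate for a single shared implementation taking the application name as a parameter (whether that base class is shared between the two packages is not visible in this diff). The docblock that opens the method starts before the hunk.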