From c476a6210264387a608a772b21e7d84e9bc815fa Mon Sep 17 00:00:00 2001 From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com> Date: Tue, 21 Jan 2025 10:18:42 +0100 Subject: [PATCH 1/6] hotfix(ZMS): Add more logging to oauth login (#781) * Update README.md * fix(ZMS): Add more logging to OAuthMiddleware.php * fix(ZMS): Add logging to Oidc.php * fix(ZMS): Add logging to Oidc.php * fix(ZMS): Add logging to Oidc.php --- zmsadmin/src/Zmsadmin/Oidc.php | 100 ++++++++++++++--- .../src/Slim/Middleware/OAuthMiddleware.php | 60 +++++++++-- zmsstatistic/src/Zmsstatistic/Oidc.php | 101 +++++++++++++++--- 3 files changed, 224 insertions(+), 37 deletions(-) diff --git a/zmsadmin/src/Zmsadmin/Oidc.php b/zmsadmin/src/Zmsadmin/Oidc.php index 7c66af9bf..b59f01861 100644 --- a/zmsadmin/src/Zmsadmin/Oidc.php +++ b/zmsadmin/src/Zmsadmin/Oidc.php 
@@ -19,22 +19,92 @@ public function readResponse( \Psr\Http\Message\ResponseInterface $response, array $args ) { - if ($request->getParam("state") == \BO\Zmsclient\Auth::getKey()) { - $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); - if (0 == $workstation->getUseraccount()->getDepartmentList()->count()) { - return \BO\Slim\Render::redirect( - 'index', - [], - [ - 'oidclogin' => true - ] - ); + try { + $state = $request->getParam("state"); + $authKey = \BO\Zmsclient\Auth::getKey(); + + // Log state validation attempt + error_log(json_encode([ + 'event' => 'oauth_state_validation', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsadmin', + 'state_match' => ($state == $authKey) + ])); + + if ($state == $authKey) { + try { + $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); + + // Log workstation access + error_log(json_encode([ + 'event' => 'oauth_workstation_access', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsadmin', + 'workstation_id' => $workstation->id ?? 
'unknown' + ])); + + $departmentCount = $workstation->getUseraccount()->getDepartmentList()->count(); + + // Log department check + error_log(json_encode([ + 'event' => 'oauth_department_check', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsadmin', + 'department_count' => $departmentCount, + 'has_departments' => ($departmentCount > 0) + ])); + + if (0 == $departmentCount) { + return \BO\Slim\Render::redirect( + 'index', + [], + [ + 'oidclogin' => true + ] + ); + } + return \BO\Slim\Render::redirect( + 'workstationSelect', + [], + [] + ); + } catch (\Exception $e) { + // Log workstation access error + error_log(json_encode([ + 'event' => 'oauth_workstation_error', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsadmin', + 'error' => $e->getMessage(), + 'code' => $e->getCode() + ])); + throw $e; + } } - return \BO\Slim\Render::redirect( - 'workstationSelect', - [], - [] - ); + + // Log invalid state + error_log(json_encode([ + 'event' => 'oauth_invalid_state', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider() + ])); + + throw new \BO\Slim\Exception\OAuthInvalid(); + + } catch (\Exception $e) { + // Log any uncaught exceptions + error_log(json_encode([ + 'event' => 'oauth_error', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsadmin', + 'error' => $e->getMessage(), + 'code' => $e->getCode() + ])); + throw $e; } } } diff --git a/zmsslim/src/Slim/Middleware/OAuthMiddleware.php b/zmsslim/src/Slim/Middleware/OAuthMiddleware.php index e799817ec..8d9a6840c 100644 --- a/zmsslim/src/Slim/Middleware/OAuthMiddleware.php +++ b/zmsslim/src/Slim/Middleware/OAuthMiddleware.php 
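Review bot: The state check on the new side still uses loose comparison, `if ($state == $authKey)` (and the `state_match` value logged just above it), which in PHP compares numeric-looking strings numerically and treats a missing `state` (null) as equal to an empty stored key; compare the CSRF token with `hash_equals((string) $authKey, (string) $state)` and log that result instead. The strict `!==` in OAuthMiddleware::handleLogin normally rejects a mismatch before this controller runs, but the controller's own check should not be weaker than the middleware's. The invalid-state path is also logged twice: once as `oauth_invalid_state` and again as `oauth_error` when the outer catch sees the `OAuthInvalid` it just threw — re-throw `OAuthInvalid` past the outer catch, or narrow that catch. readResponse's signature begins outside the hunk.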
@@ -72,26 +72,72 @@ public function __invoke( private function handleLogin(ServerRequestInterface $request, ResponseInterface $response, $instance, $next) { if (! $request->getParam("code") && '' == \BO\Zmsclient\Auth::getKey()) { + // Log initial OAuth request + \App::$log->info('OAuth login initiated', [ + 'provider' => $request->getQueryParams()['provider'] ?? \BO\Zmsclient\Auth::getOidcProvider(), + 'event' => 'oauth_login_start' + ]); return $response->withRedirect($this->getAuthUrl($request, $instance), 301); } elseif ($request->getParam("state") !== \BO\Zmsclient\Auth::getKey()) { + // Log invalid state parameter + \App::$log->warning('OAuth state mismatch', [ + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'event' => 'oauth_state_mismatch' + ]); \BO\Zmsclient\Auth::removeKey(); \BO\Zmsclient\Auth::removeOidcProvider(); return $response->withRedirect($this->getAuthUrl($request, $instance), 301); } + if ('login' == $request->getAttribute('authentificationHandler')) { - $instance->doLogin($request, $response); - $response = $next->handle($request); - return $response; + try { + // Attempt login + $instance->doLogin($request, $response); + + // Log successful login with username + $resourceOwner = $instance->getProvider()->getResourceOwner($instance->getAccessToken()); + \App::$log->info('OAuth login successful', [ + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'username' => $resourceOwner->getUsername(), + 'event' => 'oauth_login_success' + ]); + + $response = $next->handle($request); + return $response; + } catch (\Exception $e) { + // Log login failures with details + \App::$log->error('OAuth login failed', [ + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'error' => $e->getMessage(), + 'error_code' => $e->getCode(), + 'event' => 'oauth_login_error' + ]); + throw $e; + } } return $response; } private function handleLogout(ServerRequestInterface $request, ResponseInterface $response, $instance) { - if ('logout' == 
$request->getAttribute('authentificationHandler') && - ! $request->getParam('state') - ) { - return $instance->doLogout($response); + if ('logout' == $request->getAttribute('authentificationHandler') && ! $request->getParam('state')) { + try { + // Log logout event + $resourceOwner = $instance->getProvider()->getResourceOwner($instance->getAccessToken()); + \App::$log->info('OAuth logout', [ + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'username' => $resourceOwner->getUsername(), + 'event' => 'oauth_logout' + ]); + return $instance->doLogout($response); + } catch (\Exception $e) { + \App::$log->error('OAuth logout failed', [ + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'error' => $e->getMessage(), + 'event' => 'oauth_logout_error' + ]); + throw $e; + } } return $response; } diff --git a/zmsstatistic/src/Zmsstatistic/Oidc.php b/zmsstatistic/src/Zmsstatistic/Oidc.php index 329cfed5c..0650ba3fc 100644 --- a/zmsstatistic/src/Zmsstatistic/Oidc.php +++ b/zmsstatistic/src/Zmsstatistic/Oidc.php 
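Review bot: A failure in the post-login username lookup is reported as a login failure: `$instance->getProvider()->getResourceOwner($instance->getAccessToken())` runs after `doLogin` has already completed, so a network error to the IdP or a rejected token request is caught by the same `catch`, logged as `oauth_login_error` and re-thrown, turning a login that succeeded into a failure. Logging should not change the authentication outcome — wrap the lookup in its own try/catch and write `OAuth login successful` without a username when it fails, or have `doLogin` expose the resource owner it already resolved. handleLogout has the same shape, with the lookup running before `doLogout`, so a thrown exception there leaves the session intact. KeycloakInstance is not in this diff, so confirm what `getAccessToken()` does when called with no authorization code; if it re-exchanges a single-use code, this lookup will fail on every login.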
@@ -19,22 +19,93 @@ public function readResponse( \Psr\Http\Message\ResponseInterface $response, array $args ) { - if ($request->getParam("state") == \BO\Zmsclient\Auth::getKey()) { - $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); - if (0 == $workstation->getUseraccount()->getDepartmentList()->count()) { - return \BO\Slim\Render::redirect( - 'index', - [], - [ - 'oidclogin' => true - ] - ); + try { + $state = $request->getParam("state"); + $authKey = \BO\Zmsclient\Auth::getKey(); + + // Log state validation attempt + error_log(json_encode([ + 'event' => 'oauth_state_validation', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsstatistic', + 'state_match' => ($state == $authKey) + ])); + + if ($state == $authKey) { + try { + $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); + + // Log workstation access + error_log(json_encode([ + 'event' => 'oauth_workstation_access', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsstatistic', + 'workstation_id' => $workstation->id ?? 
'unknown' + ])); + + $departmentCount = $workstation->getUseraccount()->getDepartmentList()->count(); + + // Log department check + error_log(json_encode([ + 'event' => 'oauth_department_check', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsstatistic', + 'department_count' => $departmentCount, + 'has_departments' => ($departmentCount > 0) + ])); + + if (0 == $departmentCount) { + return \BO\Slim\Render::redirect( + 'index', + [], + [ + 'oidclogin' => true + ] + ); + } + return \BO\Slim\Render::redirect( + 'workstationSelect', + [], + [] + ); + } catch (\Exception $e) { + // Log workstation access error + error_log(json_encode([ + 'event' => 'oauth_workstation_error', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsstatistic', + 'error' => $e->getMessage(), + 'code' => $e->getCode() + ])); + throw $e; + } } - return \BO\Slim\Render::redirect( - 'workstationSelect', - [], - [] - ); + + // Log invalid state + error_log(json_encode([ + 'event' => 'oauth_invalid_state', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsstatistic' + ])); + + throw new \BO\Slim\Exception\OAuthInvalid(); + + } catch (\Exception $e) { + // Log any uncaught exceptions + error_log(json_encode([ + 'event' => 'oauth_error', + 'timestamp' => date('c'), + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'application' => 'zmsstatistic', + 'error' => $e->getMessage(), + 'code' => $e->getCode() + ])); + throw $e; } } } From 439b31b170be63076281d06ce17c3532b983a305 Mon Sep 17 00:00:00 2001 From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com> Date: Tue, 21 Jan 2025 10:30:55 +0100 Subject: [PATCH 2/6] fix(ZMS): revert add logging OAuthMiddleware.php --- .../src/Slim/Middleware/OAuthMiddleware.php | 60 +++---------------- 1 file changed, 7 insertions(+), 53 deletions(-) 
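Review bot: This is a near-verbatim copy of the zmsadmin readResponse, differing only in the `'application'` string, and it carries the same loose `==` state comparison; a shared implementation in zmsslim taking the application name as a parameter would keep both checks identical and let one fix cover both apps. Until then, use `hash_equals((string) $authKey, (string) $state)` here as well. The `oauth_error` entry includes `$e->getMessage()` from the HTTP client — if that message can embed an upstream response body, confirm it cannot carry a token before these lines are shipped to a central log. readResponse's signature begins outside the hunk.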
diff --git a/zmsslim/src/Slim/Middleware/OAuthMiddleware.php b/zmsslim/src/Slim/Middleware/OAuthMiddleware.php index 8d9a6840c..e799817ec 100644 --- a/zmsslim/src/Slim/Middleware/OAuthMiddleware.php +++ b/zmsslim/src/Slim/Middleware/OAuthMiddleware.php 
@@ -72,72 +72,26 @@ public function __invoke( private function handleLogin(ServerRequestInterface $request, ResponseInterface $response, $instance, $next) { if (! $request->getParam("code") && '' == \BO\Zmsclient\Auth::getKey()) { - // Log initial OAuth request - \App::$log->info('OAuth login initiated', [ - 'provider' => $request->getQueryParams()['provider'] ?? \BO\Zmsclient\Auth::getOidcProvider(), - 'event' => 'oauth_login_start' - ]); return $response->withRedirect($this->getAuthUrl($request, $instance), 301); } elseif ($request->getParam("state") !== \BO\Zmsclient\Auth::getKey()) { - // Log invalid state parameter - \App::$log->warning('OAuth state mismatch', [ - 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'event' => 'oauth_state_mismatch' - ]); \BO\Zmsclient\Auth::removeKey(); \BO\Zmsclient\Auth::removeOidcProvider(); return $response->withRedirect($this->getAuthUrl($request, $instance), 301); } - if ('login' == $request->getAttribute('authentificationHandler')) { - try { - // Attempt login - $instance->doLogin($request, $response); - - // Log successful login with username - $resourceOwner = $instance->getProvider()->getResourceOwner($instance->getAccessToken()); - \App::$log->info('OAuth login successful', [ - 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'username' => $resourceOwner->getUsername(), - 'event' => 'oauth_login_success' - ]); - - $response = $next->handle($request); - return $response; - } catch (\Exception $e) { - // Log login failures with details - \App::$log->error('OAuth login failed', [ - 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'error' => $e->getMessage(), - 'error_code' => $e->getCode(), - 'event' => 'oauth_login_error' - ]); - throw $e; - } + $instance->doLogin($request, $response); + $response = $next->handle($request); + return $response; } return $response; } private function handleLogout(ServerRequestInterface $request, ResponseInterface $response, $instance) { - if ('logout' == 
$request->getAttribute('authentificationHandler') && ! $request->getParam('state')) { - try { - // Log logout event - $resourceOwner = $instance->getProvider()->getResourceOwner($instance->getAccessToken()); - \App::$log->info('OAuth logout', [ - 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'username' => $resourceOwner->getUsername(), - 'event' => 'oauth_logout' - ]); - return $instance->doLogout($response); - } catch (\Exception $e) { - \App::$log->error('OAuth logout failed', [ - 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'error' => $e->getMessage(), - 'event' => 'oauth_logout_error' - ]); - throw $e; - } + if ('logout' == $request->getAttribute('authentificationHandler') && + ! $request->getParam('state') + ) { + return $instance->doLogout($response); } return $response; } From fd642b04b67b4f9ccf0bad91fa10cd335323edf2 Mon Sep 17 00:00:00 2001 From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com> Date: Tue, 21 Jan 2025 11:15:00 +0100 Subject: [PATCH 3/6] fix(ZMS): warnings missing default values Update Provider.php --- zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php b/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php index 69ee50699..b0920aa23 100644 --- a/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php +++ b/zmsslim/src/Slim/Middleware/OAuth/Keycloak/Provider.php @@ -86,10 +86,10 @@ private function getOptionsFromJsonFile() $realmData = $this->getBasicOptionsFromJsonFile(); $realmData['clientSecret'] = $config_data['credentials']['secret']; $realmData['authServerUrl'] = $config_data['auth-server-url']; - $realmData['verify'] = $config_data['ssl-verify']; + $realmData['verify'] = $config_data['ssl-verify'] ?? true; return $realmData; } - + public function getBasicOptionsFromJsonFile() { $config_data = file_get_contents(\App::APP_PATH . '/'. static::PROVIDERNAME .'.json'); 
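Review bot: An explicit `"ssl-verify": false` in the provider JSON still disables TLS certificate verification for the IdP requests silently; defaulting to `true` for a missing key is right, but log a warning when the value is false so a stray test setting is visible in production, e.g. `if (false === $realmData['verify']) { error_log('keycloak: ssl-verify disabled, TLS certificates are not validated'); }`. The `??` only covers an absent key — a string such as `"false"` passes through and is likely to be treated by the underlying HTTP client as a CA bundle path, so validate the type (`is_bool`, or a readable path) when the config is loaded. getOptionsFromJsonFile starts outside the hunk; the unchecked `file_get_contents` in the trailing context is pre-existing.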
From 2c3129894cc98589bec285f38a4bb1b1839f4168 Mon Sep 17 00:00:00 2001 From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com> Date: Tue, 21 Jan 2025 11:46:35 +0100 Subject: [PATCH 4/6] fix(ZMS): Add username logging to Oidc.php (#782) * fix(ZMS): Add username logging to Oidc.php * fix(ZMS): Add username logging to Oidc.php --- zmsadmin/src/Zmsadmin/Oidc.php | 30 ++++++++++++++++++-------- zmsstatistic/src/Zmsstatistic/Oidc.php | 27 ++++++++++++++++------- 2 files changed, 40 insertions(+), 17 deletions(-) diff --git a/zmsadmin/src/Zmsadmin/Oidc.php b/zmsadmin/src/Zmsadmin/Oidc.php index b59f01861..47b6e3dfa 100644 --- a/zmsadmin/src/Zmsadmin/Oidc.php +++ b/zmsadmin/src/Zmsadmin/Oidc.php 
@@ -23,40 +23,49 @@ public function readResponse( $state = $request->getParam("state"); $authKey = \BO\Zmsclient\Auth::getKey(); - // Log state validation attempt + // Get the instance and username first + $instance = new \BO\Slim\Middleware\OAuth\KeycloakInstance(); + $accessToken = $instance->getAccessToken($request->getParam("code")); + $ownerData = $instance->getProvider()->getResourceOwnerData($accessToken); + $username = $ownerData['username'] ?? 'unknown'; + + // Log state validation attempt with username error_log(json_encode([ 'event' => 'oauth_state_validation', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsadmin', + 'username' => $username, 'state_match' => ($state == $authKey) ])); - + if ($state == $authKey) { try { $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); - // Log workstation access + // Log workstation access with username error_log(json_encode([ 'event' => 'oauth_workstation_access', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsadmin', + 'username' => $username, 'workstation_id' => $workstation->id ?? 'unknown' ])); - + $departmentCount = $workstation->getUseraccount()->getDepartmentList()->count(); - // Log department check + // Log department check with username error_log(json_encode([ 'event' => 'oauth_department_check', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsadmin', + 'username' => $username, 'department_count' => $departmentCount, 'has_departments' => ($departmentCount > 0) ])); - + if (0 == $departmentCount) { return \BO\Slim\Render::redirect( 'index', 
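Review bot: The CSRF `state` check now runs after the authorization code has been exchanged: `$instance->getAccessToken($request->getParam("code"))` and the userinfo call happen before `$state` is compared with the stored key, so a forged callback URL still triggers a token request to the IdP with this client's credentials, and a request without `code` throws before the `oauth_state_validation` event is written. Move the username lookup inside the `if ($state == $authKey)` branch — or take the identity from the `/workstation/` result that branch already fetches — and log `'username' => 'unknown'` on the invalid-state path. Since OAuthMiddleware::handleLogin has already run `doLogin` on this request, this is most likely a second exchange of a single-use code (KeycloakInstance is not shown here — confirm), which would make every login fail at the IdP. The hard-coded `new KeycloakInstance()` also ignores `Auth::getOidcProvider()`, which these events log as the provider in use.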
@@ -72,12 +81,13 @@ public function readResponse( [] ); } catch (\Exception $e) { - // Log workstation access error + // Log workstation access error with username error_log(json_encode([ 'event' => 'oauth_workstation_error', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsadmin', + 'username' => $username, 'error' => $e->getMessage(), 'code' => $e->getCode() ])); @@ -85,11 +95,13 @@ public function readResponse( } } - // Log invalid state + // Log invalid state with username error_log(json_encode([ 'event' => 'oauth_invalid_state', 'timestamp' => date('c'), - 'provider' => \BO\Zmsclient\Auth::getOidcProvider() + 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'username' => $username, + 'application' => 'zmsadmin' ])); throw new \BO\Slim\Exception\OAuthInvalid(); diff --git a/zmsstatistic/src/Zmsstatistic/Oidc.php b/zmsstatistic/src/Zmsstatistic/Oidc.php index 0650ba3fc..11ccd4bff 100644 --- a/zmsstatistic/src/Zmsstatistic/Oidc.php +++ b/zmsstatistic/src/Zmsstatistic/Oidc.php 
@@ -23,40 +23,49 @@ public function readResponse( $state = $request->getParam("state"); $authKey = \BO\Zmsclient\Auth::getKey(); - // Log state validation attempt + // Get the instance and username first + $instance = new \BO\Slim\Middleware\OAuth\KeycloakInstance(); + $accessToken = $instance->getAccessToken($request->getParam("code")); + $ownerData = $instance->getProvider()->getResourceOwnerData($accessToken); + $username = $ownerData['username'] ?? 'unknown'; + + // Log state validation attempt with username error_log(json_encode([ 'event' => 'oauth_state_validation', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsstatistic', + 'username' => $username, 'state_match' => ($state == $authKey) ])); - + if ($state == $authKey) { try { $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); - // Log workstation access + // Log workstation access with username error_log(json_encode([ 'event' => 'oauth_workstation_access', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsstatistic', + 'username' => $username, 'workstation_id' => $workstation->id ?? 'unknown' ])); - + $departmentCount = $workstation->getUseraccount()->getDepartmentList()->count(); - // Log department check + // Log department check with username error_log(json_encode([ 'event' => 'oauth_department_check', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsstatistic', + 'username' => $username, 'department_count' => $departmentCount, 'has_departments' => ($departmentCount > 0) ])); - + if (0 == $departmentCount) { return \BO\Slim\Render::redirect( 'index', 
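Review bot: As in zmsadmin, the username is resolved by a fresh token exchange (`$instance->getAccessToken($request->getParam("code"))`) ahead of the state comparison, so the CSRF check now runs after the side effect it is meant to gate, and any exception from the exchange escapes the method with neither `oauth_state_validation` nor `oauth_invalid_state` written — the failure path this logging is supposed to illuminate. Resolve the username only once `$state == $authKey` holds, preferably from the `/workstation/` response, and keep one shared implementation of this controller rather than two copies to edit in lockstep. `$request->getParam("code")` may be null on this route, which `getAccessToken` is unlikely to handle — confirm against KeycloakInstance, which is not in this diff.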
@@ -72,12 +81,13 @@ public function readResponse( [] ); } catch (\Exception $e) { - // Log workstation access error + // Log workstation access error with username error_log(json_encode([ 'event' => 'oauth_workstation_error', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsstatistic', + 'username' => $username, 'error' => $e->getMessage(), 'code' => $e->getCode() ])); @@ -85,11 +95,12 @@ public function readResponse( } } - // Log invalid state + // Log invalid state with username error_log(json_encode([ 'event' => 'oauth_invalid_state', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), + 'username' => $username, 'application' => 'zmsstatistic' ])); From 002083b7ac92c43b5d27b083c0d6a0aec7b2e081 Mon Sep 17 00:00:00 2001 From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com> Date: Tue, 21 Jan 2025 12:14:03 +0100 Subject: [PATCH 5/6] Hotfix add more login logging (#783) * fix(ZMS): Add username logging to Oidc.php * fix(ZMS): Add username logging to Oidc.php * Update Oidc.php * Update Oidc.php * Update Oidc.php * Update Oidc.php --- zmsadmin/src/Zmsadmin/Oidc.php | 16 ++++------------ zmsstatistic/src/Zmsstatistic/Oidc.php | 18 +++++------------- 2 files changed, 9 insertions(+), 25 deletions(-) diff --git a/zmsadmin/src/Zmsadmin/Oidc.php b/zmsadmin/src/Zmsadmin/Oidc.php index 47b6e3dfa..efbe29e4f 100644 --- a/zmsadmin/src/Zmsadmin/Oidc.php +++ b/zmsadmin/src/Zmsadmin/Oidc.php 
@@ -23,25 +23,19 @@ public function readResponse( $state = $request->getParam("state"); $authKey = \BO\Zmsclient\Auth::getKey(); - // Get the instance and username first - $instance = new \BO\Slim\Middleware\OAuth\KeycloakInstance(); - $accessToken = $instance->getAccessToken($request->getParam("code")); - $ownerData = $instance->getProvider()->getResourceOwnerData($accessToken); - $username = $ownerData['username'] ?? 'unknown'; - - // Log state validation attempt with username + // Log state validation attempt error_log(json_encode([ 'event' => 'oauth_state_validation', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsadmin', - 'username' => $username, 'state_match' => ($state == $authKey) ])); if ($state == $authKey) { try { $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); + $username = $workstation->getUseraccount()->getLogin() . '@' . \BO\Zmsclient\Auth::getOidcProvider(); // Log workstation access with username error_log(json_encode([ @@ -81,13 +75,12 @@ public function readResponse( [] ); } catch (\Exception $e) { - // Log workstation access error with username + // Log workstation access error error_log(json_encode([ 'event' => 'oauth_workstation_error', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsadmin', - 'username' => $username, 'error' => $e->getMessage(), 'code' => $e->getCode() ])); @@ -95,12 +88,11 @@ public function readResponse( } } - // Log invalid state with username + // Log invalid state error_log(json_encode([ 'event' => 'oauth_invalid_state', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'username' => $username, 'application' => 'zmsadmin' ])); diff --git a/zmsstatistic/src/Zmsstatistic/Oidc.php b/zmsstatistic/src/Zmsstatistic/Oidc.php index 11ccd4bff..2ea7d630f 100644 --- a/zmsstatistic/src/Zmsstatistic/Oidc.php 
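Review bot: The `oauth_state_validation` and `oauth_invalid_state` events now carry no identifier at all, since the username is only derived inside the validated branch from `$workstation->getUseraccount()->getLogin()`, so a burst of mismatches cannot be tied to a client; add a token-independent correlator such as `'remote_addr' => $request->getServerParams()['REMOTE_ADDR'] ?? null` (behind a trusted proxy, the forwarded header instead). Taking the identity from the server-side `/workstation/` result rather than a second token exchange is the right direction. If `getUseraccount()` can return null, the resulting `\Error` is not an `\Exception` and escapes the `oauth_workstation_error` catch — either guard with `?->getLogin()` or catch `\Throwable` there.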
+++ b/zmsstatistic/src/Zmsstatistic/Oidc.php @@ -14,7 +14,7 @@ class Oidc extends BaseController * @SuppressWarnings(Param) * @return \Psr\Http\Message\ResponseInterface */ - public function readResponse( +public function readResponse( \Psr\Http\Message\RequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args @@ -23,25 +23,19 @@ public function readResponse( $state = $request->getParam("state"); $authKey = \BO\Zmsclient\Auth::getKey(); - // Get the instance and username first - $instance = new \BO\Slim\Middleware\OAuth\KeycloakInstance(); - $accessToken = $instance->getAccessToken($request->getParam("code")); - $ownerData = $instance->getProvider()->getResourceOwnerData($accessToken); - $username = $ownerData['username'] ?? 'unknown'; - - // Log state validation attempt with username + // Log state validation attempt error_log(json_encode([ 'event' => 'oauth_state_validation', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsstatistic', - 'username' => $username, 'state_match' => ($state == $authKey) ])); if ($state == $authKey) { try { $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); + $username = $workstation->getUseraccount()->getLogin() . '@' . \BO\Zmsclient\Auth::getOidcProvider(); // Log workstation access with username error_log(json_encode([ @@ -81,13 +75,12 @@ public function readResponse( [] ); } catch (\Exception $e) { - // Log workstation access error with username + // Log workstation access error error_log(json_encode([ 'event' => 'oauth_workstation_error', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), 'application' => 'zmsstatistic', - 'username' => $username, 'error' => $e->getMessage(), 'code' => $e->getCode() ])); 
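Review bot: `public function readResponse(` is now at column 0 inside `class Oidc` while the parameter lines below keep their indentation — a PSR-12 violation that phpcs will flag if the project runs it, and it makes the method read as top-level in a skim. Restore the four-space indent: `    public function readResponse(`. The two remaining hunks mirror the zmsadmin change and raise nothing beyond what was noted there.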
@@ -95,12 +88,11 @@ public function readResponse( } } - // Log invalid state with username + // Log invalid state error_log(json_encode([ 'event' => 'oauth_invalid_state', 'timestamp' => date('c'), 'provider' => \BO\Zmsclient\Auth::getOidcProvider(), - 'username' => $username, 'application' => 'zmsstatistic' ])); From 9f2afb1a374512237c5e5e79e697f6250693a4f1 Mon Sep 17 00:00:00 2001 From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com> Date: Tue, 21 Jan 2025 12:35:09 +0100 Subject: [PATCH 6/6] Hotfix add more login logging (#784) * Update Oidc.php * Update Oidc.php --- zmsadmin/src/Zmsadmin/Oidc.php | 2 +- zmsstatistic/src/Zmsstatistic/Oidc.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/zmsadmin/src/Zmsadmin/Oidc.php b/zmsadmin/src/Zmsadmin/Oidc.php index efbe29e4f..b11e65462 100644 --- a/zmsadmin/src/Zmsadmin/Oidc.php +++ b/zmsadmin/src/Zmsadmin/Oidc.php @@ -35,7 +35,7 @@ public function readResponse( if ($state == $authKey) { try { $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); - $username = $workstation->getUseraccount()->getLogin() . '@' . \BO\Zmsclient\Auth::getOidcProvider(); + $username = $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider(); // Log workstation access with username error_log(json_encode([ diff --git a/zmsstatistic/src/Zmsstatistic/Oidc.php b/zmsstatistic/src/Zmsstatistic/Oidc.php index 2ea7d630f..a62148946 100644 --- a/zmsstatistic/src/Zmsstatistic/Oidc.php +++ b/zmsstatistic/src/Zmsstatistic/Oidc.php 
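Review bot: The field named `username` now holds `$workstation->getUseraccount()->id . '@' . provider`, an account id rather than a login name, so correlating these events with IdP or zmsapi logs by username will produce no matches; rename the key to match its contents, `'useraccount_id' => $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider()`, or log both fields. If the switch from `getLogin()` was made to keep login names out of the log, a comment on that line saying so would stop the next person from switching it back. Whether `id` on the useraccount entity is the numeric key is not visible here — confirm before relying on it for audit.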
@@ -35,7 +35,7 @@ public function readResponse( if ($state == $authKey) { try { $workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity(); - $username = $workstation->getUseraccount()->getLogin() . '@' . \BO\Zmsclient\Auth::getOidcProvider(); + $username = $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider(); // Log workstation access with username error_log(json_encode([
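Review bot: Same as zmsadmin: `'username'` now carries `getUseraccount()->id` suffixed with the provider name, which is not a username; rename the key (`'useraccount_id'`) or keep `getLogin()` alongside it so the events stay joinable with other logs. Because `error_log` emits these JSON lines unstructured, make sure whatever consumes them is told about the changed meaning of the field. readResponse continues outside the hunk.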