feat: log successful auth option

this allows admins to configure the api to log successfuly api authentication which is now disabled by default. successful auth logs can cause a lot of syslog noise which can hinder more valuable logs from being seen.
jaredhendrickson13 · Oct 17, 2022 · 307607d · 307607d
1 parent 15713c4
commit 307607d
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 4 deletions.
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc
@@ -184,12 +184,19 @@ class APIAuth {
 
         # Log authentication attempts if enabled
         if (isset($this->api_config["enable_login_protection"])) {
-            # Only log failed authentication
+            # Log failed authentication
             if (!$authenticated) {
+                # This log entry is required for Login Protection to work, do not change the log text.
                 log_auth(
                     gettext("webConfigurator authentication error for user '{$username}' from: {$ip_address}")
                 );
             }
+            # Log successful authentication if the API is configured to do so. Disabled by default to avoid log spam.
+            elseif (isset($this->api_config["log_successful_auth"])) {
+                log_auth(
+                    gettext("Successful login for user '{$username}' from: {$ip_address} (Local Database)")
+                );
+            }
         }
     }
 }
diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APISystemAPIUpdate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APISystemAPIUpdate.inc
@@ -30,8 +30,9 @@ class APISystemAPIUpdate extends APIModel {
         $this->config["installedpackages"]["package"][APITools\get_api_config()[0]]["conf"] = $this->validated_data;
         $this->write_config();
 
-        # Sync changes to HA nodes if enabled
-        $this->__sync();
+        # Backup and sync changes to HA nodes if enabled
+        $this->backup();
+        $this->sync();
 
         # Remove sensitive values
         unset($this->validated_data["server_key"]);
@@ -76,6 +77,15 @@ class APISystemAPIUpdate extends APIModel {
         }
     }
 
+    private function __validate_log_successful_auth() {
+        # Check for our optional 'log_successful_auth' payload value
+        if ($this->initial_data['log_successful_auth'] === true) {
+            $this->validated_data["log_successful_auth"] = "";
+        } elseif ($this->initial_data['log_successful_auth'] === false) {
+            unset($this->validated_data["log_successful_auth"]);
+        }
+    }
+
     private function __validate_hasync() {
         # Check for our optional 'hasync' payload value
         if ($this->initial_data['hasync'] === true) {
@@ -249,7 +259,13 @@ class APISystemAPIUpdate extends APIModel {
         }
     }
 
-    private function __sync() {
+    public function backup() {
+        if (isset($this->validated_data["persist"])) {
+            shell_exec("/usr/local/share/pfSense-pkg-API/manage.php backup");
+        }
+    }
+
+    public function sync() {
         # Use ob_start()/ob_end_clean() to prevent sync() from printing output
         ob_start();
         APITools\sync();
@@ -269,6 +285,7 @@ class APISystemAPIUpdate extends APIModel {
         $this->__validate_custom_headers();
         $this->__validate_access_list();
         $this->__validate_enable_login_protection();
+        $this->__validate_log_successful_auth();
         $this->__validate_hasync();
         $this->__validate_hasync_hosts();
         $this->__validate_hasync_username();

diff --git a/pfSense-pkg-API/files/usr/local/www/api/documentation/openapi.yml b/pfSense-pkg-API/files/usr/local/www/api/documentation/openapi.yml
@@ -12089,6 +12089,10 @@ paths:
                 enable_login_protection:
                   description: Enable or disable Login Protection for API authentication requests.
                   type: boolean
+                log_successful_auth:
+                  description: Enable or disable logging successful API authentication requests in syslog. This
+                    field is only applicable if `enable_login_protection` is set to `true`.
+                  type: boolean
                 hasync:
                   description: Enable or disable HA sync for API configurations.
                   type: boolean

diff --git a/pfSense-pkg-API/files/usr/local/www/api/index.php b/pfSense-pkg-API/files/usr/local/www/api/index.php
@@ -165,6 +165,12 @@
         unset($pkg_config["enable_login_protection"]);
     }
 
+    if (!empty($_POST["log_successful_auth"])) {
+        $pkg_config["log_successful_auth"] = "";
+    } else {
+        unset($pkg_config["log_successful_auth"]);
+    }
+
     # Validate HA Sync settings if enabled
     if (!empty($_POST["hasync"])) {
         $pkg_config["hasync"] = "";
@@ -338,6 +344,16 @@
     other authentication-based attacks. Login Protection can be configured system-wide under 
     <a href='/system_advanced_admin.php'>System > Advanced</a>."
 );
+$advanced_section->addInput(new Form_Checkbox(
+    'log_successful_auth',
+    'Log All Authentication',
+    'Enable Logging of All API Authentication Attempts',
+    isset($pkg_config["enable_login_protection"])
+))->setHelp(
+    "Log all API authentication attempts, even successful authentication. By default, only failed API authentication
+    attempts are logged (if API Login Protection is enabled above). This setting enforces all API authentication to
+    be logged instead. This may cause a lot of unnecessary syslog entries and is disabled by default."
+);
 $advanced_section->addInput(new Form_Checkbox(
     'hasync',
     'Sync API Configuration',