Log security related events like password reset, 2FA method added, etc.

2025-06-24 10:49:00 +02:00 · 2020-04-03 18:27:47 +02:00 · 2020-04-03 18:27:47 +02:00 · 470cd2af9e
commit 470cd2af9e
parent 1b21bf5ddd
13 changed files with 485 additions and 8 deletions
--- a/src/Controller/AdminPages/BaseAdminController.php
+++ b/src/Controller/AdminPages/BaseAdminController.php
@ -46,10 +46,11 @@ use App\DataTables\LogDataTable;
 use App\Entity\Base\AbstractNamedDBElement;
 use App\Entity\Base\AbstractStructuralDBElement;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Exceptions\AttachmentDownloadException;
 use App\Form\AdminPages\ImportType;
 use App\Form\AdminPages\MassCreationForm;
-use App\Services\Attachments\AttachmentManager;
 use App\Services\Attachments\AttachmentSubmitHandler;
 use App\Services\EntityExporter;
 use App\Services\EntityImporter;
@ -61,6 +62,8 @@ use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Omines\DataTablesBundle\DataTableFactory;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@ -87,11 +90,13 @@ abstract class BaseAdminController extends AbstractController
    protected $historyHelper;
    protected $timeTravel;
    protected $dataTableFactory;
+    /** @var EventDispatcher */
+    protected $eventDispatcher;

    public function __construct(TranslatorInterface $translator, UserPasswordEncoderInterface $passwordEncoder,
        AttachmentSubmitHandler $attachmentSubmitHandler,
        EventCommentHelper $commentHelper, HistoryHelper $historyHelper, TimeTravel $timeTravel,
-        DataTableFactory $dataTableFactory)
+        DataTableFactory $dataTableFactory, EventDispatcherInterface $eventDispatcher)
    {
        if ('' === $this->entity_class || '' === $this->form_class || '' === $this->twig_template || '' === $this->route_base) {
            throw new InvalidArgumentException('You have to override the $entity_class, $form_class, $route_base and $twig_template value in your subclasss!');
@ -112,6 +117,7 @@ abstract class BaseAdminController extends AbstractController
        $this->historyHelper = $historyHelper;
        $this->timeTravel = $timeTravel;
        $this->dataTableFactory = $dataTableFactory;
+        $this->eventDispatcher = $eventDispatcher;
    }

    protected function _edit(AbstractNamedDBElement $entity, Request $request, EntityManagerInterface $em, ?string $timestamp = null): Response
@ -164,6 +170,9 @@ abstract class BaseAdminController extends AbstractController
                $entity->setPassword($password);
                //By default the user must change the password afterwards
                $entity->setNeedPwChange(true);
+
+                $event = new SecurityEvent($entity);
+                $this->eventDispatcher->dispatch($event, SecurityEvents::PASSWORD_CHANGED);
            }

            //Upload passed files
--- a/src/Controller/SecurityController.php
+++ b/src/Controller/SecurityController.php
@ -42,7 +42,11 @@ declare(strict_types=1);

 namespace App\Controller;

+use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Services\PasswordResetManager;
+use Doctrine\ORM\EntityManagerInterface;
 use Gregwar\CaptchaBundle\Type\CaptchaType;
 use RuntimeException;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@ -56,6 +60,7 @@ use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
 use Symfony\Component\Validator\Constraints\Length;
 use Symfony\Component\Validator\Constraints\NotBlank;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;

 class SecurityController extends AbstractController
@ -137,7 +142,7 @@ class SecurityController extends AbstractController
     *
     * @return \Symfony\Component\HttpFoundation\RedirectResponse|\Symfony\Component\HttpFoundation\Response
     */
-    public function pwResetNewPw(PasswordResetManager $passwordReset, Request $request, ?string $user = null, ?string $token = null)
+    public function pwResetNewPw(PasswordResetManager $passwordReset, Request $request, EntityManagerInterface $em, EventDispatcherInterface $eventDispatcher, ?string $user = null, ?string $token = null)
    {
        if (! $this->allow_email_pw_reset) {
            throw new AccessDeniedHttpException('The password reset via email is disabled!');
@ -189,6 +194,11 @@ class SecurityController extends AbstractController
            } else {
                $this->addFlash('success', 'pw_reset.new_pw.success');

+                $repo = $em->getRepository(User::class);
+                $u = $repo->findOneBy(['name' => $data['username']]);
+                $event = new SecurityEvent($u);
+                $eventDispatcher->dispatch($event, SecurityEvents::PASSWORD_RESET);
+
                return $this->redirectToRoute('login');
            }
        }
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@ -44,6 +44,8 @@ namespace App\Controller;

 use App\Entity\Attachments\UserAttachment;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Form\Permissions\PermissionsType;
 use App\Form\UserAdminForm;
 use App\Services\EntityExporter;
@ -52,6 +54,7 @@ use App\Services\StructuralElementRecursionHelper;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Symfony\Component\Asset\Packages;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
@ -97,6 +100,9 @@ class UserController extends AdminPages\BaseAdminController
                $entity->invalidateTrustedDeviceTokens();
                $em->flush();

+                $event = new SecurityEvent($entity);
+                $this->eventDispatcher->dispatch($event, SecurityEvents::TFA_ADMIN_RESET);
+
                $this->addFlash('success', 'user.edit.reset_success');
            } else {
                $this->addFlash('danger', 'csfr_invalid');
--- a/src/Controller/UserSettingsController.php
+++ b/src/Controller/UserSettingsController.php
@ -44,6 +44,8 @@ namespace App\Controller;

 use App\Entity\UserSystem\U2FKey;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Form\TFAGoogleSettingsType;
 use App\Form\UserSettingsType;
 use App\Services\TFA\BackupCodeManager;
@ -51,6 +53,8 @@ use Doctrine\ORM\EntityManagerInterface;
 use RuntimeException;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticator;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
 use Symfony\Component\Form\Extension\Core\Type\RepeatedType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
@ -68,10 +72,13 @@ use Symfony\Component\Validator\Constraints\Length;
 class UserSettingsController extends AbstractController
 {
    protected $demo_mode;
+    /** @var EventDispatcher */
+    protected $eventDispatcher;

-    public function __construct(bool $demo_mode)
+    public function __construct(bool $demo_mode, EventDispatcherInterface $eventDispatcher)
    {
        $this->demo_mode = $demo_mode;
+        $this->eventDispatcher = $eventDispatcher;
    }

    /**
@ -142,6 +149,9 @@ class UserSettingsController extends AbstractController
                $entityManager->remove($u2f);
                $entityManager->flush();
                $this->addFlash('success', 'tfa.u2f.u2f_delete.success');
+
+                $security_event = new SecurityEvent($user);
+                $this->eventDispatcher->dispatch($security_event, SecurityEvents::U2F_REMOVED);
            }
        } else {
            $this->addFlash('error', 'csfr_invalid');
@ -174,6 +184,9 @@ class UserSettingsController extends AbstractController
            $user->invalidateTrustedDeviceTokens();
            $entityManager->flush();
            $this->addFlash('success', 'tfa_trustedDevice.invalidate.success');
+
+            $security_event = new SecurityEvent($user);
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::TRUSTED_DEVICE_RESET);
        } else {
            $this->addFlash('error', 'csfr_invalid');
        }
@ -200,6 +213,8 @@ class UserSettingsController extends AbstractController
            throw new RuntimeException('This controller only works only for Part-DB User objects!');
        }

+        $security_event = new SecurityEvent($user);
+
        /***************************
         * User settings form
         ***************************/
@ -278,6 +293,7 @@ class UserSettingsController extends AbstractController
            $em->persist($user);
            $em->flush();
            $this->addFlash('success', 'user.settings.pw_changed_flash');
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::PASSWORD_CHANGED);
        }

        //Handle 2FA things
@ -294,9 +310,12 @@ class UserSettingsController extends AbstractController
                //Save 2FA settings (save secrets)
                $user->setGoogleAuthenticatorSecret($google_form->get('googleAuthenticatorSecret')->getData());
                $backupCodeManager->enableBackupCodes($user);
+
                $em->flush();
                $this->addFlash('success', 'user.settings.2fa.google.activated');

+                $this->eventDispatcher->dispatch($security_event, SecurityEvents::GOOGLE_ENABLED);
+
                return $this->redirectToRoute('user_settings');
            }

@ -305,6 +324,7 @@ class UserSettingsController extends AbstractController
            $backupCodeManager->disableBackupCodesIfUnused($user);
            $em->flush();
            $this->addFlash('success', 'user.settings.2fa.google.disabled');
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::GOOGLE_DISABLED);

            return $this->redirectToRoute('user_settings');
        }
@ -322,6 +342,7 @@ class UserSettingsController extends AbstractController
            $backupCodeManager->regenerateBackupCodes($user);
            $em->flush();
            $this->addFlash('success', 'user.settings.2fa.backup_codes.regenerated');
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::BACKUP_KEYS_RESET);
        }

        /******************************