Log security related events like password reset, 2FA method added, etc.

2025-06-25 19:28:51 +02:00 · 2020-04-03 18:27:47 +02:00 · 2020-04-03 18:27:47 +02:00 · 470cd2af9e
commit 470cd2af9e
parent 1b21bf5ddd
13 changed files with 485 additions and 8 deletions
--- a/src/Entity/LogSystem/AbstractLogEntry.php
+++ b/src/Entity/LogSystem/AbstractLogEntry.php
@ -83,7 +83,8 @@ use Psr\Log\LogLevel;
 *  8 = "ConfigChangedLogEntry",
 *  9 = "InstockChangedLogEntry",
 *  10 = "DatabaseUpdatedLogEntry",
- *  11 = "CollectionElementDeleted"
+ *  11 = "CollectionElementDeleted",
+ *  12 = "SecurityEventLogEntry",
 * })
 */
 abstract class AbstractLogEntry extends AbstractDBElement
--- a/src/Entity/LogSystem/SecurityEventLogEntry.php
+++ b/src/Entity/LogSystem/SecurityEventLogEntry.php
@ -0,0 +1,126 @@
+<?php
+/**
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ * Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\Entity\LogSystem;
+
+
+use App\Entity\Base\AbstractDBElement;
+use App\Entity\UserSystem\User;
+use App\Events\SecurityEvents;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\HttpFoundation\IpUtils;
+
+/**
+ * This log entry is created when something security related to a user happens.
+ *
+ * @ORM\Entity()
+ */
+class SecurityEventLogEntry extends AbstractLogEntry
+{
+    public const SECURITY_TYPE_MAPPING = [
+        0 => SecurityEvents::PASSWORD_CHANGED,
+        1 => SecurityEvents::PASSWORD_RESET,
+        2 => SecurityEvents::BACKUP_KEYS_RESET,
+        3 => SecurityEvents::U2F_ADDED,
+        4 => SecurityEvents::U2F_REMOVED,
+        5 => SecurityEvents::GOOGLE_ENABLED,
+        6 => SecurityEvents::GOOGLE_DISABLED,
+        7 => SecurityEvents::TRUSTED_DEVICE_RESET,
+        8 => SecurityEvents::TFA_ADMIN_RESET,
+    ];
+
+    public function __construct(string $type, string $ip_address, bool $anonymize = true)
+    {
+        parent::__construct();
+        $this->level = self::LEVEL_INFO;
+        $this->setIPAddress($ip_address, $anonymize);
+        $this->setEventType($type);
+        $this->level = self::LEVEL_NOTICE;
+    }
+
+    public function setTargetElement(?AbstractDBElement $element): AbstractLogEntry
+    {
+        if (!$element instanceof User) {
+            throw new \InvalidArgumentException('Target element must be a User object!');
+        }
+        return parent::setTargetElement($element);
+    }
+
+    /**
+     * Sets the type of this log entry.
+     * @param  string  $type
+     * @return $this
+     */
+    public function setEventType(string $type): self
+    {
+        $key = array_search($type, static::SECURITY_TYPE_MAPPING);
+        if ($key === false) {
+            throw new \InvalidArgumentException('Given event type is not existing!');
+        }
+        $this->extra['e'] = $key;
+        return $this;
+    }
+
+    public function getType(): string
+    {
+        return $this->getEventType();
+    }
+
+    /**
+     * Return what event this log entry represents (e.g. password_reset)
+     * @return string
+     */
+    public function getEventType(): string
+    {
+        $key = $this->extra['e'];
+        if (isset(static::SECURITY_TYPE_MAPPING[$key])) {
+            return static::SECURITY_TYPE_MAPPING[$key];
+        }
+
+        return 'unkown';
+    }
+
+    /**
+     * Return the (anonymized) IP address used to login the user.
+     *
+     * @return string
+     */
+    public function getIPAddress(): string
+    {
+        return $this->extra['i'];
+    }
+
+    /**
+     * Sets the IP address used to login the user.
+     *
+     * @param string $ip        The IP address used to login the user.
+     * @param bool   $anonymize Anonymize the IP address (remove last block) to be GPDR compliant
+     *
+     * @return $this
+     */
+    public function setIPAddress(string $ip, bool $anonymize = true): self
+    {
+        if ($anonymize) {
+            $ip = IpUtils::anonymize($ip);
+        }
+        $this->extra['i'] = $ip;
+        return $this;
+    }
+}