Log security related events like password reset, 2FA method added, etc.

src/Command/SetPasswordCommand.php

@@ -43,12 +43,16 @@ declare(strict_types=1);
 namespace App\Command;
 
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
 
 class SetPasswordCommand extends Command
@@ -57,11 +61,13 @@ class SetPasswordCommand extends Command
 
     protected $entityManager;
     protected $encoder;
+    protected $eventDispatcher;
 
-    public function __construct(EntityManagerInterface $entityManager, UserPasswordEncoderInterface $passwordEncoder)
+    public function __construct(EntityManagerInterface $entityManager, UserPasswordEncoderInterface $passwordEncoder, EventDispatcherInterface $eventDispatcher)
     {
         $this->entityManager = $entityManager;
         $this->encoder = $passwordEncoder;
+        $this->eventDispatcher = $eventDispatcher;
 
         parent::__construct();
     }
@@ -126,6 +132,9 @@ class SetPasswordCommand extends Command
 
         $io->success('Password was set successful! You can now log in using the new password.');
 
+        $security_event = new SecurityEvent($user);
+        $this->eventDispatcher->dispatch($security_event, SecurityEvents::PASSWORD_CHANGED);
+
         return 0;
     }
 }

src/Controller/AdminPages/BaseAdminController.php

@@ -46,10 +46,11 @@ use App\DataTables\LogDataTable;
 use App\Entity\Base\AbstractNamedDBElement;
 use App\Entity\Base\AbstractStructuralDBElement;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Exceptions\AttachmentDownloadException;
 use App\Form\AdminPages\ImportType;
 use App\Form\AdminPages\MassCreationForm;
-use App\Services\Attachments\AttachmentManager;
 use App\Services\Attachments\AttachmentSubmitHandler;
 use App\Services\EntityExporter;
 use App\Services\EntityImporter;
@@ -61,6 +62,8 @@ use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Omines\DataTablesBundle\DataTableFactory;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -87,11 +90,13 @@ abstract class BaseAdminController extends AbstractController
     protected $historyHelper;
     protected $timeTravel;
     protected $dataTableFactory;
+    /** @var EventDispatcher */
+    protected $eventDispatcher;
 
     public function __construct(TranslatorInterface $translator, UserPasswordEncoderInterface $passwordEncoder,
         AttachmentSubmitHandler $attachmentSubmitHandler,
         EventCommentHelper $commentHelper, HistoryHelper $historyHelper, TimeTravel $timeTravel,
-        DataTableFactory $dataTableFactory)
+        DataTableFactory $dataTableFactory, EventDispatcherInterface $eventDispatcher)
     {
         if ('' === $this->entity_class || '' === $this->form_class || '' === $this->twig_template || '' === $this->route_base) {
             throw new InvalidArgumentException('You have to override the $entity_class, $form_class, $route_base and $twig_template value in your subclasss!');
@@ -112,6 +117,7 @@ abstract class BaseAdminController extends AbstractController
         $this->historyHelper = $historyHelper;
         $this->timeTravel = $timeTravel;
         $this->dataTableFactory = $dataTableFactory;
+        $this->eventDispatcher = $eventDispatcher;
     }
 
     protected function _edit(AbstractNamedDBElement $entity, Request $request, EntityManagerInterface $em, ?string $timestamp = null): Response
@@ -164,6 +170,9 @@ abstract class BaseAdminController extends AbstractController
                 $entity->setPassword($password);
                 //By default the user must change the password afterwards
                 $entity->setNeedPwChange(true);
+
+                $event = new SecurityEvent($entity);
+                $this->eventDispatcher->dispatch($event, SecurityEvents::PASSWORD_CHANGED);
             }
 
             //Upload passed files

src/Controller/SecurityController.php

@@ -42,7 +42,11 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
+use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Services\PasswordResetManager;
+use Doctrine\ORM\EntityManagerInterface;
 use Gregwar\CaptchaBundle\Type\CaptchaType;
 use RuntimeException;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -56,6 +60,7 @@ use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
 use Symfony\Component\Validator\Constraints\Length;
 use Symfony\Component\Validator\Constraints\NotBlank;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
 class SecurityController extends AbstractController
@@ -137,7 +142,7 @@ class SecurityController extends AbstractController
      *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse|\Symfony\Component\HttpFoundation\Response
      */
-    public function pwResetNewPw(PasswordResetManager $passwordReset, Request $request, ?string $user = null, ?string $token = null)
+    public function pwResetNewPw(PasswordResetManager $passwordReset, Request $request, EntityManagerInterface $em, EventDispatcherInterface $eventDispatcher, ?string $user = null, ?string $token = null)
     {
         if (! $this->allow_email_pw_reset) {
             throw new AccessDeniedHttpException('The password reset via email is disabled!');
@@ -189,6 +194,11 @@ class SecurityController extends AbstractController
             } else {
                 $this->addFlash('success', 'pw_reset.new_pw.success');
 
+                $repo = $em->getRepository(User::class);
+                $u = $repo->findOneBy(['name' => $data['username']]);
+                $event = new SecurityEvent($u);
+                $eventDispatcher->dispatch($event, SecurityEvents::PASSWORD_RESET);
+
                 return $this->redirectToRoute('login');
             }
         }

src/Controller/UserController.php

@@ -44,6 +44,8 @@ namespace App\Controller;
 
 use App\Entity\Attachments\UserAttachment;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Form\Permissions\PermissionsType;
 use App\Form\UserAdminForm;
 use App\Services\EntityExporter;
@@ -52,6 +54,7 @@ use App\Services\StructuralElementRecursionHelper;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Symfony\Component\Asset\Packages;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
@@ -97,6 +100,9 @@ class UserController extends AdminPages\BaseAdminController
                 $entity->invalidateTrustedDeviceTokens();
                 $em->flush();
 
+                $event = new SecurityEvent($entity);
+                $this->eventDispatcher->dispatch($event, SecurityEvents::TFA_ADMIN_RESET);
+
                 $this->addFlash('success', 'user.edit.reset_success');
             } else {
                 $this->addFlash('danger', 'csfr_invalid');

src/Controller/UserSettingsController.php

@@ -44,6 +44,8 @@ namespace App\Controller;
 
 use App\Entity\UserSystem\U2FKey;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use App\Form\TFAGoogleSettingsType;
 use App\Form\UserSettingsType;
 use App\Services\TFA\BackupCodeManager;
@@ -51,6 +53,8 @@ use Doctrine\ORM\EntityManagerInterface;
 use RuntimeException;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticator;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
 use Symfony\Component\Form\Extension\Core\Type\RepeatedType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
@@ -68,10 +72,13 @@ use Symfony\Component\Validator\Constraints\Length;
 class UserSettingsController extends AbstractController
 {
     protected $demo_mode;
+    /** @var EventDispatcher */
+    protected $eventDispatcher;
 
-    public function __construct(bool $demo_mode)
+    public function __construct(bool $demo_mode, EventDispatcherInterface $eventDispatcher)
     {
         $this->demo_mode = $demo_mode;
+        $this->eventDispatcher = $eventDispatcher;
     }
 
     /**
@@ -142,6 +149,9 @@ class UserSettingsController extends AbstractController
                 $entityManager->remove($u2f);
                 $entityManager->flush();
                 $this->addFlash('success', 'tfa.u2f.u2f_delete.success');
+
+                $security_event = new SecurityEvent($user);
+                $this->eventDispatcher->dispatch($security_event, SecurityEvents::U2F_REMOVED);
             }
         } else {
             $this->addFlash('error', 'csfr_invalid');
@@ -174,6 +184,9 @@ class UserSettingsController extends AbstractController
             $user->invalidateTrustedDeviceTokens();
             $entityManager->flush();
             $this->addFlash('success', 'tfa_trustedDevice.invalidate.success');
+
+            $security_event = new SecurityEvent($user);
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::TRUSTED_DEVICE_RESET);
         } else {
             $this->addFlash('error', 'csfr_invalid');
         }
@@ -200,6 +213,8 @@ class UserSettingsController extends AbstractController
             throw new RuntimeException('This controller only works only for Part-DB User objects!');
         }
 
+        $security_event = new SecurityEvent($user);
+
         /***************************
          * User settings form
          ***************************/
@@ -278,6 +293,7 @@ class UserSettingsController extends AbstractController
             $em->persist($user);
             $em->flush();
             $this->addFlash('success', 'user.settings.pw_changed_flash');
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::PASSWORD_CHANGED);
         }
 
         //Handle 2FA things
@@ -294,9 +310,12 @@ class UserSettingsController extends AbstractController
                 //Save 2FA settings (save secrets)
                 $user->setGoogleAuthenticatorSecret($google_form->get('googleAuthenticatorSecret')->getData());
                 $backupCodeManager->enableBackupCodes($user);
+
                 $em->flush();
                 $this->addFlash('success', 'user.settings.2fa.google.activated');
 
+                $this->eventDispatcher->dispatch($security_event, SecurityEvents::GOOGLE_ENABLED);
+
                 return $this->redirectToRoute('user_settings');
             }
 
@@ -305,6 +324,7 @@ class UserSettingsController extends AbstractController
             $backupCodeManager->disableBackupCodesIfUnused($user);
             $em->flush();
             $this->addFlash('success', 'user.settings.2fa.google.disabled');
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::GOOGLE_DISABLED);
 
             return $this->redirectToRoute('user_settings');
         }
@@ -322,6 +342,7 @@ class UserSettingsController extends AbstractController
             $backupCodeManager->regenerateBackupCodes($user);
             $em->flush();
             $this->addFlash('success', 'user.settings.2fa.backup_codes.regenerated');
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::BACKUP_KEYS_RESET);
         }
 
         /******************************

src/Entity/LogSystem/AbstractLogEntry.php

@@ -83,7 +83,8 @@ use Psr\Log\LogLevel;
  *  8 = "ConfigChangedLogEntry",
  *  9 = "InstockChangedLogEntry",
  *  10 = "DatabaseUpdatedLogEntry",
- *  11 = "CollectionElementDeleted"
+ *  11 = "CollectionElementDeleted",
+ *  12 = "SecurityEventLogEntry",
  * })
  */
 abstract class AbstractLogEntry extends AbstractDBElement

src/Entity/LogSystem/SecurityEventLogEntry.php

@@ -0,0 +1,126 @@
+<?php
+/**
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ * Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\Entity\LogSystem;
+
+
+use App\Entity\Base\AbstractDBElement;
+use App\Entity\UserSystem\User;
+use App\Events\SecurityEvents;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\HttpFoundation\IpUtils;
+
+/**
+ * This log entry is created when something security related to a user happens.
+ *
+ * @ORM\Entity()
+ */
+class SecurityEventLogEntry extends AbstractLogEntry
+{
+    public const SECURITY_TYPE_MAPPING = [
+        0 => SecurityEvents::PASSWORD_CHANGED,
+        1 => SecurityEvents::PASSWORD_RESET,
+        2 => SecurityEvents::BACKUP_KEYS_RESET,
+        3 => SecurityEvents::U2F_ADDED,
+        4 => SecurityEvents::U2F_REMOVED,
+        5 => SecurityEvents::GOOGLE_ENABLED,
+        6 => SecurityEvents::GOOGLE_DISABLED,
+        7 => SecurityEvents::TRUSTED_DEVICE_RESET,
+        8 => SecurityEvents::TFA_ADMIN_RESET,
+    ];
+
+    public function __construct(string $type, string $ip_address, bool $anonymize = true)
+    {
+        parent::__construct();
+        $this->level = self::LEVEL_INFO;
+        $this->setIPAddress($ip_address, $anonymize);
+        $this->setEventType($type);
+        $this->level = self::LEVEL_NOTICE;
+    }
+
+    public function setTargetElement(?AbstractDBElement $element): AbstractLogEntry
+    {
+        if (!$element instanceof User) {
+            throw new \InvalidArgumentException('Target element must be a User object!');
+        }
+        return parent::setTargetElement($element);
+    }
+
+    /**
+     * Sets the type of this log entry.
+     * @param  string  $type
+     * @return $this
+     */
+    public function setEventType(string $type): self
+    {
+        $key = array_search($type, static::SECURITY_TYPE_MAPPING);
+        if ($key === false) {
+            throw new \InvalidArgumentException('Given event type is not existing!');
+        }
+        $this->extra['e'] = $key;
+        return $this;
+    }
+
+    public function getType(): string
+    {
+        return $this->getEventType();
+    }
+
+    /**
+     * Return what event this log entry represents (e.g. password_reset)
+     * @return string
+     */
+    public function getEventType(): string
+    {
+        $key = $this->extra['e'];
+        if (isset(static::SECURITY_TYPE_MAPPING[$key])) {
+            return static::SECURITY_TYPE_MAPPING[$key];
+        }
+
+        return 'unkown';
+    }
+
+    /**
+     * Return the (anonymized) IP address used to login the user.
+     *
+     * @return string
+     */
+    public function getIPAddress(): string
+    {
+        return $this->extra['i'];
+    }
+
+    /**
+     * Sets the IP address used to login the user.
+     *
+     * @param string $ip        The IP address used to login the user.
+     * @param bool   $anonymize Anonymize the IP address (remove last block) to be GPDR compliant
+     *
+     * @return $this
+     */
+    public function setIPAddress(string $ip, bool $anonymize = true): self
+    {
+        if ($anonymize) {
+            $ip = IpUtils::anonymize($ip);
+        }
+        $this->extra['i'] = $ip;
+        return $this;
+    }
+}

src/EventSubscriber/SecurityEventLoggerSubscriber.php

@@ -0,0 +1,126 @@
+<?php
+/**
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ * Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\EventSubscriber;
+
+
+use App\Entity\LogSystem\SecurityEventLogEntry;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
+use App\Services\LogSystem\EventLogger;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+final class SecurityEventLoggerSubscriber implements EventSubscriberInterface
+{
+
+    private $requestStack;
+    private $gpdr_compliant;
+    private $eventLogger;
+
+    public function __construct(RequestStack $requestStack, EventLogger $eventLogger, bool $gpdr_compliance)
+    {
+        $this->requestStack = $requestStack;
+        $this->gpdr_compliant = $gpdr_compliance;
+        $this->eventLogger = $eventLogger;
+    }
+
+    protected function addLog(string $type, SecurityEvent $event): void
+    {
+        $anonymize = $this->gpdr_compliant;
+
+        $request = $this->requestStack->getCurrentRequest();
+        if ($request !== null) {
+            $ip = $request->getClientIp() ?? 'unknown';
+        } else {
+            $ip = "Console";
+            //Dont try to apply IP filter rules to non numeric string
+            $anonymize = false;
+        }
+
+        $log = new SecurityEventLogEntry($type, $ip, $anonymize);
+        $log->setTargetElement($event->getTargetUser());
+        $this->eventLogger->logAndFlush($log);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public static function getSubscribedEvents()
+    {
+        return [
+            SecurityEvents::U2F_ADDED => 'u2f_added',
+            SecurityEvents::PASSWORD_CHANGED => 'password_changed',
+            SecurityEvents::TRUSTED_DEVICE_RESET => 'trusted_device_reset',
+            SecurityEvents::U2F_REMOVED => 'u2f_removed',
+            SecurityEvents::BACKUP_KEYS_RESET => 'backup_keys_reset',
+            SecurityEvents::PASSWORD_RESET => 'password_reset',
+            SecurityEvents::GOOGLE_DISABLED => 'google_disabled',
+            SecurityEvents::GOOGLE_ENABLED => 'google_enabled',
+            SecurityEvents::TFA_ADMIN_RESET => 'tfa_admin_reset',
+        ];
+    }
+
+    public function tfa_admin_reset(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::TFA_ADMIN_RESET, $event);
+    }
+
+    public function google_enabled(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::GOOGLE_ENABLED, $event);
+    }
+
+    public function google_disabled(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::GOOGLE_DISABLED, $event);
+    }
+
+    public function password_reset(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::PASSWORD_RESET, $event);
+    }
+
+    public function backup_keys_reset(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::BACKUP_KEYS_RESET, $event);
+    }
+
+    public function u2f_removed(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::U2F_REMOVED, $event);
+    }
+
+    public function u2f_added(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::U2F_ADDED, $event);
+    }
+
+    public function password_changed(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::PASSWORD_CHANGED, $event);
+    }
+
+    public function trusted_device_reset(SecurityEvent $event): void
+    {
+        $this->addLog(SecurityEvents::TRUSTED_DEVICE_RESET, $event);
+    }
+}

src/EventSubscriber/U2FRegistrationSubscriber.php

@@ -44,12 +44,16 @@ namespace App\EventSubscriber;
 
 use App\Entity\UserSystem\U2FKey;
 use App\Entity\UserSystem\User;
+use App\Events\SecurityEvent;
+use App\Events\SecurityEvents;
 use Doctrine\ORM\EntityManagerInterface;
 use R\U2FTwoFactorBundle\Event\RegisterEvent;
+use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 
 final class U2FRegistrationSubscriber implements EventSubscriberInterface
 {
@@ -62,12 +66,16 @@ final class U2FRegistrationSubscriber implements EventSubscriberInterface
      */
     private $router;
 
-    public function __construct(UrlGeneratorInterface $router, EntityManagerInterface $entityManager, FlashBagInterface $flashBag, bool $demo_mode)
+    /** @var EventDispatcher */
+    private $eventDispatcher;
+
+    public function __construct(UrlGeneratorInterface $router, EntityManagerInterface $entityManager, FlashBagInterface $flashBag, EventDispatcherInterface $eventDispatcher, bool $demo_mode)
     {
         $this->router = $router;
         $this->em = $entityManager;
         $this->demo_mode = $demo_mode;
         $this->flashBag = $flashBag;
+        $this->eventDispatcher = $eventDispatcher;
     }
 
     public static function getSubscribedEvents(): array
@@ -96,6 +104,9 @@ final class U2FRegistrationSubscriber implements EventSubscriberInterface
             $this->em->persist($newKey);
             $this->em->flush();
             $this->flashBag->add('success', 'tfa_u2f.key_added_successful');
+
+            $security_event = new SecurityEvent($user);
+            $this->eventDispatcher->dispatch($security_event, SecurityEvents::U2F_ADDED);
         }
 
         // generate new response, here we redirect the user to the fos user

src/Events/SecurityEvent.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ * Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\Events;
+
+
+use App\Entity\UserSystem\User;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * This event is triggered when something security related to a user happens.
+ * For example when the password is reset or the an two factor authentication method was disabled.
+ * @package App\Events
+ */
+class SecurityEvent extends Event
+{
+    protected $targetUser;
+    protected $from_cli;
+
+    public function __construct(User $targetUser)
+    {
+        $this->targetUser = $targetUser;
+    }
+
+    /**
+     * Returns the affected user.
+     * @return User
+     */
+    public function getTargetUser()
+    {
+        return $this->targetUser;
+    }
+}

src/Events/SecurityEvents.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ * Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\Events;
+
+
+class SecurityEvents
+{
+    public const PASSWORD_CHANGED = 'security.password_changed';
+    public const PASSWORD_RESET = 'security.password_reset';
+    public const BACKUP_KEYS_RESET = 'security.backup_keys_reset';
+    public const U2F_ADDED = 'security.u2f_added';
+    public const U2F_REMOVED = 'security.u2f_removed';
+    public const GOOGLE_ENABLED = 'security.google_enabled';
+    public const GOOGLE_DISABLED = 'security.google_disabled';
+    public const TRUSTED_DEVICE_RESET = 'security.trusted_device_reset';
+    public const TFA_ADMIN_RESET = 'security.2fa_admin_reset';
+}

src/Services/LogSystem/LogEntryExtraFormatter.php

@@ -52,6 +52,7 @@ use App\Entity\LogSystem\ElementDeletedLogEntry;
 use App\Entity\LogSystem\ElementEditedLogEntry;
 use App\Entity\LogSystem\ExceptionLogEntry;
 use App\Entity\LogSystem\InstockChangedLogEntry;
+use App\Entity\LogSystem\SecurityEventLogEntry;
 use App\Entity\LogSystem\UserLoginLogEntry;
 use App\Entity\LogSystem\UserLogoutLogEntry;
 use App\Entity\LogSystem\UserNotAllowedLogEntry;
@@ -127,7 +128,7 @@ class LogEntryExtraFormatter
     protected function getInternalFormat(AbstractLogEntry $context): array
     {
         $array = [];
-        if ($context instanceof UserLoginLogEntry || $context instanceof UserLogoutLogEntry) {
+        if ($context instanceof UserLoginLogEntry || $context instanceof UserLogoutLogEntry || $context instanceof SecurityEventLogEntry) {
             $array['log.user_login.ip'] = htmlspecialchars($context->getIPAddress());
         }
 

translations/messages.en.xlf

@@ -8166,5 +8166,77 @@ Element 3</target>
         <target>Preview picture</target>
       </segment>
     </unit>
+    <unit id="WjnV7iC" name="tfa_u2f.key_added_successful">
+      <segment>
+        <source>tfa_u2f.key_added_successful</source>
+        <target>Security key added successfully.</target>
+      </segment>
+    </unit>
+    <unit id="47ienTP" name="Username">
+      <segment>
+        <source>Username</source>
+        <target>Username</target>
+      </segment>
+    </unit>
+    <unit id="dVu9PKe" name="log.type.security.google_disabled">
+      <segment>
+        <source>log.type.security.google_disabled</source>
+        <target>Authenticator App disabled</target>
+      </segment>
+    </unit>
+    <unit id="HfccXTr" name="log.type.security.u2f_removed">
+      <segment>
+        <source>log.type.security.u2f_removed</source>
+        <target>Security key removed</target>
+      </segment>
+    </unit>
+    <unit id="zl1WXuM" name="log.type.security.u2f_added">
+      <segment>
+        <source>log.type.security.u2f_added</source>
+        <target>Security key added</target>
+      </segment>
+    </unit>
+    <unit id="9_jzHX6" name="log.type.security.backup_keys_reset">
+      <segment>
+        <source>log.type.security.backup_keys_reset</source>
+        <target>Backup keys regenerated</target>
+      </segment>
+    </unit>
+    <unit id="h6zwXNp" name="log.type.security.google_enabled">
+      <segment>
+        <source>log.type.security.google_enabled</source>
+        <target>Authenticator App enabled</target>
+      </segment>
+    </unit>
+    <unit id="XbsoHIr" name="log.type.security.password_changed">
+      <segment>
+        <source>log.type.security.password_changed</source>
+        <target>Password changed</target>
+      </segment>
+    </unit>
+    <unit id="2q0_b3P" name="log.type.security.trusted_device_reset">
+      <segment>
+        <source>log.type.security.trusted_device_reset</source>
+        <target>Trusted devices resetted</target>
+      </segment>
+    </unit>
+    <unit id="n8flY2e" name="log.type.collection_element_deleted">
+      <segment>
+        <source>log.type.collection_element_deleted</source>
+        <target>Element of Collection deleted</target>
+      </segment>
+    </unit>
+    <unit id="yNm8PCN" name="log.type.security.password_reset">
+      <segment>
+        <source>log.type.security.password_reset</source>
+        <target>Password reset</target>
+      </segment>
+    </unit>
+    <unit id="CsjgnTI" name="log.type.security.2fa_admin_reset">
+      <segment>
+        <source>log.type.security.2fa_admin_reset</source>
+        <target>Two Factor Reset by Administrator</target>
+      </segment>
+    </unit>
   </file>
 </xliff>