mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-21 09:35:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Write to event log, when a user gets impersonated

Browse source
This commit is contained in:
Jan Böhmer 2023-07-08 23:07:06 +02:00
parent cc1595e048
commit 8a4ede9d43
5 changed files with 80 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/Entity/LogSystem/SecurityEventLogEntry.php
View file

@ -64,6 +64,7 @@ class SecurityEventLogEntry extends AbstractLogEntry
6 => SecurityEvents::GOOGLE_DISABLED, 6 => SecurityEvents::GOOGLE_DISABLED,
7 => SecurityEvents::TRUSTED_DEVICE_RESET, 7 => SecurityEvents::TRUSTED_DEVICE_RESET,
8 => SecurityEvents::TFA_ADMIN_RESET, 8 => SecurityEvents::TFA_ADMIN_RESET,
9 => SecurityEvents::USER_IMPERSONATED,
]; ];
public function __construct(string $type, string $ip_address, bool $anonymize = true) public function __construct(string $type, string $ip_address, bool $anonymize = true)

7
src/EventSubscriber/LogSystem/SecurityEventLoggerSubscriber.php
View file

@ -48,6 +48,7 @@ use App\Events\SecurityEvents;
use App\Services\LogSystem\EventLogger; use App\Services\LogSystem\EventLogger;
use Symfony\Component\EventDispatcher\EventSubscriberInterface; use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestStack; use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;
/** /**
* This subscriber writes entries to log if a security related event happens (e.g. the user changes its password). * This subscriber writes entries to log if a security related event happens (e.g. the user changes its password).
@ -70,6 +71,7 @@ final class SecurityEventLoggerSubscriber implements EventSubscriberInterface
SecurityEvents::GOOGLE_DISABLED => 'google_disabled', SecurityEvents::GOOGLE_DISABLED => 'google_disabled',
SecurityEvents::GOOGLE_ENABLED => 'google_enabled', SecurityEvents::GOOGLE_ENABLED => 'google_enabled',
SecurityEvents::TFA_ADMIN_RESET => 'tfa_admin_reset', SecurityEvents::TFA_ADMIN_RESET => 'tfa_admin_reset',
SecurityEvents::USER_IMPERSONATED => 'user_impersonated',
]; ];
} }
@ -103,6 +105,11 @@ final class SecurityEventLoggerSubscriber implements EventSubscriberInterface
$this->addLog(SecurityEvents::U2F_REMOVED, $event); $this->addLog(SecurityEvents::U2F_REMOVED, $event);
} }
public function user_impersonated(SecurityEvent $event): void
{
$this->addLog(SecurityEvents::USER_IMPERSONATED, $event);
}
public function u2f_added(SecurityEvent $event): void public function u2f_added(SecurityEvent $event): void
{ {
$this->addLog(SecurityEvents::U2F_ADDED, $event); $this->addLog(SecurityEvents::U2F_ADDED, $event);

64
src/EventSubscriber/SwitchUserEventSubscriber.php Normal file
View file

@ -0,0 +1,64 @@
<?php
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
namespace App\EventSubscriber;
use App\Entity\UserSystem\User;
use App\Events\SecurityEvent;
use App\Events\SecurityEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;
use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
class SwitchUserEventSubscriber implements EventSubscriberInterface
{
public function __construct(private readonly EventDispatcherInterface $eventDispatcher)
{
}
public static function getSubscribedEvents()
{
return [
'security.switch_user' => 'onSwitchUser',
];
}
public function onSwitchUser(SwitchUserEvent $event): void
{
$target_user = $event->getTargetUser();
// We can only handle User objects
if (!$target_user instanceof User) {
return;
}
//We are only interested in impersonation (not unimpersonation)
if (!$event->getToken() instanceof SwitchUserToken) {
return;
}
$security_event = new SecurityEvent($target_user);
$this->eventDispatcher->dispatch($security_event, SecurityEvents::USER_IMPERSONATED);
}
}

2
src/Events/SecurityEvents.php
View file

@ -52,4 +52,6 @@ class SecurityEvents
final public const GOOGLE_DISABLED = 'security.google_disabled'; final public const GOOGLE_DISABLED = 'security.google_disabled';
final public const TRUSTED_DEVICE_RESET = 'security.trusted_device_reset'; final public const TRUSTED_DEVICE_RESET = 'security.trusted_device_reset';
final public const TFA_ADMIN_RESET = 'security.2fa_admin_reset'; final public const TFA_ADMIN_RESET = 'security.2fa_admin_reset';
final public const USER_IMPERSONATED = 'security.user_impersonated';
} }

6
translations/messages.en.xlf
View file

@ -11429,5 +11429,11 @@ Element 3</target>
Please note, that you can not impersonate a disabled user. If you try you will get an "Access Denied" message.</target> Please note, that you can not impersonate a disabled user. If you try you will get an "Access Denied" message.</target>
</segment> </segment>
</unit> </unit>
<unit id="df2ac87" name="log.type.security.user_impersonated">
<segment>
<source>log.type.security.user_impersonated</source>
<target>User impersonated</target>
</segment>
</unit>
</file> </file>
</xliff> </xliff>