From f116c2f09e544f210faede7ba9aa6b5ca7ae529c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Fri, 10 Apr 2020 12:28:15 +0200
Subject: [PATCH] Log AccessDeniedExceptions to event log.
---
.../Column/LogEntryTargetColumn.php | 6 ++
.../LogSystem/UserNotAllowedLogEntry.php | 16 ++++-
.../LogSystem/LogAccessDeniedSubscriber.php | 67 +++++++++++++++++++
translations/messages.en.xlf | 12 ++++
4 files changed, 98 insertions(+), 3 deletions(-)
create mode 100644 src/EventSubscriber/LogSystem/LogAccessDeniedSubscriber.php
diff --git a/src/DataTables/Column/LogEntryTargetColumn.php b/src/DataTables/Column/LogEntryTargetColumn.php
index e332edd5..f4e8a62b 100644
--- a/src/DataTables/Column/LogEntryTargetColumn.php
+++ b/src/DataTables/Column/LogEntryTargetColumn.php
@@ -46,6 +46,7 @@ use App\Entity\Attachments\Attachment;
 use App\Entity\Base\AbstractDBElement;
 use App\Entity\Contracts\NamedElementInterface;
 use App\Entity\LogSystem\AbstractLogEntry;
+use App\Entity\LogSystem\UserNotAllowedLogEntry;
 use App\Entity\Parameters\AbstractParameter;
 use App\Entity\Parts\PartLot;
 use App\Entity\PriceInformations\Orderdetail;
@@ -86,12 +87,17 @@ class LogEntryTargetColumn extends AbstractColumn
 {
 parent::configureOptions($resolver);
 $resolver->setDefault('show_associated', true);
+$resolver->setDefault('showAccessDeniedPath', true);
 return $this;
 }
 public function render($value, $context)
 {
+ if ($context instanceof UserNotAllowedLogEntry && $this->options['showAccessDeniedPath']) {
+ return htmlspecialchars($context->getPath());
+ }
+
 /** @var AbstractLogEntry $context */
 $target = $this->entryRepository->getTargetElement($context);
diff --git a/src/Entity/LogSystem/UserNotAllowedLogEntry.php b/src/Entity/LogSystem/UserNotAllowedLogEntry.php
index dff04f75..18100b66 100644
--- a/src/Entity/LogSystem/UserNotAllowedLogEntry.php
+++ b/src/Entity/LogSystem/UserNotAllowedLogEntry.php
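Review bot: `htmlspecialchars($context->getPath())` in render() relies on PHP's default flags, which before PHP 8.1 leave single quotes unescaped, and the path is the URL of a denied request, i.e. client-chosen text that is rendered in the log table. Pass the flags explicitly so the escaping does not depend on the runtime's defaults: `return htmlspecialchars($context->getPath(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The new option is named `showAccessDeniedPath` while the existing option on the line above is `show_associated`; the two naming styles should agree (`show_access_denied_path` would match). render()'s body continues past the end of the hunk.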
@@ -52,11 +52,21 @@ class UserNotAllowedLogEntry extends AbstractLogEntry
 {
 protected $typeString = 'user_not_allowed';
- public function __construct()
+ public function __construct(string $path)
 {
 parent::__construct();
- //Obsolete, use server log now.
- throw new LogEntryObsoleteException();
+ $this->level = static::LEVEL_WARNING;
+
+ $this->extra['a'] = $path;
+ }
+
+ /**
+ * Returns the path the user tried to accessed and what was denied.
+ * @return string
+ */
+ public function getPath(): string
+ {
+ return $this->extra['a'] ?? 'legacy';
 }
 public function getMessage(): string
diff --git a/src/EventSubscriber/LogSystem/LogAccessDeniedSubscriber.php b/src/EventSubscriber/LogSystem/LogAccessDeniedSubscriber.php
new file mode 100644
index 00000000..5e08f178
--- /dev/null
+++ b/src/EventSubscriber/LogSystem/LogAccessDeniedSubscriber.php
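Review bot: The denied path is written under the bare key `'a'` of `$this->extra` in `__construct()` and read back in `getPath()`, with the `'legacy'` fallback covering rows written before this change; a named constant such as `private const EXTRA_PATH = 'a';` would tie the two sites together and give the fallback a visible reason. The value is a request path chosen by the client, so it is worth confirming that the `extra` column can hold a path of the maximum length the web server accepts, or truncating it here — the column definition is not visible in the hunk. The docblock on `getPath()` reads awkwardly; `Returns the request path whose access was denied ('legacy' for entries written before the path was recorded).` states the same contract more clearly. If the removed `throw` was the only use of `LogEntryObsoleteException`, its `use` import above the hunk is now dead; the class continues past the hunk with getMessage().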
@@ -0,0 +1,67 @@
+.
+ */
+
+namespace App\EventSubscriber\LogSystem;
+
+
+use App\Entity\LogSystem\UserNotAllowedLogEntry;
+use App\Services\LogSystem\EventLogger;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\ExceptionEvent;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+/**
+ * Write to event log when a user tries to access an forbidden page and recevies an 403 Access Denied message.
+ * @package App\EventSubscriber\LogSystem
+ */
+class LogAccessDeniedSubscriber implements EventSubscriberInterface
+{
+ private $logger;
+
+ public function __construct(EventLogger $logger)
+ {
+ $this->logger = $logger;
+ }
+
+ public function onKernelException(ExceptionEvent $event)
+ {
+ $throwable = $event->getThrowable();
+ if ($throwable instanceof AccessDeniedHttpException) {
+ $throwable = $throwable->getPrevious();
+ }
+ //Ignore everything except AccessDeniedExceptions
+ if (!$throwable instanceof AccessDeniedException) {
+ return;
+ }
+
+ $path = $event->getRequest()->getPathInfo();
+ $log_entry = new UserNotAllowedLogEntry($path);
+ $this->logger->logAndFlush($log_entry);
+ }
+
+ /**
+ * @inheritDoc
+ */
+ public static function getSubscribedEvents()
+ {
+ return ['kernel.exception' => 'onKernelException'];
+ }
+}
\ No newline at end of file
diff --git a/translations/messages.en.xlf b/translations/messages.en.xlf
index 9ba59655..7eb12a7c 100644
--- a/translations/messages.en.xlf
+++ b/translations/messages.en.xlf
@@ -8244,5 +8244,17 @@ Element 3 Duplicate element + + + log.type.user_not_allowed + Unauthorised access attempt + + + + + log.database_updated.success + Sucess + +
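Review bot: `onKernelException()` calls `$this->logger->logAndFlush()` with no guard, and as far as I know an exception thrown from a `kernel.exception` listener replaces the exception being handled, so a failed audit write (database unavailable, constraint violation) would turn the client's 403 into a 500; the flush should be wrapped so a logging failure is reported rather than propagated, as below. The listener also fires for anonymous users, for whom Symfony's security layer normally converts `AccessDeniedException` into a login redirect, so unless EventLogger filters those, every unauthenticated hit on a protected URL is recorded as an unauthorised access attempt and any client can grow the table at will — consider checking for an authenticated user before logging. Recording only `getPathInfo()` and not the query string is the right choice, since query strings can carry tokens. For style, `onKernelException` and `getSubscribedEvents` lack return types (`: void`, `: array`), the event name could come from the `KernelEvents::EXCEPTION` constant, the class docblock has typos ("an forbidden", "recevies an 403"), and no `declare(strict_types=1)` is visible before the `namespace` line.
```php
        $path = $event->getRequest()->getPathInfo();
        $log_entry = new UserNotAllowedLogEntry($path);
        try {
            $this->logger->logAndFlush($log_entry);
        } catch (\Throwable $e) {
            // A failed audit write must not replace the 403 with a 500;
            // report it to the server log instead (a PSR logger would be preferable here).
            error_log('Could not record access-denied event: ' . $e->getMessage());
        }
```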