Authentication logging #50

Open
wpetit wants to merge 1 commit from issue-4707 into develop
Owner

Description

This pull request adds logging of successful and failed authentications to the Cadoles/hydra-sql project. The goal is to improve traceability and security by recording authentication attempts, whether they succeed or fail. This will make it possible to track access to the system and to identify possible intrusion attempts.

Related to CNOUS/mse#4707 (https://forge.cadoles.com/CNOUS/mse/issues/4707)

Changes

The changes in this pull request include:

  • Adding the `symfony/monolog-bundle` dependency to `composer.json` to integrate Monolog's logging features.
  • Updating `composer.lock` to reflect the new dependencies.
  • Adding the Monolog configuration in `config/packages/monolog.yaml`.
  • Enabling the Monolog bundle in `config/bundles.php`.
  • Modifying `SQLLoginUserAuthenticator` to log successful and failed authentication attempts through the `LoggerInterface` interface.
  • Adding environment variables to configure the log level in `config/services.yaml` and `docker-compose.yml`.
  • Minor adjustments to configuration and code files to keep them compatible and consistent with the new logging features.

Testing

  1. Start the development environment.
  2. Log in on the hydra-sql login page with one of the test credential pairs. In the log output you should see an entry of this kind:

```
hydra-sql  | [06-Mar-2025 14:59:10] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:10.445270+00:00] app.WARNING: authentication succeeded {"username":"test1@test.com","remote_address":"172.18.0.1"} []"
```

  3. Log out, then try to authenticate again, this time with a wrong login/password. You should see an entry of this kind in the logs:

```
hydra-sql  | [06-Mar-2025 14:59:27] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:27.753563+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []"
```
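The two sample entries in the test steps are the raw material for the traceability the description promises. The script below is an added example, not code from the Cadoles/hydra-sql project: it parses that line shape (the PHP-FPM `child N said into stdout: "..."` wrapper around Monolog's default `[ts] channel.LEVEL: message {context} [extra]` layout, with `username` and `remote_address` in the context, as shown above) and runs a sliding-window check over constructed sample lines, raising an alert when a username or remote address accumulates several failures in a short window and when a success follows such a burst. The regexes, the threshold, the window, and every sample line beyond the two taken from the description are assumptions of this example.

```python
"""Parse hydra-sql authentication log lines and flag brute-force patterns.

Added example, not part of the Cadoles/hydra-sql project. Assumes the line shape shown in
the PR description: PHP-FPM wraps each Monolog entry as `child N said into stdout: "..."`,
and the entry itself is `[ISO-8601 ts] channel.LEVEL: message {context-json} [extra]`
with a context carrying `username` and `remote_address`.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PHP-FPM wrapper around the application's stdout line (format assumed from the PR example).
FPM_WRAPPER = re.compile(r'said into stdout: "(?P<inner>.*)"$')
# Monolog's default LineFormatter layout: "[ts] channel.LEVEL: message {context} [extra]".
MONOLOG_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<channel>\w+)\.(?P<level>[A-Z]+): '
    r'(?P<message>.*?) (?P<context>\{.*\}) (?P<extra>\[.*\]|\{.*\})$'
)
# The two message strings the authenticator emits, mapped to an outcome label.
AUTH_MESSAGES = {'authentication succeeded': 'success', 'authentication failed': 'failure'}


def parse_auth_line(line):
    """Return a dict describing an authentication event, or None for any other line."""
    wrapped = FPM_WRAPPER.search(line)
    inner = wrapped.group('inner') if wrapped else line.strip()
    m = MONOLOG_LINE.match(inner)
    if not m or m.group('message') not in AUTH_MESSAGES:
        return None
    try:
        context = json.loads(m.group('context'))
    except json.JSONDecodeError:
        return None  # malformed context: do not guess, skip the line
    return {
        'ts': datetime.fromisoformat(m.group('ts')),
        'level': m.group('level'),
        'outcome': AUTH_MESSAGES[m.group('message')],
        'username': context.get('username'),
        'remote_address': context.get('remote_address'),
    }


def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window detection over parsed events, processed in timestamp order.

    Emits ('repeated_failures', kind, key, ts) the moment a username or a remote address
    reaches `threshold` failures inside `window`, and ('success_after_failures',
    'username', key, ts) when a username logs in successfully while still inside such a burst.
    Threshold and window values are assumptions; tune them to the deployment.
    """
    alerts = []
    failures = defaultdict(list)  # (kind, key) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e['ts']):
        for kind in ('username', 'remote_address'):
            key = ev[kind]
            if key is None:
                continue
            recent = [t for t in failures[kind, key] if ev['ts'] - t <= window]
            failures[kind, key] = recent
            if ev['outcome'] == 'failure':
                recent.append(ev['ts'])
                if len(recent) == threshold:
                    alerts.append(('repeated_failures', kind, key, ev['ts']))
            elif kind == 'username' and len(recent) >= threshold:
                alerts.append(('success_after_failures', kind, key, ev['ts']))
    return alerts


def analyze(lines, threshold=3, window=timedelta(minutes=5)):
    """Parse raw log lines and return the alerts found."""
    events = [ev for ev in map(parse_auth_line, lines) if ev is not None]
    return find_bruteforce(events, threshold, window)


# Constructed sample: the two lines from the PR description plus invented follow-up lines.
SAMPLE_LOG = [
    'hydra-sql  | [06-Mar-2025 14:59:10] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:10.445270+00:00] app.WARNING: authentication succeeded {"username":"test1@test.com","remote_address":"172.18.0.1"} []"',
    'hydra-sql  | [06-Mar-2025 14:59:27] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:27.753563+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []"',
    'hydra-sql  | [06-Mar-2025 15:00:01] WARNING: [pool www] child 22 said into stdout: "[2025-03-06T15:00:01.000000+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []"',
    # Same entry shape without the PHP-FPM wrapper (e.g. Monolog writing straight to a file).
    '[2025-03-06T15:00:05+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []',
    '[2025-03-06T15:00:09+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []',
    '[2025-03-06T15:00:30+00:00] app.WARNING: authentication succeeded {"username":"test1@test.com","remote_address":"172.18.0.1"} []',
    # Unrelated FPM noise that the parser must ignore.
    'hydra-sql  | [06-Mar-2025 15:00:31] NOTICE: fpm is running, pid 1',
]

if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Keying the failure counter on both the username and the remote address is deliberate: a password-spraying run shows up per address with few failures per account, while a targeted guess shows up per account from changing addresses. Note that the `remote_address` value is only as good as what `getClientIp()` returns, which behind a reverse proxy depends on the trusted-proxies configuration.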
wpetit added 1 commit 2025-03-06 16:02:46 +01:00
feat: add authentication success/failure log outputs
Some checks failed
Cadoles/hydra-sql/pipeline/pr-develop There was a failure building this commit
Cadoles/hydra-sql/pipeline/head This commit is unstable
50132d83dc
see CNOUS/mse#4707
Owner

Symfony Security Check Report

5 packages have known vulnerabilities.

symfony/http-client (v5.4.44)

  • CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient (https://symfony.com/cve-2024-50342)

symfony/http-foundation (v5.4.44)

  • CVE-2024-50345: Open redirect via browser-sanitized URLs (https://symfony.com/cve-2024-50345)

symfony/runtime (v5.4.40)

  • CVE-2024-50340: Ability to change environment from query (https://symfony.com/cve-2024-50340)

symfony/security-http (v5.4.44)

  • CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie (https://symfony.com/cve-2024-51996)

twig/twig (v3.14.0)

  • CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array (https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array)
  • CVE-2024-51755: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled (https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled)

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
Owner

Test report

PHP CS Fixer

Overview

State    Total
Passed   0
Skipped  0
Failed   1
Error    0

Total duration: 0s

Details

Status   Name                                     Class
Failed   src/Security/SQLLoginUserAuthenticator

Errors

src/Security/SQLLoginUserAuthenticator

Output

```
applied fixers:
---------------
* single_quote
* concat_space
* global_namespace_import
* trailing_comma_in_multiline
* types_spaces
* no_unused_imports
```
Owner

PHPStan report

```
 [OK] No errors
```
wpetit changed title from feat: add authentication success/failure log outputs to Added authentication logging feature 2025-03-06 16:39:59 +01:00
wpetit changed title from Added authentication logging feature to Authentication logging 2025-03-06 16:40:19 +01:00
mlamalle requested changes 2025-03-06 16:42:26 +01:00
@ -111,11 +116,13 @@ class SQLLoginUserAuthenticator extends AbstractLoginFormAuthenticator
}
$passport->setAttribute('attributes', $user->getAttributes());
$this->logger->warning("authentication scceeded", ['username' => $login, "remote_address" => $request->getClientIp()]);
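Review bot: the message string on the added `$this->logger->warning(...)` line is misspelled ("authentication scceeded"); these entries exist to be grepped and alerted on, so fix it to "authentication succeeded", the text the sample entry in the PR description already shows. On the same line, a successful login is logged with `warning()`, the same level as a failure, so operators cannot separate the two by level; `info()` for success and `warning()` for failure (or a dedicated channel) would keep the failure signal distinct. The mixed `"..."`/`'...'` quoting on that line is also what the `single_quote` fixer in the PHP CS Fixer report flags. Finally, `$request->getClientIp()` returns the address of the last hop unless Symfony's trusted proxies are configured, so behind the reverse proxy `remote_address` may record the proxy rather than the client.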
Owner

typo :/
Author
Owner

Fixed :)
wpetit marked this conversation as resolved
wpetit force-pushed issue-4707 from 50132d83dc to f007dcf6d8 2025-03-07 09:11:32 +01:00
Owner

Symfony Security Check Report

5 packages have known vulnerabilities.

symfony/http-client (v5.4.44)

  • CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient (https://symfony.com/cve-2024-50342)

symfony/http-foundation (v5.4.44)

  • CVE-2024-50345: Open redirect via browser-sanitized URLs (https://symfony.com/cve-2024-50345)

symfony/runtime (v5.4.40)

  • CVE-2024-50340: Ability to change environment from query (https://symfony.com/cve-2024-50340)

symfony/security-http (v5.4.44)

  • CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie (https://symfony.com/cve-2024-51996)

twig/twig (v3.14.0)

  • CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array (https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array)
  • CVE-2024-51755: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled (https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled)

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
Owner

Test report

PHP CS Fixer

Overview

State    Total
Passed   0
Skipped  0
Failed   1
Error    0

Total duration: 0s

Details

Status   Name                                     Class
Failed   src/Security/SQLLoginUserAuthenticator

Errors

src/Security/SQLLoginUserAuthenticator

Output

```
applied fixers:
---------------
* single_quote
* concat_space
* global_namespace_import
* trailing_comma_in_multiline
* types_spaces
* no_unused_imports
```
Owner

PHPStan report

```
 [OK] No errors
```
Owner

Symfony Security Check Report

5 packages have known vulnerabilities.

symfony/http-client (v5.4.44)

  • CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient (https://symfony.com/cve-2024-50342)

symfony/http-foundation (v5.4.44)

  • CVE-2024-50345: Open redirect via browser-sanitized URLs (https://symfony.com/cve-2024-50345)

symfony/runtime (v5.4.40)

  • CVE-2024-50340: Ability to change environment from query (https://symfony.com/cve-2024-50340)

symfony/security-http (v5.4.44)

  • CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie (https://symfony.com/cve-2024-51996)

twig/twig (v3.14.0)

  • CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array (https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array)
  • CVE-2024-51755: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled (https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled)

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
Owner

Test report

PHP CS Fixer

Overview

State    Total
Passed   0
Skipped  0
Failed   1
Error    0

Total duration: 0s

Details

Status   Name                           Class
Failed   src/Service/SQLLoginService

Errors

src/Service/SQLLoginService

Output

```
applied fixers:
---------------
* global_namespace_import
* trailing_comma_in_multiline
* no_unused_imports
```
Owner

PHPStan report

```
 [OK] No errors
```
Some checks failed
Cadoles/hydra-sql/pipeline/pr-develop There was a failure building this commit
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.

Checkout

From your project repository, check out a new branch and test the changes.
```
git fetch -u origin issue-4707:issue-4707
git checkout issue-4707
```
Reference: Cadoles/hydra-sql#50