Logging des authentifications #50

wpetit · 2025-03-06T16:02:45+01:00

wpetit commented

2025-03-06 16:02:45 +01:00

Description

Cette pull request vise à ajouter la fonctionnalité de logging des authentifications réussies et échouées pour le projet Cadoles/hydra-sql. Le but est d'améliorer la traçabilité et la sécurité en enregistrant les tentatives d'authentification, que ce soit avec succès ou en cas d'échec. Cela permettra de suivre les accès au système et d'identifier les éventuelles tentatives d'intrusion.

Lié à CNOUS/mse#4707

Changements

Les changements apportés dans cette pull request incluent :

L'ajout de la dépendance symfony/monolog-bundle dans le fichier composer.json pour intégrer les fonctionnalités de logging de Monolog.
La mise à jour du fichier composer.lock pour refléter les nouvelles dépendances.
L'ajout de la configuration pour Monolog dans le fichier config/packages/monolog.yaml.
L'activation du bundle Monolog dans config/bundles.php.
La modification de SQLLoginUserAuthenticator pour logger les tentatives d'authentification réussies et échouées en utilisant l'interface LoggerInterface.
L'ajout de variables d'environnement pour configurer le niveau de log dans config/services.yaml et docker-compose.yml.
Des ajustements mineurs dans les fichiers de configuration et de code pour assurer la compatibilité et la cohérence avec les nouvelles fonctionnalités de logging.

Tester

Démarrer l'environnement de développement
S'identifier sur la mire d'hydra-sql avec une des paires d'identifiants de test. Dans la sortie des logs, vous devriez voir ce type d'entrée s'afficher:

hydra-sql  | [06-Mar-2025 14:59:10] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:10.445270+00:00] app.WARNING: authentication succeeded {"username":"test1@test.com","remote_address":"172.18.0.1"} []"

Se déconnecter puis retenter une authentification cette fois en utilisant un identifiant/mot de passe erroné. Vous devriez voir ce type d'entrée dans les logs:

hydra-sql  | [06-Mar-2025 14:59:27] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:27.753563+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []"

## Description Cette pull request vise à ajouter la fonctionnalité de logging des authentifications réussies et échouées pour le projet Cadoles/hydra-sql. Le but est d'améliorer la traçabilité et la sécurité en enregistrant les tentatives d'authentification, que ce soit avec succès ou en cas d'échec. Cela permettra de suivre les accès au système et d'identifier les éventuelles tentatives d'intrusion. Lié à https://forge.cadoles.com/CNOUS/mse/issues/4707 ## Changements Les changements apportés dans cette pull request incluent : - L'ajout de la dépendance `symfony/monolog-bundle` dans le fichier `composer.json` pour intégrer les fonctionnalités de logging de Monolog. - La mise à jour du fichier `composer.lock` pour refléter les nouvelles dépendances. - L'ajout de la configuration pour Monolog dans le fichier `config/packages/monolog.yaml`. - L'activation du bundle Monolog dans `config/bundles.php`. - La modification de `SQLLoginUserAuthenticator` pour logger les tentatives d'authentification réussies et échouées en utilisant l'interface `LoggerInterface`. - L'ajout de variables d'environnement pour configurer le niveau de log dans `config/services.yaml` et `docker-compose.yml`. - Des ajustements mineurs dans les fichiers de configuration et de code pour assurer la compatibilité et la cohérence avec les nouvelles fonctionnalités de logging. ## Tester 1. Démarrer l'environnement de développement 2. S'identifier sur la mire d'hydra-sql avec une des paires d'identifiants de test. Dans la sortie des logs, vous devriez voir ce type d'entrée s'afficher: ``` hydra-sql | [06-Mar-2025 14:59:10] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:10.445270+00:00] app.WARNING: authentication succeeded {"username":"test1@test.com","remote_address":"172.18.0.1"} []" ``` 3. Se déconnecter puis retenter une authentification cette fois en utilisant un identifiant/mot de passe erroné. Vous devriez voir ce type d'entrée dans les logs: ``` hydra-sql | [06-Mar-2025 14:59:27] WARNING: [pool www] child 21 said into stdout: "[2025-03-06T14:59:27.753563+00:00] app.WARNING: authentication failed {"username":"test1@test.com","remote_address":"172.18.0.1"} []" ```

wpetit added 1 commit 2025-03-06 16:02:46 +01:00

feat: add authentication success/failure log outputs

Cadoles/hydra-sql/pipeline/pr-develop There was a failure building this commit

Details

Cadoles/hydra-sql/pipeline/head This commit is unstable

Details

50132d83dc

see CNOUS/mse#4707

jenkins commented

2025-03-06 16:04:53 +01:00

Symfony Security Check Report

5 packages have known vulnerabilities.

symfony/http-client (v5.4.44)

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

symfony/http-foundation (v5.4.44)

CVE-2024-50345: Open redirect via browser-sanitized URLs

symfony/runtime (v5.4.40)

CVE-2024-50340: Ability to change environment from query

symfony/security-http (v5.4.44)

CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

twig/twig (v3.14.0)

CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array
CVE-2024-51755: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

Symfony Security Check Report ============================= 5 packages have known vulnerabilities. symfony/http-client (v5.4.44) ----------------------------- * [CVE-2024-50342][]: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient symfony/http-foundation (v5.4.44) --------------------------------- * [CVE-2024-50345][]: Open redirect via browser-sanitized URLs symfony/runtime (v5.4.40) ------------------------- * [CVE-2024-50340][]: Ability to change environment from query symfony/security-http (v5.4.44) ------------------------------- * [CVE-2024-51996][]: Authentication Bypass via persisted RememberMe cookie twig/twig (v3.14.0) ------------------- * [CVE-2024-51754][]: Unguarded calls to __toString() when nesting an object into an array * [CVE-2024-51755][]: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled [CVE-2024-50342]: https://symfony.com/cve-2024-50342 [CVE-2024-50345]: https://symfony.com/cve-2024-50345 [CVE-2024-50340]: https://symfony.com/cve-2024-50340 [CVE-2024-51996]: https://symfony.com/cve-2024-51996 [CVE-2024-51754]: https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array [CVE-2024-51755]: https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled Note that this checker can only detect vulnerabilities that are referenced in the security advisories database. Execute this command regularly to check the newly discovered vulnerabilities.

jenkins commented

2025-03-06 16:05:05 +01:00

Test report

PHP CS Fixer

Overview

State	Total
Passed	0
Skipped	0
Failed	1
Error	0

Total duration: 0s

See details

Status	Name	Class
⨯	`src/Security/SQLLoginUserAuthenticator`

Errors

`src/Security/SQLLoginUserAuthenticator`

Output

applied fixers:
---------------
* single_quote
* concat_space
* global_namespace_import
* trailing_comma_in_multiline
* types_spaces
* no_unused_imports```

</details>

# Test report ## PHP CS Fixer ### Overview | State | Total | |-------|-------| | Passed | 0 | | Skipped | 0 | | Failed | 1 | | Error | 0 | **Total duration**: 0s <details> <summary>See details</summary> | Status | Name | Class | |--------|------|-------| | ⨯ | `src/Security/SQLLoginUserAuthenticator` || </details> <br /> #### Errors <details> <summary>`src/Security/SQLLoginUserAuthenticator`</summary> **Output** ``` applied fixers: --------------- * single_quote * concat_space * global_namespace_import * trailing_comma_in_multiline * types_spaces * no_unused_imports``` </details>

jenkins commented

2025-03-06 16:05:11 +01:00

Rapport PHPStan


 [OK] No errors

## Rapport PHPStan ``` [OK] No errors ```

wpetit changed title from ~~feat: add authentication success/failure log outputs~~ to Ajout de la fonctionnalité de logging des authentifications

2025-03-06 16:39:59 +01:00

wpetit changed title from ~~Ajout de la fonctionnalité de logging des authentifications~~ to Logging des authentifications

2025-03-06 16:40:19 +01:00

mlamalle requested changes 2025-03-06 16:42:26 +01:00

src/Security/SQLLoginUserAuthenticator.php Outdated

						
				@ -111,11 +116,13 @@ class SQLLoginUserAuthenticator extends AbstractLoginFormAuthenticator

				        }

				        $passport->setAttribute('attributes', $user->getAttributes());

				        $this->logger->warning("authentication scceeded", ['username' => $login, "remote_address" => $request->getClientIp()]);

mlamalle commented

2025-03-06 16:42:07 +01:00

typo :/

wpetit commented

2025-03-07 09:11:38 +01:00

Corrigé :)

wpetit marked this conversation as resolved

wpetit force-pushed issue-4707 from 50132d83dc to f007dcf6d8

2025-03-07 09:11:32 +01:00

Compare

jenkins commented

2025-03-07 09:15:49 +01:00

Symfony Security Check Report

5 packages have known vulnerabilities.

symfony/http-client (v5.4.44)

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

symfony/http-foundation (v5.4.44)

CVE-2024-50345: Open redirect via browser-sanitized URLs

symfony/runtime (v5.4.40)

CVE-2024-50340: Ability to change environment from query

symfony/security-http (v5.4.44)

CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

twig/twig (v3.14.0)

CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array
CVE-2024-51755: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

Symfony Security Check Report ============================= 5 packages have known vulnerabilities. symfony/http-client (v5.4.44) ----------------------------- * [CVE-2024-50342][]: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient symfony/http-foundation (v5.4.44) --------------------------------- * [CVE-2024-50345][]: Open redirect via browser-sanitized URLs symfony/runtime (v5.4.40) ------------------------- * [CVE-2024-50340][]: Ability to change environment from query symfony/security-http (v5.4.44) ------------------------------- * [CVE-2024-51996][]: Authentication Bypass via persisted RememberMe cookie twig/twig (v3.14.0) ------------------- * [CVE-2024-51754][]: Unguarded calls to __toString() when nesting an object into an array * [CVE-2024-51755][]: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled [CVE-2024-50342]: https://symfony.com/cve-2024-50342 [CVE-2024-50345]: https://symfony.com/cve-2024-50345 [CVE-2024-50340]: https://symfony.com/cve-2024-50340 [CVE-2024-51996]: https://symfony.com/cve-2024-51996 [CVE-2024-51754]: https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array [CVE-2024-51755]: https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled Note that this checker can only detect vulnerabilities that are referenced in the security advisories database. Execute this command regularly to check the newly discovered vulnerabilities.

jenkins commented

2025-03-07 09:15:52 +01:00

Test report

PHP CS Fixer

Overview

State	Total
Passed	0
Skipped	0
Failed	1
Error	0

Total duration: 0s

See details

Status	Name	Class
⨯	`src/Security/SQLLoginUserAuthenticator`

Errors

`src/Security/SQLLoginUserAuthenticator`

Output

applied fixers:
---------------
* single_quote
* concat_space
* global_namespace_import
* trailing_comma_in_multiline
* types_spaces
* no_unused_imports```

</details>

# Test report ## PHP CS Fixer ### Overview | State | Total | |-------|-------| | Passed | 0 | | Skipped | 0 | | Failed | 1 | | Error | 0 | **Total duration**: 0s <details> <summary>See details</summary> | Status | Name | Class | |--------|------|-------| | ⨯ | `src/Security/SQLLoginUserAuthenticator` || </details> <br /> #### Errors <details> <summary>`src/Security/SQLLoginUserAuthenticator`</summary> **Output** ``` applied fixers: --------------- * single_quote * concat_space * global_namespace_import * trailing_comma_in_multiline * types_spaces * no_unused_imports``` </details>

jenkins commented

2025-03-07 09:15:59 +01:00

Rapport PHPStan


 [OK] No errors

## Rapport PHPStan ``` [OK] No errors ```

jenkins commented

2025-03-08 12:17:14 +01:00

Symfony Security Check Report

5 packages have known vulnerabilities.

symfony/http-client (v5.4.44)

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

symfony/http-foundation (v5.4.44)

CVE-2024-50345: Open redirect via browser-sanitized URLs

symfony/runtime (v5.4.40)

CVE-2024-50340: Ability to change environment from query

symfony/security-http (v5.4.44)

CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

twig/twig (v3.14.0)

CVE-2024-51754: Unguarded calls to __toString() when nesting an object into an array
CVE-2024-51755: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

Symfony Security Check Report ============================= 5 packages have known vulnerabilities. symfony/http-client (v5.4.44) ----------------------------- * [CVE-2024-50342][]: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient symfony/http-foundation (v5.4.44) --------------------------------- * [CVE-2024-50345][]: Open redirect via browser-sanitized URLs symfony/runtime (v5.4.40) ------------------------- * [CVE-2024-50340][]: Ability to change environment from query symfony/security-http (v5.4.44) ------------------------------- * [CVE-2024-51996][]: Authentication Bypass via persisted RememberMe cookie twig/twig (v3.14.0) ------------------- * [CVE-2024-51754][]: Unguarded calls to __toString() when nesting an object into an array * [CVE-2024-51755][]: Unguarded calls to __isset() and to array-accesses when the sandbox is enabled [CVE-2024-50342]: https://symfony.com/cve-2024-50342 [CVE-2024-50345]: https://symfony.com/cve-2024-50345 [CVE-2024-50340]: https://symfony.com/cve-2024-50340 [CVE-2024-51996]: https://symfony.com/cve-2024-51996 [CVE-2024-51754]: https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array [CVE-2024-51755]: https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled Note that this checker can only detect vulnerabilities that are referenced in the security advisories database. Execute this command regularly to check the newly discovered vulnerabilities.

jenkins commented

2025-03-08 12:17:25 +01:00

Test report

PHP CS Fixer

Overview

State	Total
Passed	0
Skipped	0
Failed	1
Error	0

Total duration: 0s

See details

Status	Name	Class
⨯	`src/Service/SQLLoginService`

Errors

`src/Service/SQLLoginService`

Output

applied fixers:
---------------
* global_namespace_import
* trailing_comma_in_multiline
* no_unused_imports```

</details>

# Test report ## PHP CS Fixer ### Overview | State | Total | |-------|-------| | Passed | 0 | | Skipped | 0 | | Failed | 1 | | Error | 0 | **Total duration**: 0s <details> <summary>See details</summary> | Status | Name | Class | |--------|------|-------| | ⨯ | `src/Service/SQLLoginService` || </details> <br /> #### Errors <details> <summary>`src/Service/SQLLoginService`</summary> **Output** ``` applied fixers: --------------- * global_namespace_import * trailing_comma_in_multiline * no_unused_imports``` </details>

jenkins commented

2025-03-08 12:17:35 +01:00

Rapport PHPStan


 [OK] No errors

## Rapport PHPStan ``` [OK] No errors ```

Cadoles/hydra-sql/pipeline/pr-develop There was a failure building this commit

Details

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions.

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin issue-4707:issue-4707

git checkout issue-4707

Sign in to join this conversation.

3 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Cadoles/hydra-sql#50