Add Organizational event logging feature

This PR adds event/audit logging support for organizations. By default this feature is disabled, since it does log a lot and adds extra database transactions. All events are touched except a few, since we do not support those features (yet), like SSO for example. This feature is tested with multiple clients and all database types. Fixes #229
2025-09-10 18:55:57 +03:00 · 2022-11-20 19:15:45 +01:00
parent f3beaea9e9
commit 2ea9b66943
31 changed files with 1887 additions and 240 deletions
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -10,6 +10,7 @@ use serde_json::Value;
 use crate::{
    api::{
        core::accounts::{PreloginData, RegisterData, _prelogin, _register},
+        core::log_user_event,
        core::two_factor::{duo, email, email::EmailTokenData, yubikey},
        ApiResult, EmptyResult, JsonResult, JsonUpcase,
    },
@@ -24,13 +25,16 @@ pub fn routes() -> Vec<Route> {
 }

 #[post("/connect/token", data = "<data>")]
-async fn login(data: Form<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResult {
+async fn login(data: Form<ConnectData>, mut conn: DbConn, ip: ClientIp) -> JsonResult {
    let data: ConnectData = data.into_inner();

-    match data.grant_type.as_ref() {
+    let mut user_uuid: Option<String> = None;
+    let device_type = data.device_type.clone();
+
+    let login_result = match data.grant_type.as_ref() {
        "refresh_token" => {
            _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?;
-            _refresh_login(data, conn).await
+            _refresh_login(data, &mut conn).await
        }
        "password" => {
            _check_is_some(&data.client_id, "client_id cannot be blank")?;
@@ -42,34 +46,51 @@ async fn login(data: Form<ConnectData>, conn: DbConn, ip: ClientIp) -> JsonResul
            _check_is_some(&data.device_name, "device_name cannot be blank")?;
            _check_is_some(&data.device_type, "device_type cannot be blank")?;

-            _password_login(data, conn, &ip).await
+            _password_login(data, &mut user_uuid, &mut conn, &ip).await
        }
        "client_credentials" => {
            _check_is_some(&data.client_id, "client_id cannot be blank")?;
            _check_is_some(&data.client_secret, "client_secret cannot be blank")?;
            _check_is_some(&data.scope, "scope cannot be blank")?;

-            _api_key_login(data, conn, &ip).await
+            _api_key_login(data, &mut user_uuid, &mut conn, &ip).await
        }
        t => err!("Invalid type", t),
+    };
+
+    if let Some(user_uuid) = user_uuid {
+        // When unknown or unable to parse, return 14, which is 'Unknown Browser'
+        let device_type = util::try_parse_string(device_type).unwrap_or(14);
+        match &login_result {
+            Ok(_) => {
+                log_user_event(EventType::UserLoggedIn as i32, &user_uuid, device_type, &ip.ip, &mut conn).await;
+            }
+            Err(e) => {
+                if let Some(ev) = e.get_event() {
+                    log_user_event(ev.event as i32, &user_uuid, device_type, &ip.ip, &mut conn).await
+                }
+            }
+        }
    }
+
+    login_result
 }

-async fn _refresh_login(data: ConnectData, mut conn: DbConn) -> JsonResult {
+async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
    // Extract token
    let token = data.refresh_token.unwrap();

    // Get device by refresh token
-    let mut device = Device::find_by_refresh_token(&token, &mut conn).await.map_res("Invalid refresh token")?;
+    let mut device = Device::find_by_refresh_token(&token, conn).await.map_res("Invalid refresh token")?;

    let scope = "api offline_access";
    let scope_vec = vec!["api".into(), "offline_access".into()];

    // Common
-    let user = User::find_by_uuid(&device.user_uuid, &mut conn).await.unwrap();
-    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &mut conn).await;
+    let user = User::find_by_uuid(&device.user_uuid, conn).await.unwrap();
+    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
-    device.save(&mut conn).await?;
+    device.save(conn).await?;

    Ok(Json(json!({
        "access_token": access_token,
@@ -87,7 +108,12 @@ async fn _refresh_login(data: ConnectData, mut conn: DbConn) -> JsonResult {
    })))
 }

-async fn _password_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) -> JsonResult {
+async fn _password_login(
+    data: ConnectData,
+    user_uuid: &mut Option<String>,
+    conn: &mut DbConn,
+    ip: &ClientIp,
+) -> JsonResult {
    // Validate scope
    let scope = data.scope.as_ref().unwrap();
    if scope != "api offline_access" {
@@ -100,20 +126,35 @@ async fn _password_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) ->

    // Get the user
    let username = data.username.as_ref().unwrap().trim();
-    let user = match User::find_by_mail(username, &mut conn).await {
+    let user = match User::find_by_mail(username, conn).await {
        Some(user) => user,
        None => err!("Username or password is incorrect. Try again", format!("IP: {}. Username: {}.", ip.ip, username)),
    };

+    // Set the user_uuid here to be passed back used for event logging.
+    *user_uuid = Some(user.uuid.clone());
+
    // Check password
    let password = data.password.as_ref().unwrap();
    if !user.check_valid_password(password) {
-        err!("Username or password is incorrect. Try again", format!("IP: {}. Username: {}.", ip.ip, username))
+        err!(
+            "Username or password is incorrect. Try again",
+            format!("IP: {}. Username: {}.", ip.ip, username),
+            ErrorEvent {
+                event: EventType::UserFailedLogIn,
+            }
+        )
    }

    // Check if the user is disabled
    if !user.enabled {
-        err!("This user has been disabled", format!("IP: {}. Username: {}.", ip.ip, username))
+        err!(
+            "This user has been disabled",
+            format!("IP: {}. Username: {}.", ip.ip, username),
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        )
    }

    let now = Utc::now().naive_utc();
@@ -131,7 +172,7 @@ async fn _password_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) ->
                user.last_verifying_at = Some(now);
                user.login_verify_count += 1;

-                if let Err(e) = user.save(&mut conn).await {
+                if let Err(e) = user.save(conn).await {
                    error!("Error updating user: {:#?}", e);
                }

@@ -142,27 +183,38 @@ async fn _password_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) ->
        }

        // We still want the login to fail until they actually verified the email address
-        err!("Please verify your email before trying again.", format!("IP: {}. Username: {}.", ip.ip, username))
+        err!(
+            "Please verify your email before trying again.",
+            format!("IP: {}. Username: {}.", ip.ip, username),
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        )
    }

-    let (mut device, new_device) = get_device(&data, &mut conn, &user).await;
+    let (mut device, new_device) = get_device(&data, conn, &user).await;

-    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, ip, &mut conn).await?;
+    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, ip, conn).await?;

    if CONFIG.mail_enabled() && new_device {
        if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device.name).await {
            error!("Error sending new device email: {:#?}", e);

            if CONFIG.require_device_email() {
-                err!("Could not send login notification email. Please contact your administrator.")
+                err!(
+                    "Could not send login notification email. Please contact your administrator.",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                )
            }
        }
    }

    // Common
-    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &mut conn).await;
+    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
-    device.save(&mut conn).await?;
+    device.save(conn).await?;

    let mut result = json!({
        "access_token": access_token,
@@ -188,7 +240,12 @@ async fn _password_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) ->
    Ok(Json(result))
 }

-async fn _api_key_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) -> JsonResult {
+async fn _api_key_login(
+    data: ConnectData,
+    user_uuid: &mut Option<String>,
+    conn: &mut DbConn,
+    ip: &ClientIp,
+) -> JsonResult {
    // Validate scope
    let scope = data.scope.as_ref().unwrap();
    if scope != "api" {
@@ -201,27 +258,42 @@ async fn _api_key_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) -> J

    // Get the user via the client_id
    let client_id = data.client_id.as_ref().unwrap();
-    let user_uuid = match client_id.strip_prefix("user.") {
+    let client_user_uuid = match client_id.strip_prefix("user.") {
        Some(uuid) => uuid,
        None => err!("Malformed client_id", format!("IP: {}.", ip.ip)),
    };
-    let user = match User::find_by_uuid(user_uuid, &mut conn).await {
+    let user = match User::find_by_uuid(client_user_uuid, conn).await {
        Some(user) => user,
        None => err!("Invalid client_id", format!("IP: {}.", ip.ip)),
    };

+    // Set the user_uuid here to be passed back used for event logging.
+    *user_uuid = Some(user.uuid.clone());
+
    // Check if the user is disabled
    if !user.enabled {
-        err!("This user has been disabled (API key login)", format!("IP: {}. Username: {}.", ip.ip, user.email))
+        err!(
+            "This user has been disabled (API key login)",
+            format!("IP: {}. Username: {}.", ip.ip, user.email),
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        )
    }

    // Check API key. Note that API key logins bypass 2FA.
    let client_secret = data.client_secret.as_ref().unwrap();
    if !user.check_valid_api_key(client_secret) {
-        err!("Incorrect client_secret", format!("IP: {}. Username: {}.", ip.ip, user.email))
+        err!(
+            "Incorrect client_secret",
+            format!("IP: {}. Username: {}.", ip.ip, user.email),
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        )
    }

-    let (mut device, new_device) = get_device(&data, &mut conn, &user).await;
+    let (mut device, new_device) = get_device(&data, conn, &user).await;

    if CONFIG.mail_enabled() && new_device {
        let now = Utc::now().naive_utc();
@@ -229,15 +301,20 @@ async fn _api_key_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) -> J
            error!("Error sending new device email: {:#?}", e);

            if CONFIG.require_device_email() {
-                err!("Could not send login notification email. Please contact your administrator.")
+                err!(
+                    "Could not send login notification email. Please contact your administrator.",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                )
            }
        }
    }

    // Common
-    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, &mut conn).await;
+    let orgs = UserOrganization::find_confirmed_by_user(&user.uuid, conn).await;
    let (access_token, expires_in) = device.refresh_tokens(&user, orgs, scope_vec);
-    device.save(&mut conn).await?;
+    device.save(conn).await?;

    info!("User {} logged in successfully via API key. IP: {}", user.email, ip.ip);

@@ -261,7 +338,8 @@ async fn _api_key_login(data: ConnectData, mut conn: DbConn, ip: &ClientIp) -> J
 /// Retrieves an existing device or creates a new device from ConnectData and the User
 async fn get_device(data: &ConnectData, conn: &mut DbConn, user: &User) -> (Device, bool) {
    // On iOS, device_type sends "iOS", on others it sends a number
-    let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(0);
+    // When unknown or unable to parse, return 14, which is 'Unknown Browser'
+    let device_type = util::try_parse_string(data.device_type.as_ref()).unwrap_or(14);
    let device_id = data.device_identifier.clone().expect("No device id provided");
    let device_name = data.device_name.clone().expect("No device name provided");

@@ -338,7 +416,12 @@ async fn twofactor_auth(
                }
            }
        }
-        _ => err!("Invalid two factor provider"),
+        _ => err!(
+            "Invalid two factor provider",
+            ErrorEvent {
+                event: EventType::UserFailedLogIn2fa
+            }
+        ),
    }

    TwoFactorIncomplete::mark_complete(user_uuid, &device.uuid, conn).await?;