Commit 8fa87ea3 authored by Brian Neel's avatar Brian Neel

# This is a combination of 1 commit.

# This is the 1st commit message:
Add logging for all web authentication events

# This is the commit message #2:

Re-add underscore to after_inactive_sign_up_path_for

# This is the commit message #3:

Standardize on username=

# This is the commit message #4:

after_filter -> after_action, _resource -> resource

# This is the commit message #5:

Add two-factor login failures and account lockouts

# This is the commit message #6:

Move logging from two-factor concern to user model

# This is the commit message #7:

Add spaces around default parameter assignments

# This is the commit message #8:

Move logs out of user model

# This is the commit message #9:

Replace filtered_params with user_params

# This is the commit message #10:

Standardize case

# This is the commit message #1:

Fixes for username and AppLogger.info
parent 76b2a127
...@@ -59,6 +59,7 @@ module AuthenticatesWithTwoFactor ...@@ -59,6 +59,7 @@ module AuthenticatesWithTwoFactor
sign_in(user) sign_in(user)
else else
user.increment_failed_attempts! user.increment_failed_attempts!
Gitlab::AppLogger.info("Failed login: user=#{user.username} ip=#{request.remote_ip} method=OTP")
flash.now[:alert] = 'Invalid two-factor code.' flash.now[:alert] = 'Invalid two-factor code.'
prompt_for_two_factor(user) prompt_for_two_factor(user)
end end
...@@ -75,6 +76,7 @@ module AuthenticatesWithTwoFactor ...@@ -75,6 +76,7 @@ module AuthenticatesWithTwoFactor
sign_in(user) sign_in(user)
else else
user.increment_failed_attempts! user.increment_failed_attempts!
Gitlab::AppLogger.info("Failed login: user=#{user.username} ip=#{request.remote_ip} method=U2F")
flash.now[:alert] = 'Authentication via U2F device failed.' flash.now[:alert] = 'Authentication via U2F device failed.'
prompt_for_two_factor(user) prompt_for_two_factor(user)
end end
......
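Review bot: The two new log lines key the account as `user=` while the new failed-login line in SessionsController and every other line in this commit use `username=`, so anyone alerting on failed logins has to match two formats even though one of the squashed commit titles is "Standardize on username=". Change the OTP line to `Gitlab::AppLogger.info("Failed login: username=#{user.username} ip=#{request.remote_ip} method=OTP")` and the U2F line in the second hunk the same way. Both enclosing methods start and end outside the hunks.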
...@@ -14,6 +14,7 @@ class ConfirmationsController < Devise::ConfirmationsController ...@@ -14,6 +14,7 @@ class ConfirmationsController < Devise::ConfirmationsController
if signed_in?(resource_name) if signed_in?(resource_name)
after_sign_in_path_for(resource) after_sign_in_path_for(resource)
else else
Gitlab::AppLogger.info("Email Confirmed: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip}")
flash[:notice] += " Please sign in." flash[:notice] += " Please sign in."
new_session_path(resource_name) new_session_path(resource_name)
end end
......
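Review bot: The new "Email Confirmed" line only fires on the `else` branch, so a confirmation performed while the user is already signed in leaves no trace although the address was just confirmed in both cases; this looks like Devise's after_confirmation_path_for, but the method header is outside the hunk. Move the `Gitlab::AppLogger.info(...)` call above `if signed_in?(resource_name)` so every confirmation is logged regardless of session state. The line also writes `resource.email` into the application log, as the registration lines in this commit do, so retention and access for that log should be set with that in mind.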
...@@ -42,10 +42,12 @@ class RegistrationsController < Devise::RegistrationsController ...@@ -42,10 +42,12 @@ class RegistrationsController < Devise::RegistrationsController
end end
def after_sign_up_path_for(user) def after_sign_up_path_for(user)
Gitlab::AppLogger.info("User Created: username=#{user.username} email=#{user.email} ip=#{request.remote_ip} confirmed:#{user.confirmed?}")
user.confirmed? ? dashboard_projects_path : users_almost_there_path user.confirmed? ? dashboard_projects_path : users_almost_there_path
end end
def after_inactive_sign_up_path_for(_resource) def after_inactive_sign_up_path_for(resource)
Gitlab::AppLogger.info("User Created: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip} confirmed:false")
users_almost_there_path users_almost_there_path
end end
......
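Review bot: Both "User Created" lines use a colon for `confirmed:` while every other field in this commit is `key=value`, which breaks a parser keyed on `=`; write `confirmed=#{user.confirmed?}` in after_sign_up_path_for and `confirmed=false` in after_inactive_sign_up_path_for. The hard-coded `false` in the second line is presumably right because Devise routes inactive sign-ups there, but `confirmed=#{resource.confirmed?}` would keep the two lines symmetric and not rely on that assumption.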
...@@ -13,6 +13,8 @@ class SessionsController < Devise::SessionsController ...@@ -13,6 +13,8 @@ class SessionsController < Devise::SessionsController
before_action :auto_sign_in_with_provider, only: [:new] before_action :auto_sign_in_with_provider, only: [:new]
before_action :load_recaptcha before_action :load_recaptcha
after_action :log_failed_login, only: [:new]
def new def new
set_minimum_password_length set_minimum_password_length
@ldap_servers = Gitlab::LDAP::Config.available_servers @ldap_servers = Gitlab::LDAP::Config.available_servers
...@@ -29,12 +31,13 @@ class SessionsController < Devise::SessionsController ...@@ -29,12 +31,13 @@ class SessionsController < Devise::SessionsController
end end
# hide the signed-in notification # hide the signed-in notification
flash[:notice] = nil flash[:notice] = nil
log_audit_event(current_user, with: authentication_method) log_audit_event(current_user, resource, with: authentication_method)
log_user_activity(current_user) log_user_activity(current_user)
end end
end end
def destroy def destroy
Gitlab::AppLogger.info("User Logout: username=#{current_user.username} ip=#{request.remote_ip}")
super super
# hide the signed_out notice # hide the signed_out notice
flash[:notice] = nil flash[:notice] = nil
...@@ -42,6 +45,14 @@ class SessionsController < Devise::SessionsController ...@@ -42,6 +45,14 @@ class SessionsController < Devise::SessionsController
private private
def log_failed_login
Gitlab::AppLogger.info("Failed login: username=#{user_params[:login]} ip=#{request.remote_ip}") if failed_login?
end
def failed_login?
(options = env["warden.options"]) && options[:action] == "unauthenticated"
end
def login_counter def login_counter
@login_counter ||= Gitlab::Metrics.counter(:user_session_logins_total, 'User sign in count') @login_counter ||= Gitlab::Metrics.counter(:user_session_logins_total, 'User sign in count')
end end
...@@ -123,7 +134,8 @@ class SessionsController < Devise::SessionsController ...@@ -123,7 +134,8 @@ class SessionsController < Devise::SessionsController
user.invalidate_otp_backup_code!(user_params[:otp_attempt]) user.invalidate_otp_backup_code!(user_params[:otp_attempt])
end end
def log_audit_event(user, options = {}) def log_audit_event(user, resource, options = {})
Gitlab::AppLogger.info("User login: username=#{resource.username} ip=#{request.remote_ip} method=#{options[:with]} admin=#{resource.admin?}")
AuditEventService.new(user, user, options) AuditEventService.new(user, user, options)
.for_authentication.security_event .for_authentication.security_event
end end
......
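Review bot: `log_failed_login` writes the raw `user_params[:login]` value into the log; this is unauthenticated, client-controlled input, and a value containing a newline would let one request forge extra log lines, which matters now that these lines are meant to drive alerting. Escape it before interpolating, e.g. `username=#{user_params[:login].to_s.inspect}`, or strip control characters, so one request always yields exactly one log line. Separately, `destroy` now dereferences `current_user.username` before `super`; if this action can be reached without a live session (Devise's own destroy tolerates that), the call raises NoMethodError, so `current_user&.username` would be safer. In `log_audit_event` the new `resource` parameter is used only for the log line while the audit record is still built from `user`, and the sole caller passes `current_user, resource` — if these are always the same object the extra parameter is redundant, and if not the log and the audit record can disagree.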
...@@ -1069,6 +1069,12 @@ class User < ActiveRecord::Base ...@@ -1069,6 +1069,12 @@ class User < ActiveRecord::Base
super super
end end
# override, from Devise
def lock_access!
Gitlab::AppLogger.info("Account Locked: username=#{username} reason=invalid_login_attempts")
super
end
private private
def ci_projects_union def ci_projects_union
......
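Review bot: The `lock_access!` override declares no parameters, but Devise's Lockable defines it as `lock_access!(opts = {})` and callers may pass options such as `send_instructions: false`; with this signature any such call raises ArgumentError before reaching `super`. Declare it as `def lock_access!(opts = {})` and keep the bare `super` so the options are forwarded unchanged. The `reason=invalid_login_attempts` text is also hard-coded even though `lock_access!` is reachable from paths other than the failed-attempt counter, so a lock applied for another reason would be logged with the wrong cause; either log the reason from the failed-attempt path only, or make it a value the caller supplies.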