bn8/ldapsaisie
1
0
Fork 0
mirror of https://gitlab.easter-eggs.com/ee/ldapsaisie.git synced 2024-11-18 00:09:06 +01:00
Code Issues Projects Releases Wiki Activity

Add LSaddon accesslog

Browse source
This commit is contained in:
Emmanuel Saracco 2022-06-16 13:15:28 +02:00
parent 855bcc8564
commit 2adbdb62c7
12 changed files with 2669 additions and 1545 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/conf/LSaddon.docbook
View file

@ -9,6 +9,7 @@
<literal>config.LSaddons.[addon name].php</literal>.
</para>
&conf-LSaddon_accesslog;
&conf-LSaddon_asterisk;
&conf-LSaddon_exportSearchResultAsCSV;
&conf-LSaddon_LSaccessRightsMatrixView;

1
doc/conf/LSaddon/LSaddon.entities.xml
View file

@ -1,4 +1,5 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!ENTITY conf-LSaddon_accesslog SYSTEM "LSaddon_accesslog.docbook">
<!ENTITY conf-LSaddon_asterisk SYSTEM "LSaddon_asterisk.docbook">
<!ENTITY conf-LSaddon_exportSearchResultAsCSV SYSTEM "LSaddon_exportSearchResultAsCSV.docbook">
<!ENTITY conf-LSaddon_LSaccessRightsMatrixView SYSTEM "LSaddon_LSaccessRightsMatrixView.docbook">

46
doc/conf/LSaddon/LSaddon_accesslog.docbook Normal file
View file

@ -0,0 +1,46 @@
<sect2 id="config-LSaddon_accesslog">
<title>LSaddon_accesslog</title>
<para>Cet &LSaddon; fournit la fonction <literal>showObjectAccessLogs()</literal> pouvant être utilisée comme &customActions; et permettant d'afficher les logs d'accès produits par <ulink url="https://www.openldap.org/doc/admin24/overlays.html#Access%20Logging">l'overlay OpenLDAP accesslog</ulink> sur un objet de l'annuaire.</para>
<para>La constante <literal>LS_ACCESSLOG_BASEDN</literal> du fichier de configuration de l'addon (<literal>conf/LSaddons/config.LSaddons.accesslog.php</literal>) permet d'indiquer le base DN de la base stockant les logs :</para>
<programlisting linenumbering="unnumbered">
<citetitle>Configuration accesslog</citetitle>
<![CDATA[// Accesslog base DN
define('LS_ACCESSLOG_BASEDN', 'cn=ldapsaisie-accesslog');]]>
</programlisting>
<warning>
<para>LdapSaisie se connectera à la base stockant les logs d'accès de l'annuaire avec les mêmes paramètres de connexion que pour la base principale (excepté le base DN). Pensez à ajuster les ACLs de la base stockant les logs d'accès pour autoriser l'utilisateur d'LdapSaisie à se connecter et lire les informations qu'elle contient.</para>
<programlisting linenumbering="unnumbered">
<citetitle>Exemple d'ACL à mettre en place</citetitle><![CDATA[to *
by dn.exact=uid=ldapsaisie,ou=sysaccounts,o=ls read
by * break
]]>
</programlisting>
</warning>
<para>Ci-dessous, vous trouverez un exemple de configuration de la fonction <literal>showObjectAccessLogs()</literal> comme &customActions; :</para>
<programlisting linenumbering="unnumbered">
<citetitle>Exemple d'utilisation</citetitle><![CDATA[$GLOBALS['LSobjects']['LSpeople'] = array (
[...]
'customActions' => array (
'showObjectAccessLogs' => array (
'function' => 'showObjectAccessLogs',
'label' => 'Show access logs',
'hideLabel' => true,
'noConfirmation' => true,
'disableOnSuccessMsg' => true,
'icon' => 'clock',
'rights' => array (
'admin'
),
),
),
[...]
);]]>
</programlisting>
</sect2>

25
src/conf/LSaddons/config.LSaddons.accesslog.php Normal file
View file

@ -0,0 +1,25 @@
<?php
/*******************************************************************************
* Copyright (C) 2022 Easter-eggs
* https://ldapsaisie.org
*
* Author: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
// Accesslog base DN
define('LS_ACCESSLOG_BASEDN', 'cn=ldapsaisie-accesslog');

11
src/conf/LSobjects/config.LSobjects.LSpeople.php
View file

@ -59,6 +59,17 @@ $GLOBALS['LSobjects']['LSpeople'] = array (
'admin',
),
),
'showObjectAccessLogs' => array (
'function' => 'showObjectAccessLogs',
'label' => 'Show access logs',
'hideLabel' => True,
'noConfirmation' => true,
'disableOnSuccessMsg' => true,
'icon' => 'clock',
'rights' => array (
'admin'
),
),
),
'ioFormat' => array (

BIN
src/images/default/clock.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 882 B

198
src/includes/addons/LSaddons.accesslog.php Normal file
View file

@ -0,0 +1,198 @@
<?php
/*******************************************************************************
* Copyright (C) 2022 Easter-eggs
* http://ldapsaisie.labs.libre-entreprise.org
*
* Author: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
LSerror :: defineError('ACCESSLOG_SUPPORT_01',
___("accesslog Support : The constant %{const} is not defined.")
);
$GLOBALS['accesslog_reqTypes'] = array(
'add' => _('Add'),
'bind' => _('Log in'),
'compare' => _('Compare'),
'delete' => _('Delete'),
'extended' => _('Extended'),
'modify' => _('Modify'),
'modrdn' => _('Modify RDN'),
'search' => _('Search'),
'unbind' => _('Log out'),
);
$GLOBALS['accesslog_modOps'] = array(
'+' => _('Add'),
'-' => _('Delete'),
'=' => _('Replace'),
'' => _('Replace'),
'#' => _('Increment'),
);
function LSaddon_accesslog_support() {
if (!defined('LS_ACCESSLOG_BASEDN')) {
LSerror :: addErrorCode('ACCESSLOG_SUPPORT_01', 'LS_ACCESSLOG_BASEDN');
return false;
}
if (php_sapi_name() === 'cli') {
LScli::add_command(
'getEntryAccessLog',
'cli_getEntryAccessLog',
'Get entry access log',
'[entry DN] [page]',
);
}
return true;
}
function mapAccessLogEntry(&$entry) {
$attrs = $entry['attrs'];
$entry['start'] = LSldap::parseDate(LSldap::getAttr($attrs, 'reqStart'));
$entry['end'] = LSldap::parseDate(LSldap::getAttr($attrs, 'reqEnd'));
$entry['type'] = LSldap::getAttr($attrs, 'reqType');
$entry['result'] = ldap_err2str(LSldap::getAttr($attrs, 'reqResult'));
$entry['message'] = LSldap::getAttr($attrs, 'reqMessage');
if ($entry['type'] === 'modify' && LSldap::getAttr($attrs, 'reqMod', true)) {
$mods = array();
foreach(LSldap::getAttr($attrs, 'reqMod', true) as $mod) {
if (preg_match('/^([^\:]+)\:([^ ]?) (.*)$/', $mod, $m)) {
$attr = $m[1];
$op = $m[2];
$value = $m[3];
if (!array_key_exists($attr, $mods)) {
$mods[$attr] = array(
'mods' => array(),
'old_values' => array(),
);
}
$mods[$attr]['changes'][] = array(
'op' => array_key_exists($op, $GLOBALS['accesslog_modOps']) ? $GLOBALS['accesslog_modOps'][$op] : $op,
'value' => $value,
);
}
}
if (LSldap::getAttr($attrs, 'reqOld', true)) {
foreach(LSldap::getAttr($attrs, 'reqOld', true) as $old) {
if (preg_match('/^([^\:]+)\: (.*)$/', $old, $m) && array_key_exists($m[1], $mods)) {
$mods[$m[1]]['old_values'][] = $m[2];
}
}
}
$entry['mods'] = $mods;
}
if (array_key_exists($entry['type'], $GLOBALS['accesslog_reqTypes'])) {
$entry['type'] = $GLOBALS['accesslog_reqTypes'][$entry['type']];
}
}
function sortLogEntryByDate($a, $b) {
return ($a['start'] === $b['start']) ? 0 : ($a['start'] < $b['start']) ? -1 : 1;
}
function getEntryAccessLog($dn) {
$data = LSldap::search(
Net_LDAP2_Filter::create('reqDn', 'equals', $dn),
LS_ACCESSLOG_BASEDN,
array(
'attributes' => array(
'reqStart',
'reqEnd',
'reqType',
'reqResult',
'reqMessage',
'reqMod',
'reqOld',
),
),
);
if (!is_array($data)) {
return;
}
$logs = array();
foreach($data as $entry) {
foreach($entry['attrs'] as $attr => $values) {
$entry['attrs'][$attr] = ensureIsArray($values);
}
mapAccessLogEntry($entry);
$logs[] = $entry;
}
usort($logs, 'sortLogEntryByDate');
return array_reverse($logs);
}
function getEntryAccessLogPage($dn, $page = false, $nbByPage = 30) {
if (!isset($_SESSION['entryAccessLogPages'])) {
$_SESSION['entryAccessLogPages'] = array();
}
if (!isset($_SESSION['entryAccessLogPages'][$dn]) || isset($_REQUEST['refresh'])) {
$_SESSION['entryAccessLogPages'][$dn] = getEntryAccessLog($dn);
}
if (!is_int($page)) {
$page = 1;
}
return array(
'nb' => $page,
'nbPages' => ceil(count($_SESSION['entryAccessLogPages'][$dn]) / $nbByPage),
'logs' => array_slice(
$_SESSION['entryAccessLogPages'][$dn],
$page > 1 ? (($page - 1) * $nbByPage) - 1 : 0,
$nbByPage,
)
);
}
function showObjectAccessLogs($obj) {
$pageNb = isset($_REQUEST['page']) ? intval($_REQUEST['page']) : 1;
$dn = $obj->getDn();
$page = getEntryAccessLogPage($dn, $pageNb);
if (!is_array($page)) {
return;
}
LStemplate::assign('page', $page);
$LSview_actions = array();
$LSview_actions['refresh'] = array (
'label' => _('Refresh'),
'url' => 'object/'.$obj->getType().'/'.urlencode($dn).'/customAction/showObjectAccessLogs?refresh',
'action' => 'refresh',
);
$LSview_actions['return'] = array (
'label' => _('Go back'),
'url' => 'object/'.$obj->getType().'/'.urlencode($dn),
'action' => 'view',
);
LStemplate::assign('LSview_actions', $LSview_actions);
LSsession::setTemplate('showObjectAccessLogs.tpl');
LSsession::displayTemplate();
exit();
}
if (php_sapi_name() !== 'cli') {
return true;
}
function cli_getEntryAccessLog($command_args) {
if (count($command_args) < 1) {
LSlog::fatal('You must specify entry DN as first parameter');
}
$dn = $command_args[0];
$page = isset($command_args[1]) ? intval($command_args[1]) : 1;
echo json_encode(
getEntryAccessLogPage($dn, $page),
JSON_PRETTY_PRINT,
);
}

21
src/includes/class/class.LSldap.php
View file

@ -271,6 +271,18 @@ class LSldap extends LSlog_staticLoggerClass {
return false;
}
/**
* Return a date string
*
* @param[in] string LDAP date
*
* @retval string Date YYYY/MM/DD HH:mm:ss
*/
public static function parseDate($value) {
$datetime = date_create_from_format('YmdHis.uO', $value);
return ($datetime instanceof DateTime) ? $datetime -> setTimezone(timezone_open(date_default_timezone_get())) : $datetime;
}
/**
* Return a attribute value
*
@ -296,17 +308,18 @@ class LSldap extends LSlog_staticLoggerClass {
*
* @param[in] $attrs array Array of LDAP attributes
* @param[in] $name array Name of a attribute
* @param[in] $multiple boolean true if we must return array
*
* @retval mixed Found value or null
* @retval mixed Found value (or array of values) or null
*/
public static function getAttr($attrs, $name) {
public static function getAttr($attrs, $name, $multiple = false) {
$name = strtolower($name);
foreach ($attrs as $k => $v) {
if (strtolower($k) === $name) {
return $v;
return $multiple ? $v : $v[0];
}
}
return null;
return $multiple ? array() : null;
}
/**

BIN
src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.mo
View file

Binary file not shown.

740
src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.po
View file

File diff suppressed because it is too large Load diff

3095
src/lang/ldapsaisie.pot
View file

File diff suppressed because it is too large Load diff

76
src/templates/default/showObjectAccessLogs.tpl Normal file
View file

@ -0,0 +1,76 @@
{extends file='ls:base_connected.tpl'}
{block name="content"}
<h1>{$pagetitle}</h1>
{include file='ls:LSview_actions.tpl'}
<table class='LStable'>
<thead>
<tr>
<th>{tr msg="Date"}</th>
<th>{tr msg="Operation"}</th>
<th>{tr msg="Result"}</th>
<th>{tr msg="Details"}</th>
</tr>
</thead>
<tbody>
{foreach $page.logs as $log}
<tr>
<td>{$log.start->format('Y/m/d H:i:s')}</td>
<td class="center">{$log.type}</td>
<td class="center">{$log.result}{if $log.message} <img class='LStips' src="{img name='help'}" alt="?" title='{$log.message|escape:quotes}'/>{/if}</td>
<td>
{if $log.mods}
<table style='margin: auto'>
<thead>
<tr>
<th>{tr msg="Attribute"}</th>
<th>{tr msg="Operation"}</th>
<th>{tr msg="Value"}</th>
<th>{tr msg="Old value(s)"}</th>
</tr>
</thead>
<tbody>
{foreach $log.mods as $attr => $info}
<tr>
<td class="center" {if count($info.changes)>1}rowspan={$info.changes|count}{/if}>{$attr}</td>
<td class="center">{$info.changes.0.op|escape:htmlall}</td>
<td>{$info.changes.0.value|escape:htmlall}</td>
<td {if count($info.changes)>1}rowspan={$info.changes|count}{/if}>
{if $info.old_values}
{if count($info.old_values) == 1}
{$info.old_values[0]|escape:'htmlall'}
{else}
<ul>
{foreach $info.old_values as $old_value}
<li>{$old_value|escape:'htmlall'}</li>
{/foreach}
</ul>
{/if}
{/if}
</td>
</tr>
{if count($info.changes) > 1}
{section name=change loop=$info.changes step=1 start=1}
<tr>
<td>{$info.changes[change].op|escape:htmlall}</td>
<td>{$info.changes[change].value|escape:htmlall}</td>
</tr>
{/section}
{/if}
{/foreach}
</tbody>
</table>
{/if}
</td>
</tr>
{foreachelse}
<tr>
<td class="center" colspan="4">{tr msg="No access log found for this object."}</td>
</tr>
{/foreach}
</tbody>
</table>
<p style='text-align: right; padding: 1em;'>{count($page.logs)} {tr msg="event(s) found for this object."}</p>
{include file='ls:pagination.tpl'}
{/block}