Add trace logging to SSO methods (#15803)

zeripath · web-flow · commit a2df2654765c · 2021-05-09T18:04:53.000+02:00
It is currenly impossible to detect which "SSO" method is responsible for login. This
PR adds some basic trace logging to these methods.

Signed-off-by: Andrew Thornton &lt;art27@cantab.net&gt;
diff --git a/modules/auth/sso/basic.go b/modules/auth/sso/basic.go
@@ -66,12 +66,16 @@ func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store D
 	// Assume username is token
 	authToken := uname
 	if !isUsernameToken {
+		log.Trace("Basic Authorization: Attempting login for: %s", uname)
 		// Assume password is token
 		authToken = passwd
+	} else {
+		log.Trace("Basic Authorization: Attempting login with username as token")
 	}
 
 	uid := CheckOAuthAccessToken(authToken)
 	if uid != 0 {
+		log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
 		var err error
 		store.GetData()["IsApiToken"] = true
 
@@ -83,6 +87,8 @@ func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store D
 	}
 	token, err := models.GetAccessTokenBySHA(authToken)
 	if err == nil {
+		log.Trace("Basic Authorization: Valid AccessToken for user[%d]", uid)
+
 		u, err = models.GetUserByID(token.UID)
 		if err != nil {
 			log.Error("GetUserByID:  %v", err)
@@ -98,6 +104,8 @@ func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store D
 	}
 
 	if u == nil {
+		log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
+
 		u, err = models.UserSignIn(uname, passwd)
 		if err != nil {
 			if !models.IsErrUserNotExist(err) {
@@ -109,5 +117,7 @@ func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store D
 		store.GetData()["IsApiToken"] = true
 	}
 
+	log.Trace("Basic Authorization: Logged in user %-v", u)
+
 	return u
 }
diff --git a/modules/auth/sso/oauth2.go b/modules/auth/sso/oauth2.go
@@ -130,6 +130,7 @@ func (o *OAuth2) VerifyAuthData(req *http.Request, w http.ResponseWriter, store
 	if id <= 0 {
 		return nil
 	}
+	log.Trace("OAuth2 Authorization: Found token for user[%d]", id)
 
 	user, err := models.GetUserByID(id)
 	if err != nil {
@@ -139,5 +140,6 @@ func (o *OAuth2) VerifyAuthData(req *http.Request, w http.ResponseWriter, store
 		return nil
 	}
 
+	log.Trace("OAuth2 Authorization: Logged in user %-v", user)
 	return user
 }
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
@@ -65,6 +65,7 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 	if len(username) == 0 {
 		return nil
 	}
+	log.Trace("ReverseProxy Authorization: Found username: %s", username)
 
 	user, err := models.GetUserByName(username)
 	if err != nil {
@@ -75,6 +76,7 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 		return nil
 	}
 
+	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
 	return user
 }
 
diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go
@@ -77,6 +77,8 @@ func SessionUser(sess SessionStore) *models.User {
 	if uid == nil {
 		return nil
 	}
+	log.Trace("Session Authorization: Found user[%d]", uid)
+
 	id, ok := uid.(int64)
 	if !ok {
 		return nil
@@ -90,6 +92,8 @@ func SessionUser(sess SessionStore) *models.User {
 		}
 		return nil
 	}
+
+	log.Trace("Session Authorization: Logged in user %-v", user)
 	return user
 }
 
diff --git a/modules/auth/sso/sspi_windows.go b/modules/auth/sso/sspi_windows.go
@@ -87,6 +87,7 @@ func (s *SSPI) VerifyAuthData(req *http.Request, w http.ResponseWriter, store Da
 		return nil
 	}
 
+	log.Trace("SSPI Authorization: Attempting to authenticate")
 	userInfo, outToken, err := sspiAuth.Authenticate(req, w)
 	if err != nil {
 		log.Warn("Authentication failed with error: %v\n", err)
@@ -140,6 +141,7 @@ func (s *SSPI) VerifyAuthData(req *http.Request, w http.ResponseWriter, store Da
 		handleSignIn(w, req, sess, user)
 	}
 
+	log.Trace("SSPI Authorization: Logged in user %-v", user)
 	return user
 }
 

Original file line number	Original file line	Diff line number	Diff line change
`@@ -66,12 +66,16 @@ func (b Basic) VerifyAuthData(req http.Request, w http.ResponseWriter, store D`
`66`	`// Assume username is token`	`66`	`// Assume username is token`
`67`	`authToken := uname`	`67`	`authToken := uname`
`68`	`if !isUsernameToken {`	`68`	`if !isUsernameToken {`
		`69`	`+ log.Trace("Basic Authorization: Attempting login for: %s", uname)`
`69`	`// Assume password is token`	`70`	`// Assume password is token`
`70`	`authToken = passwd`	`71`	`authToken = passwd`
		`72`	`+ } else {`
		`73`	`+ log.Trace("Basic Authorization: Attempting login with username as token")`
`71`	`}`	`74`	`}`
`72`		`75`
`73`	`uid := CheckOAuthAccessToken(authToken)`	`76`	`uid := CheckOAuthAccessToken(authToken)`
`74`	`if uid != 0 {`	`77`	`if uid != 0 {`
		`78`	`+ log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)`
`75`	`var err error`	`79`	`var err error`
`76`	`store.GetData()["IsApiToken"] = true`	`80`	`store.GetData()["IsApiToken"] = true`
`77`		`81`
`@@ -83,6 +87,8 @@ func (b Basic) VerifyAuthData(req http.Request, w http.ResponseWriter, store D`
`83`	`}`	`87`	`}`
`84`	`token, err := models.GetAccessTokenBySHA(authToken)`	`88`	`token, err := models.GetAccessTokenBySHA(authToken)`
`85`	`if err == nil {`	`89`	`if err == nil {`
		`90`	`+ log.Trace("Basic Authorization: Valid AccessToken for user[%d]", uid)`
		`91`	`+`
`86`	`u, err = models.GetUserByID(token.UID)`	`92`	`u, err = models.GetUserByID(token.UID)`
`87`	`if err != nil {`	`93`	`if err != nil {`
`88`	`log.Error("GetUserByID: %v", err)`	`94`	`log.Error("GetUserByID: %v", err)`
`@@ -98,6 +104,8 @@ func (b Basic) VerifyAuthData(req http.Request, w http.ResponseWriter, store D`
`98`	`}`	`104`	`}`
`99`		`105`
`100`	`if u == nil {`	`106`	`if u == nil {`
		`107`	`+ log.Trace("Basic Authorization: Attempting SignIn for %s", uname)`
		`108`	`+`
`101`	`u, err = models.UserSignIn(uname, passwd)`	`109`	`u, err = models.UserSignIn(uname, passwd)`
`102`	`if err != nil {`	`110`	`if err != nil {`
`103`	`if !models.IsErrUserNotExist(err) {`	`111`	`if !models.IsErrUserNotExist(err) {`
`@@ -109,5 +117,7 @@ func (b Basic) VerifyAuthData(req http.Request, w http.ResponseWriter, store D`
`109`	`store.GetData()["IsApiToken"] = true`	`117`	`store.GetData()["IsApiToken"] = true`
`110`	`}`	`118`	`}`
`111`		`119`
		`120`	`+ log.Trace("Basic Authorization: Logged in user %-v", u)`
		`121`	`+`
`112`	`return u`	`122`	`return u`
`113`	`}`	`123`	`}`
Original file line number	Original file line	Diff line number	Diff line change
`@@ -130,6 +130,7 @@ func (o OAuth2) VerifyAuthData(req http.Request, w http.ResponseWriter, store`
`130`	`if id <= 0 {`	`130`	`if id <= 0 {`
`131`	`return nil`	`131`	`return nil`
`132`	`}`	`132`	`}`
		`133`	`+ log.Trace("OAuth2 Authorization: Found token for user[%d]", id)`
`133`		`134`
`134`	`user, err := models.GetUserByID(id)`	`135`	`user, err := models.GetUserByID(id)`
`135`	`if err != nil {`	`136`	`if err != nil {`
`@@ -139,5 +140,6 @@ func (o OAuth2) VerifyAuthData(req http.Request, w http.ResponseWriter, store`
`139`	`return nil`	`140`	`return nil`
`140`	`}`	`141`	`}`
`141`		`142`
		`143`	`+ log.Trace("OAuth2 Authorization: Logged in user %-v", user)`
`142`	`return user`	`144`	`return user`
`143`	`}`	`145`	`}`
Original file line number	Original file line	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ func (r ReverseProxy) VerifyAuthData(req http.Request, w http.ResponseWriter,`
`65`	`if len(username) == 0 {`	`65`	`if len(username) == 0 {`
`66`	`return nil`	`66`	`return nil`
`67`	`}`	`67`	`}`
		`68`	`+ log.Trace("ReverseProxy Authorization: Found username: %s", username)`
`68`		`69`
`69`	`user, err := models.GetUserByName(username)`	`70`	`user, err := models.GetUserByName(username)`
`70`	`if err != nil {`	`71`	`if err != nil {`
`@@ -75,6 +76,7 @@ func (r ReverseProxy) VerifyAuthData(req http.Request, w http.ResponseWriter,`
`75`	`return nil`	`76`	`return nil`
`76`	`}`	`77`	`}`
`77`		`78`
		`79`	`+ log.Trace("ReverseProxy Authorization: Logged in user %-v", user)`
`78`	`return user`	`80`	`return user`
`79`	`}`	`81`	`}`
`80`		`82`
Original file line number	Original file line	Diff line number	Diff line change
`@@ -77,6 +77,8 @@ func SessionUser(sess SessionStore) *models.User {`
`77`	`if uid == nil {`	`77`	`if uid == nil {`
`78`	`return nil`	`78`	`return nil`
`79`	`}`	`79`	`}`
		`80`	`+ log.Trace("Session Authorization: Found user[%d]", uid)`
		`81`	`+`
`80`	`id, ok := uid.(int64)`	`82`	`id, ok := uid.(int64)`
`81`	`if !ok {`	`83`	`if !ok {`
`82`	`return nil`	`84`	`return nil`
`@@ -90,6 +92,8 @@ func SessionUser(sess SessionStore) *models.User {`
`90`	`}`	`92`	`}`
`91`	`return nil`	`93`	`return nil`
`92`	`}`	`94`	`}`
		`95`	`+`
		`96`	`+ log.Trace("Session Authorization: Logged in user %-v", user)`
`93`	`return user`	`97`	`return user`
`94`	`}`	`98`	`}`
`95`		`99`
Original file line number	Original file line	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ func (s SSPI) VerifyAuthData(req http.Request, w http.ResponseWriter, store Da`
`87`	`return nil`	`87`	`return nil`
`88`	`}`	`88`	`}`
`89`		`89`
		`90`	`+ log.Trace("SSPI Authorization: Attempting to authenticate")`
`90`	`userInfo, outToken, err := sspiAuth.Authenticate(req, w)`	`91`	`userInfo, outToken, err := sspiAuth.Authenticate(req, w)`
`91`	`if err != nil {`	`92`	`if err != nil {`
`92`	`log.Warn("Authentication failed with error: %v\n", err)`	`93`	`log.Warn("Authentication failed with error: %v\n", err)`
`@@ -140,6 +141,7 @@ func (s SSPI) VerifyAuthData(req http.Request, w http.ResponseWriter, store Da`
`140`	`handleSignIn(w, req, sess, user)`	`141`	`handleSignIn(w, req, sess, user)`
`141`	`}`	`142`	`}`
`142`		`143`
		`144`	`+ log.Trace("SSPI Authorization: Logged in user %-v", user)`
`143`	`return user`	`145`	`return user`
`144`	`}`	`146`	`}`
`145`		`147`