[TASK] Remove IP address from details field of sys_log entry 13/57313/9
authorGeorg Ringer <georg.ringer@gmail.com>
Fri, 22 Jun 2018 20:40:35 +0000 (22:40 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Sat, 23 Jun 2018 10:03:07 +0000 (12:03 +0200)
Avoid persisting the IP address of a login action twice and just use
the one of the IP field.

Additionally, the anonymize scheduler task can now remove all unwanted IP
addresses from the logs.

Be aware that the anonymization of the sys_log entries only
works for new entries that were generated after this patch. Older
entries have to be deleted or the details field needs to be
cleared manually.

Resolves: #85316
Releases: master, 8.7, 7.6
Change-Id: I9c5c65d52462a82047324390bc3e6b970a8f8840
Reviewed-on: https://review.typo3.org/57313
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
typo3/sysext/belog/Classes/Domain/Model/LogEntry.php
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Classes/Authentication/AuthenticationService.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/scheduler/Classes/Task/IpAnonymizationAdditionalFieldProvider.php

index a71818a..2a2c942 100644 (file)
@@ -313,6 +313,9 @@ class LogEntry extends \TYPO3\CMS\Extbase\DomainObject\AbstractEntity
      */
     public function getDetails()
     {
+        if ($this->type === 255) {
+            return str_replace('###IP###', $this->ip, $this->details);
+        }
         return $this->details;
     }
 
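Review bot: The substitution in `getDetails()` fires only when `$this->type === 255` holds strictly, so a `type` value hydrated as a numeric string would leave the literal `###IP###` in the returned text. The property declaration is outside the hunk, so confirm it is mapped as an int, or compare with `(int)$this->type === 255`. The bare `255` matches the first `writelog()` argument in the authentication hunks and should get a named constant or a comment such as `// 255 = login-related entries; their details carry ###IP###, resolved from the ip column`. The docblock above the method (outside the hunk) should also say that the address is deliberately kept only in the `ip` field, so that a masked or emptied `ip` value is what the backend log shows.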
index f87f637..af00f7e 100644 (file)
@@ -744,7 +744,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
 
             // User logged in - write that to the log!
             if ($this->writeStdLog && $activeLogin) {
-                $this->writelog(255, 1, 0, 1, 'User %s logged in from %s (%s)', [$tempuser[$this->username_column], GeneralUtility::getIndpEnv('REMOTE_ADDR'), GeneralUtility::getIndpEnv('REMOTE_HOST')], '', '', '');
+                $this->writelog(255, 1, 0, 1, 'User %s logged in from ###IP### (%s)', [$tempuser[$this->username_column], GeneralUtility::getIndpEnv('REMOTE_HOST')], '', '', '');
             }
             if ($activeLogin) {
                 $this->logger->info('User ' . $tempuser[$this->username_column] . ' logged in from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')');
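Review bot: The unchanged `$this->logger->info(...)` call right after the modified `writelog()` still concatenates `GeneralUtility::getIndpEnv('REMOTE_ADDR')` into its message, so the address is still persisted by whichever writer the logger is configured with. The sys_log anonymization task described in the commit message does not cover that copy. The same holds for the `$this->logger->warning(...)` and `$this->logger->info(...)` calls kept as context in the four AuthenticationService hunks. If that is intended, say so at the call, e.g. `// REMOTE_ADDR still goes to the PSR-3 log; its retention/anonymization is not handled by the sys_log task`, so operators know a second place holds login IPs. The enclosing method starts and ends outside the hunk.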
index d74411f..4c8f28f 100644 (file)
@@ -54,8 +54,8 @@ class AuthenticationService extends AbstractAuthenticationService
         }
         if ((string)$this->login['uident_text'] === '') {
             // Failed Login attempt (no password given)
-            $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', [
-                $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']
+            $this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### (%s) for username \'%s\' with an empty password!', [
+                $this->authInfo['REMOTE_HOST'], $this->login['uname']
             ]);
             $this->logger->warning(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
             return false;
@@ -64,7 +64,7 @@ class AuthenticationService extends AbstractAuthenticationService
         $user = $this->fetchUserRecord($this->login['uname']);
         if (!is_array($user)) {
             // Failed login attempt (no username found)
-            $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
+            $this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_HOST'], $this->login['uname']]);
             $this->logger->info('Login-attempt from username \'' . $this->login['uname'] . '\' not found!', [
                 'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
                 'REMOTE_HOST' => $this->authInfo['REMOTE_HOST'],
@@ -102,7 +102,7 @@ class AuthenticationService extends AbstractAuthenticationService
             if (!$OK) {
                 // Failed login attempt (wrong password) - write that to the log!
                 if ($this->writeAttemptLog) {
-                    $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
+                    $this->writelog(255, 3, 3, 1, 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!', [$this->authInfo['REMOTE_HOST'], $this->login['uname']]);
                     $this->logger->info('Login-attempt username \'' . $this->login['uname'] . '\', password not accepted!', [
                         'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
                         'REMOTE_HOST' => $this->authInfo['REMOTE_HOST'],
@@ -114,7 +114,7 @@ class AuthenticationService extends AbstractAuthenticationService
             if ($OK && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
                 // Lock domain didn't match, so error:
                 if ($this->writeAttemptLog) {
-                    $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']]);
+                    $this->writelog(255, 3, 3, 1, 'Login-attempt from ###IP### (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']]);
                     $this->logger->info('Login-attempt from username \'' . $user[$this->db_user['username_column']] . '\', locked domain did not match!', [
                         'HTTP_HOST' => $this->authInfo['HTTP_HOST'],
                         'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
index dc204c2..93c311c 100644 (file)
@@ -164,7 +164,7 @@ class SaltedPasswordService extends AbstractAuthenticationService
             $validPasswd = $this->compareUident($user, $this->login);
             if (!$validPasswd) {
                 // Failed login attempt (wrong password)
-                $errorMessage = 'Login-attempt from %s (%s), username \'%s\', password not accepted!';
+                $errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!';
                 // No delegation to further services
                 if ((int)$this->extConf['onlyAuthService'] || $this->authenticationFailed) {
                     $this->writeLogMessage(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $this->login['uname']);
@@ -173,17 +173,15 @@ class SaltedPasswordService extends AbstractAuthenticationService
                     $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']);
                 }
                 $this->writelog(255, 3, 3, 1, $errorMessage, [
-                    $this->authInfo['REMOTE_ADDR'],
                     $this->authInfo['REMOTE_HOST'],
                     $this->login['uname']
                 ]);
                 $this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
             } elseif ($validPasswd && $user['lockToDomain'] && strcasecmp($user['lockToDomain'], $this->authInfo['HTTP_HOST'])) {
                 // Lock domain didn't match, so error:
-                $errorMessage = 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
+                $errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
                 $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']);
                 $this->writelog(255, 3, 3, 1, $errorMessage, [
-                    $this->authInfo['REMOTE_ADDR'],
                     $this->authInfo['REMOTE_HOST'],
                     $user[$this->db_user['username_column']],
                     $user['lockToDomain'],
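Review bot: Both `$errorMessage` strings now contain one `%s` fewer, but the unchanged calls `writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], ...)` (both branches) and `$this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], ...))` still pass `REMOTE_ADDR` as the first argument. In the `sprintf()` call the output keeps the literal `###IP###`, prints the address where the host belongs and the host where the username belongs, and drops the username, which makes these failed-login records misleading for anyone investigating them. `writeLogMessage()` is defined outside the hunk but looks like it formats the same way. Either restore the placeholder for these two sinks, e.g. `sprintf(str_replace('###IP###', '%s', $errorMessage), ...)`, or drop `$this->authInfo['REMOTE_ADDR']` from their argument lists if the address should not be logged there either.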
index 059e74d..73dd38a 100644 (file)
@@ -205,7 +205,7 @@ class IpAnonymizationAdditionalFieldProvider implements AdditionalFieldProviderI
     public function saveAdditionalFields(array $submittedData, \TYPO3\CMS\Scheduler\Task\AbstractTask $task)
     {
         $task->table = $submittedData['scheduler_ipAnonymization_table'];
-        $task->mask = $submittedData['scheduler_ipAnonymization_mask'];
+        $task->mask = (int)$submittedData['scheduler_ipAnonymization_mask'];
         $task->numberOfDays = (int)$submittedData['scheduler_ipAnonymization_numberOfDays'];
     }