first attempt at logging. needs a big refactor some day

isekai
Jonathan Daggerhart 10 years ago
parent bac8b481d6
commit 782e674def

@ -109,10 +109,22 @@ class OpenID_Connect_Generic_Settings {
'section' => 'authorization_settings', 'section' => 'authorization_settings',
), ),
'enforce_privacy' => array( 'enforce_privacy' => array(
'title' => __('Enforce Privacy'), 'title' => __('Enforce Privacy'),
'description' => __('Require users be logged in to see the site.'), 'description' => __('Require users be logged in to see the site.'),
'type' => 'checkbox', 'type' => 'checkbox',
'section' => 'authorization_settings', 'section' => 'authorization_settings',
),
'enable_logging' => array(
'title' => __('Enable Logging'),
'description' => __('Very simple log messages for debugging purposes.'),
'type' => 'checkbox',
'section' => 'log_settings',
),
'log_limit' => array(
'title' => __('Log Limit'),
'description' => __('Number of items to keep in the log. These logs are stored as an option in the database, so space is limited.'),
'type' => 'number',
'section' => 'log_settings',
), ),
); );
@ -154,9 +166,15 @@ class OpenID_Connect_Generic_Settings {
); );
add_settings_section( 'authorization_settings', add_settings_section( 'authorization_settings',
__('Authorization Settings'), __('Authorization Settings'),
array( $this, 'authorization_settings_description' ), array( $this, 'authorization_settings_description' ),
$this->options_page_name $this->options_page_name
);
add_settings_section( 'log_settings',
__('Log Settings'),
array( $this, 'log_settings_description' ),
$this->options_page_name
); );
// preprocess fields and add them to the page // preprocess fields and add them to the page
@ -228,10 +246,39 @@ class OpenID_Connect_Generic_Settings {
submit_button(); submit_button();
?> ?>
</form> </form>
<h4><?php _e('Notes'); ?></h4> <h4><?php _e('Notes'); ?></h4>
<p class="description"> <p class="description">
<strong><?php _e('Redirect URI'); ?></strong> <code><?php print admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); ?></code> <strong><?php _e('Redirect URI'); ?></strong> <code><?php print admin_url( 'admin-ajax.php?action=openid-connect-authorize' ); ?></code>
</p> </p>
<?php
$logs = get_option( 'openid_connect_generic_logs', array() );
if ( !empty( $logs ) ) {
?>
<h4><?php _e('Logs'); ?></h4>
<table class="wp-list-table widefat fixed striped posts">
<thead>
<th>Type</th>
<th>Date</th>
<th>User</th>
<th style="width: 65%;">Data</th>
</thead>
<tbody>
<?php foreach( $logs as $log ){ ?>
<tr>
<td><?php print $log['type']; ?></td>
<td><?php print date( 'Y-m-d H:i:s', $log['time'] ); ?></td>
<td><?php print ( $log['user_ID'] ) ? get_userdata( $log['user_ID'] )->user_login : 'anonymous'; ?></td>
<td><?php print '<pre style="margin:0;">' . print_r( $log['data'], 1 ) . '</pre>'; ?></td>
</tr>
<?php } ?>
</tbody>
</table>
<?php
}
?>
</div> </div>
<?php <?php
} }
@ -243,7 +290,7 @@ class OpenID_Connect_Generic_Settings {
*/ */
public function do_text_field( $field ) { public function do_text_field( $field ) {
?> ?>
<input type="text" <input type="<?php print esc_attr( $field['type'] ); ?>"
id="<?php print esc_attr( $field['key'] ); ?>" id="<?php print esc_attr( $field['key'] ); ?>"
class="large-text" class="large-text"
name="<?php print esc_attr( $field['name'] ); ?>" name="<?php print esc_attr( $field['name'] ); ?>"
@ -308,5 +355,9 @@ class OpenID_Connect_Generic_Settings {
public function authorization_settings_description() { public function authorization_settings_description() {
_e('Control the authorization mechanics of the site'); _e('Control the authorization mechanics of the site');
} }
public function log_settings_description() {
_e('Log information about login attempts through OpenID Connect Generic');
}
} }
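Review bot: The log table added in the hunk at @ -228,10 prints `$log['type']` and `print_r( $log['data'], 1 )` into the admin page unescaped (the two `<td>` lines inside the foreach), and `$log['data']` is filled by the main class with provider HTTP results and WP_Error objects, so remote content reaches the page markup as-is; wrap both in esc_html(): `<td><?php print esc_html( $log['type'] ); ?></td>` and `<td><pre style="margin:0;"><?php print esc_html( print_r( $log['data'], true ) ); ?></pre></td>`. In the User column get_userdata() returns false once the user has been deleted, so `->user_login` on it is a fatal; guard it with `$u = $log['user_ID'] ? get_userdata( $log['user_ID'] ) : false; print $u ? esc_html( $u->user_login ) : 'anonymous';`. The settings-page method containing this table starts before the hunk, so the variable scope cannot be confirmed from here, but the viewer reads the option directly instead of going through the new get_logs() accessor, which will desynchronise the two if the storage key ever changes.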

@ -50,6 +50,8 @@ class OpenID_Connect_Generic {
'no_sslverify' => 0, 'no_sslverify' => 0,
'enforce_privacy' => 0, 'enforce_privacy' => 0,
'identity_key' => 'sub', 'identity_key' => 'sub',
'enable_logging' => 0,
'log_limit' => 1000,
); );
// storage for plugin settings // storage for plugin settings
@ -60,6 +62,8 @@ class OpenID_Connect_Generic {
private $redirect_uri; private $redirect_uri;
private $logs = null;
/** /**
* Initialize the plugin * Initialize the plugin
*/ */
@ -98,6 +102,58 @@ class OpenID_Connect_Generic {
return $this->settings; return $this->settings;
} }
/**
* Retrieve all log messages
*/
public function get_logs(){
if ( is_null( $this->logs ) ) {
$this->logs = get_option( 'openid_connect_generic_logs', array() );
}
return $this->logs;
}
/**
*
*/
public function log( $data, $type = 'error' ){
if ( (bool) $this->settings['enable_logging'] ) {
$this->add_log_message( $data, $type );
}
}
/**
* Add a new message to the log
*
* @param $data array - extra data about the message
* @param $type string - simple message type string, defaults to error
*/
public function add_log_message( $data = array(), $type = 'error' ){
// construct our message
$message = array(
'type' => $type,
'time' => time(),
'user_ID' => get_current_user_id(),
'data' => is_array( $data ) ? $data : array( $data ),
);
// add our message to the logs
$logs = $this->get_logs();
$logs[] = $message;
// keep our log count under the limit
$items_to_remove = count( $logs ) - (int) $this->settings['log_limit'];
while ( $items_to_remove > 0 ) {
array_shift( $logs );
$items_to_remove--;
}
// save our logs
$this->logs = $logs;
update_option( 'openid_connect_generic_logs', $logs, false );
}
/** /**
* Implements hook init * Implements hook init
* - hook plugin into WP as needed * - hook plugin into WP as needed
@ -182,12 +238,12 @@ class OpenID_Connect_Generic {
// look for an existing error of some kind // look for an existing error of some kind
if ( isset( $_GET['error'] ) ) { if ( isset( $_GET['error'] ) ) {
$this->error_redirect( 99 ); $this->error( 99 );
} }
// make sure we have a legitimate authentication code and valid state // make sure we have a legitimate authentication code and valid state
if ( !isset( $_GET['code'] ) || !isset( $_GET['state'] ) || !$this->check_state( $_GET['state'] ) ) { if ( !isset( $_GET['code'] ) || !isset( $_GET['state'] ) || !$this->check_state( $_GET['state'] ) ) {
$this->error_redirect( 1 ); $this->error( 1 );
} }
// we have an authorization code, make sure it is good by // we have an authorization code, make sure it is good by
@ -196,7 +252,7 @@ class OpenID_Connect_Generic {
// ensure the token is not an error generated by wp // ensure the token is not an error generated by wp
if ( is_wp_error( $token_result ) ){ if ( is_wp_error( $token_result ) ){
$this->error_redirect( 2 ); $this->error( 2, $token_result );
} }
// extract token response from token // extract token response from token
@ -207,7 +263,7 @@ class OpenID_Connect_Generic {
if ( ! isset( $token_response['id_token'] ) || ! isset( $token_response['access_token'] ) || if ( ! isset( $token_response['id_token'] ) || ! isset( $token_response['access_token'] ) ||
! isset( $token_response['token_type'] ) || $token_response['token_type'] !== 'Bearer' ) ! isset( $token_response['token_type'] ) || $token_response['token_type'] !== 'Bearer' )
{ {
$this->error_redirect( 4 ); $this->error( 4 );
} }
// - end authentication // - end authentication
@ -225,7 +281,7 @@ class OpenID_Connect_Generic {
// make sure we can find our identification data and that it has a value // make sure we can find our identification data and that it has a value
if ( ! isset( $id_token_claim[ $settings['identity_key'] ] ) || empty( $id_token_claim[ $settings['identity_key'] ] ) ) { if ( ! isset( $id_token_claim[ $settings['identity_key'] ] ) || empty( $id_token_claim[ $settings['identity_key'] ] ) ) {
$this->error_redirect( 5 ); $this->error( 5 );
} }
// if desired, admins can use regex to determine if the identity value is valid // if desired, admins can use regex to determine if the identity value is valid
@ -233,7 +289,7 @@ class OpenID_Connect_Generic {
if ( isset( $settings['allowed_regex'] ) && !empty( $settings['allowed_regex'] ) && if ( isset( $settings['allowed_regex'] ) && !empty( $settings['allowed_regex'] ) &&
preg_match( $settings['allowed_regex'], $id_token_claim[ $settings['identity_key'] ] ) !== 1) preg_match( $settings['allowed_regex'], $id_token_claim[ $settings['identity_key'] ] ) !== 1)
{ {
$this->error_redirect( 5 ); $this->error( 5 );
} }
// send a userinfo request to get user claim // send a userinfo request to get user claim
@ -241,14 +297,14 @@ class OpenID_Connect_Generic {
// make sure we didn't get an error, and that the response body exists // make sure we didn't get an error, and that the response body exists
if ( is_wp_error( $user_claim_result ) || ! isset( $user_claim_result['body'] ) ) { if ( is_wp_error( $user_claim_result ) || ! isset( $user_claim_result['body'] ) ) {
$this->error_redirect( 3 ); $this->error( 3, $user_claim_result );
} }
$user_claim = json_decode( $user_claim_result['body'], true ); $user_claim = json_decode( $user_claim_result['body'], true );
// make sure the id_token sub === user_claim sub, according to spec // make sure the id_token sub === user_claim sub, according to spec
if ( $id_token_claim[ $settings['identity_key'] ] !== $user_claim['sub'] ) { if ( $id_token_claim[ $settings['identity_key'] ] !== $user_claim['sub'] ) {
$this->error_redirect( 4 ); $this->error( 4 );
} }
// retrieve the identity from the id_token // retrieve the identity from the id_token
@ -262,7 +318,7 @@ class OpenID_Connect_Generic {
$login_user = apply_filters( 'openid-connect-generic-user-login-test', true, $user_claim ); $login_user = apply_filters( 'openid-connect-generic-user-login-test', true, $user_claim );
if ( ! $login_user ){ if ( ! $login_user ){
$this->error_redirect( 8 ); $this->error( 8 );
} }
// look for user by their openid-connect-generic-user-identity value // look for user by their openid-connect-generic-user-identity value
@ -298,7 +354,7 @@ class OpenID_Connect_Generic {
// make sure we didn't get an error // make sure we didn't get an error
if ( is_wp_error( $user_claim_result ) ) { if ( is_wp_error( $user_claim_result ) ) {
$this->error_redirect( 3 ); $this->error( 3, $user_claim_result );
} }
$user_claim = json_decode( $user_claim_result['body'], true ); $user_claim = json_decode( $user_claim_result['body'], true );
@ -314,7 +370,7 @@ class OpenID_Connect_Generic {
$create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim ); $create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim );
if ( ! $create_user ) { if ( ! $create_user ) {
$this->error_redirect( 9 ); $this->error( 9 );
} }
// create the new user // create the new user
@ -322,9 +378,13 @@ class OpenID_Connect_Generic {
// make sure we didn't fail in creating the user // make sure we didn't fail in creating the user
if ( is_wp_error( $uid ) ) { if ( is_wp_error( $uid ) ) {
$this->error_redirect( 6 ); $this->error( 6, $uid );
} }
$this->log(array(
'message' => 'New user created: '. $uid
), 'success' );
$user = get_user_by( 'id', $uid ); $user = get_user_by( 'id', $uid );
// save some meta data about this new user for the future // save some meta data about this new user for the future
@ -337,7 +397,7 @@ class OpenID_Connect_Generic {
// ensure our found user is a real WP_User // ensure our found user is a real WP_User
if ( ! is_a( $user, 'WP_User' ) || ! $user->exists() ) { if ( ! is_a( $user, 'WP_User' ) || ! $user->exists() ) {
$this->error_redirect( 7 ); $this->error( 7, $user );
} }
// hey, we made it! // hey, we made it!
@ -352,6 +412,11 @@ class OpenID_Connect_Generic {
// get a cookie and go home! // get a cookie and go home!
wp_set_auth_cookie( $user->ID, false ); wp_set_auth_cookie( $user->ID, false );
$this->log(array(
'message' => "Successful login for: {$user->user_login} ({$user->ID})"
), 'success' );
wp_redirect( home_url() ); wp_redirect( home_url() );
// - end user handling // - end user handling
} }
@ -500,7 +565,7 @@ class OpenID_Connect_Generic {
// errors and auto login can't happen at the same time // errors and auto login can't happen at the same time
if ( isset( $_GET['login-error'] ) ) { if ( isset( $_GET['login-error'] ) ) {
$message = $this->error_message( $_GET['login-error'] ); $message = $this->get_error_message( $_GET['login-error'] );
} }
else if ( $settings['login_type'] == 'auto' ) { else if ( $settings['login_type'] == 'auto' ) {
wp_redirect( $this->make_authentication_url() ); wp_redirect( $this->make_authentication_url() );
@ -519,11 +584,27 @@ class OpenID_Connect_Generic {
* Handle errors by redirecting the user to the login form * Handle errors by redirecting the user to the login form
* along with an error code * along with an error code
* *
* @param $error_number * @param $error_number - required
*/ */
function error_redirect( $error_number ){ function error( $error_number ) {
$args = func_get_args();
$error_number = array_shift($args);
$url = wp_login_url() . '?login-error=' . $error_number; $url = wp_login_url() . '?login-error=' . $error_number;
$error = array(
'error id' => $error_number,
'error message' => $this->errors[ $error_number ],
);
// allow for additional error details
if ( !empty( $args ) ){
$error['details'] = $args;
}
// attempt to log the error
$this->log( $error );
// redirect user back to login page
wp_redirect( $url ); wp_redirect( $url );
exit; exit;
} }
@ -534,7 +615,7 @@ class OpenID_Connect_Generic {
* @param $error_number * @param $error_number
* @return string * @return string
*/ */
function error_message( $error_number ){ function get_error_message( $error_number ){
// fallback to unknown error // fallback to unknown error
if ( ! isset( $this->errors[ $error_number ] ) ) { if ( ! isset( $this->errors[ $error_number ] ) ) {
$error_number = 99; $error_number = 99;
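Review bot: error() in the hunk at @ -519,11 stores every extra argument verbatim as `$error['details']`, and the call sites at @ -196,7, @ -241,14, @ -298,7, @ -322,9 and @ -337,7 pass the raw `$token_result`, `$user_claim_result`, `$uid` and `$user` values, so provider responses and WP_Error/WP_User objects are persisted in wp_options and later rendered on the settings page; reduce each detail before it is logged, e.g. in the `if ( !empty( $args ) )` branch: `foreach ( $args as $i => $d ) { if ( is_wp_error( $d ) ) { $args[ $i ] = array( 'code' => $d->get_error_code(), 'message' => $d->get_error_message() ); } }`. The `'error message' => $this->errors[ $error_number ]` line has no isset fallback, unlike get_error_message() in the last hunk, so an unknown code raises an undefined-index notice inside the error path; use `'error message' => $this->get_error_message( $error_number ),`. The docblock above log() in the hunk at @ -98,6 is empty; it should state the guard, e.g. `/** Record $data in the log, but only when the enable_logging setting is on. */`. The func_get_args()/array_shift pair in error() also hides the variadic contract from the docblock, so at least add `@param mixed ... - optional extra details stored with the log entry` under `@param $error_number`.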
