Added extra logging support via Monolog.

orware · orware · commit 75e8c4ba605d · 2021-03-13T08:18:17.000-08:00
diff --git a/composer.json b/composer.json
@@ -1,5 +1,6 @@
 {
     "require": {
-        "directorytree/ldaprecord": "^2.2"
+        "directorytree/ldaprecord": "^2.2",
+        "monolog/monolog": "^2.2"
     }
 }
diff --git a/composer.lock b/composer.lock
diff --git a/configuration.example.php b/configuration.example.php
@@ -1,9 +1,17 @@
 <?php
 defined('_SFTPGO') or die;
 define('_SFTPGO_CLI', PHP_SAPI === 'cli');
-define("_SFTPGO_DEBUG", false);
+define('_SFTPGO_LOG', false);
+define('_SFTPGO_DEBUG', false);
+define('_SFTPGO_DEBUG_ENV', false);
 
 use LdapRecord\Connection;
+use Monolog\Logger;
+use Monolog\Handler\RotatingFileHandler;
+
+// create a log channel
+$log = new Logger('name');
+$log->pushHandler(new RotatingFileHandler('logs/sftpgo-ldap.log', 30, Logger::DEBUG));
 
 // If the debug flag is set to true, please set the username/password directly for the LDAP user you want to test below:
 $debug_object = '{"username":"test","password":"test","ip":"::1","keyboard_interactive":"","protocol":"SSH","public_key":""}';
diff --git a/functions.php b/functions.php
@@ -4,21 +4,28 @@
 function isAllowedIP() {
     global $allowed_ips;
 
-    if (_SFTPGO_CLI) {
+    logMessage('Starting Execution Process');
+    if (defined('_SFTPGO_CLI') && _SFTPGO_CLI === true) {
+        logMessage('CLI Execution Mode...skipping Allowed IP check');
         return true;
     }
 
     $remoteIP = $_SERVER['REMOTE_ADDR'];
 
     if (array_search($remoteIP, $allowed_ips) !== false) {
+        logMessage('Web Execution Mode...' . $remoteIP . ' is allowed.');
         return true;
     }
 
+    logMessage('Web Execution Mode...' . $remoteIP . ' is not allowed.');
+
     denyRequest();
 }
 
 function authenticateUser() {
+    logMessage('Before getData()');
     $data = getData();
+    logMessage('After getData()');
 
     if (!empty($data)) {
 
@@ -27,7 +34,9 @@ function authenticateUser() {
 
             foreach($connections as $connectionName => $connection) {
 
+                logMessage('Before connection attempt to ' . $connectionName);
                 $connection->connect();
+                logMessage('After connection attempt to ' . $connectionName);
 
                 $configuration = $connection->getConfiguration();
                 $baseDn = $configuration->get('base_dn');
@@ -40,18 +49,25 @@ function authenticateUser() {
                     ->first();
 
                 if ($user) {
+                    logMessage('Username exists: ' . $data['username']);
                     // Our user is a member of one of the allowed groups.
                     // Continue with authentication.
                     $userDistinguishedName = $user['distinguishedname'][0];
+
+                    logMessage('Before authentication attempt for: ' . $data['username']);
                     if ($connection->auth()->attempt($userDistinguishedName, $data['password'])) {
                         // User has been successfully authenticated.
+                        logMessage('After authentication attempt for: ' . $data['username'] . ' (success!)');
                         $output = createResponseObject($connectionName, $data['username']);
                         createResponse($output);
                     } else {
                         // Username or password is incorrect.
+                        logMessage('After authentication attempt for: ' . $data['username'] . ' (failed!)');
                         denyRequest();
                     }
                 }
+
+                logMessage('User lookup failed for: ' . $data['username']);
             }
 
         } catch (\LdapRecord\Auth\BindException $e) {
@@ -90,20 +106,29 @@ function createResponseObject($connectionName, $username) {
 function getData() {
     if (defined('_SFTPGO_DEBUG') && _SFTPGO_DEBUG === true) {
         global $debug_object;
+        logMessage('Using $debug_object from configuration.php (authentication may fail if this object does not have correct credentials at the moment.)');
         $data = $debug_object;
     }
 
     if (!isset($data)) {
         $data = [];
-        if (_SFTPGO_CLI) {
-            if (isset($_ENV['SFTPGO_AUTHD_USERNAME']) && isset($_ENV['SFTPGO_AUTHD_PASSWORD'])) {
-                $username = $_ENV['SFTPGO_AUTHD_USERNAME'];
-                $password = $_ENV['SFTPGO_AUTHD_PASSWORD'];
-                $ip = $_ENV['SFTPGO_AUTHD_IP'];
-                $protocol = $_ENV['SFTPGO_AUTHD_PROTOCOL'];
-                $public_key = $_ENV['SFTPGO_AUTHD_PUBLIC_KEY'];
-                $keyboard_interactive = $_ENV['SFTPGO_AUTHD_KEYBOARD_INTERACTIVE'];
-                $tls_cert = $_ENV['SFTPGO_AUTHD_TLS_CERT'];
+        if (defined('_SFTPGO_CLI') && _SFTPGO_CLI === true) {
+            $environment = getenv();
+
+            if (defined('_SFTPGO_DEBUG_ENV') && _SFTPGO_DEBUG_ENV === true) {
+                echo json_encode($environment, true);
+                sleep(15);
+                exit;
+            }
+
+            if (isset($environment['SFTPGO_AUTHD_USERNAME']) && isset($environment['SFTPGO_AUTHD_PASSWORD'])) {
+                $username = $environment['SFTPGO_AUTHD_USERNAME'];
+                $password = $environment['SFTPGO_AUTHD_PASSWORD'];
+                $ip = $environment['SFTPGO_AUTHD_IP'];
+                $protocol = $environment['SFTPGO_AUTHD_PROTOCOL'];
+                $public_key = $environment['SFTPGO_AUTHD_PUBLIC_KEY'];
+                $keyboard_interactive = $environment['SFTPGO_AUTHD_KEYBOARD_INTERACTIVE'];
+                $tls_cert = $environment['SFTPGO_AUTHD_TLS_CERT'];
 
                 $data = [
                     'username' => $username,
@@ -128,19 +153,20 @@ function getData() {
 }
 
 function createResponse($output) {
-    if (_SFTPGO_CLI) {
+    if (defined('_SFTPGO_CLI') && _SFTPGO_CLI === true) {
         echo json_encode($output);
     } else {
         http_response_code(200);
         header('Content-Type: application/json');
         echo json_encode($output);
     }
 
+    logMessage('Authentication Successful');
     exit;
 }
 
 function denyRequest() {
-    if (_SFTPGO_CLI) {
+    if (defined('_SFTPGO_CLI') && _SFTPGO_CLI === true) {
         $output = [
             'username' => ''
         ];
@@ -149,6 +175,7 @@ function denyRequest() {
         http_response_code(500);
     }
 
+    logMessage('Authentication Failed');
     exit;
 }
 
@@ -185,4 +212,12 @@ function homeDirectoryEntriesExist() {
             echo "Missing Home Directory Entry for: " . $connectionName . '<br />';
         }
     }
+}
+
+function logMessage($message, $extra = []) {
+    if (defined('_SFTPGO_LOG') && _SFTPGO_LOG === true) {
+        global $log;
+
+        $log->info($message, $extra);
+    }
 }
diff --git a/logs/.htaccess b/logs/.htaccess
@@ -0,0 +1 @@
+deny from all

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"require": {`
`3`		`- "directorytree/ldaprecord": "^2.2"`
	`3`	`+ "directorytree/ldaprecord": "^2.2",`
	`4`	`+ "monolog/monolog": "^2.2"`
`4`	`5`	`}`
`5`	`6`	`}`