From 5d7ae1f38c9d78040fde8d862bfbd1a0016c4b97 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Wed, 4 Nov 2020 16:12:13 +0100
Subject: [PATCH] api: factor out auth logger and use for all API authentication failures
we have information here not available in the access log, especially if the /api2/extjs formatter is used, which encapsulates errors in a 200 response. So keep the auth log for now, but extend it use from create ticket calls to all authentication failures for API calls, this ensures one can also fail2ban tokens. Do that logging in a central place, which makes it simple but means that we do not have the user ID information available to include in the log.
Signed-off-by: Thomas Lamprecht
---
 src/server/rest.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/server/rest.rs b/src/server/rest.rs
index 0749b891..ea87c9c8 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -164,6 +164,15 @@ fn log_response(
 ));
 }
 }
+pub fn auth_logger() -> Result {
+ let logger_options = tools::FileLogOptions {
+ append: true,
+ prefix_time: true,
+ owned_by_backup: true,
+ ..Default::default()
+ };
+ FileLogger::new(crate::buildcfg::API_AUTH_LOG_FN, logger_options)
+}
 fn get_proxied_peer(headers: &HeaderMap) -> Option {
 lazy_static! {
@@ -687,6 +696,10 @@ async fn handle_request(
 match auth_result {
 Ok(authid) => rpcenv.set_auth_id(Some(authid.to_string())),
 Err(err) => {
+ let peer = peer.ip();
+ auth_logger()?
+ .log(format!("authentication failure; rhost={} msg={}", peer, err));
+
 // always delay unauthorized calls by 3 seconds (from start of request)
 let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err);
 tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await;
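Review bot: `pub fn auth_logger()` is a new public function with no doc comment, and since the second hunk calls it on every failed authentication, each call opens the log file afresh — that per-call cost and the `Result` the caller must handle are worth stating. Suggest `/// Open the API authentication-failure log (append mode, timestamped lines); a new file handle is created on every call.` above the signature, plus `// presumably so the unprivileged daemon can append — confirm` next to `owned_by_backup: true`, as the reason for that flag is not visible here. If callers are meant to treat a failure to open the log as best-effort rather than fatal for the request, the doc comment should say so explicitly.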
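Review bot: `auth_logger()?` on the new lines turns a failure to open the auth log into an early return from `handle_request`, so the client never receives the UNAUTHORIZED response built two lines below and the 3-second `delay_until` brute-force delay is skipped entirely — a missing or unwritable log file would remove that delay for every failed authentication. Logging should be best-effort here: `if let Ok(mut logger) = auth_logger() { logger.log(format!("authentication failure; rhost={} msg={}", peer, err)); }`, with the `Err` case reported on stderr rather than aborting the request. `peer` is defined before this hunk (the body of `handle_request` starts and ends outside it); if it is the raw TCP peer rather than the value resolved by `get_proxied_peer`, a fail2ban rule on `rhost` would ban the reverse proxy instead of the client — worth confirming. The `err` text is interpolated into the log line unescaped; if any authentication error can embed client-supplied data, a newline in it could forge a second record, so either confirm the messages are fixed strings or strip control characters before logging.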