Contributor

@markafarrell markafarrell commented May 15, 2025

Description

  • What is being changed?
    Modifies the local and oidc authentication plugins so that logs are emitted for:
    • Login attempts
    • Login Successes
    • Login Failures
  • Why is this change needed?
    This assists with auditing user accesses
  • How does this change address the issue?
    Logs are emitted that can be inspected to audit what users are logging in and if any failed login attempts are occurring

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Test update
  • Refactoring (no functional changes)
  • Development environment change
  • Configuration change

Self-Review Checklist

  • I have performed a self-review of my code
  • I have added relevant comments to complex code sections
  • I have updated documentation where needed
  • I have considered the security impact of these changes
  • I have considered performance implications
  • I have thought about error handling and edge cases
  • I have tested the changes in my local environment

Testing Instructions

Login using either local or oidc and check logs for emitted logs

Prerequisites

N/A

Steps to Test

  1. Login successfully using local user
  2. Confirm logs contain expected logs
  3. Attempt to login using local user with incorrect credentials
  4. Confirm logs contain expected logs
  5. Login using oidc
  6. Confirm logs contain expected logs

Expected Results

Failed local login

2025-05-15 03:47:07,597 WARNING  898d5f6b-45a9-4388-bdb7-afbc43ad77a3 ansible_base.authentication.authenticator_plugins.local Login attempt for user: asdf HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 HTTP_X_FORWARDED_FOR: 10.111.0.10,100.73.10.4 REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN
2025-05-15 03:47:07,695 WARNING  898d5f6b-45a9-4388-bdb7-afbc43ad77a3 ansible_base.authentication.authenticator_plugins.local Failed login for user: asdf HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 HTTP_X_FORWARDED_FOR: 10.111.0.10,100.73.10.4 REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN

Successful oidc login

2025-05-15 03:48:20,859 WARNING  caea1e96-239d-4af1-ad1e-0f74a4ffbb72 ansible_base.authentication.authenticator_plugins.oidc Login attempt for HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 HTTP_X_FORWARDED_FOR: 10.111.0.10,100.73.10.4 REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN
2025-05-15 03:48:21,299 WARNING  caea1e96-239d-4af1-ad1e-0f74a4ffbb72 ansible_base.authentication.authenticator_plugins.oidc Successful login for Mark Farrell HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 HTTP_X_FORWARDED_FOR: 10.111.0.10,100.73.10.4 REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN

Successful local login

2025-05-15 03:50:12,925 WARNING  90d1301d-6646-4e95-bb17-10950d9eaed2 ansible_base.authentication.authenticator_plugins.local Login attempt for user: admin HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 HTTP_X_FORWARDED_FOR: 10.111.0.10,100.73.10.4 REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN
2025-05-15 03:50:13,052 WARNING  90d1301d-6646-4e95-bb17-10950d9eaed2 ansible_base.authentication.authenticator_plugins.local Successful login for user: admin HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 HTTP_X_FORWARDED_FOR: 10.111.0.10,100.73.10.4 REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN

Additional Context

Required Actions

  • Requires documentation updates
  • Requires downstream repository changes
  • Requires infrastructure/deployment changes
  • Requires coordination with other teams
  • Blocked by PR/MR: #XXX

Screenshots/Logs
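
Added example, not part of this pull request or the project's code: a parser for log lines in the layout shown under Expected Results that counts failed logins per plugin, user and first X-Forwarded-For hop. The sample lines, request ids, user names and addresses are constructed; the INFO level and the OIDC failure line without a user follow the code snippets quoted later in the review.

```python
import re
from collections import Counter

# Line layout as shown under "Expected Results": timestamp, level, request id,
# logger name, then the message with four "KEY: value" request fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +(?P<level>[A-Z]+) +"
    r"(?P<request_id>[0-9a-f-]{36}) +"
    r"ansible_base\.authentication\.authenticator_plugins\.(?P<plugin>\w+) +"
    r"(?P<event>Login attempt|Successful login|Failed login)(?: for)?(?P<subject>.*?) ?"
    r"HTTP_USER_AGENT: (?P<user_agent>.*) HTTP_X_FORWARDED_FOR: (?P<xff>.*) "
    r"REMOTE_ADDR: (?P<remote_addr>.*) REMOTE_HOST: (?P<remote_host>.*)$"
)

def parse_line(line):
    """Return the fields of one authentication log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The local plugin writes "user: <name>"; oidc writes the user object or nothing.
    rec["user"] = rec.pop("subject").strip().removeprefix("user: ") or None
    # X-Forwarded-For is a comma-separated chain; its entries are client-supplied
    # unless a trusted proxy overwrites the header.
    rec["xff"] = [hop.strip() for hop in rec["xff"].split(",")]
    return rec

def failed_logins(lines):
    """Count failed logins per (plugin, user, first X-Forwarded-For hop)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "Failed login":
            counts[(rec["plugin"], rec["user"], rec["xff"][0])] += 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up request ids and users).
_P = "ansible_base.authentication.authenticator_plugins"
_H = "HTTP_USER_AGENT: ExampleBrowser/1.0 (X11; Linux) HTTP_X_FORWARDED_FOR: {} REMOTE_ADDR: 127.0.0.1 REMOTE_HOST: UNKNOWN"
SAMPLE = [
    f"2025-05-15 03:47:07,597 INFO     11111111-1111-4111-8111-111111111111 {_P}.local Login attempt for user: alice " + _H.format("198.51.100.7,192.0.2.1"),
    f"2025-05-15 03:47:07,695 INFO     11111111-1111-4111-8111-111111111111 {_P}.local Failed login for user: alice " + _H.format("198.51.100.7,192.0.2.1"),
    f"2025-05-15 03:47:09,120 INFO     22222222-2222-4222-8222-222222222222 {_P}.local Failed login for user: alice " + _H.format("198.51.100.7,192.0.2.1"),
    f"2025-05-15 03:48:21,299 INFO     33333333-3333-4333-8333-333333333333 {_P}.oidc Successful login for Example User " + _H.format("203.0.113.9"),
    f"2025-05-15 03:49:02,004 INFO     44444444-4444-4444-8444-444444444444 {_P}.oidc Failed login " + _H.format("203.0.113.9"),
]

if __name__ == "__main__":
    for key, count in failed_logins(SAMPLE).items():
        print(count, key)
```

Because the message is free text with space-separated fields, a client-supplied value that itself contains one of the field names makes the line ambiguous to parse.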

Contributor

@BrennanPaciorek BrennanPaciorek left a comment

I'm alright with logging this information, but would INFO not be a more suitable log level for at least successful logins?

@markafarrell markafarrell force-pushed the feature/log-authentication-attempts branch from b3d8fd0 to 243713d Compare May 20, 2025 23:09
@markafarrell markafarrell force-pushed the feature/log-authentication-attempts branch from 243713d to 737b931 Compare May 20, 2025 23:11

DVCS PR Check Results:

Could not find JIRA key(s) in PR title, branch name, or commit messages

@markafarrell
Contributor Author

I'm alright with logging this information, but would INFO not be a more suitable log level for at least successful logins?

@BrennanPaciorek Changed to info log level

f"REMOTE_HOST: {request.META['REMOTE_HOST'] if 'REMOTE_HOST' in request.META else 'UNKNOWN'}"
)

logger.info(f"Login attempt for user: {username} {auth_log_headers}")
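
Review bot: `username` in the `Login attempt for user:` message comes straight from the login request and is interpolated into the log line unescaped, so a value containing a line break can split one entry into two and forge a record in what is meant to be an audit trail. Strip or escape control characters before formatting, for example by passing the value as a logging argument rendered with `%r` instead of an f-string. The `request.META[...] if ... in request.META else 'UNKNOWN'` expression on the `REMOTE_HOST` line is also simpler as `request.META.get('REMOTE_HOST', 'UNKNOWN')`.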
Member

Should we make this a debug log level or do we feel like these headers are info level worthy?

Comment on lines +81 to +83
logger.info(f"Successful login for user: {username} {auth_log_headers}")
else:
logger.info(f"Failed login for user: {username} {auth_log_headers}")
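
Review bot: the `else` branch logs `Failed login for user:` with `logger.info`, the same level as the success branch, so failed logins cannot be selected or alerted on by level and are dropped entirely when the logger is configured above INFO. Log the failure with `logger.warning` and keep `logger.info` for the successful case.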
Member

We are logging the auth headers here again, I think we can drop it out of these messages.

Contributor Author

I think it's valuable to have the status and the headers in a single log entry. It lets you easily determine where the successes/failures are coming from. I think we can probably drop the attempt log to debug.

Comment on lines +224 to +246
def authenticate(self, *args, **kwargs):
request = args[0]

auth_log_headers = (
f"HTTP_USER_AGENT: {request.META['HTTP_USER_AGENT'] if 'HTTP_USER_AGENT' in request.META else 'UNKNOWN'} "
f"HTTP_X_FORWARDED_FOR: {request.META['HTTP_X_FORWARDED_FOR'] if 'HTTP_X_FORWARDED_FOR' in request.META else 'UNKNOWN'} "
f"REMOTE_ADDR: {request.META['REMOTE_ADDR'] if 'REMOTE_ADDR' in request.META else 'UNKNOWN'} "
f"REMOTE_HOST: {request.META['REMOTE_HOST'] if 'REMOTE_HOST' in request.META else 'UNKNOWN'}"
)

if "backend" in kwargs and kwargs["backend"].name == self.name:
logger.info(f"Login attempt for {auth_log_headers}")

user = super().authenticate(*args, **kwargs)

if "backend" in kwargs and kwargs["backend"].name == self.name:
if user:
logger.info(f"Successful login for {user} {auth_log_headers}")
else:
logger.info(f"Failed login {auth_log_headers}")

return user
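
Review bot: `request = args[0]` at the top of `authenticate` raises IndexError when the request is passed by keyword or not passed at all, and the `auth_log_headers` string is built on every call before the `"backend" in kwargs and kwargs["backend"].name == self.name` check decides whether anything is logged. Read the request defensively, build the string only inside the matching-backend branch, and put the four-field formatting in one shared helper, since the same `REMOTE_HOST` line already appears in the earlier snippet. The failure branch also logs `Failed login` with no user or backend identifier, which leaves only the request fields to tell OIDC failures apart.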

Member

Should we move this to the SocialAuthMixin so that all of the classes derived from that get this logging? Same comments about logging the auth_log_headers as debug and removing it from the "Successful/Failed" login messages.

Contributor Author

Probably a good idea.

@john-westcott-iv john-westcott-iv changed the title Emit logs for authentication failures and successes (local and oidc authenticator plugins [WIP] Emit logs for authentication failures and successes (local and oidc authenticator plugins Jul 10, 2025