feat(admin-log): added logging for security-relevant actions (#3833)

Author: thorsten

CHANGELOG.md

@@ -11,6 +11,7 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 - changed PHP requirement to PHP 8.4 or later (Thorsten)
 - added Symfony Router for frontend (Thorsten)
 - added API for glossary definitions (Thorsten)
+- improved audit and activity log with comprehensive security event tracking (Thorsten)
 - improved API errors with formatted RFC 7807 Problem Details JSON responses (Thorsten)
 - migrated codebase to use PHP 8.4 language features (Thorsten)
 

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationController.php

@@ -19,8 +19,8 @@
 
 namespace phpMyFAQ\Controller\Administration\Api;
 
-use phpMyFAQ\Controller\AbstractController;
 use phpMyFAQ\Core\Exception;
+use phpMyFAQ\Enums\AdminLogType;
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
@@ -30,7 +30,7 @@
 use Symfony\Component\Mailer\Exception\TransportExceptionInterface;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class ConfigurationController extends AbstractController
+final class ConfigurationController extends AbstractAdministrationApiController
 {
     /**
      * @throws Exception|\Exception
@@ -84,6 +84,8 @@ public function activateMaintenanceMode(Request $request): JsonResponse
 
         $this->configuration->set('main.maintenanceMode', 'true');
 
+        $this->adminLog->log($this->currentUser, AdminLogType::SYSTEM_MAINTENANCE_MODE_ENABLED->value);
+
         return $this->json(['success' => Translation::get(key: 'healthCheckOkay')], Response::HTTP_OK);
     }
 }

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php

@@ -194,11 +194,102 @@ public function save(Request $request): JsonResponse
         $this->configuration->update($newConfigValues);
 
         $changedKeys = array_keys(array_diff_assoc($newConfigValues, $oldConfigurationData));
+
+        // General configuration change log
         $this->adminLog->log($this->currentUser, AdminLogType::CONFIG_CHANGE->value . ':' . implode(',', $changedKeys));
 
+        // Specific security-related configuration change logs
+        $this->logSecurityConfigChanges($changedKeys, $oldConfigurationData, $newConfigValues);
+
         return $this->json(['success' => Translation::get(key: 'ad_config_saved')], Response::HTTP_OK);
     }
 
+    /**
+     * Log specific security-related configuration changes
+     */
+    private function logSecurityConfigChanges(array $changedKeys, array $oldConfig, array $newConfig): void
+    {
+        // Maintenance mode changes
+        if (in_array('main.maintenanceMode', $changedKeys)) {
+            if ($newConfig['main.maintenanceMode'] === 'false' && $oldConfig['main.maintenanceMode'] === 'true') {
+                $this->adminLog->log($this->currentUser, AdminLogType::SYSTEM_MAINTENANCE_MODE_DISABLED->value);
+            } elseif ($newConfig['main.maintenanceMode'] === 'true' && $oldConfig['main.maintenanceMode'] === 'false') {
+                $this->adminLog->log($this->currentUser, AdminLogType::SYSTEM_MAINTENANCE_MODE_ENABLED->value);
+            }
+        }
+
+        // Security configuration keys
+        $securityKeys = [
+            'security.permLevel',
+            'security.enableLoginOnly',
+            'security.enableRegistration',
+            'security.useSslForLogins',
+            'security.useSslOnly',
+            'security.forcePasswordUpdate',
+            'security.enableWebAuthnSupport',
+            'security.bannedIPs',
+            'security.loginWithEmailAddress',
+            'security.enableSignInWithMicrosoft',
+            'security.domainWhiteListForRegistrations',
+        ];
+
+        $securityChanges = array_intersect($changedKeys, $securityKeys);
+        if ($securityChanges !== []) {
+            $details = [];
+            foreach ($securityChanges as $key) {
+                $details[] = $key . ':' . ($oldConfig[$key] ?? 'null') . '->' . ($newConfig[$key] ?? 'null');
+            }
+            $this->adminLog->log(
+                $this->currentUser,
+                AdminLogType::CONFIG_SECURITY_CHANGED->value . ':' . implode(';', $details),
+            );
+        }
+
+        // LDAP configuration keys
+        $ldapKeys = [
+            'ldap.ldapSupport',
+            'ldap.ldap_server',
+            'ldap.ldap_port',
+            'ldap.ldap_base',
+            'ldap.ldap_groupSupport',
+        ];
+
+        $ldapChanges = array_intersect($changedKeys, $ldapKeys);
+        if ($ldapChanges !== []) {
+            $this->adminLog->log(
+                $this->currentUser,
+                AdminLogType::CONFIG_LDAP_CHANGED->value . ':' . implode(',', $ldapChanges),
+            );
+        }
+
+        // SSO configuration keys
+        $ssoKeys = [
+            'security.ssoSupport',
+            'security.ssoLogoutRedirect',
+        ];
+
+        $ssoChanges = array_intersect($changedKeys, $ssoKeys);
+        if ($ssoChanges !== []) {
+            $this->adminLog->log(
+                $this->currentUser,
+                AdminLogType::CONFIG_SSO_CHANGED->value . ':' . implode(',', $ssoChanges),
+            );
+        }
+
+        // Encryption configuration keys
+        $encryptionKeys = [
+            'security.encryptionType',
+        ];
+
+        $encryptionChanges = array_intersect($changedKeys, $encryptionKeys);
+        if ($encryptionChanges !== []) {
+            $this->adminLog->log(
+                $this->currentUser,
+                AdminLogType::CONFIG_ENCRYPTION_CHANGED->value . ':' . implode(',', $encryptionChanges),
+            );
+        }
+    }
+
     /**
      * @throws \Exception
      */

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/SessionController.php

@@ -21,7 +21,7 @@
 namespace phpMyFAQ\Controller\Administration\Api;
 
 use Exception;
-use phpMyFAQ\Controller\AbstractController;
+use phpMyFAQ\Enums\AdminLogType;
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
@@ -32,7 +32,7 @@
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class SessionController extends AbstractController
+final class SessionController extends AbstractAdministrationApiController
 {
     /**
      * @throws Exception
@@ -57,10 +57,13 @@ public function export(Request $request): BinaryFileResponse|JsonResponse
         $file = fopen($filePath, mode: 'w');
         if ($file) {
             foreach ($data as $row) {
-                fputcsv($file, [$row['ip'], $row['time']], separator: ',', enclosure: '"', escape: '\\', eol: PHP_EOL);
+                fputcsv($file, [$row['ip'], $row['time']], separator: ',', enclosure: '"', eol: PHP_EOL);
             }
 
             fclose($file);
+
+            $this->adminLog->log($this->currentUser, AdminLogType::DATA_EXPORT_SESSIONS->value);
+
             $binaryFileResponse = new BinaryFileResponse($filePath);
             $binaryFileResponse->setContentDisposition(
                 ResponseHeaderBag::DISPOSITION_INLINE,

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php

@@ -131,6 +131,8 @@ public function csvExport(): Response
 
         fclose($handle);
 
+        $this->adminLog->log($this->currentUser, AdminLogType::DATA_EXPORT_USERS->value);
+
         $response = new Response($content);
         $response->headers->set(key: 'Content-Type', values: 'text/csv');
         $response->headers->set(key: 'Content-Disposition', values: 'attachment; filename="users.csv"');
@@ -420,19 +422,34 @@ public function editUser(Request $request): JsonResponse
         $user->getUserById($userId, allowBlockedUsers: true);
 
         $stats = $user->getStatus();
+        $wasSuperAdmin = $user->isSuperAdmin();
 
         // reset two-factor authentication if required
         if ($deleteTwoFactor) {
             $user->setUserData(['secret' => '', 'twofactor_enabled' => 0]);
+            $this->adminLog->log($this->currentUser, AdminLogType::AUTH_2FA_RESET->value . ':' . $userId);
         }
 
         // set a new password and sent email if a user is switched to active
         if ($stats === 'blocked' && $userStatus === 'active' && !$user->activateUser()) {
             $userStatus = 'invalid_status';
         }
 
-        // Set the super-admin flag
+        // Log status change
+        if ($stats !== $userStatus) {
+            $this->adminLog->log(
+                $this->currentUser,
+                AdminLogType::USER_STATUS_CHANGED->value . ':' . $userId . ' (' . $stats . ' -> ' . $userStatus . ')',
+            );
+        }
+
+        // Set the super-admin flag and log changes
         $user->setSuperAdmin((bool) $isSuperAdmin);
+        if (!$wasSuperAdmin && (bool) $isSuperAdmin) {
+            $this->adminLog->log($this->currentUser, AdminLogType::USER_SUPERADMIN_GRANTED->value . ':' . $userId);
+        } elseif ($wasSuperAdmin && !(bool) $isSuperAdmin) {
+            $this->adminLog->log($this->currentUser, AdminLogType::USER_SUPERADMIN_REVOKED->value . ':' . $userId);
+        }
 
         if (!$user->userdata->set(array_keys($userData), array_values($userData)) || !$user->setStatus($userStatus)) {
             return $this->json(['error' => 'ad_msg_mysqlerr'], Response::HTTP_BAD_REQUEST);

phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php

@@ -20,6 +20,7 @@
 namespace phpMyFAQ\Controller\Administration;
 
 use phpMyFAQ\Core\Exception;
+use phpMyFAQ\Enums\AdminLogType;
 use phpMyFAQ\Filter;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
@@ -33,7 +34,7 @@
 final class AuthenticationController extends AbstractAdministrationController
 {
     #[Route(path: '/authenticate', name: 'admin.auth.authenticate', methods: ['POST'])]
-    public function authenticate(Request $request): \Symfony\Component\HttpFoundation\RedirectResponse
+    public function authenticate(Request $request): RedirectResponse
     {
         if ($this->currentUser->isLoggedIn()) {
             return new RedirectResponse(url: './');
@@ -63,12 +64,18 @@ public function authenticate(Request $request): \Symfony\Component\HttpFoundatio
             try {
                 $this->currentUser = $userAuthentication->authenticate($username, $password);
                 if ($userAuthentication->hasTwoFactorAuthentication()) {
+                    $this->adminLog->log(
+                        $this->currentUser,
+                        AdminLogType::AUTH_LOGIN_SUCCESS->value . ' (2FA required):' . $username,
+                    );
                     return new RedirectResponse(url: './token?user-id=' . $this->currentUser->getUserId());
                 }
+
+                $this->adminLog->log($this->currentUser, AdminLogType::AUTH_LOGIN_SUCCESS->value . ':' . $username);
             } catch (Exception) {
                 $this->adminLog->log(
                     $this->currentUser,
-                    'Login-error\nLogin: ' . $username . '\nErrors: '
+                    AdminLogType::AUTH_LOGIN_FAILED->value . ':' . $username . ' - '
                         . implode(separator: ', ', array: $this->currentUser->errors),
                 );
                 return new RedirectResponse(url: './login');
@@ -124,7 +131,7 @@ public function login(Request $request): Response
      * @throws \Exception
      */
     #[Route(path: '/logout', name: 'admin.auth.logout', methods: ['GET'])]
-    public function logout(Request $request): \Symfony\Component\HttpFoundation\RedirectResponse
+    public function logout(Request $request): RedirectResponse
     {
         $this->userIsAuthenticated();
 
@@ -137,6 +144,11 @@ public function logout(Request $request): \Symfony\Component\HttpFoundation\Redi
             return $redirectResponse->send();
         }
 
+        $this->adminLog->log(
+            $this->currentUser,
+            AdminLogType::AUTH_LOGOUT->value . ':' . $this->currentUser->getLogin(),
+        );
+
         $this->currentUser->deleteFromSession(deleteCookie: true);
         $ssoLogout = $this->configuration->get(item: 'security.ssoLogoutRedirect');
         if ($this->configuration->get(item: 'security.ssoSupport') && (string) $ssoLogout !== '') {
@@ -179,7 +191,7 @@ public function token(Request $request): Response
      * @throws \Exception
      */
     #[Route(path: '/check', name: 'admin.auth.check', methods: ['POST'])]
-    public function check(Request $request): \Symfony\Component\HttpFoundation\RedirectResponse
+    public function check(Request $request): RedirectResponse
     {
         if ($this->currentUser->isLoggedIn()) {
             return new RedirectResponse(url: './');
@@ -197,8 +209,11 @@ public function check(Request $request): \Symfony\Component\HttpFoundation\Redir
 
             if ($result) {
                 $user->twoFactorSuccess();
+                $this->adminLog->log($user, AdminLogType::AUTH_2FA_SUCCESS->value . ':' . $user->getLogin());
                 return new RedirectResponse(url: './');
             }
+
+            $this->adminLog->log($user, AdminLogType::AUTH_2FA_FAILED->value . ':' . $user->getLogin());
         }
 
         return new RedirectResponse('./token?user-id=' . $userId);

phpmyfaq/src/phpMyFAQ/Enums/AdminLogType.php

@@ -54,17 +54,71 @@ enum AdminLogType: string
 
     // Configuration
     case CONFIG_CHANGE = 'config-change';
+    case CONFIG_SECURITY_CHANGED = 'config-security-changed';
+    case CONFIG_LDAP_CHANGED = 'config-ldap-changed';
+    case CONFIG_SSO_CHANGED = 'config-sso-changed';
+    case CONFIG_ENCRYPTION_CHANGED = 'config-encryption-changed';
 
     // User management
     case USER_ADD = 'user-add';
     case USER_EDIT = 'user-edit';
     case USER_DELETE = 'user-delete';
     case USER_CHANGE_PASSWORD = 'user-change-password';
     case USER_CHANGE_PERMISSIONS = 'user-change-permissions';
+    case USER_PASSWORD_RESET_REQUESTED = 'user-password-reset-requested';
+    case USER_PASSWORD_RESET_COMPLETED = 'user-password-reset-completed';
+    case USER_STATUS_CHANGED = 'user-status-changed';
+    case USER_SUPERADMIN_GRANTED = 'user-superadmin-granted';
+    case USER_SUPERADMIN_REVOKED = 'user-superadmin-revoked';
 
     // Group management
     case GROUP_ADD = 'group-add';
     case GROUP_EDIT = 'group-edit';
     case GROUP_DELETE = 'group-delete';
     case GROUP_CHANGE_PERMISSIONS = 'group-change-permissions';
+
+    // Authentication & Authorization
+    case AUTH_LOGIN_SUCCESS = 'auth-login-success';
+    case AUTH_LOGIN_FAILED = 'auth-login-failed';
+    case AUTH_LOGOUT = 'auth-logout';
+    case AUTH_SESSION_TIMEOUT = 'auth-session-timeout';
+    case AUTH_SESSION_TERMINATED = 'auth-session-terminated';
+
+    // Two-Factor Authentication
+    case AUTH_2FA_ENABLED = 'auth-2fa-enabled';
+    case AUTH_2FA_DISABLED = 'auth-2fa-disabled';
+    case AUTH_2FA_SUCCESS = 'auth-2fa-success';
+    case AUTH_2FA_FAILED = 'auth-2fa-failed';
+    case AUTH_2FA_RESET = 'auth-2fa-reset';
+
+    // WebAuthn
+    case AUTH_WEBAUTHN_REGISTER = 'auth-webauthn-register';
+    case AUTH_WEBAUTHN_LOGIN_SUCCESS = 'auth-webauthn-login-success';
+    case AUTH_WEBAUTHN_LOGIN_FAILED = 'auth-webauthn-login-failed';
+    case AUTH_WEBAUTHN_REMOVED = 'auth-webauthn-removed';
+
+    // Security Events
+    case SECURITY_UNAUTHORIZED_ACCESS = 'security-unauthorized-access';
+    case SECURITY_CSRF_VIOLATION = 'security-csrf-violation';
+    case SECURITY_PERMISSION_VIOLATION = 'security-permission-violation';
+    case SECURITY_SUSPICIOUS_ACTIVITY = 'security-suspicious-activity';
+    case SECURITY_RATE_LIMIT_EXCEEDED = 'security-rate-limit-exceeded';
+
+    // Data Exports
+    case DATA_EXPORT_USERS = 'data-export-users';
+    case DATA_EXPORT_SESSIONS = 'data-export-sessions';
+    case DATA_EXPORT_FAQS = 'data-export-faqs';
+    case DATA_EXPORT_LOGS = 'data-export-logs';
+
+    // API Security
+    case API_KEY_CREATED = 'api-key-created';
+    case API_KEY_REVOKED = 'api-key-revoked';
+    case API_UNAUTHORIZED_ACCESS = 'api-unauthorized-access';
+
+    // System Security
+    case SYSTEM_MAINTENANCE_MODE_ENABLED = 'system-maintenance-mode-enabled';
+    case SYSTEM_MAINTENANCE_MODE_DISABLED = 'system-maintenance-mode-disabled';
+    case SYSTEM_UPDATE_STARTED = 'system-update-started';
+    case SYSTEM_UPDATE_COMPLETED = 'system-update-completed';
+    case SYSTEM_UPDATE_FAILED = 'system-update-failed';
 }