owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Failed login attempts not logged correctly #6859

Open simone-viozzi opened 1 year ago

simone-viozzi commented 1 year ago

Describe the bug

Following the guide to set up Fail2Ban I noticed that I don't have any log entry with "message":"invalid credentials".

I also asked if the documentation was up-to-date (https://github.com/owncloud/docs-ocis/issues/421#issuecomment-1642368946) and it is. So I should have failed login attempts logged, same as in the guide.

Steps to reproduce

Steps to reproduce the behavior:

  1. Set the env vars for the OCIS container OCIS_LOG_FILE: /var/lib/ocis/logs/ocis.log & OCIS_LOG_LEVEL: info
  2. Mount the log to a file in the host - ./logs:/var/lib/ocis/logs
  3. Run a command to follow and filter the logs: tail -f -n 50 logs/ocis.log | grep -C 5 --line-buffered "xxx.xxx.xxx.xxx" with the IP from which you will do the failed login attempts. With grep -C it will print 5 lines above and 5 below as context.
  4. Do some failed login attempts.
  5. There is no "invalid credential" in the log:
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001480","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":201.423496,"bytes":0,"time":"2023-07-20T14:19:59.685640131Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001482","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":175.416267,"bytes":0,"time":"2023-07-20T14:20:03.615679404Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001484","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":223.350343,"bytes":0,"time":"2023-07-20T14:20:05.187650668Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001486","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":84.03417,"bytes":0,"time":"2023-07-20T14:20:05.927240737Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"auth-machine","pkg":"rgrpc","traceid":"00000000000000000000000000000000","time":"2023-07-20T14:20:06.750741625Z","line":"github.com/cs3org/reva/v2@v2.14.0/internal/grpc/services/authprovider/authprovider.go:141","message":"user idp:\"https://ocis.simoserver.it\" opaque_id:\"c2199d77-1ee0-4856-a6b3-28a3d8ef52a0\" type:USER_TYPE_PRIMARY  authenticated"}
{"level":"info","service":"graph","request-id":"aa77e0fc-06d8-41a1-87c7-6e5472ee1fb6","query":{},"unrestricted":false,"time":"2023-07-20T14:20:06.765628453Z","line":"github.com/owncloud/ocis/v2/services/graph/pkg/service/v0/drives.go:80","message":"calling get drives"}
{"level":"info","service":"storage-system","pkg":"rgrpc","traceid":"00000000000000000000000000000000","time":"2023-07-20T14:20:06.783695604Z","line":"github.com/cs3org/reva/v2@v2.14.0/internal/grpc/services/authprovider/authprovider.go:141","message":"user idp:\"internal\" opaque_id:\"5f170f85-cc28-487d-a65a-8cfe22a1414d\" type:USER_TYPE_PRIMARY  authenticated"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"aa77e0fc-06d8-41a1-87c7-6e5472ee1fb6","remote-addr":"151.81.252.241","method":"GET","status":200,"path":"/graph/v1.0/me/drives","duration":38.776821,"bytes":1259,"time":"2023-07-20T14:20:06.78670824Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001488","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":158.024687,"bytes":0,"time":"2023-07-20T14:20:06.79897321Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001490","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":158.970953,"bytes":0,"time":"2023-07-20T14:20:07.564358471Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-001492","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":184.098427,"bytes":0,"time":"2023-07-20T14:20:08.32562988Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}

Expected behavior

Each failed login attempt should generate 2 consecutive log entries, as described in the documentation:

{"level":"error","service":"idm","bind_dn":"uid=someuser,ou=users,o=libregraph-idm","op":"bind","remote_addr":"127.0.0.1:59672","time":"2023-03-20T19:26:04.726564978Z","message":"invalid credentials"}

{"level":"info","service":"proxy","proto":"HTTP/1.0","request-id":"blabla","remote-addr":"123.123.123.123","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":135.139963,"bytes":0,"time":"2023-03-20T19:26:04.727076622Z","message":"access-log"}

Actual behavior

There is no log containing "message":"invalid credentials".

Setup

The setup is done following the ocis_wopi guide.

Additional context

I'm running OCIS 3.0.0. I updated it from 2.0.0 following the release notes.
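
An added example (not part of the issue or of the oCIS project) of the correlation the documented log format allows: the proxy access-log line alone, with status 204 in both the documented sample and the report, does not mark a failure, so a failed login can only be attributed to a client IP by pairing it with the preceding idm "invalid credentials" entry. The one-second pairing window, the helper names and the sample lines (with the IP 203.0.113.7) are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime

LOGON_PATH = "/signin/v1/identifier/_/logon"
MAX_GAP_SECONDS = 1.0  # assumption: pairing window, not an oCIS setting

def parse_time(ts):
    # The timestamps carry up to nanoseconds; strptime accepts microseconds.
    head, _, frac = ts.rstrip("Z").partition(".")
    return datetime.strptime(f"{head}.{frac[:6] or '0'}", "%Y-%m-%dT%H:%M:%S.%f")

def failed_logins(lines, max_gap=MAX_GAP_SECONDS):
    """Count failed logins per client IP by pairing each idm
    "invalid credentials" entry with the next proxy logon access-log entry."""
    failures, pending = Counter(), None  # pending: time of unmatched idm error
    for raw in lines:
        try:
            entry = json.loads(raw)
            when = parse_time(entry["time"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip non-JSON lines and entries without a usable time
        msg = entry.get("message")
        if entry.get("service") == "idm" and msg == "invalid credentials":
            pending = when
        elif msg == "access-log" and entry.get("path") == LOGON_PATH:
            gap = (when - pending).total_seconds() if pending is not None else -1
            if 0 <= gap <= max_gap:
                failures[entry.get("remote-addr", "unknown")] += 1
            pending = None  # a logon with no idm error before it is not counted
    return failures

def idm_line(ts):  # constructed sample, shaped like the documented idm entry
    return json.dumps({"level": "error", "service": "idm", "op": "bind",
                       "time": ts, "message": "invalid credentials"})

def proxy_line(ts, ip):  # constructed sample, shaped like the proxy access-log
    return json.dumps({"level": "info", "service": "proxy", "remote-addr": ip,
                       "status": 204, "path": LOGON_PATH, "time": ts,
                       "message": "access-log"})

# Constructed log in the documented shape: two failures, then one clean logon.
DOCUMENTED = [idm_line("2023-03-20T19:26:04.726564978Z"), proxy_line("2023-03-20T19:26:04.727076622Z", "203.0.113.7"),
              idm_line("2023-03-20T19:26:09.100000000Z"), proxy_line("2023-03-20T19:26:09.100900000Z", "203.0.113.7"),
              proxy_line("2023-03-20T19:26:15.000000000Z", "203.0.113.7")]
# Constructed log in the shape reported here: access-log entries only.
REPORTED = [proxy_line(f"2023-07-20T14:20:0{s}.500000000Z", "203.0.113.7") for s in (3, 5, 7)]

print(dict(failed_logins(DOCUMENTED)), dict(failed_logins(REPORTED)))
```

Pairing by adjacency can misattribute a failure when several clients log in within the same window, because the documented idm entry carries only the internal `remote_addr`, not the client IP.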

mmattel commented 1 year ago

@saw-jan fyi, this case was the origin to improve docs.

wkloucek commented 1 year ago

@mmattel this also is a limitation of the built-in IDP we should document. Other IDPs like e.g. Keycloak support Bruteforce Protection out of the box, see e.g. https://www.keycloak.org/docs/latest/server_admin/#password-guess-brute-force-attacks