sul-dlss / folio-tasks

Migration and data-loading tasks for FOLIO
MIT License

Adds configuration for mod-login. #203

Closed shelleydoljack closed 1 year ago

shelleydoljack commented 1 year ago

Closes #195

Need to run in folio-test and -stage. login_configs.tsv uploaded to folio ops migration files.

shelleydoljack commented 1 year ago

I tested login.fail.attempts on folio-dev with a setting of 1 and it worked to block the user. I'm not sure where the EVENT_LOG configurations are logged. When I tail the mod-login log, I see the following when supplying the wrong password:

mod-login-54975f494b-lg62j mod-login 17:23:26 [556158/authn] [sul] [] [mod_login] ERROR LoginAttemptsHelper  java.lang.ClassCastException: class java.lang.String cannot be cast to class java.lang.Number (java.lang.String and java.lang.Number are in module java.base of loader 'bootstrap')
mod-login-54975f494b-lg62j mod-login 17:23:26 [556158/authn] [sul] [] [mod_login] ERROR LoginAPI             Password does not match for userid 07e8be0e-1cf5-5061-b5b3-4517d9a74d77
mod-login-54975f494b-lg62j mod-login 17:23:26 [556158/authn] [sul] [] [mod_login] INFO  LogUtil              10.1.28.111:52516 POST /authn/login null HTTP_1_1 422 212 154 tid=sul Unprocessable Entity 

When a login is successful, I see this in the logs (n.b. I didn't enable SUCCESSFUL_LOGIN_ATTEMPT):

mod-login-54975f494b-lg62j mod-login 17:24:56 [383381/authn] [sul] [] [mod_login] INFO  LogUtil              10.1.28.111:41768 POST /authn/login null HTTP_1_1 201 603 124 tid=sul Created 
mod-login-54975f494b-lg62j mod-login 17:24:56 [] [] [] [] INFO  ogStorageServiceImpl For event logging `SUCCESSFUL_LOGIN_ATTEMPT` is disabled

As a test, I deleted the FAILED_LOGIN_ATTEMPT configuration and tried logging in with an incorrect password. The log shows that the configuration is disabled and it also shows the same info as when it is enabled:

mod-login-54975f494b-lg62j mod-login 17:25:51 [906645/authn] [sul] [] [mod_login] ERROR LoginAttemptsHelper  java.lang.ClassCastException: class java.lang.String cannot be cast to class java.lang.Number (java.lang.String and java.lang.Number are in module java.base of loader 'bootstrap')
mod-login-54975f494b-lg62j mod-login 17:25:51 [] [] [] [] INFO  ogStorageServiceImpl For event logging `FAILED_LOGIN_ATTEMPT` is disabled
mod-login-54975f494b-lg62j mod-login 17:25:51 [906645/authn] [sul] [] [mod_login] ERROR LoginAPI             Password does not match for userid 3b8cd81e-2fe3-4854-ad6c-5e8d82c12994
mod-login-54975f494b-lg62j mod-login 17:25:51 [906645/authn] [sul] [] [mod_login] INFO  LogUtil              10.1.28.111:41768 POST /authn/login null HTTP_1_1 422 211 104 tid=sul Unprocessable Entity 

I'm not sure EVENT_LOG works or where it is logging. I will ask in FOLIO Slack. It may not be useful after all and the only useful config is the login.fail.attempts setting.

shelleydoljack commented 1 year ago

There's a table in sul_mod_login.event_logs that is written to once these configurations are enabled. It can be queried with a GET to /authn/log/events?query=eventType=="FAILED_LOGIN_ATTEMPT" or /authn/log/events?query=timestamp=="2023-04-12T*" or even ip and userId. Example response:

{
  "id": "43d25ae0-ab7f-43fd-b6aa-eb5098fe4bcd",
  "eventType": "FAILED_LOGIN_ATTEMPT",
  "tenant": "sul",
  "userId": "07e8be0e-1cf5-5061-b5b3-4517d9a74d77",
  "ip": "10.130.139.6",
  "browserInformation": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
  "timestamp": "2023-04-12T17:23:26.336+00:00"
}
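
Added example, not part of this PR or the folio-tasks code: one way to use the event log described in the comment above for detection, by building the percent-encoded query path and flagging bursts of FAILED_LOGIN_ATTEMPT records per `userId` (what `login.fail.attempts` acts on) or per `ip` (failures spread across accounts from one source). The function names, the threshold of 3 and the 5-minute window are assumptions; the page does not show the response envelope, so the functions take a plain list of records shaped like the example response.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import quote


def events_path(cql):
    """Build the GET path for /authn/log/events with the CQL query percent-encoded."""
    return "/authn/log/events?query=" + quote(cql, safe="")


def flag_bursts(events, key, threshold=3, window=timedelta(minutes=5)):
    """Return {value of `key`: peak count} where at least `threshold`
    FAILED_LOGIN_ATTEMPT events share that value within `window`."""
    stamps_by_key = defaultdict(list)
    for event in events:
        if event.get("eventType") == "FAILED_LOGIN_ATTEMPT":
            stamps_by_key[event[key]].append(datetime.fromisoformat(event["timestamp"]))
    flagged = {}
    for value, stamps in stamps_by_key.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[value] = peak
    return flagged


def _event(event_type, user_id, ip, hhmmss):
    # Constructed sample record with the fields of the example response above.
    return {"eventType": event_type, "tenant": "sul", "userId": user_id,
            "ip": ip, "timestamp": f"2023-04-12T{hhmmss}.000+00:00"}


USER_A = "07e8be0e-1cf5-5061-b5b3-4517d9a74d77"  # userId values copied from the logs above
USER_B = "3b8cd81e-2fe3-4854-ad6c-5e8d82c12994"
IP = "10.130.139.6"
SAMPLE_EVENTS = [  # constructed for illustration; not real event_logs rows
    _event("FAILED_LOGIN_ATTEMPT", USER_A, IP, "17:23:26"),
    _event("FAILED_LOGIN_ATTEMPT", USER_A, IP, "17:24:01"),
    _event("FAILED_LOGIN_ATTEMPT", USER_A, IP, "17:25:10"),
    _event("FAILED_LOGIN_ATTEMPT", USER_B, IP, "17:25:51"),
    _event("SUCCESSFUL_LOGIN_ATTEMPT", USER_B, IP, "17:26:30"),
    _event("FAILED_LOGIN_ATTEMPT", USER_A, IP, "18:40:00"),
]

if __name__ == "__main__":
    print(events_path('eventType=="FAILED_LOGIN_ATTEMPT"'))
    print(flag_bursts(SAMPLE_EVENTS, key="userId"))
    print(flag_bursts(SAMPLE_EVENTS, key="ip"))
```
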

shelleydoljack commented 1 year ago

This has been run on folio-test and folio-stage. @jgreben ready for review/merging.