/**
* Helper function.
*
* If the supplied logging level is at or above the current logging
* threshold then log the message after optionally encoding any special
* characters that might be dangerous when viewed by an HTML based log
* viewer. Also encode any carriage returns and line feeds to prevent log
* injection attacks. This logs all the supplied parameters: level, event
* type, whether the event represents success or failure and the log
* message. In addition, the application name, logger name/category, local
* IP address and port, the identity of the user and their source IP
* address, a logging specific user session ID, and the current date/time
* are also logged.
* If the supplied logging level is below the current logging threshold then
* the message will be discarded.
*
* @param int $level the priority level of the event - an Logger Level
* constant.
* @param int $type the type of the event - an Logger Event constant.
* @param bool $success TRUE indicates this was a successful
* event, FALSE indicates this was a failed event
* (the typical value).
* @param string $message the message to be logged.
* @param Exception $throwable The throwable Exception.
*
* @return does not return a value.
*/
private function _log($level, $type, $success, $message, $throwable)
{
// If this log level is below the threshold we can quit now.
$logLevel = self::_convertESAPILeveltoLoggerLevel($level);
if (!$this->_log4php->isEnabledFor($logLevel)) {
return;
}
$encoder = ESAPI::getEncoder();
$secConfig = ESAPI::getSecurityConfiguration();
// Add some context to log the message.
$context = '';
// The output of log level is handled here instead of providing a
// LayoutPattern to Log4PHP. This allows us to print TRACE instead of
// ALL and WARNING instead of WARN.
$levelStr = $logLevel->toString();
if ($levelStr == 'ALL') {
$levelStr = 'TRACE';
} elseif ($levelStr == 'WARN') {
$levelStr = 'WARNING';
}
$context .= $levelStr;
// Application name.
// $this->appName is set only if it is to be logged.
if ($this->_appName !== null) {
$context .= ' ' . $this->_appName;
}
// Logger name (Category in Log4PHP parlance)
$context .= ' ' . $this->_log4phpName;
// Event Type
if (!is_string($type)) {
$type = 'EVENT_UNKNOWN';
}
$context .= ' ' . $type;
// Success or Failure of Event
if ($success === true) {
$context .= '-SUCCESS';
} else {
$context .= '-FAILURE';
}
$request = ESAPI::getHttpUtilities()->getCurrentRequest();
if ($request === null) {
$request = new SafeRequest();
ESAPI::getHttpUtilities()->setCurrentHTTP($request);
}
$laddr = $request->getServerName();
if ($laddr === '') {
$laddr = 'UnknownLocalHost';
}
$lport = $request->getServerPort();
$ruser = $request->getRemoteUser();
if ($ruser === '') {
$ruser = '******';
}
$raddr = $request->getRemoteAddr();
if ($raddr === '') {
$raddr = 'UnknownRemoteHost';
}
$context .= " {$laddr}:{$lport} {$ruser}@{$raddr}";
// create a random session number for the user to represent the
// user's session, if it doesn't exist already
$userSessionIDforLogging = 'SessionUnknown';
if (isset($_SESSION)) {
if (isset($_SESSION['DefaultAuditor']) && isset($_SESSION['DefaultAuditor']['SessionIDForLogging'])) {
$userSessionIDforLogging = $_SESSION['DefaultAuditor']['SessionIDForLogging'];
} else {
try {
$userSessionIDforLogging = (string) ESAPI::getRandomizer()->getRandomInteger(0, 1000000);
$_SESSION['DefaultAuditor']['SessionIDForLogging'] = $userSessionIDforLogging;
} catch (Exception $e) {
// continue
}
}
}
$context .= "[ID:{$userSessionIDforLogging}]";
// Now comes the message.
if (!is_string($message)) {
$message = '';
}
// Encode CRLF - this bit might have to go in a try block
// Codec Debugging entries are not affected.
if (defined('CD_LOG') == true && $this->_log4phpName === CD_LOG) {
$crlfEncoded = $message;
} else {
$crlfEncoded = $this->_replaceCRLF($message, '_');
}
// Encode for HTML if ESAPI.xml says so
$encodedMessage = null;
if ($secConfig->getLogEncodingRequired()) {
try {
$encodedMessage = $encoder->encodeForHTML($crlfEncoded);
if ($encodedMessage !== $crlfEncoded) {
$encodedMessage .= ' (This log message was encoded for HTML)';
}
} catch (Exception $e) {
$exType = get_type($e);
$encodedMessage = "The supplied log message generated an " . "Exception of type {$exType} and was not included";
}
} else {
$encodedMessage = $crlfEncoded;
}
// Now handle the exception
$dumpedException = '';
if ($throwable !== null && $throwable instanceof Exception) {
$dumpedException = ' ' . $this->_replaceCRLF($throwable, ' | ');
}
$messageForLog = $context . ' ' . $encodedMessage . $dumpedException;
$this->_log4php->log($logLevel, $messageForLog, $this);
}
/**
* {@inheritDoc}
*/
public function loginWithPassword($password)
{
//FIXME: time() might not be the correct format to be used?
if (is_null($password) || $password == "") {
$this->setLastFailedLoginTime(time());
$this->incrementFailedLoginCount();
throw new AuthenticationLoginException("Login failed", "Missing password: "******"Login failed", "Disabled user attempt to login: "******"Login failed", "Locked user attempt to login: "******"Login failed", "Expired user attempt to login: "******"DefaultUser")->trace(ESAPILogger::SECURITY, "User logged in: " . $this->_accountName);
} else {
$this->_loggedIn = false;
$this->setLastFailedLoginTime(time());
$this->incrementFailedLoginCount();
throw new AuthenticationLoginException("Login failed", "Incorrect password provided for " . $this->getAccountName());
}
}
