Added logging to authentication endpoints, and SAML 2.0 SP and IdP

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@62 44740490-163a-0410-bde0-09ae8108e29a

www/_include.php

@@ -13,7 +13,6 @@ require_once('SimpleSAML/Configuration.php');
 SimpleSAML_Configuration::init(dirname(dirname(__FILE__)) . '/config');
 
 
-define_syslog_variables();
-openlog("simpleSAMLphp", LOG_PID, LOG_LOCAL0);
+
 
 ?>
\ No newline at end of file

www/auth/login-ldapmulti.php

@@ -3,12 +3,10 @@
 
 require_once('../../www/_include.php');
 
-
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
-require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
-require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
 require_once('SimpleSAML/XHTML/Template.php');
 
 session_start();
@@ -16,12 +14,15 @@ session_start();
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = new SimpleSAML_XML_MetaDataStore($config);
 $session = SimpleSAML_Session::getInstance();
-
+$logger = new SimpleSAML_Logger();
 
 $ldapconfigfile = $config->getValue('basedir') . 'config/ldapmulti.php';
 require_once($ldapconfigfile);
 
 
+$logger->log(LOG_INFO, $session->getTrackID(), 'AUTH', 'ldap-multi', 'EVENT', 'Access', 'Accessing auth endpoint login-ldapmulti');
+
+
 $error = null;
 $attributes = array();
 	
@@ -39,6 +40,9 @@ if (isset($_POST['username'])) {
 	if ($ds) {
 	
 		if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+		
+			$logger->log(LOG_CRIT, $session->getTrackID(), 'AUTH', 'ldap-multi', 'LDAP_OPT_PROTOCOL_VERSION', '3', 'Error setting LDAP prot version to 3');
+			
 			echo "Failed to set LDAP Protocol version to 3";
 			exit;
 		}
@@ -50,7 +54,8 @@ if (isset($_POST['username'])) {
 		*/
 		if (!ldap_bind($ds, $dn, $pwd)) {
 			$error = "Bind failed, wrong username or password. Tried with DN=[" . $dn . "] DNPattern=[" .  $ldapconfig['dnpattern'] . "]";
-			
+
+			$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'ldap-multi', 'Fail', $_POST['username'], $_POST['username'] . ' failed to authenticate');
 			
 		} else {
 			$sr = ldap_read($ds, $dn, $ldapconfig['attributes'] );
@@ -71,6 +76,9 @@ if (isset($_POST['username'])) {
 			//print_r($ldapentries);
 			//print_r($attributes);
 			
+			$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'ldap-multi', 'OK', $_POST['username'], $_POST['username'] . ' successfully authenticated');
+			
+			
 			$session->setAuthenticated(true);
 			$session->setAttributes($attributes);
 			

www/auth/login-radius.php

@@ -4,18 +4,18 @@ require_once('../../www/_include.php');
 
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
-require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
-require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
 require_once('SimpleSAML/XHTML/Template.php');
 
 session_start();
 
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = new SimpleSAML_XML_MetaDataStore($config);
-
-	
 $session = SimpleSAML_Session::getInstance();
+$logger = new SimpleSAML_Logger();
+
+$logger->log(LOG_INFO, $session->getTrackID(), 'AUTH', 'radius', 'EVENT', 'Access', 'Accessing auth endpoint login');
 
 $error = null;
 $attributes = array();
@@ -29,10 +29,15 @@ if (isset($_POST['username'])) {
 		// ( resource $radius_handle, string $hostname, int $port, string $secret, int $timeout, int $max_tries )
 		if (! radius_add_server($radius, $config->getValue('auth.radius.hostname'), $config->getValue('auth.radius.port'), 
 				$config->getValue('auth.radius.secret'), 5, 3)) {
+				
+			$logger->log(LOG_CRIT, $session->getTrackID(), 'AUTH', 'radius', 'radius_strerror', radius_strerror($radius), 
+				'Problem occured when connecting to Radius server');
 			throw new Exception('Problem occured when connecting to Radius server: ' . radius_strerror($radius));
 		}
 	
 		if (! radius_create_request($radius,RADIUS_ACCESS_REQUEST)) {
+			$logger->log(LOG_CRIT, $session->getTrackID(), 'AUTH', 'radius', 'radius_strerror', radius_strerror($radius), 
+				'Problem occured when creating the Radius request');
 			throw new Exception('Problem occured when creating the Radius request: ' . radius_strerror($radius));
 		}
 	
@@ -46,6 +51,8 @@ if (isset($_POST['username'])) {
 				// GOOD Login :)
 				$attributes = array('urn:mace:eduroam.no:username' => array($_POST['username']));
 				
+				$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'radius', 'OK', $_POST['username'], $_POST['username'] . ' successfully authenticated');
+				
 				$session->setAuthenticated(true);
 				$session->setAttributes($attributes);
 				$returnto = $_REQUEST['RelayState'];
@@ -56,12 +63,17 @@ if (isset($_POST['username'])) {
 	
 			case RADIUS_ACCESS_REJECT:
 			
+				$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'radius', 'Fail', $_POST['username'], $_POST['username'] . ' failed to authenticate');
 				throw new Exception('Radius authentication error: Bad credentials ');
 				break;
 			case RADIUS_ACCESS_CHALLENGE:
+				$logger->log(LOG_CRIT, $session->getTrackID(), 'AUTH', 'radius', 'radius_strerror', radius_strerror($radius), 
+					'Challenge requested');
 				throw new Exception('Radius authentication error: Challenge requested');
 				break;
 			default:
+				$logger->log(LOG_CRIT, $session->getTrackID(), 'AUTH', 'radius', 'radius_strerror', radius_strerror($radius), 
+					'General radius error');
 				throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
 				
 		}

www/auth/login.php

@@ -10,14 +10,16 @@ require_once('SimpleSAML/XML/MetaDataStore.php');
 require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
 require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
 require_once('SimpleSAML/XHTML/Template.php');
+require_once('SimpleSAML/Logger.php');
 
 session_start();
 
 $config = SimpleSAML_Configuration::getInstance();
-$metadata = new SimpleSAML_XML_MetaDataStore($config);
-
-	
+$metadata = new SimpleSAML_XML_MetaDataStore($config);	
 $session = SimpleSAML_Session::getInstance();
+$logger = new SimpleSAML_Logger();
+
+$logger->log(LOG_INFO, $session->getTrackID(), 'AUTH', 'ldap', 'EVENT', 'Access', 'Accessing auth endpoint login');
 
 $error = null;
 $attributes = array();
@@ -33,6 +35,9 @@ if (isset($_POST['username'])) {
 	if ($ds) {
 	
 		if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+		
+			$logger->log(LOG_CRIT, $session->getTrackID(), 'AUTH', 'ldap-multi', 'LDAP_OPT_PROTOCOL_VERSION', '3', 'Error setting LDAP prot version to 3');
+			
 			echo "Failed to set LDAP Protocol version to 3";
 			exit;
 		}
@@ -45,6 +50,7 @@ if (isset($_POST['username'])) {
 		if (!ldap_bind($ds, $dn, $pwd)) {
 			$error = "Bind failed, wrong username or password. Tried with DN=[" . $dn . "] DNPattern=[" . $config->getValue('auth.ldap.dnpattern') . "]";
 			
+			$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'ldap', 'Fail', $_POST['username'], $_POST['username'] . ' failed to authenticate');
 			
 		} else {
 			$sr = ldap_read($ds, $dn, $config->getValue('auth.ldap.attributes'));
@@ -71,6 +77,9 @@ if (isset($_POST['username'])) {
 			$session->setNameID(SimpleSAML_Utilities::generateID());
 			$session->setNameIDFormat('urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
 			
+			$logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'ldap', 'OK', $_POST['username'], $_POST['username'] . ' successfully authenticated');
+			
+			
 			$returnto = $_REQUEST['RelayState'];
 			header("Location: " . $returnto);
 			exit(0);

www/example-simple/saml2-example.php

@@ -11,8 +11,10 @@ require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
 require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
 require_once('SimpleSAML/XHTML/Template.php');
 
+
 session_start();
 
+
 /* Load simpleSAMLphp, configuration and metadata */
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = new SimpleSAML_XML_MetaDataStore($config);

www/saml2/idp/SSOService.php

@@ -6,6 +6,7 @@ require_once('../../../www/_include.php');
 
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
 require_once('SimpleSAML/XML/AttributeFilter.php');
 require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
@@ -19,12 +20,16 @@ session_start();
 
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = new SimpleSAML_XML_MetaDataStore($config);
+$session = SimpleSAML_Session::getInstance(true);
+
+$logger = new SimpleSAML_Logger();
 
 $idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idpmeta = $metadata->getMetaDataCurrent('saml20-idp-hosted');
 
 $requestid = null;
-$session = null;
+
+$logger->log(LOG_INFO, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'EVENT', 'Access', 'Accessing SAML 2.0 IdP endpoint SSOService');
 
 
 if (isset($_GET['SAMLRequest'])) {
@@ -35,12 +40,13 @@ if (isset($_GET['SAMLRequest'])) {
 		$authnrequest = $binding->decodeRequest($_GET);
 		
 		$session = $authnrequest->createSession();
-	
 		$requestid = $authnrequest->getRequestID();
 		
-	
-		
 		$session->setAuthnRequest($requestid, $authnrequest);
+		
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'AuthnRequest', 
+			array($authnrequest->getIssuer(), $requestid), 
+			'Incomming Authentication request');
 	
 	} catch(Exception $exception) {
 		
@@ -62,6 +68,9 @@ if (isset($_GET['SAMLRequest'])) {
 		$session = SimpleSAML_Session::getInstance();
 		$authnrequest = $session->getAuthnRequest($requestid);
 		
+		$logger->log(LOG_INFO, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'EVENT', $requestid, 'Got incomming RequestID');
+		
+		
 		if (!$authnrequest) throw new Exception('Could not retrieve cached RequestID = ' . $requestid);
 		
 	} catch(Exception $exception) {
@@ -100,6 +109,10 @@ if (!$session->isAuthenticated() ) {
 		'&RequestID=' . urlencode($requestid);
 	$authurl = SimpleSAML_Utilities::addURLparameter('/' . $config->getValue('baseurlpath') . $idpmeta['auth'], 
 		'RelayState=' . urlencode($relaystate));
+		
+	$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'AuthNext', $idpmeta['auth'], 
+		'Will go to authentication module ' . $idpmeta['auth']);
+		
 	header('Location: ' . $authurl);
 	exit(0);
 } else {
@@ -117,7 +130,10 @@ if (!$session->isAuthenticated() ) {
 		if ($idpmeta['requireconsent']) {
 			
 			if (!isset($_GET['consent'])) {
-			
+
+				$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'Consent', 'request', 
+					'Requires consent from user for attribute release');
+
 				$t = new SimpleSAML_XHTML_Template($config, 'consent.php');
 				$t->data['header'] = 'Consent';
 				$t->data['spentityid'] = $spentityid;
@@ -126,6 +142,11 @@ if (!$session->isAuthenticated() ) {
 				$t->show();
 				exit(0);
 				
+			} else {
+			
+				$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'ConsentOK', '-', 
+					'Got consent from user');
+			
 			}
 			
 		}
@@ -134,6 +155,11 @@ if (!$session->isAuthenticated() ) {
 		$session->add_sp_session($spentityid);
 
 
+		
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'AuthnResponse', $spentityid, 
+			'Sending back AuthnResponse');
+		
+
 		/*
 		 * Filtering attributes.
 		 */

www/saml2/sp/AssertionConsumerService.php

@@ -5,6 +5,7 @@ require_once('../../_include.php');
 
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
 require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
 require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
@@ -12,6 +13,14 @@ require_once('SimpleSAML/XHTML/Template.php');
 
 session_start();
 
+$session = SimpleSAML_Session::getInstance();
+
+$logger = new SimpleSAML_Logger();
+
+
+$logger->log(LOG_INFO, $session->getTrackID(), 'SAML2.0', 'SP.AssertionConsumerService', 'EVENT', 'Access', 
+	'Accessing SAML 2.0 SP endpoint AssertionConsumerService');
+
 try {
 	
 	$config = SimpleSAML_Configuration::getInstance();	
@@ -26,7 +35,9 @@ try {
 	if (isset($session)) {
 		
 		$attributes = $session->getAttributes();
-		syslog(LOG_INFO, 'User is authenticated,' . $attributes['mail'] . ',' . $authnResponse->getIssuer());
+
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.AssertionConsumerService', 'AuthnResponse', '-', 
+			'Successfully created local session from Authentication Response');
 	
 		$relayState = $authnResponse->getRelayState();
 		if (isset($relayState)) {

www/saml2/sp/SingleLogoutService.php

@@ -2,8 +2,10 @@
 
 require_once('../../_include.php');
 
+
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
 require_once('SimpleSAML/XML/SAML20/LogoutRequest.php');
 require_once('SimpleSAML/XML/SAML20/LogoutResponse.php');
@@ -14,13 +16,13 @@ session_start();
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = new SimpleSAML_XML_MetaDataStore($config);
 
-
-
-
-
 // Get the local session
 $session = SimpleSAML_Session::getInstance();
 
+$logger = new SimpleSAML_Logger();
+
+$logger->log(LOG_INFO, $session->getTrackID(), 'SAML2.0', 'SP.SingleLogoutService', 'EVENT', 'Access', 
+	'Accessing SAML 2.0 SP endpoint SingleLogoutService');
 
 // Destroy local session if exists.
 if (isset($session) && $session->isAuthenticated() ) {	
@@ -44,9 +46,15 @@ if (isset($_GET['SAMLRequest'])) {
 	$relayState = $logoutrequest->getRelayState();
 	
 	
+
+
+	
 	//$responder = $config->getValue('saml2-hosted-sp');
 	$responder = $metadata->getMetaDataCurrentEntityID();
 	
+	
+	$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.SingleLogoutService', 'LogoutRequest', $requestid, 
+		'IdP (' . $requester . ') is sending logout request to me SP (' . $responder . ')');
 
 	
 	// Create a logout response
@@ -57,6 +65,10 @@ if (isset($_GET['SAMLRequest'])) {
 	// Create a HTTP Redirect binding.
 	$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
 	
+	
+	$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.SingleLogoutService', 'LogoutResponse', '-', 
+		'SP me (' . $responder . ') is sending logout response to IdP (' . $requester . ')');
+	
 	// Send the Logout response using HTTP POST binding.
 	$httpredirect->sendMessage($logoutResponseXML, $requester, $logoutrequest->getRelayState(), 'SingleLogoutServiceResponse', 'SAMLResponse');
 

www/saml2/sp/initSLO.php

@@ -2,6 +2,7 @@
 
 require_once('../../_include.php');
 
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
@@ -10,6 +11,7 @@ require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
 //require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
 
 
+
 session_start();
 
 $config = SimpleSAML_Configuration::getInstance();
@@ -17,10 +19,15 @@ $metadata = new SimpleSAML_XML_MetaDataStore($config);
 
 $session = SimpleSAML_Session::getInstance();
 
+$logger = new SimpleSAML_Logger();
+
 $idpentityid = $session->getIdP();
 //	isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $config->getValue('default-saml20-idp') ;
 $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
 
+$logger->log(LOG_INFO, $session->getTrackID(), 'SAML2.0', 'SP.initSLO', 'EVENT', 'Access', 
+	'Accessing SAML 2.0 SP initSLO script');
+	
 
 if (isset($session) ) {
 	
@@ -37,6 +44,9 @@ if (isset($session) ) {
 			$relayState = $_GET['RelayState'];
 		}
 		
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.initSLO', 'LogoutRequest', $req->getRequestID(), 
+			'SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')');
+		
 		//$request, $remoteentityid, $relayState = null, $endpoint = 'SingleLogoutService', $direction = 'SAMLRequest', $mode = 'SP'
 		$httpredirect->sendMessage($req, $idpentityid, $relayState, 'SingleLogoutService', 'SAMLRequest', 'SP');
 
@@ -56,6 +66,9 @@ if (isset($session) ) {
 	
 	$relaystate = $session->getRelayState();
 	
+	$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.initSLO', 'AlreadyLoggedOut', $req->getRequestID(), 
+		'User is already logged out. Go back to relaystate');
+	
 	header('Location: ' . $relaystate );
 	
 	#print_r($metadata->getMetaData('sam.feide.no'));

www/saml2/sp/initSSO.php

@@ -5,6 +5,7 @@ require_once('../../_include.php');
 
 require_once('SimpleSAML/Utilities.php');
 require_once('SimpleSAML/Session.php');
+require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/XHTML/Template.php');
 require_once('SimpleSAML/XML/MetaDataStore.php');
 require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
@@ -16,10 +17,14 @@ session_start();
 
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = new SimpleSAML_XML_MetaDataStore($config);
+$session = SimpleSAML_Session::getInstance(true);
 
+$logger = new SimpleSAML_Logger();
+
+
+$logger->log(LOG_INFO, $session->getTrackID(), 'SAML2.0', 'SP.initSSO', 'EVENT', 'Access', 
+	'Accessing SAML 2.0 SP initSSO script');
 
-$session = SimpleSAML_Session::getInstance();
-		
 try {
 
 	$idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $config->getValue('default-saml20-idp') ;
@@ -39,6 +44,9 @@ if (!isset($session) || !$session->isValid() ) {
 	
 	if ($idpentityid == null) {
 	
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.initSSO', 'NextDisco', $spentityid, 
+			'No SP default or specified, go to SAML2disco');
+		
 		$returnURL = urlencode(SimpleSAML_Utilities::selfURL());
 		$discservice = '/' . $config->getValue('baseurlpath') . 'saml2/sp/idpdisco.php?entityID=' . $spentityid . 
 			'&return=' . $returnURL . '&returnIDParam=idpentityid';
@@ -60,6 +68,9 @@ if (!isset($session) || !$session->isValid() ) {
 			$relayState = $_GET['RelayState'];
 		}
 		
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.initSSO', 'AuthnRequest', $idpentityid, 
+			'SP (' . $spentityid . ') is sending authenticatino request to IdP (' . $idpentityid . ')');
+		
 		$httpredirect->sendMessage($req, $idpentityid, $relayState);
 
 	
@@ -80,6 +91,10 @@ if (!isset($session) || !$session->isValid() ) {
 	$relaystate = $_GET['RelayState'];
 		
 	if (isset($relaystate) && !empty($relaystate)) {
+	
+		$logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'SP.initSSO', 'AlreadyAuthenticated', '-', 
+			'Go back to RelayState');
+	
 		header('Location: ' . $relaystate );
 	} else {
 		$et = new SimpleSAML_XHTML_Template($config, 'error.php');