added logging of ExApp request made on behalf of user

Signed-off-by: Alexander Piskun <[email protected]>
nextcloud · Aug 13, 2024 · cb7b454 · cb7b454
1 parent 53f8def
commit cb7b454
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/lib/Service/AppAPIService.php b/lib/Service/AppAPIService.php
@@ -15,11 +15,13 @@
 use OCP\Http\Client\IClientService;
 use OCP\Http\Client\IPromise;
 use OCP\Http\Client\IResponse;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
+use OCP\Log\ILogFactory;
 use OCP\Security\Bruteforce\IThrottler;
 use Psr\Log\LoggerInterface;
 
@@ -29,7 +31,9 @@ class AppAPIService {
 
 	public function __construct(
 		private readonly LoggerInterface         $logger,
+		private readonly ILogFactory			 $logFactory,
 		private readonly IThrottler              $throttler,
+		private readonly IConfig 				 $config,
 		IClientService                           $clientService,
 		private readonly IUserSession            $userSession,
 		private readonly ISession                $session,
@@ -342,7 +346,7 @@ public function validateExAppRequestToNC(IRequest $request, bool $isDav = false)
 				}
 			}
 
-			return $this->finalizeRequestToNC($userId, $request);
+			return $this->finalizeRequestToNC($exApp, $userId, $request);
 		} else {
 			$this->logger->error(sprintf('Invalid signature for ExApp: %s and user: %s.', $exApp->getAppid(), $userId !== '' ? $userId : 'null'));
 			$this->throttler->registerAttempt(Application::APP_ID, $request->getRemoteAddress(), [
@@ -360,14 +364,15 @@ public function validateExAppRequestToNC(IRequest $request, bool $isDav = false)
 	 *  - sets active user (null if not a user context)
 	 *  - updates ExApp last response time
 	 */
-	private function finalizeRequestToNC(string $userId, IRequest $request): bool {
+	private function finalizeRequestToNC(ExApp $exApp, string $userId, IRequest $request): bool {
 		if ($userId !== '') {
 			$activeUser = $this->userManager->get($userId);
 			if ($activeUser === null) {
 				$this->logger->error(sprintf('Requested user does not exists: %s', $userId));
 				return false;
 			}
 			$this->userSession->setUser($activeUser);
+			$this->logImpersonatingRequest($exApp->getAppid());
 		} else {
 			$this->userSession->setUser(null);
 		}
@@ -397,6 +402,18 @@ public function passesScopeCheck(ExApp $exApp, int $apiScope): bool {
 		return false;
 	}
 
+	private function getCustomLogger(string $name): LoggerInterface {
+		$path = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data') . '/' . $name;
+		return $this->logFactory->getCustomPsrLogger($path);
+	}
+
+	private function logImpersonatingRequest(string $appId): void {
+		$exAppsImpersonationLogger = $this->getCustomLogger('exapp_impersonation.log');
+		$exAppsImpersonationLogger->warning('impersonation request', [
+			'app' => $appId,
+		]);
+	}
+
 	/**
 	 * Checks if the ExApp version changed and if it is higher, updates it in the database.
 	 */