From: Bill Erickson Date: Mon, 15 May 2017 20:44:06 +0000 (-0400) Subject: JBAS-1792 Log remoteauth (ezproxy) login failures X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=2ee7bcaedabf49b308f8c4f1e48e0f511169e976;p=working%2FEvergreen.git JBAS-1792 Log remoteauth (ezproxy) login failures Log all of the reasons a remoteauth login might have failed, including bad passwords. Useful for debugging student e-card authentication issues. Signed-off-by: Bill Erickson
---
diff --git a/Open-ILS/examples/remoteauth.cgi b/Open-ILS/examples/remoteauth.cgi
index 675d3f9b28..0aea483ab7 100755
--- a/Open-ILS/examples/remoteauth.cgi
+++ b/Open-ILS/examples/remoteauth.cgi
@@ -29,6 +29,7 @@ use Digest::MD5 qw(md5_hex);
 use DateTime;
 use DateTime::Format::ISO8601;
 use OpenSRF::Utils qw/:datetime/;
+use OpenSRF::Utils::Logger qw/$logger/;
 use OpenSRF::System;
 use OpenSRF::AppSession;
@@ -39,8 +40,8 @@ use OpenILS::Application::AppUtils;
 my $bootstrap = '/openils/conf/opensrf_core.xml';
 my $cgi = new CGI;
 my $u = $cgi->param('user');
-my $usrname = $cgi->param('usrname');
-my $barcode = $cgi->param('barcode');
+my $usrname = $cgi->param('usrname') || '';
+my $barcode = $cgi->param('barcode') || '';
 my $agent = $cgi->param('agent'); # optional, but preferred
 my $p = $cgi->param('passwd');
@@ -92,35 +93,57 @@ if (!($u || $usrname || $barcode) || !$p) {
 $user = $e->search_actor_user({usrname => $u})->[0];
 }
- if ($user
- and $user->deleted eq 'f'
- and $user->active eq 't'
- and $user->passwd eq md5_hex($p)) {
+ my $logtag = $barcode ? "barcode=$barcode" : "username=$usrname";
- my $expire =
- DateTime::Format::ISO8601->new->parse_datetime(
- cleanse_ISO8601($user->expire_date));
+ if (!$user) {
+ $logger->warn("remoteauth: no such user $logtag");
+ print '+NO';
+ exit 0;
+ }
- if ($expire < DateTime->now) {
- print '+NO';
+ $logtag .= " id=".$user->id." profile=".$user->profile;
+
+ if ($user->deleted eq 't') {
+ $logger->warn("remoteauth: user is deleted $logtag");
+ print '+NO';
+ exit 0;
+ }
- } else {
+ if ($user->active eq 'f') {
+ $logger->warn("remoteauth: user is not active $logtag");
+ print '+NO';
+ exit 0;
+ }
- $e->requestor($user);
- if ($e->allowed('ACCESS_EBOOKS_AND_DATABASES', $user->home_ou)) {
+ if ($user->passwd ne md5_hex($p)) {
+ $logger->warn("remoteauth: bad password for $logtag");
+ print '+NO';
+ exit 0;
+ }
- OpenILS::Application::AppUtils
- ->log_user_activity($user->id, $agent, 'verify');
+ my $expire =
+ DateTime::Format::ISO8601->new->parse_datetime(
+ cleanse_ISO8601($user->expire_date));
- print '+VALID';
+ if ($expire < DateTime->now) {
+ $logger->warn("remoteauth: patron account is expired $logtag");
+ print '+NO';
+ exit 0;
+ }
- } else {
- print '+NO';
- }
- }
- } else {
+ $e->requestor($user);
+ if (!$e->allowed('ACCESS_EBOOKS_AND_DATABASES', $user->home_ou)) {
+ $logger->warn("remoteauth: patron does not have permission $logtag");
 print '+NO';
+ exit 0;
 }
+
+ $logger->info("remoteauth: successful authentication for $logtag");
+
+ OpenILS::Application::AppUtils
+ ->log_user_activity($user->id, $agent, 'verify');
+
+ print '+VALID';
 }
 1;
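Review bot: `$logtag` is built from the raw `barcode`/`usrname` request parameters and reaches `$logger->warn` before any credential has been checked, so an unauthenticated caller controls part of every `remoteauth:` failure line. Unless the logger escapes control characters (not visible in this hunk), an embedded newline could split or forge log entries. The tag also ignores `$u`, although the context line looks the account up with `usrname => $u`, so a request that supplies only `user` would presumably be logged as an empty `username=`. I would build it as `my $logtag = $barcode ? "barcode=$barcode" : "username=" . ($usrname || $u || '');` followed by `$logtag =~ s/[^\x20-\x7E]/?/g;` to keep the value printable and on one line. The enclosing block opens above the hunk, so how `$u` relates to `$usrname` earlier in the script should be confirmed there.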