Log the remote address of failed login attempts (#2800)

Signed-off-by: Jan N. Klug <github@klug.nrw>
2022-02-26 10:00:00 +01:00 · 2022-02-26 10:00:00 +01:00 · 013e317b6b
parent b57a8c3beb
commit 013e317b6b
5 changed files with 13 additions and 8 deletions
--- a/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java
+++ b/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AbstractAuthPageServlet.java
@ -142,12 +142,12 @@ public abstract class AbstractAuthPageServlet extends HttpServlet {
        return user;
    }

-    protected void processFailedLogin(HttpServletResponse resp, Map<String, String[]> params, @Nullable String message)
-            throws IOException {
+    protected void processFailedLogin(HttpServletResponse resp, String remoteAddr, Map<String, String[]> params,
+            @Nullable String message) throws IOException {
        lastAuthenticationFailure = Instant.now();
        authenticationFailureCount += 1;
        resp.setContentType("text/html;charset=UTF-8");
-        logger.warn("Authentication failed: {}", message);
+        logger.warn("Authentication failed from {}: {}", remoteAddr, message);
        resp.getWriter().append(getPageBody(params, getLocalizedMessage("auth.login.fail"), false));
        resp.getWriter().close();
    }
--- a/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthorizePageServlet.java
+++ b/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/AuthorizePageServlet.java
@ -184,7 +184,7 @@ public class AuthorizePageServlet extends AbstractAuthPageServlet {
            resp.addHeader(HttpHeaders.LOCATION, getRedirectUri(baseRedirectUri, authorizationCode, null, state));
            resp.setStatus(HttpStatus.MOVED_TEMPORARILY_302);
        } catch (AuthenticationException e) {
-            processFailedLogin(resp, params, e.getMessage());
+            processFailedLogin(resp, req.getRemoteAddr(), params, e.getMessage());
        } catch (IllegalArgumentException e) {
            @Nullable
            String baseRedirectUri = params.containsKey("redirect_uri") ? params.get("redirect_uri")[0] : null;
--- a/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ChangePasswordPageServlet.java
+++ b/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/ChangePasswordPageServlet.java
@ -121,7 +121,7 @@ public class ChangePasswordPageServlet extends AbstractAuthPageServlet {
            resp.getWriter().append(getResultPageBody(params, getLocalizedMessage("auth.changepassword.success")));
            resp.getWriter().close();
        } catch (AuthenticationException e) {
-            processFailedLogin(resp, params, e.getMessage());
+            processFailedLogin(resp, req.getRemoteAddr(), params, e.getMessage());
        }
    }

--- a/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/CreateAPITokenPageServlet.java
+++ b/bundles/org.openhab.core.io.http.auth/src/main/java/org/openhab/core/io/http/auth/internal/CreateAPITokenPageServlet.java
@ -136,7 +136,7 @@ public class CreateAPITokenPageServlet extends AbstractAuthPageServlet {
            resp.getWriter().append(getResultPageBody(params, resultMessage));
            resp.getWriter().close();
        } catch (AuthenticationException e) {
-            processFailedLogin(resp, params, e.getMessage());
+            processFailedLogin(resp, req.getRemoteAddr(), params, e.getMessage());
        }
    }

--- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java
+++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java
@ -22,10 +22,12 @@ import java.util.Map;
 import java.util.Random;

 import javax.annotation.Priority;
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Priorities;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.core.SecurityContext;
@ -96,7 +98,10 @@ public class AuthFilter implements ContainerRequestFilter {
    private final JwtHelper jwtHelper;
    private final UserRegistry userRegistry;

-    private RegistryChangeListener<User> userRegistryListener = new RegistryChangeListener<User>() {
+    @Context
+    private @NonNullByDefault({}) HttpServletRequest servletRequest;
+
+    private RegistryChangeListener<User> userRegistryListener = new RegistryChangeListener<>() {

        @Override
        public void added(User element) {
@ -257,7 +262,7 @@ public class AuthFilter implements ContainerRequestFilter {
                    requestContext.setSecurityContext(new AnonymousUserSecurityContext());
                }
            } catch (AuthenticationException e) {
-                logger.warn("Unauthorized API request: {}", e.getMessage());
+                logger.warn("Unauthorized API request from {}: {}", servletRequest.getRemoteAddr(), e.getMessage());
                requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials"));
            }
        }