From e4cbcbb664ff94b866868778c006a918656cf0f9 Mon Sep 17 00:00:00 2001
From: benrubson <6764151+benrubson@users.noreply.github.com>
Date: Sun, 9 Feb 2020 10:00:23 +0100
Subject: [PATCH] Log failed accesses

---
 Core/Frameworks/Baikal/Core/Server.php | 11 +++++++----
 Core/Frameworks/BaikalAdmin/Controller/Login.php | 11 ++++++++---
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/Core/Frameworks/Baikal/Core/Server.php b/Core/Frameworks/Baikal/Core/Server.php
index b5792ba..09aaee5 100644
--- a/Core/Frameworks/Baikal/Core/Server.php
+++ b/Core/Frameworks/Baikal/Core/Server.php
@@ -185,7 +185,7 @@ class Server {
 }
 
 /**
- * Log failed accesses, for further processing by other tools (fail2ban)
+ * Log failed accesses, matching the default fail2ban nginx/apache auth rules
 *
 * @return void
 */
@@ -193,9 +193,12 @@ class Server {
 if ($e instanceof \Sabre\DAV\Exception\NotAuthenticated) {
 // Applications may make their first call without auth so don't log these attempts
 // Pattern from sabre/dav/lib/DAV/Auth/Backend/AbstractDigest.php
- if (strpos($e->getMessage(), "No 'Authorization: Digest' header found.") === false
- && strpos($e->getMessage(), "No 'Authorization: Basic' header found.") === false) {
- error_log('user not authorized: Baikal DAV: ' . $e->getMessage());
+ if (!preg_match("/No 'Authorization: (Basic|Digest)' header found./", $e->getMessage())) {
+ if (isset($_SERVER['SERVER_SOFTWARE']) && preg_match('/nginx/i', $_SERVER['SERVER_SOFTWARE'])) {
+ error_log('user "(name stripped-out)" was not found in "Baikal DAV"', 4);
+ } else {
+ error_log('user "(name stripped-out)" authentication failure for "Baikal DAV"', 4);
+ }
 }
 } else {
 error_log($e);
diff --git a/Core/Frameworks/BaikalAdmin/Controller/Login.php b/Core/Frameworks/BaikalAdmin/Controller/Login.php
index 17022e5..3450cc4 100644
--- a/Core/Frameworks/BaikalAdmin/Controller/Login.php
+++ b/Core/Frameworks/BaikalAdmin/Controller/Login.php
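Review bot: The `error_log(..., 4)` calls in the second Server.php hunk hand the line to the SAPI logger, and whether it then lands in the web server's error log with the client address and the exact prefix the default fail2ban nginx/apache filters expect depends on the SAPI in use (mod_php writes it differently from php-fpm, which forwards it over FastCGI stderr with its own wrapper text), so the docblock's promise of matching the default rules should be qualified. A comment such as `// Verified against mod_php; under php-fpm the line is wrapped by the server's FastCGI stderr logging and the fail2ban filter may need adjusting` next to the `$_SERVER['SERVER_SOFTWARE']` check would stop the next maintainer from assuming the match is automatic. The trailing `.` in the new `preg_match` pattern is an unescaped metacharacter, so the exact check the old `strpos` calls performed is `if (!preg_match("/No 'Authorization: (Basic|Digest)' header found\\./", $e->getMessage())) {`. The enclosing method starts outside this hunk.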
@@ -37,9 +37,15 @@ class Login extends \Flake\Core\Controller {
 $sSubmittedFlagName = "auth";
 $sMessage = "";
+ $sLogin = htmlspecialchars(\Flake\Util\Tools::POST("login"));
+
 
 if (self::isSubmitted() && !\BaikalAdmin\Core\Auth::isAuthenticated()) {
- // Log failed accesses, for further processing by other tools (fail2ban)
- error_log('user not authorized: Baikal GUI');
+ // Log failed accesses, matching the default fail2ban nginx/apache auth rules
+ if (isset($_SERVER['SERVER_SOFTWARE']) && preg_match('/nginx/i', $_SERVER['SERVER_SOFTWARE'])) {
+ error_log('user "' . $sLogin . '" was not found in "Baikal GUI"', 4);
+ } else {
+ error_log('user "' . $sLogin . '" authentication failure for "Baikal GUI"', 4);
+ }
 $sMessage = \Formal\Core\Message::error(
 "The login/password you provided is invalid. Please retry.",
 "Authentication error"
@@ -52,7 +58,6 @@ class Login extends \Flake\Core\Controller {
 );
 }
 
- $sLogin = htmlspecialchars(\Flake\Util\Tools::POST("login"));
 $sPassword = htmlspecialchars(\Flake\Util\Tools::POST("password"));
 
 if (trim($sLogin) === "") {
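Review bot: In the first Login.php hunk the attacker-controlled `$sLogin` is interpolated into the error log, and `htmlspecialchars` escapes quotes and angle brackets but leaves CR, LF and other control characters untouched, so a submitted login containing a newline can forge an extra log line in the web server's error log, including one shaped like the very pattern fail2ban reads. Either strip control characters for the logged copy, e.g. `$sLogLogin = preg_replace('/[\x00-\x1F\x7F]+/', '', $sLogin);` and use `$sLogLogin` in both `error_log` calls, or log the fixed `(name stripped-out)` placeholder the Server.php hunk uses so the two code paths agree. Note also that the HTML-escaped value is later used as the submitted login itself (`trim($sLogin)` in the second hunk), which predates this commit but means the logged name is the escaped form rather than what the user typed. The enclosing method starts and ends outside this hunk.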