Merge branch 'master' into 52-active-directory-support

conf/config.inc.php

@@ -195,6 +195,12 @@
 
 # Audit
 #$audit_log_file = "/var/log/service-desk/audit.log";
+$use_showauditlog = false;
+$audit_log_days = 5;
+$audit_log_items = array('date','ip','user_dn','done_by','action','result','comment');
+$audit_log_sortby = "date";
+$audit_log_reverse = true;
+$audit_log_truncate_value_after = 40;
 #$header_name_audit_admin = "AUTH_USER";
 
 # Debug mode

docs/audit.rst

@@ -74,3 +74,56 @@ In nginx.conf:
 .. warning:: Using Nginx, headers with underscores in their names are discarded by default. In order for these headers to be considered valid, we need to add ``underscores_in_headers on`` to ``nginx.conf``.
 
 .. tip:: If no header defined or if header is empty, actions will be logged as "anonymous"
+
+Display audit logs
+==================
+
+Enabling audit logs display
+---------------------------
+
+When the audit logs are enabled, they can be displayed in a table by setting the following variable:
+
+.. code-block:: php
+
+ $use_showauditlog = true;
+
+Days of audit logs
+------------------
+
+The number of days that can be displayed in the table can be configured as follows:
+
+.. code-block:: php
+
+ $audit_log_days = 5;
+
+.. note::
+
+ The log file specified under $audit_log_file may only contain logs generated within the last $audit_log_days due to log rotation configuration.
+
+Display table columns
+---------------------
+
+The table columns to be displayed can be configured with the following variable:
+
+.. code-block:: php
+
+ $audit_log_items = array('date','ip','dn','done_by','action','result','comment');
+
+Audit table sorting
+-------------------
+
+The table can be sorted by default by the setting:
+
+.. code-block:: php
+
+ $audit_log_sortby = "date";
+
+Audit table sorting order
+-------------------------
+
+Audit logs are usually display with the oldest first as they are being parsed from a file.
+In order to have the newest audit log entries first the following configuration can reverse the order:
+
+.. code-block:: php
+
+ $audit_log_reverse = true;

docs/presentation.rst

@@ -17,9 +17,10 @@ Features
 * Test current password
 * Reset password and force password change at next connection
 * Lock and unlock account
+* Create and view audit logs
 * Dashboards:
 
  * Accounts locked
  * Accounts with a password that will soon expire
  * Accounts with an expired password
- * Accounts idle (never connected or not connected since a number of days)
+ * Accounts idle (never connected or not connected since a number of days)

htdocs/auditlog.php

@@ -0,0 +1,19 @@
+<?php
+/*
+ * Collect audit logs to be displayed.
+ */
+require_once("../conf/config.inc.php");
+require __DIR__ . '/../vendor/autoload.php';
+require_once("../lib/date.inc.php");
+require_once("../lib/audit.inc.php");
+
+$events = array();
+[$events,$nb_events] = displayauditlog($audit_log_file, $audit_log_days, $audit_log_sortby, $audit_log_reverse);
+
+$smarty->assign("page_title", "auditlogtitle");
+$smarty->assign("nb_events", $nb_events);
+$smarty->assign("events", $events);
+$smarty->assign("listing_columns", $audit_log_items);
+$smarty->assign("truncate_value_after", $audit_log_truncate_value_after);
+
+?>

htdocs/index.php

@@ -148,6 +148,7 @@
 $smarty->assign('use_searchexpired',$use_searchexpired);
 $smarty->assign('use_searchwillexpire',$use_searchwillexpire);
 $smarty->assign('use_searchidle',$use_searchidle);
+$smarty->assign('use_showauditlog',$use_showauditlog);
 $smarty->assign('fake_password_inputs',$fake_password_inputs);
 $smarty->assign('use_enableaccount',$use_enableaccount);
 $smarty->assign('use_disableaccount',$use_disableaccount);
@@ -209,6 +210,7 @@
 if ( $page === "searchexpired" and !$use_searchexpired ) { $page = "welcome"; }
 if ( $page === "searchwillexpire" and !$use_searchwillexpire ) { $page = "welcome"; }
 if ( $page === "searchidle" and !$use_searchidle ) { $page = "welcome"; }
+if ( $page === "auditlog" and !$use_showauditlog ) { $page = "welcome"; }
 if ( file_exists($page.".php") ) { require_once($page.".php"); }
 $smarty->assign('page',$page);
 

lang/en.inc.php

@@ -6,6 +6,8 @@
 
 $messages['accountenabled'] = "Account is enabled";
 $messages['accountdisabled'] = "Account is disabled";
+$messages['auditlogs'] = "Audit logs";
+$messages['auditlogtitle'] = "Audit log for the last $audit_log_days days";
 $messages['accountlocked'] = "Account is locked";
 $messages['accountnotdisabled'] = "Fail to disable account";
 $messages['accountnotenabled'] = "Fail to enable account";
@@ -30,6 +32,8 @@
 $messages['enableaccount'] = "Enable account";
 $messages['entriesfound'] = "entries found";
 $messages['entryfound'] = "entry found";
+$messages['eventfound'] = "event found";
+$messages['eventsfound'] = "events found";
 $messages['expiredaccounts'] = "Passwords expired";
 $messages['false'] = "No";
 $messages['forcereset'] = "Force reset at next connection";
@@ -39,19 +43,24 @@
 $messages['pager_all'] = "All";
 $messages['print_all'] = "Print all results";
 $messages['print_page'] = "Print this page";
+$messages['label_action'] = "Action";
 $messages['label_authtimestamp'] = "Last authentication";
 $messages['label_businesscategory'] = "Business category";
 $messages['label_carlicense'] = "Car license";
+$messages['label_comment'] = "Comment";
 $messages["label_created"] = "Created";
+$messages['label_date'] = "Date";
 $messages['label_description'] = "Description";
 $messages['label_displayname'] = "Display name";
+$messages['label_done_by'] = "Done by";
 $messages['label_employeenumber'] = "Employee number";
 $messages['label_employeetype'] = "Employee type";
 $messages['label_expirationdate'] = "Expiration date";
 $messages['label_fax'] = "Fax";
 $messages['label_firstname'] = "First name";
 $messages['label_fullname'] = "Full name";
 $messages['label_identifier'] = "Identifier";
+$messages['label_ip'] = "IP Address";
 $messages['label_l'] = "Locality";
 $messages['label_lastname'] = "Last name";
 $messages['label_mail'] = "Mail";
@@ -70,16 +79,19 @@
 $messages['label_pwdfailuretime'] = "Last authentication failures";
 $messages['label_pwdpolicysubentry'] = "Associated password policy";
 $messages['label_pwdreset'] = "Reset password at next connection";
+$messages['label_result'] = "Result";
 $messages['label_secretary'] = "Secretary";
 $messages['label_state'] = "State";
 $messages['label_street'] = "Street";
 $messages['label_title'] = "Title";
+$messages['label_user_dn'] = "User";
 $messages['ldaperror'] = "LDAP communication error";
 $messages['lockaccount'] = "Lock account";
 $messages['lockedaccounts'] = "Locked accounts";
 $messages['logout'] = "Logout";
 $messages['newpassword'] = "New password";
 $messages['noentriesfound'] = "No entries found";
+$messages['noeventsfound'] = "No events found";
 $messages['notdefined'] = "Not defined";
 $messages['password'] = "Password";
 $messages['passwordchanged'] = "Password changed";

lang/fr.inc.php

@@ -6,6 +6,8 @@
 
 $messages['accountenabled'] = "Le compte est activé";
 $messages['accountdisabled'] = "Le compte est désactivé";
+$messages['auditlogs'] = "Audit";
+$messages['auditlogtitle'] = "Traces d'audit pour les $audit_log_days derniers jours";
 $messages['accountlocked'] = "Le compte est bloqué";
 $messages['accountnotdisabled'] = "Échec de la désactivation du compte";
 $messages['accountnotenabled'] = "Échec de l'activation du compte";
@@ -30,6 +32,8 @@
 $messages['enableaccount'] = "Activer le compte";
 $messages['entriesfound'] = "entrées trouvées";
 $messages['entryfound'] = "entrée trouvée";
+$messages['eventfound'] = "événement trouvé";
+$messages['eventsfound'] = "événements trouvés";
 $messages['expiredaccounts'] = "Mots de passe expirés";
 $messages['false'] = "Non";
 $messages['forcereset'] = "Forcer la réinitialisation à la prochaine connexion";
@@ -39,19 +43,24 @@
 $messages['pager_all'] = "Tout";
 $messages['print_all'] = "Imprimer tous les résultats";
 $messages['print_page'] = "Imprimer cette page";
+$messages['label_action'] = "Action";
 $messages['label_authtimestamp'] = "Dernière authentification";
 $messages['label_businesscategory'] = "Catégorie";
 $messages['label_carlicense'] = "Permis de conduire";
+$messages['label_comment'] = "Commentaire";
 $messages["label_created"] = "Créé";
+$messages['label_date'] = "Date";
 $messages['label_description'] = "Description";
 $messages['label_displayname'] = "Nom d'affichage";
+$messages['label_done_by'] = "Fait par";
 $messages['label_employeenumber'] = "Numéro d'employé";
 $messages['label_employeetype'] = "Type d'employé";
 $messages['label_expirationdate'] = "Date d'expiration";
 $messages['label_fax'] = "Télécopie";
 $messages['label_firstname'] = "Prénom";
 $messages['label_fullname'] = "Nom complet";
 $messages['label_identifier'] = "Identifiant";
+$messages['label_ip'] = "Adresse IP";
 $messages['label_l'] = "Ville";
 $messages['label_lastname'] = "Nom";
 $messages['label_mail'] = "Courriel";
@@ -70,16 +79,19 @@
 $messages['label_pwdfailuretime'] = "Derniers échecs d'authentification";
 $messages['label_pwdpolicysubentry'] = "Politique des mots de passe associée";
 $messages['label_pwdreset'] = "Réinitialisation du mot de passe à la prochaine connexion";
+$messages['label_result'] = "Résultat";
 $messages['label_secretary'] = "Secrétaire";
 $messages['label_state'] = "État";
 $messages['label_street'] = "Voie";
 $messages['label_title'] = "Titre";
+$messages['label_user_dn'] = "Utilisateur";
 $messages['ldaperror'] = "Erreur de communication avec l'annuaire LDAP";
 $messages['lockaccount'] = "Bloquer le compte";
 $messages['lockedaccounts'] = "Comptes bloqués";
 $messages['logout'] = "Déconnexion";
 $messages['newpassword'] = "Nouveau mot de passe";
 $messages['noentriesfound'] = "Aucune entrée trouvée";
+$messages['noeventsfound'] = "Aucun événement trouvé";
 $messages['notdefined'] = "Non renseigné";
 $messages['password'] = "Mot de passe";
 $messages['passwordchanged'] = "Le mot de passe a été changé";

lib/audit.inc.php

@@ -1,4 +1,5 @@
 <?php
+
 function auditlog($file, $dn, $admin, $action, $result, $comment) {
 
  $log = array(
@@ -16,4 +17,44 @@ function auditlog($file, $dn, $admin, $action, $result, $comment) {
 
  file_put_contents($file, json_encode($log, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) . PHP_EOL, FILE_APPEND | LOCK_EX);
 }
-?>
+
+function displayauditlog($audit_log_file, $audit_log_days, $audit_log_sortby, $audit_log_reverse) {
+
+ $events = array();
+
+ # Date calculation to limit oldest audit logs
+ $olddatelog = new DateTime();
+ date_sub( $olddatelog, new DateInterval('P'.$audit_log_days.'D') );
+
+ foreach(file($audit_log_file) as $line) {
+ $json = json_decode($line, true);
+ $logdate = DateTimeImmutable::createFromFormat("D, d M Y H:i:s", $json['date']);
+ if ($logdate > $olddatelog) {
+ $json['date'] = date_format($logdate, "Y-m-d H:i:s");
+ array_push($events, $json);
+ }
+ }
+
+ # Sort audit log with sort key and normal/reverse order
+ dateSort($events, $audit_log_sortby, $audit_log_reverse);
+
+ $nb_events = sizeof($events);
+
+ return [$events,$nb_events];
+}
+
+function dateSort(array &$events, $sortkey, $audit_log_reverse) {
+ $reverse_order = fn($a, $b) => strtotime($a[$sortkey]) < strtotime($b[$sortkey]);
+ $normal_order = fn($a, $b) => strtotime($a[$sortkey]) > strtotime($b[$sortkey]);
+
+ if ($audit_log_reverse) {
+ usort($events, $reverse_order);
+ }
+ else {
+ usort($events, $normal_order);
+ }
+
+ return true;
+}
+
+?>

templates/auditlog.tpl

@@ -0,0 +1,7 @@
+<div class="alert alert-warning">
+ {if $nb_events==0}{$msg_noeventsfound}{elseif $nb_events==1}{$nb_events} {$msg_eventfound}{else}{$nb_events} {$msg_eventsfound}{/if}
+</div>
+
+<table id="search-listing" class="table table-striped table-hover table-condensed dataTable">
+ {include 'listing_table.tpl' display="audit"}
+</table>