- <?php
- /**
- * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
- namespace OC\Log;
- use OC\Core\Controller\SetupController;
- use OC\Security\IdentityProof\Key;
- use OC\Setup;
- use OC\SystemConfig;
- use OCA\Encryption\Controller\RecoveryController;
- use OCA\Encryption\Controller\SettingsController;
- use OCA\Encryption\Crypto\Crypt;
- use OCA\Encryption\Crypto\Encryption;
- use OCA\Encryption\Hooks\UserHooks;
- use OCA\Encryption\KeyManager;
- use OCA\Encryption\Session;
- use OCP\HintException;
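/**
 * Turns a Throwable into a plain array for logging, replacing the arguments of
 * stack frames that are known to carry secrets with a placeholder.
 *
 * What is and is not filtered (as implemented below):
 * - Only the 'args' of trace frames are redacted. 'Message', 'File', 'Line'
 *   and 'Hint' are copied through unchanged, so a secret interpolated into an
 *   exception message still reaches the log.
 * - Every top-level argument of a sensitive frame is remembered, and any
 *   strictly equal value found in the args of other frames (at any nesting
 *   depth) is replaced as well. Common values such as null or '' passed to a
 *   sensitive method are therefore redacted everywhere in that trace.
 * - A secret that is nested inside an array or object passed to a sensitive
 *   method is not remembered on its own; only the enclosing argument is.
 */
class ExceptionSerializer
{
    public const SENSITIVE_VALUE_PLACEHOLDER = '*** sensitive parameters replaced ***';

    /**
     * Function names whose arguments are always redacted, regardless of class.
     * Matching is by substring (str_contains), so an entry also covers every
     * function whose name merely contains it, and '{closure}' covers closures.
     */
    public const methodsWithSensitiveParameters = [
        // Session/User
        'completeLogin',
        'login',
        'checkPassword',
        'checkPasswordNoLogging',
        'loginWithPassword',
        'updatePrivateKeyPassword',
        'validateUserPass',
        'loginWithToken',
        '{closure}',
        'createSessionToken',
        // Provisioning
        'addUser',
        // TokenProvider
        'getToken',
        'isTokenPassword',
        'getPassword',
        'decryptPassword',
        'logClientIn',
        'generateToken',
        'validateToken',
        // TwoFactorAuth
        'solveChallenge',
        'verifyChallenge',
        // ICrypto
        'calculateHMAC',
        'encrypt',
        'decrypt',
        // LoginController
        'tryLogin',
        'confirmPassword',
        // LDAP
        'bind',
        'areCredentialsValid',
        'invokeLDAPMethod',
        // Encryption
        'storeKeyPair',
        'setupUser',
        'checkSignature',
        // files_external: OCA\Files_External\MountConfig
        'getBackendStatus',
        // files_external: UserStoragesController
        'update',
        // Preview providers, don't log big data strings
        'imagecreatefromstring',
        // text: PublicSessionController, SessionController and ApiService
        'create',
        'close',
        'push',
        'sync',
        'updateSession',
        'mention',
        'loginSessionUser',
    ];

    /**
     * Sensitive methods keyed by class name. Unlike the global list, both the
     * class name and the method name must match exactly.
     *
     * @var array<string, list<string>>
     */
    protected array $methodsWithSensitiveParametersByClass = [
        SetupController::class => [
            'run',
            'display',
            'loadAutoConfig',
        ],
        Setup::class => [
            'install',
        ],
        Key::class => [
            '__construct',
        ],
        \Redis::class => [
            'auth',
        ],
        \RedisCluster::class => [
            '__construct',
        ],
        Crypt::class => [
            'symmetricEncryptFileContent',
            'encrypt',
            'generatePasswordHash',
            'encryptPrivateKey',
            'decryptPrivateKey',
            'isValidPrivateKey',
            'symmetricDecryptFileContent',
            'checkSignature',
            'createSignature',
            'decrypt',
            'multiKeyDecrypt',
            'multiKeyEncrypt',
        ],
        RecoveryController::class => [
            'adminRecovery',
            'changeRecoveryPassword',
        ],
        SettingsController::class => [
            'updatePrivateKeyPassword',
        ],
        Encryption::class => [
            'encrypt',
            'decrypt',
        ],
        KeyManager::class => [
            'checkRecoveryPassword',
            'storeKeyPair',
            'setRecoveryKey',
            'setPrivateKey',
            'setFileKey',
            'setAllFileKeys',
        ],
        Session::class => [
            'setPrivateKey',
            'prepareDecryptAll',
        ],
        \OCA\Encryption\Users\Setup::class => [
            'setupUser',
        ],
        UserHooks::class => [
            'login',
            'postCreateUser',
            'postDeleteUser',
            'prePasswordReset',
            'postPasswordReset',
            'preSetPassphrase',
            'setPassphrase',
        ],
    ];

    public function __construct(
        private SystemConfig $systemConfig,
    ) {
    }

    /**
     * Redact one sensitive frame and remember its arguments.
     *
     * @param array $sensitiveValues accumulator, extended in place with the frame's args
     * @param array $traceLine       one stack frame
     * @return array the frame with 'args' replaced by a single placeholder
     */
    private function editTrace(array &$sensitiveValues, array $traceLine): array
    {
        if (isset($traceLine['args'])) {
            $sensitiveValues = array_merge($sensitiveValues, $traceLine['args']);
        }
        $traceLine['args'] = [self::SENSITIVE_VALUE_PLACEHOLDER];

        return $traceLine;
    }

    /**
     * Redact the trace in two passes: first blank the args of sensitive frames
     * while collecting them, then replace every occurrence of a collected value
     * in the remaining frames.
     *
     * @param array $trace list of stack frames
     * @return array the filtered frames
     */
    private function filterTrace(array $trace): array
    {
        $sensitiveValues = [];

        // Pass 1: frames of listed methods lose their args entirely.
        $trace = array_map(function (array $traceLine) use (&$sensitiveValues) {
            $className = $traceLine['class'] ?? '';
            if ($className && isset($this->methodsWithSensitiveParametersByClass[$className])
                && in_array($traceLine['function'], $this->methodsWithSensitiveParametersByClass[$className], true)) {
                return $this->editTrace($sensitiveValues, $traceLine);
            }
            foreach (self::methodsWithSensitiveParameters as $sensitiveMethod) {
                // Substring match: deliberately broad, see the constant's doc.
                if (str_contains($traceLine['function'], $sensitiveMethod)) {
                    return $this->editTrace($sensitiveValues, $traceLine);
                }
            }

            return $traceLine;
        }, $trace);

        // Pass 2: a secret passed up or down the call chain shows up in the
        // args of unlisted frames too; scrub those by value.
        return array_map(function (array $traceLine) use ($sensitiveValues) {
            if (isset($traceLine['args'])) {
                $traceLine['args'] = $this->removeValuesFromArgs($traceLine['args'], $sensitiveValues);
            }

            return $traceLine;
        }, $trace);
    }

    /**
     * Replace every element that is strictly equal to one of $values with the
     * placeholder, descending into nested arrays.
     *
     * Keys are preserved so that encoded objects keep their '__class__' and
     * property names, and associative arrays keep theirs, in the log output.
     *
     * @param array $args   arguments (or a nested array within them)
     * @param array $values values collected from sensitive frames
     * @return array the scrubbed copy of $args
     */
    private function removeValuesFromArgs(array $args, array $values): array
    {
        $workArgs = [];
        foreach ($args as $key => $arg) {
            if (in_array($arg, $values, true)) {
                $arg = self::SENSITIVE_VALUE_PLACEHOLDER;
            } elseif (is_array($arg)) {
                $arg = $this->removeValuesFromArgs($arg, $values);
            }
            $workArgs[$key] = $arg;
        }

        return $workArgs;
    }

    /**
     * Encode the args of every frame into plain arrays and scalars, then filter.
     *
     * Encoding happens before filtering, so objects are compared by their
     * encoded array form during redaction.
     *
     * @param array $trace list of stack frames
     * @return array the encoded and filtered frames
     */
    private function encodeTrace(array $trace): array
    {
        $encoded = array_map(function (array $line) {
            if (isset($line['args'])) {
                $line['args'] = array_map(fn ($arg) => $this->encodeArg($arg), $line['args']);
            }

            return $line;
        }, $trace);

        return $this->filterTrace($encoded);
    }

    /**
     * Recursively convert one argument into arrays and scalars.
     *
     * Objects become an array holding '__class__' plus whatever
     * get_object_vars() exposes to this class. Recursion stops after
     * $nestingLevel levels, and arrays are cut to five elements unless the
     * configured 'loglevel' is 0.
     *
     * @param mixed $arg          value to encode
     * @param int   $nestingLevel remaining depth before encoding is skipped
     * @return mixed the encoded value; non-object, non-array values are returned as is
     */
    private function encodeArg(mixed $arg, int $nestingLevel = 5): mixed
    {
        if (is_object($arg)) {
            if ($nestingLevel === 0) {
                return [
                    '__class__' => get_class($arg),
                    '__properties__' => 'Encoding skipped as the maximum nesting level was reached',
                ];
            }

            $objectInfo = ['__class__' => get_class($arg)];
            $objectVars = get_object_vars($arg);

            return array_map(function ($arg) use ($nestingLevel) {
                return $this->encodeArg($arg, $nestingLevel - 1);
            }, array_merge($objectInfo, $objectVars));
        }

        if (is_array($arg)) {
            if ($nestingLevel === 0) {
                return ['Encoding skipped as the maximum nesting level was reached'];
            }

            // Only log the first 5 elements of an array unless we are on debug
            if ((int)$this->systemConfig->getValue('loglevel', 2) !== 0) {
                $elemCount = count($arg);
                if ($elemCount > 5) {
                    $arg = array_slice($arg, 0, 5);
                    $arg[] = 'And ' . ($elemCount - 5) . ' more entries, set log level to debug to see all entries';
                }
            }

            return array_map(function ($e) use ($nestingLevel) {
                return $this->encodeArg($e, $nestingLevel - 1);
            }, $arg);
        }

        return $arg;
    }

    /**
     * Serialize an exception, and recursively its chain of previous
     * exceptions, into an array suitable for the log.
     *
     * Only 'Trace' is filtered. The message, file, line and hint are logged
     * exactly as the exception reports them.
     *
     * @return array with keys Exception, Message, Code, Trace, File, Line and,
     *               when applicable, Hint and Previous
     */
    public function serializeException(\Throwable $exception): array
    {
        $data = [
            'Exception' => get_class($exception),
            'Message' => $exception->getMessage(),
            'Code' => $exception->getCode(),
            'Trace' => $this->encodeTrace($exception->getTrace()),
            'File' => $exception->getFile(),
            'Line' => $exception->getLine(),
        ];

        if ($exception instanceof HintException) {
            $data['Hint'] = $exception->getHint();
        }

        if ($exception->getPrevious()) {
            $data['Previous'] = $this->serializeException($exception->getPrevious());
        }

        return $data;
    }

    /**
     * Register additional methods of $class whose arguments must be redacted.
     * Entries are matched exactly, by class name and method name.
     *
     * @param string $class   class name as it appears in a trace frame
     * @param array  $methods method names to add; duplicates are collapsed
     */
    public function enlistSensitiveMethods(string $class, array $methods): void
    {
        $known = $this->methodsWithSensitiveParametersByClass[$class] ?? [];
        $this->methodsWithSensitiveParametersByClass[$class] = array_values(array_unique(array_merge($known, $methods)));
    }
}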