diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 000000000..accdc0bc1
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,5 @@
+### Pull Request Checklist (Feature Branch to `next`):
+
+- [ ] Ich habe die neuesten Änderungen aus dem `next` Branch in meinen Feature-Branch gemergt.
+- [ ] Das Code-Review wurde abgeschlossen.
+- [ ] Fachliche Tests wurden durchgeführt und sind abgeschlossen.
diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml
index 22ce2b1ba..4fb48fe6b 100644
--- a/.github/workflows/static.yaml
+++ b/.github/workflows/static.yaml
@@ -1,21 +1,16 @@
-# Workflow for deploying zmsapi PHP and Node.js static content to Pages
-name: Deploy zmsapi static content to Pages
+# Workflow for deploying API documentation to Pages
+name: Deploy API Documentation to Pages
on:
- # Runs on pushes targeting the default branch (main)
push:
branches: ["main"]
-
- # Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
concurrency:
group: "pages"
cancel-in-progress: false
@@ -28,64 +23,61 @@ jobs:
runs-on: ubuntu-latest
steps:
- # Step 1: Checkout the repository
- name: Checkout
uses: actions/checkout@v4
- # Step 2: Set up PHP environment
- name: Set up PHP
uses: shivammathur/setup-php@v2
with:
- php-version: '8.0' # Specify PHP version as per your requirement
+ php-version: '8.0'
extensions: mbstring, json
tools: composer
- # Step 3: Install PHP dependencies for zmsapi
- name: Install PHP dependencies
run: |
composer install --working-dir=zmsapi
+ composer install --working-dir=zmscitizenapi
- # Step 4: Run PHP post-install scripts for zmsapi
- name: Run PHP post-install scripts
run: |
cd zmsapi && bin/configure && composer run-script post-install-cmd && cd ..
+ cd zmscitizenapi && bin/configure && composer run-script post-install-cmd && cd ..
- # Step 5: Set up Node.js environment
- name: Set up Node.js
uses: actions/setup-node@v3
with:
- node-version: '16' # Specify Node.js version as needed
+ node-version: '16'
- # Step 6: Install Node.js dependencies for zmsapi
- - name: Install Node.js dependencies for zmsapi
+ - name: Install Node.js dependencies
run: |
- cd zmsapi
- npm install
+ cd zmsapi && npm install && cd ..
+ cd zmscitizenapi && npm install && cd ..
- # Step 7: Build the project for zmsapi
- - name: Build zmsapi
+ - name: Build projects
run: |
- cd zmsapi
- npm run build
+ cd zmsapi && npm run build && cd ..
+ cd zmscitizenapi && npm run build && cd ..
- # Step 8: Generate Swagger documentation for zmsapi
- name: Generate Swagger documentation
run: |
cd zmsapi
npm run doc
npx swagger-cli bundle -o public/doc/swagger.json public/doc/swagger.yaml
+ cd ..
+
+ cd zmscitizenapi
+ npm run doc
+ npx swagger-cli bundle -o public/doc/swagger.json public/doc/swagger.yaml
+ cd ..
- # Step 9: Set up GitHub Pages for deployment
- name: Setup Pages
uses: actions/configure-pages@v5
- # Step 10: Upload the static content to GitHub Pages
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
- path: '.' # Upload the entire repository, including the generated docs
+ path: '.'
- # Step 11: Deploy to GitHub Pages
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
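Review bot: `path: '.'` in the Upload artifact step publishes the whole workspace to Pages, and by that point the job has run `composer install`, `bin/configure` and `npm install` for two projects, so `vendor/`, `node_modules/` and whatever `bin/configure` writes are served alongside the docs. Publishing only the generated documentation keeps the public surface small: copy `zmsapi/public/doc` and `zmscitizenapi/public/doc` into a staging directory in a step before the upload and set `path: '_site'`. Separately, `npm install` and `npx swagger-cli` resolve versions at run time in a job that holds `pages: write` and `id-token: write`; `npm ci` against a committed lockfile would make the build reproducible, assuming both projects ship one.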
diff --git a/zmsadmin/src/Zmsadmin/Oidc.php b/zmsadmin/src/Zmsadmin/Oidc.php
index b11e65462..8ee8fb657 100644
--- a/zmsadmin/src/Zmsadmin/Oidc.php
+++ b/zmsadmin/src/Zmsadmin/Oidc.php
@@ -23,34 +23,32 @@ public function readResponse(
$state = $request->getParam("state");
$authKey = \BO\Zmsclient\Auth::getKey();
- // Log state validation attempt
- error_log(json_encode([
+ \App::$log->info('OIDC state validation', [
'event' => 'oauth_state_validation',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsadmin',
'state_match' => ($state == $authKey)
- ]));
+ ]);
if ($state == $authKey) {
try {
$workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity();
$username = $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider();
- // Log workstation access with username
- error_log(json_encode([
+ \App::$log->info('OIDC workstation access', [
'event' => 'oauth_workstation_access',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsadmin',
'username' => $username,
'workstation_id' => $workstation->id ?? 'unknown'
- ]));
+ ]);
$departmentCount = $workstation->getUseraccount()->getDepartmentList()->count();
// Log department check with username
- error_log(json_encode([
+ \App::$log->info('OIDC department check', [
'event' => 'oauth_department_check',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
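Review bot: The state check `if ($state == $authKey)` (and the logged `state_match`) uses loose comparison, so a request with no `state` parameter would match whenever `Auth::getKey()` also returns an empty or null value, and the comparison is not constant-time. A stricter guard would be `is_string($state) && is_string($authKey) && $authKey !== '' && hash_equals($authKey, $state)`, computed once and reused for both the log field and the branch; what `getKey()` returns when no key is set is not visible here, so confirm that first. The same lines appear in the first hunk of zmsstatistic/src/Zmsstatistic/Oidc.php. `readResponse` starts above this hunk and continues past it.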
@@ -58,7 +56,7 @@ public function readResponse(
'username' => $username,
'department_count' => $departmentCount,
'has_departments' => ($departmentCount > 0)
- ]));
+ ]);
if (0 == $departmentCount) {
return \BO\Slim\Render::redirect(
@@ -76,38 +74,37 @@ public function readResponse(
);
} catch (\Exception $e) {
// Log workstation access error
- error_log(json_encode([
+ \App::$log->error('OIDC workstation error', [
'event' => 'oauth_workstation_error',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsadmin',
'error' => $e->getMessage(),
'code' => $e->getCode()
- ]));
+ ]);
throw $e;
}
}
// Log invalid state
- error_log(json_encode([
+ \App::$log->error('OIDC invalid state', [
'event' => 'oauth_invalid_state',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsadmin'
- ]));
+ ]);
throw new \BO\Slim\Exception\OAuthInvalid();
} catch (\Exception $e) {
- // Log any uncaught exceptions
- error_log(json_encode([
+ \App::$log->error('OIDC error', [
'event' => 'oauth_error',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsadmin',
'error' => $e->getMessage(),
'code' => $e->getCode()
- ]));
+ ]);
throw $e;
}
}
diff --git a/zmsadmin/templates/block/emergency/emergency.twig b/zmsadmin/templates/block/emergency/emergency.twig
index 59fc3d3eb..ac2ba3f62 100644
--- a/zmsadmin/templates/block/emergency/emergency.twig
+++ b/zmsadmin/templates/block/emergency/emergency.twig
@@ -7,10 +7,11 @@
data-state="clear"
data-source="">
{% embed "block/scaffholding/board.twig" with {'class': "emergency__display-box"} %} {# do NOT use class exception here! #}
diff --git a/zmsapi/composer.json b/zmsapi/composer.json
index 857d5d1e2..77bb891ac 100644
--- a/zmsapi/composer.json
+++ b/zmsapi/composer.json
@@ -47,8 +47,8 @@
"scripts": {
"clean": "rm -f public/doc/assets/*.* && rm -f public/_test/assets/*.*",
"command": "bin/configure",
+ "prepare-dirs": "mkdir -p public/_test/assets && mkdir -p public/doc/assets",
"wget-files": [
- "wget https://eappointment.gitlab.io/zmsapi/doc/swagger.json -O public/doc/swagger.json",
"wget https://eappointment.gitlab.io/zmsapi/doc/assets/redoc.min.js -O public/doc/assets/redoc.min.js",
"wget https://eappointment.gitlab.io/zmsapi/_test/assets/swagger-ui-bundle.js -O public/_test/assets/swagger-ui-bundle.js",
"wget https://eappointment.gitlab.io/zmsapi/_test/assets/swagger-ui.css -O public/_test/assets/swagger-ui.css",
@@ -56,9 +56,11 @@
"sha256sum --status -c checksums.txt"
],
"post-install-cmd": [
+ "@prepare-dirs",
"@wget-files"
],
"post-update-cmd": [
+ "@prepare-dirs",
"@wget-files"
]
},
diff --git a/zmscitizenapi/checksums.txt b/zmscitizenapi/checksums.txt
new file mode 100644
index 000000000..a8b6fac1b
--- /dev/null
+++ b/zmscitizenapi/checksums.txt
@@ -0,0 +1,4 @@
+7f700a62cf9c402a09313486b461a06233a4f46ed29d8e38f27f07668fc60591 public/doc/assets/redoc.min.js
+73cc9ec630f285bebd75544742055fa89792543ef989e985cbfed217412f6d34 public/_test/assets/swagger-ui-bundle.js
+f9e1d39b7fe5b0b472743b42be2b472249feae67c89d63593ce72674c33ca4dd public/_test/assets/swagger-ui.css
+68a210d666aa74d72f3001757474a52ba3c5dd03deac11803d2e9ec9c8d6a3c1 public/_test/assets/swagger-ui-standalone-preset.js
\ No newline at end of file
diff --git a/zmscitizenapi/composer.json b/zmscitizenapi/composer.json
index b044bc226..91dad7982 100644
--- a/zmscitizenapi/composer.json
+++ b/zmscitizenapi/composer.json
@@ -38,10 +38,20 @@
"scripts": {
"clean": "rm -f public/doc/assets/*.* && rm -f public/_test/assets/*.*",
"command": "bin/configure",
+ "prepare-dirs": "mkdir -p public/_test/assets && mkdir -p public/doc/assets",
+ "wget-files": [
+ "wget https://eappointment.gitlab.io/zmsapi/doc/assets/redoc.min.js -O public/doc/assets/redoc.min.js",
+ "wget https://eappointment.gitlab.io/zmsapi/_test/assets/swagger-ui-bundle.js -O public/_test/assets/swagger-ui-bundle.js",
+ "wget https://eappointment.gitlab.io/zmsapi/_test/assets/swagger-ui.css -O public/_test/assets/swagger-ui.css",
+ "wget https://eappointment.gitlab.io/zmsapi/_test/assets/swagger-ui-standalone-preset.js -O public/_test/assets/swagger-ui-standalone-preset.js",
+ "sha256sum --status -c checksums.txt"
+ ],
"post-install-cmd": [
+ "@prepare-dirs",
"@wget-files"
],
"post-update-cmd": [
+ "@prepare-dirs",
"@wget-files"
]
},
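Review bot: Each `wget … -O public/…` entry in `wget-files` writes straight to its final path under `public/`, and `sha256sum --status -c checksums.txt` only runs afterwards, so on a mismatch the script fails but the unverified JavaScript stays in the web root, and `--status` hides which file failed. Consider downloading into a temporary directory and moving the files into `public/` only after the check passes, and dropping `--status` so the failing file is named in the install output. zmsapi/composer.json uses the same `wget-files` sequence.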
diff --git a/zmsdb/src/Zmsdb/Helper/CalculateSlots.php b/zmsdb/src/Zmsdb/Helper/CalculateSlots.php
index 582d297c5..e1d6f93ee 100644
--- a/zmsdb/src/Zmsdb/Helper/CalculateSlots.php
+++ b/zmsdb/src/Zmsdb/Helper/CalculateSlots.php
@@ -166,7 +166,7 @@ public function writePostProcessingByScope(\BO\Zmsentities\Scope $scope, \DateTi
}
}
- public function writeCanceledSlots(\DateTimeInterface $now, $modify = '+10 minutes')
+ public function writeCanceledSlots(\DateTimeInterface $now, $modify = '+5 minutes')
{
\BO\Zmsdb\Connection\Select::getWriteConnection();
$slotQuery = new \BO\Zmsdb\Slot();
diff --git a/zmsslim/src/Slim/Application.php b/zmsslim/src/Slim/Application.php
index e854bce3a..de5db074d 100644
--- a/zmsslim/src/Slim/Application.php
+++ b/zmsslim/src/Slim/Application.php
@@ -24,7 +24,7 @@ class Application
* if debug is enabled, an exception is shown with a backtrace
*/
const DEBUG = false;
- const DEBUGLEVEL = 'WARNING';
+ const DEBUGLEVEL = 'DEBUG';
const SESSION_DURATION = ZMS_SESSION_DURATION;
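Review bot: `DEBUGLEVEL = 'DEBUG'` as the default on the base `Application` class turns on the most verbose level for any application that does not override the constant. The same commit adds info-level OIDC events carrying usernames, workstation ids and client addresses, so these would now be written in every deployment unless overridden. Keeping `const DEBUGLEVEL = 'WARNING';` here and raising the level per environment would avoid shipping verbose logging by default; whether subclasses or configuration override the constant is not visible in this hunk.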
diff --git a/zmsslim/src/Slim/Bootstrap.php b/zmsslim/src/Slim/Bootstrap.php
index 0a9482c8a..935937083 100644
--- a/zmsslim/src/Slim/Bootstrap.php
+++ b/zmsslim/src/Slim/Bootstrap.php
@@ -3,7 +3,7 @@
use App;
use Monolog\Formatter\JsonFormatter;
-use Monolog\Handler\ErrorLogHandler;
+use Monolog\Handler\StreamHandler;
use Monolog\Logger;
use Slim\HttpCache\CacheProvider;
use BO\Slim\Factory\ResponseFactory;
@@ -76,8 +76,26 @@ protected function configureLogger(string $level, string $identifier): void
{
App::$log = new Logger($identifier);
$level = $this->parseDebugLevel($level);
- $handler = new ErrorLogHandler(ErrorLogHandler::OPERATING_SYSTEM, $level);
- $handler->setFormatter(new JsonFormatter());
+ $handler = new StreamHandler('php://stderr', $level);
+
+ $formatter = new JsonFormatter();
+
+ // Add processor to format time_local first
+ App::$log->pushProcessor(function ($record) {
+ return array(
+ 'time_local' => (new \DateTime())->format('Y-m-d\TH:i:sP'),
+ 'client_ip' => $_SERVER['REMOTE_ADDR'] ?? '',
+ 'remote_addr' => $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '',
+ 'remote_user' => '',
+ 'application' => 'zmsslim',
+ 'message' => $record['message'],
+ 'level' => $record['level_name'],
+ 'context' => $record['context'],
+ 'extra' => $record['extra']
+ );
+ });
+
+ $handler->setFormatter($formatter);
App::$log->pushHandler($handler);
}
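Review bot: `remote_addr` is filled from `HTTP_X_FORWARDED_FOR`, which the client can set to any value unless a trusted proxy overwrites it, so the log field meant for the peer address may hold attacker-chosen text. The closure also returns a new array instead of the record it was given, which drops `channel` and `datetime` and replaces the numeric `level` with its name; handlers and later processors that read those keys may misbehave, depending on the Monolog version in use. Extending the record avoids both: `$record['extra']['client_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';`, `$record['extra']['forwarded_for'] = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';`, `return $record;`. The hard-coded `'application' => 'zmsslim'` also ignores the `$identifier` already passed to `configureLogger`.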
diff --git a/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php b/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php
index 5af03932e..0b6fcfca0 100644
--- a/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php
+++ b/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php
@@ -9,7 +9,6 @@
/**
* @SuppressWarnings(PHPMD)
*/
-
class KeycloakInstance
{
protected $provider = null;
@@ -17,6 +16,7 @@ class KeycloakInstance
public function __construct()
{
$this->provider = new Keycloak\Provider();
+ $this->logger = \App::$log;
return $this;
}
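Review bot: `$this->logger` is assigned in the constructor, but no `$logger` property declaration is visible next to `protected $provider = null;`, which would make it a dynamic property (deprecated as of PHP 8.2). The later hunks in this file then mix `$this->logger->error(...)` with `\App::$log->info(...)`; if `\App::$log` is not yet configured when the object is built, the two diverge and the `error` calls would fail on null. Either declare `protected $logger = null;` or use `\App::$log` throughout.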
@@ -27,19 +27,40 @@ public function getProvider()
public function doLogin(ServerRequestInterface $request, ResponseInterface $response)
{
- $accessToken = $this->getAccessToken($request->getParam("code"));
- $this->testAccess($accessToken);
- $ownerInputData = $this->provider->getResourceOwnerData($accessToken);
- $this->testOwnerData($ownerInputData);
+ \App::$log->info('OIDC login attempt', [
+ 'event' => 'oauth_login_start',
+ 'timestamp' => date('c')
+ ]);
+
try {
+ $accessToken = $this->getAccessToken($request->getParam("code"));
+ $this->testAccess($accessToken);
+ $ownerInputData = $this->provider->getResourceOwnerData($accessToken);
+ $this->testOwnerData($ownerInputData);
+
if (\BO\Zmsclient\Auth::getKey()) {
+ \App::$log->info('Clearing existing session', [
+ 'event' => 'oauth_session_clear',
+ 'timestamp' => date('c')
+ ]);
$this->writeDeleteSession();
}
+
$this->writeTokenToSession($accessToken);
\App::$http
->readPostResult('/workstation/oauth/', $ownerInputData, ['state' => \BO\Zmsclient\Auth::getKey()])
->getEntity();
+
+ \App::$log->info('OIDC login successful', [
+ 'event' => 'oauth_login_success',
+ 'timestamp' => date('c')
+ ]);
} catch (\BO\Zmsclient\Exception $exception) {
+ $this->logger->error('OIDC login failed', [
+ 'event' => 'oauth_login_error',
+ 'timestamp' => date('c'),
+ 'error' => $exception->getMessage()
+ ]);
$this->writeDeleteSession();
\BO\Zmsclient\Auth::removeKey();
\BO\Zmsclient\Auth::removeOidcProvider();
@@ -76,53 +97,112 @@ public function writeNewAccessTokenIfExpired()
private function testAccess(AccessToken $token)
{
- list($header, $payload, $signature) = explode('.', $token->getToken());
-
- // Ensure header, payload, and signature exist
+ \App::$log->info('Validating OIDC token', [
+ 'event' => 'oauth_token_validation',
+ 'timestamp' => date('c')
+ ]);
+
+ list($header, $payload, $signature) = explode('.', $token->getToken());
+
if (empty($header)) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'missing_header'
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
if (empty($payload)) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'missing_payload'
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
if (empty($signature)) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'missing_signature'
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
-
+
$realmData = $this->provider->getBasicOptionsFromJsonFile();
- $accessTokenPayload = json_decode(base64_decode($payload), true);
+
+ // Fix: Properly handle base64url encoding before JSON decoding
+ $payload = str_replace(['-', '_'], ['+', '/'], $payload);
+ $payload = base64_decode($payload . str_repeat('=', 4 - (strlen($payload) % 4)));
+ $accessTokenPayload = json_decode($payload, true);
+
$clientRoles = array();
-
- // Ensure that the payload is correctly decoded
+
if ($accessTokenPayload === null) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'invalid_payload_json',
+ 'error' => json_last_error_msg()
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
-
- // Checking for 'resource_access' and ensuring it's an array
+
if (!isset($accessTokenPayload['resource_access']) || !is_array($accessTokenPayload['resource_access'])) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'invalid_resource_access',
+ 'has_resource_access' => isset($accessTokenPayload['resource_access']),
+ 'resource_access_type' => gettype($accessTokenPayload['resource_access'] ?? null)
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
-
- // Checking if App Identifier exists
+
if (!isset($accessTokenPayload['resource_access'][\App::IDENTIFIER])) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'missing_app_identifier',
+ 'app_identifier' => \App::IDENTIFIER,
+ 'available_resources' => array_keys($accessTokenPayload['resource_access'])
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
-
- // Checking if roles exist for the app identifier
+
$resourceAccess = $accessTokenPayload['resource_access'];
$appIdentifierRoles = $resourceAccess[\App::IDENTIFIER]['roles'] ?? null;
-
+
if (!$appIdentifierRoles || !is_array($appIdentifierRoles)) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'invalid_roles',
+ 'has_roles' => isset($resourceAccess[\App::IDENTIFIER]['roles']),
+ 'roles_type' => gettype($appIdentifierRoles)
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
-
+
if (is_array($accessTokenPayload['resource_access'])) {
$clientRoles = array_values($accessTokenPayload['resource_access'][\App::IDENTIFIER]['roles']);
}
if (!in_array($realmData['accessRole'], $clientRoles)) {
+ $this->logger->error('Token validation failed', [
+ 'event' => 'oauth_token_validation_failed',
+ 'timestamp' => date('c'),
+ 'reason' => 'missing_required_role',
+ 'required_role' => $realmData['accessRole'],
+ 'available_roles' => $clientRoles
+ ]);
throw new \BO\Slim\Exception\OAuthFailed();
}
+
+ \App::$log->info('Token validation successful', [
+ 'event' => 'oauth_token_validation_success',
+ 'timestamp' => date('c')
+ ]);
}
private function testOwnerData(array $ownerInputData)
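Review bot: `testAccess` still only checks that the `$signature` segment is non-empty; nothing in this hunk verifies it, so the role decision rests on the decoded payload alone. That holds only if every token reaching this method came directly from the provider's token endpoint, which is the case in `doLogin` but not visible for other callers; a comment stating that assumption (or a signature check against the realm key) would make it explicit. In the new base64url handling, `4 - (strlen($payload) % 4)` appends four `=` when the length is already a multiple of four; `str_repeat('=', (4 - strlen($payload) % 4) % 4)` pads correctly, and passing `true` as the second argument to `base64_decode` with a `=== false` check would reject malformed input before `json_decode`. The failure logs also record `available_roles` and `available_resources` taken from the token, which is worth a deliberate decision.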
@@ -133,22 +213,41 @@ private function testOwnerData(array $ownerInputData)
}
}
-
private function getAccessToken($code)
{
+ \App::$log->info('Getting access token', [
+ 'event' => 'oauth_get_token',
+ 'timestamp' => date('c')
+ ]);
+
try {
$accessToken = $this->provider->getAccessToken('authorization_code', ['code' => $code]);
+ \App::$log->info('Access token obtained', [
+ 'event' => 'oauth_get_token_success',
+ 'timestamp' => date('c')
+ ]);
+ return $accessToken;
} catch (\Exception $exception) {
+ $this->logger->error('Failed to get access token', [
+ 'event' => 'oauth_get_token_error',
+ 'timestamp' => date('c'),
+ 'error' => $exception->getMessage(),
+ 'exception_class' => get_class($exception)
+ ]);
if ('League\OAuth2\Client\Provider\Exception\IdentityProviderException' === get_class($exception)) {
throw new \BO\Slim\Exception\OAuthFailed();
}
throw $exception;
}
- return $accessToken;
}
private function writeTokenToSession($token)
{
+ \App::$log->info('Writing token to session', [
+ 'event' => 'oauth_write_token',
+ 'timestamp' => date('c')
+ ]);
+
$realmData = $this->provider->getBasicOptionsFromJsonFile();
$sessionHandler = (new \BO\Zmsclient\SessionHandler(\App::$http));
$sessionHandler->open('/'. $realmData['realm'] . '/', $realmData['clientId']);
@@ -158,6 +257,11 @@ private function writeTokenToSession($token)
private function writeDeleteSession()
{
+ \App::$log->info('Deleting session', [
+ 'event' => 'oauth_delete_session',
+ 'timestamp' => date('c')
+ ]);
+
$realmData = $this->provider->getBasicOptionsFromJsonFile();
$sessionHandler = (new \BO\Zmsclient\SessionHandler(\App::$http));
$sessionHandler->open('/'. $realmData['realm'] . '/', $realmData['clientId']);
@@ -166,6 +270,11 @@ private function writeDeleteSession()
private function readTokenDataFromSession()
{
+ \App::$log->info('Reading token from session', [
+ 'event' => 'oauth_read_token',
+ 'timestamp' => date('c')
+ ]);
+
$realmData = $this->provider->getBasicOptionsFromJsonFile();
$sessionHandler = (new \BO\Zmsclient\SessionHandler(\App::$http));
$sessionHandler->open('/'. $realmData['realm'] . '/', $realmData['clientId']);
diff --git a/zmsstatistic/src/Zmsstatistic/Oidc.php b/zmsstatistic/src/Zmsstatistic/Oidc.php
index a62148946..c8e1e1b18 100644
--- a/zmsstatistic/src/Zmsstatistic/Oidc.php
+++ b/zmsstatistic/src/Zmsstatistic/Oidc.php
@@ -23,34 +23,32 @@ public function readResponse(
$state = $request->getParam("state");
$authKey = \BO\Zmsclient\Auth::getKey();
- // Log state validation attempt
- error_log(json_encode([
+ \App::$log->info('OIDC state validation', [
'event' => 'oauth_state_validation',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsstatistic',
'state_match' => ($state == $authKey)
- ]));
+ ]);
if ($state == $authKey) {
try {
$workstation = \App::$http->readGetResult('/workstation/', ['resolveReferences' => 2])->getEntity();
$username = $workstation->getUseraccount()->id . '@' . \BO\Zmsclient\Auth::getOidcProvider();
- // Log workstation access with username
- error_log(json_encode([
+ \App::$log->info('OIDC workstation access', [
'event' => 'oauth_workstation_access',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsstatistic',
'username' => $username,
'workstation_id' => $workstation->id ?? 'unknown'
- ]));
+ ]);
$departmentCount = $workstation->getUseraccount()->getDepartmentList()->count();
// Log department check with username
- error_log(json_encode([
+ \App::$log->info('OIDC department check', [
'event' => 'oauth_department_check',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
@@ -58,7 +56,7 @@ public function readResponse(
'username' => $username,
'department_count' => $departmentCount,
'has_departments' => ($departmentCount > 0)
- ]));
+ ]);
if (0 == $departmentCount) {
return \BO\Slim\Render::redirect(
@@ -75,39 +73,36 @@ public function readResponse(
[]
);
} catch (\Exception $e) {
- // Log workstation access error
- error_log(json_encode([
+ \App::$log->error('OIDC workstation error', [
'event' => 'oauth_workstation_error',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsstatistic',
'error' => $e->getMessage(),
'code' => $e->getCode()
- ]));
+ ]);
throw $e;
}
}
- // Log invalid state
- error_log(json_encode([
+ \App::$log->error('OIDC invalid state', [
'event' => 'oauth_invalid_state',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsstatistic'
- ]));
+ ]);
throw new \BO\Slim\Exception\OAuthInvalid();
} catch (\Exception $e) {
- // Log any uncaught exceptions
- error_log(json_encode([
+ \App::$log->error('OIDC error', [
'event' => 'oauth_error',
'timestamp' => date('c'),
'provider' => \BO\Zmsclient\Auth::getOidcProvider(),
'application' => 'zmsstatistic',
'error' => $e->getMessage(),
'code' => $e->getCode()
- ]));
+ ]);
throw $e;
}
}