Adding logging in Traffic Ops, to show which login mechanism was used…

… by the client
rimashah25 · May 22, 2024 · 66c107d · 66c107d
1 parent a892235
commit 66c107d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [unreleased]
 ### Added
+- [#8014](https://github.com/apache/trafficcontrol/pull/8014) *Traffic Ops* Added logs to indicate which mechanism a client used to login to TO.
 - [#7812](https://github.com/apache/trafficcontrol/pull/7812) *Traffic Portal*: Expose the `configUpdateFailed` and `revalUpdateFailed` fields on the server table.
 - [#7870](https://github.com/apache/trafficcontrol/pull/7870) *Traffic Portal*: Adds a hyperlink to the DSR page to the DS itself for ease of navigation.
 - [#7896](https://github.com/apache/trafficcontrol/pull/7896) *ATC Build system*: Count commits since the last release, not commits

diff --git a/traffic_ops/traffic_ops_golang/login/login.go b/traffic_ops/traffic_ops_golang/login/login.go
@@ -175,6 +175,7 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 
 		// Failed certificate-based auth, perform standard form auth
 		if !authenticated {
+			log.Infof("user %s could not be authenticated using client certificates", form.Username)
 			// Perform form authentication
 			if err := json.NewDecoder(r.Body).Decode(&form); err != nil {
 				api.HandleErr(w, r, nil, http.StatusBadRequest, err, nil)
@@ -212,17 +213,25 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 			if err != nil {
 				log.Errorf("checking local user password: %s\n", err)
 			}
-			var ldapErr error
-			if !authenticated && cfg.LDAPEnabled {
+			if authenticated {
+				log.Infof("user %s successfully authenticated using username/ password", form.Username)
+			} else if cfg.LDAPEnabled {
+				var ldapErr error
 				authenticated, ldapErr = auth.CheckLDAPUser(form, cfg.ConfigLDAP)
 				if ldapErr != nil {
+					log.Infof("user %s could not be successfully authenticated using LDAP", form.Username)
 					log.Errorf("checking ldap user: %s\n", ldapErr.Error())
+				} else {
+					log.Infof("user %s successfully authenticated using LDAP", form.Username)
 				}
 			}
+		} else {
+			log.Infof("user %s successfully authenticated using client certificates", form.Username)
 		}
 
 		// Failed to authenticate in either local DB or LDAP, return unauthorized
 		if !authenticated {
+			log.Infof("user %s could not be successfully authenticated using username/ password", form.Username)
 			resp = tc.CreateAlerts(tc.ErrorLevel, "Invalid username or password.")
 			w.WriteHeader(http.StatusUnauthorized)
 			api.WriteRespRaw(w, r, resp)