Provide an activity log for login and administrative actions

Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish.

Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen:

  - The log itself is useful if there are shenanigans.
  - Password login can check it and start CAPTCHA'ing users after a few failed attempts.

I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow.

Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways.

Reviewers: jungejason, tuomaspelkonen, aran

CC:

Differential Revision: 302

src/applications/auth/controller/login/PhabricatorLoginController.php

@@ -61,6 +61,12 @@ class PhabricatorLoginController extends PhabricatorAuthController {
 
             return id(new AphrontRedirectResponse())
               ->setURI('/');
+          } else {
+            $log = PhabricatorUserLog::newLog(
+              null,
+              $user,
+              PhabricatorUserLog::ACTION_LOGIN_FAILURE);
+            $log->save();
           }
         }
 

src/applications/auth/controller/login/__init__.php

@@ -9,6 +9,7 @@
 phutil_require_module('phabricator', 'aphront/response/redirect');
 phutil_require_module('phabricator', 'applications/auth/controller/base');
 phutil_require_module('phabricator', 'applications/auth/oauth/provider/base');
+phutil_require_module('phabricator', 'applications/people/storage/log');
 phutil_require_module('phabricator', 'applications/people/storage/user');
 phutil_require_module('phabricator', 'infrastructure/env');
 phutil_require_module('phabricator', 'view/form/base');

src/applications/auth/controller/logout/PhabricatorLogoutController.php

@@ -29,8 +29,16 @@ class PhabricatorLogoutController extends PhabricatorAuthController {
 
   public function processRequest() {
     $request = $this->getRequest();
+    $user = $request->getUser();
 
     if ($request->isFormPost()) {
+
+      $log = PhabricatorUserLog::newLog(
+        $user,
+        $user,
+        PhabricatorUserLog::ACTION_LOGOUT);
+      $log->save();
+
       $request->clearCookie('phsid');
       return id(new AphrontRedirectResponse())
         ->setURI('/login/');

src/applications/auth/controller/logout/__init__.php

@@ -8,6 +8,7 @@
 
 phutil_require_module('phabricator', 'aphront/response/redirect');
 phutil_require_module('phabricator', 'applications/auth/controller/base');
+phutil_require_module('phabricator', 'applications/people/storage/log');
 
 phutil_require_module('phutil', 'utils');