2020-12-20 21:04:29 +00:00
|
|
|
"""authentik events models"""
|
2021-12-14 20:33:19 +00:00
|
|
|
import time
|
|
|
|
|
from collections import Counter
|
2021-03-18 16:10:59 +00:00
|
|
|
from datetime import timedelta
|
2021-12-15 15:44:22 +00:00
|
|
|
from inspect import currentframe
|
2021-01-12 20:48:16 +00:00
|
|
|
from smtplib import SMTPException
|
2021-12-30 13:59:01 +00:00
|
|
|
from typing import TYPE_CHECKING, Optional
|
2020-12-20 21:04:29 +00:00
|
|
|
from uuid import uuid4
|
2019-12-05 15:14:08 +00:00
|
|
|
|
2018-11-23 16:05:41 +00:00
|
|
|
from django.db import models
|
2021-12-14 20:33:19 +00:00
|
|
|
from django.db.models import Count, ExpressionWrapper, F
|
|
|
|
|
from django.db.models.fields import DurationField
|
2023-01-11 11:21:07 +00:00
|
|
|
from django.db.models.functions import Extract
|
2021-12-14 20:33:19 +00:00
|
|
|
from django.db.models.manager import Manager
|
|
|
|
|
from django.db.models.query import QuerySet
|
2019-12-05 15:14:08 +00:00
|
|
|
from django.http import HttpRequest
|
2021-09-15 18:15:04 +00:00
|
|
|
from django.http.request import QueryDict
|
2021-03-18 16:10:59 +00:00
|
|
|
from django.utils.timezone import now
|
2018-12-10 12:47:51 +00:00
|
|
|
from django.utils.translation import gettext as _
|
2021-09-11 18:54:58 +00:00
|
|
|
from requests import RequestException
|
2021-01-01 14:39:43 +00:00
|
|
|
from structlog.stdlib import get_logger
|
2018-11-23 16:05:41 +00:00
|
|
|
|
2022-09-17 11:16:53 +00:00
|
|
|
from authentik import get_full_version
|
2022-05-31 19:53:23 +00:00
|
|
|
from authentik.core.middleware import (
|
|
|
|
|
SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
|
|
|
|
|
SESSION_KEY_IMPERSONATE_USER,
|
|
|
|
|
)
|
2021-09-11 23:02:51 +00:00
|
|
|
from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
|
2021-02-12 08:47:37 +00:00
|
|
|
from authentik.events.geo import GEOIP_READER
|
2022-09-17 11:16:53 +00:00
|
|
|
from authentik.events.utils import (
|
|
|
|
|
cleanse_dict,
|
|
|
|
|
get_user,
|
|
|
|
|
model_to_dict,
|
|
|
|
|
sanitize_dict,
|
|
|
|
|
sanitize_item,
|
|
|
|
|
)
|
2022-07-31 15:11:44 +00:00
|
|
|
from authentik.lib.models import DomainlessURLValidator, SerializerModel
|
2021-01-12 20:48:16 +00:00
|
|
|
from authentik.lib.sentry import SentryIgnoredException
|
2021-09-11 18:54:58 +00:00
|
|
|
from authentik.lib.utils.http import get_client_ip, get_http_session
|
2021-07-24 17:21:35 +00:00
|
|
|
from authentik.lib.utils.time import timedelta_from_string
|
2021-01-11 17:43:59 +00:00
|
|
|
from authentik.policies.models import PolicyBindingModel
|
|
|
|
|
from authentik.stages.email.utils import TemplateEmailMessage
|
2021-07-24 17:21:35 +00:00
|
|
|
from authentik.tenants.models import Tenant
|
2021-06-14 15:34:42 +00:00
|
|
|
from authentik.tenants.utils import DEFAULT_TENANT
|
2018-11-23 16:05:41 +00:00
|
|
|
|
2022-12-12 15:32:06 +00:00
|
|
|
LOGGER = get_logger()
|
2021-09-11 23:02:51 +00:00
|
|
|
if TYPE_CHECKING:
|
|
|
|
|
from rest_framework.serializers import Serializer
|
2019-12-31 12:33:07 +00:00
|
|
|
|
|
|
|
|
|
2021-03-18 16:10:59 +00:00
|
|
|
def default_event_duration():
|
2021-07-24 17:21:35 +00:00
|
|
|
"""Default duration an Event is saved.
|
|
|
|
|
This is used as a fallback when no tenant is available"""
|
2021-03-18 16:10:59 +00:00
|
|
|
return now() + timedelta(days=365)
|
|
|
|
|
|
|
|
|
|
|
2021-06-14 15:34:42 +00:00
|
|
|
def default_tenant():
|
|
|
|
|
"""Get a default value for tenant"""
|
|
|
|
|
return sanitize_dict(model_to_dict(DEFAULT_TENANT))
|
|
|
|
|
|
|
|
|
|
|
2021-01-12 20:48:16 +00:00
|
|
|
class NotificationTransportError(SentryIgnoredException):
|
|
|
|
|
"""Error raised when a notification fails to be delivered"""
|
|
|
|
|
|
|
|
|
|
|
2020-09-21 18:16:14 +00:00
|
|
|
class EventAction(models.TextChoices):
|
2020-12-20 21:04:29 +00:00
|
|
|
"""All possible actions to save into the events log"""
|
2019-12-05 15:14:08 +00:00
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
LOGIN = "login"
|
|
|
|
|
LOGIN_FAILED = "login_failed"
|
|
|
|
|
LOGOUT = "logout"
|
2020-09-21 18:16:14 +00:00
|
|
|
|
2020-10-05 21:43:56 +00:00
|
|
|
USER_WRITE = "user_write"
|
2019-12-31 11:51:16 +00:00
|
|
|
SUSPICIOUS_REQUEST = "suspicious_request"
|
2020-09-21 18:16:14 +00:00
|
|
|
PASSWORD_SET = "password_set" # noqa # nosec
|
|
|
|
|
|
2021-02-09 17:18:36 +00:00
|
|
|
SECRET_VIEW = "secret_view" # noqa # nosec
|
2021-07-14 19:47:32 +00:00
|
|
|
SECRET_ROTATE = "secret_rotate" # noqa # nosec
|
2020-10-17 20:26:18 +00:00
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
INVITE_USED = "invitation_used"
|
2020-09-21 18:16:14 +00:00
|
|
|
|
2020-10-05 21:43:56 +00:00
|
|
|
AUTHORIZE_APPLICATION = "authorize_application"
|
2020-09-21 18:30:30 +00:00
|
|
|
SOURCE_LINKED = "source_linked"
|
|
|
|
|
|
2020-09-18 21:39:37 +00:00
|
|
|
IMPERSONATION_STARTED = "impersonation_started"
|
|
|
|
|
IMPERSONATION_ENDED = "impersonation_ended"
|
2019-12-05 15:14:08 +00:00
|
|
|
|
2021-12-14 15:13:05 +00:00
|
|
|
FLOW_EXECUTION = "flow_execution"
|
2020-12-20 21:04:29 +00:00
|
|
|
POLICY_EXECUTION = "policy_execution"
|
|
|
|
|
POLICY_EXCEPTION = "policy_exception"
|
|
|
|
|
PROPERTY_MAPPING_EXCEPTION = "property_mapping_exception"
|
|
|
|
|
|
2021-01-18 08:34:48 +00:00
|
|
|
SYSTEM_TASK_EXECUTION = "system_task_execution"
|
|
|
|
|
SYSTEM_TASK_EXCEPTION = "system_task_exception"
|
2021-06-14 15:22:58 +00:00
|
|
|
SYSTEM_EXCEPTION = "system_exception"
|
2021-01-18 08:34:48 +00:00
|
|
|
|
2020-12-27 12:11:38 +00:00
|
|
|
CONFIGURATION_ERROR = "configuration_error"
|
|
|
|
|
|
2020-09-21 18:16:14 +00:00
|
|
|
MODEL_CREATED = "model_created"
|
|
|
|
|
MODEL_UPDATED = "model_updated"
|
|
|
|
|
MODEL_DELETED = "model_deleted"
|
2021-06-09 08:27:34 +00:00
|
|
|
EMAIL_SENT = "email_sent"
|
2020-09-21 18:16:14 +00:00
|
|
|
|
2020-12-20 21:04:29 +00:00
|
|
|
UPDATE_AVAILABLE = "update_available"
|
|
|
|
|
|
2020-09-21 18:16:14 +00:00
|
|
|
CUSTOM_PREFIX = "custom_"
|
2019-12-05 15:14:08 +00:00
|
|
|
|
|
|
|
|
|
2021-12-14 20:33:19 +00:00
|
|
|
class EventQuerySet(QuerySet):
|
|
|
|
|
"""Custom events query set with helper functions"""
|
|
|
|
|
|
2023-01-11 11:21:07 +00:00
|
|
|
def get_events_per(
|
|
|
|
|
self,
|
|
|
|
|
time_since: timedelta,
|
|
|
|
|
extract: Extract,
|
|
|
|
|
data_points: int,
|
|
|
|
|
) -> list[dict[str, int]]:
|
2021-12-14 20:33:19 +00:00
|
|
|
"""Get event count by hour in the last day, fill with zeros"""
|
|
|
|
|
_now = now()
|
2023-01-11 11:21:07 +00:00
|
|
|
max_since = timedelta(days=60)
|
|
|
|
|
# Allow maximum of 60 days to limit load
|
|
|
|
|
if time_since.total_seconds() > max_since.total_seconds():
|
|
|
|
|
time_since = max_since
|
|
|
|
|
date_from = _now - time_since
|
2021-12-14 20:33:19 +00:00
|
|
|
result = (
|
|
|
|
|
self.filter(created__gte=date_from)
|
2023-01-11 11:21:07 +00:00
|
|
|
.annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
|
|
|
|
|
.annotate(age_interval=extract("age"))
|
|
|
|
|
.values("age_interval")
|
2021-12-14 20:33:19 +00:00
|
|
|
.annotate(count=Count("pk"))
|
2023-01-11 11:21:07 +00:00
|
|
|
.order_by("age_interval")
|
2021-12-14 20:33:19 +00:00
|
|
|
)
|
2023-01-11 11:21:07 +00:00
|
|
|
data = Counter({int(d["age_interval"]): d["count"] for d in result})
|
2021-12-14 20:33:19 +00:00
|
|
|
results = []
|
2023-01-15 16:02:31 +00:00
|
|
|
interval_delta = time_since / data_points
|
2023-01-11 11:21:07 +00:00
|
|
|
for interval in range(1, -data_points, -1):
|
2021-12-14 20:33:19 +00:00
|
|
|
results.append(
|
|
|
|
|
{
|
2023-01-15 16:02:31 +00:00
|
|
|
"x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
|
2023-01-11 11:21:07 +00:00
|
|
|
"y_cord": data[interval * -1],
|
2021-12-14 20:33:19 +00:00
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
return results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EventManager(Manager):
|
|
|
|
|
"""Custom helper methods for Events"""
|
|
|
|
|
|
|
|
|
|
def get_queryset(self) -> QuerySet:
|
|
|
|
|
"""use custom queryset"""
|
|
|
|
|
return EventQuerySet(self.model, using=self._db)
|
|
|
|
|
|
2023-01-11 11:21:07 +00:00
|
|
|
def get_events_per(
|
|
|
|
|
self,
|
|
|
|
|
time_since: timedelta,
|
|
|
|
|
extract: Extract,
|
|
|
|
|
data_points: int,
|
|
|
|
|
) -> list[dict[str, int]]:
|
2021-12-14 20:33:19 +00:00
|
|
|
"""Wrap method from queryset"""
|
2023-01-11 11:21:07 +00:00
|
|
|
return self.get_queryset().get_events_per(time_since, extract, data_points)
|
2021-12-14 20:33:19 +00:00
|
|
|
|
|
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
class Event(SerializerModel, ExpiringModel):
|
2020-12-20 21:04:29 +00:00
|
|
|
"""An individual Audit/Metrics/Notification/Error Event"""
|
2018-11-23 16:05:41 +00:00
|
|
|
|
2020-05-20 07:17:06 +00:00
|
|
|
event_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
2020-09-21 11:20:50 +00:00
|
|
|
user = models.JSONField(default=dict)
|
2020-09-21 18:16:14 +00:00
|
|
|
action = models.TextField(choices=EventAction.choices)
|
2018-11-23 16:05:41 +00:00
|
|
|
app = models.TextField()
|
2020-08-15 19:04:22 +00:00
|
|
|
context = models.JSONField(default=dict, blank=True)
|
2019-12-05 15:14:08 +00:00
|
|
|
client_ip = models.GenericIPAddressField(null=True)
|
2018-12-13 17:01:45 +00:00
|
|
|
created = models.DateTimeField(auto_now_add=True)
|
2021-06-14 15:34:42 +00:00
|
|
|
tenant = models.JSONField(default=default_tenant, blank=True)
|
2018-12-10 12:47:51 +00:00
|
|
|
|
2021-03-18 16:10:59 +00:00
|
|
|
# Shadow the expires attribute from ExpiringModel to override the default duration
|
|
|
|
|
expires = models.DateTimeField(default=default_event_duration)
|
|
|
|
|
|
2021-12-14 20:33:19 +00:00
|
|
|
objects = EventManager()
|
|
|
|
|
|
2018-12-10 12:47:51 +00:00
|
|
|
@staticmethod
|
2019-12-05 15:14:08 +00:00
|
|
|
def _get_app_from_request(request: HttpRequest) -> str:
|
|
|
|
|
if not isinstance(request, HttpRequest):
|
|
|
|
|
return ""
|
|
|
|
|
return request.resolver_match.app_name
|
|
|
|
|
|
|
|
|
|
@staticmethod
|
2019-12-31 11:51:16 +00:00
|
|
|
def new(
|
2021-12-30 13:59:01 +00:00
|
|
|
action: str | EventAction,
|
2019-12-31 11:51:16 +00:00
|
|
|
app: Optional[str] = None,
|
|
|
|
|
**kwargs,
|
|
|
|
|
) -> "Event":
|
2019-12-05 15:14:08 +00:00
|
|
|
"""Create new Event instance from arguments. Instance is NOT saved."""
|
|
|
|
|
if not isinstance(action, EventAction):
|
2020-09-21 18:16:14 +00:00
|
|
|
action = EventAction.CUSTOM_PREFIX + action
|
2019-12-05 15:14:08 +00:00
|
|
|
if not app:
|
2021-12-15 15:44:22 +00:00
|
|
|
current = currentframe()
|
|
|
|
|
parent = current.f_back
|
|
|
|
|
app = parent.f_globals["__name__"]
|
2022-12-01 13:56:28 +00:00
|
|
|
cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))
|
2020-09-21 18:16:14 +00:00
|
|
|
event = Event(action=action, app=app, context=cleaned_kwargs)
|
2019-12-05 15:14:08 +00:00
|
|
|
return event
|
|
|
|
|
|
2020-12-20 21:04:29 +00:00
|
|
|
def set_user(self, user: User) -> "Event":
|
|
|
|
|
"""Set `.user` based on user, ensuring the correct attributes are copied.
|
|
|
|
|
This should only be used when self.from_http is *not* used."""
|
|
|
|
|
self.user = get_user(user)
|
|
|
|
|
return self
|
|
|
|
|
|
2023-05-21 22:18:54 +00:00
|
|
|
def from_http(self, request: HttpRequest, user: Optional[User] = None) -> "Event":
|
2019-12-05 15:14:08 +00:00
|
|
|
"""Add data from a Django-HttpRequest, allowing the creation of
|
|
|
|
|
Events independently from requests.
|
|
|
|
|
`user` arguments optionally overrides user from requests."""
|
2021-06-14 15:34:42 +00:00
|
|
|
if request:
|
2023-04-13 22:07:41 +00:00
|
|
|
from authentik.flows.views.executor import QS_QUERY
|
|
|
|
|
|
2021-06-14 15:34:42 +00:00
|
|
|
self.context["http_request"] = {
|
2021-09-15 18:15:04 +00:00
|
|
|
"path": request.path,
|
2021-06-14 15:34:42 +00:00
|
|
|
"method": request.method,
|
2023-05-07 18:11:36 +00:00
|
|
|
"args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
|
2021-06-14 15:34:42 +00:00
|
|
|
}
|
2023-04-13 22:07:41 +00:00
|
|
|
# Special case for events created during flow execution
|
|
|
|
|
# since they keep the http query within a wrapped query
|
|
|
|
|
if QS_QUERY in self.context["http_request"]["args"]:
|
|
|
|
|
wrapped = self.context["http_request"]["args"][QS_QUERY]
|
2023-05-07 18:11:36 +00:00
|
|
|
self.context["http_request"]["args"] = cleanse_dict(QueryDict(wrapped))
|
2021-06-14 15:34:42 +00:00
|
|
|
if hasattr(request, "tenant"):
|
2021-07-24 17:21:35 +00:00
|
|
|
tenant: Tenant = request.tenant
|
|
|
|
|
# Because self.created only gets set on save, we can't use it's value here
|
|
|
|
|
# hence we set self.created to now and then use it
|
|
|
|
|
self.created = now()
|
|
|
|
|
self.expires = self.created + timedelta_from_string(tenant.event_retention)
|
|
|
|
|
self.tenant = sanitize_dict(model_to_dict(tenant))
|
2019-12-31 11:51:16 +00:00
|
|
|
if hasattr(request, "user"):
|
2021-01-11 17:43:59 +00:00
|
|
|
original_user = None
|
|
|
|
|
if hasattr(request, "session"):
|
2022-05-31 19:53:23 +00:00
|
|
|
original_user = request.session.get(SESSION_KEY_IMPERSONATE_ORIGINAL_USER, None)
|
2021-01-11 17:43:59 +00:00
|
|
|
self.user = get_user(request.user, original_user)
|
2019-12-05 15:14:08 +00:00
|
|
|
if user:
|
2020-09-21 11:20:50 +00:00
|
|
|
self.user = get_user(user)
|
2020-09-18 21:39:37 +00:00
|
|
|
# Check if we're currently impersonating, and add that user
|
|
|
|
|
if hasattr(request, "session"):
|
2022-05-31 19:53:23 +00:00
|
|
|
if SESSION_KEY_IMPERSONATE_ORIGINAL_USER in request.session:
|
|
|
|
|
self.user = get_user(request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER])
|
|
|
|
|
self.user["on_behalf_of"] = get_user(request.session[SESSION_KEY_IMPERSONATE_USER])
|
2019-12-05 15:14:08 +00:00
|
|
|
# User 255.255.255.255 as fallback if IP cannot be determined
|
2021-05-30 10:49:44 +00:00
|
|
|
self.client_ip = get_client_ip(request)
|
2021-02-12 08:47:37 +00:00
|
|
|
# Apply GeoIP Data, when enabled
|
|
|
|
|
self.with_geoip()
|
2019-12-05 15:14:08 +00:00
|
|
|
# If there's no app set, we get it from the requests too
|
|
|
|
|
if not self.app:
|
|
|
|
|
self.app = Event._get_app_from_request(request)
|
|
|
|
|
self.save()
|
|
|
|
|
return self
|
2018-11-23 16:05:41 +00:00
|
|
|
|
2021-05-30 12:23:45 +00:00
|
|
|
def with_geoip(self): # pragma: no cover
|
2021-02-12 08:47:37 +00:00
|
|
|
"""Apply GeoIP Data, when enabled"""
|
2021-06-05 22:38:14 +00:00
|
|
|
city = GEOIP_READER.city_dict(self.client_ip)
|
|
|
|
|
if not city:
|
2021-02-12 09:43:00 +00:00
|
|
|
return
|
2021-06-05 22:38:14 +00:00
|
|
|
self.context["geo"] = city
|
2021-02-12 08:47:37 +00:00
|
|
|
|
2018-11-23 16:05:41 +00:00
|
|
|
def save(self, *args, **kwargs):
|
2021-02-12 08:47:37 +00:00
|
|
|
if self._state.adding:
|
2022-04-14 20:37:30 +00:00
|
|
|
LOGGER.info(
|
2021-02-12 08:47:37 +00:00
|
|
|
"Created Event",
|
|
|
|
|
action=self.action,
|
|
|
|
|
context=self.context,
|
|
|
|
|
client_ip=self.client_ip,
|
|
|
|
|
user=self.user,
|
|
|
|
|
)
|
2021-05-23 18:29:34 +00:00
|
|
|
super().save(*args, **kwargs)
|
2018-12-10 12:47:51 +00:00
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
@property
|
|
|
|
|
def serializer(self) -> "Serializer":
|
|
|
|
|
from authentik.events.api.events import EventSerializer
|
|
|
|
|
|
|
|
|
|
return EventSerializer
|
|
|
|
|
|
2021-01-11 17:43:59 +00:00
|
|
|
@property
|
|
|
|
|
def summary(self) -> str:
|
|
|
|
|
"""Return a summary of this event."""
|
|
|
|
|
if "message" in self.context:
|
|
|
|
|
return self.context["message"]
|
|
|
|
|
return f"{self.action}: {self.context}"
|
|
|
|
|
|
|
|
|
|
def __str__(self) -> str:
|
2022-11-15 13:31:29 +00:00
|
|
|
return f"Event action={self.action} user={self.user} context={self.context}"
|
2021-01-11 17:43:59 +00:00
|
|
|
|
2018-12-10 12:47:51 +00:00
|
|
|
class Meta:
|
2020-12-20 21:04:29 +00:00
|
|
|
verbose_name = _("Event")
|
|
|
|
|
verbose_name_plural = _("Events")
|
2021-01-11 17:43:59 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class TransportMode(models.TextChoices):
|
|
|
|
|
"""Modes that a notification transport can send a notification"""
|
|
|
|
|
|
2022-05-30 18:55:05 +00:00
|
|
|
LOCAL = "local", _("authentik inbuilt notifications")
|
2021-01-11 17:43:59 +00:00
|
|
|
WEBHOOK = "webhook", _("Generic Webhook")
|
|
|
|
|
WEBHOOK_SLACK = "webhook_slack", _("Slack Webhook (Slack/Discord)")
|
|
|
|
|
EMAIL = "email", _("Email")
|
|
|
|
|
|
|
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
class NotificationTransport(SerializerModel):
|
2021-01-15 15:23:27 +00:00
|
|
|
"""Action which is executed when a Rule matches"""
|
2021-01-11 17:43:59 +00:00
|
|
|
|
|
|
|
|
uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
|
|
|
|
|
|
|
|
|
name = models.TextField(unique=True)
|
2022-05-30 19:32:48 +00:00
|
|
|
mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)
|
2021-01-11 17:43:59 +00:00
|
|
|
|
2021-11-23 21:51:04 +00:00
|
|
|
webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
|
2021-09-11 23:02:51 +00:00
|
|
|
webhook_mapping = models.ForeignKey(
|
|
|
|
|
"NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
|
|
|
|
|
)
|
2021-02-02 18:34:55 +00:00
|
|
|
send_once = models.BooleanField(
|
|
|
|
|
default=False,
|
|
|
|
|
help_text=_(
|
|
|
|
|
"Only send notification once, for example when sending a webhook into a chat channel."
|
|
|
|
|
),
|
|
|
|
|
)
|
2021-01-11 17:43:59 +00:00
|
|
|
|
|
|
|
|
def send(self, notification: "Notification") -> list[str]:
|
|
|
|
|
"""Send notification to user, called from async task"""
|
2022-05-30 18:55:05 +00:00
|
|
|
if self.mode == TransportMode.LOCAL:
|
|
|
|
|
return self.send_local(notification)
|
2021-01-11 17:43:59 +00:00
|
|
|
if self.mode == TransportMode.WEBHOOK:
|
|
|
|
|
return self.send_webhook(notification)
|
|
|
|
|
if self.mode == TransportMode.WEBHOOK_SLACK:
|
|
|
|
|
return self.send_webhook_slack(notification)
|
|
|
|
|
if self.mode == TransportMode.EMAIL:
|
|
|
|
|
return self.send_email(notification)
|
|
|
|
|
raise ValueError(f"Invalid mode {self.mode} set")
|
|
|
|
|
|
2022-05-30 18:55:05 +00:00
|
|
|
def send_local(self, notification: "Notification") -> list[str]:
|
|
|
|
|
"""Local notification delivery"""
|
|
|
|
|
if self.webhook_mapping:
|
|
|
|
|
self.webhook_mapping.evaluate(
|
|
|
|
|
user=notification.user,
|
|
|
|
|
request=None,
|
|
|
|
|
notification=notification,
|
|
|
|
|
)
|
|
|
|
|
notification.save()
|
|
|
|
|
return []
|
|
|
|
|
|
2021-01-11 17:43:59 +00:00
|
|
|
def send_webhook(self, notification: "Notification") -> list[str]:
|
|
|
|
|
"""Send notification to generic webhook"""
|
2021-09-11 23:02:51 +00:00
|
|
|
default_body = {
|
|
|
|
|
"body": notification.body,
|
|
|
|
|
"severity": notification.severity,
|
|
|
|
|
"user_email": notification.user.email,
|
|
|
|
|
"user_username": notification.user.username,
|
|
|
|
|
}
|
2023-05-08 13:34:21 +00:00
|
|
|
if notification.event and notification.event.user:
|
|
|
|
|
default_body["event_user_email"] = notification.event.user.get("email", None)
|
|
|
|
|
default_body["event_user_username"] = notification.event.user.get("username", None)
|
2021-09-11 23:02:51 +00:00
|
|
|
if self.webhook_mapping:
|
2022-09-17 11:16:53 +00:00
|
|
|
default_body = sanitize_item(
|
|
|
|
|
self.webhook_mapping.evaluate(
|
|
|
|
|
user=notification.user,
|
|
|
|
|
request=None,
|
|
|
|
|
notification=notification,
|
|
|
|
|
)
|
2021-09-11 23:02:51 +00:00
|
|
|
)
|
2021-01-12 20:48:16 +00:00
|
|
|
try:
|
2021-09-11 18:54:58 +00:00
|
|
|
response = get_http_session().post(
|
2021-01-12 20:48:16 +00:00
|
|
|
self.webhook_url,
|
2021-09-11 23:02:51 +00:00
|
|
|
json=default_body,
|
2021-01-12 20:48:16 +00:00
|
|
|
)
|
|
|
|
|
response.raise_for_status()
|
|
|
|
|
except RequestException as exc:
|
2023-02-01 18:39:57 +00:00
|
|
|
raise NotificationTransportError(
|
|
|
|
|
exc.response.text if exc.response else str(exc)
|
|
|
|
|
) from exc
|
2021-01-11 17:43:59 +00:00
|
|
|
return [
|
|
|
|
|
response.status_code,
|
|
|
|
|
response.text,
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def send_webhook_slack(self, notification: "Notification") -> list[str]:
|
|
|
|
|
"""Send notification to slack or slack-compatible endpoints"""
|
2021-01-14 16:40:19 +00:00
|
|
|
fields = [
|
|
|
|
|
{
|
|
|
|
|
"title": _("Severity"),
|
|
|
|
|
"value": notification.severity,
|
|
|
|
|
"short": True,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"title": _("Dispatched for user"),
|
|
|
|
|
"value": str(notification.user),
|
|
|
|
|
"short": True,
|
|
|
|
|
},
|
|
|
|
|
]
|
|
|
|
|
if notification.event:
|
2023-05-08 13:34:21 +00:00
|
|
|
if notification.event.user:
|
|
|
|
|
fields.append(
|
|
|
|
|
{
|
|
|
|
|
"title": _("Event user"),
|
|
|
|
|
"value": str(notification.event.user.get("username")),
|
|
|
|
|
"short": True,
|
|
|
|
|
},
|
|
|
|
|
)
|
2021-01-14 16:40:19 +00:00
|
|
|
for key, value in notification.event.context.items():
|
|
|
|
|
if not isinstance(value, str):
|
|
|
|
|
continue
|
|
|
|
|
# https://birdie0.github.io/discord-webhooks-guide/other/field_limits.html
|
|
|
|
|
if len(fields) >= 25:
|
|
|
|
|
continue
|
|
|
|
|
fields.append({"title": key[:256], "value": value[:1024]})
|
2021-01-11 17:43:59 +00:00
|
|
|
body = {
|
|
|
|
|
"username": "authentik",
|
|
|
|
|
"icon_url": "https://goauthentik.io/img/icon.png",
|
|
|
|
|
"attachments": [
|
|
|
|
|
{
|
|
|
|
|
"author_name": "authentik",
|
|
|
|
|
"author_link": "https://goauthentik.io",
|
|
|
|
|
"author_icon": "https://goauthentik.io/img/icon.png",
|
|
|
|
|
"title": notification.body,
|
|
|
|
|
"color": "#fd4b2d",
|
2021-01-14 16:40:19 +00:00
|
|
|
"fields": fields,
|
2022-09-17 11:16:53 +00:00
|
|
|
"footer": f"authentik {get_full_version()}",
|
2021-01-11 17:43:59 +00:00
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
}
|
|
|
|
|
if notification.event:
|
|
|
|
|
body["attachments"][0]["title"] = notification.event.action
|
2021-01-12 20:48:16 +00:00
|
|
|
try:
|
2021-09-11 18:54:58 +00:00
|
|
|
response = get_http_session().post(self.webhook_url, json=body)
|
2021-01-12 20:48:16 +00:00
|
|
|
response.raise_for_status()
|
|
|
|
|
except RequestException as exc:
|
2021-07-09 17:52:19 +00:00
|
|
|
text = exc.response.text if exc.response else str(exc)
|
|
|
|
|
raise NotificationTransportError(text) from exc
|
2021-01-11 17:43:59 +00:00
|
|
|
return [
|
|
|
|
|
response.status_code,
|
|
|
|
|
response.text,
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def send_email(self, notification: "Notification") -> list[str]:
|
|
|
|
|
"""Send notification via global email configuration"""
|
2023-10-02 14:04:40 +00:00
|
|
|
subject_prefix = "authentik Notification: "
|
|
|
|
|
context = {
|
|
|
|
|
"key_value": {
|
|
|
|
|
"user_email": notification.user.email,
|
|
|
|
|
"user_username": notification.user.username,
|
|
|
|
|
},
|
|
|
|
|
"body": notification.body,
|
|
|
|
|
"title": "",
|
2023-05-08 13:34:21 +00:00
|
|
|
}
|
|
|
|
|
if notification.event and notification.event.user:
|
2023-10-02 14:04:40 +00:00
|
|
|
context["key_value"]["event_user_email"] = notification.event.user.get("email", None)
|
|
|
|
|
context["key_value"]["event_user_username"] = notification.event.user.get(
|
|
|
|
|
"username", None
|
|
|
|
|
)
|
2021-02-04 20:44:06 +00:00
|
|
|
if notification.event:
|
2023-10-02 14:04:40 +00:00
|
|
|
context["title"] += notification.event.action
|
2021-02-04 20:44:06 +00:00
|
|
|
for key, value in notification.event.context.items():
|
|
|
|
|
if not isinstance(value, str):
|
|
|
|
|
continue
|
2023-10-02 14:04:40 +00:00
|
|
|
context["key_value"][key] = value
|
2021-02-04 20:44:06 +00:00
|
|
|
else:
|
2023-10-02 14:04:40 +00:00
|
|
|
context["title"] += notification.body[:75]
|
|
|
|
|
# TODO: improve permission check
|
|
|
|
|
if notification.user.is_superuser:
|
|
|
|
|
context["source"] = {
|
|
|
|
|
"from": self.name,
|
|
|
|
|
}
|
2021-01-11 17:43:59 +00:00
|
|
|
mail = TemplateEmailMessage(
|
2023-10-02 14:04:40 +00:00
|
|
|
subject=subject_prefix + context["title"],
|
2021-01-11 17:43:59 +00:00
|
|
|
to=[notification.user.email],
|
2022-10-28 17:42:49 +00:00
|
|
|
language=notification.user.locale(),
|
2023-10-02 14:04:40 +00:00
|
|
|
template_name="email/event_notification.html",
|
|
|
|
|
template_context=context,
|
2021-01-11 17:43:59 +00:00
|
|
|
)
|
|
|
|
|
# Email is sent directly here, as the call to send() should have been from a task.
|
2021-01-12 20:48:16 +00:00
|
|
|
try:
|
2021-01-18 08:34:48 +00:00
|
|
|
from authentik.stages.email.tasks import send_mail
|
|
|
|
|
|
2021-01-12 20:48:16 +00:00
|
|
|
return send_mail(mail.__dict__) # pylint: disable=no-value-for-parameter
|
2021-01-17 22:31:58 +00:00
|
|
|
except (SMTPException, ConnectionError, OSError) as exc:
|
2023-01-19 14:03:56 +00:00
|
|
|
raise NotificationTransportError(exc) from exc
|
2021-01-11 17:43:59 +00:00
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
@property
|
|
|
|
|
def serializer(self) -> "Serializer":
|
|
|
|
|
from authentik.events.api.notification_transports import NotificationTransportSerializer
|
|
|
|
|
|
|
|
|
|
return NotificationTransportSerializer
|
|
|
|
|
|
2021-01-12 21:03:33 +00:00
|
|
|
def __str__(self) -> str:
|
|
|
|
|
return f"Notification Transport {self.name}"
|
|
|
|
|
|
2021-01-11 17:43:59 +00:00
|
|
|
class Meta:
|
|
|
|
|
verbose_name = _("Notification Transport")
|
|
|
|
|
verbose_name_plural = _("Notification Transports")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class NotificationSeverity(models.TextChoices):
|
|
|
|
|
"""Severity images that a notification can have"""
|
|
|
|
|
|
|
|
|
|
NOTICE = "notice", _("Notice")
|
|
|
|
|
WARNING = "warning", _("Warning")
|
|
|
|
|
ALERT = "alert", _("Alert")
|
|
|
|
|
|
|
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
class Notification(SerializerModel):
|
2021-01-11 17:43:59 +00:00
|
|
|
"""Event Notification"""
|
|
|
|
|
|
|
|
|
|
uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
|
|
|
|
severity = models.TextField(choices=NotificationSeverity.choices)
|
|
|
|
|
body = models.TextField()
|
|
|
|
|
created = models.DateTimeField(auto_now_add=True)
|
|
|
|
|
event = models.ForeignKey(Event, on_delete=models.SET_NULL, null=True, blank=True)
|
|
|
|
|
seen = models.BooleanField(default=False)
|
|
|
|
|
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
|
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
@property
|
|
|
|
|
def serializer(self) -> "Serializer":
|
|
|
|
|
from authentik.events.api.notifications import NotificationSerializer
|
|
|
|
|
|
|
|
|
|
return NotificationSerializer
|
|
|
|
|
|
2021-01-11 17:43:59 +00:00
|
|
|
def __str__(self) -> str:
|
|
|
|
|
body_trunc = (self.body[:75] + "..") if len(self.body) > 75 else self.body
|
|
|
|
|
return f"Notification for user {self.user}: {body_trunc}"
|
|
|
|
|
|
|
|
|
|
class Meta:
|
|
|
|
|
verbose_name = _("Notification")
|
|
|
|
|
verbose_name_plural = _("Notifications")
|
|
|
|
|
|
|
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
class NotificationRule(SerializerModel, PolicyBindingModel):
|
2021-01-11 17:43:59 +00:00
|
|
|
"""Decide when to create a Notification based on policies attached to this object."""
|
|
|
|
|
|
|
|
|
|
name = models.TextField(unique=True)
|
|
|
|
|
transports = models.ManyToManyField(
|
|
|
|
|
NotificationTransport,
|
|
|
|
|
help_text=_(
|
2023-02-01 10:31:32 +00:00
|
|
|
"Select which transports should be used to notify the user. If none are "
|
|
|
|
|
"selected, the notification will only be shown in the authentik UI."
|
2021-01-11 17:43:59 +00:00
|
|
|
),
|
2022-05-22 17:32:58 +00:00
|
|
|
blank=True,
|
2021-01-11 17:43:59 +00:00
|
|
|
)
|
|
|
|
|
severity = models.TextField(
|
|
|
|
|
choices=NotificationSeverity.choices,
|
|
|
|
|
default=NotificationSeverity.NOTICE,
|
2021-08-03 15:45:16 +00:00
|
|
|
help_text=_("Controls which severity level the created notifications will have."),
|
2021-01-11 17:43:59 +00:00
|
|
|
)
|
|
|
|
|
group = models.ForeignKey(
|
|
|
|
|
Group,
|
|
|
|
|
help_text=_(
|
2023-02-01 10:31:32 +00:00
|
|
|
"Define which group of users this notification should be sent and shown to. "
|
|
|
|
|
"If left empty, Notification won't ben sent."
|
2021-01-11 17:43:59 +00:00
|
|
|
),
|
|
|
|
|
null=True,
|
|
|
|
|
blank=True,
|
|
|
|
|
on_delete=models.SET_NULL,
|
|
|
|
|
)
|
|
|
|
|
|
2022-07-31 15:11:44 +00:00
|
|
|
@property
|
|
|
|
|
def serializer(self) -> "Serializer":
|
|
|
|
|
from authentik.events.api.notification_rules import NotificationRuleSerializer
|
|
|
|
|
|
|
|
|
|
return NotificationRuleSerializer
|
|
|
|
|
|
2021-01-12 21:03:33 +00:00
|
|
|
def __str__(self) -> str:
|
2021-01-15 15:23:27 +00:00
|
|
|
return f"Notification Rule {self.name}"
|
2021-01-12 21:03:33 +00:00
|
|
|
|
2021-01-11 17:43:59 +00:00
|
|
|
class Meta:
|
2021-01-15 15:23:27 +00:00
|
|
|
verbose_name = _("Notification Rule")
|
|
|
|
|
verbose_name_plural = _("Notification Rules")
|
2021-09-11 23:02:51 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class NotificationWebhookMapping(PropertyMapping):
|
2022-10-14 09:53:01 +00:00
|
|
|
"""Modify the payload of outgoing webhook requests"""
|
2021-09-11 23:02:51 +00:00
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def component(self) -> str:
|
|
|
|
|
return "ak-property-mapping-notification-form"
|
|
|
|
|
|
|
|
|
|
@property
|
2021-12-30 13:59:01 +00:00
|
|
|
def serializer(self) -> type["Serializer"]:
|
2022-05-14 20:31:13 +00:00
|
|
|
from authentik.events.api.notification_mappings import NotificationWebhookMappingSerializer
|
2021-09-11 23:02:51 +00:00
|
|
|
|
|
|
|
|
return NotificationWebhookMappingSerializer
|
|
|
|
|
|
|
|
|
|
def __str__(self):
|
2022-10-14 09:53:01 +00:00
|
|
|
return f"Webhook Mapping {self.name}"
|
2021-09-11 23:02:51 +00:00
|
|
|
|
|
|
|
|
class Meta:
|
2022-10-14 09:53:01 +00:00
|
|
|
verbose_name = _("Webhook Mapping")
|
|
|
|
|
verbose_name_plural = _("Webhook Mappings")
|
