"""passbook audit models"""
from inspect import getmodule, stack
from typing import Any, Dict, Optional, Union
from uuid import UUID, uuid4
from django.conf import settings
from django.contrib.auth.models import AnonymousUser
from django.core.exceptions import ValidationError
from django.db import models
from django.db.models.base import Model
from django.http import HttpRequest
from django.utils.translation import gettext as _
from django.views.debug import SafeExceptionReporterFilter
from guardian.utils import get_anonymous_user
from structlog import get_logger
from passbook.core.middleware import (
SESSION_IMPERSONATE_ORIGINAL_USER,
SESSION_IMPERSONATE_USER,
)
from passbook.core.models import User
from passbook.lib.utils.http import get_client_ip
# Module-level structlog logger; Event.save() emits its debug record through it.
LOGGER = get_logger("passbook.audit")
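def cleanse_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
    """Cleanse a dictionary, recursively.

    Keys matching Django's ``SafeExceptionReporterFilter.hidden_settings``
    pattern (secret/password/token-style names) have their whole value
    replaced with ``cleansed_substitute``; nested dictionaries under other
    keys are cleansed the same way. Non-string keys cannot be matched against
    the pattern and are copied through (their nested dictionaries are still
    cleansed).

    Args:
        source: Dictionary to cleanse; it is not modified.

    Returns:
        A new dictionary with sensitive values masked.
    """
    final_dict = {}
    for key, value in source.items():
        try:
            sensitive = bool(SafeExceptionReporterFilter.hidden_settings.search(key))
        except TypeError:
            # Non-string keys (ints, tuples, ...) cannot be pattern-matched.
            sensitive = False
        if sensitive:
            # A sensitive key masks its entire value, including a nested dict;
            # recursing into it instead would expose sub-keys whose names do
            # not themselves look sensitive.
            final_dict[key] = SafeExceptionReporterFilter.cleansed_substitute
        elif isinstance(value, dict):
            final_dict[key] = cleanse_dict(value)
        else:
            final_dict[key] = value
    return final_dict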
def model_to_dict(model: Model) -> Dict[str, Any]:
    """Convert model to dict

    The result carries the model's app label, model name and primary key plus
    a display ``name``: the model's ``name`` attribute when it has one,
    otherwise ``str(model)``.
    """
    display_name = getattr(model, "name", str(model))
    meta = model._meta
    return {
        "app": meta.app_label,
        "model_name": meta.model_name,
        "pk": model.pk,
        "name": display_name,
    }
def get_user(user: User, original_user: Optional[User] = None) -> Dict[str, Any]:
    """Convert user object to dictionary, optionally including the original user

    Django's ``AnonymousUser`` is swapped for guardian's anonymous user object
    before serialising. When ``original_user`` is given, the returned
    dictionary describes *that* user, with this user's data nested under
    ``on_behalf_of``.
    """
    if isinstance(user, AnonymousUser):
        user = get_anonymous_user()
    serialized = {field: getattr(user, field) for field in ("username", "pk", "email")}
    if not original_user:
        return serialized
    result = get_user(original_user)
    result["on_behalf_of"] = serialized
    return result
def sanitize_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
    """clean source of all Models that would interfere with the JSONField.

    Nested dictionaries are walked recursively, model instances are replaced
    by the dictionary ``model_to_dict`` produces (app, model_name, pk, name),
    UUIDs by their hex string; every other value is passed through untouched.
    """

    def _sanitize(value: Any) -> Any:
        # Order matters: a dict is checked before Model/UUID, as in the
        # original branch chain.
        if isinstance(value, dict):
            return sanitize_dict(value)
        if isinstance(value, models.Model):
            return sanitize_dict(model_to_dict(value))
        if isinstance(value, UUID):
            return value.hex
        return value

    return {key: _sanitize(value) for key, value in source.items()}
class EventAction(models.TextChoices):
    """All possible actions to save into the audit log"""

    # Authentication lifecycle
    LOGIN = "login"
    LOGIN_FAILED = "login_failed"
    LOGOUT = "logout"

    USER_WRITE = "user_write"
    SUSPICIOUS_REQUEST = "suspicious_request"
    PASSWORD_SET = "password_set"  # noqa # nosec

    INVITE_CREATED = "invitation_created"
    INVITE_USED = "invitation_used"

    AUTHORIZE_APPLICATION = "authorize_application"
    SOURCE_LINKED = "source_linked"

    IMPERSONATION_STARTED = "impersonation_started"
    IMPERSONATION_ENDED = "impersonation_ended"

    # Generic model change events
    MODEL_CREATED = "model_created"
    MODEL_UPDATED = "model_updated"
    MODEL_DELETED = "model_deleted"

    # Not an action on its own: Event.new() prepends this to any plain string
    # action that is not an EventAction member. Being a member, it also
    # appears in ``EventAction.choices``.
    CUSTOM_PREFIX = "custom_"
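class Event(models.Model):
    """An individual audit log event

    Events are append-only: ``save()`` refuses to update an existing row.
    ``context`` holds the keyword arguments given to ``new()`` after
    ``sanitize_dict`` and ``cleanse_dict`` have run, so model instances are
    flattened and secret-looking keys are masked before anything is stored.
    """

    event_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    # Serialised by get_user(); carries ``on_behalf_of`` when impersonating.
    user = models.JSONField(default=dict)
    action = models.TextField(choices=EventAction.choices)
    date = models.DateTimeField(auto_now_add=True)
    app = models.TextField()
    context = models.JSONField(default=dict, blank=True)
    client_ip = models.GenericIPAddressField(null=True)
    # NOTE(review): ``date`` and ``created`` are both auto_now_add and look
    # redundant; dropping one needs a migration, so both are kept here.
    created = models.DateTimeField(auto_now_add=True)

    @staticmethod
    def _get_app_from_request(request: HttpRequest) -> str:
        """Return the app name the request was routed to, or "" if unknown.

        ``resolver_match`` is only set once URL resolution has happened, so it
        is None for requests that never reached a view (e.g. a 404 raised by
        the resolver); those are reported as "" instead of raising.
        """
        if not isinstance(request, HttpRequest):
            return ""
        resolver_match = request.resolver_match
        if resolver_match is None:
            return ""
        return resolver_match.app_name

    @staticmethod
    def new(
        action: Union[str, EventAction],
        app: Optional[str] = None,
        _inspect_offset: int = 1,
        **kwargs,
    ) -> "Event":
        """Create new Event instance from arguments. Instance is NOT saved.

        Args:
            action: An ``EventAction`` member, or a plain string which is
                stored prefixed with ``EventAction.CUSTOM_PREFIX``.
            app: Originating app; when omitted, the module name of the
                calling frame (``_inspect_offset`` frames up) is used.
            _inspect_offset: Stack depth used to locate the caller; wrappers
                calling ``new()`` on someone's behalf pass a larger value.
            **kwargs: Stored as ``context`` after sanitising and cleansing.

        Returns:
            The unsaved ``Event``.
        """
        if not isinstance(action, EventAction):
            action = EventAction.CUSTOM_PREFIX + action
        if not app:
            # context=0 keeps stack() from reading source lines for every
            # frame; only the frame object itself is needed here.
            caller_module = getmodule(stack(0)[_inspect_offset][0])
            # getmodule() returns None for frames without an importable
            # module (e.g. exec'd code); fall back to "" rather than raising.
            app = caller_module.__name__ if caller_module is not None else ""
        # sanitize first so model instances become plain dicts cleanse can walk
        cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))
        return Event(action=action, app=app, context=cleaned_kwargs)

    def from_http(self, request: HttpRequest, user: Optional[User] = None) -> "Event":
        """Add data from a Django-HttpRequest, allowing the creation of
        Events independently from requests.

        `user` argument optionally overrides user from requests. When the
        session marks an impersonation, the impersonating (original) user is
        recorded as the actor and the impersonated one under ``on_behalf_of``,
        taking precedence over both the request user and ``user``.

        Saves the event and returns it.
        """
        if hasattr(request, "user"):
            self.user = get_user(request.user)
        if user:
            self.user = get_user(user)
        # Check if we're currently impersonating, and add that user. The
        # session is read via getattr so a request that has a user but no
        # session (no session middleware) does not raise here.
        session = getattr(request, "session", None)
        if session is not None and SESSION_IMPERSONATE_ORIGINAL_USER in session:
            self.user = get_user(session[SESSION_IMPERSONATE_ORIGINAL_USER])
            self.user["on_behalf_of"] = get_user(session[SESSION_IMPERSONATE_USER])
        # Use 255.255.255.255 as fallback if IP cannot be determined, so the
        # stored row never carries an empty address.
        self.client_ip = get_client_ip(request) or "255.255.255.255"
        # If there's no app set, we get it from the request too
        if not self.app:
            self.app = Event._get_app_from_request(request)
        self.save()
        return self

    def save(self, *args, **kwargs):
        """Persist the event; stored events are immutable.

        Raises:
            ValidationError: if called on an instance that is already stored.
        """
        if not self._state.adding:
            raise ValidationError(
                "you may not edit an existing %s" % self._meta.model_name
            )
        LOGGER.debug(
            "Created Audit event",
            action=self.action,
            context=self.context,
            client_ip=self.client_ip,
            user=self.user,
        )
        return super().save(*args, **kwargs)

    class Meta:

        verbose_name = _("Audit Event")
        verbose_name_plural = _("Audit Events")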