stages/authenticator_sms: make sms stage payload customisable (#3780)

* make sms stage payload customisable

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update phrasing for webhook mapping

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/events/migrations/0002_alter_notificationtransport_mode.py

@@ -22,4 +22,8 @@ class Migration(migrations.Migration):
                 default="local",
             ),
         ),
+        migrations.AlterModelOptions(
+            name="notificationwebhookmapping",
+            options={"verbose_name": "Webhook Mapping", "verbose_name_plural": "Webhook Mappings"},
+        ),
     ]

authentik/events/models.py

@@ -560,7 +560,7 @@ class NotificationRule(SerializerModel, PolicyBindingModel):
 
 
 class NotificationWebhookMapping(PropertyMapping):
-    """Modify the schema and layout of the webhook being sent"""
+    """Modify the payload of outgoing webhook requests"""
 
     @property
     def component(self) -> str:
@@ -573,9 +573,9 @@ class NotificationWebhookMapping(PropertyMapping):
         return NotificationWebhookMappingSerializer
 
     def __str__(self):
-        return f"Notification Webhook Mapping {self.name}"
+        return f"Webhook Mapping {self.name}"
 
     class Meta:
 
-        verbose_name = _("Notification Webhook Mapping")
+        verbose_name = _("Webhook Mapping")
-        verbose_name_plural = _("Notification Webhook Mappings")
+        verbose_name_plural = _("Webhook Mappings")

authentik/providers/saml/models.py

@@ -182,7 +182,7 @@ class SAMLProvider(Provider):
 
 
 class SAMLPropertyMapping(PropertyMapping):
-    """Map User/Group attribute to SAML Attribute, which can be used by the Service Provider."""
+    """Map User/Group attribute to SAML Attribute, which can be used by the Service Provider"""
 
     saml_name = models.TextField(verbose_name="SAML Name")
     friendly_name = models.TextField(default=None, blank=True, null=True)

authentik/stages/authenticator_sms/api.py

@@ -27,6 +27,7 @@ class AuthenticatorSMSStageSerializer(StageSerializer):
             "auth_password",
             "auth_type",
             "verify_only",
+            "mapping",
         ]
 
 

authentik/stages/authenticator_sms/migrations/0005_authenticatorsmsstage_mapping.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.1.2 on 2022-10-13 20:19
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0002_alter_notificationtransport_mode"),
+        ("authentik_stages_authenticator_sms", "0004_authenticatorsmsstage_verify_only_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="authenticatorsmsstage",
+            name="mapping",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                to="authentik_events.notificationwebhookmapping",
+                help_text="Optionally modify the payload being sent to custom providers.",
+            ),
+        ),
+    ]

authentik/stages/authenticator_sms/models.py

@@ -15,7 +15,8 @@ from twilio.base.exceptions import TwilioRestException
 from twilio.rest import Client
 
 from authentik.core.types import UserSettingSerializer
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, NotificationWebhookMapping
+from authentik.events.utils import sanitize_item
 from authentik.flows.models import ConfigurableStage, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.errors import exception_to_string
@@ -59,6 +60,14 @@ class AuthenticatorSMSStage(ConfigurableStage, Stage):
         ),
     )
 
+    mapping = models.ForeignKey(
+        NotificationWebhookMapping,
+        null=True,
+        default=None,
+        on_delete=models.SET_NULL,
+        help_text=_("Optionally modify the payload being sent to custom providers."),
+    )
+
     def send(self, token: str, device: "SMSDevice"):
         """Send message via selected provider"""
         if self.provider == SMSProviders.TWILIO:
@@ -82,24 +91,33 @@ class AuthenticatorSMSStage(ConfigurableStage, Stage):
 
     def send_generic(self, token: str, device: "SMSDevice"):
         """Send SMS via outside API"""
-
+        payload = {
-        data = {
             "From": self.from_number,
             "To": device.phone_number,
             "Body": token,
         }
 
+        if self.mapping:
+            payload = sanitize_item(
+                self.mapping.evaluate(
+                    user=device.user,
+                    request=None,
+                    device=device,
+                    token=token,
+                    stage=self,
+                )
+            )
+
         if self.auth_type == SMSAuthTypes.BEARER:
             response = get_http_session().post(
                 f"{self.account_sid}",
-                json=data,
+                json=payload,
                 headers={"Authorization": f"Bearer {self.auth}"},
             )
-
         elif self.auth_type == SMSAuthTypes.BASIC:
             response = get_http_session().post(
                 f"{self.account_sid}",
-                json=data,
+                json=payload,
                 auth=(self.auth, self.auth_password),
             )
         else:

schema.yml

@@ -13101,7 +13101,7 @@ paths:
         schema:
           type: string
           format: uuid
-        description: A UUID string identifying this Notification Webhook Mapping.
+        description: A UUID string identifying this Webhook Mapping.
         required: true
       tags:
       - propertymappings
@@ -13135,7 +13135,7 @@ paths:
         schema:
           type: string
           format: uuid
-        description: A UUID string identifying this Notification Webhook Mapping.
+        description: A UUID string identifying this Webhook Mapping.
         required: true
       tags:
       - propertymappings
@@ -13175,7 +13175,7 @@ paths:
         schema:
           type: string
           format: uuid
-        description: A UUID string identifying this Notification Webhook Mapping.
+        description: A UUID string identifying this Webhook Mapping.
         required: true
       tags:
       - propertymappings
@@ -13214,7 +13214,7 @@ paths:
         schema:
           type: string
           format: uuid
-        description: A UUID string identifying this Notification Webhook Mapping.
+        description: A UUID string identifying this Webhook Mapping.
         required: true
       tags:
       - propertymappings
@@ -13245,7 +13245,7 @@ paths:
         schema:
           type: string
           format: uuid
-        description: A UUID string identifying this Notification Webhook Mapping.
+        description: A UUID string identifying this Webhook Mapping.
         required: true
       tags:
       - propertymappings
@@ -18794,6 +18794,11 @@ paths:
         name: from_number
         schema:
           type: string
+      - in: query
+        name: mapping
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: name
         schema:
@@ -25185,6 +25190,11 @@ components:
           description: When enabled, the Phone number is only used during enrollment
             to verify the users authenticity. Only a hash of the phone number is saved
             to ensure it is not re-used in the future.
+        mapping:
+          type: string
+          format: uuid
+          nullable: true
+          description: Optionally modify the payload being sent to custom providers.
       required:
       - account_sid
       - auth
@@ -25233,6 +25243,11 @@ components:
           description: When enabled, the Phone number is only used during enrollment
             to verify the users authenticity. Only a hash of the phone number is saved
             to ensure it is not re-used in the future.
+        mapping:
+          type: string
+          format: uuid
+          nullable: true
+          description: Optionally modify the payload being sent to custom providers.
       required:
       - account_sid
       - auth
@@ -32702,6 +32717,11 @@ components:
           description: When enabled, the Phone number is only used during enrollment
             to verify the users authenticity. Only a hash of the phone number is saved
             to ensure it is not re-used in the future.
+        mapping:
+          type: string
+          format: uuid
+          nullable: true
+          description: Optionally modify the payload being sent to custom providers.
     PatchedAuthenticatorStaticStageRequest:
       type: object
       description: AuthenticatorStaticStage Serializer

web/src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts

@@ -16,6 +16,7 @@ import {
     AuthenticatorSMSStage,
     FlowsApi,
     FlowsInstancesListDesignationEnum,
+    PropertymappingsApi,
     ProviderEnum,
     StagesApi,
 } from "@goauthentik/api";
@@ -91,7 +92,8 @@ export class AuthenticatorSMSStageForm extends ModelForm<AuthenticatorSMSStage,
     }
 
     renderProviderGeneric(): TemplateResult {
-        return html` <ak-form-element-horizontal
+        return html`
+            <ak-form-element-horizontal
                 label=${t`Authentication Type`}
                 @change=${(ev: Event) => {
                     const current = (ev.target as HTMLInputElement).value;
@@ -153,7 +155,33 @@ export class AuthenticatorSMSStageForm extends ModelForm<AuthenticatorSMSStage,
                 <p class="pf-c-form__helper-text">
                     ${t`This is the password to be used with basic auth`}
                 </p>
-            </ak-form-element-horizontal>`;
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal label=${t`Mapping`} name="mapping">
+                <select class="pf-c-form-control">
+                    <option value="" ?selected=${this.instance?.mapping === undefined}>
+                        ---------
+                    </option>
+                    ${until(
+                        new PropertymappingsApi(DEFAULT_CONFIG)
+                            .propertymappingsNotificationList({})
+                            .then((mappings) => {
+                                return mappings.results.map((mapping) => {
+                                    return html`<option
+                                        value=${ifDefined(mapping.pk)}
+                                        ?selected=${this.instance?.mapping === mapping.pk}
+                                    >
+                                        ${mapping.name}
+                                    </option>`;
+                                });
+                            }),
+                        html`<option>${t`Loading...`}</option>`,
+                    )}
+                </select>
+                <p class="pf-c-form__helper-text">
+                    ${t`Modify the payload sent to the custom provider.`}
+                </p>
+            </ak-form-element-horizontal>
+        `;
     }
 
     renderForm(): TemplateResult {

website/docs/flow/stages/authenticator_sms/index.md

@@ -36,6 +36,16 @@ For the generic provider, a POST request will be sent to the URL you have specif
 
 Authentication can either be done as HTTP Basic, or via a Bearer Token. Any response with status 400 or above is counted as failed, and will prevent the user from proceeding.
 
+Starting with authentik 2022.10, a custom webhook mapping can be specified to freely customise the payload of the request. For example:
+
+```python
+return {
+    "from": stage.from_number,
+    "to": device.phone_number,
+    "body": f"foo bar baz {token}".
+}
+```
+
 ## Verify only
 
 :::info