stages/*: use stage-bound logger when possible

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/stages/authenticator_validate/stage.py

@@ -10,7 +10,6 @@ from django_otp.models import Device
 from jwt import PyJWTError, decode, encode
 from rest_framework.fields import CharField, IntegerField, JSONField, ListField, UUIDField
 from rest_framework.serializers import ValidationError
-from structlog.stdlib import get_logger
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User
@@ -36,8 +35,6 @@ from authentik.stages.authenticator_validate.models import AuthenticatorValidate
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
-LOGGER = get_logger()
-
 COOKIE_NAME_MFA = "authentik_mfa"
 
 SESSION_KEY_STAGES = "authentik/stages/authenticator_validate/stages"
@@ -128,7 +125,7 @@ class AuthenticatorValidationChallengeResponse(ChallengeResponse):
         stages = self.stage.request.session.get(SESSION_KEY_STAGES, [])
         if not any(str(stage.pk) == stage_pk for stage in stages):
             raise ValidationError("Selected stage is invalid")
-        LOGGER.debug("Setting selected stage to ", stage=stage_pk)
+        self.stage.logger.debug("Setting selected stage to ", stage=stage_pk)
         self.stage.request.session[SESSION_KEY_SELECTED_STAGE] = stage_pk
         return stage_pk
 
@@ -167,7 +164,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
                 self.logger.debug("device class not allowed", device_class=device_class)
                 continue
             if isinstance(device, SMSDevice) and device.is_hashed:
-                LOGGER.debug("Hashed SMS device, skipping")
+                self.logger.debug("Hashed SMS device, skipping")
                 continue
             allowed_devices.append(device)
             # Ensure only one challenge per device class

authentik/stages/authenticator_webauthn/stage.py

@@ -5,7 +5,6 @@ from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
 from rest_framework.fields import CharField, JSONField
 from rest_framework.serializers import ValidationError
-from structlog.stdlib import get_logger
 from webauthn import generate_registration_options, options_to_json, verify_registration_response
 from webauthn.helpers import bytes_to_base64url
 from webauthn.helpers.exceptions import InvalidRegistrationResponse
@@ -28,7 +27,6 @@ from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_webauthn.models import AuthenticateWebAuthnStage, WebAuthnDevice
 from authentik.stages.authenticator_webauthn.utils import get_origin, get_rp_id
 
-LOGGER = get_logger()
 SESSION_KEY_WEBAUTHN_CHALLENGE = "authentik/stages/authenticator_webauthn/challenge"
 
 
@@ -60,7 +58,7 @@ class AuthenticatorWebAuthnChallengeResponse(ChallengeResponse):
                 expected_origin=get_origin(self.request),
             )
         except InvalidRegistrationResponse as exc:
-            LOGGER.warning("registration failed", exc=exc)
+            self.stage.logger.warning("registration failed", exc=exc)
             raise ValidationError(f"Registration failed. Error: {exc}")
 
         credential_id_exists = WebAuthnDevice.objects.filter(

authentik/stages/identification/stage.py

@@ -12,7 +12,6 @@ from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema_fiel
 from rest_framework.fields import BooleanField, CharField, DictField, ListField
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
-from structlog.stdlib import get_logger
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Application, Source, User
@@ -32,8 +31,6 @@ from authentik.stages.identification.models import IdentificationStage
 from authentik.stages.identification.signals import identification_failed
 from authentik.stages.password.stage import authenticate
 
-LOGGER = get_logger()
-
 
 @extend_schema_field(
     PolymorphicProxySerializer(
@@ -98,7 +95,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
             ):
                 # Sleep a random time (between 90 and 210ms) to "prevent" user enumeration attacks
                 sleep(0.030 * SystemRandom().randint(3, 7))
-            LOGGER.debug("invalid_login", identifier=uid_field)
+            self.stage.logger.info("invalid_login", identifier=uid_field)
             identification_failed.send(sender=self, request=self.stage.request, uid_field=uid_field)
             # We set the pending_user even on failure so it's part of the context, even
             # when the input is invalid
@@ -118,7 +115,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
 
         password = attrs.get("password", None)
         if not password:
-            LOGGER.warning("Password not set for ident+auth attempt")
+            self.stage.logger.warning("Password not set for ident+auth attempt")
         try:
             with Hub.current.start_span(
                 op="authentik.stages.identification.authenticate",

authentik/stages/password/stage.py

@@ -56,7 +56,7 @@ def authenticate(
             continue
         # Annotate the user object with the path of the backend.
         user.backend = backend_path
-        LOGGER.debug("Successful authentication", user=user.username, backend=backend_path)
+        LOGGER.info("Successful authentication", user=user.username, backend=backend_path)
         return user
 
     # The credentials supplied are invalid to all backends, fire signal