events: add ability to create events via API

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/events/api/event.py

@@ -6,11 +6,11 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, DictField, IntegerField
+from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.utils import PassiveSerializer, TypeCreateSerializer
 from authentik.events.models import Event, EventAction
@@ -19,11 +19,6 @@ from authentik.events.models import Event, EventAction
 class EventSerializer(ModelSerializer):
     """Event Serializer"""
 
-    # Since we only use this serializer for read-only operations,
-    # no checking of the action is done here.
-    # This allows clients to check wildcards, prefixes and custom types
-    action = CharField()
-
     class Meta:
 
         model = Event
@@ -96,7 +91,7 @@ class EventsFilter(django_filters.FilterSet):
         fields = ["action", "client_ip", "username"]
 
 
-class EventViewSet(ReadOnlyModelViewSet):
+class EventViewSet(ModelViewSet):
     """Event Read-Only Viewset"""
 
     queryset = Event.objects.all()

authentik/outposts/models.py

@@ -405,7 +405,10 @@ class Outpost(models.Model):
 
     def get_required_objects(self) -> Iterable[Union[models.Model, str]]:
         """Get an iterator of all objects the user needs read access to"""
-        objects: list[Union[models.Model, str]] = [self]
+        objects: list[Union[models.Model, str]] = [
+            self,
+            "authentik_events.add_event",
+        ]
         for provider in (
             Provider.objects.filter(outpost=self).select_related().select_subclasses()
         ):

authentik/root/settings.py

@@ -153,6 +153,7 @@ SPECTACULAR_SETTINGS = {
         "url": "https://github.com/goauthentik/authentik/blob/master/LICENSE",
     },
     "ENUM_NAME_OVERRIDES": {
+        "EventActions": "authentik.events.models.EventAction",
         "ChallengeChoices": "authentik.flows.challenge.ChallengeTypes",
         "FlowDesignationEnum": "authentik.flows.models.FlowDesignation",
         "PolicyEngineMode": "authentik.policies.models.PolicyEngineMode",

schema.yml

@@ -3572,6 +3572,37 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: events_events_create
+      description: Event Read-Only Viewset
+      tags:
+      - events
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/EventRequest'
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/EventRequest'
+          multipart/form-data:
+            schema:
+              $ref: '#/components/schemas/EventRequest'
+        required: true
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Event'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /api/v2beta/events/events/{event_uuid}/:
     get:
       operationId: events_events_retrieve
@@ -3600,6 +3631,106 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: events_events_update
+      description: Event Read-Only Viewset
+      parameters:
+      - in: path
+        name: event_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Event.
+        required: true
+      tags:
+      - events
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/EventRequest'
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/EventRequest'
+          multipart/form-data:
+            schema:
+              $ref: '#/components/schemas/EventRequest'
+        required: true
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Event'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: events_events_partial_update
+      description: Event Read-Only Viewset
+      parameters:
+      - in: path
+        name: event_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Event.
+        required: true
+      tags:
+      - events
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedEventRequest'
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/PatchedEventRequest'
+          multipart/form-data:
+            schema:
+              $ref: '#/components/schemas/PatchedEventRequest'
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Event'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: events_events_destroy
+      description: Event Read-Only Viewset
+      parameters:
+      - in: path
+        name: event_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Event.
+        required: true
+      tags:
+      - events
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /api/v2beta/events/events/actions/:
     get:
       operationId: events_events_actions_list
@@ -19242,7 +19373,7 @@ components:
           type: object
           additionalProperties: {}
         action:
-          type: string
+          $ref: '#/components/schemas/EventActions'
         app:
           type: string
         context:
@@ -19266,6 +19397,34 @@ components:
       - app
       - created
       - pk
+    EventActions:
+      enum:
+      - login
+      - login_failed
+      - logout
+      - user_write
+      - suspicious_request
+      - password_set
+      - secret_view
+      - invitation_used
+      - authorize_application
+      - source_linked
+      - impersonation_started
+      - impersonation_ended
+      - policy_execution
+      - policy_exception
+      - property_mapping_exception
+      - system_task_execution
+      - system_task_exception
+      - system_exception
+      - configuration_error
+      - model_created
+      - model_updated
+      - model_deleted
+      - email_sent
+      - update_available
+      - custom_
+      type: string
     EventMatcherPolicy:
       type: object
       description: Event Matcher Policy Serializer
@@ -19296,7 +19455,7 @@ components:
           readOnly: true
         action:
           allOf:
-          - $ref: '#/components/schemas/EventMatcherPolicyActionEnum'
+          - $ref: '#/components/schemas/EventActions'
           description: Match created events with this action type. When left empty,
             all action types will be matched.
         client_ip:
@@ -19314,34 +19473,6 @@ components:
       - pk
       - verbose_name
       - verbose_name_plural
-    EventMatcherPolicyActionEnum:
-      enum:
-      - login
-      - login_failed
-      - logout
-      - user_write
-      - suspicious_request
-      - password_set
-      - secret_view
-      - invitation_used
-      - authorize_application
-      - source_linked
-      - impersonation_started
-      - impersonation_ended
-      - policy_execution
-      - policy_exception
-      - property_mapping_exception
-      - system_task_execution
-      - system_task_exception
-      - system_exception
-      - configuration_error
-      - model_created
-      - model_updated
-      - model_deleted
-      - email_sent
-      - update_available
-      - custom_
-      type: string
     EventMatcherPolicyRequest:
       type: object
       description: Event Matcher Policy Serializer
@@ -19355,7 +19486,7 @@ components:
             will be logged. By default, only execution errors are logged.
         action:
           allOf:
-          - $ref: '#/components/schemas/EventMatcherPolicyActionEnum'
+          - $ref: '#/components/schemas/EventActions'
           description: Match created events with this action type. When left empty,
             all action types will be matched.
         client_ip:
@@ -19375,7 +19506,7 @@ components:
           type: object
           additionalProperties: {}
         action:
-          type: string
+          $ref: '#/components/schemas/EventActions'
         app:
           type: string
         context:
@@ -24429,7 +24560,7 @@ components:
             will be logged. By default, only execution errors are logged.
         action:
           allOf:
-          - $ref: '#/components/schemas/EventMatcherPolicyActionEnum'
+          - $ref: '#/components/schemas/EventActions'
           description: Match created events with this action type. When left empty,
             all action types will be matched.
         client_ip:
@@ -24441,6 +24572,29 @@ components:
           - $ref: '#/components/schemas/AppEnum'
           description: Match events created by selected application. When left empty,
             all applications are matched.
+    PatchedEventRequest:
+      type: object
+      description: Event Serializer
+      properties:
+        user:
+          type: object
+          additionalProperties: {}
+        action:
+          $ref: '#/components/schemas/EventActions'
+        app:
+          type: string
+        context:
+          type: object
+          additionalProperties: {}
+        client_ip:
+          type: string
+          nullable: true
+        expires:
+          type: string
+          format: date-time
+        tenant:
+          type: object
+          additionalProperties: {}
     PatchedExpressionPolicyRequest:
       type: object
       description: Group Membership Policy Serializer