events: stop spam (#7611)

* events: don't log updates to internal service accounts

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* dont log reputation updates

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* don't actually ignore things, stop updating outpost user when not required

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prevent updating internal service account users

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix setattr call

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-11-18 01:46:16 +01:00 committed by GitHub
parent aecd4b52ef
commit 98a07cd0ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 5 deletions

View File

@ -171,6 +171,11 @@ class UserSerializer(ModelSerializer):
raise ValidationError("Setting a user to internal service account is not allowed.") raise ValidationError("Setting a user to internal service account is not allowed.")
return user_type return user_type
def validate(self, attrs: dict) -> dict:
if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
raise ValidationError("Can't modify internal service account users")
return super().validate(attrs)
class Meta: class Meta:
model = User model = User
fields = [ fields = [

View File

@ -27,6 +27,7 @@ from authentik.lib.sentry import before_send
from authentik.lib.utils.errors import exception_to_string from authentik.lib.utils.errors import exception_to_string
from authentik.outposts.models import OutpostServiceConnection from authentik.outposts.models import OutpostServiceConnection
from authentik.policies.models import Policy, PolicyBindingModel from authentik.policies.models import Policy, PolicyBindingModel
from authentik.policies.reputation.models import Reputation
from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
from authentik.providers.scim.models import SCIMGroup, SCIMUser from authentik.providers.scim.models import SCIMGroup, SCIMUser
from authentik.stages.authenticator_static.models import StaticToken from authentik.stages.authenticator_static.models import StaticToken
@ -52,11 +53,13 @@ IGNORED_MODELS = (
RefreshToken, RefreshToken,
SCIMUser, SCIMUser,
SCIMGroup, SCIMGroup,
Reputation,
) )
def should_log_model(model: Model) -> bool: def should_log_model(model: Model) -> bool:
"""Return true if operation on `model` should be logged""" """Return true if operation on `model` should be logged"""
# Check for silk by string so this comparison doesn't fail when silk isn't installed
if model.__module__.startswith("silk"): if model.__module__.startswith("silk"):
return False return False
return model.__class__ not in IGNORED_MODELS return model.__class__ not in IGNORED_MODELS

View File

@ -344,12 +344,22 @@ class Outpost(SerializerModel, ManagedModel):
user_created = False user_created = False
if not user: if not user:
user: User = User.objects.create(username=self.user_identifier) user: User = User.objects.create(username=self.user_identifier)
user.set_unusable_password()
user_created = True user_created = True
user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT attrs = {
user.name = f"Outpost {self.name} Service-Account" "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
user.path = USER_PATH_OUTPOSTS "name": f"Outpost {self.name} Service-Account",
user.save() "path": USER_PATH_OUTPOSTS,
}
dirty = False
for key, value in attrs.items():
if getattr(user, key) != value:
dirty = True
setattr(user, key, value)
if user.has_usable_password():
user.set_unusable_password()
dirty = True
if dirty:
user.save()
if user_created: if user_created:
self.build_user_permissions(user) self.build_user_permissions(user)
return user return user