stages/identification: log invalid_login similar to event for easier log parsing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3715
This commit is contained in:
Jens Langhammer 2022-10-20 19:31:22 +02:00
parent 13d975a258
commit a1ce8100e9


@ -15,6 +15,7 @@ from sentry_sdk.hub import Hub
from authentik.core.api.utils import PassiveSerializer from authentik.core.api.utils import PassiveSerializer
from authentik.core.models import Application, Source, User from authentik.core.models import Application, Source, User
from authentik.events.utils import sanitize_item
from authentik.flows.challenge import ( from authentik.flows.challenge import (
Challenge, Challenge,
ChallengeResponse, ChallengeResponse,
@ -25,6 +26,7 @@ from authentik.flows.models import FlowDesignation
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
from authentik.lib.utils.http import get_client_ip
from authentik.lib.utils.urls import reverse_with_qs from authentik.lib.utils.urls import reverse_with_qs
from authentik.sources.oauth.types.apple import AppleLoginChallenge from authentik.sources.oauth.types.apple import AppleLoginChallenge
from authentik.sources.plex.models import PlexAuthenticationChallenge from authentik.sources.plex.models import PlexAuthenticationChallenge
@ -96,7 +98,17 @@ class IdentificationChallengeResponse(ChallengeResponse):
): ):
# Sleep a random time (between 90 and 210ms) to "prevent" user enumeration attacks # Sleep a random time (between 90 and 210ms) to "prevent" user enumeration attacks
sleep(0.030 * SystemRandom().randint(3, 7)) sleep(0.030 * SystemRandom().randint(3, 7))
self.stage.logger.info("invalid_login", identifier=uid_field) # Log in a similar format to Event.new(), but we don't want to create an event here
# as this stage is mostly used by unauthenticated users with very high rate limits
self.stage.logger.info(
"invalid_login",
identifier=uid_field,
client_ip=get_client_ip(self.stage.request),
action="invalid_identifier",
context={
"stage": sanitize_item(self.stage),
},
)
identification_failed.send(sender=self, request=self.stage.request, uid_field=uid_field) identification_failed.send(sender=self, request=self.stage.request, uid_field=uid_field)
# We set the pending_user even on failure so it's part of the context, even # We set the pending_user even on failure so it's part of the context, even
# when the input is invalid # when the input is invalid
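Review bot: The new `context={"stage": sanitize_item(self.stage)}` passes the stage *view* (the same object whose `.request` and `.logger` are used two lines up), not the stage model, so what ends up in the log depends on how `sanitize_item` handles an arbitrary view instance — if it falls back to string conversion the value is an uninformative repr, and if it walks attributes it may pull request data into a log line that also carries the untrusted `identifier`. Worth confirming the produced value, and if it is not useful, logging the stage model reached through the executor instead (e.g. its name or pk), with a short comment stating what the `stage` key is meant to identify. Since `identifier` is caller-supplied text, the structured logger is the right place for it, but the log sink should keep treating the value as data rather than interpolating it into a message line. The enclosing method and the `if` whose body this is both begin outside the hunk.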