events: improve infinite loop detection

authentik/events/tasks.py

@@ -11,6 +11,7 @@ from authentik.events.models import (
 )
 from authentik.lib.tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.policies.engine import PolicyEngine, PolicyEngineMode
+from authentik.policies.models import PolicyBinding
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -33,9 +34,15 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
 
     if "policy_uuid" in event.context:
         policy_uuid = event.context["policy_uuid"]
-        if trigger.policies.filter(policy_uuid=policy_uuid).exists():
+        if PolicyBinding.objects.filter(
-            # Event has been created by a policy that is attached
+            target__in=NotificationTrigger.objects.all().values_list(
-            # to this trigger. To prevent infinite loops, we stop here
+                "pbm_uuid", flat=True
+            ),
+            policy=policy_uuid,
+        ).exists():
+            # If policy that caused this event to be created is attached
+            # to *any* NotificationTrigger, we return early.
+            # This is the most effective way to prevent infinite loops.
             LOGGER.debug(
                 "e(trigger): attempting to prevent infinite loop", trigger=trigger
             )

website/docs/events/notifications.md

@@ -2,6 +2,10 @@
 title: Notifications
 ---
 
+:::note
+To prevent infinite loops (events created by policies which are attached to a Notification rule), **any events created by a policy which is attached to any Notification Trigger do not trigger notifications.**
+:::
+
 ## Filtering Events
 
 Starting with authentik 0.15, you can create notification triggers, which can alert you based on the creation of certain events.