audit: sanitize kwargs when creating audit event

2019-12-31 13:33:07 +01:00
parent 74b2b26a20
commit 766518ee0e
7 changed files with 46 additions and 9 deletions
--- a/passbook/audit/models.py
+++ b/passbook/audit/models.py
@ -1,12 +1,13 @@
 """passbook audit models"""
 from enum import Enum
 from inspect import getmodule, stack
-from typing import Optional
+from typing import Optional, Dict, Any

 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.postgres.fields import JSONField
 from django.core.exceptions import ValidationError
+from django.contrib.contenttypes.models import ContentType
 from django.db import models
 from django.http import HttpRequest
 from django.utils.translation import gettext as _
@ -19,6 +20,26 @@ from passbook.lib.utils.http import get_client_ip
 LOGGER = get_logger()


+def sanitize_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
+    """clean source of all Models that would interfere with the JSONField.
+    Models are replaced with a dictionary of {
+        app: str,
+        name: str,
+        pk: Any
+    }"""
+    for key, value in source.items():
+        if isinstance(value, dict):
+            source[key] = sanitize_dict(value)
+        elif isinstance(value, models.Model):
+            model_content_type = ContentType.objects.get_for_model(value)
+            source[key] = {
+                "app": model_content_type.app_label,
+                "name": model_content_type.model,
+                "pk": value.pk,
+            }
+    return source
+
+
 class EventAction(Enum):
    """All possible actions to save into the audit log"""

@ -72,8 +93,9 @@ class Event(UUIDModel):
            )
        if not app:
            app = getmodule(stack()[_inspect_offset][0]).__name__
-        event = Event(action=action.value, app=app, context=kwargs)
-        LOGGER.debug("Created Audit event", action=action, context=kwargs)
+        cleaned_kwargs = sanitize_dict(kwargs)
+        event = Event(action=action.value, app=app, context=cleaned_kwargs)
+        LOGGER.debug("Created Audit event", action=action, context=cleaned_kwargs)
        return event

    def from_http(