diff --git a/authentik/enterprise/providers/ssf/signals.py b/authentik/enterprise/providers/ssf/signals.py index 0b75573a1b..b678aff246 100644 --- a/authentik/enterprise/providers/ssf/signals.py +++ b/authentik/enterprise/providers/ssf/signals.py @@ -70,18 +70,19 @@ def ssf_user_logged_out_session_revoked(sender, request: HttpRequest, user: User send_ssf_event( EventTypes.CAEP_SESSION_REVOKED, { - "subject": { - "session": { - "format": "opaque", - "id": sha256(request.session.session_key.encode("ascii")).hexdigest(), - }, - "user": { - "format": "email", - "email": user.email, - }, - }, "initiating_entity": "user", }, + sub_id={ + "format": "complex", + "session": { + "format": "opaque", + "id": sha256(request.session.session_key.encode("ascii")).hexdigest(), + }, + "user": { + "format": "email", + "email": user.email, + }, + }, request=request, ) @@ -95,18 +96,19 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi send_ssf_event( EventTypes.CAEP_SESSION_REVOKED, { - "subject": { - "session": { - "format": "opaque", - "id": sha256(instance.session_key.encode("ascii")).hexdigest(), - }, - "user": { - "format": "email", - "email": instance.user.email, - }, - }, "initiating_entity": "user", }, + sub_id={ + "format": "complex", + "session": { + "format": "opaque", + "id": sha256(instance.session_key.encode("ascii")).hexdigest(), + }, + "user": { + "format": "email", + "email": instance.user.email, + }, + }, ) @@ -116,15 +118,16 @@ def ssf_password_changed_cred_change(sender, user: User, password: str | None, * send_ssf_event( EventTypes.CAEP_CREDENTIAL_CHANGE, { - "subject": { - "user": { - "format": "email", - "email": user.email, - }, - }, "credential_type": "password", "change_type": "revoke" if password is None else "update", }, + sub_id={ + "format": "complex", + "user": { + "format": "email", + "email": user.email, + }, + }, ) @@ -144,19 +147,23 @@ def ssf_device_post_save(sender: type[Model], instance: Device, created: bool, * return device_type = device_type_map.get(instance.__class__) data = { - "subject": { - "user": { - "format": "email", - "email": instance.user.email, - }, - }, "credential_type": device_type, "change_type": "create" if created else "update", "friendly_name": instance.name, } if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID: data["fido2_aaguid"] = instance.aaguid - send_ssf_event(EventTypes.CAEP_CREDENTIAL_CHANGE, data) + send_ssf_event( + EventTypes.CAEP_CREDENTIAL_CHANGE, + data, + sub_id={ + "format": "complex", + "user": { + "format": "email", + "email": instance.user.email, + }, + }, + ) @receiver(post_delete) @@ -167,16 +174,20 @@ def ssf_device_post_delete(sender: type[Model], instance: Device, **_): return device_type = device_type_map.get(instance.__class__) data = { - "subject": { - "user": { - "format": "email", - "email": instance.user.email, - }, - }, "credential_type": device_type, "change_type": "delete", "friendly_name": instance.name, } if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID: data["fido2_aaguid"] = instance.aaguid - send_ssf_event(EventTypes.CAEP_CREDENTIAL_CHANGE, data) + send_ssf_event( + EventTypes.CAEP_CREDENTIAL_CHANGE, + data, + sub_id={ + "format": "complex", + "user": { + "format": "email", + "email": instance.user.email, + }, + }, + ) diff --git a/authentik/enterprise/providers/ssf/tasks.py b/authentik/enterprise/providers/ssf/tasks.py index 4a7cca780b..335db4bd97 100644 --- a/authentik/enterprise/providers/ssf/tasks.py +++ b/authentik/enterprise/providers/ssf/tasks.py @@ -36,7 +36,7 @@ def send_ssf_event( stream_filter = {} stream_filter["events_requested__contains"] = [event_type] if request and hasattr(request, "request_id"): - data.setdefault("txn", request.request_id) + extra_data.setdefault("txn", request.request_id) for stream in Stream.objects.filter(**stream_filter): event_data = stream.prepare_event_payload(event_type, data, **extra_data) payload.append((str(stream.uuid), event_data)) diff --git a/authentik/enterprise/providers/ssf/tests/test_signals.py b/authentik/enterprise/providers/ssf/tests/test_signals.py index c848125cce..8f838f6658 100644 --- a/authentik/enterprise/providers/ssf/tests/test_signals.py +++ b/authentik/enterprise/providers/ssf/tests/test_signals.py @@ -65,9 +65,10 @@ class TestSignals(APITestCase): "https://schemas.openid.net/secevent/caep/event-type/session-revoked" ] self.assertEqual(event_payload["initiating_entity"], "user") - self.assertEqual(event_payload["subject"]["session"]["format"], "opaque") - self.assertEqual(event_payload["subject"]["user"]["format"], "email") - self.assertEqual(event_payload["subject"]["user"]["email"], user.email) + self.assertEqual(event.payload["sub_id"]["format"], "complex") + self.assertEqual(event.payload["sub_id"]["session"]["format"], "opaque") + self.assertEqual(event.payload["sub_id"]["user"]["format"], "email") + self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email) def test_signal_password_change(self): """Test user password change""" @@ -86,8 +87,9 @@ class TestSignals(APITestCase): ] self.assertEqual(event_payload["change_type"], "update") self.assertEqual(event_payload["credential_type"], "password") - self.assertEqual(event_payload["subject"]["user"]["format"], "email") - self.assertEqual(event_payload["subject"]["user"]["email"], user.email) + self.assertEqual(event.payload["sub_id"]["format"], "complex") + self.assertEqual(event.payload["sub_id"]["user"]["format"], "email") + self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email) def test_signal_authenticator_added(self): """Test authenticator creation signal""" @@ -113,8 +115,9 @@ class TestSignals(APITestCase): self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid) self.assertEqual(event_payload["friendly_name"], dev.name) self.assertEqual(event_payload["credential_type"], "fido-u2f") - self.assertEqual(event_payload["subject"]["user"]["format"], "email") - self.assertEqual(event_payload["subject"]["user"]["email"], user.email) + self.assertEqual(event.payload["sub_id"]["format"], "complex") + self.assertEqual(event.payload["sub_id"]["user"]["format"], "email") + self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email) def test_signal_authenticator_deleted(self): """Test authenticator deletion signal""" @@ -141,5 +144,6 @@ class TestSignals(APITestCase): self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid) self.assertEqual(event_payload["friendly_name"], dev.name) self.assertEqual(event_payload["credential_type"], "fido-u2f") - self.assertEqual(event_payload["subject"]["user"]["format"], "email") - self.assertEqual(event_payload["subject"]["user"]["email"], user.email) + self.assertEqual(event.payload["sub_id"]["format"], "complex") + self.assertEqual(event.payload["sub_id"]["user"]["format"], "email") + self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email) diff --git a/web/src/admin/providers/ssf/SSFProviderFormPage.ts b/web/src/admin/providers/ssf/SSFProviderFormPage.ts index 68d5c5eec0..1a6770e5eb 100644 --- a/web/src/admin/providers/ssf/SSFProviderFormPage.ts +++ b/web/src/admin/providers/ssf/SSFProviderFormPage.ts @@ -1,5 +1,4 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search"; -import "@goauthentik/admin/common/ak-flow-search/ak-flow-search"; import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; import { oauth2ProvidersProvider, @@ -7,14 +6,11 @@ import { } from "@goauthentik/admin/providers/oauth2/OAuth2ProvidersProvider"; import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; import { first } from "@goauthentik/common/utils"; -import "@goauthentik/components/ak-radio-input"; import "@goauthentik/components/ak-text-input"; -import "@goauthentik/components/ak-textarea-input"; import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js"; import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js"; import "@goauthentik/elements/forms/FormGroup"; import "@goauthentik/elements/forms/HorizontalFormElement"; -import "@goauthentik/elements/forms/Radio"; import "@goauthentik/elements/forms/SearchSelect"; import "@goauthentik/elements/utils/TimeDeltaHelp"; @@ -75,9 +71,9 @@ export class SSFProviderFormPage extends BaseProviderForm {

${msg("Key used to sign the events.")}