core: add ability to provide reason for impersonation

rissson · rissson · commit cf100c944fba · 2024-11-07T17:00:59.000+01:00
Signed-off-by: Marc 'risson' Schmitt &lt;marc.schmitt@risson.space&gt;
diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
@@ -666,7 +666,12 @@ def recovery_email(self, request: Request, pk: int) -> Response:
 
     @permission_required("authentik_core.impersonate")
     @extend_schema(
-        request=OpenApiTypes.NONE,
+        request=inline_serializer(
+            "ImpersonationSerializer",
+            {
+                "reason": CharField(required=True),
+            },
+        ),
         responses={
             "204": OpenApiResponse(description="Successfully started impersonation"),
             "401": OpenApiResponse(description="Access denied"),
@@ -679,6 +684,7 @@ def impersonate(self, request: Request, pk: int) -> Response:
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
         user_to_be = self.get_object()
+        reason = request.data.get("reason", "")
         # Check both object-level perms and global perms
         if not request.user.has_perm(
             "authentik_core.impersonate", user_to_be
@@ -688,11 +694,14 @@ def impersonate(self, request: Request, pk: int) -> Response:
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)
+        if not reason and request.tenant.impersonation_require_reason:
+            LOGGER.debug("User attempted to impersonate without providing a reason", user=request.user)
+            return Response(status=401)
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
-        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
 
         return Response(status=201)
 
diff --git a/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py b/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
@@ -8,6 +8,7 @@
 from django.conf import settings
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+from django.utils.timezone import now
 
 import authentik.events.models
 import authentik.lib.models
@@ -292,7 +293,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name="event",
             name="expires",
-            field=models.DateTimeField(default=authentik.events.models.default_event_duration),
+            field=models.DateTimeField(default=now),
         ),
         migrations.AddField(
             model_name="event",
diff --git a/authentik/events/migrations/0008_alter_event_expires.py b/authentik/events/migrations/0008_alter_event_expires.py
@@ -0,0 +1,19 @@
+# Generated by Django 5.0.9 on 2024-11-07 15:12
+
+import authentik.events.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="expires",
+            field=models.DateTimeField(default=authentik.events.models.default_event_duration),
+        ),
+    ]
diff --git a/authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py b/authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py
@@ -0,0 +1,21 @@
+# Generated by Django 5.0.9 on 2024-11-07 15:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_tenants", "0003_alter_tenant_default_token_duration"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="tenant",
+            name="impersonation_require_reason",
+            field=models.BooleanField(
+                default=True,
+                help_text="Require administrators to provide a reason for impersonating a user.",
+            ),
+        ),
+    ]
diff --git a/authentik/tenants/models.py b/authentik/tenants/models.py
@@ -85,6 +85,9 @@ class Tenant(TenantMixin, SerializerModel):
     impersonation = models.BooleanField(
         help_text=_("Globally enable/disable impersonation."), default=True
     )
+    impersonation_require_reason = models.BooleanField(
+        help_text=_("Require administrators to provide a reason for impersonating a user."), default=True
+    )
     default_token_duration = models.TextField(
         help_text=_("Default token duration"),
         default=DEFAULT_TOKEN_DURATION,
diff --git a/schema.yml b/schema.yml
@@ -5295,6 +5295,12 @@ paths:
         required: true
       tags:
       - core
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ImpersonationRequest'
+        required: true
       security:
       - authentik: []
       responses:
@@ -42713,6 +42719,14 @@ components:
             incorrect user info is entered.
       required:
       - name
+    ImpersonationRequest:
+      type: object
+      properties:
+        reason:
+          type: string
+          minLength: 1
+      required:
+      - reason
     InstallID:
       type: object
       properties:
diff --git a/web/src/admin/users/UserImpersonateForm.ts b/web/src/admin/users/UserImpersonateForm.ts
@@ -0,0 +1,39 @@
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import "@goauthentik/components/ak-text-input";
+import { Form } from "@goauthentik/elements/forms/Form";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import { CoreApi, ImpersonationRequest } from "@goauthentik/api";
+
+@customElement("ak-user-impersonate-form")
+export class UserImpersonateForm extends Form<ImpersonationRequest> {
+    @property({ type: Number })
+    instancePk?: number;
+
+    async send(data: ImpersonationRequest): Promise<void> {
+        return new CoreApi(DEFAULT_CONFIG).coreUsersImpersonateCreate({
+            id: this.instancePk || 0,
+            impersonationRequest: data,
+        });
+        // .then(() => {
+        //     window.location.href = "/";
+        // });
+    }
+
+    renderForm(): TemplateResult {
+        return html`<ak-text-input
+            name="reason"
+            label=${msg("Reason")}
+            help=${msg("Reason for impersonating the user")}
+        ></ak-text-input>`;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-user-impersonate-form": UserImpersonateForm;
+    }
+}
diff --git a/web/src/admin/users/UserListPage.ts b/web/src/admin/users/UserListPage.ts
@@ -2,6 +2,7 @@ import { AdminInterface } from "@goauthentik/admin/AdminInterface";
 import "@goauthentik/admin/users/ServiceAccountForm";
 import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserForm";
+import "@goauthentik/admin/users/UserImpersonateForm";
 import "@goauthentik/admin/users/UserPasswordForm";
 import "@goauthentik/admin/users/UserResetEmailForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
@@ -266,20 +267,22 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                 </ak-forms-modal>
                 ${canImpersonate
                     ? html`
-                          <ak-action-button
-                              class="pf-m-tertiary"
-                              .apiRequest=${() => {
-                                  return new CoreApi(DEFAULT_CONFIG)
-                                      .coreUsersImpersonateCreate({
-                                          id: item.pk,
-                                      })
-                                      .then(() => {
-                                          window.location.href = "/";
-                                      });
-                              }}
-                          >
-                              ${msg("Impersonate")}
-                          </ak-action-button>
+                          <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
+                              <span slot="submit">${msg("Impersonate")}</span>
+                              <span slot="header">${msg("Impersonate")} ${item.username}</span>
+                              <ak-user-impersonate-form
+                                  slot="form"
+                                  .instancePk=${item.pk}
+                              ></ak-user-impersonate-form>
+                              <button slot="trigger" class="pf-c-button pf-m-tertiary">
+                                  <pf-tooltip
+                                      position="top"
+                                      content=${msg("Temporarily assume the identity of this user")}
+                                  >
+                                      ${msg("Impersonate")}
+                                  </pf-tooltip>
+                              </button>
+                          </ak-forms-modal>
                       `
                     : html``}`,
         ];
diff --git a/web/src/admin/users/UserViewPage.ts b/web/src/admin/users/UserViewPage.ts
@@ -5,6 +5,7 @@ import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserApplicationTable";
 import "@goauthentik/admin/users/UserChart";
 import "@goauthentik/admin/users/UserForm";
+import "@goauthentik/admin/users/UserImpersonateForm";
 import {
     renderRecoveryEmailRequest,
     requestRecoveryLink,
@@ -208,26 +209,22 @@ export class UserViewPage extends WithCapabilitiesConfig(AKElement) {
             </ak-user-active-form>
             ${canImpersonate
                 ? html`
-                      <ak-action-button
-                          class="pf-m-secondary pf-m-block"
-                          id="impersonate-user-button"
-                          .apiRequest=${() => {
-                              return new CoreApi(DEFAULT_CONFIG)
-                                  .coreUsersImpersonateCreate({
-                                      id: user.pk,
-                                  })
-                                  .then(() => {
-                                      window.location.href = "/";
-                                  });
-                          }}
-                      >
-                          <pf-tooltip
-                              position="top"
-                              content=${msg("Temporarily assume the identity of this user")}
-                          >
-                              ${msg("Impersonate")}
-                          </pf-tooltip>
-                      </ak-action-button>
+                      <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
+                          <span slot="submit">${msg("Impersonate")}</span>
+                          <span slot="header">${msg("Impersonate")} ${user.username}</span>
+                          <ak-user-impersonate-form
+                              slot="form"
+                              .instancePk=${user.pk}
+                          ></ak-user-impersonate-form>
+                          <button slot="trigger" class="pf-c-button pf-m-secondary pf-m-block">
+                              <pf-tooltip
+                                  position="top"
+                                  content=${msg("Temporarily assume the identity of this user")}
+                              >
+                                  ${msg("Impersonate")}
+                              </pf-tooltip>
+                          </button>
+                      </ak-forms-modal>
                   `
                 : nothing}
         </div> `;
