Update audit logging and dashboard

2025-05-13 21:54:40 +02:00
parent 60026a485d
commit 3055f5277b
20 changed files with 788 additions and 285 deletions
--- a/packages/sshecret-admin/src/sshecret_admin/frontend/views/auth.py
+++ b/packages/sshecret-admin/src/sshecret_admin/frontend/views/auth.py
@ -8,6 +8,7 @@ from fastapi import APIRouter, Depends, Query, Request, Response, status
 from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 from sqlmodel import Session
+from sshecret_admin.services import AdminBackend
 from starlette.datastructures import URL

 from sshecret_admin.auth import (
@ -17,6 +18,8 @@ from sshecret_admin.auth import (
    create_refresh_token,
 )

+from sshecret.backend.models import Operation
+
 from ..dependencies import FrontendDependencies
 from ..exceptions import RedirectException

@ -30,6 +33,19 @@ class LoginError(BaseModel):
    message: str


+async def audit_login_failure(admin: AdminBackend, username: str, request: Request) -> None:
+    """Write login failure to audit log."""
+    origin: str | None = None
+    if request.client:
+        origin = request.client.host
+    await admin.write_audit_message(
+        operation=Operation.DENY,
+        message="Login failed",
+        origin=origin or "UNKNOWN",
+        username=username,
+    )
+
+
 def create_router(dependencies: FrontendDependencies) -> APIRouter:
    """Create auth router."""

@ -64,6 +80,7 @@ def create_router(dependencies: FrontendDependencies) -> APIRouter:
        request: Request,
        response: Response,
        session: Annotated[Session, Depends(dependencies.get_db_session)],
+        admin: Annotated[AdminBackend, Depends(dependencies.get_admin_backend)],
        form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
        next: Annotated[str, Query()] = "/dashboard",
        error_title: str | None = None,
@ -89,6 +106,7 @@ def create_router(dependencies: FrontendDependencies) -> APIRouter:
            )
        )
        if not user:
+            await audit_login_failure(admin, form_data.username, request)
            raise login_failed
        token_data: dict[str, str] = {"sub": user.username}
        access_token = create_access_token(dependencies.settings, data=token_data)
@ -108,6 +126,17 @@ def create_router(dependencies: FrontendDependencies) -> APIRouter:
            secure=False,
            samesite="strict",
        )
+        origin = "UNKNOWN"
+        if request.client:
+            origin = request.client.host
+
+        await admin.write_audit_message(
+            operation=Operation.LOGIN,
+            message="Logged in to admin frontend",
+            origin=origin,
+            username=form_data.username,
+        )
+
        return response

    @app.get("/refresh")