Event Handler for auth or validate/check - Message/Error Message Regex Breaks privacyIDEA

I am attempting to setup an event handler to either send an email to my group or run a script to change the default SMS provider when our main vendor has issues.

To do this I have setup an event handler to look for ProxyError|ConnectionError|ConnectTimeoutError|ReadTimeout within the detail->message.

If I set this handler to pre, it breaks privacyIDEA and all validate/check or auth attempts fail. There is no error written to the log even in debug mode. If I set it to post, it appears to work as expected.

However, it leads me to think that if the detail->message is non-existent in a reply, the same failure will occur so I’m not feeling confident enough to enable this.

I am currently running 3.1.1, has anyone else had this issue or know if it’s fixed in a later release?

Hi @droo,

interesting concept of yours.

However, the thing with the event handlers is that the flexibility also means that there are a lot of pitfalls. It was never our goal to make these fool proof, since it would probably limit the possibilities.

So some things that will not work out must be considered by the administrator, since the programmatic logic could never be completely implemented.

The pre event handlers cannot work a condition like detail->message since this is part of the response. And pre handlers are fired before a response exists. So this will always fail!

Pre means that the event handler is executed before the HTTP request is performed. So if the HTTP request to /validate/check is not performed yet, you cannot know if you have a connection error.

So your event handler must be a post handler. This way of course you will lose one auth request. But otherwise you would not know that your provider has a problem.

If you want to avoid this, run an external cron job that checks the provider and changes the config if the provider has an issue.

Thanks for the response. I also was able to make a code change that eliminates the crash in privacyIDEA if the message is missing:

Original Code in lib/eventhandler/base.py

    if CONDITION.DETAIL_ERROR_MESSAGE in conditions:
        message = content.get("detail", {}).get("error", {}).get("message")
        search_exp = conditions.get(CONDITION.DETAIL_ERROR_MESSAGE)
        m = re.search(search_exp, message)
        if not bool(m):
            return False

    if CONDITION.DETAIL_MESSAGE in conditions:
        message = content.get("detail", {}).get("message")
        search_exp = conditions.get(CONDITION.DETAIL_MESSAGE)
        m = re.search(search_exp, message)
        if not bool(m):
            return False

Fixed code:

    if CONDITION.DETAIL_ERROR_MESSAGE in conditions:
        message = content.get("detail", {}).get("error", {}).get("message") or ""
        search_exp = conditions.get(CONDITION.DETAIL_ERROR_MESSAGE)
        m = re.search(search_exp, message)
        if not bool(m):
            return False

    if CONDITION.DETAIL_MESSAGE in conditions:
        message = content.get("detail", {}).get("message") or ""
        search_exp = conditions.get(CONDITION.DETAIL_MESSAGE)
        m = re.search(search_exp, message)
        if not bool(m):
            return False

I went ahead and opened an issue, in case it’s something you think is worth fixing.
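The failure mode described in this thread, as an added stand-alone example (not code from the poster or from the privacyIDEA project): the two condition checks are mirrored in a small function, once as in the original and once with the `or ""` fix, and evaluated against constructed responses. The constant names `DETAIL_ERROR_MESSAGE`/`DETAIL_MESSAGE`, the helper names and the sample responses are assumptions made for the example; the regex is the one from the first post. The empty dict stands in for a pre handler, which runs before any response exists.

```python
import re

# Hypothetical stand-ins for privacyIDEA's CONDITION constants (names assumed).
DETAIL_ERROR_MESSAGE = "detail_error_message"
DETAIL_MESSAGE = "detail_message"

# Regex from the first post: the provider errors the handler should react to.
PROVIDER_ERROR_RE = r"ProxyError|ConnectionError|ConnectTimeoutError|ReadTimeout"

# Constructed sample: a post-handler response where the SMS provider timed out.
RESPONSE_WITH_ERROR = {
    "result": {"status": False},
    "detail": {"error": {"message": "ConnectTimeoutError: sms gateway unreachable"}},
}

# Constructed sample: a successful response that carries no detail->message.
RESPONSE_WITHOUT_MESSAGE = {
    "result": {"status": True, "value": True},
    "detail": {"message": None},
}

# A pre handler has no response yet, so the content it sees is empty.
NO_RESPONSE = {}


def _get_message(content, key):
    """Same lookup path as the snippets in the thread; yields None when absent."""
    if key == DETAIL_ERROR_MESSAGE:
        return content.get("detail", {}).get("error", {}).get("message")
    return content.get("detail", {}).get("message")


def matches_unsafe(content, conditions):
    """Mirror of the original logic: re.search(pattern, None) raises TypeError."""
    for key in (DETAIL_ERROR_MESSAGE, DETAIL_MESSAGE):
        if key in conditions:
            message = _get_message(content, key)
            if not re.search(conditions[key], message):
                return False
    return True


def matches_safe(content, conditions):
    """Mirror of the fixed logic: a missing message becomes "" and does not match."""
    for key in (DETAIL_ERROR_MESSAGE, DETAIL_MESSAGE):
        if key in conditions:
            message = _get_message(content, key) or ""
            if not re.search(conditions[key], message):
                return False
    return True


def crashes(func, content, conditions):
    """True if evaluating the condition raises instead of returning a bool."""
    try:
        func(content, conditions)
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    conds = {DETAIL_ERROR_MESSAGE: PROVIDER_ERROR_RE}
    for name, content in (("error", RESPONSE_WITH_ERROR),
                          ("no message", RESPONSE_WITHOUT_MESSAGE),
                          ("pre handler", NO_RESPONSE)):
        print(name, "unsafe crashes:", crashes(matches_unsafe, content, conds),
              "safe matches:", matches_safe(content, conds))
```

With the original logic the empty pre-handler content and the response without a message both raise, which is what takes every /validate/check request down; with the fix they evaluate to "no match" and only the genuine provider error fires the handler.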

for the record: the issue is here https://github.com/privacyidea/privacyidea/issues/2247