feat: add action_by and environment to privilege escalation email (#89)

romanetar · smarcet · commit 23f9a74e7102 · 2025-09-16T17:03:58.000-03:00
Signed-off-by: romanetar &lt;roman_ag@hotmail.com&gt;
diff --git a/app/Jobs/NotifyMonitoredSecurityGroupActivity.php b/app/Jobs/NotifyMonitoredSecurityGroupActivity.php
@@ -77,6 +77,8 @@ final class NotifyMonitoredSecurityGroupActivity implements ShouldQueue
      */
     public $group_slug;
 
+    public $action_by;
+
     /**
      * @param string $action
      * @param int $user_id
@@ -85,6 +87,7 @@ final class NotifyMonitoredSecurityGroupActivity implements ShouldQueue
      * @param int $group_id
      * @param string $group_name
      * @param string $group_slug
+     * @param string $action_by
      * @throws ValidationException
      */
     public function __construct
@@ -95,7 +98,8 @@ public function __construct
         string $user_name,
         int $group_id,
         string $group_name,
-        string $group_slug
+        string $group_slug,
+        string $action_by
     )
     {
         if(!in_array($action, self::ValidActions)){
@@ -108,19 +112,21 @@ public function __construct
         $this->group_id = $group_id;
         $this->group_name = $group_name;
         $this->group_slug = $group_slug;
+        $this->action_by = $action_by;
 
         Log::debug
         (
             sprintf
             (
-                "NotifyMonitoredSecurityGroupActivity::constructor action %s user_id %s user_email %s user_name %s group_id %s group_name %s group_slug %s",
+                "NotifyMonitoredSecurityGroupActivity::constructor action %s user_id %s user_email %s user_name %s group_id %s group_name %s group_slug %s action_by %s",
                 $action,
                 $user_id,
                 $user_email,
                 $user_name,
                 $group_id,
                 $group_name,
-                $group_slug
+                $group_slug,
+                $action_by
             )
         );
     }
@@ -134,14 +140,15 @@ public function handle(IUserService $service){
         (
             sprintf
             (
-                "NotifyMonitoredSecurityGroupActivity::handle action %s user_id %s user_email %s user_name %s group_id %s group_name %s group_slug %s",
+                "NotifyMonitoredSecurityGroupActivity::handle action %s user_id %s user_email %s user_name %s group_id %s group_name %s group_slug %s action_by %s",
                 $this->action,
                 $this->user_id,
                 $this->user_email,
                 $this->user_name,
                 $this->group_id,
                 $this->group_name,
-                $this->group_slug
+                $this->group_slug,
+                $this->action_by
             )
         );
 
@@ -153,9 +160,9 @@ public function handle(IUserService $service){
             $this->user_name,
             $this->group_id,
             $this->group_name,
-            $this->group_slug
+            $this->group_slug,
+            $this->action_by
         );
-
     }
 
     public function failed(\Throwable $exception)
diff --git a/app/Mail/MonitoredSecurityGroupNotificationEmail.php b/app/Mail/MonitoredSecurityGroupNotificationEmail.php
@@ -34,6 +34,11 @@ final class MonitoredSecurityGroupNotificationEmail extends Mailable
      */
     public $action;
 
+    /**
+     * @var string
+     */
+    public $action_by;
+
     /**
      * @var int
      */
@@ -76,9 +81,17 @@ final class MonitoredSecurityGroupNotificationEmail extends Mailable
      */
     public $subject;
 
+    /**
+     * @var string
+     */
+    public $env;
+
+    public $action_by_phrase;
+
     /**
      * @param string $email
      * @param string $action
+     * @param string $action_by
      * @param int $user_id
      * @param string $user_email
      * @param string $user_name
@@ -90,6 +103,7 @@ public function __construct
     (
         string $email,
         string $action,
+        string $action_by,
         int $user_id,
         string $user_email,
         string $user_name,
@@ -100,20 +114,23 @@ public function __construct
     {
         $this->email = $email;
         $this->action = $action;
+        $this->action_by = $action_by;
         $this->user_id = $user_id;
         $this->user_email = $user_email;
         $this->user_name = $user_name;
         $this->group_id = $group_id;
         $this->group_name = $group_name;
         $this->group_slug = $group_slug;
-
+        $this->env = Config::get('app.env');
+        $this->action_by_phrase = $this->action_by ? " by $this->action_by" : "";
         Log::debug
         (
             sprintf
             (
-                "MonitoredSecurityGroupNotificationEmail::constructor email %s action %s user_id %s user_email %s user_name %s group_id %s group_name %s group_slug %s",
+                "MonitoredSecurityGroupNotificationEmail::constructor email %s action %s action_by %s user_id %s user_email %s user_name %s group_id %s group_name %s group_slug %s",
                 $email,
                 $action,
+                $action_by,
                 $user_id,
                 $user_email,
                 $user_name,
@@ -126,15 +143,19 @@ public function __construct
 
     public function build()
     {
+
+
         $this->subject = sprintf
         (
-            "[%s] Monitored Security Groups - User %s (%s) has been %s - Group %s (%s)"
+            "[%s] Monitored Security Groups - User %s (%s) has been %s%s - Group %s (%s) - Environment: %s"
             ,Config::get('app.app_name')
             ,$this->user_name
             ,$this->user_email
             ,$this->action
+            ,$this->action_by_phrase
             ,$this->group_name
             ,$this->group_id
+            ,$this->env
         );
         Log::debug(sprintf("MonitoredSecurityGroupNotificationEmail::build to %s", $this->email));
         return $this->from(Config::get("mail.from"))
diff --git a/app/Services/OpenId/UserService.php b/app/Services/OpenId/UserService.php
@@ -37,7 +37,6 @@
 use Illuminate\Support\Facades\Storage;
 use models\exceptions\EntityNotFoundException;
 use models\exceptions\ValidationException;
-use Models\OAuth2\Client;
 use models\utils\IEntity;
 use OAuth2\IResourceServerContext;
 use OAuth2\Models\IClient;
@@ -474,7 +473,17 @@ public function updateProfilePhoto($user_id, UploadedFile $file, $max_file_size
         return $user;
     }
 
-    public function notifyMonitoredSecurityGroupActivity(string $action, int $user_id, string $user_email, string $user_name, int $group_id, string $group_name, string $group_slug): void
+    public function notifyMonitoredSecurityGroupActivity
+    (
+        string $action,
+        int $user_id,
+        string $user_email,
+        string $user_name,
+        int $group_id,
+        string $group_name,
+        string $group_slug,
+        string $action_by
+    ): void
     {
        $watcher_groups = Config::get('audit.monitored_security_groups_set_activity_watchers', []);
 
@@ -497,13 +506,15 @@ public function notifyMonitoredSecurityGroupActivity(string $action, int $user_i
                     continue;
                 }
                 $notified_users[] = $user->getId();
+
                 Log::debug(sprintf("UserService::notifyMonitoredSecurityGroupActivity processing user %s", $user->getId()));
                 Mail::queue
                 (
                     new MonitoredSecurityGroupNotificationEmail
                     (
                         $user->getEmail(),
                         $action,
+                        $action_by,
                         $user_id,
                         $user_email,
                         $user_name,
@@ -514,6 +525,5 @@ public function notifyMonitoredSecurityGroupActivity(string $action, int $user_i
                 );
             }
         }
-
     }
 }
diff --git a/app/libs/Auth/Models/User.php b/app/libs/Auth/Models/User.php
@@ -731,6 +731,7 @@ public function addToGroup(Group $group)
         );
 
         $current_user = Auth::user();
+        $action_by = '';
         if($current_user instanceof User){
             Log::debug
             (
@@ -769,6 +770,7 @@ public function addToGroup(Group $group)
             );
 
             AddUserAction::dispatch($this->id, IPHelper::getUserIp(), $action);
+            $action_by = sprintf("%s (%s)", $current_user->getFullName(), $current_user->getEmail());
         }
 
         if ($this->groups->contains($group))
@@ -789,7 +791,8 @@ public function addToGroup(Group $group)
                 $this->getFullName(),
                 $group->getId(),
                 $group->getName(),
-                $group->getSlug()
+                $group->getSlug(),
+                $action_by
             );
         }
     }
@@ -810,6 +813,7 @@ public function removeFromGroup(Group $group)
             )
         );
         $current_user = Auth::user();
+        $action_by = '';
         if($current_user instanceof User){
             Log::debug
             (
@@ -845,6 +849,7 @@ public function removeFromGroup(Group $group)
             );
 
             AddUserAction::dispatch($this->id, IPHelper::getUserIp(), $action);
+            $action_by = sprintf("%s (%s)", $current_user->getFullName(), $current_user->getEmail());
         }
 
         if (!$this->groups->contains($group)) return;
@@ -862,7 +867,8 @@ public function removeFromGroup(Group $group)
                 $this->getFullName(),
                 $group->getId(),
                 $group->getName(),
-                $group->getSlug()
+                $group->getSlug(),
+                $action_by
             );
         }
     }
diff --git a/app/libs/OpenId/Services/IUserService.php b/app/libs/OpenId/Services/IUserService.php
@@ -91,6 +91,7 @@ public function update(int $id, array $payload): IEntity;
      * @param int $group_id
      * @param string $group_name
      * @param string $group_slug
+     * @params string $action_by
      * @return void
      */
     public function notifyMonitoredSecurityGroupActivity(
@@ -100,7 +101,8 @@ public function notifyMonitoredSecurityGroupActivity(
         string $user_name,
         int $group_id,
         string $group_name,
-        string $group_slug
+        string $group_slug,
+        string $action_by,
     ): void;
 
 }
diff --git a/resources/views/emails/audit/monitored_security_group_notification.blade.php b/resources/views/emails/audit/monitored_security_group_notification.blade.php
@@ -15,14 +15,18 @@
             <td align="center" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                 <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">
                     <p>
-                        User {!! $user_name !!} (Email: {!! $user_email !!}) has been  <b>{!! $action !!}</b>
+                        User {!! $user_name !!} (Email: {!! $user_email !!}) has been  <b>{!! $action !!}</b> {!! $action_by_phrase !!}
                     </p>
                 </div>
             </td>
         </tr>
         <tr>
             <td align="center" style="font-size:0px;padding:10px 25px;padding-right:25px;padding-left:25px;word-break:break-word;">
-                <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">Thanks! <br/><br/>{{Config::get('app.tenant_name')}} Support Team</div>
+                <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">
+                    Thanks! <br/><br/>
+                    {{Config::get('app.tenant_name')}} Support Team <br/><br/>
+                    <b>{!! $env !!} ENVIRONMENT</b>
+                </div>
             </td>
         </tr>
         </tbody>

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,6 @@`
`37`	`37`	`use Illuminate\Support\Facades\Storage;`
`38`	`38`	`use models\exceptions\EntityNotFoundException;`
`39`	`39`	`use models\exceptions\ValidationException;`
`40`		`-use Models\OAuth2\Client;`
`41`	`40`	`use models\utils\IEntity;`
`42`	`41`	`use OAuth2\IResourceServerContext;`
`43`	`42`	`use OAuth2\Models\IClient;`
`@@ -474,7 +473,17 @@ public function updateProfilePhoto($user_id, UploadedFile $file, $max_file_size`
`474`	`473`	`return $user;`
`475`	`474`	`}`
`476`	`475`
`477`		`- public function notifyMonitoredSecurityGroupActivity(string $action, int $user_id, string $user_email, string $user_name, int $group_id, string $group_name, string $group_slug): void`
	`476`	`+ public function notifyMonitoredSecurityGroupActivity`
	`477`	`+ (`
	`478`	`+ string $action,`
	`479`	`+ int $user_id,`
	`480`	`+ string $user_email,`
	`481`	`+ string $user_name,`
	`482`	`+ int $group_id,`
	`483`	`+ string $group_name,`
	`484`	`+ string $group_slug,`
	`485`	`+ string $action_by`
	`486`	`+ ): void`
`478`	`487`	`{`
`479`	`488`	`$watcher_groups = Config::get('audit.monitored_security_groups_set_activity_watchers', []);`
`480`	`489`
`@@ -497,13 +506,15 @@ public function notifyMonitoredSecurityGroupActivity(string $action, int $user_i`
`497`	`506`	`continue;`
`498`	`507`	`}`
`499`	`508`	`$notified_users[] = $user->getId();`
	`509`	`+`
`500`	`510`	`Log::debug(sprintf("UserService::notifyMonitoredSecurityGroupActivity processing user %s", $user->getId()));`
`501`	`511`	`Mail::queue`
`502`	`512`	`(`
`503`	`513`	`new MonitoredSecurityGroupNotificationEmail`
`504`	`514`	`(`
`505`	`515`	`$user->getEmail(),`
`506`	`516`	`$action,`
	`517`	`+ $action_by,`
`507`	`518`	`$user_id,`
`508`	`519`	`$user_email,`
`509`	`520`	`$user_name,`
`@@ -514,6 +525,5 @@ public function notifyMonitoredSecurityGroupActivity(string $action, int $user_i`
`514`	`525`	`);`
`515`	`526`	`}`
`516`	`527`	`}`
`517`		`-`
`518`	`528`	`}`
`519`	`529`	`}`
Original file line number	Diff line number	Diff line change
`@@ -731,6 +731,7 @@ public function addToGroup(Group $group)`
`731`	`731`	`);`
`732`	`732`
`733`	`733`	`$current_user = Auth::user();`
	`734`	`+ $action_by = '';`
`734`	`735`	`if($current_user instanceof User){`
`735`	`736`	`Log::debug`
`736`	`737`	`(`
`@@ -769,6 +770,7 @@ public function addToGroup(Group $group)`
`769`	`770`	`);`
`770`	`771`
`771`	`772`	`AddUserAction::dispatch($this->id, IPHelper::getUserIp(), $action);`
	`773`	`+ $action_by = sprintf("%s (%s)", $current_user->getFullName(), $current_user->getEmail());`
`772`	`774`	`}`
`773`	`775`
`774`	`776`	`if ($this->groups->contains($group))`
`@@ -789,7 +791,8 @@ public function addToGroup(Group $group)`
`789`	`791`	`$this->getFullName(),`
`790`	`792`	`$group->getId(),`
`791`	`793`	`$group->getName(),`
`792`		`- $group->getSlug()`
	`794`	`+ $group->getSlug(),`
	`795`	`+ $action_by`
`793`	`796`	`);`
`794`	`797`	`}`
`795`	`798`	`}`
`@@ -810,6 +813,7 @@ public function removeFromGroup(Group $group)`
`810`	`813`	`)`
`811`	`814`	`);`
`812`	`815`	`$current_user = Auth::user();`
	`816`	`+ $action_by = '';`
`813`	`817`	`if($current_user instanceof User){`
`814`	`818`	`Log::debug`
`815`	`819`	`(`
`@@ -845,6 +849,7 @@ public function removeFromGroup(Group $group)`
`845`	`849`	`);`
`846`	`850`
`847`	`851`	`AddUserAction::dispatch($this->id, IPHelper::getUserIp(), $action);`
	`852`	`+ $action_by = sprintf("%s (%s)", $current_user->getFullName(), $current_user->getEmail());`
`848`	`853`	`}`
`849`	`854`
`850`	`855`	`if (!$this->groups->contains($group)) return;`
`@@ -862,7 +867,8 @@ public function removeFromGroup(Group $group)`
`862`	`867`	`$this->getFullName(),`
`863`	`868`	`$group->getId(),`
`864`	`869`	`$group->getName(),`
`865`		`- $group->getSlug()`
	`870`	`+ $group->getSlug(),`
	`871`	`+ $action_by`
`866`	`872`	`);`
`867`	`873`	`}`
`868`	`874`	`}`