Port: Webhook alert token and new user alerts

commons-persistence/src/main/java/org/dependencytrack/persistence/model/NotificationGroup.java

@@ -43,5 +43,7 @@ public enum NotificationGroup {
     VEX_PROCESSED,
     POLICY_VIOLATION,
     PROJECT_CREATED,
-    PROJECT_VULN_ANALYSIS_COMPLETE
+    PROJECT_VULN_ANALYSIS_COMPLETE,
+    USER_CREATED,
+    USER_DELETED
 }

commons/src/main/java/org/dependencytrack/common/KafkaTopic.java

@@ -35,6 +35,7 @@ public enum KafkaTopic {
     NOTIFICATION_PROJECT_AUDIT_CHANGE("dtrack.notification.project-audit-change"),
     NOTIFICATION_REPOSITORY("dtrack.notification.repository"),
     NOTIFICATION_VEX("dtrack.notification.vex"),
+    NOTIFICATION_USER("dtrack.notification.user"),
     REPO_META_ANALYSIS_COMMAND("dtrack.repo-meta-analysis.component"),
     REPO_META_ANALYSIS_RESULT("dtrack.repo-meta-analysis.result"),
     VULN_ANALYSIS_SCANNER_RESULT("dtrack.vuln-analysis.scanner.result"),

docker-compose.yml

@@ -306,6 +306,8 @@ services:
                 valueProtoType: org.cyclonedx.v1_4.Bom
               - topicName: dtrack.epss
                 valueProtoType: org.dependencytrack.mirror.v1.EpssItem
+              - topicName: dtrack.notification.user
+                valueProtoType: org.dependencytrack.notification.v1.Notification
             fileSystem:
               enabled: true
               paths: ["/etc/protos"]

docs/reference/topics.md

@@ -15,6 +15,7 @@
 | `dtrack.notification.project-created`                                                             | 3          |                                                                                     |
 | `dtrack.notification.repository`                                                                  | 3          |                                                                                     |
 | `dtrack.notification.vex`                                                                         | 3          |                                                                                     |
+| `dtrack.notification.user`                                                                        | 3          |                                                                                     |
 | `dtrack.notification.project-vuln-analysis-complete` <sup>3</sup>                                 | 3          | `cleanup.policy=compact`<br/>`segment.bytes=67108864`<br/>`max.compaction.lag.ms=0` |
 | `dtrack.repo-meta-analysis.component`<sup>1A</sup>                                                | 3          |                                                                                     |
 | `dtrack.repo-meta-analysis.result`                                                                | 3          |                                                                                     |

notification-publisher/src/main/java/org/dependencytrack/notification/NotificationConstants.java

@@ -52,6 +52,8 @@ public static class Title {
         public static final String BOM_PROCESSING_FAILED = "Bill of Materials Processing Failed";
         public static final String VEX_CONSUMED = "Vulnerability Exploitability Exchange (VEX) Consumed";
         public static final String VEX_PROCESSED = "Vulnerability Exploitability Exchange (VEX) Processed";
+        public static final String USER_CREATED = "User Created";
+        public static final String USER_DELETED = "User Deleted";
     }
 
 }

notification-publisher/src/main/java/org/dependencytrack/notification/config/ProtoReflectionConfiguration.java

@@ -42,6 +42,7 @@
 import org.dependencytrack.proto.notification.v1.ProjectVulnAnalysisCompleteSubject;
 import org.dependencytrack.proto.notification.v1.ProjectVulnAnalysisStatus;
 import org.dependencytrack.proto.notification.v1.Scope;
+import org.dependencytrack.proto.notification.v1.UserPrincipalSubject;
 import org.dependencytrack.proto.notification.v1.VexConsumedOrProcessedSubject;
 import org.dependencytrack.proto.notification.v1.Vulnerability;
 import org.dependencytrack.proto.notification.v1.VulnerabilityAnalysis;
@@ -73,6 +74,7 @@
                 PolicyViolationSubject.class,
                 Project.class,
                 ProjectVulnAnalysisCompleteSubject.class,
+                UserPrincipalSubject.class,
                 ProjectVulnAnalysisStatus.class,
                 Scope.class,
                 Timestamp.class,

notification-publisher/src/main/java/org/dependencytrack/notification/publisher/AbstractWebhookPublisher.java

@@ -79,6 +79,8 @@ public void publish(final PublishContext ctx, final PebbleTemplate template, fin
             } else {
                 request.addHeader("Authorization", "Bearer " + credentials.password);
             }
+        } else if (getToken(config) != null) {
+            request.addHeader(getTokenHeader(config), getToken(config));
         }
 
         StringEntity entity = new StringEntity(content);
@@ -109,5 +111,13 @@ protected record AuthCredentials(String user, String password) {
     protected String getDestinationUrl(final JsonObject config) {
         return config.getString(CONFIG_DESTINATION, null);
     }
+
+    protected String getToken(final JsonObject config) {
+        return config.getString(CONFIG_TOKEN, null);
+    }
+
+    protected String getTokenHeader(final JsonObject config) {
+        return config.getString(CONFIG_TOKEN_HEADER, "X-Api-Key");
+    }
 }
 

notification-publisher/src/main/java/org/dependencytrack/notification/publisher/PublishContext.java

@@ -30,6 +30,7 @@
 import org.dependencytrack.proto.notification.v1.PolicyViolationAnalysisDecisionChangeSubject;
 import org.dependencytrack.proto.notification.v1.PolicyViolationSubject;
 import org.dependencytrack.proto.notification.v1.ProjectVulnAnalysisCompleteSubject;
+import org.dependencytrack.proto.notification.v1.UserPrincipalSubject;
 import org.dependencytrack.proto.notification.v1.VexConsumedOrProcessedSubject;
 import org.dependencytrack.proto.notification.v1.VulnerabilityAnalysisDecisionChangeSubject;
 
@@ -129,6 +130,9 @@ public static PublishContext fromRecord(final ConsumerRecord<String, Notificatio
         } else if (notification.getSubject().is(VexConsumedOrProcessedSubject.class)) {
             final VexConsumedOrProcessedSubject subject = notification.getSubject().unpack(VexConsumedOrProcessedSubject.class);
             notificationSubjects.put(SUBJECT_PROJECT, Project.convert(subject.getProject()));
+        } else if (notification.getSubject().is(UserPrincipalSubject.class)) {
+            final UserPrincipalSubject subject = notification.getSubject().unpack(UserPrincipalSubject.class);
+            notificationSubjects.put("User", subject);
         }
 
         return new PublishContext(consumerRecord.topic(), consumerRecord.partition(), consumerRecord.offset(),

notification-publisher/src/main/java/org/dependencytrack/notification/publisher/Publisher.java

@@ -31,6 +31,7 @@
 import org.dependencytrack.proto.notification.v1.PolicyViolationAnalysisDecisionChangeSubject;
 import org.dependencytrack.proto.notification.v1.PolicyViolationSubject;
 import org.dependencytrack.proto.notification.v1.ProjectVulnAnalysisCompleteSubject;
+import org.dependencytrack.proto.notification.v1.UserPrincipalSubject;
 import org.dependencytrack.proto.notification.v1.VexConsumedOrProcessedSubject;
 import org.dependencytrack.proto.notification.v1.VulnerabilityAnalysisDecisionChangeSubject;
 import org.eclipse.microprofile.config.ConfigProvider;
@@ -42,6 +43,7 @@
 import java.util.Map;
 
 import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_PORTFOLIO;
+import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_SYSTEM;
 
 public interface Publisher {
 
@@ -51,6 +53,10 @@
 
     String CONFIG_DESTINATION = "destination";
 
+    String CONFIG_TOKEN = "token";
+
+    String CONFIG_TOKEN_HEADER = "tokenHeader";
+
 
     void inform(final PublishContext ctx, final Notification notification, final JsonObject config) throws Exception;
 
@@ -125,6 +131,13 @@
                 context.put("subjectJson", JsonFormat.printer().print(subject));
             }
         }
+        else if  (notification.getScope() == SCOPE_SYSTEM) {
+            if (notification.getSubject().is(UserPrincipalSubject.class)) {
+                final var subject = notification.getSubject().unpack(UserPrincipalSubject.class);
+                context.put("subject", subject);
+                context.put("subjectJson", JsonFormat.printer().print(subject));
+            }
+        }
 
         enrichTemplateContext(context, config);
 

notification-publisher/src/main/java/org/dependencytrack/notification/util/ModelConverter.java

@@ -64,6 +64,8 @@ public static NotificationGroup convert(final Group group) {
             case GROUP_POLICY_VIOLATION -> NotificationGroup.POLICY_VIOLATION;
             case GROUP_PROJECT_CREATED -> NotificationGroup.PROJECT_CREATED;
             case GROUP_PROJECT_VULN_ANALYSIS_COMPLETE -> NotificationGroup.PROJECT_VULN_ANALYSIS_COMPLETE;
+            case GROUP_USER_CREATED -> NotificationGroup.USER_CREATED;
+            case GROUP_USER_DELETED -> NotificationGroup.USER_DELETED;
             default -> throw new IllegalArgumentException("Unknown group: " + group);
         };
     }

notification-publisher/src/test/java/org/dependencytrack/notification/NotificationConstantsTest.java

@@ -42,5 +42,7 @@ public void testConstants() {
         Assertions.assertEquals("Analysis Decision: Finding Suppressed", NotificationConstants.Title.ANALYSIS_DECISION_SUPPRESSED);
         Assertions.assertEquals("Analysis Decision: Finding UnSuppressed", NotificationConstants.Title.ANALYSIS_DECISION_UNSUPPRESSED);
         Assertions.assertEquals("Analysis Decision: Finding Resolved", NotificationConstants.Title.ANALYSIS_DECISION_RESOLVED);
+        Assertions.assertEquals("User Created", NotificationConstants.Title.USER_CREATED);
+        Assertions.assertEquals("User Deleted", NotificationConstants.Title.USER_DELETED);
     }
 }

notification-publisher/src/test/java/org/dependencytrack/notification/NotificationRouterTest.java

@@ -42,6 +42,7 @@
 import org.dependencytrack.proto.notification.v1.PolicyViolationAnalysisDecisionChangeSubject;
 import org.dependencytrack.proto.notification.v1.PolicyViolationSubject;
 import org.dependencytrack.proto.notification.v1.Project;
+import org.dependencytrack.proto.notification.v1.UserPrincipalSubject;
 import org.dependencytrack.proto.notification.v1.VexConsumedOrProcessedSubject;
 import org.dependencytrack.proto.notification.v1.Vulnerability;
 import org.dependencytrack.proto.notification.v1.VulnerabilityAnalysisDecisionChangeSubject;
@@ -62,10 +63,12 @@
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_NEW_VULNERABLE_DEPENDENCY;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_POLICY_VIOLATION;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_PROJECT_AUDIT_CHANGE;
+import static org.dependencytrack.proto.notification.v1.Group.GROUP_USER_CREATED;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_VEX_CONSUMED;
 import static org.dependencytrack.proto.notification.v1.Level.LEVEL_ERROR;
 import static org.dependencytrack.proto.notification.v1.Level.LEVEL_INFORMATIONAL;
 import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_PORTFOLIO;
+import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_SYSTEM;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.verify;
@@ -836,6 +839,30 @@
         verify(consolePublisherMock).inform(any(), eq(notification), any());
     }
 
+    @Test
+    @TestTransaction
+    void testResolveRulesUserCreatedNotification() throws Exception {
+
+        final Long publisherId = createConsolePublisher();
+        createRule("Limit To Test Rule",
+                NotificationScope.SYSTEM, NotificationLevel.INFORMATIONAL,
+                NotificationGroup.USER_CREATED, publisherId);
+
+        final var notificationUser = Notification.newBuilder()
+                .setScope(SCOPE_SYSTEM)
+                .setGroup(GROUP_USER_CREATED)
+                .setLevel(LEVEL_INFORMATIONAL)
+                .setSubject(Any.pack(UserPrincipalSubject.newBuilder()
+                        .setUsername("username")
+                        .setEmail("email.com")
+                        .build()))
+                .build();
+
+        Assertions.assertThat(notificationRouter.resolveRules(PublisherTestUtil.createPublisherContext(notificationUser), notificationUser)).satisfiesExactly(
+                rule -> Assertions.assertThat(rule.getName()).isEqualTo("Limit To Test Rule")
+        );
+    }
+
     private Long createConsolePublisher() {
         return (Long) entityManager.createNativeQuery("""
                 INSERT INTO "NOTIFICATIONPUBLISHER" ("DEFAULT_PUBLISHER", "NAME", "PUBLISHER_CLASS", "TEMPLATE", "TEMPLATE_MIME_TYPE", "UUID") VALUES

notification-publisher/src/test/java/org/dependencytrack/notification/publisher/PublishContextTest.java

@@ -34,6 +34,7 @@
 import org.dependencytrack.proto.notification.v1.PolicyViolationSubject;
 import org.dependencytrack.proto.notification.v1.Project;
 import org.dependencytrack.proto.notification.v1.ProjectVulnAnalysisCompleteSubject;
+import org.dependencytrack.proto.notification.v1.UserPrincipalSubject;
 import org.dependencytrack.proto.notification.v1.VexConsumedOrProcessedSubject;
 import org.dependencytrack.proto.notification.v1.VulnerabilityAnalysisDecisionChangeSubject;
 import org.junit.jupiter.api.Nested;
@@ -49,10 +50,12 @@
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_PROJECT_AUDIT_CHANGE;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_PROJECT_CREATED;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_PROJECT_VULN_ANALYSIS_COMPLETE;
+import static org.dependencytrack.proto.notification.v1.Group.GROUP_USER_CREATED;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_VEX_CONSUMED;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_VEX_PROCESSED;
 import static org.dependencytrack.proto.notification.v1.Level.LEVEL_INFORMATIONAL;
 import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_PORTFOLIO;
+import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_SYSTEM;
 
 class PublishContextTest {
 
@@ -512,6 +515,34 @@ void testWithVexProcessedSubject() throws Exception {
             });
         }
 
+        @Test
+        void testWithUserPrincipalSubject() throws Exception {
+            final var notification = Notification.newBuilder()
+                    .setGroup(GROUP_USER_CREATED)
+                    .setLevel(LEVEL_INFORMATIONAL)
+                    .setScope(SCOPE_SYSTEM)
+                    .setTimestamp(Timestamps.fromSeconds(666))
+                    .setSubject(Any.pack(UserPrincipalSubject.newBuilder()
+                            .setUsername("username")
+                            .setEmail("email.com")
+                            .build()))
+                    .build();
+
+            final PublishContext ctx = PublishContext.fromRecord(new ConsumerRecord<>("topic", 1, 2L, "key", notification));
+            assertThat(ctx.kafkaTopic()).isEqualTo("topic");
+            assertThat(ctx.kafkaTopicPartition()).isEqualTo(1);
+            assertThat(ctx.kafkaPartitionOffset()).isEqualTo(2L);
+            assertThat(ctx.notificationGroup()).isEqualTo("GROUP_USER_CREATED");
+            assertThat(ctx.notificationLevel()).isEqualTo("LEVEL_INFORMATIONAL");
+            assertThat(ctx.notificationScope()).isEqualTo("SCOPE_SYSTEM");
+            assertThat(ctx.notificationTimestamp()).isEqualTo("1970-01-01T00:11:06.000Z");
+            assertThat(ctx.notificationSubjects())
+                    .hasEntrySatisfying("User", userObj -> {
+                        final var user = (UserPrincipalSubject) userObj;
+                        assertThat(user.getUsername()).isEqualTo("username");
+                        assertThat(user.getEmail()).isEqualTo("email.com");
+                    });
+        }
     }
 
     @Test

proto/src/main/proto/org/dependencytrack/notification/v1/notification.proto

@@ -50,6 +50,8 @@ enum Group {
   GROUP_PROJECT_CREATED = 16;
   GROUP_BOM_PROCESSING_FAILED = 17;
   GROUP_PROJECT_VULN_ANALYSIS_COMPLETE = 18;
+  GROUP_USER_CREATED = 19;
+  GROUP_USER_DELETED = 20;
 
   // Indexing service has been removed as of
   // https://github.com/DependencyTrack/hyades/issues/661
@@ -216,6 +218,11 @@ message ProjectVulnAnalysisCompleteSubject {
   string token = 4;
 }
 
+message UserPrincipalSubject {
+  string username = 1;
+  string email = 2;
+}
+
 enum ProjectVulnAnalysisStatus {
   PROJECT_VULN_ANALYSIS_STATUS_UNSPECIFIED = 0;
   PROJECT_VULN_ANALYSIS_STATUS_FAILED = 1;

scripts/create-topics.sh

@@ -53,6 +53,7 @@ notification_topics=(
   "${KAFKA_TOPIC_PREFIX:-}dtrack.notification.project-vuln-analysis-complete"
   "${KAFKA_TOPIC_PREFIX:-}dtrack.notification.repository"
   "${KAFKA_TOPIC_PREFIX:-}dtrack.notification.vex"
+  "${KAFKA_TOPIC_PREFIX:-}dtrack.notification.user"
 )
 for topic_name in "${notification_topics[@]}"; do
   create_topic "$topic_name" "${NOTIFICATION_TOPICS_PARTITIONS:-1}" "retention.ms=${NOTIFICATION_TOPICS_RETENTION_MS:-43200000}"