Update security notifications

- Updated error message when trying to set a value below 15 minutes.
- Added a checkbox to allow retroactive application of maximum duration.
- Fixed a bug by updating valuespec.
- Security messages now display a warning symbol and on hover indicate the notification cannot be removed.

Change-Id: I1eea840e06b4c913d48f0027b8e664b6b54f0059

cmk/gui/message.py

@@ -64,14 +64,24 @@ def get_gui_messages(user_id: UserId | None = None) -> MutableSequence[Message]:
     path = cmk.utils.paths.profile_dir / user_id / "messages.mk"
     messages = store.load_object_from_file(path, default=[])
 
-    # Delete too old messages
+    # Delete too old messages and update security message durations
     updated = False
     for index, message in enumerate(messages):
         now = time.time()
         valid_till = message.get("valid_till")
-        if valid_till is not None and valid_till < now:
-            messages.pop(index)
-            updated = True
+        valid_from = message.get("time")
+        if valid_till is not None:
+            if message.get("security") and active_config.user_security_notification_duration.get(
+                "update_existing_duration"
+            ):
+                message["valid_till"] = (
+                    valid_from
+                    + active_config.user_security_notification_duration.get("max_duration")
+                )
+                updated = True
+            if valid_till < now:
+                messages.pop(index)
+                updated = True
 
     if updated:
         save_gui_messages(messages)
@@ -286,7 +296,7 @@ def _validate_msg(msg: Message, _varprefix: str) -> None:
                 raise MKUserError("dest", _('A user with the id "%s" does not exist.') % user_id)
 
 
-def _process_message_message(msg: Message) -> None:  # pylint: disable=too-many-branches
+def _process_message_message(msg: Message) -> None:  # pylint: disable=R0912
     msg["id"] = utils.gen_id()
     msg["time"] = time.time()
 

cmk/gui/plugins/config/base.py

@@ -423,7 +423,12 @@ class CREConfig:
 
     # Individual changes to user's authentication security will trigger either emails or use notifications
     # Default is 7 days
-    user_security_notification_duration: int = 604800
+    user_security_notification_duration: dict[str, Any] = field(
+        default_factory=lambda: {
+            "max_duration": 604800,
+            "update_existing_duration": False,
+        }
+    )
 
     user_localizations: dict[str, dict[str, str]] = field(
         default_factory=lambda: {

cmk/gui/user_message.py

@@ -109,6 +109,8 @@ def render_user_message_table(what: str) -> None:
                     "delete",
                     onclick=onclick,
                 )
+            else:
+                html.icon("warning", _("Cannot be deleted manually, must expire"))
 
             table.cell(_("Message"), msg)
             table.cell(_("Date sent"), datetime)

cmk/gui/utils/user_security_message.py

@@ -71,15 +71,14 @@ def _send_mail(email_address: str, event: SecurityNotificationEvent, event_time:
 
 def _send_gui(user_id: UserId, event: SecurityNotificationEvent, event_time: datetime) -> None:
     timestamp = int(event_time.timestamp())
-
+    duration = int(config.active_config.user_security_notification_duration["max_duration"])
     message_gui(
         user_id,
         {
             "text": str(event.value),
             "dest": ("list", [user_id]),
             "methods": ["gui_hint"],
-            "valid_till": timestamp
-            + config.active_config.user_security_notification_duration,  # 1 week
+            "valid_till": timestamp + duration,  # 1 week
             "id": utils.gen_id(),
             "time": timestamp,
             "security": True,

cmk/gui/wato/_check_mk_configuration.py

@@ -2719,15 +2719,8 @@ def ident(self) -> str:
         return "user_security_notification_duration"
 
     def valuespec(self) -> ValueSpec:
-        return Optional(
-            valuespec=Age(
-                display=["days", "minutes", "hours"],
-                label=_("Session timeout:"),
-                minvalue=900,
-                default_value=604800,
-            ),
+        return Dictionary(
             title=_("User security notification duration"),
-            label=_("Display time for user security messages"),
             help=_(
                 "If a user has an email address associated with their account, "
                 "the user will not be shown a security notification in their user "
@@ -2736,8 +2729,36 @@ def valuespec(self) -> ValueSpec:
                 "an undismissable message in their user tab for the duration "
                 "defined by this setting."
             ),
+            elements=[
+                (
+                    "max_duration",
+                    Age(
+                        display=["days", "minutes", "hours"],
+                        label=_("Session timeout:"),
+                        default_value=604800,
+                        title=_("Display time for user security messages"),
+                        validate=self._validate_min,
+                    ),
+                ),
+                (
+                    "update_existing_duration",
+                    Checkbox(
+                        title=_("Update existing security notifications"),
+                        label=_("Retroactively apply max duration to existing notifications"),
+                        help=_(
+                            "Update existing security notifications to use the new max duration."
+                        ),
+                        default_value=False,
+                    ),
+                ),
+            ],
+            optional_keys=[],
         )
 
+    def _validate_min(self, value, varprefix):
+        if value < 900:
+            raise MKUserError(varprefix, _("The minimum duration may not be less than 15 minutes"))
+
 
 class ConfigVariableDefaultUserProfile(ConfigVariable):
     def group(self) -> type[ConfigVariableGroup]: