Do the Login & Logout events exist and are they exploitable with ScriptRunner?

Looks like I am able to detect the logout even if I disable the Logout Redirection  from my SAML plugin.

Hi @Peter-Dave Sheehan and thanks!

Your answers are quite encouraging for the current investigation and I thank you very much for the side-tips about the use-cases.

I'd like to know where you went to detect the events / how you did it. Can you redirect me to some documentation please ? I can't seem to go further than manipulating existing events in the "Script Listeners" tab / testing code in the "Script Console" tab.

Thanks a lot again,

Regards,

Dylan

Well, the Script Listener tab is where you want to be.

1. Create a new custom script listener,
2. select LoginEvent or LogoutEvent in the  Events to listen too,
3. Write a script for what you want to do when that event is detected

In my case all I did was write a line of text to the log:

Then I tailed the log while logging out with a test account and saw that line go in the log.

Both the LoginEvent and the LogoutEvent generate an UserEvent (as subclasses). 

You can see the documentation for those event classes here: https://docs.atlassian.com/software/jira/docs/api/8.11.1/com/atlassian/jira/event/user/UserEvent.html

You will see that there isn't a whole lot of information in those classes, but at least the user is there, that's probably the most critical piece.

The rest of the script will really be depending on what you intend to do.

The only other documentation I can point you to is the generic custom listener page at adaptivist: https://scriptrunner.adaptavist.com/6.5.0-p5/jira/listeners.html#_custom_listeners

Thank you very much @Peter-Dave Sheehan, that's very informative.

However, I noticed that I'm talking about ScriptRunner for Jira Cloud and you're talking about ScriptRunner for Jira Server.

As such, I can't find the same events and I can't even find the "Custom Listeners" tab. 

Should I give up?

Thanks again,

Regards,

Dylan

My bad... I completely missed that you were working with Cloud.

Unfortunately, I know nothing of the capabilities and limitations of scriptrunner in a cloud environment. Especially with regards to listeners.

At a quick glance, there doesn't appear to be any login/logout event that can be used in a cloud listener. There is user_created, user_deleted and user_updated events only

It's alright, I learned a lot thanks to you :-).

I'll do with what I have and suggest different behaviours to the client.

Thanks a lot for your time, I really appreciate it.

Regards,

Dylan

Hi @Krzysztof 

Not sure if you got from the thread that all my advice were only applicable to server/dc.

If you're on cloud, I can't help.

But for server, I have no issue accessing the user with:

def user = (event as LoginEvent).user //returns ApplicationUser

Thanks! @Peter-Dave Sheehan 

You can go review the javadocs for each of those events: LoginEvent, LogoutEvent, LoginFailedEvent

Or output some details to the log to see what's available in each class and build out a script that can show you those details.

E.g.

import com.atlassian.jira.event.user.LoginFailedEvent
import com.atlassian.jira.event.user.LoginEvent
import com.atlassian.jira.event.user.LogoutEvent

log.info event.metaClass*.methods.name.sort().unique()
log.info "event =$event"
log.info "event class=${event.getClass()}"
log.info "event.initiatingUser=$event.initiatingUser"
log.info "event.user=$event.user"
if(event instanceof LoginFailedEvent){
    log.info "event.loginInfo=$event.loginInfo"
    log.info "event.loginReason=$event.loginReason"
}