wip: rename to authentik (#361)

* root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * *: new sentry dsn * tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject
2020-12-05 22:08:42 +01:00
parent 810a7ab50b
commit 1cfe1aff13
989 changed files with 6425 additions and 4412 deletions
--- a/authentik/crypto/init.py
+++ b/authentik/crypto/init.py
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -0,0 +1,47 @@
+"""Crypto API Views"""
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.x509 import load_pem_x509_certificate
+from rest_framework.serializers import ModelSerializer, ValidationError
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.crypto.models import CertificateKeyPair
+
+
+class CertificateKeyPairSerializer(ModelSerializer):
+    """CertificateKeyPair Serializer"""
+
+    def validate_certificate_data(self, value):
+        """Verify that input is a valid PEM x509 Certificate"""
+        try:
+            load_pem_x509_certificate(value.encode("utf-8"), default_backend())
+        except ValueError:
+            raise ValidationError("Unable to load certificate.")
+        return value
+
+    def validate_key_data(self, value):
+        """Verify that input is a valid PEM RSA Key"""
+        # Since this field is optional, data can be empty.
+        if value == "":
+            return value
+        try:
+            load_pem_private_key(
+                str.encode("\n".join([x.strip() for x in value.split("\n")])),
+                password=None,
+                backend=default_backend(),
+            )
+        except ValueError:
+            raise ValidationError("Unable to load private key.")
+        return value
+
+    class Meta:
+
+        model = CertificateKeyPair
+        fields = ["pk", "name", "certificate_data", "key_data"]
+
+
+class CertificateKeyPairViewSet(ModelViewSet):
+    """CertificateKeyPair Viewset"""
+
+    queryset = CertificateKeyPair.objects.all()
+    serializer_class = CertificateKeyPairSerializer
--- a/authentik/crypto/apps.py
+++ b/authentik/crypto/apps.py
@ -0,0 +1,10 @@
+"""authentik crypto app config"""
+from django.apps import AppConfig
+
+
+class AuthentikCryptoConfig(AppConfig):
+    """authentik crypto app config"""
+
+    name = "authentik.crypto"
+    label = "authentik_crypto"
+    verbose_name = "authentik Crypto"
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@ -0,0 +1,84 @@
+"""Create self-signed certificates"""
+import datetime
+import uuid
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
+
+class CertificateBuilder:
+    """Build self-signed certificates"""
+
+    __public_key = None
+    __private_key = None
+    __builder = None
+    __certificate = None
+
+    def __init__(self):
+        self.__public_key = None
+        self.__private_key = None
+        self.__builder = None
+        self.__certificate = None
+
+    def build(self):
+        """Build self-signed certificate"""
+        one_day = datetime.timedelta(1, 0, 0)
+        self.__private_key = rsa.generate_private_key(
+            public_exponent=65537, key_size=2048, backend=default_backend()
+        )
+        self.__public_key = self.__private_key.public_key()
+        self.__builder = (
+            x509.CertificateBuilder()
+            .subject_name(
+                x509.Name(
+                    [
+                        x509.NameAttribute(
+                            NameOID.COMMON_NAME,
+                            "authentik Self-signed Certificate",
+                        ),
+                        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
+                        x509.NameAttribute(
+                            NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"
+                        ),
+                    ]
+                )
+            )
+            .issuer_name(
+                x509.Name(
+                    [
+                        x509.NameAttribute(
+                            NameOID.COMMON_NAME,
+                            "authentik Self-signed Certificate",
+                        ),
+                    ]
+                )
+            )
+            .not_valid_before(datetime.datetime.today() - one_day)
+            .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=365))
+            .serial_number(int(uuid.uuid4()))
+            .public_key(self.__public_key)
+        )
+        self.__certificate = self.__builder.sign(
+            private_key=self.__private_key,
+            algorithm=hashes.SHA256(),
+            backend=default_backend(),
+        )
+
+    @property
+    def private_key(self):
+        """Return private key in PEM format"""
+        return self.__private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        ).decode("utf-8")
+
+    @property
+    def certificate(self):
+        """Return certificate in PEM format"""
+        return self.__certificate.public_bytes(
+            encoding=serialization.Encoding.PEM,
+        ).decode("utf-8")
--- a/authentik/crypto/forms.py
+++ b/authentik/crypto/forms.py
@ -0,0 +1,57 @@
+"""authentik Crypto forms"""
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.x509 import load_pem_x509_certificate
+from django import forms
+from django.utils.translation import gettext_lazy as _
+
+from authentik.crypto.models import CertificateKeyPair
+
+
+class CertificateKeyPairForm(forms.ModelForm):
+    """CertificateKeyPair Form"""
+
+    def clean_certificate_data(self):
+        """Verify that input is a valid PEM x509 Certificate"""
+        certificate_data = self.cleaned_data["certificate_data"]
+        try:
+            load_pem_x509_certificate(
+                certificate_data.encode("utf-8"), default_backend()
+            )
+        except ValueError:
+            raise forms.ValidationError("Unable to load certificate.")
+        return certificate_data
+
+    def clean_key_data(self):
+        """Verify that input is a valid PEM RSA Key"""
+        key_data = self.cleaned_data["key_data"]
+        # Since this field is optional, data can be empty.
+        if key_data == "":
+            return key_data
+        try:
+            load_pem_private_key(
+                str.encode("\n".join([x.strip() for x in key_data.split("\n")])),
+                password=None,
+                backend=default_backend(),
+            )
+        except ValueError:
+            raise forms.ValidationError("Unable to load private key.")
+        return key_data
+
+    class Meta:
+
+        model = CertificateKeyPair
+        fields = [
+            "name",
+            "certificate_data",
+            "key_data",
+        ]
+        widgets = {
+            "name": forms.TextInput(),
+            "certificate_data": forms.Textarea(attrs={"class": "monospaced"}),
+            "key_data": forms.Textarea(attrs={"class": "monospaced"}),
+        }
+        labels = {
+            "certificate_data": _("Certificate"),
+            "key_data": _("Private Key"),
+        }
--- a/authentik/crypto/migrations/0001_initial.py
+++ b/authentik/crypto/migrations/0001_initial.py
@ -0,0 +1,48 @@
+# Generated by Django 3.0.6 on 2020-05-19 22:08
+
+import uuid
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = []
+
+    operations = [
+        migrations.CreateModel(
+            name="CertificateKeyPair",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "kp_uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("name", models.TextField()),
+                (
+                    "certificate_data",
+                    models.TextField(help_text="PEM-encoded Certificate data"),
+                ),
+                (
+                    "key_data",
+                    models.TextField(
+                        blank=True,
+                        default="",
+                        help_text="Optional Private Key. If this is set, you can use this keypair for encryption.",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Certificate-Key Pair",
+                "verbose_name_plural": "Certificate-Key Pairs",
+            },
+        ),
+    ]
--- a/authentik/crypto/migrations/0002_create_self_signed_kp.py
+++ b/authentik/crypto/migrations/0002_create_self_signed_kp.py
@ -0,0 +1,26 @@
+# Generated by Django 3.0.6 on 2020-05-23 23:07
+
+from django.db import migrations
+
+
+def create_self_signed(apps, schema_editor):
+    CertificateKeyPair = apps.get_model("authentik_crypto", "CertificateKeyPair")
+    db_alias = schema_editor.connection.alias
+    from authentik.crypto.builder import CertificateBuilder
+
+    builder = CertificateBuilder()
+    builder.build()
+    CertificateKeyPair.objects.using(db_alias).create(
+        name="authentik Self-signed Certificate",
+        certificate_data=builder.certificate,
+        key_data=builder.private_key,
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0001_initial"),
+    ]
+
+    operations = [migrations.RunPython(create_self_signed)]
--- a/authentik/crypto/migrations/init.py
+++ b/authentik/crypto/migrations/init.py
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@ -0,0 +1,87 @@
+"""authentik crypto models"""
+from binascii import hexlify
+from hashlib import md5
+from typing import Optional
+from uuid import uuid4
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.x509 import Certificate, load_pem_x509_certificate
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from authentik.lib.models import CreatedUpdatedModel
+
+
+class CertificateKeyPair(CreatedUpdatedModel):
+    """CertificateKeyPair that can be used for signing or encrypting if `key_data`
+    is set, otherwise it can be used to verify remote data."""
+
+    kp_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+
+    name = models.TextField()
+    certificate_data = models.TextField(help_text=_("PEM-encoded Certificate data"))
+    key_data = models.TextField(
+        help_text=_(
+            "Optional Private Key. If this is set, you can use this keypair for encryption."
+        ),
+        blank=True,
+        default="",
+    )
+
+    _cert: Optional[Certificate] = None
+    _private_key: Optional[RSAPrivateKey] = None
+    _public_key: Optional[RSAPublicKey] = None
+
+    @property
+    def certificate(self) -> Certificate:
+        """Get python cryptography Certificate instance"""
+        if not self._cert:
+            self._cert = load_pem_x509_certificate(
+                self.certificate_data.encode("utf-8"), default_backend()
+            )
+        return self._cert
+
+    @property
+    def public_key(self) -> Optional[RSAPublicKey]:
+        """Get public key of the private key"""
+        if not self._public_key:
+            self._public_key = self.private_key.public_key()
+        return self._public_key
+
+    @property
+    def private_key(self) -> Optional[RSAPrivateKey]:
+        """Get python cryptography PrivateKey instance"""
+        if not self._private_key and self._private_key != "":
+            self._private_key = load_pem_private_key(
+                str.encode("\n".join([x.strip() for x in self.key_data.split("\n")])),
+                password=None,
+                backend=default_backend(),
+            )
+        return self._private_key
+
+    @property
+    def fingerprint(self) -> str:
+        """Get SHA256 Fingerprint of certificate_data"""
+        return hexlify(self.certificate.fingerprint(hashes.SHA256()), ":").decode(
+            "utf-8"
+        )
+
+    @property
+    def kid(self):
+        """Get Key ID used for JWKS"""
+        return "{0}".format(
+            md5(self.key_data.encode("utf-8")).hexdigest()  # nosec
+            if self.key_data
+            else ""
+        )
+
+    def __str__(self) -> str:
+        return f"Certificate-Key Pair {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Certificate-Key Pair")
+        verbose_name_plural = _("Certificate-Key Pairs")
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -0,0 +1,50 @@
+"""Crypto tests"""
+from django.test import TestCase
+
+from authentik.crypto.api import CertificateKeyPairSerializer
+from authentik.crypto.forms import CertificateKeyPairForm
+from authentik.crypto.models import CertificateKeyPair
+
+
+class TestCrypto(TestCase):
+    """Test Crypto validation"""
+
+    def test_form(self):
+        """Test form validation"""
+        keypair = CertificateKeyPair.objects.first()
+        self.assertTrue(
+            CertificateKeyPairForm(
+                {
+                    "name": keypair.name,
+                    "certificate_data": keypair.certificate_data,
+                    "key_data": keypair.key_data,
+                }
+            ).is_valid()
+        )
+        self.assertFalse(
+            CertificateKeyPairForm(
+                {"name": keypair.name, "certificate_data": "test", "key_data": "test"}
+            ).is_valid()
+        )
+
+    def test_serializer(self):
+        """Test API Validation"""
+        keypair = CertificateKeyPair.objects.first()
+        self.assertTrue(
+            CertificateKeyPairSerializer(
+                data={
+                    "name": keypair.name,
+                    "certificate_data": keypair.certificate_data,
+                    "key_data": keypair.key_data,
+                }
+            ).is_valid()
+        )
+        self.assertFalse(
+            CertificateKeyPairSerializer(
+                data={
+                    "name": keypair.name,
+                    "certificate_data": "test",
+                    "key_data": "test",
+                }
+            ).is_valid()
+        )