core: app entitlements (#12090)

* core: initial app entitlements Signed-off-by: Jens Langhammer <jens@goauthentik.io> * base off of pbm Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests and oauth2 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add to proxy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rewrite to use bindings Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make policy bindings form and list more customizable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * double fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * refine permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add missing rbac modal to app entitlements Signed-off-by: Jens Langhammer <jens@goauthentik.io> * separate scope for app entitlements Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include entitlements mapping in proxy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add API validation to prevent policies from being bound to entitlements Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make preview Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add initial docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove duplicate docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-12-18 14:32:44 +01:00
parent 675a4a6788
commit 40a7135c0c
39 changed files with 1246 additions and 94 deletions
--- a/website/docs/add-secure-apps/providers/proxy/_caddy_standalone.md
+++ b/website/docs/add-secure-apps/providers/proxy/_caddy_standalone.md
@ -12,7 +12,7 @@ app.company {
            uri /outpost.goauthentik.io/auth/caddy

            # capitalization of the headers is important, otherwise they will be empty
-            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # optional, in this config trust all private ranges, should probably be set to the outposts IP
            trusted_proxies private_ranges
--- a/website/docs/add-secure-apps/providers/proxy/_nginx_ingress.md
+++ b/website/docs/add-secure-apps/providers/proxy/_nginx_ingress.md
@ -40,7 +40,7 @@ metadata:
        nginx.ingress.kubernetes.io/auth-signin: |-
            https://app.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri
        nginx.ingress.kubernetes.io/auth-response-headers: |-
-            Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+            Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid
        nginx.ingress.kubernetes.io/auth-snippet: |
            proxy_set_header X-Forwarded-Host $http_host;
 ```
--- a/website/docs/add-secure-apps/providers/proxy/_nginx_proxy_manager.md
+++ b/website/docs/add-secure-apps/providers/proxy/_nginx_proxy_manager.md
@ -26,12 +26,14 @@ location / {
    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
+    proxy_set_header X-authentik-entitlements $authentik_entitlements;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
--- a/website/docs/add-secure-apps/providers/proxy/_nginx_standalone.md
+++ b/website/docs/add-secure-apps/providers/proxy/_nginx_standalone.md
@ -39,12 +39,14 @@ server {
        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+        auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
+        proxy_set_header X-authentik-entitlements $authentik_entitlements;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;
--- a/website/docs/add-secure-apps/providers/proxy/_traefik_compose.md
+++ b/website/docs/add-secure-apps/providers/proxy/_traefik_compose.md
@ -32,7 +32,7 @@ services:
            # `authentik-proxy` refers to the service name in the compose file.
            traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
            traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
-            traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+            traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
        restart: unless-stopped

    whoami:
--- a/website/docs/add-secure-apps/providers/proxy/_traefik_ingress.md
+++ b/website/docs/add-secure-apps/providers/proxy/_traefik_ingress.md
@ -13,6 +13,7 @@ spec:
        authResponseHeaders:
            - X-authentik-username
            - X-authentik-groups
+            - X-authentik-entitlements
            - X-authentik-email
            - X-authentik-name
            - X-authentik-uid
--- a/website/docs/add-secure-apps/providers/proxy/_traefik_standalone.md
+++ b/website/docs/add-secure-apps/providers/proxy/_traefik_standalone.md
@ -8,6 +8,7 @@ http:
                authResponseHeaders:
                    - X-authentik-username
                    - X-authentik-groups
+                    - X-authentik-entitlements
                    - X-authentik-email
                    - X-authentik-name
                    - X-authentik-uid
--- a/website/docs/add-secure-apps/providers/proxy/index.md
+++ b/website/docs/add-secure-apps/providers/proxy/index.md
@ -36,6 +36,12 @@ Example value: `foo|bar|baz`

 The groups the user is member of, separated by a pipe

+### `X-authentik-entitlements`
+
+Example value: `foo|bar|baz`
+
+The entitlements on the application this user has access to, separated by a pipe
+
 ### `X-authentik-email`

 Example value: `root@localhost`