Merge branch 'main' into web/update-provider-forms-for-invalidation
* main: (142 commits) core: bump goauthentik.io/api/v3 from 3.2024102.2 to 3.2024104.1 (#12149) core: bump debugpy from 1.8.8 to 1.8.9 (#12150) core: bump webauthn from 2.2.0 to 2.3.0 (#12151) core: bump pydantic from 2.10.0 to 2.10.1 (#12152) translate: Updates for file web/xliff/en.xlf in zh_CN (#12156) translate: Updates for file web/xliff/en.xlf in zh-Hans (#12157) core: bump sentry-sdk from 2.18.0 to 2.19.0 (#12153) web: bump API Client version (#12147) root: Backport version change (#12146) website/docs: update info about footer links to match new UI (#12120) website/docs: prepare release notes (#12142) providers/oauth2: fix migration (#12138) providers/oauth2: fix migration dependencies (#12123) web: bump API Client version (#12129) providers/oauth2: fix redirect uri input (#12122) providers/proxy: fix redirect_uri (#12121) website/docs: prepare release notes (#12119) web: bump API Client version (#12118) security: fix CVE 2024 52289 (#12113) security: fix CVE 2024 52307 (#12115) ...
This commit is contained in:
Ken Sternberg
@ -1,5 +1,5 @@
|
|||||||
[bumpversion]
|
[bumpversion]
|
||||||
current_version = 2024.10.0
|
current_version = 2024.10.4
|
||||||
tag = True
|
tag = True
|
||||||
commit = True
|
commit = True
|
||||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
|
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
|
||||||
|
|||||||
6
.github/workflows/ci-main.yml
vendored
6
.github/workflows/ci-main.yml
vendored
@ -116,7 +116,7 @@ jobs:
|
|||||||
poetry run make test
|
poetry run make test
|
||||||
poetry run coverage xml
|
poetry run coverage xml
|
||||||
- if: ${{ always() }}
|
- if: ${{ always() }}
|
||||||
uses: codecov/codecov-action@v4
|
uses: codecov/codecov-action@v5
|
||||||
with:
|
with:
|
||||||
flags: unit
|
flags: unit
|
||||||
token: ${{ secrets.CODECOV_TOKEN }}
|
token: ${{ secrets.CODECOV_TOKEN }}
|
||||||
@ -140,7 +140,7 @@ jobs:
|
|||||||
poetry run coverage run manage.py test tests/integration
|
poetry run coverage run manage.py test tests/integration
|
||||||
poetry run coverage xml
|
poetry run coverage xml
|
||||||
- if: ${{ always() }}
|
- if: ${{ always() }}
|
||||||
uses: codecov/codecov-action@v4
|
uses: codecov/codecov-action@v5
|
||||||
with:
|
with:
|
||||||
flags: integration
|
flags: integration
|
||||||
token: ${{ secrets.CODECOV_TOKEN }}
|
token: ${{ secrets.CODECOV_TOKEN }}
|
||||||
@ -198,7 +198,7 @@ jobs:
|
|||||||
poetry run coverage run manage.py test ${{ matrix.job.glob }}
|
poetry run coverage run manage.py test ${{ matrix.job.glob }}
|
||||||
poetry run coverage xml
|
poetry run coverage xml
|
||||||
- if: ${{ always() }}
|
- if: ${{ always() }}
|
||||||
uses: codecov/codecov-action@v4
|
uses: codecov/codecov-action@v5
|
||||||
with:
|
with:
|
||||||
flags: e2e
|
flags: e2e
|
||||||
token: ${{ secrets.CODECOV_TOKEN }}
|
token: ${{ secrets.CODECOV_TOKEN }}
|
||||||
|
|||||||
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
|
|||||||
go build -o /go/authentik ./cmd/server
|
go build -o /go/authentik ./cmd/server
|
||||||
|
|
||||||
# Stage 4: MaxMind GeoIP
|
# Stage 4: MaxMind GeoIP
|
||||||
FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
|
FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
|
||||||
|
|
||||||
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
|
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
|
||||||
ENV GEOIPUPDATE_VERBOSE="1"
|
ENV GEOIPUPDATE_VERBOSE="1"
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
from os import environ
|
from os import environ
|
||||||
|
|
||||||
__version__ = "2024.10.0"
|
__version__ = "2024.10.4"
|
||||||
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
|
|||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
|
<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
|
||||||
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
|
||||||
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|||||||
@ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable:
|
|||||||
base = Path("blueprints/")
|
base = Path("blueprints/")
|
||||||
rel_path = Path(file_name).relative_to(base)
|
rel_path = Path(file_name).relative_to(base)
|
||||||
importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
|
importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
|
||||||
self.assertTrue(importer.validate()[0])
|
validation, logs = importer.validate()
|
||||||
|
self.assertTrue(validation, logs)
|
||||||
self.assertTrue(importer.apply())
|
self.assertTrue(importer.apply())
|
||||||
|
|
||||||
return tester
|
return tester
|
||||||
|
|||||||
@ -293,7 +293,11 @@ class Importer:
|
|||||||
|
|
||||||
serializer_kwargs = {}
|
serializer_kwargs = {}
|
||||||
model_instance = existing_models.first()
|
model_instance = existing_models.first()
|
||||||
if not isinstance(model(), BaseMetaModel) and model_instance:
|
if (
|
||||||
|
not isinstance(model(), BaseMetaModel)
|
||||||
|
and model_instance
|
||||||
|
and entry.state != BlueprintEntryDesiredState.MUST_CREATED
|
||||||
|
):
|
||||||
self.logger.debug(
|
self.logger.debug(
|
||||||
"Initialise serializer with instance",
|
"Initialise serializer with instance",
|
||||||
model=model,
|
model=model,
|
||||||
@ -303,11 +307,12 @@ class Importer:
|
|||||||
serializer_kwargs["instance"] = model_instance
|
serializer_kwargs["instance"] = model_instance
|
||||||
serializer_kwargs["partial"] = True
|
serializer_kwargs["partial"] = True
|
||||||
elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
|
elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
|
||||||
|
msg = (
|
||||||
|
f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
|
||||||
|
"and object exists already",
|
||||||
|
)
|
||||||
raise EntryInvalidError.from_entry(
|
raise EntryInvalidError.from_entry(
|
||||||
(
|
ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
|
||||||
f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
|
|
||||||
"and object exists already",
|
|
||||||
),
|
|
||||||
entry,
|
entry,
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
|
|||||||
@ -4,7 +4,7 @@ from collections.abc import Callable
|
|||||||
|
|
||||||
from django.http.request import HttpRequest
|
from django.http.request import HttpRequest
|
||||||
from django.http.response import HttpResponse
|
from django.http.response import HttpResponse
|
||||||
from django.utils.translation import activate
|
from django.utils.translation import override
|
||||||
|
|
||||||
from authentik.brands.utils import get_brand_for_request
|
from authentik.brands.utils import get_brand_for_request
|
||||||
|
|
||||||
@ -18,10 +18,12 @@ class BrandMiddleware:
|
|||||||
self.get_response = get_response
|
self.get_response = get_response
|
||||||
|
|
||||||
def __call__(self, request: HttpRequest) -> HttpResponse:
|
def __call__(self, request: HttpRequest) -> HttpResponse:
|
||||||
|
locale_to_set = None
|
||||||
if not hasattr(request, "brand"):
|
if not hasattr(request, "brand"):
|
||||||
brand = get_brand_for_request(request)
|
brand = get_brand_for_request(request)
|
||||||
request.brand = brand
|
request.brand = brand
|
||||||
locale = brand.default_locale
|
locale = brand.default_locale
|
||||||
if locale != "":
|
if locale != "":
|
||||||
activate(locale)
|
locale_to_set = locale
|
||||||
return self.get_response(request)
|
with override(locale_to_set):
|
||||||
|
return self.get_response(request)
|
||||||
|
|||||||
@ -1,5 +1,6 @@
|
|||||||
"""Authenticator Devices API Views"""
|
"""Authenticator Devices API Views"""
|
||||||
|
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
from drf_spectacular.types import OpenApiTypes
|
from drf_spectacular.types import OpenApiTypes
|
||||||
from drf_spectacular.utils import OpenApiParameter, extend_schema
|
from drf_spectacular.utils import OpenApiParameter, extend_schema
|
||||||
from rest_framework.fields import (
|
from rest_framework.fields import (
|
||||||
@ -40,7 +41,11 @@ class DeviceSerializer(MetaNameSerializer):
|
|||||||
def get_extra_description(self, instance: Device) -> str:
|
def get_extra_description(self, instance: Device) -> str:
|
||||||
"""Get extra description"""
|
"""Get extra description"""
|
||||||
if isinstance(instance, WebAuthnDevice):
|
if isinstance(instance, WebAuthnDevice):
|
||||||
return instance.device_type.description
|
return (
|
||||||
|
instance.device_type.description
|
||||||
|
if instance.device_type
|
||||||
|
else _("Extra description not available")
|
||||||
|
)
|
||||||
if isinstance(instance, EndpointDevice):
|
if isinstance(instance, EndpointDevice):
|
||||||
return instance.data.get("deviceSignals", {}).get("deviceModel")
|
return instance.data.get("deviceSignals", {}).get("deviceModel")
|
||||||
return ""
|
return ""
|
||||||
|
|||||||
@ -1,10 +1,12 @@
|
|||||||
"""transactional application and provider creation"""
|
"""transactional application and provider creation"""
|
||||||
|
|
||||||
from django.apps import apps
|
from django.apps import apps
|
||||||
|
from django.db.models import Model
|
||||||
|
from django.utils.translation import gettext as _
|
||||||
from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
|
from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import PermissionDenied, ValidationError
|
||||||
from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
|
from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
|
||||||
from rest_framework.permissions import IsAdminUser
|
from rest_framework.permissions import IsAuthenticated
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
from rest_framework.views import APIView
|
from rest_framework.views import APIView
|
||||||
@ -22,6 +24,7 @@ from authentik.core.api.applications import ApplicationSerializer
|
|||||||
from authentik.core.api.utils import PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.core.models import Provider
|
from authentik.core.models import Provider
|
||||||
from authentik.lib.utils.reflection import all_subclasses
|
from authentik.lib.utils.reflection import all_subclasses
|
||||||
|
from authentik.policies.api.bindings import PolicyBindingSerializer
|
||||||
|
|
||||||
|
|
||||||
def get_provider_serializer_mapping():
|
def get_provider_serializer_mapping():
|
||||||
@ -45,6 +48,13 @@ class TransactionProviderField(DictField):
|
|||||||
"""Dictionary field which can hold provider creation data"""
|
"""Dictionary field which can hold provider creation data"""
|
||||||
|
|
||||||
|
|
||||||
|
class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
|
||||||
|
"""PolicyBindingSerializer which does not require target as target is set implicitly"""
|
||||||
|
|
||||||
|
class Meta(PolicyBindingSerializer.Meta):
|
||||||
|
fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
|
||||||
|
|
||||||
|
|
||||||
class TransactionApplicationSerializer(PassiveSerializer):
|
class TransactionApplicationSerializer(PassiveSerializer):
|
||||||
"""Serializer for creating a provider and an application in one transaction"""
|
"""Serializer for creating a provider and an application in one transaction"""
|
||||||
|
|
||||||
@ -52,6 +62,8 @@ class TransactionApplicationSerializer(PassiveSerializer):
|
|||||||
provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
|
provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
|
||||||
provider = TransactionProviderField()
|
provider = TransactionProviderField()
|
||||||
|
|
||||||
|
policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
|
||||||
|
|
||||||
_provider_model: type[Provider] = None
|
_provider_model: type[Provider] = None
|
||||||
|
|
||||||
def validate_provider_model(self, fq_model_name: str) -> str:
|
def validate_provider_model(self, fq_model_name: str) -> str:
|
||||||
@ -96,6 +108,19 @@ class TransactionApplicationSerializer(PassiveSerializer):
|
|||||||
id="app",
|
id="app",
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
for binding in attrs.get("policy_bindings", []):
|
||||||
|
binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
|
||||||
|
for key, value in binding.items():
|
||||||
|
if not isinstance(value, Model):
|
||||||
|
continue
|
||||||
|
binding[key] = value.pk
|
||||||
|
blueprint.entries.append(
|
||||||
|
BlueprintEntry(
|
||||||
|
model="authentik_policies.policybinding",
|
||||||
|
state=BlueprintEntryDesiredState.MUST_CREATED,
|
||||||
|
identifiers=binding,
|
||||||
|
)
|
||||||
|
)
|
||||||
importer = Importer(blueprint, {})
|
importer = Importer(blueprint, {})
|
||||||
try:
|
try:
|
||||||
valid, _ = importer.validate(raise_validation_errors=True)
|
valid, _ = importer.validate(raise_validation_errors=True)
|
||||||
@ -120,8 +145,7 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
|
|||||||
class TransactionalApplicationView(APIView):
|
class TransactionalApplicationView(APIView):
|
||||||
"""Create provider and application and attach them in a single transaction"""
|
"""Create provider and application and attach them in a single transaction"""
|
||||||
|
|
||||||
# TODO: Migrate to a more specific permission
|
permission_classes = [IsAuthenticated]
|
||||||
permission_classes = [IsAdminUser]
|
|
||||||
|
|
||||||
@extend_schema(
|
@extend_schema(
|
||||||
request=TransactionApplicationSerializer(),
|
request=TransactionApplicationSerializer(),
|
||||||
@ -133,8 +157,23 @@ class TransactionalApplicationView(APIView):
|
|||||||
"""Convert data into a blueprint, validate it and apply it"""
|
"""Convert data into a blueprint, validate it and apply it"""
|
||||||
data = TransactionApplicationSerializer(data=request.data)
|
data = TransactionApplicationSerializer(data=request.data)
|
||||||
data.is_valid(raise_exception=True)
|
data.is_valid(raise_exception=True)
|
||||||
|
blueprint: Blueprint = data.validated_data
|
||||||
importer = Importer(data.validated_data, {})
|
for entry in blueprint.entries:
|
||||||
|
full_model = entry.get_model(blueprint)
|
||||||
|
app, __, model = full_model.partition(".")
|
||||||
|
if not request.user.has_perm(f"{app}.add_{model}"):
|
||||||
|
raise PermissionDenied(
|
||||||
|
{
|
||||||
|
entry.id: _(
|
||||||
|
"User lacks permission to create {model}".format_map(
|
||||||
|
{
|
||||||
|
"model": full_model,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
)
|
||||||
|
importer = Importer(blueprint, {})
|
||||||
applied = importer.apply()
|
applied = importer.apply()
|
||||||
response = {"applied": False, "logs": []}
|
response = {"applied": False, "logs": []}
|
||||||
response["applied"] = applied
|
response["applied"] = applied
|
||||||
|
|||||||
@ -666,7 +666,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
|
|||||||
|
|
||||||
@permission_required("authentik_core.impersonate")
|
@permission_required("authentik_core.impersonate")
|
||||||
@extend_schema(
|
@extend_schema(
|
||||||
request=OpenApiTypes.NONE,
|
request=inline_serializer(
|
||||||
|
"ImpersonationSerializer",
|
||||||
|
{
|
||||||
|
"reason": CharField(required=True),
|
||||||
|
},
|
||||||
|
),
|
||||||
responses={
|
responses={
|
||||||
"204": OpenApiResponse(description="Successfully started impersonation"),
|
"204": OpenApiResponse(description="Successfully started impersonation"),
|
||||||
"401": OpenApiResponse(description="Access denied"),
|
"401": OpenApiResponse(description="Access denied"),
|
||||||
@ -679,6 +684,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
|
|||||||
LOGGER.debug("User attempted to impersonate", user=request.user)
|
LOGGER.debug("User attempted to impersonate", user=request.user)
|
||||||
return Response(status=401)
|
return Response(status=401)
|
||||||
user_to_be = self.get_object()
|
user_to_be = self.get_object()
|
||||||
|
reason = request.data.get("reason", "")
|
||||||
# Check both object-level perms and global perms
|
# Check both object-level perms and global perms
|
||||||
if not request.user.has_perm(
|
if not request.user.has_perm(
|
||||||
"authentik_core.impersonate", user_to_be
|
"authentik_core.impersonate", user_to_be
|
||||||
@ -688,11 +694,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
|
|||||||
if user_to_be.pk == self.request.user.pk:
|
if user_to_be.pk == self.request.user.pk:
|
||||||
LOGGER.debug("User attempted to impersonate themselves", user=request.user)
|
LOGGER.debug("User attempted to impersonate themselves", user=request.user)
|
||||||
return Response(status=401)
|
return Response(status=401)
|
||||||
|
if not reason and request.tenant.impersonation_require_reason:
|
||||||
|
LOGGER.debug(
|
||||||
|
"User attempted to impersonate without providing a reason", user=request.user
|
||||||
|
)
|
||||||
|
return Response(status=401)
|
||||||
|
|
||||||
request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
|
request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
|
||||||
request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
|
request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
|
||||||
|
|
||||||
Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
|
Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
|
||||||
|
|
||||||
return Response(status=201)
|
return Response(status=201)
|
||||||
|
|
||||||
|
|||||||
@ -5,7 +5,7 @@ from contextvars import ContextVar
|
|||||||
from uuid import uuid4
|
from uuid import uuid4
|
||||||
|
|
||||||
from django.http import HttpRequest, HttpResponse
|
from django.http import HttpRequest, HttpResponse
|
||||||
from django.utils.translation import activate
|
from django.utils.translation import override
|
||||||
from sentry_sdk.api import set_tag
|
from sentry_sdk.api import set_tag
|
||||||
from structlog.contextvars import STRUCTLOG_KEY_PREFIX
|
from structlog.contextvars import STRUCTLOG_KEY_PREFIX
|
||||||
|
|
||||||
@ -31,17 +31,19 @@ class ImpersonateMiddleware:
|
|||||||
def __call__(self, request: HttpRequest) -> HttpResponse:
|
def __call__(self, request: HttpRequest) -> HttpResponse:
|
||||||
# No permission checks are done here, they need to be checked before
|
# No permission checks are done here, they need to be checked before
|
||||||
# SESSION_KEY_IMPERSONATE_USER is set.
|
# SESSION_KEY_IMPERSONATE_USER is set.
|
||||||
|
locale_to_set = None
|
||||||
if request.user.is_authenticated:
|
if request.user.is_authenticated:
|
||||||
locale = request.user.locale(request)
|
locale = request.user.locale(request)
|
||||||
if locale != "":
|
if locale != "":
|
||||||
activate(locale)
|
locale_to_set = locale
|
||||||
|
|
||||||
if SESSION_KEY_IMPERSONATE_USER in request.session:
|
if SESSION_KEY_IMPERSONATE_USER in request.session:
|
||||||
request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
|
request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
|
||||||
# Ensure that the user is active, otherwise nothing will work
|
# Ensure that the user is active, otherwise nothing will work
|
||||||
request.user.is_active = True
|
request.user.is_active = True
|
||||||
|
|
||||||
return self.get_response(request)
|
with override(locale_to_set):
|
||||||
|
return self.get_response(request)
|
||||||
|
|
||||||
|
|
||||||
class RequestIDMiddleware:
|
class RequestIDMiddleware:
|
||||||
|
|||||||
@ -129,6 +129,11 @@ class SourceFlowManager:
|
|||||||
)
|
)
|
||||||
new_connection.user = self.request.user
|
new_connection.user = self.request.user
|
||||||
new_connection = self.update_user_connection(new_connection, **kwargs)
|
new_connection = self.update_user_connection(new_connection, **kwargs)
|
||||||
|
if existing := self.user_connection_type.objects.filter(
|
||||||
|
source=self.source, identifier=self.identifier
|
||||||
|
).first():
|
||||||
|
existing = self.update_user_connection(existing)
|
||||||
|
return Action.AUTH, existing
|
||||||
return Action.LINK, new_connection
|
return Action.LINK, new_connection
|
||||||
|
|
||||||
action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
|
action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
|
||||||
|
|||||||
@ -15,8 +15,8 @@
|
|||||||
{% endblock %}
|
{% endblock %}
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
|
||||||
{% versioned_script "dist/poly-%v.js" %}
|
<script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
|
||||||
{% versioned_script "dist/standalone/loading/index-%v.js" %}
|
<script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
<meta name="sentry-trace" content="{{ sentry_trace }}" />
|
<meta name="sentry-trace" content="{{ sentry_trace }}" />
|
||||||
|
|||||||
@ -3,7 +3,7 @@
|
|||||||
{% load authentik_core %}
|
{% load authentik_core %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/admin/AdminInterface-%v.js" %}
|
<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
|
||||||
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
||||||
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
||||||
{% include "base/header_js.html" %}
|
{% include "base/header_js.html" %}
|
||||||
|
|||||||
@ -3,7 +3,7 @@
|
|||||||
{% load authentik_core %}
|
{% load authentik_core %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/user/UserInterface-%v.js" %}
|
<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
|
||||||
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
|
||||||
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
|
||||||
{% include "base/header_js.html" %}
|
{% include "base/header_js.html" %}
|
||||||
|
|||||||
@ -2,7 +2,6 @@
|
|||||||
|
|
||||||
from django import template
|
from django import template
|
||||||
from django.templatetags.static import static as static_loader
|
from django.templatetags.static import static as static_loader
|
||||||
from django.utils.safestring import mark_safe
|
|
||||||
|
|
||||||
from authentik import get_full_version
|
from authentik import get_full_version
|
||||||
|
|
||||||
@ -12,10 +11,4 @@ register = template.Library()
|
|||||||
@register.simple_tag()
|
@register.simple_tag()
|
||||||
def versioned_script(path: str) -> str:
|
def versioned_script(path: str) -> str:
|
||||||
"""Wrapper around {% static %} tag that supports setting the version"""
|
"""Wrapper around {% static %} tag that supports setting the version"""
|
||||||
returned_lines = [
|
return static_loader(path.replace("%v", get_full_version()))
|
||||||
(
|
|
||||||
f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
|
|
||||||
'" type="module"></script>'
|
|
||||||
),
|
|
||||||
]
|
|
||||||
return mark_safe("".join(returned_lines)) # nosec
|
|
||||||
|
|||||||
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
|||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.policies.dummy.models import DummyPolicy
|
from authentik.policies.dummy.models import DummyPolicy
|
||||||
from authentik.policies.models import PolicyBinding
|
from authentik.policies.models import PolicyBinding
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider
|
from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
|
||||||
from authentik.providers.proxy.models import ProxyProvider
|
from authentik.providers.proxy.models import ProxyProvider
|
||||||
from authentik.providers.saml.models import SAMLProvider
|
from authentik.providers.saml.models import SAMLProvider
|
||||||
|
|
||||||
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
|
|||||||
self.user = create_test_admin_user()
|
self.user = create_test_admin_user()
|
||||||
self.provider = OAuth2Provider.objects.create(
|
self.provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
redirect_uris="http://some-other-domain",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
)
|
)
|
||||||
self.allowed: Application = Application.objects.create(
|
self.allowed: Application = Application.objects.create(
|
||||||
|
|||||||
@ -29,7 +29,8 @@ class TestImpersonation(APITestCase):
|
|||||||
reverse(
|
reverse(
|
||||||
"authentik_api:user-impersonate",
|
"authentik_api:user-impersonate",
|
||||||
kwargs={"pk": self.other_user.pk},
|
kwargs={"pk": self.other_user.pk},
|
||||||
)
|
),
|
||||||
|
data={"reason": "some reason"},
|
||||||
)
|
)
|
||||||
|
|
||||||
response = self.client.get(reverse("authentik_api:user-me"))
|
response = self.client.get(reverse("authentik_api:user-me"))
|
||||||
@ -55,7 +56,8 @@ class TestImpersonation(APITestCase):
|
|||||||
reverse(
|
reverse(
|
||||||
"authentik_api:user-impersonate",
|
"authentik_api:user-impersonate",
|
||||||
kwargs={"pk": self.other_user.pk},
|
kwargs={"pk": self.other_user.pk},
|
||||||
)
|
),
|
||||||
|
data={"reason": "some reason"},
|
||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 201)
|
self.assertEqual(response.status_code, 201)
|
||||||
|
|
||||||
@ -75,7 +77,8 @@ class TestImpersonation(APITestCase):
|
|||||||
reverse(
|
reverse(
|
||||||
"authentik_api:user-impersonate",
|
"authentik_api:user-impersonate",
|
||||||
kwargs={"pk": self.other_user.pk},
|
kwargs={"pk": self.other_user.pk},
|
||||||
)
|
),
|
||||||
|
data={"reason": "some reason"},
|
||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 201)
|
self.assertEqual(response.status_code, 201)
|
||||||
|
|
||||||
@ -89,7 +92,8 @@ class TestImpersonation(APITestCase):
|
|||||||
self.client.force_login(self.other_user)
|
self.client.force_login(self.other_user)
|
||||||
|
|
||||||
response = self.client.post(
|
response = self.client.post(
|
||||||
reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
|
reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
|
||||||
|
data={"reason": "some reason"},
|
||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 403)
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
@ -105,7 +109,8 @@ class TestImpersonation(APITestCase):
|
|||||||
self.client.force_login(self.user)
|
self.client.force_login(self.user)
|
||||||
|
|
||||||
response = self.client.post(
|
response = self.client.post(
|
||||||
reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
|
reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
|
||||||
|
data={"reason": "some reason"},
|
||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 401)
|
self.assertEqual(response.status_code, 401)
|
||||||
|
|
||||||
@ -118,7 +123,22 @@ class TestImpersonation(APITestCase):
|
|||||||
self.client.force_login(self.user)
|
self.client.force_login(self.user)
|
||||||
|
|
||||||
response = self.client.post(
|
response = self.client.post(
|
||||||
reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
|
reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
|
||||||
|
data={"reason": "some reason"},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 401)
|
||||||
|
|
||||||
|
response = self.client.get(reverse("authentik_api:user-me"))
|
||||||
|
response_body = loads(response.content.decode())
|
||||||
|
self.assertEqual(response_body["user"]["username"], self.user.username)
|
||||||
|
|
||||||
|
def test_impersonate_reason_required(self):
|
||||||
|
"""test impersonation that user must provide reason"""
|
||||||
|
self.client.force_login(self.user)
|
||||||
|
|
||||||
|
response = self.client.post(
|
||||||
|
reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
|
||||||
|
data={"reason": ""},
|
||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 401)
|
self.assertEqual(response.status_code, 401)
|
||||||
|
|
||||||
|
|||||||
@ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase):
|
|||||||
reverse("authentik_core:if-user") + "#/settings;page-sources",
|
reverse("authentik_core:if-user") + "#/settings;page-sources",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_authenticated_auth(self):
|
||||||
|
"""Test authenticated user linking"""
|
||||||
|
user = User.objects.create(username="foo", email="foo@bar.baz")
|
||||||
|
UserOAuthSourceConnection.objects.create(
|
||||||
|
user=user, source=self.source, identifier=self.identifier
|
||||||
|
)
|
||||||
|
request = get_request("/", user=user)
|
||||||
|
flow_manager = OAuthSourceFlowManager(
|
||||||
|
self.source, request, self.identifier, {"info": {}}, {}
|
||||||
|
)
|
||||||
|
action, connection = flow_manager.get_action()
|
||||||
|
self.assertEqual(action, Action.AUTH)
|
||||||
|
self.assertIsNotNone(connection.pk)
|
||||||
|
response = flow_manager.get_flow()
|
||||||
|
self.assertEqual(response.status_code, 302)
|
||||||
|
|
||||||
def test_unauthenticated_link(self):
|
def test_unauthenticated_link(self):
|
||||||
"""Test un-authenticated user linking"""
|
"""Test un-authenticated user linking"""
|
||||||
flow_manager = OAuthSourceFlowManager(
|
flow_manager = OAuthSourceFlowManager(
|
||||||
|
|||||||
@ -1,11 +1,13 @@
|
|||||||
"""Test Transactional API"""
|
"""Test Transactional API"""
|
||||||
|
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
|
from guardian.shortcuts import assign_perm
|
||||||
from rest_framework.test import APITestCase
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
from authentik.core.models import Application
|
from authentik.core.models import Application, Group
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
from authentik.core.tests.utils import create_test_flow, create_test_user
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.policies.models import PolicyBinding
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider
|
from authentik.providers.oauth2.models import OAuth2Provider
|
||||||
|
|
||||||
|
|
||||||
@ -13,7 +15,9 @@ class TestTransactionalApplicationsAPI(APITestCase):
|
|||||||
"""Test Transactional API"""
|
"""Test Transactional API"""
|
||||||
|
|
||||||
def setUp(self) -> None:
|
def setUp(self) -> None:
|
||||||
self.user = create_test_admin_user()
|
self.user = create_test_user()
|
||||||
|
assign_perm("authentik_core.add_application", self.user)
|
||||||
|
assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
|
||||||
|
|
||||||
def test_create_transactional(self):
|
def test_create_transactional(self):
|
||||||
"""Test transactional Application + provider creation"""
|
"""Test transactional Application + provider creation"""
|
||||||
@ -31,6 +35,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
|
|||||||
"name": uid,
|
"name": uid,
|
||||||
"authorization_flow": str(create_test_flow().pk),
|
"authorization_flow": str(create_test_flow().pk),
|
||||||
"invalidation_flow": str(create_test_flow().pk),
|
"invalidation_flow": str(create_test_flow().pk),
|
||||||
|
"redirect_uris": [],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
@ -41,6 +46,66 @@ class TestTransactionalApplicationsAPI(APITestCase):
|
|||||||
self.assertIsNotNone(app)
|
self.assertIsNotNone(app)
|
||||||
self.assertEqual(app.provider.pk, provider.pk)
|
self.assertEqual(app.provider.pk, provider.pk)
|
||||||
|
|
||||||
|
def test_create_transactional_permission_denied(self):
|
||||||
|
"""Test transactional Application + provider creation (missing permissions)"""
|
||||||
|
self.client.force_login(self.user)
|
||||||
|
uid = generate_id()
|
||||||
|
response = self.client.put(
|
||||||
|
reverse("authentik_api:core-transactional-application"),
|
||||||
|
data={
|
||||||
|
"app": {
|
||||||
|
"name": uid,
|
||||||
|
"slug": uid,
|
||||||
|
},
|
||||||
|
"provider_model": "authentik_providers_saml.samlprovider",
|
||||||
|
"provider": {
|
||||||
|
"name": uid,
|
||||||
|
"authorization_flow": str(create_test_flow().pk),
|
||||||
|
"invalidation_flow": str(create_test_flow().pk),
|
||||||
|
"acs_url": "https://goauthentik.io",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertJSONEqual(
|
||||||
|
response.content.decode(),
|
||||||
|
{"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_create_transactional_bindings(self):
|
||||||
|
"""Test transactional Application + provider creation"""
|
||||||
|
assign_perm("authentik_policies.add_policybinding", self.user)
|
||||||
|
self.client.force_login(self.user)
|
||||||
|
uid = generate_id()
|
||||||
|
group = Group.objects.create(name=generate_id())
|
||||||
|
authorization_flow = create_test_flow()
|
||||||
|
response = self.client.put(
|
||||||
|
reverse("authentik_api:core-transactional-application"),
|
||||||
|
data={
|
||||||
|
"app": {
|
||||||
|
"name": uid,
|
||||||
|
"slug": uid,
|
||||||
|
},
|
||||||
|
"provider_model": "authentik_providers_oauth2.oauth2provider",
|
||||||
|
"provider": {
|
||||||
|
"name": uid,
|
||||||
|
"authorization_flow": str(authorization_flow.pk),
|
||||||
|
"invalidation_flow": str(authorization_flow.pk),
|
||||||
|
"redirect_uris": [],
|
||||||
|
},
|
||||||
|
"policy_bindings": [{"group": group.pk, "order": 0}],
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
|
||||||
|
provider = OAuth2Provider.objects.filter(name=uid).first()
|
||||||
|
self.assertIsNotNone(provider)
|
||||||
|
app = Application.objects.filter(slug=uid).first()
|
||||||
|
self.assertIsNotNone(app)
|
||||||
|
self.assertEqual(app.provider.pk, provider.pk)
|
||||||
|
binding = PolicyBinding.objects.filter(target=app).first()
|
||||||
|
self.assertIsNotNone(binding)
|
||||||
|
self.assertEqual(binding.target, app)
|
||||||
|
self.assertEqual(binding.group, group)
|
||||||
|
|
||||||
def test_create_transactional_invalid(self):
|
def test_create_transactional_invalid(self):
|
||||||
"""Test transactional Application + provider creation"""
|
"""Test transactional Application + provider creation"""
|
||||||
self.client.force_login(self.user)
|
self.client.force_login(self.user)
|
||||||
@ -57,6 +122,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
|
|||||||
"name": uid,
|
"name": uid,
|
||||||
"authorization_flow": "",
|
"authorization_flow": "",
|
||||||
"invalidation_flow": "",
|
"invalidation_flow": "",
|
||||||
|
"redirect_uris": [],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
@ -69,3 +135,32 @@ class TestTransactionalApplicationsAPI(APITestCase):
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_create_transactional_duplicate_name_provider(self):
|
||||||
|
"""Test transactional Application + provider creation"""
|
||||||
|
self.client.force_login(self.user)
|
||||||
|
uid = generate_id()
|
||||||
|
OAuth2Provider.objects.create(
|
||||||
|
name=uid,
|
||||||
|
authorization_flow=create_test_flow(),
|
||||||
|
invalidation_flow=create_test_flow(),
|
||||||
|
)
|
||||||
|
response = self.client.put(
|
||||||
|
reverse("authentik_api:core-transactional-application"),
|
||||||
|
data={
|
||||||
|
"app": {
|
||||||
|
"name": uid,
|
||||||
|
"slug": uid,
|
||||||
|
},
|
||||||
|
"provider_model": "authentik_providers_oauth2.oauth2provider",
|
||||||
|
"provider": {
|
||||||
|
"name": uid,
|
||||||
|
"authorization_flow": str(create_test_flow().pk),
|
||||||
|
"invalidation_flow": str(create_test_flow().pk),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertJSONEqual(
|
||||||
|
response.content.decode(),
|
||||||
|
{"provider": {"name": ["State is set to must_created and object exists already"]}},
|
||||||
|
)
|
||||||
|
|||||||
@ -24,6 +24,7 @@ from rest_framework.fields import (
|
|||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.validators import UniqueValidator
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -181,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer):
|
|||||||
class CertificateGenerationSerializer(PassiveSerializer):
|
class CertificateGenerationSerializer(PassiveSerializer):
|
||||||
"""Certificate generation parameters"""
|
"""Certificate generation parameters"""
|
||||||
|
|
||||||
common_name = CharField()
|
common_name = CharField(
|
||||||
|
validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
|
||||||
|
source="name",
|
||||||
|
)
|
||||||
subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
|
subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
|
||||||
validity_days = IntegerField(initial=365)
|
validity_days = IntegerField(initial=365)
|
||||||
alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
|
alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
|
||||||
@ -242,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
|
|||||||
def generate(self, request: Request) -> Response:
|
def generate(self, request: Request) -> Response:
|
||||||
"""Generate a new, self-signed certificate-key pair"""
|
"""Generate a new, self-signed certificate-key pair"""
|
||||||
data = CertificateGenerationSerializer(data=request.data)
|
data = CertificateGenerationSerializer(data=request.data)
|
||||||
if not data.is_valid():
|
data.is_valid(raise_exception=True)
|
||||||
return Response(data.errors, status=400)
|
|
||||||
raw_san = data.validated_data.get("subject_alt_name", "")
|
raw_san = data.validated_data.get("subject_alt_name", "")
|
||||||
sans = raw_san.split(",") if raw_san != "" else []
|
sans = raw_san.split(",") if raw_san != "" else []
|
||||||
builder = CertificateBuilder(data.validated_data["common_name"])
|
builder = CertificateBuilder(data.validated_data["name"])
|
||||||
builder.alg = data.validated_data["alg"]
|
builder.alg = data.validated_data["alg"]
|
||||||
builder.build(
|
builder.build(
|
||||||
subject_alt_names=sans,
|
subject_alt_names=sans,
|
||||||
|
|||||||
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
|
|||||||
from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
|
from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
|
||||||
from authentik.lib.config import CONFIG
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.lib.generators import generate_id, generate_key
|
from authentik.lib.generators import generate_id, generate_key
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider
|
from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
|
||||||
|
|
||||||
|
|
||||||
class TestCrypto(APITestCase):
|
class TestCrypto(APITestCase):
|
||||||
@ -89,6 +89,17 @@ class TestCrypto(APITestCase):
|
|||||||
self.assertIsInstance(ext[1], DNSName)
|
self.assertIsInstance(ext[1], DNSName)
|
||||||
self.assertEqual(ext[1].value, "baz")
|
self.assertEqual(ext[1].value, "baz")
|
||||||
|
|
||||||
|
def test_builder_api_duplicate(self):
|
||||||
|
"""Test Builder (via API)"""
|
||||||
|
cert = create_test_cert()
|
||||||
|
self.client.force_login(create_test_admin_user())
|
||||||
|
res = self.client.post(
|
||||||
|
reverse("authentik_api:certificatekeypair-generate"),
|
||||||
|
data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
|
||||||
|
)
|
||||||
|
self.assertEqual(res.status_code, 400)
|
||||||
|
self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
|
||||||
|
|
||||||
def test_builder_api_empty_san(self):
|
def test_builder_api_empty_san(self):
|
||||||
"""Test Builder (via API)"""
|
"""Test Builder (via API)"""
|
||||||
self.client.force_login(create_test_admin_user())
|
self.client.force_login(create_test_admin_user())
|
||||||
@ -263,7 +274,7 @@ class TestCrypto(APITestCase):
|
|||||||
client_id="test",
|
client_id="test",
|
||||||
client_secret=generate_key(),
|
client_secret=generate_key(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=keypair,
|
signing_key=keypair,
|
||||||
)
|
)
|
||||||
response = self.client.get(
|
response = self.client.get(
|
||||||
@ -295,7 +306,7 @@ class TestCrypto(APITestCase):
|
|||||||
client_id="test",
|
client_id="test",
|
||||||
client_secret=generate_key(),
|
client_secret=generate_key(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=keypair,
|
signing_key=keypair,
|
||||||
)
|
)
|
||||||
response = self.client.get(
|
response = self.client.get(
|
||||||
|
|||||||
@ -16,13 +16,28 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
|
|||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
model = RACProvider
|
model = RACProvider
|
||||||
fields = ProviderSerializer.Meta.fields + [
|
fields = [
|
||||||
|
"pk",
|
||||||
|
"name",
|
||||||
|
"authentication_flow",
|
||||||
|
"authorization_flow",
|
||||||
|
"property_mappings",
|
||||||
|
"component",
|
||||||
|
"assigned_application_slug",
|
||||||
|
"assigned_application_name",
|
||||||
|
"assigned_backchannel_application_slug",
|
||||||
|
"assigned_backchannel_application_name",
|
||||||
|
"verbose_name",
|
||||||
|
"verbose_name_plural",
|
||||||
|
"meta_model_name",
|
||||||
"settings",
|
"settings",
|
||||||
"outpost_set",
|
"outpost_set",
|
||||||
"connection_expiry",
|
"connection_expiry",
|
||||||
"delete_token_on_disconnect",
|
"delete_token_on_disconnect",
|
||||||
]
|
]
|
||||||
extra_kwargs = ProviderSerializer.Meta.extra_kwargs
|
extra_kwargs = {
|
||||||
|
"authorization_flow": {"required": True, "allow_null": False},
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
class RACProviderViewSet(UsedByMixin, ModelViewSet):
|
class RACProviderViewSet(UsedByMixin, ModelViewSet):
|
||||||
|
|||||||
@ -3,7 +3,7 @@
|
|||||||
{% load authentik_core %}
|
{% load authentik_core %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/enterprise/rac/index-%v.js" %}
|
<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
|
||||||
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
||||||
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
||||||
<link rel="icon" href="{{ tenant.branding_favicon }}">
|
<link rel="icon" href="{{ tenant.branding_favicon }}">
|
||||||
|
|||||||
46
authentik/enterprise/providers/rac/tests/test_api.py
Normal file
46
authentik/enterprise/providers/rac/tests/test_api.py
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
"""Test RAC Provider"""
|
||||||
|
|
||||||
|
from datetime import timedelta
|
||||||
|
from time import mktime
|
||||||
|
from unittest.mock import MagicMock, patch
|
||||||
|
|
||||||
|
from django.urls import reverse
|
||||||
|
from django.utils.timezone import now
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
||||||
|
from authentik.enterprise.license import LicenseKey
|
||||||
|
from authentik.enterprise.models import License
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
|
||||||
|
|
||||||
|
class TestAPI(APITestCase):
|
||||||
|
"""Test Provider API"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
|
||||||
|
@patch(
|
||||||
|
"authentik.enterprise.license.LicenseKey.validate",
|
||||||
|
MagicMock(
|
||||||
|
return_value=LicenseKey(
|
||||||
|
aud="",
|
||||||
|
exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
|
||||||
|
name=generate_id(),
|
||||||
|
internal_users=100,
|
||||||
|
external_users=100,
|
||||||
|
)
|
||||||
|
),
|
||||||
|
)
|
||||||
|
def test_create(self):
|
||||||
|
"""Test creation of RAC Provider"""
|
||||||
|
License.objects.create(key=generate_id())
|
||||||
|
self.client.force_login(self.user)
|
||||||
|
response = self.client.post(
|
||||||
|
reverse("authentik_api:racprovider-list"),
|
||||||
|
data={
|
||||||
|
"name": generate_id(),
|
||||||
|
"authorization_flow": create_test_flow().pk,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 201)
|
||||||
@ -68,7 +68,6 @@ class TestEndpointsAPI(APITestCase):
|
|||||||
"name": self.provider.name,
|
"name": self.provider.name,
|
||||||
"authentication_flow": None,
|
"authentication_flow": None,
|
||||||
"authorization_flow": None,
|
"authorization_flow": None,
|
||||||
"invalidation_flow": None,
|
|
||||||
"property_mappings": [],
|
"property_mappings": [],
|
||||||
"connection_expiry": "hours=8",
|
"connection_expiry": "hours=8",
|
||||||
"delete_token_on_disconnect": False,
|
"delete_token_on_disconnect": False,
|
||||||
@ -121,7 +120,6 @@ class TestEndpointsAPI(APITestCase):
|
|||||||
"name": self.provider.name,
|
"name": self.provider.name,
|
||||||
"authentication_flow": None,
|
"authentication_flow": None,
|
||||||
"authorization_flow": None,
|
"authorization_flow": None,
|
||||||
"invalidation_flow": None,
|
|
||||||
"property_mappings": [],
|
"property_mappings": [],
|
||||||
"component": "ak-provider-rac-form",
|
"component": "ak-provider-rac-form",
|
||||||
"assigned_application_slug": self.app.slug,
|
"assigned_application_slug": self.app.slug,
|
||||||
@ -151,7 +149,6 @@ class TestEndpointsAPI(APITestCase):
|
|||||||
"name": self.provider.name,
|
"name": self.provider.name,
|
||||||
"authentication_flow": None,
|
"authentication_flow": None,
|
||||||
"authorization_flow": None,
|
"authorization_flow": None,
|
||||||
"invalidation_flow": None,
|
|
||||||
"property_mappings": [],
|
"property_mappings": [],
|
||||||
"component": "ak-provider-rac-form",
|
"component": "ak-provider-rac-form",
|
||||||
"assigned_application_slug": self.app.slug,
|
"assigned_application_slug": self.app.slug,
|
||||||
|
|||||||
@ -60,7 +60,7 @@ def default_event_duration():
|
|||||||
"""Default duration an Event is saved.
|
"""Default duration an Event is saved.
|
||||||
This is used as a fallback when no brand is available"""
|
This is used as a fallback when no brand is available"""
|
||||||
try:
|
try:
|
||||||
tenant = get_current_tenant()
|
tenant = get_current_tenant(only=["event_retention"])
|
||||||
return now() + timedelta_from_string(tenant.event_retention)
|
return now() + timedelta_from_string(tenant.event_retention)
|
||||||
except Tenant.DoesNotExist:
|
except Tenant.DoesNotExist:
|
||||||
return now() + timedelta(days=365)
|
return now() + timedelta(days=365)
|
||||||
|
|||||||
@ -18,7 +18,7 @@ window.authentik.flow = {
|
|||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/flow/FlowInterface-%v.js" %}
|
<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
|
||||||
<style>
|
<style>
|
||||||
:root {
|
:root {
|
||||||
--ak-flow-background: url("{{ flow.background_url }}");
|
--ak-flow-background: url("{{ flow.background_url }}");
|
||||||
|
|||||||
@ -89,6 +89,10 @@ class PasswordPolicy(Policy):
|
|||||||
|
|
||||||
def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
|
def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
|
||||||
"""Check static rules"""
|
"""Check static rules"""
|
||||||
|
error_message = self.error_message
|
||||||
|
if error_message == "":
|
||||||
|
error_message = _("Invalid password.")
|
||||||
|
|
||||||
if len(password) < self.length_min:
|
if len(password) < self.length_min:
|
||||||
LOGGER.debug("password failed", check="static", reason="length")
|
LOGGER.debug("password failed", check="static", reason="length")
|
||||||
return PolicyResult(False, self.error_message)
|
return PolicyResult(False, self.error_message)
|
||||||
|
|||||||
@ -159,7 +159,10 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
|
|||||||
access_response = PolicyResult(result.passing)
|
access_response = PolicyResult(result.passing)
|
||||||
response = self.LDAPCheckAccessSerializer(
|
response = self.LDAPCheckAccessSerializer(
|
||||||
instance={
|
instance={
|
||||||
"has_search_permission": request.user.has_perm("search_full_directory", provider),
|
"has_search_permission": (
|
||||||
|
request.user.has_perm("search_full_directory", provider)
|
||||||
|
or request.user.has_perm("authentik_providers_ldap.search_full_directory")
|
||||||
|
),
|
||||||
"access": access_response,
|
"access": access_response,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@ -1,15 +1,18 @@
|
|||||||
"""OAuth2Provider API Views"""
|
"""OAuth2Provider API Views"""
|
||||||
|
|
||||||
from copy import copy
|
from copy import copy
|
||||||
|
from re import compile
|
||||||
|
from re import error as RegexError
|
||||||
|
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
from django.utils import timezone
|
from django.utils import timezone
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
from drf_spectacular.types import OpenApiTypes
|
from drf_spectacular.types import OpenApiTypes
|
||||||
from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
|
from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
|
||||||
from guardian.shortcuts import get_objects_for_user
|
from guardian.shortcuts import get_objects_for_user
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
from rest_framework.fields import CharField
|
from rest_framework.fields import CharField, ChoiceField
|
||||||
from rest_framework.generics import get_object_or_404
|
from rest_framework.generics import get_object_or_404
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
@ -20,13 +23,39 @@ from authentik.core.api.used_by import UsedByMixin
|
|||||||
from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
|
from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
|
||||||
from authentik.core.models import Provider
|
from authentik.core.models import Provider
|
||||||
from authentik.providers.oauth2.id_token import IDToken
|
from authentik.providers.oauth2.id_token import IDToken
|
||||||
from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
AccessToken,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.rbac.decorators import permission_required
|
from authentik.rbac.decorators import permission_required
|
||||||
|
|
||||||
|
|
||||||
|
class RedirectURISerializer(PassiveSerializer):
|
||||||
|
"""A single allowed redirect URI entry"""
|
||||||
|
|
||||||
|
matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
|
||||||
|
url = CharField()
|
||||||
|
|
||||||
|
|
||||||
class OAuth2ProviderSerializer(ProviderSerializer):
|
class OAuth2ProviderSerializer(ProviderSerializer):
|
||||||
"""OAuth2Provider Serializer"""
|
"""OAuth2Provider Serializer"""
|
||||||
|
|
||||||
|
redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
|
||||||
|
|
||||||
|
def validate_redirect_uris(self, data: list) -> list:
|
||||||
|
for entry in data:
|
||||||
|
if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
|
||||||
|
url = entry.get("url")
|
||||||
|
try:
|
||||||
|
compile(url)
|
||||||
|
except RegexError:
|
||||||
|
raise ValidationError(
|
||||||
|
_("Invalid Regex Pattern: {url}".format(url=url))
|
||||||
|
) from None
|
||||||
|
return data
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
model = OAuth2Provider
|
model = OAuth2Provider
|
||||||
fields = ProviderSerializer.Meta.fields + [
|
fields = ProviderSerializer.Meta.fields + [
|
||||||
@ -79,7 +108,6 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
|
|||||||
"refresh_token_validity",
|
"refresh_token_validity",
|
||||||
"include_claims_in_id_token",
|
"include_claims_in_id_token",
|
||||||
"signing_key",
|
"signing_key",
|
||||||
"redirect_uris",
|
|
||||||
"sub_mode",
|
"sub_mode",
|
||||||
"property_mappings",
|
"property_mappings",
|
||||||
"issuer_mode",
|
"issuer_mode",
|
||||||
|
|||||||
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
|
|||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.lib.sentry import SentryIgnoredException
|
from authentik.lib.sentry import SentryIgnoredException
|
||||||
from authentik.lib.views import bad_request_message
|
from authentik.lib.views import bad_request_message
|
||||||
from authentik.providers.oauth2.models import GrantTypes
|
from authentik.providers.oauth2.models import GrantTypes, RedirectURI
|
||||||
|
|
||||||
|
|
||||||
class OAuth2Error(SentryIgnoredException):
|
class OAuth2Error(SentryIgnoredException):
|
||||||
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
|
|||||||
)
|
)
|
||||||
|
|
||||||
provided_uri: str
|
provided_uri: str
|
||||||
allowed_uris: list[str]
|
allowed_uris: list[RedirectURI]
|
||||||
|
|
||||||
def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
|
def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
|
||||||
super().__init__()
|
super().__init__()
|
||||||
self.provided_uri = provided_uri
|
self.provided_uri = provided_uri
|
||||||
self.allowed_uris = allowed_uris
|
self.allowed_uris = allowed_uris
|
||||||
|
|||||||
@ -11,13 +11,16 @@ class Migration(migrations.Migration):
|
|||||||
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
||||||
]
|
]
|
||||||
|
|
||||||
operations = [
|
# Original preserved
|
||||||
migrations.AddIndex(
|
# See https://github.com/goauthentik/authentik/issues/11874
|
||||||
model_name="accesstoken",
|
# operations = [
|
||||||
index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
|
# migrations.AddIndex(
|
||||||
),
|
# model_name="accesstoken",
|
||||||
migrations.AddIndex(
|
# index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
|
||||||
model_name="refreshtoken",
|
# ),
|
||||||
index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
|
# migrations.AddIndex(
|
||||||
),
|
# model_name="refreshtoken",
|
||||||
]
|
# index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
|
||||||
|
# ),
|
||||||
|
# ]
|
||||||
|
operations = []
|
||||||
|
|||||||
@ -11,21 +11,24 @@ class Migration(migrations.Migration):
|
|||||||
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
||||||
]
|
]
|
||||||
|
|
||||||
operations = [
|
# Original preserved
|
||||||
migrations.RemoveIndex(
|
# See https://github.com/goauthentik/authentik/issues/11874
|
||||||
model_name="accesstoken",
|
# operations = [
|
||||||
name="authentik_p_token_4bc870_idx",
|
# migrations.RemoveIndex(
|
||||||
),
|
# model_name="accesstoken",
|
||||||
migrations.RemoveIndex(
|
# name="authentik_p_token_4bc870_idx",
|
||||||
model_name="refreshtoken",
|
# ),
|
||||||
name="authentik_p_token_1a841f_idx",
|
# migrations.RemoveIndex(
|
||||||
),
|
# model_name="refreshtoken",
|
||||||
migrations.AddIndex(
|
# name="authentik_p_token_1a841f_idx",
|
||||||
model_name="accesstoken",
|
# ),
|
||||||
index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
|
# migrations.AddIndex(
|
||||||
),
|
# model_name="accesstoken",
|
||||||
migrations.AddIndex(
|
# index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
|
||||||
model_name="refreshtoken",
|
# ),
|
||||||
index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
|
# migrations.AddIndex(
|
||||||
),
|
# model_name="refreshtoken",
|
||||||
]
|
# index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
|
||||||
|
# ),
|
||||||
|
# ]
|
||||||
|
operations = []
|
||||||
|
|||||||
@ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
|
|||||||
class Migration(migrations.Migration):
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
dependencies = [
|
dependencies = [
|
||||||
("authentik_core", "0040_provider_invalidation_flow"),
|
("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
|
||||||
("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
|
("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|||||||
@ -0,0 +1,31 @@
|
|||||||
|
# Generated by Django 5.0.9 on 2024-10-31 14:28
|
||||||
|
|
||||||
|
import django.contrib.postgres.indexes
|
||||||
|
from django.conf import settings
|
||||||
|
from django.db import migrations
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
|
||||||
|
("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
|
||||||
|
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"),
|
||||||
|
migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"),
|
||||||
|
migrations.AddIndex(
|
||||||
|
model_name="accesstoken",
|
||||||
|
index=django.contrib.postgres.indexes.HashIndex(
|
||||||
|
fields=["token"], name="authentik_p_token_e00883_hash"
|
||||||
|
),
|
||||||
|
),
|
||||||
|
migrations.AddIndex(
|
||||||
|
model_name="refreshtoken",
|
||||||
|
index=django.contrib.postgres.indexes.HashIndex(
|
||||||
|
fields=["token"], name="authentik_p_token_32e2b7_hash"
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
||||||
@ -0,0 +1,49 @@
|
|||||||
|
# Generated by Django 5.0.9 on 2024-11-04 12:56
|
||||||
|
from dataclasses import asdict
|
||||||
|
from django.apps.registry import Apps
|
||||||
|
|
||||||
|
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
|
||||||
|
from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
|
||||||
|
|
||||||
|
OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
|
||||||
|
|
||||||
|
db_alias = schema_editor.connection.alias
|
||||||
|
for provider in OAuth2Provider.objects.using(db_alias).all():
|
||||||
|
uris = []
|
||||||
|
for old in provider.old_redirect_uris.split("\n"):
|
||||||
|
mode = RedirectURIMatchingMode.STRICT
|
||||||
|
if old == "*" or old == ".*":
|
||||||
|
mode = RedirectURIMatchingMode.REGEX
|
||||||
|
uris.append(asdict(RedirectURI(mode, url=old)))
|
||||||
|
provider._redirect_uris = uris
|
||||||
|
provider.save()
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.RenameField(
|
||||||
|
model_name="oauth2provider",
|
||||||
|
old_name="redirect_uris",
|
||||||
|
new_name="old_redirect_uris",
|
||||||
|
),
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="oauth2provider",
|
||||||
|
name="_redirect_uris",
|
||||||
|
field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
|
||||||
|
),
|
||||||
|
migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
|
||||||
|
migrations.RemoveField(
|
||||||
|
model_name="oauth2provider",
|
||||||
|
name="old_redirect_uris",
|
||||||
|
),
|
||||||
|
]
|
||||||
@ -3,7 +3,7 @@
|
|||||||
import base64
|
import base64
|
||||||
import binascii
|
import binascii
|
||||||
import json
|
import json
|
||||||
from dataclasses import asdict
|
from dataclasses import asdict, dataclass
|
||||||
from functools import cached_property
|
from functools import cached_property
|
||||||
from hashlib import sha256
|
from hashlib import sha256
|
||||||
from typing import Any
|
from typing import Any
|
||||||
@ -12,7 +12,9 @@ from urllib.parse import urlparse, urlunparse
|
|||||||
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
|
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
|
||||||
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
|
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
|
||||||
from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
|
from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
|
||||||
|
from dacite import Config
|
||||||
from dacite.core import from_dict
|
from dacite.core import from_dict
|
||||||
|
from django.contrib.postgres.indexes import HashIndex
|
||||||
from django.db import models
|
from django.db import models
|
||||||
from django.http import HttpRequest
|
from django.http import HttpRequest
|
||||||
from django.templatetags.static import static
|
from django.templatetags.static import static
|
||||||
@ -76,11 +78,25 @@ class IssuerMode(models.TextChoices):
|
|||||||
"""Configure how the `iss` field is created."""
|
"""Configure how the `iss` field is created."""
|
||||||
|
|
||||||
GLOBAL = "global", _("Same identifier is used for all providers")
|
GLOBAL = "global", _("Same identifier is used for all providers")
|
||||||
PER_PROVIDER = "per_provider", _(
|
PER_PROVIDER = (
|
||||||
"Each provider has a different issuer, based on the application slug."
|
"per_provider",
|
||||||
|
_("Each provider has a different issuer, based on the application slug."),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
class RedirectURIMatchingMode(models.TextChoices):
|
||||||
|
STRICT = "strict", _("Strict URL comparison")
|
||||||
|
REGEX = "regex", _("Regular Expression URL matching")
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass
|
||||||
|
class RedirectURI:
|
||||||
|
"""A single redirect URI entry"""
|
||||||
|
|
||||||
|
matching_mode: RedirectURIMatchingMode
|
||||||
|
url: str
|
||||||
|
|
||||||
|
|
||||||
class ResponseTypes(models.TextChoices):
|
class ResponseTypes(models.TextChoices):
|
||||||
"""Response Type required by the client."""
|
"""Response Type required by the client."""
|
||||||
|
|
||||||
@ -155,11 +171,9 @@ class OAuth2Provider(WebfingerProvider, Provider):
|
|||||||
verbose_name=_("Client Secret"),
|
verbose_name=_("Client Secret"),
|
||||||
default=generate_client_secret,
|
default=generate_client_secret,
|
||||||
)
|
)
|
||||||
redirect_uris = models.TextField(
|
_redirect_uris = models.JSONField(
|
||||||
default="",
|
default=dict,
|
||||||
blank=True,
|
|
||||||
verbose_name=_("Redirect URIs"),
|
verbose_name=_("Redirect URIs"),
|
||||||
help_text=_("Enter each URI on a new line."),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
include_claims_in_id_token = models.BooleanField(
|
include_claims_in_id_token = models.BooleanField(
|
||||||
@ -270,12 +284,33 @@ class OAuth2Provider(WebfingerProvider, Provider):
|
|||||||
except Provider.application.RelatedObjectDoesNotExist:
|
except Provider.application.RelatedObjectDoesNotExist:
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
@property
|
||||||
|
def redirect_uris(self) -> list[RedirectURI]:
|
||||||
|
uris = []
|
||||||
|
for entry in self._redirect_uris:
|
||||||
|
uris.append(
|
||||||
|
from_dict(
|
||||||
|
RedirectURI,
|
||||||
|
entry,
|
||||||
|
config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
|
||||||
|
)
|
||||||
|
)
|
||||||
|
return uris
|
||||||
|
|
||||||
|
@redirect_uris.setter
|
||||||
|
def redirect_uris(self, value: list[RedirectURI]):
|
||||||
|
cleansed = []
|
||||||
|
for entry in value:
|
||||||
|
cleansed.append(asdict(entry))
|
||||||
|
self._redirect_uris = cleansed
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def launch_url(self) -> str | None:
|
def launch_url(self) -> str | None:
|
||||||
"""Guess launch_url based on first redirect_uri"""
|
"""Guess launch_url based on first redirect_uri"""
|
||||||
if self.redirect_uris == "":
|
redirects = self.redirect_uris
|
||||||
|
if len(redirects) < 1:
|
||||||
return None
|
return None
|
||||||
main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
|
main_url = redirects[0].url
|
||||||
try:
|
try:
|
||||||
launch_url = urlparse(main_url)._replace(path="")
|
launch_url = urlparse(main_url)._replace(path="")
|
||||||
return urlunparse(launch_url)
|
return urlunparse(launch_url)
|
||||||
@ -418,7 +453,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
|
|||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
indexes = [
|
indexes = [
|
||||||
models.Index(fields=["token", "provider"]),
|
HashIndex(fields=["token"]),
|
||||||
]
|
]
|
||||||
verbose_name = _("OAuth2 Access Token")
|
verbose_name = _("OAuth2 Access Token")
|
||||||
verbose_name_plural = _("OAuth2 Access Tokens")
|
verbose_name_plural = _("OAuth2 Access Tokens")
|
||||||
@ -464,7 +499,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
|
|||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
indexes = [
|
indexes = [
|
||||||
models.Index(fields=["token", "provider"]),
|
HashIndex(fields=["token"]),
|
||||||
]
|
]
|
||||||
verbose_name = _("OAuth2 Refresh Token")
|
verbose_name = _("OAuth2 Refresh Token")
|
||||||
verbose_name_plural = _("OAuth2 Refresh Tokens")
|
verbose_name_plural = _("OAuth2 Refresh Tokens")
|
||||||
|
|||||||
@ -10,7 +10,13 @@ from rest_framework.test import APITestCase
|
|||||||
from authentik.blueprints.tests import apply_blueprint
|
from authentik.blueprints.tests import apply_blueprint
|
||||||
from authentik.core.models import Application
|
from authentik.core.models import Application
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.providers.oauth2.models import (
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class TestAPI(APITestCase):
|
class TestAPI(APITestCase):
|
||||||
@ -21,7 +27,7 @@ class TestAPI(APITestCase):
|
|||||||
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
)
|
)
|
||||||
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
||||||
self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
|
self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
|
||||||
@ -50,9 +56,29 @@ class TestAPI(APITestCase):
|
|||||||
@skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
|
@skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
|
||||||
def test_launch_url(self):
|
def test_launch_url(self):
|
||||||
"""Test launch_url"""
|
"""Test launch_url"""
|
||||||
self.provider.redirect_uris = (
|
self.provider.redirect_uris = [
|
||||||
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
|
RedirectURI(
|
||||||
)
|
RedirectURIMatchingMode.REGEX,
|
||||||
|
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
|
||||||
|
),
|
||||||
|
]
|
||||||
self.provider.save()
|
self.provider.save()
|
||||||
self.provider.refresh_from_db()
|
self.provider.refresh_from_db()
|
||||||
self.assertIsNone(self.provider.launch_url)
|
self.assertIsNone(self.provider.launch_url)
|
||||||
|
|
||||||
|
def test_validate_redirect_uris(self):
|
||||||
|
"""Test redirect_uris API"""
|
||||||
|
response = self.client.post(
|
||||||
|
reverse("authentik_api:oauth2provider-list"),
|
||||||
|
data={
|
||||||
|
"name": generate_id(),
|
||||||
|
"authorization_flow": create_test_flow().pk,
|
||||||
|
"invalidation_flow": create_test_flow().pk,
|
||||||
|
"redirect_uris": [
|
||||||
|
{"matching_mode": "strict", "url": "http://goauthentik.io"},
|
||||||
|
{"matching_mode": "regex", "url": "**"},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
|
||||||
|
self.assertEqual(response.status_code, 400)
|
||||||
|
|||||||
@ -19,6 +19,8 @@ from authentik.providers.oauth2.models import (
|
|||||||
AuthorizationCode,
|
AuthorizationCode,
|
||||||
GrantTypes,
|
GrantTypes,
|
||||||
OAuth2Provider,
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
ScopeMapping,
|
ScopeMapping,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
@ -39,7 +41,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid/Foo",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
|
||||||
)
|
)
|
||||||
with self.assertRaises(AuthorizeError):
|
with self.assertRaises(AuthorizeError):
|
||||||
request = self.factory.get(
|
request = self.factory.get(
|
||||||
@ -64,7 +66,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid/Foo",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
|
||||||
)
|
)
|
||||||
with self.assertRaises(AuthorizeError):
|
with self.assertRaises(AuthorizeError):
|
||||||
request = self.factory.get(
|
request = self.factory.get(
|
||||||
@ -84,7 +86,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
)
|
)
|
||||||
with self.assertRaises(RedirectUriError):
|
with self.assertRaises(RedirectUriError):
|
||||||
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
||||||
@ -106,7 +108,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="data:local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
|
||||||
)
|
)
|
||||||
with self.assertRaises(RedirectUriError):
|
with self.assertRaises(RedirectUriError):
|
||||||
request = self.factory.get(
|
request = self.factory.get(
|
||||||
@ -125,7 +127,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="",
|
redirect_uris=[],
|
||||||
)
|
)
|
||||||
with self.assertRaises(RedirectUriError):
|
with self.assertRaises(RedirectUriError):
|
||||||
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
||||||
@ -140,7 +142,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
)
|
)
|
||||||
OAuthAuthorizationParams.from_request(request)
|
OAuthAuthorizationParams.from_request(request)
|
||||||
provider.refresh_from_db()
|
provider.refresh_from_db()
|
||||||
self.assertEqual(provider.redirect_uris, "+")
|
self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
|
||||||
|
|
||||||
def test_invalid_redirect_uri_regex(self):
|
def test_invalid_redirect_uri_regex(self):
|
||||||
"""test missing/invalid redirect URI"""
|
"""test missing/invalid redirect URI"""
|
||||||
@ -148,7 +150,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid?",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
|
||||||
)
|
)
|
||||||
with self.assertRaises(RedirectUriError):
|
with self.assertRaises(RedirectUriError):
|
||||||
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
||||||
@ -170,7 +172,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="+",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
|
||||||
)
|
)
|
||||||
with self.assertRaises(RedirectUriError):
|
with self.assertRaises(RedirectUriError):
|
||||||
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
||||||
@ -213,7 +215,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid/Foo",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
|
||||||
)
|
)
|
||||||
provider.property_mappings.set(
|
provider.property_mappings.set(
|
||||||
ScopeMapping.objects.filter(
|
ScopeMapping.objects.filter(
|
||||||
@ -301,7 +303,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="foo://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
|
||||||
access_code_validity="seconds=100",
|
access_code_validity="seconds=100",
|
||||||
)
|
)
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
Application.objects.create(name="app", slug="app", provider=provider)
|
||||||
@ -343,7 +345,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
provider.property_mappings.set(
|
provider.property_mappings.set(
|
||||||
@ -420,7 +422,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
encryption_key=self.keypair,
|
encryption_key=self.keypair,
|
||||||
)
|
)
|
||||||
@ -486,7 +488,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
Application.objects.create(name="app", slug="app", provider=provider)
|
||||||
@ -541,7 +543,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id=generate_id(),
|
client_id=generate_id(),
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
provider.property_mappings.set(
|
provider.property_mappings.set(
|
||||||
@ -599,7 +601,7 @@ class TestAuthorize(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id=generate_id(),
|
client_id=generate_id(),
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="http://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
|
app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
|
||||||
|
|||||||
@ -3,6 +3,7 @@
|
|||||||
from urllib.parse import urlencode
|
from urllib.parse import urlencode
|
||||||
|
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APIClient
|
||||||
|
|
||||||
from authentik.core.models import Application, Group
|
from authentik.core.models import Application, Group
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
|
||||||
@ -34,7 +35,10 @@ class TesOAuth2DeviceInit(OAuthTestCase):
|
|||||||
self.brand.flow_device_code = self.device_flow
|
self.brand.flow_device_code = self.device_flow
|
||||||
self.brand.save()
|
self.brand.save()
|
||||||
|
|
||||||
def test_device_init(self):
|
self.api_client = APIClient()
|
||||||
|
self.api_client.force_login(self.user)
|
||||||
|
|
||||||
|
def test_device_init_get(self):
|
||||||
"""Test device init"""
|
"""Test device init"""
|
||||||
res = self.client.get(reverse("authentik_providers_oauth2_root:device-login"))
|
res = self.client.get(reverse("authentik_providers_oauth2_root:device-login"))
|
||||||
self.assertEqual(res.status_code, 302)
|
self.assertEqual(res.status_code, 302)
|
||||||
@ -48,6 +52,76 @@ class TesOAuth2DeviceInit(OAuthTestCase):
|
|||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_device_init_post(self):
|
||||||
|
"""Test device init"""
|
||||||
|
res = self.api_client.get(reverse("authentik_providers_oauth2_root:device-login"))
|
||||||
|
self.assertEqual(res.status_code, 302)
|
||||||
|
self.assertEqual(
|
||||||
|
res.url,
|
||||||
|
reverse(
|
||||||
|
"authentik_core:if-flow",
|
||||||
|
kwargs={
|
||||||
|
"flow_slug": self.device_flow.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
)
|
||||||
|
res = self.api_client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_api:flow-executor",
|
||||||
|
kwargs={
|
||||||
|
"flow_slug": self.device_flow.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
)
|
||||||
|
self.assertEqual(res.status_code, 200)
|
||||||
|
self.assertJSONEqual(
|
||||||
|
res.content,
|
||||||
|
{
|
||||||
|
"component": "ak-provider-oauth2-device-code",
|
||||||
|
"flow_info": {
|
||||||
|
"background": "/static/dist/assets/images/flow_background.jpg",
|
||||||
|
"cancel_url": "/flows/-/cancel/",
|
||||||
|
"layout": "stacked",
|
||||||
|
"title": self.device_flow.title,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
provider = OAuth2Provider.objects.create(
|
||||||
|
name=generate_id(),
|
||||||
|
authorization_flow=create_test_flow(),
|
||||||
|
)
|
||||||
|
Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
|
||||||
|
token = DeviceToken.objects.create(
|
||||||
|
provider=provider,
|
||||||
|
)
|
||||||
|
|
||||||
|
res = self.api_client.post(
|
||||||
|
reverse(
|
||||||
|
"authentik_api:flow-executor",
|
||||||
|
kwargs={
|
||||||
|
"flow_slug": self.device_flow.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
data={
|
||||||
|
"component": "ak-provider-oauth2-device-code",
|
||||||
|
"code": token.user_code,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(res.status_code, 200)
|
||||||
|
self.assertJSONEqual(
|
||||||
|
res.content,
|
||||||
|
{
|
||||||
|
"component": "xak-flow-redirect",
|
||||||
|
"to": reverse(
|
||||||
|
"authentik_core:if-flow",
|
||||||
|
kwargs={
|
||||||
|
"flow_slug": provider.authorization_flow.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
def test_no_flow(self):
|
def test_no_flow(self):
|
||||||
"""Test no flow"""
|
"""Test no flow"""
|
||||||
self.brand.flow_device_code = None
|
self.brand.flow_device_code = None
|
||||||
|
|||||||
@ -11,7 +11,14 @@ from authentik.core.models import Application
|
|||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
|
from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
|
||||||
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
|
from authentik.providers.oauth2.models import (
|
||||||
|
AccessToken,
|
||||||
|
IDToken,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
RefreshToken,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -23,7 +30,7 @@ class TesOAuth2Introspection(OAuthTestCase):
|
|||||||
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.app = Application.objects.create(
|
self.app = Application.objects.create(
|
||||||
@ -118,7 +125,7 @@ class TesOAuth2Introspection(OAuthTestCase):
|
|||||||
provider: OAuth2Provider = OAuth2Provider.objects.create(
|
provider: OAuth2Provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
||||||
|
|||||||
@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
|
|||||||
from authentik.crypto.builder import PrivateKeyAlg
|
from authentik.crypto.builder import PrivateKeyAlg
|
||||||
from authentik.crypto.models import CertificateKeyPair
|
from authentik.crypto.models import CertificateKeyPair
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider
|
from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
TEST_CORDS_CERT = """
|
TEST_CORDS_CERT = """
|
||||||
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
|
|||||||
name="test",
|
name="test",
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
app = Application.objects.create(name="test", slug="test", provider=provider)
|
app = Application.objects.create(name="test", slug="test", provider=provider)
|
||||||
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
|
|||||||
name="test",
|
name="test",
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
)
|
)
|
||||||
app = Application.objects.create(name="test", slug="test", provider=provider)
|
app = Application.objects.create(name="test", slug="test", provider=provider)
|
||||||
response = self.client.get(
|
response = self.client.get(
|
||||||
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
|
|||||||
name="test",
|
name="test",
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
|
signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
|
||||||
)
|
)
|
||||||
app = Application.objects.create(name="test", slug="test", provider=provider)
|
app = Application.objects.create(name="test", slug="test", provider=provider)
|
||||||
@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
|
|||||||
name="test",
|
name="test",
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
|
signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
|
||||||
encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
|
encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
|
||||||
)
|
)
|
||||||
@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
|
|||||||
name="test",
|
name="test",
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=cert,
|
signing_key=cert,
|
||||||
)
|
)
|
||||||
app = Application.objects.create(name="test", slug="test", provider=provider)
|
app = Application.objects.create(name="test", slug="test", provider=provider)
|
||||||
|
|||||||
@ -10,7 +10,14 @@ from django.utils import timezone
|
|||||||
from authentik.core.models import Application
|
from authentik.core.models import Application
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
|
from authentik.providers.oauth2.models import (
|
||||||
|
AccessToken,
|
||||||
|
IDToken,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
RefreshToken,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -22,7 +29,7 @@ class TesOAuth2Revoke(OAuthTestCase):
|
|||||||
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.app = Application.objects.create(
|
self.app = Application.objects.create(
|
||||||
|
|||||||
@ -22,6 +22,8 @@ from authentik.providers.oauth2.models import (
|
|||||||
AccessToken,
|
AccessToken,
|
||||||
AuthorizationCode,
|
AuthorizationCode,
|
||||||
OAuth2Provider,
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
RefreshToken,
|
RefreshToken,
|
||||||
ScopeMapping,
|
ScopeMapping,
|
||||||
)
|
)
|
||||||
@ -42,7 +44,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://TestServer",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
||||||
@ -69,7 +71,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
||||||
@ -90,7 +92,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
||||||
@ -118,7 +120,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
# Needs to be assigned to an application for iss to be set
|
# Needs to be assigned to an application for iss to be set
|
||||||
@ -157,7 +159,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
encryption_key=self.keypair,
|
encryption_key=self.keypair,
|
||||||
)
|
)
|
||||||
@ -188,7 +190,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
provider.property_mappings.set(
|
provider.property_mappings.set(
|
||||||
@ -250,7 +252,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://local.invalid",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
provider.property_mappings.set(
|
provider.property_mappings.set(
|
||||||
@ -308,7 +310,7 @@ class TestToken(OAuthTestCase):
|
|||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=self.keypair,
|
signing_key=self.keypair,
|
||||||
)
|
)
|
||||||
provider.property_mappings.set(
|
provider.property_mappings.set(
|
||||||
|
|||||||
@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
|
|||||||
SCOPE_OPENID_PROFILE,
|
SCOPE_OPENID_PROFILE,
|
||||||
TOKEN_TYPE,
|
TOKEN_TYPE,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
from authentik.providers.oauth2.views.jwks import JWKSView
|
from authentik.providers.oauth2.views.jwks import JWKSView
|
||||||
from authentik.sources.oauth.models import OAuthSource
|
from authentik.sources.oauth.models import OAuthSource
|
||||||
@ -54,7 +59,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
|
|||||||
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=self.cert,
|
signing_key=self.cert,
|
||||||
)
|
)
|
||||||
self.provider.jwks_sources.add(self.source)
|
self.provider.jwks_sources.add(self.source)
|
||||||
|
|||||||
@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
|
|||||||
TOKEN_TYPE,
|
TOKEN_TYPE,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.errors import TokenError
|
from authentik.providers.oauth2.errors import TokenError
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
AccessToken,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -33,7 +39,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
|
|||||||
self.provider = OAuth2Provider.objects.create(
|
self.provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
||||||
@ -107,6 +113,48 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
|
|||||||
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
|
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_incorrect_scopes(self):
|
||||||
|
"""test scope that isn't configured"""
|
||||||
|
response = self.client.post(
|
||||||
|
reverse("authentik_providers_oauth2:token"),
|
||||||
|
{
|
||||||
|
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
|
||||||
|
"scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
|
||||||
|
"client_id": self.provider.client_id,
|
||||||
|
"client_secret": self.provider.client_secret,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
body = loads(response.content.decode())
|
||||||
|
self.assertEqual(body["token_type"], TOKEN_TYPE)
|
||||||
|
token = AccessToken.objects.filter(
|
||||||
|
provider=self.provider, token=body["access_token"]
|
||||||
|
).first()
|
||||||
|
self.assertSetEqual(
|
||||||
|
set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
|
||||||
|
)
|
||||||
|
_, alg = self.provider.jwt_key
|
||||||
|
jwt = decode(
|
||||||
|
body["access_token"],
|
||||||
|
key=self.provider.signing_key.public_key,
|
||||||
|
algorithms=[alg],
|
||||||
|
audience=self.provider.client_id,
|
||||||
|
)
|
||||||
|
self.assertEqual(
|
||||||
|
jwt["given_name"], "Autogenerated user from application test (client credentials)"
|
||||||
|
)
|
||||||
|
self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
|
||||||
|
jwt = decode(
|
||||||
|
body["id_token"],
|
||||||
|
key=self.provider.signing_key.public_key,
|
||||||
|
algorithms=[alg],
|
||||||
|
audience=self.provider.client_id,
|
||||||
|
)
|
||||||
|
self.assertEqual(
|
||||||
|
jwt["given_name"], "Autogenerated user from application test (client credentials)"
|
||||||
|
)
|
||||||
|
self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
|
||||||
|
|
||||||
def test_successful(self):
|
def test_successful(self):
|
||||||
"""test successful"""
|
"""test successful"""
|
||||||
response = self.client.post(
|
response = self.client.post(
|
||||||
|
|||||||
@ -20,7 +20,12 @@ from authentik.providers.oauth2.constants import (
|
|||||||
TOKEN_TYPE,
|
TOKEN_TYPE,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.errors import TokenError
|
from authentik.providers.oauth2.errors import TokenError
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -34,7 +39,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
|
|||||||
self.provider = OAuth2Provider.objects.create(
|
self.provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
||||||
|
|||||||
@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
|
|||||||
TOKEN_TYPE,
|
TOKEN_TYPE,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.errors import TokenError
|
from authentik.providers.oauth2.errors import TokenError
|
||||||
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -33,7 +38,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
|
|||||||
self.provider = OAuth2Provider.objects.create(
|
self.provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
||||||
|
|||||||
@ -9,8 +9,19 @@ from authentik.blueprints.tests import apply_blueprint
|
|||||||
from authentik.core.models import Application
|
from authentik.core.models import Application
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
||||||
from authentik.lib.generators import generate_code_fixed_length, generate_id
|
from authentik.lib.generators import generate_code_fixed_length, generate_id
|
||||||
from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE
|
from authentik.providers.oauth2.constants import (
|
||||||
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
|
GRANT_TYPE_DEVICE_CODE,
|
||||||
|
SCOPE_OPENID,
|
||||||
|
SCOPE_OPENID_EMAIL,
|
||||||
|
)
|
||||||
|
from authentik.providers.oauth2.models import (
|
||||||
|
AccessToken,
|
||||||
|
DeviceToken,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -24,7 +35,7 @@ class TestTokenDeviceCode(OAuthTestCase):
|
|||||||
self.provider = OAuth2Provider.objects.create(
|
self.provider = OAuth2Provider.objects.create(
|
||||||
name="test",
|
name="test",
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="http://testserver",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
||||||
@ -80,3 +91,28 @@ class TestTokenDeviceCode(OAuthTestCase):
|
|||||||
},
|
},
|
||||||
)
|
)
|
||||||
self.assertEqual(res.status_code, 200)
|
self.assertEqual(res.status_code, 200)
|
||||||
|
|
||||||
|
def test_code_mismatched_scope(self):
|
||||||
|
"""Test code with user (mismatched scopes)"""
|
||||||
|
device_token = DeviceToken.objects.create(
|
||||||
|
provider=self.provider,
|
||||||
|
user_code=generate_code_fixed_length(),
|
||||||
|
device_code=generate_id(),
|
||||||
|
user=self.user,
|
||||||
|
scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
|
||||||
|
)
|
||||||
|
res = self.client.post(
|
||||||
|
reverse("authentik_providers_oauth2:token"),
|
||||||
|
data={
|
||||||
|
"client_id": self.provider.client_id,
|
||||||
|
"grant_type": GRANT_TYPE_DEVICE_CODE,
|
||||||
|
"device_code": device_token.device_code,
|
||||||
|
"scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(res.status_code, 200)
|
||||||
|
body = loads(res.content)
|
||||||
|
token = AccessToken.objects.filter(
|
||||||
|
provider=self.provider, token=body["access_token"]
|
||||||
|
).first()
|
||||||
|
self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})
|
||||||
|
|||||||
@ -10,7 +10,12 @@ from authentik.core.models import Application
|
|||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
|
from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
|
||||||
from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
|
from authentik.providers.oauth2.models import (
|
||||||
|
AuthorizationCode,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -30,7 +35,7 @@ class TestTokenPKCE(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="foo://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
|
||||||
access_code_validity="seconds=100",
|
access_code_validity="seconds=100",
|
||||||
)
|
)
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
Application.objects.create(name="app", slug="app", provider=provider)
|
||||||
@ -93,7 +98,7 @@ class TestTokenPKCE(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="foo://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
|
||||||
access_code_validity="seconds=100",
|
access_code_validity="seconds=100",
|
||||||
)
|
)
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
Application.objects.create(name="app", slug="app", provider=provider)
|
||||||
@ -154,7 +159,7 @@ class TestTokenPKCE(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="foo://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
|
||||||
access_code_validity="seconds=100",
|
access_code_validity="seconds=100",
|
||||||
)
|
)
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
Application.objects.create(name="app", slug="app", provider=provider)
|
||||||
@ -210,7 +215,7 @@ class TestTokenPKCE(OAuthTestCase):
|
|||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
client_id="test",
|
client_id="test",
|
||||||
authorization_flow=flow,
|
authorization_flow=flow,
|
||||||
redirect_uris="foo://localhost",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
|
||||||
access_code_validity="seconds=100",
|
access_code_validity="seconds=100",
|
||||||
)
|
)
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
Application.objects.create(name="app", slug="app", provider=provider)
|
||||||
|
|||||||
@ -11,7 +11,14 @@ from authentik.core.models import Application
|
|||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
AccessToken,
|
||||||
|
IDToken,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
|
|
||||||
|
|
||||||
@ -25,7 +32,7 @@ class TestUserinfo(OAuthTestCase):
|
|||||||
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
|
||||||
name=generate_id(),
|
name=generate_id(),
|
||||||
authorization_flow=create_test_flow(),
|
authorization_flow=create_test_flow(),
|
||||||
redirect_uris="",
|
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
|
||||||
signing_key=create_test_cert(),
|
signing_key=create_test_cert(),
|
||||||
)
|
)
|
||||||
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
self.provider.property_mappings.set(ScopeMapping.objects.all())
|
||||||
|
|||||||
@ -56,6 +56,8 @@ from authentik.providers.oauth2.models import (
|
|||||||
AuthorizationCode,
|
AuthorizationCode,
|
||||||
GrantTypes,
|
GrantTypes,
|
||||||
OAuth2Provider,
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
ResponseMode,
|
ResponseMode,
|
||||||
ResponseTypes,
|
ResponseTypes,
|
||||||
ScopeMapping,
|
ScopeMapping,
|
||||||
@ -187,40 +189,39 @@ class OAuthAuthorizationParams:
|
|||||||
|
|
||||||
def check_redirect_uri(self):
|
def check_redirect_uri(self):
|
||||||
"""Redirect URI validation."""
|
"""Redirect URI validation."""
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
allowed_redirect_urls = self.provider.redirect_uris
|
||||||
if not self.redirect_uri:
|
if not self.redirect_uri:
|
||||||
LOGGER.warning("Missing redirect uri.")
|
LOGGER.warning("Missing redirect uri.")
|
||||||
raise RedirectUriError("", allowed_redirect_urls)
|
raise RedirectUriError("", allowed_redirect_urls)
|
||||||
|
|
||||||
if self.provider.redirect_uris == "":
|
if len(allowed_redirect_urls) < 1:
|
||||||
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
|
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
|
||||||
self.provider.redirect_uris = self.redirect_uri
|
self.provider.redirect_uris = [
|
||||||
|
RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
|
||||||
|
]
|
||||||
self.provider.save()
|
self.provider.save()
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
allowed_redirect_urls = self.provider.redirect_uris
|
||||||
|
|
||||||
if self.provider.redirect_uris == "*":
|
match_found = False
|
||||||
LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
|
for allowed in allowed_redirect_urls:
|
||||||
self.provider.redirect_uris = ".*"
|
if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
|
||||||
self.provider.save()
|
if self.redirect_uri == allowed.url:
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
match_found = True
|
||||||
|
break
|
||||||
try:
|
if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
|
||||||
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
|
try:
|
||||||
LOGGER.warning(
|
if fullmatch(allowed.url, self.redirect_uri):
|
||||||
"Invalid redirect uri (regex comparison)",
|
match_found = True
|
||||||
redirect_uri_given=self.redirect_uri,
|
break
|
||||||
redirect_uri_expected=allowed_redirect_urls,
|
except RegexError as exc:
|
||||||
)
|
LOGGER.warning(
|
||||||
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
"Failed to parse regular expression",
|
||||||
except RegexError as exc:
|
exc=exc,
|
||||||
LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
|
url=allowed.url,
|
||||||
if not any(x == self.redirect_uri for x in allowed_redirect_urls):
|
provider=self.provider,
|
||||||
LOGGER.warning(
|
)
|
||||||
"Invalid redirect uri (strict comparison)",
|
if not match_found:
|
||||||
redirect_uri_given=self.redirect_uri,
|
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
||||||
redirect_uri_expected=allowed_redirect_urls,
|
|
||||||
)
|
|
||||||
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
|
|
||||||
# Check against forbidden schemes
|
# Check against forbidden schemes
|
||||||
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
|
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
|
||||||
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
||||||
|
|||||||
@ -5,7 +5,7 @@ from typing import Any
|
|||||||
from django.http import HttpRequest, HttpResponse
|
from django.http import HttpRequest, HttpResponse
|
||||||
from django.utils.translation import gettext as _
|
from django.utils.translation import gettext as _
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
from rest_framework.fields import CharField, IntegerField
|
from rest_framework.fields import CharField
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.brands.models import Brand
|
from authentik.brands.models import Brand
|
||||||
@ -47,6 +47,9 @@ class CodeValidatorView(PolicyAccessView):
|
|||||||
self.provider = self.token.provider
|
self.provider = self.token.provider
|
||||||
self.application = self.token.provider.application
|
self.application = self.token.provider.application
|
||||||
|
|
||||||
|
def post(self, request: HttpRequest, *args, **kwargs):
|
||||||
|
return self.get(request, *args, **kwargs)
|
||||||
|
|
||||||
def get(self, request: HttpRequest, *args, **kwargs):
|
def get(self, request: HttpRequest, *args, **kwargs):
|
||||||
scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
|
scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
|
||||||
planner = FlowPlanner(self.provider.authorization_flow)
|
planner = FlowPlanner(self.provider.authorization_flow)
|
||||||
@ -122,7 +125,7 @@ class OAuthDeviceCodeChallenge(Challenge):
|
|||||||
class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
|
class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
|
||||||
"""Response that includes the user-entered device code"""
|
"""Response that includes the user-entered device code"""
|
||||||
|
|
||||||
code = IntegerField()
|
code = CharField()
|
||||||
component = CharField(default="ak-provider-oauth2-device-code")
|
component = CharField(default="ak-provider-oauth2-device-code")
|
||||||
|
|
||||||
def validate_code(self, code: int) -> HttpResponse | None:
|
def validate_code(self, code: int) -> HttpResponse | None:
|
||||||
|
|||||||
@ -162,5 +162,5 @@ class ProviderInfoView(View):
|
|||||||
OAuth2Provider, pk=application.provider_id
|
OAuth2Provider, pk=application.provider_id
|
||||||
)
|
)
|
||||||
response = super().dispatch(request, *args, **kwargs)
|
response = super().dispatch(request, *args, **kwargs)
|
||||||
cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
|
cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
|
||||||
return response
|
return response
|
||||||
|
|||||||
@ -58,7 +58,9 @@ from authentik.providers.oauth2.models import (
|
|||||||
ClientTypes,
|
ClientTypes,
|
||||||
DeviceToken,
|
DeviceToken,
|
||||||
OAuth2Provider,
|
OAuth2Provider,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
RefreshToken,
|
RefreshToken,
|
||||||
|
ScopeMapping,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
|
from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
|
||||||
from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
|
from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
|
||||||
@ -77,7 +79,7 @@ class TokenParams:
|
|||||||
redirect_uri: str
|
redirect_uri: str
|
||||||
grant_type: str
|
grant_type: str
|
||||||
state: str
|
state: str
|
||||||
scope: list[str]
|
scope: set[str]
|
||||||
|
|
||||||
provider: OAuth2Provider
|
provider: OAuth2Provider
|
||||||
|
|
||||||
@ -112,11 +114,26 @@ class TokenParams:
|
|||||||
redirect_uri=request.POST.get("redirect_uri", ""),
|
redirect_uri=request.POST.get("redirect_uri", ""),
|
||||||
grant_type=request.POST.get("grant_type", ""),
|
grant_type=request.POST.get("grant_type", ""),
|
||||||
state=request.POST.get("state", ""),
|
state=request.POST.get("state", ""),
|
||||||
scope=request.POST.get("scope", "").split(),
|
scope=set(request.POST.get("scope", "").split()),
|
||||||
# PKCE parameter.
|
# PKCE parameter.
|
||||||
code_verifier=request.POST.get("code_verifier"),
|
code_verifier=request.POST.get("code_verifier"),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def __check_scopes(self):
|
||||||
|
allowed_scope_names = set(
|
||||||
|
ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
|
||||||
|
"scope_name", flat=True
|
||||||
|
)
|
||||||
|
)
|
||||||
|
scopes_to_check = self.scope
|
||||||
|
if not scopes_to_check.issubset(allowed_scope_names):
|
||||||
|
LOGGER.info(
|
||||||
|
"Application requested scopes not configured, setting to overlap",
|
||||||
|
scope_allowed=allowed_scope_names,
|
||||||
|
scope_given=self.scope,
|
||||||
|
)
|
||||||
|
self.scope = self.scope.intersection(allowed_scope_names)
|
||||||
|
|
||||||
def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
|
def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
|
||||||
with start_span(
|
with start_span(
|
||||||
op="authentik.providers.oauth2.token.policy",
|
op="authentik.providers.oauth2.token.policy",
|
||||||
@ -149,7 +166,7 @@ class TokenParams:
|
|||||||
client_id=self.provider.client_id,
|
client_id=self.provider.client_id,
|
||||||
)
|
)
|
||||||
raise TokenError("invalid_client")
|
raise TokenError("invalid_client")
|
||||||
|
self.__check_scopes()
|
||||||
if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
|
if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
|
||||||
with start_span(
|
with start_span(
|
||||||
op="authentik.providers.oauth2.post.parse.code",
|
op="authentik.providers.oauth2.post.parse.code",
|
||||||
@ -179,42 +196,7 @@ class TokenParams:
|
|||||||
LOGGER.warning("Missing authorization code")
|
LOGGER.warning("Missing authorization code")
|
||||||
raise TokenError("invalid_grant")
|
raise TokenError("invalid_grant")
|
||||||
|
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
self.__check_redirect_uri(request)
|
||||||
# At this point, no provider should have a blank redirect_uri, in case they do
|
|
||||||
# this will check an empty array and raise an error
|
|
||||||
try:
|
|
||||||
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
|
|
||||||
LOGGER.warning(
|
|
||||||
"Invalid redirect uri (regex comparison)",
|
|
||||||
redirect_uri=self.redirect_uri,
|
|
||||||
expected=allowed_redirect_urls,
|
|
||||||
)
|
|
||||||
Event.new(
|
|
||||||
EventAction.CONFIGURATION_ERROR,
|
|
||||||
message="Invalid redirect URI used by provider",
|
|
||||||
provider=self.provider,
|
|
||||||
redirect_uri=self.redirect_uri,
|
|
||||||
expected=allowed_redirect_urls,
|
|
||||||
).from_http(request)
|
|
||||||
raise TokenError("invalid_client")
|
|
||||||
except RegexError as exc:
|
|
||||||
LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
|
|
||||||
if not any(x == self.redirect_uri for x in allowed_redirect_urls):
|
|
||||||
LOGGER.warning(
|
|
||||||
"Invalid redirect uri (strict comparison)",
|
|
||||||
redirect_uri=self.redirect_uri,
|
|
||||||
expected=allowed_redirect_urls,
|
|
||||||
)
|
|
||||||
Event.new(
|
|
||||||
EventAction.CONFIGURATION_ERROR,
|
|
||||||
message="Invalid redirect_uri configured",
|
|
||||||
provider=self.provider,
|
|
||||||
).from_http(request)
|
|
||||||
raise TokenError("invalid_client") from None
|
|
||||||
|
|
||||||
# Check against forbidden schemes
|
|
||||||
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
|
|
||||||
raise TokenError("invalid_request")
|
|
||||||
|
|
||||||
self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
|
self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
|
||||||
if not self.authorization_code:
|
if not self.authorization_code:
|
||||||
@ -254,6 +236,48 @@ class TokenParams:
|
|||||||
if not self.authorization_code.code_challenge and self.code_verifier:
|
if not self.authorization_code.code_challenge and self.code_verifier:
|
||||||
raise TokenError("invalid_grant")
|
raise TokenError("invalid_grant")
|
||||||
|
|
||||||
|
def __check_redirect_uri(self, request: HttpRequest):
|
||||||
|
allowed_redirect_urls = self.provider.redirect_uris
|
||||||
|
# At this point, no provider should have a blank redirect_uri, in case they do
|
||||||
|
# this will check an empty array and raise an error
|
||||||
|
|
||||||
|
match_found = False
|
||||||
|
for allowed in allowed_redirect_urls:
|
||||||
|
if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
|
||||||
|
if self.redirect_uri == allowed.url:
|
||||||
|
match_found = True
|
||||||
|
break
|
||||||
|
if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
|
||||||
|
try:
|
||||||
|
if fullmatch(allowed.url, self.redirect_uri):
|
||||||
|
match_found = True
|
||||||
|
break
|
||||||
|
except RegexError as exc:
|
||||||
|
LOGGER.warning(
|
||||||
|
"Failed to parse regular expression",
|
||||||
|
exc=exc,
|
||||||
|
url=allowed.url,
|
||||||
|
provider=self.provider,
|
||||||
|
)
|
||||||
|
Event.new(
|
||||||
|
EventAction.CONFIGURATION_ERROR,
|
||||||
|
message="Invalid redirect_uri configured",
|
||||||
|
provider=self.provider,
|
||||||
|
).from_http(request)
|
||||||
|
if not match_found:
|
||||||
|
Event.new(
|
||||||
|
EventAction.CONFIGURATION_ERROR,
|
||||||
|
message="Invalid redirect URI used by provider",
|
||||||
|
provider=self.provider,
|
||||||
|
redirect_uri=self.redirect_uri,
|
||||||
|
expected=allowed_redirect_urls,
|
||||||
|
).from_http(request)
|
||||||
|
raise TokenError("invalid_client")
|
||||||
|
|
||||||
|
# Check against forbidden schemes
|
||||||
|
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
|
||||||
|
raise TokenError("invalid_request")
|
||||||
|
|
||||||
def __post_init_refresh(self, raw_token: str, request: HttpRequest):
|
def __post_init_refresh(self, raw_token: str, request: HttpRequest):
|
||||||
if not raw_token:
|
if not raw_token:
|
||||||
LOGGER.warning("Missing refresh token")
|
LOGGER.warning("Missing refresh token")
|
||||||
@ -497,7 +521,7 @@ class TokenView(View):
|
|||||||
response = super().dispatch(request, *args, **kwargs)
|
response = super().dispatch(request, *args, **kwargs)
|
||||||
allowed_origins = []
|
allowed_origins = []
|
||||||
if self.provider:
|
if self.provider:
|
||||||
allowed_origins = self.provider.redirect_uris.split("\n")
|
allowed_origins = [x.url for x in self.provider.redirect_uris]
|
||||||
cors_allow(self.request, response, *allowed_origins)
|
cors_allow(self.request, response, *allowed_origins)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
@ -710,7 +734,7 @@ class TokenView(View):
|
|||||||
"id_token": access_token.id_token.to_jwt(self.provider),
|
"id_token": access_token.id_token.to_jwt(self.provider),
|
||||||
}
|
}
|
||||||
|
|
||||||
if SCOPE_OFFLINE_ACCESS in self.params.scope:
|
if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
|
||||||
refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
|
refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
|
||||||
refresh_token = RefreshToken(
|
refresh_token = RefreshToken(
|
||||||
user=self.params.device_code.user,
|
user=self.params.device_code.user,
|
||||||
|
|||||||
@ -108,7 +108,7 @@ class UserInfoView(View):
|
|||||||
response = super().dispatch(request, *args, **kwargs)
|
response = super().dispatch(request, *args, **kwargs)
|
||||||
allowed_origins = []
|
allowed_origins = []
|
||||||
if self.token:
|
if self.token:
|
||||||
allowed_origins = self.token.provider.redirect_uris.split("\n")
|
allowed_origins = [x.url for x in self.token.provider.redirect_uris]
|
||||||
cors_allow(self.request, response, *allowed_origins)
|
cors_allow(self.request, response, *allowed_origins)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|||||||
@ -13,6 +13,7 @@ from authentik.core.api.providers import ProviderSerializer
|
|||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
||||||
from authentik.lib.utils.time import timedelta_from_string
|
from authentik.lib.utils.time import timedelta_from_string
|
||||||
|
from authentik.providers.oauth2.api.providers import RedirectURISerializer
|
||||||
from authentik.providers.oauth2.models import ScopeMapping
|
from authentik.providers.oauth2.models import ScopeMapping
|
||||||
from authentik.providers.oauth2.views.provider import ProviderInfoView
|
from authentik.providers.oauth2.views.provider import ProviderInfoView
|
||||||
from authentik.providers.proxy.models import ProxyMode, ProxyProvider
|
from authentik.providers.proxy.models import ProxyMode, ProxyProvider
|
||||||
@ -39,7 +40,7 @@ class ProxyProviderSerializer(ProviderSerializer):
|
|||||||
"""ProxyProvider Serializer"""
|
"""ProxyProvider Serializer"""
|
||||||
|
|
||||||
client_id = CharField(read_only=True)
|
client_id = CharField(read_only=True)
|
||||||
redirect_uris = CharField(read_only=True)
|
redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris")
|
||||||
outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
|
outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
|
||||||
|
|
||||||
def validate_basic_auth_enabled(self, value: bool) -> bool:
|
def validate_basic_auth_enabled(self, value: bool) -> bool:
|
||||||
@ -121,7 +122,6 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
|
|||||||
"basic_auth_password_attribute": ["iexact"],
|
"basic_auth_password_attribute": ["iexact"],
|
||||||
"basic_auth_user_attribute": ["iexact"],
|
"basic_auth_user_attribute": ["iexact"],
|
||||||
"mode": ["iexact"],
|
"mode": ["iexact"],
|
||||||
"redirect_uris": ["iexact"],
|
|
||||||
"cookie_domain": ["iexact"],
|
"cookie_domain": ["iexact"],
|
||||||
}
|
}
|
||||||
search_fields = ["name"]
|
search_fields = ["name"]
|
||||||
|
|||||||
@ -13,7 +13,13 @@ from rest_framework.serializers import Serializer
|
|||||||
from authentik.crypto.models import CertificateKeyPair
|
from authentik.crypto.models import CertificateKeyPair
|
||||||
from authentik.lib.models import DomainlessURLValidator
|
from authentik.lib.models import DomainlessURLValidator
|
||||||
from authentik.outposts.models import OutpostModel
|
from authentik.outposts.models import OutpostModel
|
||||||
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
|
from authentik.providers.oauth2.models import (
|
||||||
|
ClientTypes,
|
||||||
|
OAuth2Provider,
|
||||||
|
RedirectURI,
|
||||||
|
RedirectURIMatchingMode,
|
||||||
|
ScopeMapping,
|
||||||
|
)
|
||||||
|
|
||||||
SCOPE_AK_PROXY = "ak_proxy"
|
SCOPE_AK_PROXY = "ak_proxy"
|
||||||
OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
|
OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
|
||||||
@ -24,14 +30,14 @@ def get_cookie_secret():
|
|||||||
return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
|
return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
|
||||||
|
|
||||||
|
|
||||||
def _get_callback_url(uri: str) -> str:
|
def _get_callback_url(uri: str) -> list[RedirectURI]:
|
||||||
return "\n".join(
|
return [
|
||||||
[
|
RedirectURI(
|
||||||
urljoin(uri, "outpost.goauthentik.io/callback")
|
RedirectURIMatchingMode.STRICT,
|
||||||
+ f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
|
urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true",
|
||||||
uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
|
),
|
||||||
]
|
RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"),
|
||||||
)
|
]
|
||||||
|
|
||||||
|
|
||||||
class ProxyMode(models.TextChoices):
|
class ProxyMode(models.TextChoices):
|
||||||
|
|||||||
@ -19,6 +19,7 @@ SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
|
|||||||
class User(BaseUser):
|
class User(BaseUser):
|
||||||
"""Modified User schema with added externalId field"""
|
"""Modified User schema with added externalId field"""
|
||||||
|
|
||||||
|
id: str | int | None = None
|
||||||
schemas: list[str] = [SCIM_USER_SCHEMA]
|
schemas: list[str] = [SCIM_USER_SCHEMA]
|
||||||
externalId: str | None = None
|
externalId: str | None = None
|
||||||
meta: dict | None = None
|
meta: dict | None = None
|
||||||
@ -27,6 +28,7 @@ class User(BaseUser):
|
|||||||
class Group(BaseGroup):
|
class Group(BaseGroup):
|
||||||
"""Modified Group schema with added externalId field"""
|
"""Modified Group schema with added externalId field"""
|
||||||
|
|
||||||
|
id: str | int | None = None
|
||||||
schemas: list[str] = [SCIM_GROUP_SCHEMA]
|
schemas: list[str] = [SCIM_GROUP_SCHEMA]
|
||||||
externalId: str | None = None
|
externalId: str | None = None
|
||||||
meta: dict | None = None
|
meta: dict | None = None
|
||||||
|
|||||||
@ -53,7 +53,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
|
|||||||
except LookupError:
|
except LookupError:
|
||||||
return None
|
return None
|
||||||
objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
|
objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
|
||||||
obj = objects.first()
|
obj = objects.filter(pk=instance.object_pk).first()
|
||||||
if not obj:
|
if not obj:
|
||||||
return None
|
return None
|
||||||
return str(obj)
|
return str(obj)
|
||||||
|
|||||||
@ -53,7 +53,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
|
|||||||
except LookupError:
|
except LookupError:
|
||||||
return None
|
return None
|
||||||
objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
|
objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
|
||||||
obj = objects.first()
|
obj = objects.filter(pk=instance.object_pk).first()
|
||||||
if not obj:
|
if not obj:
|
||||||
return None
|
return None
|
||||||
return str(obj)
|
return str(obj)
|
||||||
|
|||||||
@ -1,6 +1,8 @@
|
|||||||
"""Metrics view"""
|
"""Metrics view"""
|
||||||
|
|
||||||
from base64 import b64encode
|
from hmac import compare_digest
|
||||||
|
from pathlib import Path
|
||||||
|
from tempfile import gettempdir
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.db import connections
|
from django.db import connections
|
||||||
@ -16,22 +18,21 @@ monitoring_set = Signal()
|
|||||||
|
|
||||||
|
|
||||||
class MetricsView(View):
|
class MetricsView(View):
|
||||||
"""Wrapper around ExportToDjangoView, using http-basic auth"""
|
"""Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
|
||||||
|
|
||||||
|
def __init__(self, **kwargs):
|
||||||
|
_tmp = Path(gettempdir())
|
||||||
|
with open(_tmp / "authentik-core-metrics.key") as _f:
|
||||||
|
self.monitoring_key = _f.read()
|
||||||
|
|
||||||
def get(self, request: HttpRequest) -> HttpResponse:
|
def get(self, request: HttpRequest) -> HttpResponse:
|
||||||
"""Check for HTTP-Basic auth"""
|
"""Check for HTTP-Basic auth"""
|
||||||
auth_header = request.META.get("HTTP_AUTHORIZATION", "")
|
auth_header = request.META.get("HTTP_AUTHORIZATION", "")
|
||||||
auth_type, _, given_credentials = auth_header.partition(" ")
|
auth_type, _, given_credentials = auth_header.partition(" ")
|
||||||
credentials = f"monitor:{settings.SECRET_KEY}"
|
authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
|
||||||
expected = b64encode(str.encode(credentials)).decode()
|
|
||||||
authed = auth_type == "Basic" and given_credentials == expected
|
|
||||||
if not authed and not settings.DEBUG:
|
if not authed and not settings.DEBUG:
|
||||||
response = HttpResponse(status=401)
|
return HttpResponse(status=401)
|
||||||
response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
|
|
||||||
return response
|
|
||||||
|
|
||||||
monitoring_set.send_robust(self)
|
monitoring_set.send_robust(self)
|
||||||
|
|
||||||
return ExportToDjangoView(request)
|
return ExportToDjangoView(request)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -1,8 +1,9 @@
|
|||||||
"""root tests"""
|
"""root tests"""
|
||||||
|
|
||||||
from base64 import b64encode
|
from pathlib import Path
|
||||||
|
from secrets import token_urlsafe
|
||||||
|
from tempfile import gettempdir
|
||||||
|
|
||||||
from django.conf import settings
|
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
|
|
||||||
@ -10,6 +11,16 @@ from django.urls import reverse
|
|||||||
class TestRoot(TestCase):
|
class TestRoot(TestCase):
|
||||||
"""Test root application"""
|
"""Test root application"""
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
_tmp = Path(gettempdir())
|
||||||
|
self.token = token_urlsafe(32)
|
||||||
|
with open(_tmp / "authentik-core-metrics.key", "w") as _f:
|
||||||
|
_f.write(self.token)
|
||||||
|
|
||||||
|
def tearDown(self):
|
||||||
|
_tmp = Path(gettempdir())
|
||||||
|
(_tmp / "authentik-core-metrics.key").unlink()
|
||||||
|
|
||||||
def test_monitoring_error(self):
|
def test_monitoring_error(self):
|
||||||
"""Test monitoring without any credentials"""
|
"""Test monitoring without any credentials"""
|
||||||
response = self.client.get(reverse("metrics"))
|
response = self.client.get(reverse("metrics"))
|
||||||
@ -17,8 +28,7 @@ class TestRoot(TestCase):
|
|||||||
|
|
||||||
def test_monitoring_ok(self):
|
def test_monitoring_ok(self):
|
||||||
"""Test monitoring with credentials"""
|
"""Test monitoring with credentials"""
|
||||||
creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8")
|
auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
|
||||||
auth_headers = {"HTTP_AUTHORIZATION": creds}
|
|
||||||
response = self.client.get(reverse("metrics"), **auth_headers)
|
response = self.client.get(reverse("metrics"), **auth_headers)
|
||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
|||||||
@ -6,7 +6,6 @@ from tempfile import gettempdir
|
|||||||
from typing import Any
|
from typing import Any
|
||||||
|
|
||||||
import gssapi
|
import gssapi
|
||||||
import kadmin
|
|
||||||
import pglock
|
import pglock
|
||||||
from django.db import connection, models
|
from django.db import connection, models
|
||||||
from django.db.models.fields import b64decode
|
from django.db.models.fields import b64decode
|
||||||
@ -14,6 +13,8 @@ from django.http import HttpRequest
|
|||||||
from django.shortcuts import reverse
|
from django.shortcuts import reverse
|
||||||
from django.templatetags.static import static
|
from django.templatetags.static import static
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
from kadmin import KAdmin
|
||||||
|
from kadmin.exceptions import PyKAdminException
|
||||||
from rest_framework.serializers import Serializer
|
from rest_framework.serializers import Serializer
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -30,9 +31,8 @@ from authentik.flows.challenge import RedirectChallenge
|
|||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
# python-kadmin leaks file descriptors. As such, this global is used to reuse
|
# Creating kadmin connections is expensive. As such, this global is used to reuse
|
||||||
# existing kadmin connections instead of creating new ones, which results in less to no file
|
# existing kadmin connections instead of creating new ones
|
||||||
# descriptors leaks
|
|
||||||
_kadmin_connections: dict[str, Any] = {}
|
_kadmin_connections: dict[str, Any] = {}
|
||||||
|
|
||||||
|
|
||||||
@ -198,13 +198,13 @@ class KerberosSource(Source):
|
|||||||
conf_path.write_text(self.krb5_conf)
|
conf_path.write_text(self.krb5_conf)
|
||||||
return str(conf_path)
|
return str(conf_path)
|
||||||
|
|
||||||
def _kadmin_init(self) -> "kadmin.KAdmin | None":
|
def _kadmin_init(self) -> KAdmin | None:
|
||||||
# kadmin doesn't use a ccache for its connection
|
# kadmin doesn't use a ccache for its connection
|
||||||
# as such, we don't need to create a separate ccache for each source
|
# as such, we don't need to create a separate ccache for each source
|
||||||
if not self.sync_principal:
|
if not self.sync_principal:
|
||||||
return None
|
return None
|
||||||
if self.sync_password:
|
if self.sync_password:
|
||||||
return kadmin.init_with_password(
|
return KAdmin.with_password(
|
||||||
self.sync_principal,
|
self.sync_principal,
|
||||||
self.sync_password,
|
self.sync_password,
|
||||||
)
|
)
|
||||||
@ -215,18 +215,18 @@ class KerberosSource(Source):
|
|||||||
keytab_path.touch(mode=0o600)
|
keytab_path.touch(mode=0o600)
|
||||||
keytab_path.write_bytes(b64decode(self.sync_keytab))
|
keytab_path.write_bytes(b64decode(self.sync_keytab))
|
||||||
keytab = f"FILE:{keytab_path}"
|
keytab = f"FILE:{keytab_path}"
|
||||||
return kadmin.init_with_keytab(
|
return KAdmin.with_keytab(
|
||||||
self.sync_principal,
|
self.sync_principal,
|
||||||
keytab,
|
keytab,
|
||||||
)
|
)
|
||||||
if self.sync_ccache:
|
if self.sync_ccache:
|
||||||
return kadmin.init_with_ccache(
|
return KAdmin.with_ccache(
|
||||||
self.sync_principal,
|
self.sync_principal,
|
||||||
self.sync_ccache,
|
self.sync_ccache,
|
||||||
)
|
)
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def connection(self) -> "kadmin.KAdmin | None":
|
def connection(self) -> KAdmin | None:
|
||||||
"""Get kadmin connection"""
|
"""Get kadmin connection"""
|
||||||
if str(self.pk) not in _kadmin_connections:
|
if str(self.pk) not in _kadmin_connections:
|
||||||
kadm = self._kadmin_init()
|
kadm = self._kadmin_init()
|
||||||
@ -246,7 +246,7 @@ class KerberosSource(Source):
|
|||||||
status["status"] = "no connection"
|
status["status"] = "no connection"
|
||||||
return status
|
return status
|
||||||
status["principal_exists"] = kadm.principal_exists(self.sync_principal)
|
status["principal_exists"] = kadm.principal_exists(self.sync_principal)
|
||||||
except kadmin.KAdminError as exc:
|
except PyKAdminException as exc:
|
||||||
status["status"] = str(exc)
|
status["status"] = str(exc)
|
||||||
return status
|
return status
|
||||||
|
|
||||||
|
|||||||
@ -1,8 +1,8 @@
|
|||||||
"""authentik kerberos source signals"""
|
"""authentik kerberos source signals"""
|
||||||
|
|
||||||
import kadmin
|
|
||||||
from django.db.models.signals import post_save
|
from django.db.models.signals import post_save
|
||||||
from django.dispatch import receiver
|
from django.dispatch import receiver
|
||||||
|
from kadmin.exceptions import PyKAdminException
|
||||||
from rest_framework.serializers import ValidationError
|
from rest_framework.serializers import ValidationError
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -48,7 +48,7 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
|
|||||||
source.connection().getprinc(user_source_connection.identifier).change_password(
|
source.connection().getprinc(user_source_connection.identifier).change_password(
|
||||||
password
|
password
|
||||||
)
|
)
|
||||||
except kadmin.KAdminError as exc:
|
except PyKAdminException as exc:
|
||||||
LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
|
LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
|
||||||
Event.new(
|
Event.new(
|
||||||
EventAction.CONFIGURATION_ERROR,
|
EventAction.CONFIGURATION_ERROR,
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
from typing import Any
|
from typing import Any
|
||||||
|
|
||||||
import kadmin
|
|
||||||
from django.core.exceptions import FieldError
|
from django.core.exceptions import FieldError
|
||||||
from django.db import IntegrityError, transaction
|
from django.db import IntegrityError, transaction
|
||||||
|
from kadmin import KAdmin
|
||||||
from structlog.stdlib import BoundLogger, get_logger
|
from structlog.stdlib import BoundLogger, get_logger
|
||||||
|
|
||||||
from authentik.core.expression.exceptions import (
|
from authentik.core.expression.exceptions import (
|
||||||
@ -30,7 +30,7 @@ class KerberosSync:
|
|||||||
|
|
||||||
_source: KerberosSource
|
_source: KerberosSource
|
||||||
_logger: BoundLogger
|
_logger: BoundLogger
|
||||||
_connection: "kadmin.KAdmin"
|
_connection: KAdmin
|
||||||
mapper: SourceMapper
|
mapper: SourceMapper
|
||||||
user_manager: PropertyMappingManager
|
user_manager: PropertyMappingManager
|
||||||
group_manager: PropertyMappingManager
|
group_manager: PropertyMappingManager
|
||||||
@ -161,7 +161,7 @@ class KerberosSync:
|
|||||||
|
|
||||||
user_count = 0
|
user_count = 0
|
||||||
with Krb5ConfContext(self._source):
|
with Krb5ConfContext(self._source):
|
||||||
for principal in self._connection.principals():
|
for principal in self._connection.list_principals(None):
|
||||||
if self._handle_principal(principal):
|
if self._handle_principal(principal):
|
||||||
user_count += 1
|
user_count += 1
|
||||||
return user_count
|
return user_count
|
||||||
|
|||||||
@ -23,6 +23,7 @@ class TestKerberosAuth(KerberosTestCase):
|
|||||||
)
|
)
|
||||||
self.user = User.objects.create(username=generate_id())
|
self.user = User.objects.create(username=generate_id())
|
||||||
self.user.set_unusable_password()
|
self.user.set_unusable_password()
|
||||||
|
self.user.save()
|
||||||
UserKerberosSourceConnection.objects.create(
|
UserKerberosSourceConnection.objects.create(
|
||||||
source=self.source, user=self.user, identifier=self.realm.user_princ
|
source=self.source, user=self.user, identifier=self.realm.user_princ
|
||||||
)
|
)
|
||||||
|
|||||||
@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
from base64 import b64decode, b64encode
|
from base64 import b64decode, b64encode
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
from sys import platform
|
||||||
|
from unittest import skipUnless
|
||||||
|
|
||||||
import gssapi
|
import gssapi
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
@ -36,6 +38,7 @@ class TestSPNEGOSource(KerberosTestCase):
|
|||||||
)
|
)
|
||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
@skipUnless(platform.startswith("linux"), "Requires compatible GSSAPI implementation")
|
||||||
def test_source_login(self):
|
def test_source_login(self):
|
||||||
"""test login view"""
|
"""test login view"""
|
||||||
response = self.client.get(
|
response = self.client.get(
|
||||||
|
|||||||
File diff suppressed because one or more lines are too long
@ -17,6 +17,7 @@ class CaptchaStageSerializer(StageSerializer):
|
|||||||
"private_key",
|
"private_key",
|
||||||
"js_url",
|
"js_url",
|
||||||
"api_url",
|
"api_url",
|
||||||
|
"interactive",
|
||||||
"score_min_threshold",
|
"score_min_threshold",
|
||||||
"score_max_threshold",
|
"score_max_threshold",
|
||||||
"error_on_invalid_score",
|
"error_on_invalid_score",
|
||||||
|
|||||||
@ -0,0 +1,18 @@
|
|||||||
|
# Generated by Django 5.0.9 on 2024-10-30 14:28
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_stages_captcha", "0003_captchastage_error_on_invalid_score_and_more"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="captchastage",
|
||||||
|
name="interactive",
|
||||||
|
field=models.BooleanField(default=False),
|
||||||
|
),
|
||||||
|
]
|
||||||
@ -9,11 +9,13 @@ from authentik.flows.models import Stage
|
|||||||
|
|
||||||
|
|
||||||
class CaptchaStage(Stage):
|
class CaptchaStage(Stage):
|
||||||
"""Verify the user is human using Google's reCaptcha."""
|
"""Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions."""
|
||||||
|
|
||||||
public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider."))
|
public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider."))
|
||||||
private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider."))
|
private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider."))
|
||||||
|
|
||||||
|
interactive = models.BooleanField(default=False)
|
||||||
|
|
||||||
score_min_threshold = models.FloatField(default=0.5) # Default values for reCaptcha
|
score_min_threshold = models.FloatField(default=0.5) # Default values for reCaptcha
|
||||||
score_max_threshold = models.FloatField(default=1.0) # Default values for reCaptcha
|
score_max_threshold = models.FloatField(default=1.0) # Default values for reCaptcha
|
||||||
|
|
||||||
|
|||||||
@ -3,7 +3,7 @@
|
|||||||
from django.http.response import HttpResponse
|
from django.http.response import HttpResponse
|
||||||
from django.utils.translation import gettext as _
|
from django.utils.translation import gettext as _
|
||||||
from requests import RequestException
|
from requests import RequestException
|
||||||
from rest_framework.fields import CharField
|
from rest_framework.fields import BooleanField, CharField
|
||||||
from rest_framework.serializers import ValidationError
|
from rest_framework.serializers import ValidationError
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -24,10 +24,12 @@ PLAN_CONTEXT_CAPTCHA = "captcha"
|
|||||||
class CaptchaChallenge(WithUserInfoChallenge):
|
class CaptchaChallenge(WithUserInfoChallenge):
|
||||||
"""Site public key"""
|
"""Site public key"""
|
||||||
|
|
||||||
site_key = CharField()
|
|
||||||
js_url = CharField()
|
|
||||||
component = CharField(default="ak-stage-captcha")
|
component = CharField(default="ak-stage-captcha")
|
||||||
|
|
||||||
|
site_key = CharField(required=True)
|
||||||
|
js_url = CharField(required=True)
|
||||||
|
interactive = BooleanField(required=True)
|
||||||
|
|
||||||
|
|
||||||
def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
|
def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
|
||||||
"""Validate captcha token"""
|
"""Validate captcha token"""
|
||||||
@ -103,6 +105,7 @@ class CaptchaStageView(ChallengeStageView):
|
|||||||
data={
|
data={
|
||||||
"js_url": self.executor.current_stage.js_url,
|
"js_url": self.executor.current_stage.js_url,
|
||||||
"site_key": self.executor.current_stage.public_key,
|
"site_key": self.executor.current_stage.public_key,
|
||||||
|
"interactive": self.executor.current_stage.interactive,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
@ -223,6 +223,7 @@ class IdentificationStageView(ChallengeStageView):
|
|||||||
{
|
{
|
||||||
"js_url": current_stage.captcha_stage.js_url,
|
"js_url": current_stage.captcha_stage.js_url,
|
||||||
"site_key": current_stage.captcha_stage.public_key,
|
"site_key": current_stage.captcha_stage.public_key,
|
||||||
|
"interactive": current_stage.captcha_stage.interactive,
|
||||||
}
|
}
|
||||||
if current_stage.captcha_stage
|
if current_stage.captcha_stage
|
||||||
else None
|
else None
|
||||||
|
|||||||
@ -21,7 +21,7 @@ from authentik.flows.challenge import (
|
|||||||
WithUserInfoChallenge,
|
WithUserInfoChallenge,
|
||||||
)
|
)
|
||||||
from authentik.flows.exceptions import StageInvalidException
|
from authentik.flows.exceptions import StageInvalidException
|
||||||
from authentik.flows.models import Flow, FlowDesignation, Stage
|
from authentik.flows.models import Flow, Stage
|
||||||
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
||||||
from authentik.flows.stage import ChallengeStageView
|
from authentik.flows.stage import ChallengeStageView
|
||||||
from authentik.lib.utils.reflection import path_to_class
|
from authentik.lib.utils.reflection import path_to_class
|
||||||
@ -141,11 +141,11 @@ class PasswordStageView(ChallengeStageView):
|
|||||||
"allow_show_password": self.executor.current_stage.allow_show_password,
|
"allow_show_password": self.executor.current_stage.allow_show_password,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
|
recovery_flow: Flow | None = self.request.brand.flow_recovery
|
||||||
if recovery_flow.exists():
|
if recovery_flow:
|
||||||
recover_url = reverse(
|
recover_url = reverse(
|
||||||
"authentik_core:if-flow",
|
"authentik_core:if-flow",
|
||||||
kwargs={"flow_slug": recovery_flow.first().slug},
|
kwargs={"flow_slug": recovery_flow.slug},
|
||||||
)
|
)
|
||||||
challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
|
challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
|
||||||
return challenge
|
return challenge
|
||||||
|
|||||||
@ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch
|
|||||||
from django.core.exceptions import PermissionDenied
|
from django.core.exceptions import PermissionDenied
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
|
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
|
||||||
from authentik.flows.markers import StageMarker
|
from authentik.flows.markers import StageMarker
|
||||||
from authentik.flows.models import FlowDesignation, FlowStageBinding
|
from authentik.flows.models import FlowDesignation, FlowStageBinding
|
||||||
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
|
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
|
||||||
@ -57,6 +57,9 @@ class TestPasswordStage(FlowTestCase):
|
|||||||
def test_recovery_flow_link(self):
|
def test_recovery_flow_link(self):
|
||||||
"""Test link to the default recovery flow"""
|
"""Test link to the default recovery flow"""
|
||||||
flow = create_test_flow(designation=FlowDesignation.RECOVERY)
|
flow = create_test_flow(designation=FlowDesignation.RECOVERY)
|
||||||
|
brand = create_test_brand()
|
||||||
|
brand.flow_recovery = flow
|
||||||
|
brand.save()
|
||||||
|
|
||||||
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
|
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
|
||||||
session = self.client.session
|
session = self.client.session
|
||||||
|
|||||||
@ -23,6 +23,7 @@ class SettingsSerializer(ModelSerializer):
|
|||||||
"footer_links",
|
"footer_links",
|
||||||
"gdpr_compliance",
|
"gdpr_compliance",
|
||||||
"impersonation",
|
"impersonation",
|
||||||
|
"impersonation_require_reason",
|
||||||
"default_token_duration",
|
"default_token_duration",
|
||||||
"default_token_length",
|
"default_token_length",
|
||||||
]
|
]
|
||||||
|
|||||||
@ -0,0 +1,21 @@
|
|||||||
|
# Generated by Django 5.0.9 on 2024-11-07 15:08
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_tenants", "0003_alter_tenant_default_token_duration"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="tenant",
|
||||||
|
name="impersonation_require_reason",
|
||||||
|
field=models.BooleanField(
|
||||||
|
default=True,
|
||||||
|
help_text="Require administrators to provide a reason for impersonating a user.",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
||||||
@ -85,6 +85,10 @@ class Tenant(TenantMixin, SerializerModel):
|
|||||||
impersonation = models.BooleanField(
|
impersonation = models.BooleanField(
|
||||||
help_text=_("Globally enable/disable impersonation."), default=True
|
help_text=_("Globally enable/disable impersonation."), default=True
|
||||||
)
|
)
|
||||||
|
impersonation_require_reason = models.BooleanField(
|
||||||
|
help_text=_("Require administrators to provide a reason for impersonating a user."),
|
||||||
|
default=True,
|
||||||
|
)
|
||||||
default_token_duration = models.TextField(
|
default_token_duration = models.TextField(
|
||||||
help_text=_("Default token duration"),
|
help_text=_("Default token duration"),
|
||||||
default=DEFAULT_TOKEN_DURATION,
|
default=DEFAULT_TOKEN_DURATION,
|
||||||
|
|||||||
@ -8,9 +8,11 @@ from authentik.root.install_id import get_install_id
|
|||||||
from authentik.tenants.models import Tenant
|
from authentik.tenants.models import Tenant
|
||||||
|
|
||||||
|
|
||||||
def get_current_tenant() -> Tenant:
|
def get_current_tenant(only: list[str] | None = None) -> Tenant:
|
||||||
"""Get tenant for current request"""
|
"""Get tenant for current request"""
|
||||||
return Tenant.objects.get(schema_name=connection.schema_name)
|
if only is None:
|
||||||
|
only = []
|
||||||
|
return Tenant.objects.only(*only).get(schema_name=connection.schema_name)
|
||||||
|
|
||||||
|
|
||||||
def get_unique_identifier() -> str:
|
def get_unique_identifier() -> str:
|
||||||
|
|||||||
@ -101,7 +101,6 @@ entries:
|
|||||||
- !KeyOf prompt-field-email
|
- !KeyOf prompt-field-email
|
||||||
- !KeyOf prompt-field-password
|
- !KeyOf prompt-field-password
|
||||||
- !KeyOf prompt-field-password-repeat
|
- !KeyOf prompt-field-password-repeat
|
||||||
validation_policies: []
|
|
||||||
id: stage-default-oobe-password
|
id: stage-default-oobe-password
|
||||||
identifiers:
|
identifiers:
|
||||||
name: stage-default-oobe-password
|
name: stage-default-oobe-password
|
||||||
|
|||||||
@ -2,6 +2,17 @@ version: 1
|
|||||||
metadata:
|
metadata:
|
||||||
name: Default - Password change flow
|
name: Default - Password change flow
|
||||||
entries:
|
entries:
|
||||||
|
- attrs:
|
||||||
|
check_static_rules: true
|
||||||
|
check_zxcvbn: true
|
||||||
|
length_min: 8
|
||||||
|
password_field: password
|
||||||
|
zxcvbn_score_threshold: 2
|
||||||
|
error_message: Password needs to be 8 characters or longer.
|
||||||
|
identifiers:
|
||||||
|
name: default-password-change-password-policy
|
||||||
|
model: authentik_policies_password.passwordpolicy
|
||||||
|
id: default-password-change-password-policy
|
||||||
- attrs:
|
- attrs:
|
||||||
designation: stage_configuration
|
designation: stage_configuration
|
||||||
name: Change Password
|
name: Change Password
|
||||||
@ -39,6 +50,8 @@ entries:
|
|||||||
fields:
|
fields:
|
||||||
- !KeyOf prompt-field-password
|
- !KeyOf prompt-field-password
|
||||||
- !KeyOf prompt-field-password-repeat
|
- !KeyOf prompt-field-password-repeat
|
||||||
|
validation_policies:
|
||||||
|
- !KeyOf default-password-change-password-policy
|
||||||
identifiers:
|
identifiers:
|
||||||
name: default-password-change-prompt
|
name: default-password-change-prompt
|
||||||
id: default-password-change-prompt
|
id: default-password-change-prompt
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
"$schema": "http://json-schema.org/draft-07/schema",
|
"$schema": "http://json-schema.org/draft-07/schema",
|
||||||
"$id": "https://goauthentik.io/blueprints/schema.json",
|
"$id": "https://goauthentik.io/blueprints/schema.json",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"title": "authentik 2024.10.0 Blueprint schema",
|
"title": "authentik 2024.10.4 Blueprint schema",
|
||||||
"required": [
|
"required": [
|
||||||
"version",
|
"version",
|
||||||
"entries"
|
"entries"
|
||||||
@ -5570,9 +5570,30 @@
|
|||||||
"description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
|
"description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
|
||||||
},
|
},
|
||||||
"redirect_uris": {
|
"redirect_uris": {
|
||||||
"type": "string",
|
"type": "array",
|
||||||
"title": "Redirect URIs",
|
"items": {
|
||||||
"description": "Enter each URI on a new line."
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"matching_mode": {
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
"strict",
|
||||||
|
"regex"
|
||||||
|
],
|
||||||
|
"title": "Matching mode"
|
||||||
|
},
|
||||||
|
"url": {
|
||||||
|
"type": "string",
|
||||||
|
"minLength": 1,
|
||||||
|
"title": "Url"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"required": [
|
||||||
|
"matching_mode",
|
||||||
|
"url"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"title": "Redirect uris"
|
||||||
},
|
},
|
||||||
"sub_mode": {
|
"sub_mode": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
@ -9781,6 +9802,10 @@
|
|||||||
"minLength": 1,
|
"minLength": 1,
|
||||||
"title": "Api url"
|
"title": "Api url"
|
||||||
},
|
},
|
||||||
|
"interactive": {
|
||||||
|
"type": "boolean",
|
||||||
|
"title": "Interactive"
|
||||||
|
},
|
||||||
"score_min_threshold": {
|
"score_min_threshold": {
|
||||||
"type": "number",
|
"type": "number",
|
||||||
"title": "Score min threshold"
|
"title": "Score min threshold"
|
||||||
@ -13383,12 +13408,6 @@
|
|||||||
"title": "Authorization flow",
|
"title": "Authorization flow",
|
||||||
"description": "Flow used when authorizing this provider."
|
"description": "Flow used when authorizing this provider."
|
||||||
},
|
},
|
||||||
"invalidation_flow": {
|
|
||||||
"type": "string",
|
|
||||||
"format": "uuid",
|
|
||||||
"title": "Invalidation flow",
|
|
||||||
"description": "Flow used ending the session from a provider."
|
|
||||||
},
|
|
||||||
"property_mappings": {
|
"property_mappings": {
|
||||||
"type": "array",
|
"type": "array",
|
||||||
"items": {
|
"items": {
|
||||||
|
|||||||
@ -31,7 +31,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- redis:/data
|
- redis:/data
|
||||||
server:
|
server:
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: server
|
command: server
|
||||||
environment:
|
environment:
|
||||||
@ -52,7 +52,7 @@ services:
|
|||||||
- postgresql
|
- postgresql
|
||||||
- redis
|
- redis
|
||||||
worker:
|
worker:
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: worker
|
command: worker
|
||||||
environment:
|
environment:
|
||||||
|
|||||||
6
go.mod
6
go.mod
@ -29,10 +29,10 @@ require (
|
|||||||
github.com/spf13/cobra v1.8.1
|
github.com/spf13/cobra v1.8.1
|
||||||
github.com/stretchr/testify v1.9.0
|
github.com/stretchr/testify v1.9.0
|
||||||
github.com/wwt/guac v1.3.2
|
github.com/wwt/guac v1.3.2
|
||||||
goauthentik.io/api/v3 v3.2024100.1
|
goauthentik.io/api/v3 v3.2024104.1
|
||||||
golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
|
golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
|
||||||
golang.org/x/oauth2 v0.23.0
|
golang.org/x/oauth2 v0.24.0
|
||||||
golang.org/x/sync v0.8.0
|
golang.org/x/sync v0.9.0
|
||||||
gopkg.in/yaml.v2 v2.4.0
|
gopkg.in/yaml.v2 v2.4.0
|
||||||
layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
|
layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
|
||||||
)
|
)
|
||||||
|
|||||||
12
go.sum
12
go.sum
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
|
|||||||
go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
|
go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
|
||||||
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
|
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
|
||||||
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
|
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
|
||||||
goauthentik.io/api/v3 v3.2024100.1 h1:ve8xiaKOyUD5oCkNAsu1o3nc7aolt9bKTTR2qMI1iU4=
|
goauthentik.io/api/v3 v3.2024104.1 h1:N09HAJ66W965QEYpx6sJzcaQxPsnFykVwkzVjVK/zH0=
|
||||||
goauthentik.io/api/v3 v3.2024100.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
|
goauthentik.io/api/v3 v3.2024104.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
|
||||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||||
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
|
|||||||
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
|
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
|
||||||
golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
|
golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
|
||||||
golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
|
golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
|
||||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
@ -400,8 +400,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
|
|||||||
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
|
golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
|
||||||
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||||
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||||
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
|
|||||||
@ -29,4 +29,4 @@ func UserAgent() string {
|
|||||||
return fmt.Sprintf("authentik@%s", FullVersion())
|
return fmt.Sprintf("authentik@%s", FullVersion())
|
||||||
}
|
}
|
||||||
|
|
||||||
const VERSION = "2024.10.0"
|
const VERSION = "2024.10.4"
|
||||||
|
|||||||
@ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
|
|||||||
ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
|
ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
proxyListener := &proxyproto.Listener{Listener: ln}
|
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
ls.log.WithField("listen", listen).Info("Starting LDAP server")
|
ls.log.WithField("listen", listen).Info("Starting LDAP server")
|
||||||
|
|||||||
@ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
proxyListener := &proxyproto.Listener{Listener: ln}
|
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
tln := tls.NewListener(proxyListener, tlsConfig)
|
tln := tls.NewListener(proxyListener, tlsConfig)
|
||||||
|
|||||||
@ -23,6 +23,7 @@ import (
|
|||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
"goauthentik.io/api/v3"
|
"goauthentik.io/api/v3"
|
||||||
|
"goauthentik.io/internal/config"
|
||||||
"goauthentik.io/internal/outpost/ak"
|
"goauthentik.io/internal/outpost/ak"
|
||||||
"goauthentik.io/internal/outpost/proxyv2/constants"
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
||||||
"goauthentik.io/internal/outpost/proxyv2/hs256"
|
"goauthentik.io/internal/outpost/proxyv2/hs256"
|
||||||
@ -121,6 +122,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
|
|||||||
bs := string(h.Sum([]byte(*p.ClientId)))
|
bs := string(h.Sum([]byte(*p.ClientId)))
|
||||||
sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
|
sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
|
||||||
|
|
||||||
|
// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
|
||||||
|
// otherwise we use the internally configured authentik_host
|
||||||
|
tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)
|
||||||
|
if config.Get().AuthentikHostBrowser != "" {
|
||||||
|
tokenEndpointHost = config.Get().AuthentikHostBrowser
|
||||||
|
}
|
||||||
|
publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost)
|
||||||
|
|
||||||
a := &Application{
|
a := &Application{
|
||||||
Host: externalHost.Host,
|
Host: externalHost.Host,
|
||||||
log: muxLogger,
|
log: muxLogger,
|
||||||
@ -131,7 +140,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
|
|||||||
tokenVerifier: verifier,
|
tokenVerifier: verifier,
|
||||||
proxyConfig: p,
|
proxyConfig: p,
|
||||||
httpClient: c,
|
httpClient: c,
|
||||||
publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)),
|
publicHostHTTPClient: publicHTTPClient,
|
||||||
mux: mux,
|
mux: mux,
|
||||||
errorTemplates: templates.GetTemplates(),
|
errorTemplates: templates.GetTemplates(),
|
||||||
ak: server.API(),
|
ak: server.API(),
|
||||||
|
|||||||
@ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() {
|
|||||||
ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
|
ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
proxyListener := &proxyproto.Listener{Listener: listener}
|
proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
|
ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
|
||||||
@ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() {
|
|||||||
ps.log.WithError(err).Warning("Failed to listen (TLS)")
|
ps.log.WithError(err).Warning("Failed to listen (TLS)")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
|
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
||||||
|
|||||||
34
internal/utils/proxy.go
Normal file
34
internal/utils/proxy.go
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
package utils
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net"
|
||||||
|
|
||||||
|
"github.com/pires/go-proxyproto"
|
||||||
|
log "github.com/sirupsen/logrus"
|
||||||
|
"goauthentik.io/internal/config"
|
||||||
|
)
|
||||||
|
|
||||||
|
func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc {
|
||||||
|
nets := []*net.IPNet{}
|
||||||
|
for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
|
||||||
|
_, cidr, err := net.ParseCIDR(rn)
|
||||||
|
if err != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
nets = append(nets, cidr)
|
||||||
|
}
|
||||||
|
return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
|
||||||
|
host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String())
|
||||||
|
if err == nil {
|
||||||
|
// remoteAddr will be nil if the IP cannot be parsed
|
||||||
|
remoteAddr := net.ParseIP(host)
|
||||||
|
for _, allowedCidr := range nets {
|
||||||
|
if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
|
||||||
|
log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol")
|
||||||
|
return proxyproto.USE, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return proxyproto.SKIP, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
@ -14,8 +14,10 @@ type hostInterceptor struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) {
|
func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) {
|
||||||
r.Host = t.host
|
if r.Host != t.host {
|
||||||
r.Header.Set("X-Forwarded-Proto", t.scheme)
|
r.Host = t.host
|
||||||
|
r.Header.Set("X-Forwarded-Proto", t.scheme)
|
||||||
|
}
|
||||||
return t.inner.RoundTrip(r)
|
return t.inner.RoundTrip(r)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -1,11 +1,15 @@
|
|||||||
package web
|
package web
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"path"
|
||||||
|
|
||||||
"github.com/gorilla/mux"
|
"github.com/gorilla/mux"
|
||||||
|
"github.com/gorilla/securecookie"
|
||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
"github.com/prometheus/client_golang/prometheus/promauto"
|
"github.com/prometheus/client_golang/prometheus/promauto"
|
||||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||||
@ -14,14 +18,25 @@ import (
|
|||||||
"goauthentik.io/internal/utils/sentry"
|
"goauthentik.io/internal/utils/sentry"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const MetricsKeyFile = "authentik-core-metrics.key"
|
||||||
|
|
||||||
var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
||||||
Name: "authentik_main_request_duration_seconds",
|
Name: "authentik_main_request_duration_seconds",
|
||||||
Help: "API request latencies in seconds",
|
Help: "API request latencies in seconds",
|
||||||
}, []string{"dest"})
|
}, []string{"dest"})
|
||||||
|
|
||||||
func (ws *WebServer) runMetricsServer() {
|
func (ws *WebServer) runMetricsServer() {
|
||||||
m := mux.NewRouter()
|
|
||||||
l := log.WithField("logger", "authentik.router.metrics")
|
l := log.WithField("logger", "authentik.router.metrics")
|
||||||
|
tmp := os.TempDir()
|
||||||
|
key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
|
||||||
|
keyPath := path.Join(tmp, MetricsKeyFile)
|
||||||
|
err := os.WriteFile(keyPath, []byte(key), 0o600)
|
||||||
|
if err != nil {
|
||||||
|
l.WithError(err).Warning("failed to save metrics key")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
m := mux.NewRouter()
|
||||||
m.Use(sentry.SentryNoSampleMiddleware)
|
m.Use(sentry.SentryNoSampleMiddleware)
|
||||||
m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
promhttp.InstrumentMetricHandler(
|
promhttp.InstrumentMetricHandler(
|
||||||
@ -36,7 +51,7 @@ func (ws *WebServer) runMetricsServer() {
|
|||||||
l.WithError(err).Warning("failed to get upstream metrics")
|
l.WithError(err).Warning("failed to get upstream metrics")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
re.SetBasicAuth("monitor", config.Get().SecretKey)
|
re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
|
||||||
res, err := ws.upstreamHttpClient().Do(re)
|
res, err := ws.upstreamHttpClient().Do(re)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
l.WithError(err).Warning("failed to get upstream metrics")
|
l.WithError(err).Warning("failed to get upstream metrics")
|
||||||
@ -49,9 +64,13 @@ func (ws *WebServer) runMetricsServer() {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
|
l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
|
||||||
err := http.ListenAndServe(config.Get().Listen.Metrics, m)
|
err = http.ListenAndServe(config.Get().Listen.Metrics, m)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
l.WithError(err).Warning("Failed to start metrics server")
|
l.WithError(err).Warning("Failed to start metrics server")
|
||||||
}
|
}
|
||||||
l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
|
l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
|
||||||
|
err = os.Remove(keyPath)
|
||||||
|
if err != nil {
|
||||||
|
l.WithError(err).Warning("failed to remove metrics key file")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -42,8 +42,11 @@ func (ws *WebServer) configureStatic() {
|
|||||||
|
|
||||||
// Media files, if backend is file
|
// Media files, if backend is file
|
||||||
if config.Get().Storage.Media.Backend == "file" {
|
if config.Get().Storage.Media.Backend == "file" {
|
||||||
fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
|
fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
|
||||||
staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
|
staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
|
||||||
|
fsMedia.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
|
staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
|
||||||
|
|||||||
@ -19,6 +19,7 @@ import (
|
|||||||
"goauthentik.io/internal/config"
|
"goauthentik.io/internal/config"
|
||||||
"goauthentik.io/internal/gounicorn"
|
"goauthentik.io/internal/gounicorn"
|
||||||
"goauthentik.io/internal/outpost/proxyv2"
|
"goauthentik.io/internal/outpost/proxyv2"
|
||||||
|
"goauthentik.io/internal/utils"
|
||||||
"goauthentik.io/internal/utils/web"
|
"goauthentik.io/internal/utils/web"
|
||||||
"goauthentik.io/internal/web/brand_tls"
|
"goauthentik.io/internal/web/brand_tls"
|
||||||
)
|
)
|
||||||
@ -52,7 +53,7 @@ func NewWebServer() *WebServer {
|
|||||||
loggingHandler.Use(web.NewLoggingHandler(l, nil))
|
loggingHandler.Use(web.NewLoggingHandler(l, nil))
|
||||||
|
|
||||||
tmp := os.TempDir()
|
tmp := os.TempDir()
|
||||||
socketPath := path.Join(tmp, "authentik-core.sock")
|
socketPath := path.Join(tmp, UnixSocketName)
|
||||||
|
|
||||||
// create http client to talk to backend, normal client if we're in debug more
|
// create http client to talk to backend, normal client if we're in debug more
|
||||||
// and a client that connects to our socket when in non debug mode
|
// and a client that connects to our socket when in non debug mode
|
||||||
@ -149,7 +150,7 @@ func (ws *WebServer) listenPlain() {
|
|||||||
ws.log.WithError(err).Warning("failed to listen")
|
ws.log.WithError(err).Warning("failed to listen")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
proxyListener := &proxyproto.Listener{Listener: ln}
|
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
|
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
|
||||||
|
|||||||
@ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() {
|
|||||||
ws.log.WithError(err).Warning("failed to listen (TLS)")
|
ws.log.WithError(err).Warning("failed to listen (TLS)")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
|
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
||||||
@ -33,6 +33,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
|
|||||||
# Stage 2: Run
|
# Stage 2: Run
|
||||||
FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
|
FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
|
||||||
|
|
||||||
|
ARG VERSION
|
||||||
ARG GIT_BUILD_HASH
|
ARG GIT_BUILD_HASH
|
||||||
ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
||||||
|
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user