core: applications backchannel provider (#5449)

* backchannel applications Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add webui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include assigned app in provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve backchannel provider list display Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make ldap provider compatible Signed-off-by: Jens Langhammer <jens@goauthentik.io> * show backchannel providers in app view Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make backchannel required for SCIM Signed-off-by: Jens Langhammer <jens@goauthentik.io> * cleanup api Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Apply suggestions from code review Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2023-05-08 15:29:12 +02:00
parent 9f4be4d150
commit 7acd0558f5
23 changed files with 496 additions and 36 deletions
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -52,6 +52,9 @@ class ApplicationSerializer(ModelSerializer):

    launch_url = SerializerMethodField()
    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
+    backchannel_providers_obj = ProviderSerializer(
+        source="backchannel_providers", required=False, read_only=True, many=True
+    )

    meta_icon = ReadOnlyField(source="get_meta_icon")

@ -75,6 +78,8 @@ class ApplicationSerializer(ModelSerializer):
            "slug",
            "provider",
            "provider_obj",
+            "backchannel_providers",
+            "backchannel_providers_obj",
            "launch_url",
            "open_in_new_tab",
            "meta_launch_url",
@ -86,6 +91,7 @@ class ApplicationSerializer(ModelSerializer):
        ]
        extra_kwargs = {
            "meta_icon": {"read_only": True},
+            "backchannel_providers": {"required": False},
        }


--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -1,5 +1,7 @@
 """Provider API Views"""
 from django.utils.translation import gettext_lazy as _
+from django_filters.filters import BooleanFilter
+from django_filters.filterset import FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
@ -20,6 +22,8 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):

    assigned_application_slug = ReadOnlyField(source="application.slug")
    assigned_application_name = ReadOnlyField(source="application.name")
+    assigned_backchannel_application_slug = ReadOnlyField(source="backchannel_application.slug")
+    assigned_backchannel_application_name = ReadOnlyField(source="backchannel_application.name")

    component = SerializerMethodField()

@ -40,6 +44,8 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "component",
            "assigned_application_slug",
            "assigned_application_name",
+            "assigned_backchannel_application_slug",
+            "assigned_backchannel_application_name",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
@ -49,6 +55,22 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
        }


+class ProviderFilter(FilterSet):
+    """Filter for groups"""
+
+    application__isnull = BooleanFilter(
+        field_name="application",
+        lookup_expr="isnull",
+    )
+    backchannel_only = BooleanFilter(
+        method="filter_backchannel_only",
+    )
+
+    def filter_backchannel_only(self, queryset, name, value):
+        """Only return backchannel providers"""
+        return queryset.filter(is_backchannel=value)
+
+
 class ProviderViewSet(
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
@ -60,9 +82,7 @@ class ProviderViewSet(

    queryset = Provider.objects.none()
    serializer_class = ProviderSerializer
-    filterset_fields = {
-        "application": ["isnull"],
-    }
+    filterset_class = ProviderFilter
    search_fields = [
        "name",
        "application__name",
@ -78,6 +98,8 @@ class ProviderViewSet(
        data = []
        for subclass in all_subclasses(self.queryset.model):
            subclass: Provider
+            if subclass._meta.abstract:
+                continue
            data.append(
                {
                    "name": subclass._meta.verbose_name,
--- a/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
+++ b/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
@ -0,0 +1,49 @@
+# Generated by Django 4.1.7 on 2023-04-30 17:56
+
+import django.db.models.deletion
+from django.apps.registry import Apps
+from django.db import DatabaseError, InternalError, ProgrammingError, migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.core.models import BackchannelProvider
+
+    for model in BackchannelProvider.__subclasses__():
+        try:
+            for obj in model.objects.all():
+                obj.is_backchannel = True
+                obj.save()
+        except (DatabaseError, InternalError, ProgrammingError):
+            # The model might not have been migrated yet/doesn't exist yet
+            # so we don't need to worry about backporting the data
+            pass
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_core", "0028_provider_authentication_flow"),
+        ("authentik_providers_ldap", "0002_ldapprovider_bind_mode"),
+        ("authentik_providers_scim", "0006_rename_parent_group_scimprovider_filter_group"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="provider",
+            name="backchannel_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Accessed from applications; optional backchannel providers for protocols like LDAP and SCIM.",
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="backchannel_providers",
+                to="authentik_core.application",
+            ),
+        ),
+        migrations.AddField(
+            model_name="provider",
+            name="is_backchannel",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.RunPython(backport_is_backchannel),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -270,6 +270,20 @@ class Provider(SerializerModel):

    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)

+    backchannel_application = models.ForeignKey(
+        "Application",
+        default=None,
+        null=True,
+        on_delete=models.CASCADE,
+        help_text=_(
+            "Accessed from applications; optional backchannel providers for protocols "
+            "like LDAP and SCIM."
+        ),
+        related_name="backchannel_providers",
+    )
+
+    is_backchannel = models.BooleanField(default=False)
+
    objects = InheritanceManager()

    @property
@ -292,6 +306,26 @@ class Provider(SerializerModel):
        return str(self.name)


+class BackchannelProvider(Provider):
+    """Base class for providers that augment other providers, for example LDAP and SCIM.
+    Multiple of these providers can be configured per application, they may not use the application
+    slug in URLs as an application may have multiple instances of the same
+    type of Backchannel provider
+
+    They can use the application's policies and metadata"""
+
+    @property
+    def component(self) -> str:
+        raise NotImplementedError
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        raise NotImplementedError
+
+    class Meta:
+        abstract = True
+
+
 class Application(SerializerModel, PolicyBindingModel):
    """Every Application which uses authentik for authentication/identification/authorization
    needs an Application record. Other authentication types can subclass this Model to
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -6,11 +6,11 @@ from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_save, pre_delete
+from django.db.models.signals import post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application, AuthenticatedSession, BackchannelProvider

 # Arguments: user: User, password: str
 password_changed = Signal()
@ -54,3 +54,11 @@ def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSe
    """Delete session when authenticated session is deleted"""
    cache_key = f"{KEY_PREFIX}{instance.session_key}"
    cache.delete(cache_key)
+
+
+@receiver(pre_save)
+def backchannel_provider_pre_save(sender: type[Model], instance: Model, **_):
+    """Ensure backchannel providers have is_backchannel set to true"""
+    if not isinstance(instance, BackchannelProvider):
+        return
+    instance.is_backchannel = True
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -139,6 +139,8 @@ class TestApplicationsAPI(APITestCase):
                            "verbose_name": "OAuth2/OpenID Provider",
                            "verbose_name_plural": "OAuth2/OpenID Providers",
                        },
+                        "backchannel_providers": [],
+                        "backchannel_providers_obj": [],
                        "launch_url": f"https://goauthentik.io/{self.user.username}",
                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "open_in_new_tab": True,
@ -189,6 +191,8 @@ class TestApplicationsAPI(APITestCase):
                            "verbose_name": "OAuth2/OpenID Provider",
                            "verbose_name_plural": "OAuth2/OpenID Providers",
                        },
+                        "backchannel_providers": [],
+                        "backchannel_providers_obj": [],
                        "launch_url": f"https://goauthentik.io/{self.user.username}",
                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "open_in_new_tab": True,
@ -210,6 +214,8 @@ class TestApplicationsAPI(APITestCase):
                        "policy_engine_mode": "any",
                        "provider": None,
                        "provider_obj": None,
+                        "backchannel_providers": [],
+                        "backchannel_providers_obj": [],
                        "slug": "denied",
                    },
                ],
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -53,9 +53,8 @@ def provider_tester_factory(test_model: type[Stage]) -> Callable:
    def tester(self: TestModels):
        model_class = None
        if test_model._meta.abstract:  # pragma: no cover
-            model_class = test_model.__bases__[0]()
-        else:
-            model_class = test_model()
+            return
+        model_class = test_model()
        self.assertIsNotNone(model_class.component)

    return tester