add default app and restrict

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-03-21 16:55:55 +01:00
parent 0b4822c1e3
commit 828f477548
8 changed files with 163 additions and 11 deletions
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -56,6 +56,7 @@ class BrandSerializer(ModelSerializer):
            "flow_unenrollment",
            "flow_user_settings",
            "flow_device_code",
+            "default_application",
            "web_certificate",
            "attributes",
        ]
--- a/authentik/brands/migrations/0006_brand_default_application.py
+++ b/authentik/brands/migrations/0006_brand_default_application.py
@ -0,0 +1,26 @@
+# Generated by Django 5.0.3 on 2024-03-21 15:42
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0005_tenantuuid_to_branduuid"),
+        ("authentik_core", "0033_alter_user_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="default_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, external users will be redirected to this application after authenticating.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.application",
+            ),
+        ),
+    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -51,6 +51,16 @@ class Brand(SerializerModel):
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
    )

+    default_application = models.ForeignKey(
+        "authentik_core.Application",
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, external users will be redirected to this application after authenticating."
+        ),
+    )
+
    web_certificate = models.ForeignKey(
        CertificateKeyPair,
        null=True,
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.generic import RedirectView

 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -20,7 +19,12 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import (
+    BrandDefaultRedirectView,
+    FlowInterfaceView,
+    InterfaceView,
+    RootRedirectView,
+)
 from authentik.core.views.session import EndSessionView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@ -29,13 +33,11 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
    path(
        "",
-        login_required(
-            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
-        ),
+        login_required(RootRedirectView.as_view()),
        name="root-redirect",
    ),
    path(
-        # We have to use this format since everything else uses applications/o or applications/saml
+        # We have to use this format since everything else uses application/o or application/saml
        "application/launch/<slug:application_slug>/",
        apps.RedirectToAppLaunch.as_view(),
        name="application-launch",
@ -43,12 +45,12 @@ urlpatterns = [
    # Interfaces
    path(
        "if/admin/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
        name="if-admin",
    ),
    path(
        "if/user/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
        name="if-user",
    ),
    path(
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -3,15 +3,43 @@
 from json import dumps
 from typing import Any

-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
+from django.http import HttpRequest
+from django.http.response import HttpResponse
+from django.shortcuts import get_object_or_404, redirect
+from django.utils.translation import gettext as _
+from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request

 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
+from authentik.brands.models import Brand
+from authentik.core.models import UserTypes
 from authentik.flows.models import Flow
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class RootRedirectView(RedirectView):
+    """Root redirect view, redirect to brand's default application if set"""
+
+    pattern_name = "authentik_core:if-user"
+    query_string = True
+
+    def redirect_to_app(self, request: HttpRequest):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+        return None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if redirect_response := RootRedirectView().redirect_to_app(request):
+            return redirect_response
+        return super().dispatch(request, *args, **kwargs)


 class InterfaceView(TemplateView):
@ -27,6 +55,22 @@ class InterfaceView(TemplateView):
        return super().get_context_data(**kwargs)


+class BrandDefaultRedirectView(InterfaceView):
+    """By default redirect to default app"""
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+            response = AccessDeniedResponse(self.request)
+            response.error_message = _("Interface can only be accessed by internal users.")
+        return super().dispatch(request, *args, **kwargs)
+
+
 class FlowInterfaceView(InterfaceView):
    """Flow interface"""

--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -7652,6 +7652,11 @@
                    "type": "integer",
                    "title": "Flow device code"
                },
+                "default_application": {
+                    "type": "integer",
+                    "title": "Default application",
+                    "description": "When set, external users will be redirected to this application after authenticating."
+                },
                "web_certificate": {
                    "type": "integer",
                    "title": "Web certificate",
--- a/schema.yml
+++ b/schema.yml
@ -31366,6 +31366,12 @@ components:
          type: string
          format: uuid
          nullable: true
+        default_application:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, external users will be redirected to this application
+            after authenticating.
        web_certificate:
          type: string
          format: uuid
@ -31419,6 +31425,12 @@ components:
          type: string
          format: uuid
          nullable: true
+        default_application:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, external users will be redirected to this application
+            after authenticating.
        web_certificate:
          type: string
          format: uuid
@ -38553,6 +38565,12 @@ components:
          type: string
          format: uuid
          nullable: true
+        default_application:
+          type: string
+          format: uuid
+          nullable: true
+          description: When set, external users will be redirected to this application
+            after authenticating.
        web_certificate:
          type: string
          format: uuid
--- a/web/src/admin/brands/BrandForm.ts
+++ b/web/src/admin/brands/BrandForm.ts
@ -15,7 +15,13 @@ import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";

-import { Brand, CoreApi, FlowsInstancesListDesignationEnum } from "@goauthentik/api";
+import {
+    Application,
+    Brand,
+    CoreApi,
+    CoreApplicationsListRequest,
+    FlowsInstancesListDesignationEnum,
+} from "@goauthentik/api";

@customElement("ak-brand-form")
 export class BrandForm extends ModelForm<Brand, string> {
@ -137,6 +143,46 @@ export class BrandForm extends ModelForm<Brand, string> {
                    </ak-form-element-horizontal>
                </div>
            </ak-form-group>
+
+            <ak-form-group>
+                <span slot="header"> ${msg("External user settings")} </span>
+                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Default application")}
+                        name="defaultApplication"
+                    >
+                        <ak-search-select
+                            .fetchObjects=${async (query?: string): Promise<Application[]> => {
+                                const args: CoreApplicationsListRequest = {
+                                    ordering: "name",
+                                    superuserFullList: true,
+                                };
+                                if (query !== undefined) {
+                                    args.search = query;
+                                }
+                                const users = await new CoreApi(
+                                    DEFAULT_CONFIG,
+                                ).coreApplicationsList(args);
+                                return users.results;
+                            }}
+                            .renderElement=${(item: Application): string => {
+                                return item.name;
+                            }}
+                            .renderDescription=${(item: Application): TemplateResult => {
+                                return html`${item.slug}`;
+                            }}
+                            .value=${(item: Application | undefined): string | undefined => {
+                                return item?.pk;
+                            }}
+                            .selected=${(item: Application): boolean => {
+                                return item.pk === this.instance?.defaultApplication;
+                            }}
+                        >
+                        </ak-search-select>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>
+
            <ak-form-group>
                <span slot="header"> ${msg("Default flows")} </span>
                <div slot="body" class="pf-c-form">