blueprints: migrate from managed (#3338)

* test all bundled blueprints Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix empty title Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix default blueprints Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add script to generate dev config Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * migrate managed to blueprints Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add more to blueprint instance Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * migrated away from ObjectManager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix lint errors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * migrate things Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * migrate tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix some tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix a bit more Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * whops Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix missing name Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * *sigh* Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tasks Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * scheduled Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * run discovery on start Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * oops this test should stay Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-01 23:05:58 +02:00
parent 7a05c6faef
commit a023eee9bf
88 changed files with 1094 additions and 871 deletions
--- a/blueprints/system/providers-oauth2.yaml
+++ b/blueprints/system/providers-oauth2.yaml
@ -0,0 +1,44 @@
+version: 1
+entries:
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-openid
+    model: authentik_providers_oauth2.ScopeMapping
+    attrs:
+      name: "authentik default OAuth Mapping: OpenID 'openid'"
+      scope_name: openid
+      expression: |
+        # This scope is required by the OpenID-spec, and must as such exist in authentik.
+        # The scope by itself does not grant any information
+        return {}
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-email
+    model: authentik_providers_oauth2.ScopeMapping
+    attrs:
+      name: "authentik default OAuth Mapping: OpenID 'email'"
+      scope_name: email
+      description: "Email address"
+      expression: |
+        return {
+            "email": request.user.email,
+            "email_verified": True
+        }
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-profile
+    model: authentik_providers_oauth2.ScopeMapping
+    attrs:
+      name: "authentik default OAuth Mapping: OpenID 'profile'"
+      scope_name: profile
+      description: "General Profile Information"
+      expression: |
+        return {
+            # Because authentik only saves the user's full name, and has no concept of first and last names,
+            # the full name is used as given name.
+            # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
+            "name": request.user.name,
+            "given_name": request.user.name,
+            "family_name": "",
+            "preferred_username": request.user.username,
+            "nickname": request.user.username,
+            # groups is not part of the official userinfo schema, but is a quasi-standard
+            "groups": [group.name for group in request.user.ak_groups.all()],
+        }
--- a/blueprints/system/providers-proxy.yaml
+++ b/blueprints/system/providers-proxy.yaml
@ -0,0 +1,17 @@
+version: 1
+entries:
+  - identifiers:
+      managed: goauthentik.io/providers/proxy/scope-proxy
+    model: authentik_providers_oauth2.ScopeMapping
+    attrs:
+      name: "authentik default OAuth Mapping: Proxy outpost"
+      scope_name: ak_proxy
+      expression: |
+        # This mapping is used by the authentik proxy. It passes extra user attributes,
+        # which are used for example for the HTTP-Basic Authentication mapping.
+        return {
+            "ak_proxy": {
+                "user_attributes": request.user.group_attributes(request),
+                "is_superuser": request.user.is_superuser,
+            }
+        }
--- a/blueprints/system/providers-saml.yaml
+++ b/blueprints/system/providers-saml.yaml
@ -0,0 +1,59 @@
+version: 1
+entries:
+  - identifiers:
+      managed: goauthentik.io/providers/saml/upn
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: UPN"
+      saml_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
+      expression: |
+        return request.user.attributes.get('upn', request.user.email)
+  - identifiers:
+      managed: goauthentik.io/providers/saml/name
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: Name"
+      saml_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
+      expression: |
+        return request.user.name
+  - identifiers:
+      managed: goauthentik.io/providers/saml/email
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: Email"
+      saml_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+      expression: |
+        return request.user.email
+  - identifiers:
+      managed: goauthentik.io/providers/saml/username
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: Username"
+      saml_name: "http://schemas.goauthentik.io/2021/02/saml/username"
+      expression: |
+        return request.user.username
+  - identifiers:
+      managed: goauthentik.io/providers/saml/uid
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: User ID"
+      saml_name: "http://schemas.goauthentik.io/2021/02/saml/uid"
+      expression: |
+        return request.user.pk
+  - identifiers:
+      managed: goauthentik.io/providers/saml/groups
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: Groups"
+      saml_name: "http://schemas.xmlsoap.org/claims/Group"
+      expression: |
+        for group in request.user.ak_groups.all():
+            yield group.name
+  - identifiers:
+      managed: goauthentik.io/providers/saml/ms-windowsaccountname
+    model: authentik_providers_saml.SAMLPropertyMapping
+    attrs:
+      name: "authentik default SAML Mapping: WindowsAccountname (Username)"
+      saml_name: "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
+      expression: |
+        return request.user.username
--- a/blueprints/system/sources-ldap.yaml
+++ b/blueprints/system/sources-ldap.yaml
@ -0,0 +1,68 @@
+version: 1
+entries:
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/default-name
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default LDAP Mapping: Name"
+      object_field: "name"
+      expression: |
+        return ldap.get('name')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/default-mail
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default LDAP Mapping: mail"
+      object_field: "email"
+      expression: |
+        return ldap.get('mail')
+  # ActiveDirectory-specific mappings
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/ms-samaccountname
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default Active Directory Mapping: sAMAccountName"
+      object_field: "username"
+      expression: |
+        return ldap.get('sAMAccountName')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/ms-userprincipalname
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default Active Directory Mapping: userPrincipalName"
+      object_field: "attributes.upn"
+      expression: |
+        return list_flatten(ldap.get('userPrincipalName'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/ms-givenName
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default Active Directory Mapping: givenName"
+      object_field: "attributes.givenName"
+      expression: |
+        return list_flatten(ldap.get('givenName'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/ms-sn
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default Active Directory Mapping: sn"
+      object_field: "attributes.sn"
+      expression: |
+        return list_flatten(ldap.get('sn'))
+  # OpenLDAP specific mappings
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/openldap-uid
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default OpenLDAP Mapping: uid"
+      object_field: "username"
+      expression: |
+        return ldap.get('uid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/openldap-cn
+    model: authentik_sources_ldap.LDAPPropertyMapping
+    attrs:
+      name: "authentik default OpenLDAP Mapping: cn"
+      object_field: "name"
+      expression: |
+        return ldap.get('cn')