outposts: don't authenticate as service user for flows to set remote-ip

set outpost token as additional header and check that token (user) if they can override remote-ip

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/lib/utils/http.py

@@ -2,10 +2,12 @@
 from typing import Any, Optional
 
 from django.http import HttpRequest
+from structlog.stdlib import get_logger
 
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
-USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
+OUTPOST_TOKEN_HEADER = "HTTP_X_AUTHENTIK_OUTPOST_TOKEN"  # nosec
 DEFAULT_IP = "255.255.255.255"
+LOGGER = get_logger()
 
 
 def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
@@ -27,13 +29,25 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
     """Get the actual remote IP when set by an outpost. Only
     allowed when the request is authenticated, by a user with USER_ATTRIBUTE_CAN_OVERRIDE_IP set
     to outpost"""
-    if not hasattr(request, "user"):
+    from authentik.core.models import (
+        USER_ATTRIBUTE_CAN_OVERRIDE_IP,
+        Token,
+        TokenIntents,
+    )
+
+    if (
+        OUTPOST_REMOTE_IP_HEADER not in request.META
+        or OUTPOST_TOKEN_HEADER not in request.META
+    ):
         return None
-    if not request.user.is_authenticated:
+    tokens = Token.filter_not_expired(
+        key=request.META.get(OUTPOST_TOKEN_HEADER), intent=TokenIntents.INTENT_API
+    )
+    if not tokens.exists():
+        LOGGER.warning("Attempted remote-ip override without token")
         return None
-    if OUTPOST_REMOTE_IP_HEADER not in request.META:
-        return None
-    if request.user.group_attributes().get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
+    user = tokens.first().user
+    if user.group_attributes().get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
         return None
     return request.META[OUTPOST_REMOTE_IP_HEADER]