rbac: rework API for terraform, add blueprint support (#10698)

* rbac: rework API slightly to improve terraform compatibility Signed-off-by: Jens Langhammer <jens@goauthentik.io> * sigh https://www.django-rest-framework.org/api-guide/filtering/#filtering-and-object-lookups Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add permission support for users global permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add role support to blueprints Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix yaml tags Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add generated read-only role Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix web Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make permissions optional Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add object permission support to blueprints Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests kinda Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more tests and fix bugs Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-08-02 16:34:30 +02:00
parent 3541ec467c
commit d24e2abe7f
31 changed files with 4117 additions and 77 deletions
--- a/website/developer-docs/blueprints/v1/models.md
+++ b/website/developer-docs/blueprints/v1/models.md
@ -2,7 +2,9 @@

 Some models behave differently and allow for access to different API fields when created via blueprint.

-### `authentik_core.token`
+## `authentik_core.token`
+
+### `key`

 :::info
 Requires authentik 2023.4
@ -26,7 +28,9 @@ For example:
      intent: api
 ```

-### `authentik_core.user`
+## `authentik_core.user`
+
+### `password`

 :::info
 Requires authentik 2023.6
@ -49,7 +53,29 @@ For example:
      password: this-should-be-a-long-value
 ```

-### `authentik_core.application`
+### `permissions`
+
+:::info
+Requires authentik 2024.8
+:::
+
+The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.
+
+For example:
+
+```yaml
+# [...]
+- model: authentik_core.user
+  identifiers:
+      username: test-user
+  attrs:
+      permissions:
+          - authentik_blueprints.view_blueprintinstance
+```
+
+## `authentik_core.application`
+
+### `icon`

 :::info
 Requires authentik 2023.5
@ -69,7 +95,9 @@ For example:
      icon: https://goauthentik.io/img/icon.png
 ```

-### `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`
+## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`
+
+### `icon`

 :::info
 Requires authentik 2023.5
@ -89,7 +117,9 @@ For example:
      icon: https://goauthentik.io/img/icon.png
 ```

-### `authentik_flows.flow`
+## `authentik_flows.flow`
+
+### `icon`

 :::info
 Requires authentik 2023.5
@ -110,3 +140,25 @@ For example:
      designation: authentication
      background: https://goauthentik.io/img/icon.png
 ```
+
+## `authentik_rbac.role`
+
+### `permissions`
+
+:::info
+Requires authentik 2024.8
+:::
+
+The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.
+
+For example:
+
+```yaml
+# [...]
+- model: authentik_rbac.role
+  identifiers:
+      name: test-role
+  attrs:
+      permissions:
+          - authentik_blueprints.view_blueprintinstance
+```
--- a/website/developer-docs/blueprints/v1/structure.md
+++ b/website/developer-docs/blueprints/v1/structure.md
@ -60,6 +60,11 @@ entries:
          designation: stage_configuration
          name: default-oobe-setup
          title: Welcome to authentik!
+      # Optionally set object-level permissions on the object
+      # Requires authentik 2024.8
+      permissions:
+          - permission: inspect_flow
+            user: !Find [authentik_core.user, [username, akadmin]]
 ```

 ## Special Labels
--- a/website/developer-docs/blueprints/v1/tags.md
+++ b/website/developer-docs/blueprints/v1/tags.md
@ -7,15 +7,15 @@ For VS Code, for example, add these entries to your `settings.json`:
 ```
 {
    "yaml.customTags": [
-        "!KeyOf scalar",
+        "!Condition sequence",
+        "!Context scalar",
+        "!Enumerate sequence",
        "!Env scalar",
        "!Find sequence",
-        "!Context scalar",
        "!Format sequence",
        "!If sequence",
-        "!Condition sequence",
-        "!Enumerate sequence",
        "!Index scalar",
+        "!KeyOf scalar",
        "!Value scalar"
    ]
 }