Managed objects (#519)

* managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * *: load .managed in apps * managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * *: use ObjectManager in tests to ensure objects exist * ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * *: make PropertyMapping SerializerModel * web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting
2021-02-03 21:18:31 +01:00
parent f8f26d2a23
commit e25d03d8f4
71 changed files with 1014 additions and 284 deletions
--- a/website/docs/integrations/services/awx-tower/index.md
+++ b/website/docs/integrations/services/awx-tower/index.md
@ -64,14 +64,14 @@ In the `SAML Enabled Identity Providers` paste the following configuration:
 ```json
 {
    "authentik": {
-        "attr_username": "urn:oid:2.16.840.1.113730.3.1.241",
-        "attr_user_permanent_id": "urn:oid:0.9.2342.19200300.100.1.1",
+        "attr_username": "http://schemas.goauthentik.io/2021/02/saml/username",
+        "attr_user_permanent_id": "http://schemas.goauthentik.io/2021/02/saml/uid",
        "x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==",
        "url": "https://authentik.company/application/saml/awx/login/",
        "attr_last_name": "User.LastName",
        "entity_id": "https://awx.company/sso/metadata/saml/",
-        "attr_email": "urn:oid:0.9.2342.19200300.100.1.3",
-        "attr_first_name": "urn:oid:2.5.4.3"
+        "attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+        "attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    }
 }
 ```
--- a/website/docs/integrations/services/gitlab/index.md
+++ b/website/docs/integrations/services/gitlab/index.md
@ -44,14 +44,15 @@ gitlab_rails['omniauth_providers'] = [
    name: 'saml',
    args: {
      assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
+      # Shown when navigating to certificates in authentik
      idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
      idp_sso_target_url: 'https://authentik.company/application/saml/<authentik application slug>/sso/binding/post/',
      issuer: 'https://gitlab.company',
      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
      attribute_statements: {
-        email: ['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'],
-        first_name: ['urn:oid:2.5.4.3'],
-        nickname: ['urn:oid:2.16.840.1.113730.3.1.241']
+        email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
+        first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
+        nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
      }
    },
    label: 'authentik'
--- a/website/docs/integrations/services/nextcloud/index.md
+++ b/website/docs/integrations/services/nextcloud/index.md
@ -42,7 +42,7 @@ In NextCloud, navigate to `Settings`, then `SSO & SAML Authentication`.

 Set the following values:

- Attribute to map the UID to.: `urn:oid:2.16.840.1.113730.3.1.241`
+- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username`
 - Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
 - Identifier of the IdP entity (must be a URI): `https://authentik.company`
 - URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
@ -50,9 +50,9 @@ Set the following values:

 Under Attribute mapping, set these values:

- Attribute to map the displayname to.: `urn:oid:2.5.4.3`
- Attribute to map the email address to.: `urn:oid:0.9.2342.19200300.100.1.3`
- Attribute to map the users groups to.: `member-of`
+- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
+- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
+- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`

 ## Group Quotas

@ -61,3 +61,18 @@ Create a group for each different level of quota you want users to have. Set a c
 Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
 Set the *SAML Name* to `nextcloud_quota`.
 Set the *Expression* to `return user.group_attributes.get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
+
+## Admin Group
+
+To give authentik users admin access to your NextCloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in NextCloud and cannot be changed.
+
+Create a SAML Property mapping with the SAML Name "http://schemas.xmlsoap.org/claims/Group" and this expression:
+
+```python
+for group in user.ak_groups.all():
+    yield group.name
+if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
+    yield "admin"
+```
+
+Then, edit the NextCloud SAML Provider, and replace the default Groups mapping with the one you've created above.
--- a/website/docs/integrations/services/sentry/index.md
+++ b/website/docs/integrations/services/sentry/index.md
@ -41,8 +41,8 @@ In authentik, get the Metadata URL by right-clicking `Download Metadata` and sel

 On the next screen, input these Values

-IdP User ID: `urn:oid:0.9.2342.19200300.100.1.1`
-User Email: `urn:oid:0.9.2342.19200300.100.1.3`
-First Name: `urn:oid:2.5.4.3`
+IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid`
+User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
+First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`

 After confirming, Sentry will authenticate with authentik, and you should be redirected back to a page confirming your settings.