policies: constraint only one type

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-04-17 17:13:39 +02:00
parent 5e6874cc1f
commit e4a21c824a
2 changed files with 63 additions and 0 deletions
--- a/authentik/policies/migrations/0012_policybinding_authentik_policies_policybinding_only_one_type.py
+++ b/authentik/policies/migrations/0012_policybinding_authentik_policies_policybinding_only_one_type.py
@ -0,0 +1,40 @@
+# Generated by Django 5.1.8 on 2025-04-17 15:13
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddConstraint(
+            model_name="policybinding",
+            constraint=models.CheckConstraint(
+                condition=models.Q(
+                    models.Q(
+                        ("policy_id__isnull", False),
+                        ("group_id__isnull", True),
+                        ("user_id__isnull", True),
+                    ),
+                    models.Q(
+                        ("group_id__isnull", False),
+                        ("policy_id__isnull", True),
+                        ("user_id__isnull", True),
+                    ),
+                    models.Q(
+                        ("user_id__isnull", False),
+                        ("policy_id__isnull", True),
+                        ("group_id__isnull", True),
+                    ),
+                    _connector="OR",
+                ),
+                name="authentik_policies_policybinding_only_one_type",
+            ),
+        ),
+    ]
--- a/authentik/policies/models.py
+++ b/authentik/policies/models.py
@ -3,6 +3,7 @@
 from uuid import uuid4

 from django.db import models
+from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 from model_utils.managers import InheritanceManager
 from rest_framework.serializers import BaseSerializer
@ -158,6 +159,28 @@ class PolicyBinding(SerializerModel):
            models.Index(fields=["user"]),
            models.Index(fields=["target"]),
        ]
+        constraints = (
+            models.CheckConstraint(
+                condition=(
+                    (
+                        Q(policy_id__isnull=False)
+                        & Q(group_id__isnull=True)
+                        & Q(user_id__isnull=True)
+                    )
+                    | (
+                        Q(group_id__isnull=False)
+                        & Q(policy_id__isnull=True)
+                        & Q(user_id__isnull=True)
+                    )
+                    | (
+                        Q(user_id__isnull=False)
+                        & Q(policy_id__isnull=True)
+                        & Q(group_id__isnull=True)
+                    )
+                ),
+                name="%(app_label)s_%(class)s_only_one_type",
+            ),
+        )


 class Policy(SerializerModel, CreatedUpdatedModel):