policies: add GeoIP policy (#10454)

* add GeoIP policy

* handle empty lists of ASNs and countries

* handle missing GeoIP database or missing IP from the database

The exceptions raised here are `PolicyException`s to let admins bypass
an execution failure.

* fix translations

whoops

* remove `GeoIPPolicyMode`

Use the policy binding's `negate` option instead

* fix `DataProvision` typing

`ak-dual-select-provider` can handle unpaginated data

* use `django-countries` instead of a static list of countries for ISO-3166

* simplify `GeoIPPolicyForm`

* pass `GeoIPPolicy` on empty policy

* add backend tests to `GeoIPPolicy`

* revise translations

* move `iso-3166/` to `policies/geoip_iso3166/`

* add client-side caching to ISO3166 API call

* fix `GeoIPPolicy` creation

The automatically generated APIs can't seem to handle `CountryField`,
so I'll have to do this by hand too.

* add docs for GeoIP Policy

* docs: stylize

add review suggestions from @tanberry

* refactor `GeoIPPolicy` API

It is now as declarative as I could make it.

* clean up `api.py` and `views.py`
Simonyi Gergő
2024-08-06 12:37:29 +02:00
committed by GitHub
parent 87858afaf3
commit f7b16ed723
22 changed files with 1650 additions and 10 deletions


@ -55,6 +55,10 @@ import Objects from "../expressions/_objects.md";
- `geoip`: GeoIP dictionary. The following fields are available:
:::info
For basic country matching, consider using a [GeoIP policy](index.md#geoip-policy).
:::
- `continent`: a two character continent code like `NA` (North America) or `OC` (Oceania).
- `country`: the two character [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1) alpha code for the country.
- `lat`: the approximate latitude of the location associated with the IP address.
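Review bot: the `:::info` admonition added at the top of this hunk lands between the sentence `The following fields are available:` and the field list that sentence introduces, so the lead-in no longer runs directly into `continent`, `country`, `lat` and the other fields. Move the admonition above the `geoip` bullet (or below the last field, after `city`) so the list stays contiguous. The link target `index.md#geoip-policy` corresponds to the `## GeoIP policy` heading added to the policies index in this same commit, so the anchor itself is fine.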
@ -62,11 +66,15 @@ import Objects from "../expressions/_objects.md";
- `city`: the name of the city. May be empty.
```python
return context["geoip"]["country"] == "US"
return context["geoip"]["continent"] == "EU"
```
- `asn`: ASN dictionary. The follow fields are available:
:::info
For basic ASN matching, consider using a [GeoIP policy](index.md#geoip-policy).
:::
- `asn`: the autonomous system number associated with the IP address.
- `as_org`: the organization associated with the registered autonomous system number for the IP address.
- `network`: the network associated with the record. In particular, this is the largest network where all of the fields except `ip_address` have the same value.
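Review bot: the ASN admonition is inserted between `The follow fields are available:` and the `asn`, `as_org` and `network` fields, splitting the list from the sentence that introduces it; place it above the `asn` bullet or after the `network` field instead. While editing this line, fix the pre-existing typo in the unchanged context `The follow fields are available:` to `The following fields are available:`, matching the wording used for the `geoip` dictionary above.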


@ -6,22 +6,26 @@ title: Policies
This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified.
## Expression Policy
## Expression policy
See [Expression Policy](expression.mdx).
See [Expression policy](expression.mdx).
## Have I Been Pwned Policy
## GeoIP policy
Use this policy for simple GeoIP lookups, such as country or ASN matching. (For a more advanced GeoIP lookup, use an [Expression policy](expression.mdx).)
## Have I Been Pwned policy
:::info
This policy is deprecated since authentik 2022.11.0, as this can be done with the password policy now.
:::
This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.
## Password-Expiry Policy
## Password-Expiry policy
This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.
## Password Policy
## Password policy
This policy allows you to specify password rules, such as length and required characters.
The following rules can be set:
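Review bot: the new `## GeoIP policy` section is a single sentence and leaves out the behaviour the commit message itself describes. It should state what happens when the GeoIP or ASN database is missing or the client IP is not found in it (the commit says these raise a `PolicyException`, so the policy binding's failure handling decides the outcome), that an empty list of countries or ASNs is accepted, and that inverting the match is done through the policy binding's `negate` option rather than a mode on the policy. Without that, an admin reading only this page cannot tell whether a missing database fails open or closed. The heading renames in the rest of the hunk (`Expression Policy` to `Expression policy`, and so on) only change case, and the generated anchors are lowercased anyway, so existing `#expression-policy`-style links keep working.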
@ -37,7 +41,7 @@ Starting with authentik 2022.11.0, the following checks can also be done with th
- Check the password hash against the database of [Have I Been Pwned](https://haveibeenpwned.com/). Only the first 5 characters of the hashed password are transmitted, the rest is compared in authentik
- Check the password against the password complexity checker [zxcvbn](https://github.com/dropbox/zxcvbn), which detects weak password on various metrics.
## Reputation Policy
## Reputation policy
authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
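Review bot: the unchanged context line `which detects weak password on various metrics` should read `weak passwords`; a one-word fix that belongs in this hunk since the section is already being retitled.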