Compare commits
	
		
			54 Commits
		
	
	
		
			safari-cra
			...
			version/20
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 527e584699 | |||
| 80dfe371e6 | |||
| a3d1491aee | |||
| 1b98792637 | |||
| 111e120220 | |||
| 20642d49c3 | |||
| a9776a83d3 | |||
| b9faae83b4 | |||
| afc2998697 | |||
| fabacc56c4 | |||
| 11b013d3b8 | |||
| e10c47d8b8 | |||
| d2b194f6b7 | |||
| 780a59c908 | |||
| f8015fccd8 | |||
| 05f4e738a1 | |||
| f535a23c03 | |||
| 91905530c7 | |||
| 40a970e321 | |||
| b51d8d0ba3 | |||
| 7e8891338f | |||
| 3ae0001bb5 | |||
| 66a4970014 | |||
| 7ab9300761 | |||
| a2eccd5022 | |||
| 31aeaa247f | |||
| f49008bbb6 | |||
| feb13c8ee5 | |||
| d5ef831718 | |||
| 64676819ec | |||
| 7ed268fef4 | |||
| f6526d1be9 | |||
| 12f8b4566b | |||
| 665de8ef22 | |||
| 9eaa723bf8 | |||
| b2ca9c8cbc | |||
| 7927392100 | |||
| d8d07e32cb | |||
| f7c5d329eb | |||
| 92dec32547 | |||
| 510feccd31 | |||
| 364a9a1f02 | |||
| 40cbb7567b | |||
| 8ad0f63994 | |||
| 6ce33ab912 | |||
| d96b577abd | |||
| 8c547589f6 | |||
| 3775e5b84f | |||
| fa30339f65 | |||
| e825eda106 | |||
| 246cae3dfa | |||
| 6cfd2bd1af | |||
| f0e4f93fe6 | |||
| 434aa57ba7 | 
| @ -1,5 +1,5 @@ | |||||||
| [bumpversion] | [bumpversion] | ||||||
| current_version = 2024.8.3 | current_version = 2024.10.4 | ||||||
| tag = True | tag = True | ||||||
| commit = True | commit = True | ||||||
| parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))? | parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))? | ||||||
|  | |||||||
| @ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni | |||||||
|  |  | ||||||
| (.x being the latest patch release for each version) | (.x being the latest patch release for each version) | ||||||
|  |  | ||||||
| | Version  | Supported | | | Version   | Supported | | ||||||
| | -------- | --------- | | | --------- | --------- | | ||||||
| | 2024.6.x | ✅        | | | 2024.8.x  | ✅        | | ||||||
| | 2024.8.x | ✅        | | | 2024.10.x | ✅        | | ||||||
|  |  | ||||||
| ## Reporting a Vulnerability | ## Reporting a Vulnerability | ||||||
|  |  | ||||||
|  | |||||||
| @ -2,7 +2,7 @@ | |||||||
|  |  | ||||||
| from os import environ | from os import environ | ||||||
|  |  | ||||||
| __version__ = "2024.8.3" | __version__ = "2024.10.4" | ||||||
| ENV_GIT_HASH_KEY = "GIT_BUILD_HASH" | ENV_GIT_HASH_KEY = "GIT_BUILD_HASH" | ||||||
|  |  | ||||||
|  |  | ||||||
|  | |||||||
| @ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }} | |||||||
| {% endblock %} | {% endblock %} | ||||||
|  |  | ||||||
| {% block head %} | {% block head %} | ||||||
| {% versioned_script "dist/standalone/api-browser/index-%v.js" %} | <script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script> | ||||||
| <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)"> | <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)"> | ||||||
| <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)"> | <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)"> | ||||||
| {% endblock %} | {% endblock %} | ||||||
|  | |||||||
| @ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable: | |||||||
|         base = Path("blueprints/") |         base = Path("blueprints/") | ||||||
|         rel_path = Path(file_name).relative_to(base) |         rel_path = Path(file_name).relative_to(base) | ||||||
|         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve()) |         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve()) | ||||||
|         self.assertTrue(importer.validate()[0]) |         validation, logs = importer.validate() | ||||||
|  |         self.assertTrue(validation, logs) | ||||||
|         self.assertTrue(importer.apply()) |         self.assertTrue(importer.apply()) | ||||||
|  |  | ||||||
|     return tester |     return tester | ||||||
|  | |||||||
| @ -4,7 +4,7 @@ from collections.abc import Callable | |||||||
|  |  | ||||||
| from django.http.request import HttpRequest | from django.http.request import HttpRequest | ||||||
| from django.http.response import HttpResponse | from django.http.response import HttpResponse | ||||||
| from django.utils.translation import activate | from django.utils.translation import override | ||||||
|  |  | ||||||
| from authentik.brands.utils import get_brand_for_request | from authentik.brands.utils import get_brand_for_request | ||||||
|  |  | ||||||
| @ -18,10 +18,12 @@ class BrandMiddleware: | |||||||
|         self.get_response = get_response |         self.get_response = get_response | ||||||
|  |  | ||||||
|     def __call__(self, request: HttpRequest) -> HttpResponse: |     def __call__(self, request: HttpRequest) -> HttpResponse: | ||||||
|  |         locale_to_set = None | ||||||
|         if not hasattr(request, "brand"): |         if not hasattr(request, "brand"): | ||||||
|             brand = get_brand_for_request(request) |             brand = get_brand_for_request(request) | ||||||
|             request.brand = brand |             request.brand = brand | ||||||
|             locale = brand.default_locale |             locale = brand.default_locale | ||||||
|             if locale != "": |             if locale != "": | ||||||
|                 activate(locale) |                 locale_to_set = locale | ||||||
|         return self.get_response(request) |         with override(locale_to_set): | ||||||
|  |             return self.get_response(request) | ||||||
|  | |||||||
| @ -1,5 +1,6 @@ | |||||||
| """Authenticator Devices API Views""" | """Authenticator Devices API Views""" | ||||||
|  |  | ||||||
|  | from django.utils.translation import gettext_lazy as _ | ||||||
| from drf_spectacular.types import OpenApiTypes | from drf_spectacular.types import OpenApiTypes | ||||||
| from drf_spectacular.utils import OpenApiParameter, extend_schema | from drf_spectacular.utils import OpenApiParameter, extend_schema | ||||||
| from rest_framework.fields import ( | from rest_framework.fields import ( | ||||||
| @ -40,7 +41,11 @@ class DeviceSerializer(MetaNameSerializer): | |||||||
|     def get_extra_description(self, instance: Device) -> str: |     def get_extra_description(self, instance: Device) -> str: | ||||||
|         """Get extra description""" |         """Get extra description""" | ||||||
|         if isinstance(instance, WebAuthnDevice): |         if isinstance(instance, WebAuthnDevice): | ||||||
|             return instance.device_type.description |             return ( | ||||||
|  |                 instance.device_type.description | ||||||
|  |                 if instance.device_type | ||||||
|  |                 else _("Extra description not available") | ||||||
|  |             ) | ||||||
|         if isinstance(instance, EndpointDevice): |         if isinstance(instance, EndpointDevice): | ||||||
|             return instance.data.get("deviceSignals", {}).get("deviceModel") |             return instance.data.get("deviceSignals", {}).get("deviceModel") | ||||||
|         return "" |         return "" | ||||||
|  | |||||||
| @ -5,7 +5,7 @@ from contextvars import ContextVar | |||||||
| from uuid import uuid4 | from uuid import uuid4 | ||||||
|  |  | ||||||
| from django.http import HttpRequest, HttpResponse | from django.http import HttpRequest, HttpResponse | ||||||
| from django.utils.translation import activate | from django.utils.translation import override | ||||||
| from sentry_sdk.api import set_tag | from sentry_sdk.api import set_tag | ||||||
| from structlog.contextvars import STRUCTLOG_KEY_PREFIX | from structlog.contextvars import STRUCTLOG_KEY_PREFIX | ||||||
|  |  | ||||||
| @ -31,17 +31,19 @@ class ImpersonateMiddleware: | |||||||
|     def __call__(self, request: HttpRequest) -> HttpResponse: |     def __call__(self, request: HttpRequest) -> HttpResponse: | ||||||
|         # No permission checks are done here, they need to be checked before |         # No permission checks are done here, they need to be checked before | ||||||
|         # SESSION_KEY_IMPERSONATE_USER is set. |         # SESSION_KEY_IMPERSONATE_USER is set. | ||||||
|  |         locale_to_set = None | ||||||
|         if request.user.is_authenticated: |         if request.user.is_authenticated: | ||||||
|             locale = request.user.locale(request) |             locale = request.user.locale(request) | ||||||
|             if locale != "": |             if locale != "": | ||||||
|                 activate(locale) |                 locale_to_set = locale | ||||||
|  |  | ||||||
|         if SESSION_KEY_IMPERSONATE_USER in request.session: |         if SESSION_KEY_IMPERSONATE_USER in request.session: | ||||||
|             request.user = request.session[SESSION_KEY_IMPERSONATE_USER] |             request.user = request.session[SESSION_KEY_IMPERSONATE_USER] | ||||||
|             # Ensure that the user is active, otherwise nothing will work |             # Ensure that the user is active, otherwise nothing will work | ||||||
|             request.user.is_active = True |             request.user.is_active = True | ||||||
|  |  | ||||||
|         return self.get_response(request) |         with override(locale_to_set): | ||||||
|  |             return self.get_response(request) | ||||||
|  |  | ||||||
|  |  | ||||||
| class RequestIDMiddleware: | class RequestIDMiddleware: | ||||||
|  | |||||||
| @ -129,6 +129,11 @@ class SourceFlowManager: | |||||||
|             ) |             ) | ||||||
|             new_connection.user = self.request.user |             new_connection.user = self.request.user | ||||||
|             new_connection = self.update_user_connection(new_connection, **kwargs) |             new_connection = self.update_user_connection(new_connection, **kwargs) | ||||||
|  |             if existing := self.user_connection_type.objects.filter( | ||||||
|  |                 source=self.source, identifier=self.identifier | ||||||
|  |             ).first(): | ||||||
|  |                 existing = self.update_user_connection(existing) | ||||||
|  |                 return Action.AUTH, existing | ||||||
|             return Action.LINK, new_connection |             return Action.LINK, new_connection | ||||||
|  |  | ||||||
|         action, connection = self.matcher.get_user_action(self.identifier, self.user_properties) |         action, connection = self.matcher.get_user_action(self.identifier, self.user_properties) | ||||||
|  | |||||||
| @ -15,8 +15,8 @@ | |||||||
|         {% endblock %} |         {% endblock %} | ||||||
|         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}"> |         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}"> | ||||||
|         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject> |         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject> | ||||||
|         {% versioned_script "dist/poly-%v.js" %} |         <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script> | ||||||
|         {% versioned_script "dist/standalone/loading/index-%v.js" %} |         <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script> | ||||||
|         {% block head %} |         {% block head %} | ||||||
|         {% endblock %} |         {% endblock %} | ||||||
|         <meta name="sentry-trace" content="{{ sentry_trace }}" /> |         <meta name="sentry-trace" content="{{ sentry_trace }}" /> | ||||||
|  | |||||||
| @ -3,7 +3,7 @@ | |||||||
| {% load authentik_core %} | {% load authentik_core %} | ||||||
|  |  | ||||||
| {% block head %} | {% block head %} | ||||||
| {% versioned_script "dist/admin/AdminInterface-%v.js" %} | <script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script> | ||||||
| <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)"> | <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)"> | ||||||
| <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)"> | <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)"> | ||||||
| {% include "base/header_js.html" %} | {% include "base/header_js.html" %} | ||||||
|  | |||||||
| @ -3,7 +3,7 @@ | |||||||
| {% load authentik_core %} | {% load authentik_core %} | ||||||
|  |  | ||||||
| {% block head %} | {% block head %} | ||||||
| {% versioned_script "dist/user/UserInterface-%v.js" %} | <script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script> | ||||||
| <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)"> | <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)"> | ||||||
| <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)"> | <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)"> | ||||||
| {% include "base/header_js.html" %} | {% include "base/header_js.html" %} | ||||||
|  | |||||||
| @ -2,7 +2,6 @@ | |||||||
|  |  | ||||||
| from django import template | from django import template | ||||||
| from django.templatetags.static import static as static_loader | from django.templatetags.static import static as static_loader | ||||||
| from django.utils.safestring import mark_safe |  | ||||||
|  |  | ||||||
| from authentik import get_full_version | from authentik import get_full_version | ||||||
|  |  | ||||||
| @ -12,10 +11,4 @@ register = template.Library() | |||||||
| @register.simple_tag() | @register.simple_tag() | ||||||
| def versioned_script(path: str) -> str: | def versioned_script(path: str) -> str: | ||||||
|     """Wrapper around {% static %} tag that supports setting the version""" |     """Wrapper around {% static %} tag that supports setting the version""" | ||||||
|     returned_lines = [ |     return static_loader(path.replace("%v", get_full_version())) | ||||||
|         ( |  | ||||||
|             f'<script src="{static_loader(path.replace("%v", get_full_version()))}' |  | ||||||
|             '" type="module"></script>' |  | ||||||
|         ), |  | ||||||
|     ] |  | ||||||
|     return mark_safe("".join(returned_lines))  # nosec |  | ||||||
|  | |||||||
| @ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow | |||||||
| from authentik.lib.generators import generate_id | from authentik.lib.generators import generate_id | ||||||
| from authentik.policies.dummy.models import DummyPolicy | from authentik.policies.dummy.models import DummyPolicy | ||||||
| from authentik.policies.models import PolicyBinding | from authentik.policies.models import PolicyBinding | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider | from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode | ||||||
| from authentik.providers.proxy.models import ProxyProvider | from authentik.providers.proxy.models import ProxyProvider | ||||||
| from authentik.providers.saml.models import SAMLProvider | from authentik.providers.saml.models import SAMLProvider | ||||||
|  |  | ||||||
| @ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase): | |||||||
|         self.user = create_test_admin_user() |         self.user = create_test_admin_user() | ||||||
|         self.provider = OAuth2Provider.objects.create( |         self.provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             redirect_uris="http://some-other-domain", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")], | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|         ) |         ) | ||||||
|         self.allowed: Application = Application.objects.create( |         self.allowed: Application = Application.objects.create( | ||||||
|  | |||||||
| @ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase): | |||||||
|             reverse("authentik_core:if-user") + "#/settings;page-sources", |             reverse("authentik_core:if-user") + "#/settings;page-sources", | ||||||
|         ) |         ) | ||||||
|  |  | ||||||
|  |     def test_authenticated_auth(self): | ||||||
|  |         """Test authenticated user linking""" | ||||||
|  |         user = User.objects.create(username="foo", email="foo@bar.baz") | ||||||
|  |         UserOAuthSourceConnection.objects.create( | ||||||
|  |             user=user, source=self.source, identifier=self.identifier | ||||||
|  |         ) | ||||||
|  |         request = get_request("/", user=user) | ||||||
|  |         flow_manager = OAuthSourceFlowManager( | ||||||
|  |             self.source, request, self.identifier, {"info": {}}, {} | ||||||
|  |         ) | ||||||
|  |         action, connection = flow_manager.get_action() | ||||||
|  |         self.assertEqual(action, Action.AUTH) | ||||||
|  |         self.assertIsNotNone(connection.pk) | ||||||
|  |         response = flow_manager.get_flow() | ||||||
|  |         self.assertEqual(response.status_code, 302) | ||||||
|  |  | ||||||
|     def test_unauthenticated_link(self): |     def test_unauthenticated_link(self): | ||||||
|         """Test un-authenticated user linking""" |         """Test un-authenticated user linking""" | ||||||
|         flow_manager = OAuthSourceFlowManager( |         flow_manager = OAuthSourceFlowManager( | ||||||
|  | |||||||
| @ -31,6 +31,7 @@ class TestTransactionalApplicationsAPI(APITestCase): | |||||||
|                     "name": uid, |                     "name": uid, | ||||||
|                     "authorization_flow": str(create_test_flow().pk), |                     "authorization_flow": str(create_test_flow().pk), | ||||||
|                     "invalidation_flow": str(create_test_flow().pk), |                     "invalidation_flow": str(create_test_flow().pk), | ||||||
|  |                     "redirect_uris": [], | ||||||
|                 }, |                 }, | ||||||
|             }, |             }, | ||||||
|         ) |         ) | ||||||
| @ -57,6 +58,7 @@ class TestTransactionalApplicationsAPI(APITestCase): | |||||||
|                     "name": uid, |                     "name": uid, | ||||||
|                     "authorization_flow": "", |                     "authorization_flow": "", | ||||||
|                     "invalidation_flow": "", |                     "invalidation_flow": "", | ||||||
|  |                     "redirect_uris": [], | ||||||
|                 }, |                 }, | ||||||
|             }, |             }, | ||||||
|         ) |         ) | ||||||
|  | |||||||
| @ -24,6 +24,7 @@ from rest_framework.fields import ( | |||||||
| from rest_framework.filters import OrderingFilter, SearchFilter | from rest_framework.filters import OrderingFilter, SearchFilter | ||||||
| from rest_framework.request import Request | from rest_framework.request import Request | ||||||
| from rest_framework.response import Response | from rest_framework.response import Response | ||||||
|  | from rest_framework.validators import UniqueValidator | ||||||
| from rest_framework.viewsets import ModelViewSet | from rest_framework.viewsets import ModelViewSet | ||||||
| from structlog.stdlib import get_logger | from structlog.stdlib import get_logger | ||||||
|  |  | ||||||
| @ -181,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer): | |||||||
| class CertificateGenerationSerializer(PassiveSerializer): | class CertificateGenerationSerializer(PassiveSerializer): | ||||||
|     """Certificate generation parameters""" |     """Certificate generation parameters""" | ||||||
|  |  | ||||||
|     common_name = CharField() |     common_name = CharField( | ||||||
|  |         validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())], | ||||||
|  |         source="name", | ||||||
|  |     ) | ||||||
|     subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name")) |     subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name")) | ||||||
|     validity_days = IntegerField(initial=365) |     validity_days = IntegerField(initial=365) | ||||||
|     alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices) |     alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices) | ||||||
| @ -242,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet): | |||||||
|     def generate(self, request: Request) -> Response: |     def generate(self, request: Request) -> Response: | ||||||
|         """Generate a new, self-signed certificate-key pair""" |         """Generate a new, self-signed certificate-key pair""" | ||||||
|         data = CertificateGenerationSerializer(data=request.data) |         data = CertificateGenerationSerializer(data=request.data) | ||||||
|         if not data.is_valid(): |         data.is_valid(raise_exception=True) | ||||||
|             return Response(data.errors, status=400) |  | ||||||
|         raw_san = data.validated_data.get("subject_alt_name", "") |         raw_san = data.validated_data.get("subject_alt_name", "") | ||||||
|         sans = raw_san.split(",") if raw_san != "" else [] |         sans = raw_san.split(",") if raw_san != "" else [] | ||||||
|         builder = CertificateBuilder(data.validated_data["common_name"]) |         builder = CertificateBuilder(data.validated_data["name"]) | ||||||
|         builder.alg = data.validated_data["alg"] |         builder.alg = data.validated_data["alg"] | ||||||
|         builder.build( |         builder.build( | ||||||
|             subject_alt_names=sans, |             subject_alt_names=sans, | ||||||
|  | |||||||
| @ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair | |||||||
| from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery | from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery | ||||||
| from authentik.lib.config import CONFIG | from authentik.lib.config import CONFIG | ||||||
| from authentik.lib.generators import generate_id, generate_key | from authentik.lib.generators import generate_id, generate_key | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider | from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode | ||||||
|  |  | ||||||
|  |  | ||||||
| class TestCrypto(APITestCase): | class TestCrypto(APITestCase): | ||||||
| @ -89,6 +89,17 @@ class TestCrypto(APITestCase): | |||||||
|         self.assertIsInstance(ext[1], DNSName) |         self.assertIsInstance(ext[1], DNSName) | ||||||
|         self.assertEqual(ext[1].value, "baz") |         self.assertEqual(ext[1].value, "baz") | ||||||
|  |  | ||||||
|  |     def test_builder_api_duplicate(self): | ||||||
|  |         """Test Builder (via API)""" | ||||||
|  |         cert = create_test_cert() | ||||||
|  |         self.client.force_login(create_test_admin_user()) | ||||||
|  |         res = self.client.post( | ||||||
|  |             reverse("authentik_api:certificatekeypair-generate"), | ||||||
|  |             data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3}, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(res.status_code, 400) | ||||||
|  |         self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]}) | ||||||
|  |  | ||||||
|     def test_builder_api_empty_san(self): |     def test_builder_api_empty_san(self): | ||||||
|         """Test Builder (via API)""" |         """Test Builder (via API)""" | ||||||
|         self.client.force_login(create_test_admin_user()) |         self.client.force_login(create_test_admin_user()) | ||||||
| @ -263,7 +274,7 @@ class TestCrypto(APITestCase): | |||||||
|             client_id="test", |             client_id="test", | ||||||
|             client_secret=generate_key(), |             client_secret=generate_key(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=keypair, |             signing_key=keypair, | ||||||
|         ) |         ) | ||||||
|         response = self.client.get( |         response = self.client.get( | ||||||
| @ -295,7 +306,7 @@ class TestCrypto(APITestCase): | |||||||
|             client_id="test", |             client_id="test", | ||||||
|             client_secret=generate_key(), |             client_secret=generate_key(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=keypair, |             signing_key=keypair, | ||||||
|         ) |         ) | ||||||
|         response = self.client.get( |         response = self.client.get( | ||||||
|  | |||||||
| @ -16,13 +16,28 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer): | |||||||
|  |  | ||||||
|     class Meta: |     class Meta: | ||||||
|         model = RACProvider |         model = RACProvider | ||||||
|         fields = ProviderSerializer.Meta.fields + [ |         fields = [ | ||||||
|  |             "pk", | ||||||
|  |             "name", | ||||||
|  |             "authentication_flow", | ||||||
|  |             "authorization_flow", | ||||||
|  |             "property_mappings", | ||||||
|  |             "component", | ||||||
|  |             "assigned_application_slug", | ||||||
|  |             "assigned_application_name", | ||||||
|  |             "assigned_backchannel_application_slug", | ||||||
|  |             "assigned_backchannel_application_name", | ||||||
|  |             "verbose_name", | ||||||
|  |             "verbose_name_plural", | ||||||
|  |             "meta_model_name", | ||||||
|             "settings", |             "settings", | ||||||
|             "outpost_set", |             "outpost_set", | ||||||
|             "connection_expiry", |             "connection_expiry", | ||||||
|             "delete_token_on_disconnect", |             "delete_token_on_disconnect", | ||||||
|         ] |         ] | ||||||
|         extra_kwargs = ProviderSerializer.Meta.extra_kwargs |         extra_kwargs = { | ||||||
|  |             "authorization_flow": {"required": True, "allow_null": False}, | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |  | ||||||
| class RACProviderViewSet(UsedByMixin, ModelViewSet): | class RACProviderViewSet(UsedByMixin, ModelViewSet): | ||||||
|  | |||||||
| @ -3,7 +3,7 @@ | |||||||
| {% load authentik_core %} | {% load authentik_core %} | ||||||
|  |  | ||||||
| {% block head %} | {% block head %} | ||||||
| {% versioned_script "dist/enterprise/rac/index-%v.js" %} | <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script> | ||||||
| <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)"> | <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)"> | ||||||
| <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)"> | <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)"> | ||||||
| <link rel="icon" href="{{ tenant.branding_favicon }}"> | <link rel="icon" href="{{ tenant.branding_favicon }}"> | ||||||
|  | |||||||
							
								
								
									
										46
									
								
								authentik/enterprise/providers/rac/tests/test_api.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										46
									
								
								authentik/enterprise/providers/rac/tests/test_api.py
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,46 @@ | |||||||
|  | """Test RAC Provider""" | ||||||
|  |  | ||||||
|  | from datetime import timedelta | ||||||
|  | from time import mktime | ||||||
|  | from unittest.mock import MagicMock, patch | ||||||
|  |  | ||||||
|  | from django.urls import reverse | ||||||
|  | from django.utils.timezone import now | ||||||
|  | from rest_framework.test import APITestCase | ||||||
|  |  | ||||||
|  | from authentik.core.tests.utils import create_test_admin_user, create_test_flow | ||||||
|  | from authentik.enterprise.license import LicenseKey | ||||||
|  | from authentik.enterprise.models import License | ||||||
|  | from authentik.lib.generators import generate_id | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class TestAPI(APITestCase): | ||||||
|  |     """Test Provider API""" | ||||||
|  |  | ||||||
|  |     def setUp(self) -> None: | ||||||
|  |         self.user = create_test_admin_user() | ||||||
|  |  | ||||||
|  |     @patch( | ||||||
|  |         "authentik.enterprise.license.LicenseKey.validate", | ||||||
|  |         MagicMock( | ||||||
|  |             return_value=LicenseKey( | ||||||
|  |                 aud="", | ||||||
|  |                 exp=int(mktime((now() + timedelta(days=3000)).timetuple())), | ||||||
|  |                 name=generate_id(), | ||||||
|  |                 internal_users=100, | ||||||
|  |                 external_users=100, | ||||||
|  |             ) | ||||||
|  |         ), | ||||||
|  |     ) | ||||||
|  |     def test_create(self): | ||||||
|  |         """Test creation of RAC Provider""" | ||||||
|  |         License.objects.create(key=generate_id()) | ||||||
|  |         self.client.force_login(self.user) | ||||||
|  |         response = self.client.post( | ||||||
|  |             reverse("authentik_api:racprovider-list"), | ||||||
|  |             data={ | ||||||
|  |                 "name": generate_id(), | ||||||
|  |                 "authorization_flow": create_test_flow().pk, | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(response.status_code, 201) | ||||||
| @ -68,7 +68,6 @@ class TestEndpointsAPI(APITestCase): | |||||||
|                             "name": self.provider.name, |                             "name": self.provider.name, | ||||||
|                             "authentication_flow": None, |                             "authentication_flow": None, | ||||||
|                             "authorization_flow": None, |                             "authorization_flow": None, | ||||||
|                             "invalidation_flow": None, |  | ||||||
|                             "property_mappings": [], |                             "property_mappings": [], | ||||||
|                             "connection_expiry": "hours=8", |                             "connection_expiry": "hours=8", | ||||||
|                             "delete_token_on_disconnect": False, |                             "delete_token_on_disconnect": False, | ||||||
| @ -121,7 +120,6 @@ class TestEndpointsAPI(APITestCase): | |||||||
|                             "name": self.provider.name, |                             "name": self.provider.name, | ||||||
|                             "authentication_flow": None, |                             "authentication_flow": None, | ||||||
|                             "authorization_flow": None, |                             "authorization_flow": None, | ||||||
|                             "invalidation_flow": None, |  | ||||||
|                             "property_mappings": [], |                             "property_mappings": [], | ||||||
|                             "component": "ak-provider-rac-form", |                             "component": "ak-provider-rac-form", | ||||||
|                             "assigned_application_slug": self.app.slug, |                             "assigned_application_slug": self.app.slug, | ||||||
| @ -151,7 +149,6 @@ class TestEndpointsAPI(APITestCase): | |||||||
|                             "name": self.provider.name, |                             "name": self.provider.name, | ||||||
|                             "authentication_flow": None, |                             "authentication_flow": None, | ||||||
|                             "authorization_flow": None, |                             "authorization_flow": None, | ||||||
|                             "invalidation_flow": None, |  | ||||||
|                             "property_mappings": [], |                             "property_mappings": [], | ||||||
|                             "component": "ak-provider-rac-form", |                             "component": "ak-provider-rac-form", | ||||||
|                             "assigned_application_slug": self.app.slug, |                             "assigned_application_slug": self.app.slug, | ||||||
|  | |||||||
| @ -18,7 +18,7 @@ window.authentik.flow = { | |||||||
| {% endblock %} | {% endblock %} | ||||||
|  |  | ||||||
| {% block head %} | {% block head %} | ||||||
| {% versioned_script "dist/flow/FlowInterface-%v.js" %} | <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script> | ||||||
| <style> | <style> | ||||||
| :root { | :root { | ||||||
|     --ak-flow-background: url("{{ flow.background_url }}"); |     --ak-flow-background: url("{{ flow.background_url }}"); | ||||||
|  | |||||||
| @ -89,6 +89,10 @@ class PasswordPolicy(Policy): | |||||||
|  |  | ||||||
|     def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult: |     def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult: | ||||||
|         """Check static rules""" |         """Check static rules""" | ||||||
|  |         error_message = self.error_message | ||||||
|  |         if error_message == "": | ||||||
|  |             error_message = _("Invalid password.") | ||||||
|  |  | ||||||
|         if len(password) < self.length_min: |         if len(password) < self.length_min: | ||||||
|             LOGGER.debug("password failed", check="static", reason="length") |             LOGGER.debug("password failed", check="static", reason="length") | ||||||
|             return PolicyResult(False, self.error_message) |             return PolicyResult(False, self.error_message) | ||||||
|  | |||||||
| @ -159,7 +159,10 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet): | |||||||
|         access_response = PolicyResult(result.passing) |         access_response = PolicyResult(result.passing) | ||||||
|         response = self.LDAPCheckAccessSerializer( |         response = self.LDAPCheckAccessSerializer( | ||||||
|             instance={ |             instance={ | ||||||
|                 "has_search_permission": request.user.has_perm("search_full_directory", provider), |                 "has_search_permission": ( | ||||||
|  |                     request.user.has_perm("search_full_directory", provider) | ||||||
|  |                     or request.user.has_perm("authentik_providers_ldap.search_full_directory") | ||||||
|  |                 ), | ||||||
|                 "access": access_response, |                 "access": access_response, | ||||||
|             } |             } | ||||||
|         ) |         ) | ||||||
|  | |||||||
| @ -1,15 +1,18 @@ | |||||||
| """OAuth2Provider API Views""" | """OAuth2Provider API Views""" | ||||||
|  |  | ||||||
| from copy import copy | from copy import copy | ||||||
|  | from re import compile | ||||||
|  | from re import error as RegexError | ||||||
|  |  | ||||||
| from django.urls import reverse | from django.urls import reverse | ||||||
| from django.utils import timezone | from django.utils import timezone | ||||||
|  | from django.utils.translation import gettext_lazy as _ | ||||||
| from drf_spectacular.types import OpenApiTypes | from drf_spectacular.types import OpenApiTypes | ||||||
| from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema | from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema | ||||||
| from guardian.shortcuts import get_objects_for_user | from guardian.shortcuts import get_objects_for_user | ||||||
| from rest_framework.decorators import action | from rest_framework.decorators import action | ||||||
| from rest_framework.exceptions import ValidationError | from rest_framework.exceptions import ValidationError | ||||||
| from rest_framework.fields import CharField | from rest_framework.fields import CharField, ChoiceField | ||||||
| from rest_framework.generics import get_object_or_404 | from rest_framework.generics import get_object_or_404 | ||||||
| from rest_framework.request import Request | from rest_framework.request import Request | ||||||
| from rest_framework.response import Response | from rest_framework.response import Response | ||||||
| @ -20,13 +23,39 @@ from authentik.core.api.used_by import UsedByMixin | |||||||
| from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer | from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer | ||||||
| from authentik.core.models import Provider | from authentik.core.models import Provider | ||||||
| from authentik.providers.oauth2.id_token import IDToken | from authentik.providers.oauth2.id_token import IDToken | ||||||
| from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     AccessToken, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.rbac.decorators import permission_required | from authentik.rbac.decorators import permission_required | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class RedirectURISerializer(PassiveSerializer): | ||||||
|  |     """A single allowed redirect URI entry""" | ||||||
|  |  | ||||||
|  |     matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices) | ||||||
|  |     url = CharField() | ||||||
|  |  | ||||||
|  |  | ||||||
| class OAuth2ProviderSerializer(ProviderSerializer): | class OAuth2ProviderSerializer(ProviderSerializer): | ||||||
|     """OAuth2Provider Serializer""" |     """OAuth2Provider Serializer""" | ||||||
|  |  | ||||||
|  |     redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris") | ||||||
|  |  | ||||||
|  |     def validate_redirect_uris(self, data: list) -> list: | ||||||
|  |         for entry in data: | ||||||
|  |             if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX: | ||||||
|  |                 url = entry.get("url") | ||||||
|  |                 try: | ||||||
|  |                     compile(url) | ||||||
|  |                 except RegexError: | ||||||
|  |                     raise ValidationError( | ||||||
|  |                         _("Invalid Regex Pattern: {url}".format(url=url)) | ||||||
|  |                     ) from None | ||||||
|  |         return data | ||||||
|  |  | ||||||
|     class Meta: |     class Meta: | ||||||
|         model = OAuth2Provider |         model = OAuth2Provider | ||||||
|         fields = ProviderSerializer.Meta.fields + [ |         fields = ProviderSerializer.Meta.fields + [ | ||||||
| @ -79,7 +108,6 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet): | |||||||
|         "refresh_token_validity", |         "refresh_token_validity", | ||||||
|         "include_claims_in_id_token", |         "include_claims_in_id_token", | ||||||
|         "signing_key", |         "signing_key", | ||||||
|         "redirect_uris", |  | ||||||
|         "sub_mode", |         "sub_mode", | ||||||
|         "property_mappings", |         "property_mappings", | ||||||
|         "issuer_mode", |         "issuer_mode", | ||||||
|  | |||||||
| @ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect | |||||||
| from authentik.events.models import Event, EventAction | from authentik.events.models import Event, EventAction | ||||||
| from authentik.lib.sentry import SentryIgnoredException | from authentik.lib.sentry import SentryIgnoredException | ||||||
| from authentik.lib.views import bad_request_message | from authentik.lib.views import bad_request_message | ||||||
| from authentik.providers.oauth2.models import GrantTypes | from authentik.providers.oauth2.models import GrantTypes, RedirectURI | ||||||
|  |  | ||||||
|  |  | ||||||
| class OAuth2Error(SentryIgnoredException): | class OAuth2Error(SentryIgnoredException): | ||||||
| @ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error): | |||||||
|     ) |     ) | ||||||
|  |  | ||||||
|     provided_uri: str |     provided_uri: str | ||||||
|     allowed_uris: list[str] |     allowed_uris: list[RedirectURI] | ||||||
|  |  | ||||||
|     def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None: |     def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None: | ||||||
|         super().__init__() |         super().__init__() | ||||||
|         self.provided_uri = provided_uri |         self.provided_uri = provided_uri | ||||||
|         self.allowed_uris = allowed_uris |         self.allowed_uris = allowed_uris | ||||||
|  | |||||||
| @ -11,13 +11,16 @@ class Migration(migrations.Migration): | |||||||
|         migrations.swappable_dependency(settings.AUTH_USER_MODEL), |         migrations.swappable_dependency(settings.AUTH_USER_MODEL), | ||||||
|     ] |     ] | ||||||
|  |  | ||||||
|     operations = [ |     # Original preserved | ||||||
|         migrations.AddIndex( |     # See https://github.com/goauthentik/authentik/issues/11874 | ||||||
|             model_name="accesstoken", |     # operations = [ | ||||||
|             index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"), |     #     migrations.AddIndex( | ||||||
|         ), |     #         model_name="accesstoken", | ||||||
|         migrations.AddIndex( |     #         index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"), | ||||||
|             model_name="refreshtoken", |     #     ), | ||||||
|             index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"), |     #     migrations.AddIndex( | ||||||
|         ), |     #         model_name="refreshtoken", | ||||||
|     ] |     #         index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"), | ||||||
|  |     #     ), | ||||||
|  |     # ] | ||||||
|  |     operations = [] | ||||||
|  | |||||||
| @ -11,21 +11,24 @@ class Migration(migrations.Migration): | |||||||
|         migrations.swappable_dependency(settings.AUTH_USER_MODEL), |         migrations.swappable_dependency(settings.AUTH_USER_MODEL), | ||||||
|     ] |     ] | ||||||
|  |  | ||||||
|     operations = [ |     # Original preserved | ||||||
|         migrations.RemoveIndex( |     # See https://github.com/goauthentik/authentik/issues/11874 | ||||||
|             model_name="accesstoken", |     # operations = [ | ||||||
|             name="authentik_p_token_4bc870_idx", |     #     migrations.RemoveIndex( | ||||||
|         ), |     #         model_name="accesstoken", | ||||||
|         migrations.RemoveIndex( |     #         name="authentik_p_token_4bc870_idx", | ||||||
|             model_name="refreshtoken", |     #     ), | ||||||
|             name="authentik_p_token_1a841f_idx", |     #     migrations.RemoveIndex( | ||||||
|         ), |     #         model_name="refreshtoken", | ||||||
|         migrations.AddIndex( |     #         name="authentik_p_token_1a841f_idx", | ||||||
|             model_name="accesstoken", |     #     ), | ||||||
|             index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"), |     #     migrations.AddIndex( | ||||||
|         ), |     #         model_name="accesstoken", | ||||||
|         migrations.AddIndex( |     #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"), | ||||||
|             model_name="refreshtoken", |     #     ), | ||||||
|             index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"), |     #     migrations.AddIndex( | ||||||
|         ), |     #         model_name="refreshtoken", | ||||||
|     ] |     #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"), | ||||||
|  |     #     ), | ||||||
|  |     # ] | ||||||
|  |     operations = [] | ||||||
|  | |||||||
| @ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor): | |||||||
| class Migration(migrations.Migration): | class Migration(migrations.Migration): | ||||||
|  |  | ||||||
|     dependencies = [ |     dependencies = [ | ||||||
|         ("authentik_core", "0040_provider_invalidation_flow"), |         ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"), | ||||||
|         ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"), |         ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"), | ||||||
|     ] |     ] | ||||||
|  |  | ||||||
|  | |||||||
| @ -0,0 +1,31 @@ | |||||||
|  | # Generated by Django 5.0.9 on 2024-10-31 14:28 | ||||||
|  |  | ||||||
|  | import django.contrib.postgres.indexes | ||||||
|  | from django.conf import settings | ||||||
|  | from django.db import migrations | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class Migration(migrations.Migration): | ||||||
|  |  | ||||||
|  |     dependencies = [ | ||||||
|  |         ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"), | ||||||
|  |         ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"), | ||||||
|  |         migrations.swappable_dependency(settings.AUTH_USER_MODEL), | ||||||
|  |     ] | ||||||
|  |  | ||||||
|  |     operations = [ | ||||||
|  |         migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"), | ||||||
|  |         migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"), | ||||||
|  |         migrations.AddIndex( | ||||||
|  |             model_name="accesstoken", | ||||||
|  |             index=django.contrib.postgres.indexes.HashIndex( | ||||||
|  |                 fields=["token"], name="authentik_p_token_e00883_hash" | ||||||
|  |             ), | ||||||
|  |         ), | ||||||
|  |         migrations.AddIndex( | ||||||
|  |             model_name="refreshtoken", | ||||||
|  |             index=django.contrib.postgres.indexes.HashIndex( | ||||||
|  |                 fields=["token"], name="authentik_p_token_32e2b7_hash" | ||||||
|  |             ), | ||||||
|  |         ), | ||||||
|  |     ] | ||||||
| @ -0,0 +1,49 @@ | |||||||
|  | # Generated by Django 5.0.9 on 2024-11-04 12:56 | ||||||
|  | from dataclasses import asdict | ||||||
|  | from django.apps.registry import Apps | ||||||
|  |  | ||||||
|  | from django.db.backends.base.schema import BaseDatabaseSchemaEditor | ||||||
|  |  | ||||||
|  | from django.db import migrations, models | ||||||
|  |  | ||||||
|  |  | ||||||
|  | def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor): | ||||||
|  |     from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode | ||||||
|  |  | ||||||
|  |     OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider") | ||||||
|  |  | ||||||
|  |     db_alias = schema_editor.connection.alias | ||||||
|  |     for provider in OAuth2Provider.objects.using(db_alias).all(): | ||||||
|  |         uris = [] | ||||||
|  |         for old in provider.old_redirect_uris.split("\n"): | ||||||
|  |             mode = RedirectURIMatchingMode.STRICT | ||||||
|  |             if old == "*" or old == ".*": | ||||||
|  |                 mode = RedirectURIMatchingMode.REGEX | ||||||
|  |             uris.append(asdict(RedirectURI(mode, url=old))) | ||||||
|  |         provider._redirect_uris = uris | ||||||
|  |         provider.save() | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class Migration(migrations.Migration): | ||||||
|  |  | ||||||
|  |     dependencies = [ | ||||||
|  |         ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"), | ||||||
|  |     ] | ||||||
|  |  | ||||||
|  |     operations = [ | ||||||
|  |         migrations.RenameField( | ||||||
|  |             model_name="oauth2provider", | ||||||
|  |             old_name="redirect_uris", | ||||||
|  |             new_name="old_redirect_uris", | ||||||
|  |         ), | ||||||
|  |         migrations.AddField( | ||||||
|  |             model_name="oauth2provider", | ||||||
|  |             name="_redirect_uris", | ||||||
|  |             field=models.JSONField(default=dict, verbose_name="Redirect URIs"), | ||||||
|  |         ), | ||||||
|  |         migrations.RunPython(migrate_redirect_uris, lambda *args: ...), | ||||||
|  |         migrations.RemoveField( | ||||||
|  |             model_name="oauth2provider", | ||||||
|  |             name="old_redirect_uris", | ||||||
|  |         ), | ||||||
|  |     ] | ||||||
| @ -3,7 +3,7 @@ | |||||||
| import base64 | import base64 | ||||||
| import binascii | import binascii | ||||||
| import json | import json | ||||||
| from dataclasses import asdict | from dataclasses import asdict, dataclass | ||||||
| from functools import cached_property | from functools import cached_property | ||||||
| from hashlib import sha256 | from hashlib import sha256 | ||||||
| from typing import Any | from typing import Any | ||||||
| @ -12,7 +12,9 @@ from urllib.parse import urlparse, urlunparse | |||||||
| from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey | from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey | ||||||
| from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey | from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey | ||||||
| from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes | from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes | ||||||
|  | from dacite import Config | ||||||
| from dacite.core import from_dict | from dacite.core import from_dict | ||||||
|  | from django.contrib.postgres.indexes import HashIndex | ||||||
| from django.db import models | from django.db import models | ||||||
| from django.http import HttpRequest | from django.http import HttpRequest | ||||||
| from django.templatetags.static import static | from django.templatetags.static import static | ||||||
| @ -76,11 +78,25 @@ class IssuerMode(models.TextChoices): | |||||||
|     """Configure how the `iss` field is created.""" |     """Configure how the `iss` field is created.""" | ||||||
|  |  | ||||||
|     GLOBAL = "global", _("Same identifier is used for all providers") |     GLOBAL = "global", _("Same identifier is used for all providers") | ||||||
|     PER_PROVIDER = "per_provider", _( |     PER_PROVIDER = ( | ||||||
|         "Each provider has a different issuer, based on the application slug." |         "per_provider", | ||||||
|  |         _("Each provider has a different issuer, based on the application slug."), | ||||||
|     ) |     ) | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class RedirectURIMatchingMode(models.TextChoices): | ||||||
|  |     STRICT = "strict", _("Strict URL comparison") | ||||||
|  |     REGEX = "regex", _("Regular Expression URL matching") | ||||||
|  |  | ||||||
|  |  | ||||||
|  | @dataclass | ||||||
|  | class RedirectURI: | ||||||
|  |     """A single redirect URI entry""" | ||||||
|  |  | ||||||
|  |     matching_mode: RedirectURIMatchingMode | ||||||
|  |     url: str | ||||||
|  |  | ||||||
|  |  | ||||||
| class ResponseTypes(models.TextChoices): | class ResponseTypes(models.TextChoices): | ||||||
|     """Response Type required by the client.""" |     """Response Type required by the client.""" | ||||||
|  |  | ||||||
| @ -155,11 +171,9 @@ class OAuth2Provider(WebfingerProvider, Provider): | |||||||
|         verbose_name=_("Client Secret"), |         verbose_name=_("Client Secret"), | ||||||
|         default=generate_client_secret, |         default=generate_client_secret, | ||||||
|     ) |     ) | ||||||
|     redirect_uris = models.TextField( |     _redirect_uris = models.JSONField( | ||||||
|         default="", |         default=dict, | ||||||
|         blank=True, |  | ||||||
|         verbose_name=_("Redirect URIs"), |         verbose_name=_("Redirect URIs"), | ||||||
|         help_text=_("Enter each URI on a new line."), |  | ||||||
|     ) |     ) | ||||||
|  |  | ||||||
|     include_claims_in_id_token = models.BooleanField( |     include_claims_in_id_token = models.BooleanField( | ||||||
| @ -270,12 +284,33 @@ class OAuth2Provider(WebfingerProvider, Provider): | |||||||
|         except Provider.application.RelatedObjectDoesNotExist: |         except Provider.application.RelatedObjectDoesNotExist: | ||||||
|             return None |             return None | ||||||
|  |  | ||||||
|  |     @property | ||||||
|  |     def redirect_uris(self) -> list[RedirectURI]: | ||||||
|  |         uris = [] | ||||||
|  |         for entry in self._redirect_uris: | ||||||
|  |             uris.append( | ||||||
|  |                 from_dict( | ||||||
|  |                     RedirectURI, | ||||||
|  |                     entry, | ||||||
|  |                     config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}), | ||||||
|  |                 ) | ||||||
|  |             ) | ||||||
|  |         return uris | ||||||
|  |  | ||||||
|  |     @redirect_uris.setter | ||||||
|  |     def redirect_uris(self, value: list[RedirectURI]): | ||||||
|  |         cleansed = [] | ||||||
|  |         for entry in value: | ||||||
|  |             cleansed.append(asdict(entry)) | ||||||
|  |         self._redirect_uris = cleansed | ||||||
|  |  | ||||||
|     @property |     @property | ||||||
|     def launch_url(self) -> str | None: |     def launch_url(self) -> str | None: | ||||||
|         """Guess launch_url based on first redirect_uri""" |         """Guess launch_url based on first redirect_uri""" | ||||||
|         if self.redirect_uris == "": |         redirects = self.redirect_uris | ||||||
|  |         if len(redirects) < 1: | ||||||
|             return None |             return None | ||||||
|         main_url = self.redirect_uris.split("\n", maxsplit=1)[0] |         main_url = redirects[0].url | ||||||
|         try: |         try: | ||||||
|             launch_url = urlparse(main_url)._replace(path="") |             launch_url = urlparse(main_url)._replace(path="") | ||||||
|             return urlunparse(launch_url) |             return urlunparse(launch_url) | ||||||
| @ -418,7 +453,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel): | |||||||
|  |  | ||||||
|     class Meta: |     class Meta: | ||||||
|         indexes = [ |         indexes = [ | ||||||
|             models.Index(fields=["token", "provider"]), |             HashIndex(fields=["token"]), | ||||||
|         ] |         ] | ||||||
|         verbose_name = _("OAuth2 Access Token") |         verbose_name = _("OAuth2 Access Token") | ||||||
|         verbose_name_plural = _("OAuth2 Access Tokens") |         verbose_name_plural = _("OAuth2 Access Tokens") | ||||||
| @ -464,7 +499,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel): | |||||||
|  |  | ||||||
|     class Meta: |     class Meta: | ||||||
|         indexes = [ |         indexes = [ | ||||||
|             models.Index(fields=["token", "provider"]), |             HashIndex(fields=["token"]), | ||||||
|         ] |         ] | ||||||
|         verbose_name = _("OAuth2 Refresh Token") |         verbose_name = _("OAuth2 Refresh Token") | ||||||
|         verbose_name_plural = _("OAuth2 Refresh Tokens") |         verbose_name_plural = _("OAuth2 Refresh Tokens") | ||||||
|  | |||||||
| @ -10,7 +10,13 @@ from rest_framework.test import APITestCase | |||||||
| from authentik.blueprints.tests import apply_blueprint | from authentik.blueprints.tests import apply_blueprint | ||||||
| from authentik.core.models import Application | from authentik.core.models import Application | ||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_flow | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping | from authentik.lib.generators import generate_id | ||||||
|  | from authentik.providers.oauth2.models import ( | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
|  |  | ||||||
|  |  | ||||||
| class TestAPI(APITestCase): | class TestAPI(APITestCase): | ||||||
| @ -21,7 +27,7 @@ class TestAPI(APITestCase): | |||||||
|         self.provider: OAuth2Provider = OAuth2Provider.objects.create( |         self.provider: OAuth2Provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|         ) |         ) | ||||||
|         self.provider.property_mappings.set(ScopeMapping.objects.all()) |         self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||||||
|         self.app = Application.objects.create(name="test", slug="test", provider=self.provider) |         self.app = Application.objects.create(name="test", slug="test", provider=self.provider) | ||||||
| @ -50,9 +56,29 @@ class TestAPI(APITestCase): | |||||||
|     @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up") |     @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up") | ||||||
|     def test_launch_url(self): |     def test_launch_url(self): | ||||||
|         """Test launch_url""" |         """Test launch_url""" | ||||||
|         self.provider.redirect_uris = ( |         self.provider.redirect_uris = [ | ||||||
|             "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n" |             RedirectURI( | ||||||
|         ) |                 RedirectURIMatchingMode.REGEX, | ||||||
|  |                 "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/", | ||||||
|  |             ), | ||||||
|  |         ] | ||||||
|         self.provider.save() |         self.provider.save() | ||||||
|         self.provider.refresh_from_db() |         self.provider.refresh_from_db() | ||||||
|         self.assertIsNone(self.provider.launch_url) |         self.assertIsNone(self.provider.launch_url) | ||||||
|  |  | ||||||
|  |     def test_validate_redirect_uris(self): | ||||||
|  |         """Test redirect_uris API""" | ||||||
|  |         response = self.client.post( | ||||||
|  |             reverse("authentik_api:oauth2provider-list"), | ||||||
|  |             data={ | ||||||
|  |                 "name": generate_id(), | ||||||
|  |                 "authorization_flow": create_test_flow().pk, | ||||||
|  |                 "invalidation_flow": create_test_flow().pk, | ||||||
|  |                 "redirect_uris": [ | ||||||
|  |                     {"matching_mode": "strict", "url": "http://goauthentik.io"}, | ||||||
|  |                     {"matching_mode": "regex", "url": "**"}, | ||||||
|  |                 ], | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |         self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]}) | ||||||
|  |         self.assertEqual(response.status_code, 400) | ||||||
|  | |||||||
| @ -19,6 +19,8 @@ from authentik.providers.oauth2.models import ( | |||||||
|     AuthorizationCode, |     AuthorizationCode, | ||||||
|     GrantTypes, |     GrantTypes, | ||||||
|     OAuth2Provider, |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|     ScopeMapping, |     ScopeMapping, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
| @ -39,7 +41,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid/Foo", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(AuthorizeError): |         with self.assertRaises(AuthorizeError): | ||||||
|             request = self.factory.get( |             request = self.factory.get( | ||||||
| @ -64,7 +66,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid/Foo", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(AuthorizeError): |         with self.assertRaises(AuthorizeError): | ||||||
|             request = self.factory.get( |             request = self.factory.get( | ||||||
| @ -84,7 +86,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(RedirectUriError): |         with self.assertRaises(RedirectUriError): | ||||||
|             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) |             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) | ||||||
| @ -106,7 +108,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="data:local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(RedirectUriError): |         with self.assertRaises(RedirectUriError): | ||||||
|             request = self.factory.get( |             request = self.factory.get( | ||||||
| @ -125,7 +127,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="", |             redirect_uris=[], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(RedirectUriError): |         with self.assertRaises(RedirectUriError): | ||||||
|             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) |             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) | ||||||
| @ -140,7 +142,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|         ) |         ) | ||||||
|         OAuthAuthorizationParams.from_request(request) |         OAuthAuthorizationParams.from_request(request) | ||||||
|         provider.refresh_from_db() |         provider.refresh_from_db() | ||||||
|         self.assertEqual(provider.redirect_uris, "+") |         self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")]) | ||||||
|  |  | ||||||
|     def test_invalid_redirect_uri_regex(self): |     def test_invalid_redirect_uri_regex(self): | ||||||
|         """test missing/invalid redirect URI""" |         """test missing/invalid redirect URI""" | ||||||
| @ -148,7 +150,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid?", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(RedirectUriError): |         with self.assertRaises(RedirectUriError): | ||||||
|             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) |             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) | ||||||
| @ -170,7 +172,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="+", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")], | ||||||
|         ) |         ) | ||||||
|         with self.assertRaises(RedirectUriError): |         with self.assertRaises(RedirectUriError): | ||||||
|             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) |             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) | ||||||
| @ -213,7 +215,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid/Foo", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
| @ -301,7 +303,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="foo://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")], | ||||||
|             access_code_validity="seconds=100", |             access_code_validity="seconds=100", | ||||||
|         ) |         ) | ||||||
|         Application.objects.create(name="app", slug="app", provider=provider) |         Application.objects.create(name="app", slug="app", provider=provider) | ||||||
| @ -343,7 +345,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -420,7 +422,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|             encryption_key=self.keypair, |             encryption_key=self.keypair, | ||||||
|         ) |         ) | ||||||
| @ -486,7 +488,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         Application.objects.create(name="app", slug="app", provider=provider) |         Application.objects.create(name="app", slug="app", provider=provider) | ||||||
| @ -541,7 +543,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id=generate_id(), |             client_id=generate_id(), | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -599,7 +601,7 @@ class TestAuthorize(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id=generate_id(), |             client_id=generate_id(), | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="http://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider) |         app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider) | ||||||
|  | |||||||
| @ -3,6 +3,7 @@ | |||||||
| from urllib.parse import urlencode | from urllib.parse import urlencode | ||||||
|  |  | ||||||
| from django.urls import reverse | from django.urls import reverse | ||||||
|  | from rest_framework.test import APIClient | ||||||
|  |  | ||||||
| from authentik.core.models import Application, Group | from authentik.core.models import Application, Group | ||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow | ||||||
| @ -34,7 +35,10 @@ class TesOAuth2DeviceInit(OAuthTestCase): | |||||||
|         self.brand.flow_device_code = self.device_flow |         self.brand.flow_device_code = self.device_flow | ||||||
|         self.brand.save() |         self.brand.save() | ||||||
|  |  | ||||||
|     def test_device_init(self): |         self.api_client = APIClient() | ||||||
|  |         self.api_client.force_login(self.user) | ||||||
|  |  | ||||||
|  |     def test_device_init_get(self): | ||||||
|         """Test device init""" |         """Test device init""" | ||||||
|         res = self.client.get(reverse("authentik_providers_oauth2_root:device-login")) |         res = self.client.get(reverse("authentik_providers_oauth2_root:device-login")) | ||||||
|         self.assertEqual(res.status_code, 302) |         self.assertEqual(res.status_code, 302) | ||||||
| @ -48,6 +52,76 @@ class TesOAuth2DeviceInit(OAuthTestCase): | |||||||
|             ), |             ), | ||||||
|         ) |         ) | ||||||
|  |  | ||||||
|  |     def test_device_init_post(self): | ||||||
|  |         """Test device init""" | ||||||
|  |         res = self.api_client.get(reverse("authentik_providers_oauth2_root:device-login")) | ||||||
|  |         self.assertEqual(res.status_code, 302) | ||||||
|  |         self.assertEqual( | ||||||
|  |             res.url, | ||||||
|  |             reverse( | ||||||
|  |                 "authentik_core:if-flow", | ||||||
|  |                 kwargs={ | ||||||
|  |                     "flow_slug": self.device_flow.slug, | ||||||
|  |                 }, | ||||||
|  |             ), | ||||||
|  |         ) | ||||||
|  |         res = self.api_client.get( | ||||||
|  |             reverse( | ||||||
|  |                 "authentik_api:flow-executor", | ||||||
|  |                 kwargs={ | ||||||
|  |                     "flow_slug": self.device_flow.slug, | ||||||
|  |                 }, | ||||||
|  |             ), | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(res.status_code, 200) | ||||||
|  |         self.assertJSONEqual( | ||||||
|  |             res.content, | ||||||
|  |             { | ||||||
|  |                 "component": "ak-provider-oauth2-device-code", | ||||||
|  |                 "flow_info": { | ||||||
|  |                     "background": "/static/dist/assets/images/flow_background.jpg", | ||||||
|  |                     "cancel_url": "/flows/-/cancel/", | ||||||
|  |                     "layout": "stacked", | ||||||
|  |                     "title": self.device_flow.title, | ||||||
|  |                 }, | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |  | ||||||
|  |         provider = OAuth2Provider.objects.create( | ||||||
|  |             name=generate_id(), | ||||||
|  |             authorization_flow=create_test_flow(), | ||||||
|  |         ) | ||||||
|  |         Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider) | ||||||
|  |         token = DeviceToken.objects.create( | ||||||
|  |             provider=provider, | ||||||
|  |         ) | ||||||
|  |  | ||||||
|  |         res = self.api_client.post( | ||||||
|  |             reverse( | ||||||
|  |                 "authentik_api:flow-executor", | ||||||
|  |                 kwargs={ | ||||||
|  |                     "flow_slug": self.device_flow.slug, | ||||||
|  |                 }, | ||||||
|  |             ), | ||||||
|  |             data={ | ||||||
|  |                 "component": "ak-provider-oauth2-device-code", | ||||||
|  |                 "code": token.user_code, | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(res.status_code, 200) | ||||||
|  |         self.assertJSONEqual( | ||||||
|  |             res.content, | ||||||
|  |             { | ||||||
|  |                 "component": "xak-flow-redirect", | ||||||
|  |                 "to": reverse( | ||||||
|  |                     "authentik_core:if-flow", | ||||||
|  |                     kwargs={ | ||||||
|  |                         "flow_slug": provider.authorization_flow.slug, | ||||||
|  |                     }, | ||||||
|  |                 ), | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |  | ||||||
|     def test_no_flow(self): |     def test_no_flow(self): | ||||||
|         """Test no flow""" |         """Test no flow""" | ||||||
|         self.brand.flow_device_code = None |         self.brand.flow_device_code = None | ||||||
|  | |||||||
| @ -11,7 +11,14 @@ from authentik.core.models import Application | |||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | ||||||
| from authentik.lib.generators import generate_id | from authentik.lib.generators import generate_id | ||||||
| from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT | from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT | ||||||
| from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken | from authentik.providers.oauth2.models import ( | ||||||
|  |     AccessToken, | ||||||
|  |     IDToken, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     RefreshToken, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -23,7 +30,7 @@ class TesOAuth2Introspection(OAuthTestCase): | |||||||
|         self.provider: OAuth2Provider = OAuth2Provider.objects.create( |         self.provider: OAuth2Provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.app = Application.objects.create( |         self.app = Application.objects.create( | ||||||
| @ -118,7 +125,7 @@ class TesOAuth2Introspection(OAuthTestCase): | |||||||
|         provider: OAuth2Provider = OAuth2Provider.objects.create( |         provider: OAuth2Provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() |         auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() | ||||||
|  | |||||||
| @ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow | |||||||
| from authentik.crypto.builder import PrivateKeyAlg | from authentik.crypto.builder import PrivateKeyAlg | ||||||
| from authentik.crypto.models import CertificateKeyPair | from authentik.crypto.models import CertificateKeyPair | ||||||
| from authentik.lib.generators import generate_id | from authentik.lib.generators import generate_id | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider | from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
| TEST_CORDS_CERT = """ | TEST_CORDS_CERT = """ | ||||||
| @ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase): | |||||||
|             name="test", |             name="test", | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create(name="test", slug="test", provider=provider) |         app = Application.objects.create(name="test", slug="test", provider=provider) | ||||||
| @ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase): | |||||||
|             name="test", |             name="test", | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create(name="test", slug="test", provider=provider) |         app = Application.objects.create(name="test", slug="test", provider=provider) | ||||||
|         response = self.client.get( |         response = self.client.get( | ||||||
| @ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase): | |||||||
|             name="test", |             name="test", | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=create_test_cert(PrivateKeyAlg.ECDSA), |             signing_key=create_test_cert(PrivateKeyAlg.ECDSA), | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create(name="test", slug="test", provider=provider) |         app = Application.objects.create(name="test", slug="test", provider=provider) | ||||||
| @ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase): | |||||||
|             name="test", |             name="test", | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=create_test_cert(PrivateKeyAlg.ECDSA), |             signing_key=create_test_cert(PrivateKeyAlg.ECDSA), | ||||||
|             encryption_key=create_test_cert(PrivateKeyAlg.ECDSA), |             encryption_key=create_test_cert(PrivateKeyAlg.ECDSA), | ||||||
|         ) |         ) | ||||||
| @ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase): | |||||||
|             name="test", |             name="test", | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=cert, |             signing_key=cert, | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create(name="test", slug="test", provider=provider) |         app = Application.objects.create(name="test", slug="test", provider=provider) | ||||||
|  | |||||||
| @ -10,7 +10,14 @@ from django.utils import timezone | |||||||
| from authentik.core.models import Application | from authentik.core.models import Application | ||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | ||||||
| from authentik.lib.generators import generate_id | from authentik.lib.generators import generate_id | ||||||
| from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken | from authentik.providers.oauth2.models import ( | ||||||
|  |     AccessToken, | ||||||
|  |     IDToken, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     RefreshToken, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -22,7 +29,7 @@ class TesOAuth2Revoke(OAuthTestCase): | |||||||
|         self.provider: OAuth2Provider = OAuth2Provider.objects.create( |         self.provider: OAuth2Provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.app = Application.objects.create( |         self.app = Application.objects.create( | ||||||
|  | |||||||
| @ -22,6 +22,8 @@ from authentik.providers.oauth2.models import ( | |||||||
|     AccessToken, |     AccessToken, | ||||||
|     AuthorizationCode, |     AuthorizationCode, | ||||||
|     OAuth2Provider, |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|     RefreshToken, |     RefreshToken, | ||||||
|     ScopeMapping, |     ScopeMapping, | ||||||
| ) | ) | ||||||
| @ -42,7 +44,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://TestServer", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() |         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() | ||||||
| @ -69,7 +71,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() |         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() | ||||||
| @ -90,7 +92,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() |         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() | ||||||
| @ -118,7 +120,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         # Needs to be assigned to an application for iss to be set |         # Needs to be assigned to an application for iss to be set | ||||||
| @ -157,7 +159,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|             encryption_key=self.keypair, |             encryption_key=self.keypair, | ||||||
|         ) |         ) | ||||||
| @ -188,7 +190,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -250,7 +252,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://local.invalid", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -308,7 +310,7 @@ class TestToken(OAuthTestCase): | |||||||
|         provider = OAuth2Provider.objects.create( |         provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=self.keypair, |             signing_key=self.keypair, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|  | |||||||
| @ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     SCOPE_OPENID_PROFILE, |     SCOPE_OPENID_PROFILE, | ||||||
|     TOKEN_TYPE, |     TOKEN_TYPE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
| from authentik.providers.oauth2.views.jwks import JWKSView | from authentik.providers.oauth2.views.jwks import JWKSView | ||||||
| from authentik.sources.oauth.models import OAuthSource | from authentik.sources.oauth.models import OAuthSource | ||||||
| @ -54,7 +59,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase): | |||||||
|         self.provider: OAuth2Provider = OAuth2Provider.objects.create( |         self.provider: OAuth2Provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=self.cert, |             signing_key=self.cert, | ||||||
|         ) |         ) | ||||||
|         self.provider.jwks_sources.add(self.source) |         self.provider.jwks_sources.add(self.source) | ||||||
|  | |||||||
| @ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     TOKEN_TYPE, |     TOKEN_TYPE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.errors import TokenError | from authentik.providers.oauth2.errors import TokenError | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     AccessToken, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -33,7 +39,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase): | |||||||
|         self.provider = OAuth2Provider.objects.create( |         self.provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.provider.property_mappings.set(ScopeMapping.objects.all()) |         self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||||||
| @ -107,6 +113,48 @@ class TestTokenClientCredentialsStandard(OAuthTestCase): | |||||||
|             {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, |             {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, | ||||||
|         ) |         ) | ||||||
|  |  | ||||||
|  |     def test_incorrect_scopes(self): | ||||||
|  |         """test scope that isn't configured""" | ||||||
|  |         response = self.client.post( | ||||||
|  |             reverse("authentik_providers_oauth2:token"), | ||||||
|  |             { | ||||||
|  |                 "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||||||
|  |                 "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope", | ||||||
|  |                 "client_id": self.provider.client_id, | ||||||
|  |                 "client_secret": self.provider.client_secret, | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(response.status_code, 200) | ||||||
|  |         body = loads(response.content.decode()) | ||||||
|  |         self.assertEqual(body["token_type"], TOKEN_TYPE) | ||||||
|  |         token = AccessToken.objects.filter( | ||||||
|  |             provider=self.provider, token=body["access_token"] | ||||||
|  |         ).first() | ||||||
|  |         self.assertSetEqual( | ||||||
|  |             set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE} | ||||||
|  |         ) | ||||||
|  |         _, alg = self.provider.jwt_key | ||||||
|  |         jwt = decode( | ||||||
|  |             body["access_token"], | ||||||
|  |             key=self.provider.signing_key.public_key, | ||||||
|  |             algorithms=[alg], | ||||||
|  |             audience=self.provider.client_id, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual( | ||||||
|  |             jwt["given_name"], "Autogenerated user from application test (client credentials)" | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials") | ||||||
|  |         jwt = decode( | ||||||
|  |             body["id_token"], | ||||||
|  |             key=self.provider.signing_key.public_key, | ||||||
|  |             algorithms=[alg], | ||||||
|  |             audience=self.provider.client_id, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual( | ||||||
|  |             jwt["given_name"], "Autogenerated user from application test (client credentials)" | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials") | ||||||
|  |  | ||||||
|     def test_successful(self): |     def test_successful(self): | ||||||
|         """test successful""" |         """test successful""" | ||||||
|         response = self.client.post( |         response = self.client.post( | ||||||
|  | |||||||
| @ -20,7 +20,12 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     TOKEN_TYPE, |     TOKEN_TYPE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.errors import TokenError | from authentik.providers.oauth2.errors import TokenError | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -34,7 +39,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase): | |||||||
|         self.provider = OAuth2Provider.objects.create( |         self.provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.provider.property_mappings.set(ScopeMapping.objects.all()) |         self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||||||
|  | |||||||
| @ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     TOKEN_TYPE, |     TOKEN_TYPE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.errors import TokenError | from authentik.providers.oauth2.errors import TokenError | ||||||
| from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -33,7 +38,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase): | |||||||
|         self.provider = OAuth2Provider.objects.create( |         self.provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.provider.property_mappings.set(ScopeMapping.objects.all()) |         self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||||||
|  | |||||||
| @ -9,8 +9,19 @@ from authentik.blueprints.tests import apply_blueprint | |||||||
| from authentik.core.models import Application | from authentik.core.models import Application | ||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | ||||||
| from authentik.lib.generators import generate_code_fixed_length, generate_id | from authentik.lib.generators import generate_code_fixed_length, generate_id | ||||||
| from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE | from authentik.providers.oauth2.constants import ( | ||||||
| from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping |     GRANT_TYPE_DEVICE_CODE, | ||||||
|  |     SCOPE_OPENID, | ||||||
|  |     SCOPE_OPENID_EMAIL, | ||||||
|  | ) | ||||||
|  | from authentik.providers.oauth2.models import ( | ||||||
|  |     AccessToken, | ||||||
|  |     DeviceToken, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -24,7 +35,7 @@ class TestTokenDeviceCode(OAuthTestCase): | |||||||
|         self.provider = OAuth2Provider.objects.create( |         self.provider = OAuth2Provider.objects.create( | ||||||
|             name="test", |             name="test", | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="http://testserver", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.provider.property_mappings.set(ScopeMapping.objects.all()) |         self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||||||
| @ -80,3 +91,28 @@ class TestTokenDeviceCode(OAuthTestCase): | |||||||
|             }, |             }, | ||||||
|         ) |         ) | ||||||
|         self.assertEqual(res.status_code, 200) |         self.assertEqual(res.status_code, 200) | ||||||
|  |  | ||||||
|  |     def test_code_mismatched_scope(self): | ||||||
|  |         """Test code with user (mismatched scopes)""" | ||||||
|  |         device_token = DeviceToken.objects.create( | ||||||
|  |             provider=self.provider, | ||||||
|  |             user_code=generate_code_fixed_length(), | ||||||
|  |             device_code=generate_id(), | ||||||
|  |             user=self.user, | ||||||
|  |             scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL], | ||||||
|  |         ) | ||||||
|  |         res = self.client.post( | ||||||
|  |             reverse("authentik_providers_oauth2:token"), | ||||||
|  |             data={ | ||||||
|  |                 "client_id": self.provider.client_id, | ||||||
|  |                 "grant_type": GRANT_TYPE_DEVICE_CODE, | ||||||
|  |                 "device_code": device_token.device_code, | ||||||
|  |                 "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid", | ||||||
|  |             }, | ||||||
|  |         ) | ||||||
|  |         self.assertEqual(res.status_code, 200) | ||||||
|  |         body = loads(res.content) | ||||||
|  |         token = AccessToken.objects.filter( | ||||||
|  |             provider=self.provider, token=body["access_token"] | ||||||
|  |         ).first() | ||||||
|  |         self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL}) | ||||||
|  | |||||||
| @ -10,7 +10,12 @@ from authentik.core.models import Application | |||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_flow | ||||||
| from authentik.lib.generators import generate_id | from authentik.lib.generators import generate_id | ||||||
| from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE | from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE | ||||||
| from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider | from authentik.providers.oauth2.models import ( | ||||||
|  |     AuthorizationCode, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -30,7 +35,7 @@ class TestTokenPKCE(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="foo://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")], | ||||||
|             access_code_validity="seconds=100", |             access_code_validity="seconds=100", | ||||||
|         ) |         ) | ||||||
|         Application.objects.create(name="app", slug="app", provider=provider) |         Application.objects.create(name="app", slug="app", provider=provider) | ||||||
| @ -93,7 +98,7 @@ class TestTokenPKCE(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="foo://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")], | ||||||
|             access_code_validity="seconds=100", |             access_code_validity="seconds=100", | ||||||
|         ) |         ) | ||||||
|         Application.objects.create(name="app", slug="app", provider=provider) |         Application.objects.create(name="app", slug="app", provider=provider) | ||||||
| @ -154,7 +159,7 @@ class TestTokenPKCE(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="foo://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")], | ||||||
|             access_code_validity="seconds=100", |             access_code_validity="seconds=100", | ||||||
|         ) |         ) | ||||||
|         Application.objects.create(name="app", slug="app", provider=provider) |         Application.objects.create(name="app", slug="app", provider=provider) | ||||||
| @ -210,7 +215,7 @@ class TestTokenPKCE(OAuthTestCase): | |||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             client_id="test", |             client_id="test", | ||||||
|             authorization_flow=flow, |             authorization_flow=flow, | ||||||
|             redirect_uris="foo://localhost", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")], | ||||||
|             access_code_validity="seconds=100", |             access_code_validity="seconds=100", | ||||||
|         ) |         ) | ||||||
|         Application.objects.create(name="app", slug="app", provider=provider) |         Application.objects.create(name="app", slug="app", provider=provider) | ||||||
|  | |||||||
| @ -11,7 +11,14 @@ from authentik.core.models import Application | |||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | ||||||
| from authentik.events.models import Event, EventAction | from authentik.events.models import Event, EventAction | ||||||
| from authentik.lib.generators import generate_id | from authentik.lib.generators import generate_id | ||||||
| from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     AccessToken, | ||||||
|  |     IDToken, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from authentik.providers.oauth2.tests.utils import OAuthTestCase | from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -25,7 +32,7 @@ class TestUserinfo(OAuthTestCase): | |||||||
|         self.provider: OAuth2Provider = OAuth2Provider.objects.create( |         self.provider: OAuth2Provider = OAuth2Provider.objects.create( | ||||||
|             name=generate_id(), |             name=generate_id(), | ||||||
|             authorization_flow=create_test_flow(), |             authorization_flow=create_test_flow(), | ||||||
|             redirect_uris="", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")], | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|         ) |         ) | ||||||
|         self.provider.property_mappings.set(ScopeMapping.objects.all()) |         self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||||||
|  | |||||||
| @ -56,6 +56,8 @@ from authentik.providers.oauth2.models import ( | |||||||
|     AuthorizationCode, |     AuthorizationCode, | ||||||
|     GrantTypes, |     GrantTypes, | ||||||
|     OAuth2Provider, |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|     ResponseMode, |     ResponseMode, | ||||||
|     ResponseTypes, |     ResponseTypes, | ||||||
|     ScopeMapping, |     ScopeMapping, | ||||||
| @ -187,40 +189,39 @@ class OAuthAuthorizationParams: | |||||||
|  |  | ||||||
|     def check_redirect_uri(self): |     def check_redirect_uri(self): | ||||||
|         """Redirect URI validation.""" |         """Redirect URI validation.""" | ||||||
|         allowed_redirect_urls = self.provider.redirect_uris.split() |         allowed_redirect_urls = self.provider.redirect_uris | ||||||
|         if not self.redirect_uri: |         if not self.redirect_uri: | ||||||
|             LOGGER.warning("Missing redirect uri.") |             LOGGER.warning("Missing redirect uri.") | ||||||
|             raise RedirectUriError("", allowed_redirect_urls) |             raise RedirectUriError("", allowed_redirect_urls) | ||||||
|  |  | ||||||
|         if self.provider.redirect_uris == "": |         if len(allowed_redirect_urls) < 1: | ||||||
|             LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri) |             LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri) | ||||||
|             self.provider.redirect_uris = self.redirect_uri |             self.provider.redirect_uris = [ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri) | ||||||
|  |             ] | ||||||
|             self.provider.save() |             self.provider.save() | ||||||
|             allowed_redirect_urls = self.provider.redirect_uris.split() |             allowed_redirect_urls = self.provider.redirect_uris | ||||||
|  |  | ||||||
|         if self.provider.redirect_uris == "*": |         match_found = False | ||||||
|             LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri) |         for allowed in allowed_redirect_urls: | ||||||
|             self.provider.redirect_uris = ".*" |             if allowed.matching_mode == RedirectURIMatchingMode.STRICT: | ||||||
|             self.provider.save() |                 if self.redirect_uri == allowed.url: | ||||||
|             allowed_redirect_urls = self.provider.redirect_uris.split() |                     match_found = True | ||||||
|  |                     break | ||||||
|         try: |             if allowed.matching_mode == RedirectURIMatchingMode.REGEX: | ||||||
|             if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls): |                 try: | ||||||
|                 LOGGER.warning( |                     if fullmatch(allowed.url, self.redirect_uri): | ||||||
|                     "Invalid redirect uri (regex comparison)", |                         match_found = True | ||||||
|                     redirect_uri_given=self.redirect_uri, |                         break | ||||||
|                     redirect_uri_expected=allowed_redirect_urls, |                 except RegexError as exc: | ||||||
|                 ) |                     LOGGER.warning( | ||||||
|                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) |                         "Failed to parse regular expression", | ||||||
|         except RegexError as exc: |                         exc=exc, | ||||||
|             LOGGER.info("Failed to parse regular expression, checking directly", exc=exc) |                         url=allowed.url, | ||||||
|             if not any(x == self.redirect_uri for x in allowed_redirect_urls): |                         provider=self.provider, | ||||||
|                 LOGGER.warning( |                     ) | ||||||
|                     "Invalid redirect uri (strict comparison)", |         if not match_found: | ||||||
|                     redirect_uri_given=self.redirect_uri, |             raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) | ||||||
|                     redirect_uri_expected=allowed_redirect_urls, |  | ||||||
|                 ) |  | ||||||
|                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None |  | ||||||
|         # Check against forbidden schemes |         # Check against forbidden schemes | ||||||
|         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES: |         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES: | ||||||
|             raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) |             raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) | ||||||
|  | |||||||
| @ -5,7 +5,7 @@ from typing import Any | |||||||
| from django.http import HttpRequest, HttpResponse | from django.http import HttpRequest, HttpResponse | ||||||
| from django.utils.translation import gettext as _ | from django.utils.translation import gettext as _ | ||||||
| from rest_framework.exceptions import ValidationError | from rest_framework.exceptions import ValidationError | ||||||
| from rest_framework.fields import CharField, IntegerField | from rest_framework.fields import CharField | ||||||
| from structlog.stdlib import get_logger | from structlog.stdlib import get_logger | ||||||
|  |  | ||||||
| from authentik.brands.models import Brand | from authentik.brands.models import Brand | ||||||
| @ -47,6 +47,9 @@ class CodeValidatorView(PolicyAccessView): | |||||||
|         self.provider = self.token.provider |         self.provider = self.token.provider | ||||||
|         self.application = self.token.provider.application |         self.application = self.token.provider.application | ||||||
|  |  | ||||||
|  |     def post(self, request: HttpRequest, *args, **kwargs): | ||||||
|  |         return self.get(request, *args, **kwargs) | ||||||
|  |  | ||||||
|     def get(self, request: HttpRequest, *args, **kwargs): |     def get(self, request: HttpRequest, *args, **kwargs): | ||||||
|         scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider) |         scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider) | ||||||
|         planner = FlowPlanner(self.provider.authorization_flow) |         planner = FlowPlanner(self.provider.authorization_flow) | ||||||
| @ -122,7 +125,7 @@ class OAuthDeviceCodeChallenge(Challenge): | |||||||
| class OAuthDeviceCodeChallengeResponse(ChallengeResponse): | class OAuthDeviceCodeChallengeResponse(ChallengeResponse): | ||||||
|     """Response that includes the user-entered device code""" |     """Response that includes the user-entered device code""" | ||||||
|  |  | ||||||
|     code = IntegerField() |     code = CharField() | ||||||
|     component = CharField(default="ak-provider-oauth2-device-code") |     component = CharField(default="ak-provider-oauth2-device-code") | ||||||
|  |  | ||||||
|     def validate_code(self, code: int) -> HttpResponse | None: |     def validate_code(self, code: int) -> HttpResponse | None: | ||||||
|  | |||||||
| @ -162,5 +162,5 @@ class ProviderInfoView(View): | |||||||
|             OAuth2Provider, pk=application.provider_id |             OAuth2Provider, pk=application.provider_id | ||||||
|         ) |         ) | ||||||
|         response = super().dispatch(request, *args, **kwargs) |         response = super().dispatch(request, *args, **kwargs) | ||||||
|         cors_allow(request, response, *self.provider.redirect_uris.split("\n")) |         cors_allow(request, response, *[x.url for x in self.provider.redirect_uris]) | ||||||
|         return response |         return response | ||||||
|  | |||||||
| @ -58,7 +58,9 @@ from authentik.providers.oauth2.models import ( | |||||||
|     ClientTypes, |     ClientTypes, | ||||||
|     DeviceToken, |     DeviceToken, | ||||||
|     OAuth2Provider, |     OAuth2Provider, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|     RefreshToken, |     RefreshToken, | ||||||
|  |     ScopeMapping, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth | from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth | ||||||
| from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES | from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES | ||||||
| @ -77,7 +79,7 @@ class TokenParams: | |||||||
|     redirect_uri: str |     redirect_uri: str | ||||||
|     grant_type: str |     grant_type: str | ||||||
|     state: str |     state: str | ||||||
|     scope: list[str] |     scope: set[str] | ||||||
|  |  | ||||||
|     provider: OAuth2Provider |     provider: OAuth2Provider | ||||||
|  |  | ||||||
| @ -112,11 +114,26 @@ class TokenParams: | |||||||
|             redirect_uri=request.POST.get("redirect_uri", ""), |             redirect_uri=request.POST.get("redirect_uri", ""), | ||||||
|             grant_type=request.POST.get("grant_type", ""), |             grant_type=request.POST.get("grant_type", ""), | ||||||
|             state=request.POST.get("state", ""), |             state=request.POST.get("state", ""), | ||||||
|             scope=request.POST.get("scope", "").split(), |             scope=set(request.POST.get("scope", "").split()), | ||||||
|             # PKCE parameter. |             # PKCE parameter. | ||||||
|             code_verifier=request.POST.get("code_verifier"), |             code_verifier=request.POST.get("code_verifier"), | ||||||
|         ) |         ) | ||||||
|  |  | ||||||
|  |     def __check_scopes(self): | ||||||
|  |         allowed_scope_names = set( | ||||||
|  |             ScopeMapping.objects.filter(provider__in=[self.provider]).values_list( | ||||||
|  |                 "scope_name", flat=True | ||||||
|  |             ) | ||||||
|  |         ) | ||||||
|  |         scopes_to_check = self.scope | ||||||
|  |         if not scopes_to_check.issubset(allowed_scope_names): | ||||||
|  |             LOGGER.info( | ||||||
|  |                 "Application requested scopes not configured, setting to overlap", | ||||||
|  |                 scope_allowed=allowed_scope_names, | ||||||
|  |                 scope_given=self.scope, | ||||||
|  |             ) | ||||||
|  |             self.scope = self.scope.intersection(allowed_scope_names) | ||||||
|  |  | ||||||
|     def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs): |     def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs): | ||||||
|         with start_span( |         with start_span( | ||||||
|             op="authentik.providers.oauth2.token.policy", |             op="authentik.providers.oauth2.token.policy", | ||||||
| @ -149,7 +166,7 @@ class TokenParams: | |||||||
|                     client_id=self.provider.client_id, |                     client_id=self.provider.client_id, | ||||||
|                 ) |                 ) | ||||||
|                 raise TokenError("invalid_client") |                 raise TokenError("invalid_client") | ||||||
|  |         self.__check_scopes() | ||||||
|         if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: |         if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: | ||||||
|             with start_span( |             with start_span( | ||||||
|                 op="authentik.providers.oauth2.post.parse.code", |                 op="authentik.providers.oauth2.post.parse.code", | ||||||
| @ -179,42 +196,7 @@ class TokenParams: | |||||||
|             LOGGER.warning("Missing authorization code") |             LOGGER.warning("Missing authorization code") | ||||||
|             raise TokenError("invalid_grant") |             raise TokenError("invalid_grant") | ||||||
|  |  | ||||||
|         allowed_redirect_urls = self.provider.redirect_uris.split() |         self.__check_redirect_uri(request) | ||||||
|         # At this point, no provider should have a blank redirect_uri, in case they do |  | ||||||
|         # this will check an empty array and raise an error |  | ||||||
|         try: |  | ||||||
|             if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls): |  | ||||||
|                 LOGGER.warning( |  | ||||||
|                     "Invalid redirect uri (regex comparison)", |  | ||||||
|                     redirect_uri=self.redirect_uri, |  | ||||||
|                     expected=allowed_redirect_urls, |  | ||||||
|                 ) |  | ||||||
|                 Event.new( |  | ||||||
|                     EventAction.CONFIGURATION_ERROR, |  | ||||||
|                     message="Invalid redirect URI used by provider", |  | ||||||
|                     provider=self.provider, |  | ||||||
|                     redirect_uri=self.redirect_uri, |  | ||||||
|                     expected=allowed_redirect_urls, |  | ||||||
|                 ).from_http(request) |  | ||||||
|                 raise TokenError("invalid_client") |  | ||||||
|         except RegexError as exc: |  | ||||||
|             LOGGER.info("Failed to parse regular expression, checking directly", exc=exc) |  | ||||||
|             if not any(x == self.redirect_uri for x in allowed_redirect_urls): |  | ||||||
|                 LOGGER.warning( |  | ||||||
|                     "Invalid redirect uri (strict comparison)", |  | ||||||
|                     redirect_uri=self.redirect_uri, |  | ||||||
|                     expected=allowed_redirect_urls, |  | ||||||
|                 ) |  | ||||||
|                 Event.new( |  | ||||||
|                     EventAction.CONFIGURATION_ERROR, |  | ||||||
|                     message="Invalid redirect_uri configured", |  | ||||||
|                     provider=self.provider, |  | ||||||
|                 ).from_http(request) |  | ||||||
|                 raise TokenError("invalid_client") from None |  | ||||||
|  |  | ||||||
|         # Check against forbidden schemes |  | ||||||
|         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES: |  | ||||||
|             raise TokenError("invalid_request") |  | ||||||
|  |  | ||||||
|         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first() |         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first() | ||||||
|         if not self.authorization_code: |         if not self.authorization_code: | ||||||
| @ -254,6 +236,48 @@ class TokenParams: | |||||||
|         if not self.authorization_code.code_challenge and self.code_verifier: |         if not self.authorization_code.code_challenge and self.code_verifier: | ||||||
|             raise TokenError("invalid_grant") |             raise TokenError("invalid_grant") | ||||||
|  |  | ||||||
|  |     def __check_redirect_uri(self, request: HttpRequest): | ||||||
|  |         allowed_redirect_urls = self.provider.redirect_uris | ||||||
|  |         # At this point, no provider should have a blank redirect_uri, in case they do | ||||||
|  |         # this will check an empty array and raise an error | ||||||
|  |  | ||||||
|  |         match_found = False | ||||||
|  |         for allowed in allowed_redirect_urls: | ||||||
|  |             if allowed.matching_mode == RedirectURIMatchingMode.STRICT: | ||||||
|  |                 if self.redirect_uri == allowed.url: | ||||||
|  |                     match_found = True | ||||||
|  |                     break | ||||||
|  |             if allowed.matching_mode == RedirectURIMatchingMode.REGEX: | ||||||
|  |                 try: | ||||||
|  |                     if fullmatch(allowed.url, self.redirect_uri): | ||||||
|  |                         match_found = True | ||||||
|  |                         break | ||||||
|  |                 except RegexError as exc: | ||||||
|  |                     LOGGER.warning( | ||||||
|  |                         "Failed to parse regular expression", | ||||||
|  |                         exc=exc, | ||||||
|  |                         url=allowed.url, | ||||||
|  |                         provider=self.provider, | ||||||
|  |                     ) | ||||||
|  |                     Event.new( | ||||||
|  |                         EventAction.CONFIGURATION_ERROR, | ||||||
|  |                         message="Invalid redirect_uri configured", | ||||||
|  |                         provider=self.provider, | ||||||
|  |                     ).from_http(request) | ||||||
|  |         if not match_found: | ||||||
|  |             Event.new( | ||||||
|  |                 EventAction.CONFIGURATION_ERROR, | ||||||
|  |                 message="Invalid redirect URI used by provider", | ||||||
|  |                 provider=self.provider, | ||||||
|  |                 redirect_uri=self.redirect_uri, | ||||||
|  |                 expected=allowed_redirect_urls, | ||||||
|  |             ).from_http(request) | ||||||
|  |             raise TokenError("invalid_client") | ||||||
|  |  | ||||||
|  |         # Check against forbidden schemes | ||||||
|  |         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES: | ||||||
|  |             raise TokenError("invalid_request") | ||||||
|  |  | ||||||
|     def __post_init_refresh(self, raw_token: str, request: HttpRequest): |     def __post_init_refresh(self, raw_token: str, request: HttpRequest): | ||||||
|         if not raw_token: |         if not raw_token: | ||||||
|             LOGGER.warning("Missing refresh token") |             LOGGER.warning("Missing refresh token") | ||||||
| @ -497,7 +521,7 @@ class TokenView(View): | |||||||
|         response = super().dispatch(request, *args, **kwargs) |         response = super().dispatch(request, *args, **kwargs) | ||||||
|         allowed_origins = [] |         allowed_origins = [] | ||||||
|         if self.provider: |         if self.provider: | ||||||
|             allowed_origins = self.provider.redirect_uris.split("\n") |             allowed_origins = [x.url for x in self.provider.redirect_uris] | ||||||
|         cors_allow(self.request, response, *allowed_origins) |         cors_allow(self.request, response, *allowed_origins) | ||||||
|         return response |         return response | ||||||
|  |  | ||||||
| @ -710,7 +734,7 @@ class TokenView(View): | |||||||
|             "id_token": access_token.id_token.to_jwt(self.provider), |             "id_token": access_token.id_token.to_jwt(self.provider), | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         if SCOPE_OFFLINE_ACCESS in self.params.scope: |         if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope: | ||||||
|             refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity) |             refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity) | ||||||
|             refresh_token = RefreshToken( |             refresh_token = RefreshToken( | ||||||
|                 user=self.params.device_code.user, |                 user=self.params.device_code.user, | ||||||
|  | |||||||
| @ -108,7 +108,7 @@ class UserInfoView(View): | |||||||
|         response = super().dispatch(request, *args, **kwargs) |         response = super().dispatch(request, *args, **kwargs) | ||||||
|         allowed_origins = [] |         allowed_origins = [] | ||||||
|         if self.token: |         if self.token: | ||||||
|             allowed_origins = self.token.provider.redirect_uris.split("\n") |             allowed_origins = [x.url for x in self.token.provider.redirect_uris] | ||||||
|         cors_allow(self.request, response, *allowed_origins) |         cors_allow(self.request, response, *allowed_origins) | ||||||
|         return response |         return response | ||||||
|  |  | ||||||
|  | |||||||
| @ -13,6 +13,7 @@ from authentik.core.api.providers import ProviderSerializer | |||||||
| from authentik.core.api.used_by import UsedByMixin | from authentik.core.api.used_by import UsedByMixin | ||||||
| from authentik.core.api.utils import ModelSerializer, PassiveSerializer | from authentik.core.api.utils import ModelSerializer, PassiveSerializer | ||||||
| from authentik.lib.utils.time import timedelta_from_string | from authentik.lib.utils.time import timedelta_from_string | ||||||
|  | from authentik.providers.oauth2.api.providers import RedirectURISerializer | ||||||
| from authentik.providers.oauth2.models import ScopeMapping | from authentik.providers.oauth2.models import ScopeMapping | ||||||
| from authentik.providers.oauth2.views.provider import ProviderInfoView | from authentik.providers.oauth2.views.provider import ProviderInfoView | ||||||
| from authentik.providers.proxy.models import ProxyMode, ProxyProvider | from authentik.providers.proxy.models import ProxyMode, ProxyProvider | ||||||
| @ -39,7 +40,7 @@ class ProxyProviderSerializer(ProviderSerializer): | |||||||
|     """ProxyProvider Serializer""" |     """ProxyProvider Serializer""" | ||||||
|  |  | ||||||
|     client_id = CharField(read_only=True) |     client_id = CharField(read_only=True) | ||||||
|     redirect_uris = CharField(read_only=True) |     redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris") | ||||||
|     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all") |     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all") | ||||||
|  |  | ||||||
|     def validate_basic_auth_enabled(self, value: bool) -> bool: |     def validate_basic_auth_enabled(self, value: bool) -> bool: | ||||||
| @ -121,7 +122,6 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet): | |||||||
|         "basic_auth_password_attribute": ["iexact"], |         "basic_auth_password_attribute": ["iexact"], | ||||||
|         "basic_auth_user_attribute": ["iexact"], |         "basic_auth_user_attribute": ["iexact"], | ||||||
|         "mode": ["iexact"], |         "mode": ["iexact"], | ||||||
|         "redirect_uris": ["iexact"], |  | ||||||
|         "cookie_domain": ["iexact"], |         "cookie_domain": ["iexact"], | ||||||
|     } |     } | ||||||
|     search_fields = ["name"] |     search_fields = ["name"] | ||||||
|  | |||||||
| @ -13,7 +13,13 @@ from rest_framework.serializers import Serializer | |||||||
| from authentik.crypto.models import CertificateKeyPair | from authentik.crypto.models import CertificateKeyPair | ||||||
| from authentik.lib.models import DomainlessURLValidator | from authentik.lib.models import DomainlessURLValidator | ||||||
| from authentik.outposts.models import OutpostModel | from authentik.outposts.models import OutpostModel | ||||||
| from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     ClientTypes, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
|  |  | ||||||
| SCOPE_AK_PROXY = "ak_proxy" | SCOPE_AK_PROXY = "ak_proxy" | ||||||
| OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback" | OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback" | ||||||
| @ -24,14 +30,14 @@ def get_cookie_secret(): | |||||||
|     return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32)) |     return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32)) | ||||||
|  |  | ||||||
|  |  | ||||||
| def _get_callback_url(uri: str) -> str: | def _get_callback_url(uri: str) -> list[RedirectURI]: | ||||||
|     return "\n".join( |     return [ | ||||||
|         [ |         RedirectURI( | ||||||
|             urljoin(uri, "outpost.goauthentik.io/callback") |             RedirectURIMatchingMode.STRICT, | ||||||
|             + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true", |             urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true", | ||||||
|             uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true", |         ), | ||||||
|         ] |         RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"), | ||||||
|     ) |     ] | ||||||
|  |  | ||||||
|  |  | ||||||
| class ProxyMode(models.TextChoices): | class ProxyMode(models.TextChoices): | ||||||
|  | |||||||
| @ -19,6 +19,7 @@ SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group" | |||||||
| class User(BaseUser): | class User(BaseUser): | ||||||
|     """Modified User schema with added externalId field""" |     """Modified User schema with added externalId field""" | ||||||
|  |  | ||||||
|  |     id: str | int | None = None | ||||||
|     schemas: list[str] = [SCIM_USER_SCHEMA] |     schemas: list[str] = [SCIM_USER_SCHEMA] | ||||||
|     externalId: str | None = None |     externalId: str | None = None | ||||||
|     meta: dict | None = None |     meta: dict | None = None | ||||||
| @ -27,6 +28,7 @@ class User(BaseUser): | |||||||
| class Group(BaseGroup): | class Group(BaseGroup): | ||||||
|     """Modified Group schema with added externalId field""" |     """Modified Group schema with added externalId field""" | ||||||
|  |  | ||||||
|  |     id: str | int | None = None | ||||||
|     schemas: list[str] = [SCIM_GROUP_SCHEMA] |     schemas: list[str] = [SCIM_GROUP_SCHEMA] | ||||||
|     externalId: str | None = None |     externalId: str | None = None | ||||||
|     meta: dict | None = None |     meta: dict | None = None | ||||||
|  | |||||||
| @ -53,7 +53,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer): | |||||||
|         except LookupError: |         except LookupError: | ||||||
|             return None |             return None | ||||||
|         objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class) |         objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class) | ||||||
|         obj = objects.first() |         obj = objects.filter(pk=instance.object_pk).first() | ||||||
|         if not obj: |         if not obj: | ||||||
|             return None |             return None | ||||||
|         return str(obj) |         return str(obj) | ||||||
|  | |||||||
| @ -53,7 +53,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer): | |||||||
|         except LookupError: |         except LookupError: | ||||||
|             return None |             return None | ||||||
|         objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class) |         objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class) | ||||||
|         obj = objects.first() |         obj = objects.filter(pk=instance.object_pk).first() | ||||||
|         if not obj: |         if not obj: | ||||||
|             return None |             return None | ||||||
|         return str(obj) |         return str(obj) | ||||||
|  | |||||||
| @ -1,6 +1,8 @@ | |||||||
| """Metrics view""" | """Metrics view""" | ||||||
|  |  | ||||||
| from base64 import b64encode | from hmac import compare_digest | ||||||
|  | from pathlib import Path | ||||||
|  | from tempfile import gettempdir | ||||||
|  |  | ||||||
| from django.conf import settings | from django.conf import settings | ||||||
| from django.db import connections | from django.db import connections | ||||||
| @ -16,22 +18,21 @@ monitoring_set = Signal() | |||||||
|  |  | ||||||
|  |  | ||||||
| class MetricsView(View): | class MetricsView(View): | ||||||
|     """Wrapper around ExportToDjangoView, using http-basic auth""" |     """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router""" | ||||||
|  |  | ||||||
|  |     def __init__(self, **kwargs): | ||||||
|  |         _tmp = Path(gettempdir()) | ||||||
|  |         with open(_tmp / "authentik-core-metrics.key") as _f: | ||||||
|  |             self.monitoring_key = _f.read() | ||||||
|  |  | ||||||
|     def get(self, request: HttpRequest) -> HttpResponse: |     def get(self, request: HttpRequest) -> HttpResponse: | ||||||
|         """Check for HTTP-Basic auth""" |         """Check for HTTP-Basic auth""" | ||||||
|         auth_header = request.META.get("HTTP_AUTHORIZATION", "") |         auth_header = request.META.get("HTTP_AUTHORIZATION", "") | ||||||
|         auth_type, _, given_credentials = auth_header.partition(" ") |         auth_type, _, given_credentials = auth_header.partition(" ") | ||||||
|         credentials = f"monitor:{settings.SECRET_KEY}" |         authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key) | ||||||
|         expected = b64encode(str.encode(credentials)).decode() |  | ||||||
|         authed = auth_type == "Basic" and given_credentials == expected |  | ||||||
|         if not authed and not settings.DEBUG: |         if not authed and not settings.DEBUG: | ||||||
|             response = HttpResponse(status=401) |             return HttpResponse(status=401) | ||||||
|             response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"' |  | ||||||
|             return response |  | ||||||
|  |  | ||||||
|         monitoring_set.send_robust(self) |         monitoring_set.send_robust(self) | ||||||
|  |  | ||||||
|         return ExportToDjangoView(request) |         return ExportToDjangoView(request) | ||||||
|  |  | ||||||
|  |  | ||||||
|  | |||||||
| @ -1,8 +1,9 @@ | |||||||
| """root tests""" | """root tests""" | ||||||
|  |  | ||||||
| from base64 import b64encode | from pathlib import Path | ||||||
|  | from secrets import token_urlsafe | ||||||
|  | from tempfile import gettempdir | ||||||
|  |  | ||||||
| from django.conf import settings |  | ||||||
| from django.test import TestCase | from django.test import TestCase | ||||||
| from django.urls import reverse | from django.urls import reverse | ||||||
|  |  | ||||||
| @ -10,6 +11,16 @@ from django.urls import reverse | |||||||
| class TestRoot(TestCase): | class TestRoot(TestCase): | ||||||
|     """Test root application""" |     """Test root application""" | ||||||
|  |  | ||||||
|  |     def setUp(self): | ||||||
|  |         _tmp = Path(gettempdir()) | ||||||
|  |         self.token = token_urlsafe(32) | ||||||
|  |         with open(_tmp / "authentik-core-metrics.key", "w") as _f: | ||||||
|  |             _f.write(self.token) | ||||||
|  |  | ||||||
|  |     def tearDown(self): | ||||||
|  |         _tmp = Path(gettempdir()) | ||||||
|  |         (_tmp / "authentik-core-metrics.key").unlink() | ||||||
|  |  | ||||||
|     def test_monitoring_error(self): |     def test_monitoring_error(self): | ||||||
|         """Test monitoring without any credentials""" |         """Test monitoring without any credentials""" | ||||||
|         response = self.client.get(reverse("metrics")) |         response = self.client.get(reverse("metrics")) | ||||||
| @ -17,8 +28,7 @@ class TestRoot(TestCase): | |||||||
|  |  | ||||||
|     def test_monitoring_ok(self): |     def test_monitoring_ok(self): | ||||||
|         """Test monitoring with credentials""" |         """Test monitoring with credentials""" | ||||||
|         creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8") |         auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"} | ||||||
|         auth_headers = {"HTTP_AUTHORIZATION": creds} |  | ||||||
|         response = self.client.get(reverse("metrics"), **auth_headers) |         response = self.client.get(reverse("metrics"), **auth_headers) | ||||||
|         self.assertEqual(response.status_code, 200) |         self.assertEqual(response.status_code, 200) | ||||||
|  |  | ||||||
|  | |||||||
| @ -17,6 +17,7 @@ class CaptchaStageSerializer(StageSerializer): | |||||||
|             "private_key", |             "private_key", | ||||||
|             "js_url", |             "js_url", | ||||||
|             "api_url", |             "api_url", | ||||||
|  |             "interactive", | ||||||
|             "score_min_threshold", |             "score_min_threshold", | ||||||
|             "score_max_threshold", |             "score_max_threshold", | ||||||
|             "error_on_invalid_score", |             "error_on_invalid_score", | ||||||
|  | |||||||
| @ -0,0 +1,18 @@ | |||||||
|  | # Generated by Django 5.0.9 on 2024-10-30 14:28 | ||||||
|  |  | ||||||
|  | from django.db import migrations, models | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class Migration(migrations.Migration): | ||||||
|  |  | ||||||
|  |     dependencies = [ | ||||||
|  |         ("authentik_stages_captcha", "0003_captchastage_error_on_invalid_score_and_more"), | ||||||
|  |     ] | ||||||
|  |  | ||||||
|  |     operations = [ | ||||||
|  |         migrations.AddField( | ||||||
|  |             model_name="captchastage", | ||||||
|  |             name="interactive", | ||||||
|  |             field=models.BooleanField(default=False), | ||||||
|  |         ), | ||||||
|  |     ] | ||||||
| @ -9,11 +9,13 @@ from authentik.flows.models import Stage | |||||||
|  |  | ||||||
|  |  | ||||||
| class CaptchaStage(Stage): | class CaptchaStage(Stage): | ||||||
|     """Verify the user is human using Google's reCaptcha.""" |     """Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions.""" | ||||||
|  |  | ||||||
|     public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider.")) |     public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider.")) | ||||||
|     private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider.")) |     private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider.")) | ||||||
|  |  | ||||||
|  |     interactive = models.BooleanField(default=False) | ||||||
|  |  | ||||||
|     score_min_threshold = models.FloatField(default=0.5)  # Default values for reCaptcha |     score_min_threshold = models.FloatField(default=0.5)  # Default values for reCaptcha | ||||||
|     score_max_threshold = models.FloatField(default=1.0)  # Default values for reCaptcha |     score_max_threshold = models.FloatField(default=1.0)  # Default values for reCaptcha | ||||||
|  |  | ||||||
|  | |||||||
| @ -3,7 +3,7 @@ | |||||||
| from django.http.response import HttpResponse | from django.http.response import HttpResponse | ||||||
| from django.utils.translation import gettext as _ | from django.utils.translation import gettext as _ | ||||||
| from requests import RequestException | from requests import RequestException | ||||||
| from rest_framework.fields import CharField | from rest_framework.fields import BooleanField, CharField | ||||||
| from rest_framework.serializers import ValidationError | from rest_framework.serializers import ValidationError | ||||||
| from structlog.stdlib import get_logger | from structlog.stdlib import get_logger | ||||||
|  |  | ||||||
| @ -24,10 +24,12 @@ PLAN_CONTEXT_CAPTCHA = "captcha" | |||||||
| class CaptchaChallenge(WithUserInfoChallenge): | class CaptchaChallenge(WithUserInfoChallenge): | ||||||
|     """Site public key""" |     """Site public key""" | ||||||
|  |  | ||||||
|     site_key = CharField() |  | ||||||
|     js_url = CharField() |  | ||||||
|     component = CharField(default="ak-stage-captcha") |     component = CharField(default="ak-stage-captcha") | ||||||
|  |  | ||||||
|  |     site_key = CharField(required=True) | ||||||
|  |     js_url = CharField(required=True) | ||||||
|  |     interactive = BooleanField(required=True) | ||||||
|  |  | ||||||
|  |  | ||||||
| def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str): | def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str): | ||||||
|     """Validate captcha token""" |     """Validate captcha token""" | ||||||
| @ -103,6 +105,7 @@ class CaptchaStageView(ChallengeStageView): | |||||||
|             data={ |             data={ | ||||||
|                 "js_url": self.executor.current_stage.js_url, |                 "js_url": self.executor.current_stage.js_url, | ||||||
|                 "site_key": self.executor.current_stage.public_key, |                 "site_key": self.executor.current_stage.public_key, | ||||||
|  |                 "interactive": self.executor.current_stage.interactive, | ||||||
|             } |             } | ||||||
|         ) |         ) | ||||||
|  |  | ||||||
|  | |||||||
| @ -223,6 +223,7 @@ class IdentificationStageView(ChallengeStageView): | |||||||
|                     { |                     { | ||||||
|                         "js_url": current_stage.captcha_stage.js_url, |                         "js_url": current_stage.captcha_stage.js_url, | ||||||
|                         "site_key": current_stage.captcha_stage.public_key, |                         "site_key": current_stage.captcha_stage.public_key, | ||||||
|  |                         "interactive": current_stage.captcha_stage.interactive, | ||||||
|                     } |                     } | ||||||
|                     if current_stage.captcha_stage |                     if current_stage.captcha_stage | ||||||
|                     else None |                     else None | ||||||
|  | |||||||
| @ -21,7 +21,7 @@ from authentik.flows.challenge import ( | |||||||
|     WithUserInfoChallenge, |     WithUserInfoChallenge, | ||||||
| ) | ) | ||||||
| from authentik.flows.exceptions import StageInvalidException | from authentik.flows.exceptions import StageInvalidException | ||||||
| from authentik.flows.models import Flow, FlowDesignation, Stage | from authentik.flows.models import Flow, Stage | ||||||
| from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER | from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER | ||||||
| from authentik.flows.stage import ChallengeStageView | from authentik.flows.stage import ChallengeStageView | ||||||
| from authentik.lib.utils.reflection import path_to_class | from authentik.lib.utils.reflection import path_to_class | ||||||
| @ -141,11 +141,11 @@ class PasswordStageView(ChallengeStageView): | |||||||
|                 "allow_show_password": self.executor.current_stage.allow_show_password, |                 "allow_show_password": self.executor.current_stage.allow_show_password, | ||||||
|             } |             } | ||||||
|         ) |         ) | ||||||
|         recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY) |         recovery_flow: Flow | None = self.request.brand.flow_recovery | ||||||
|         if recovery_flow.exists(): |         if recovery_flow: | ||||||
|             recover_url = reverse( |             recover_url = reverse( | ||||||
|                 "authentik_core:if-flow", |                 "authentik_core:if-flow", | ||||||
|                 kwargs={"flow_slug": recovery_flow.first().slug}, |                 kwargs={"flow_slug": recovery_flow.slug}, | ||||||
|             ) |             ) | ||||||
|             challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url) |             challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url) | ||||||
|         return challenge |         return challenge | ||||||
|  | |||||||
| @ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch | |||||||
| from django.core.exceptions import PermissionDenied | from django.core.exceptions import PermissionDenied | ||||||
| from django.urls import reverse | from django.urls import reverse | ||||||
|  |  | ||||||
| from authentik.core.tests.utils import create_test_admin_user, create_test_flow | from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow | ||||||
| from authentik.flows.markers import StageMarker | from authentik.flows.markers import StageMarker | ||||||
| from authentik.flows.models import FlowDesignation, FlowStageBinding | from authentik.flows.models import FlowDesignation, FlowStageBinding | ||||||
| from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan | from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan | ||||||
| @ -57,6 +57,9 @@ class TestPasswordStage(FlowTestCase): | |||||||
|     def test_recovery_flow_link(self): |     def test_recovery_flow_link(self): | ||||||
|         """Test link to the default recovery flow""" |         """Test link to the default recovery flow""" | ||||||
|         flow = create_test_flow(designation=FlowDesignation.RECOVERY) |         flow = create_test_flow(designation=FlowDesignation.RECOVERY) | ||||||
|  |         brand = create_test_brand() | ||||||
|  |         brand.flow_recovery = flow | ||||||
|  |         brand.save() | ||||||
|  |  | ||||||
|         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) |         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) | ||||||
|         session = self.client.session |         session = self.client.session | ||||||
|  | |||||||
| @ -101,7 +101,6 @@ entries: | |||||||
|     - !KeyOf prompt-field-email |     - !KeyOf prompt-field-email | ||||||
|     - !KeyOf prompt-field-password |     - !KeyOf prompt-field-password | ||||||
|     - !KeyOf prompt-field-password-repeat |     - !KeyOf prompt-field-password-repeat | ||||||
|     validation_policies: [] |  | ||||||
|   id: stage-default-oobe-password |   id: stage-default-oobe-password | ||||||
|   identifiers: |   identifiers: | ||||||
|     name: stage-default-oobe-password |     name: stage-default-oobe-password | ||||||
|  | |||||||
| @ -2,6 +2,17 @@ version: 1 | |||||||
| metadata: | metadata: | ||||||
|   name: Default - Password change flow |   name: Default - Password change flow | ||||||
| entries: | entries: | ||||||
|  | - attrs: | ||||||
|  |     check_static_rules: true | ||||||
|  |     check_zxcvbn: true | ||||||
|  |     length_min: 8 | ||||||
|  |     password_field: password | ||||||
|  |     zxcvbn_score_threshold: 2 | ||||||
|  |     error_message: Password needs to be 8 characters or longer. | ||||||
|  |   identifiers: | ||||||
|  |     name: default-password-change-password-policy | ||||||
|  |   model: authentik_policies_password.passwordpolicy | ||||||
|  |   id: default-password-change-password-policy | ||||||
| - attrs: | - attrs: | ||||||
|     designation: stage_configuration |     designation: stage_configuration | ||||||
|     name: Change Password |     name: Change Password | ||||||
| @ -39,6 +50,8 @@ entries: | |||||||
|     fields: |     fields: | ||||||
|     - !KeyOf prompt-field-password |     - !KeyOf prompt-field-password | ||||||
|     - !KeyOf prompt-field-password-repeat |     - !KeyOf prompt-field-password-repeat | ||||||
|  |     validation_policies: | ||||||
|  |     - !KeyOf default-password-change-password-policy | ||||||
|   identifiers: |   identifiers: | ||||||
|     name: default-password-change-prompt |     name: default-password-change-prompt | ||||||
|   id: default-password-change-prompt |   id: default-password-change-prompt | ||||||
|  | |||||||
| @ -2,7 +2,7 @@ | |||||||
|     "$schema": "http://json-schema.org/draft-07/schema", |     "$schema": "http://json-schema.org/draft-07/schema", | ||||||
|     "$id": "https://goauthentik.io/blueprints/schema.json", |     "$id": "https://goauthentik.io/blueprints/schema.json", | ||||||
|     "type": "object", |     "type": "object", | ||||||
|     "title": "authentik 2024.8.3 Blueprint schema", |     "title": "authentik 2024.10.4 Blueprint schema", | ||||||
|     "required": [ |     "required": [ | ||||||
|         "version", |         "version", | ||||||
|         "entries" |         "entries" | ||||||
| @ -5570,9 +5570,30 @@ | |||||||
|                     "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs." |                     "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs." | ||||||
|                 }, |                 }, | ||||||
|                 "redirect_uris": { |                 "redirect_uris": { | ||||||
|                     "type": "string", |                     "type": "array", | ||||||
|                     "title": "Redirect URIs", |                     "items": { | ||||||
|                     "description": "Enter each URI on a new line." |                         "type": "object", | ||||||
|  |                         "properties": { | ||||||
|  |                             "matching_mode": { | ||||||
|  |                                 "type": "string", | ||||||
|  |                                 "enum": [ | ||||||
|  |                                     "strict", | ||||||
|  |                                     "regex" | ||||||
|  |                                 ], | ||||||
|  |                                 "title": "Matching mode" | ||||||
|  |                             }, | ||||||
|  |                             "url": { | ||||||
|  |                                 "type": "string", | ||||||
|  |                                 "minLength": 1, | ||||||
|  |                                 "title": "Url" | ||||||
|  |                             } | ||||||
|  |                         }, | ||||||
|  |                         "required": [ | ||||||
|  |                             "matching_mode", | ||||||
|  |                             "url" | ||||||
|  |                         ] | ||||||
|  |                     }, | ||||||
|  |                     "title": "Redirect uris" | ||||||
|                 }, |                 }, | ||||||
|                 "sub_mode": { |                 "sub_mode": { | ||||||
|                     "type": "string", |                     "type": "string", | ||||||
| @ -6974,7 +6995,7 @@ | |||||||
|                 "spnego_server_name": { |                 "spnego_server_name": { | ||||||
|                     "type": "string", |                     "type": "string", | ||||||
|                     "title": "Spnego server name", |                     "title": "Spnego server name", | ||||||
|                     "description": "Force the use of a specific server name for SPNEGO" |                     "description": "Force the use of a specific server name for SPNEGO. Must be in the form HTTP@hostname" | ||||||
|                 }, |                 }, | ||||||
|                 "spnego_keytab": { |                 "spnego_keytab": { | ||||||
|                     "type": "string", |                     "type": "string", | ||||||
| @ -9781,6 +9802,10 @@ | |||||||
|                     "minLength": 1, |                     "minLength": 1, | ||||||
|                     "title": "Api url" |                     "title": "Api url" | ||||||
|                 }, |                 }, | ||||||
|  |                 "interactive": { | ||||||
|  |                     "type": "boolean", | ||||||
|  |                     "title": "Interactive" | ||||||
|  |                 }, | ||||||
|                 "score_min_threshold": { |                 "score_min_threshold": { | ||||||
|                     "type": "number", |                     "type": "number", | ||||||
|                     "title": "Score min threshold" |                     "title": "Score min threshold" | ||||||
| @ -13383,12 +13408,6 @@ | |||||||
|                     "title": "Authorization flow", |                     "title": "Authorization flow", | ||||||
|                     "description": "Flow used when authorizing this provider." |                     "description": "Flow used when authorizing this provider." | ||||||
|                 }, |                 }, | ||||||
|                 "invalidation_flow": { |  | ||||||
|                     "type": "string", |  | ||||||
|                     "format": "uuid", |  | ||||||
|                     "title": "Invalidation flow", |  | ||||||
|                     "description": "Flow used ending the session from a provider." |  | ||||||
|                 }, |  | ||||||
|                 "property_mappings": { |                 "property_mappings": { | ||||||
|                     "type": "array", |                     "type": "array", | ||||||
|                     "items": { |                     "items": { | ||||||
|  | |||||||
| @ -38,7 +38,7 @@ entries: | |||||||
|       name: "authentik default Kerberos User Mapping: Ignore system principals" |       name: "authentik default Kerberos User Mapping: Ignore system principals" | ||||||
|       expression: | |       expression: | | ||||||
|         localpart, realm = principal.rsplit("@", 1) |         localpart, realm = principal.rsplit("@", 1) | ||||||
|         denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"] |         denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"] | ||||||
|         for prefix in denied_prefixes: |         for prefix in denied_prefixes: | ||||||
|             if localpart.lower().startswith(prefix.lower()): |             if localpart.lower().startswith(prefix.lower()): | ||||||
|                 raise SkipObject |                 raise SkipObject | ||||||
|  | |||||||
| @ -31,7 +31,7 @@ services: | |||||||
|     volumes: |     volumes: | ||||||
|       - redis:/data |       - redis:/data | ||||||
|   server: |   server: | ||||||
|     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3} |     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4} | ||||||
|     restart: unless-stopped |     restart: unless-stopped | ||||||
|     command: server |     command: server | ||||||
|     environment: |     environment: | ||||||
| @ -52,7 +52,7 @@ services: | |||||||
|       - postgresql |       - postgresql | ||||||
|       - redis |       - redis | ||||||
|   worker: |   worker: | ||||||
|     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3} |     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4} | ||||||
|     restart: unless-stopped |     restart: unless-stopped | ||||||
|     command: worker |     command: worker | ||||||
|     environment: |     environment: | ||||||
|  | |||||||
| @ -29,4 +29,4 @@ func UserAgent() string { | |||||||
| 	return fmt.Sprintf("authentik@%s", FullVersion()) | 	return fmt.Sprintf("authentik@%s", FullVersion()) | ||||||
| } | } | ||||||
|  |  | ||||||
| const VERSION = "2024.8.3" | const VERSION = "2024.10.4" | ||||||
|  | |||||||
| @ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error { | |||||||
| 		ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)") | 		ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)") | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	proxyListener := &proxyproto.Listener{Listener: ln} | 	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()} | ||||||
| 	defer proxyListener.Close() | 	defer proxyListener.Close() | ||||||
|  |  | ||||||
| 	ls.log.WithField("listen", listen).Info("Starting LDAP server") | 	ls.log.WithField("listen", listen).Info("Starting LDAP server") | ||||||
|  | |||||||
| @ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error { | |||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	proxyListener := &proxyproto.Listener{Listener: ln} | 	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()} | ||||||
| 	defer proxyListener.Close() | 	defer proxyListener.Close() | ||||||
|  |  | ||||||
| 	tln := tls.NewListener(proxyListener, tlsConfig) | 	tln := tls.NewListener(proxyListener, tlsConfig) | ||||||
|  | |||||||
| @ -23,6 +23,7 @@ import ( | |||||||
| 	"github.com/prometheus/client_golang/prometheus" | 	"github.com/prometheus/client_golang/prometheus" | ||||||
| 	log "github.com/sirupsen/logrus" | 	log "github.com/sirupsen/logrus" | ||||||
| 	"goauthentik.io/api/v3" | 	"goauthentik.io/api/v3" | ||||||
|  | 	"goauthentik.io/internal/config" | ||||||
| 	"goauthentik.io/internal/outpost/ak" | 	"goauthentik.io/internal/outpost/ak" | ||||||
| 	"goauthentik.io/internal/outpost/proxyv2/constants" | 	"goauthentik.io/internal/outpost/proxyv2/constants" | ||||||
| 	"goauthentik.io/internal/outpost/proxyv2/hs256" | 	"goauthentik.io/internal/outpost/proxyv2/hs256" | ||||||
| @ -121,6 +122,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old | |||||||
| 	bs := string(h.Sum([]byte(*p.ClientId))) | 	bs := string(h.Sum([]byte(*p.ClientId))) | ||||||
| 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8]) | 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8]) | ||||||
|  |  | ||||||
|  | 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match | ||||||
|  | 	// otherwise we use the internally configured authentik_host | ||||||
|  | 	tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string) | ||||||
|  | 	if config.Get().AuthentikHostBrowser != "" { | ||||||
|  | 		tokenEndpointHost = config.Get().AuthentikHostBrowser | ||||||
|  | 	} | ||||||
|  | 	publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost) | ||||||
|  |  | ||||||
| 	a := &Application{ | 	a := &Application{ | ||||||
| 		Host:                 externalHost.Host, | 		Host:                 externalHost.Host, | ||||||
| 		log:                  muxLogger, | 		log:                  muxLogger, | ||||||
| @ -131,7 +140,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old | |||||||
| 		tokenVerifier:        verifier, | 		tokenVerifier:        verifier, | ||||||
| 		proxyConfig:          p, | 		proxyConfig:          p, | ||||||
| 		httpClient:           c, | 		httpClient:           c, | ||||||
| 		publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)), | 		publicHostHTTPClient: publicHTTPClient, | ||||||
| 		mux:                  mux, | 		mux:                  mux, | ||||||
| 		errorTemplates:       templates.GetTemplates(), | 		errorTemplates:       templates.GetTemplates(), | ||||||
| 		ak:                   server.API(), | 		ak:                   server.API(), | ||||||
|  | |||||||
| @ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() { | |||||||
| 		ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen") | 		ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen") | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 	proxyListener := &proxyproto.Listener{Listener: listener} | 	proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()} | ||||||
| 	defer proxyListener.Close() | 	defer proxyListener.Close() | ||||||
|  |  | ||||||
| 	ps.log.WithField("listen", listenAddress).Info("Starting HTTP server") | 	ps.log.WithField("listen", listenAddress).Info("Starting HTTP server") | ||||||
| @ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() { | |||||||
| 		ps.log.WithError(err).Warning("Failed to listen (TLS)") | 		ps.log.WithError(err).Warning("Failed to listen (TLS)") | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}} | 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()} | ||||||
| 	defer proxyListener.Close() | 	defer proxyListener.Close() | ||||||
|  |  | ||||||
| 	tlsListener := tls.NewListener(proxyListener, tlsConfig) | 	tlsListener := tls.NewListener(proxyListener, tlsConfig) | ||||||
|  | |||||||
							
								
								
									
										34
									
								
								internal/utils/proxy.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										34
									
								
								internal/utils/proxy.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,34 @@ | |||||||
|  | package utils | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"net" | ||||||
|  |  | ||||||
|  | 	"github.com/pires/go-proxyproto" | ||||||
|  | 	log "github.com/sirupsen/logrus" | ||||||
|  | 	"goauthentik.io/internal/config" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc { | ||||||
|  | 	nets := []*net.IPNet{} | ||||||
|  | 	for _, rn := range config.Get().Listen.TrustedProxyCIDRs { | ||||||
|  | 		_, cidr, err := net.ParseCIDR(rn) | ||||||
|  | 		if err != nil { | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		nets = append(nets, cidr) | ||||||
|  | 	} | ||||||
|  | 	return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) { | ||||||
|  | 		host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String()) | ||||||
|  | 		if err == nil { | ||||||
|  | 			// remoteAddr will be nil if the IP cannot be parsed | ||||||
|  | 			remoteAddr := net.ParseIP(host) | ||||||
|  | 			for _, allowedCidr := range nets { | ||||||
|  | 				if remoteAddr != nil && allowedCidr.Contains(remoteAddr) { | ||||||
|  | 					log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol") | ||||||
|  | 					return proxyproto.USE, nil | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 		return proxyproto.SKIP, nil | ||||||
|  | 	} | ||||||
|  | } | ||||||
| @ -14,8 +14,10 @@ type hostInterceptor struct { | |||||||
| } | } | ||||||
|  |  | ||||||
| func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) { | func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) { | ||||||
| 	r.Host = t.host | 	if r.Host != t.host { | ||||||
| 	r.Header.Set("X-Forwarded-Proto", t.scheme) | 		r.Host = t.host | ||||||
|  | 		r.Header.Set("X-Forwarded-Proto", t.scheme) | ||||||
|  | 	} | ||||||
| 	return t.inner.RoundTrip(r) | 	return t.inner.RoundTrip(r) | ||||||
| } | } | ||||||
|  |  | ||||||
|  | |||||||
| @ -1,11 +1,15 @@ | |||||||
| package web | package web | ||||||
|  |  | ||||||
| import ( | import ( | ||||||
|  | 	"encoding/base64" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"io" | 	"io" | ||||||
| 	"net/http" | 	"net/http" | ||||||
|  | 	"os" | ||||||
|  | 	"path" | ||||||
|  |  | ||||||
| 	"github.com/gorilla/mux" | 	"github.com/gorilla/mux" | ||||||
|  | 	"github.com/gorilla/securecookie" | ||||||
| 	"github.com/prometheus/client_golang/prometheus" | 	"github.com/prometheus/client_golang/prometheus" | ||||||
| 	"github.com/prometheus/client_golang/prometheus/promauto" | 	"github.com/prometheus/client_golang/prometheus/promauto" | ||||||
| 	"github.com/prometheus/client_golang/prometheus/promhttp" | 	"github.com/prometheus/client_golang/prometheus/promhttp" | ||||||
| @ -14,14 +18,25 @@ import ( | |||||||
| 	"goauthentik.io/internal/utils/sentry" | 	"goauthentik.io/internal/utils/sentry" | ||||||
| ) | ) | ||||||
|  |  | ||||||
|  | const MetricsKeyFile = "authentik-core-metrics.key" | ||||||
|  |  | ||||||
| var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{ | var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{ | ||||||
| 	Name: "authentik_main_request_duration_seconds", | 	Name: "authentik_main_request_duration_seconds", | ||||||
| 	Help: "API request latencies in seconds", | 	Help: "API request latencies in seconds", | ||||||
| }, []string{"dest"}) | }, []string{"dest"}) | ||||||
|  |  | ||||||
| func (ws *WebServer) runMetricsServer() { | func (ws *WebServer) runMetricsServer() { | ||||||
| 	m := mux.NewRouter() |  | ||||||
| 	l := log.WithField("logger", "authentik.router.metrics") | 	l := log.WithField("logger", "authentik.router.metrics") | ||||||
|  | 	tmp := os.TempDir() | ||||||
|  | 	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64)) | ||||||
|  | 	keyPath := path.Join(tmp, MetricsKeyFile) | ||||||
|  | 	err := os.WriteFile(keyPath, []byte(key), 0o600) | ||||||
|  | 	if err != nil { | ||||||
|  | 		l.WithError(err).Warning("failed to save metrics key") | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	m := mux.NewRouter() | ||||||
| 	m.Use(sentry.SentryNoSampleMiddleware) | 	m.Use(sentry.SentryNoSampleMiddleware) | ||||||
| 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { | 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { | ||||||
| 		promhttp.InstrumentMetricHandler( | 		promhttp.InstrumentMetricHandler( | ||||||
| @ -36,7 +51,7 @@ func (ws *WebServer) runMetricsServer() { | |||||||
| 			l.WithError(err).Warning("failed to get upstream metrics") | 			l.WithError(err).Warning("failed to get upstream metrics") | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
| 		re.SetBasicAuth("monitor", config.Get().SecretKey) | 		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key)) | ||||||
| 		res, err := ws.upstreamHttpClient().Do(re) | 		res, err := ws.upstreamHttpClient().Do(re) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			l.WithError(err).Warning("failed to get upstream metrics") | 			l.WithError(err).Warning("failed to get upstream metrics") | ||||||
| @ -49,9 +64,13 @@ func (ws *WebServer) runMetricsServer() { | |||||||
| 		} | 		} | ||||||
| 	}) | 	}) | ||||||
| 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server") | 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server") | ||||||
| 	err := http.ListenAndServe(config.Get().Listen.Metrics, m) | 	err = http.ListenAndServe(config.Get().Listen.Metrics, m) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		l.WithError(err).Warning("Failed to start metrics server") | 		l.WithError(err).Warning("Failed to start metrics server") | ||||||
| 	} | 	} | ||||||
| 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server") | 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server") | ||||||
|  | 	err = os.Remove(keyPath) | ||||||
|  | 	if err != nil { | ||||||
|  | 		l.WithError(err).Warning("failed to remove metrics key file") | ||||||
|  | 	} | ||||||
| } | } | ||||||
|  | |||||||
| @ -42,8 +42,11 @@ func (ws *WebServer) configureStatic() { | |||||||
|  |  | ||||||
| 	// Media files, if backend is file | 	// Media files, if backend is file | ||||||
| 	if config.Get().Storage.Media.Backend == "file" { | 	if config.Get().Storage.Media.Backend == "file" { | ||||||
| 		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)) | 		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))) | ||||||
| 		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia)) | 		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||||||
|  | 		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox") | ||||||
|  | 		    fsMedia.ServeHTTP(w, r) | ||||||
|  | 		}) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/")))) | 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/")))) | ||||||
|  | |||||||
| @ -19,6 +19,7 @@ import ( | |||||||
| 	"goauthentik.io/internal/config" | 	"goauthentik.io/internal/config" | ||||||
| 	"goauthentik.io/internal/gounicorn" | 	"goauthentik.io/internal/gounicorn" | ||||||
| 	"goauthentik.io/internal/outpost/proxyv2" | 	"goauthentik.io/internal/outpost/proxyv2" | ||||||
|  | 	"goauthentik.io/internal/utils" | ||||||
| 	"goauthentik.io/internal/utils/web" | 	"goauthentik.io/internal/utils/web" | ||||||
| 	"goauthentik.io/internal/web/brand_tls" | 	"goauthentik.io/internal/web/brand_tls" | ||||||
| ) | ) | ||||||
| @ -52,7 +53,7 @@ func NewWebServer() *WebServer { | |||||||
| 	loggingHandler.Use(web.NewLoggingHandler(l, nil)) | 	loggingHandler.Use(web.NewLoggingHandler(l, nil)) | ||||||
|  |  | ||||||
| 	tmp := os.TempDir() | 	tmp := os.TempDir() | ||||||
| 	socketPath := path.Join(tmp, "authentik-core.sock") | 	socketPath := path.Join(tmp, UnixSocketName) | ||||||
|  |  | ||||||
| 	// create http client to talk to backend, normal client if we're in debug more | 	// create http client to talk to backend, normal client if we're in debug more | ||||||
| 	// and a client that connects to our socket when in non debug mode | 	// and a client that connects to our socket when in non debug mode | ||||||
| @ -149,7 +150,7 @@ func (ws *WebServer) listenPlain() { | |||||||
| 		ws.log.WithError(err).Warning("failed to listen") | 		ws.log.WithError(err).Warning("failed to listen") | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 	proxyListener := &proxyproto.Listener{Listener: ln} | 	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()} | ||||||
| 	defer proxyListener.Close() | 	defer proxyListener.Close() | ||||||
|  |  | ||||||
| 	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server") | 	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server") | ||||||
|  | |||||||
| @ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() { | |||||||
| 		ws.log.WithError(err).Warning("failed to listen (TLS)") | 		ws.log.WithError(err).Warning("failed to listen (TLS)") | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
| 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}} | 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()} | ||||||
| 	defer proxyListener.Close() | 	defer proxyListener.Close() | ||||||
| 
 | 
 | ||||||
| 	tlsListener := tls.NewListener(proxyListener, tlsConfig) | 	tlsListener := tls.NewListener(proxyListener, tlsConfig) | ||||||
| @ -54,7 +54,9 @@ function cleanup { | |||||||
| } | } | ||||||
|  |  | ||||||
| function prepare_debug { | function prepare_debug { | ||||||
|     apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server |     export DEBIAN_FRONTEND=noninteractive | ||||||
|  |     apt-get update | ||||||
|  |     apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc | ||||||
|     VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction |     VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction | ||||||
|     touch /unittest.xml |     touch /unittest.xml | ||||||
|     chown authentik:authentik /unittest.xml |     chown authentik:authentik /unittest.xml | ||||||
|  | |||||||
| @ -1,5 +1,5 @@ | |||||||
| { | { | ||||||
|     "name": "@goauthentik/authentik", |     "name": "@goauthentik/authentik", | ||||||
|     "version": "2024.8.3", |     "version": "2024.10.4", | ||||||
|     "private": true |     "private": true | ||||||
| } | } | ||||||
|  | |||||||
| @ -1,6 +1,6 @@ | |||||||
| [tool.poetry] | [tool.poetry] | ||||||
| name = "authentik" | name = "authentik" | ||||||
| version = "2024.8.3" | version = "2024.10.4" | ||||||
| description = "" | description = "" | ||||||
| authors = ["authentik Team <hello@goauthentik.io>"] | authors = ["authentik Team <hello@goauthentik.io>"] | ||||||
|  |  | ||||||
|  | |||||||
							
								
								
									
										94
									
								
								schema.yml
									
									
									
									
									
								
							
							
						
						
									
										94
									
								
								schema.yml
									
									
									
									
									
								
							| @ -1,7 +1,7 @@ | |||||||
| openapi: 3.0.3 | openapi: 3.0.3 | ||||||
| info: | info: | ||||||
|   title: authentik |   title: authentik | ||||||
|   version: 2024.8.3 |   version: 2024.10.4 | ||||||
|   description: Making authentication simple. |   description: Making authentication simple. | ||||||
|   contact: |   contact: | ||||||
|     email: hello@goauthentik.io |     email: hello@goauthentik.io | ||||||
| @ -20218,10 +20218,6 @@ paths: | |||||||
|             format: uuid |             format: uuid | ||||||
|         explode: true |         explode: true | ||||||
|         style: form |         style: form | ||||||
|       - in: query |  | ||||||
|         name: redirect_uris |  | ||||||
|         schema: |  | ||||||
|           type: string |  | ||||||
|       - in: query |       - in: query | ||||||
|         name: refresh_token_validity |         name: refresh_token_validity | ||||||
|         schema: |         schema: | ||||||
| @ -20637,10 +20633,6 @@ paths: | |||||||
|             format: uuid |             format: uuid | ||||||
|         explode: true |         explode: true | ||||||
|         style: form |         style: form | ||||||
|       - in: query |  | ||||||
|         name: redirect_uris__iexact |  | ||||||
|         schema: |  | ||||||
|           type: string |  | ||||||
|       - name: search |       - name: search | ||||||
|         required: false |         required: false | ||||||
|         in: query |         in: query | ||||||
| @ -39220,7 +39212,10 @@ components: | |||||||
|           type: string |           type: string | ||||||
|         js_url: |         js_url: | ||||||
|           type: string |           type: string | ||||||
|  |         interactive: | ||||||
|  |           type: boolean | ||||||
|       required: |       required: | ||||||
|  |       - interactive | ||||||
|       - js_url |       - js_url | ||||||
|       - pending_user |       - pending_user | ||||||
|       - pending_user_avatar |       - pending_user_avatar | ||||||
| @ -39276,6 +39271,8 @@ components: | |||||||
|           type: string |           type: string | ||||||
|         api_url: |         api_url: | ||||||
|           type: string |           type: string | ||||||
|  |         interactive: | ||||||
|  |           type: boolean | ||||||
|         score_min_threshold: |         score_min_threshold: | ||||||
|           type: number |           type: number | ||||||
|           format: double |           format: double | ||||||
| @ -39322,6 +39319,8 @@ components: | |||||||
|         api_url: |         api_url: | ||||||
|           type: string |           type: string | ||||||
|           minLength: 1 |           minLength: 1 | ||||||
|  |         interactive: | ||||||
|  |           type: boolean | ||||||
|         score_min_threshold: |         score_min_threshold: | ||||||
|           type: number |           type: number | ||||||
|           format: double |           format: double | ||||||
| @ -42975,7 +42974,8 @@ components: | |||||||
|           readOnly: true |           readOnly: true | ||||||
|         spnego_server_name: |         spnego_server_name: | ||||||
|           type: string |           type: string | ||||||
|           description: Force the use of a specific server name for SPNEGO |           description: Force the use of a specific server name for SPNEGO. Must be | ||||||
|  |             in the form HTTP@hostname | ||||||
|         spnego_ccache: |         spnego_ccache: | ||||||
|           type: string |           type: string | ||||||
|           description: Credential cache to use for SPNEGO in form type:residual |           description: Credential cache to use for SPNEGO in form type:residual | ||||||
| @ -43144,7 +43144,8 @@ components: | |||||||
|             be in the form TYPE:residual |             be in the form TYPE:residual | ||||||
|         spnego_server_name: |         spnego_server_name: | ||||||
|           type: string |           type: string | ||||||
|           description: Force the use of a specific server name for SPNEGO |           description: Force the use of a specific server name for SPNEGO. Must be | ||||||
|  |             in the form HTTP@hostname | ||||||
|         spnego_keytab: |         spnego_keytab: | ||||||
|           type: string |           type: string | ||||||
|           writeOnly: true |           writeOnly: true | ||||||
| @ -44051,6 +44052,11 @@ components: | |||||||
|       required: |       required: | ||||||
|       - challenge |       - challenge | ||||||
|       - name |       - name | ||||||
|  |     MatchingModeEnum: | ||||||
|  |       enum: | ||||||
|  |       - strict | ||||||
|  |       - regex | ||||||
|  |       type: string | ||||||
|     Metadata: |     Metadata: | ||||||
|       type: object |       type: object | ||||||
|       description: Serializer for blueprint metadata |       description: Serializer for blueprint metadata | ||||||
| @ -44753,8 +44759,9 @@ components: | |||||||
|           description: Key used to encrypt the tokens. When set, tokens will be encrypted |           description: Key used to encrypt the tokens. When set, tokens will be encrypted | ||||||
|             and returned as JWEs. |             and returned as JWEs. | ||||||
|         redirect_uris: |         redirect_uris: | ||||||
|           type: string |           type: array | ||||||
|           description: Enter each URI on a new line. |           items: | ||||||
|  |             $ref: '#/components/schemas/RedirectURI' | ||||||
|         sub_mode: |         sub_mode: | ||||||
|           allOf: |           allOf: | ||||||
|           - $ref: '#/components/schemas/SubModeEnum' |           - $ref: '#/components/schemas/SubModeEnum' | ||||||
| @ -44783,6 +44790,7 @@ components: | |||||||
|       - meta_model_name |       - meta_model_name | ||||||
|       - name |       - name | ||||||
|       - pk |       - pk | ||||||
|  |       - redirect_uris | ||||||
|       - verbose_name |       - verbose_name | ||||||
|       - verbose_name_plural |       - verbose_name_plural | ||||||
|     OAuth2ProviderRequest: |     OAuth2ProviderRequest: | ||||||
| @ -44854,8 +44862,9 @@ components: | |||||||
|           description: Key used to encrypt the tokens. When set, tokens will be encrypted |           description: Key used to encrypt the tokens. When set, tokens will be encrypted | ||||||
|             and returned as JWEs. |             and returned as JWEs. | ||||||
|         redirect_uris: |         redirect_uris: | ||||||
|           type: string |           type: array | ||||||
|           description: Enter each URI on a new line. |           items: | ||||||
|  |             $ref: '#/components/schemas/RedirectURIRequest' | ||||||
|         sub_mode: |         sub_mode: | ||||||
|           allOf: |           allOf: | ||||||
|           - $ref: '#/components/schemas/SubModeEnum' |           - $ref: '#/components/schemas/SubModeEnum' | ||||||
| @ -44877,6 +44886,7 @@ components: | |||||||
|       - authorization_flow |       - authorization_flow | ||||||
|       - invalidation_flow |       - invalidation_flow | ||||||
|       - name |       - name | ||||||
|  |       - redirect_uris | ||||||
|     OAuth2ProviderSetupURLs: |     OAuth2ProviderSetupURLs: | ||||||
|       type: object |       type: object | ||||||
|       description: OAuth2 Provider Metadata serializer |       description: OAuth2 Provider Metadata serializer | ||||||
| @ -44934,7 +44944,8 @@ components: | |||||||
|           minLength: 1 |           minLength: 1 | ||||||
|           default: ak-provider-oauth2-device-code |           default: ak-provider-oauth2-device-code | ||||||
|         code: |         code: | ||||||
|           type: integer |           type: string | ||||||
|  |           minLength: 1 | ||||||
|       required: |       required: | ||||||
|       - code |       - code | ||||||
|     OAuthDeviceCodeFinishChallenge: |     OAuthDeviceCodeFinishChallenge: | ||||||
| @ -47730,6 +47741,8 @@ components: | |||||||
|         api_url: |         api_url: | ||||||
|           type: string |           type: string | ||||||
|           minLength: 1 |           minLength: 1 | ||||||
|  |         interactive: | ||||||
|  |           type: boolean | ||||||
|         score_min_threshold: |         score_min_threshold: | ||||||
|           type: number |           type: number | ||||||
|           format: double |           format: double | ||||||
| @ -48448,7 +48461,8 @@ components: | |||||||
|             be in the form TYPE:residual |             be in the form TYPE:residual | ||||||
|         spnego_server_name: |         spnego_server_name: | ||||||
|           type: string |           type: string | ||||||
|           description: Force the use of a specific server name for SPNEGO |           description: Force the use of a specific server name for SPNEGO. Must be | ||||||
|  |             in the form HTTP@hostname | ||||||
|         spnego_keytab: |         spnego_keytab: | ||||||
|           type: string |           type: string | ||||||
|           writeOnly: true |           writeOnly: true | ||||||
| @ -48871,8 +48885,9 @@ components: | |||||||
|           description: Key used to encrypt the tokens. When set, tokens will be encrypted |           description: Key used to encrypt the tokens. When set, tokens will be encrypted | ||||||
|             and returned as JWEs. |             and returned as JWEs. | ||||||
|         redirect_uris: |         redirect_uris: | ||||||
|           type: string |           type: array | ||||||
|           description: Enter each URI on a new line. |           items: | ||||||
|  |             $ref: '#/components/schemas/RedirectURIRequest' | ||||||
|         sub_mode: |         sub_mode: | ||||||
|           allOf: |           allOf: | ||||||
|           - $ref: '#/components/schemas/SubModeEnum' |           - $ref: '#/components/schemas/SubModeEnum' | ||||||
| @ -49461,10 +49476,6 @@ components: | |||||||
|           type: string |           type: string | ||||||
|           format: uuid |           format: uuid | ||||||
|           description: Flow used when authorizing this provider. |           description: Flow used when authorizing this provider. | ||||||
|         invalidation_flow: |  | ||||||
|           type: string |  | ||||||
|           format: uuid |  | ||||||
|           description: Flow used ending the session from a provider. |  | ||||||
|         property_mappings: |         property_mappings: | ||||||
|           type: array |           type: array | ||||||
|           items: |           items: | ||||||
| @ -51469,7 +51480,9 @@ components: | |||||||
|           description: When enabled, this provider will intercept the authorization |           description: When enabled, this provider will intercept the authorization | ||||||
|             header and authenticate requests based on its value. |             header and authenticate requests based on its value. | ||||||
|         redirect_uris: |         redirect_uris: | ||||||
|           type: string |           type: array | ||||||
|  |           items: | ||||||
|  |             $ref: '#/components/schemas/RedirectURI' | ||||||
|           readOnly: true |           readOnly: true | ||||||
|         cookie_domain: |         cookie_domain: | ||||||
|           type: string |           type: string | ||||||
| @ -51696,10 +51709,6 @@ components: | |||||||
|           type: string |           type: string | ||||||
|           format: uuid |           format: uuid | ||||||
|           description: Flow used when authorizing this provider. |           description: Flow used when authorizing this provider. | ||||||
|         invalidation_flow: |  | ||||||
|           type: string |  | ||||||
|           format: uuid |  | ||||||
|           description: Flow used ending the session from a provider. |  | ||||||
|         property_mappings: |         property_mappings: | ||||||
|           type: array |           type: array | ||||||
|           items: |           items: | ||||||
| @ -51757,7 +51766,6 @@ components: | |||||||
|       - assigned_backchannel_application_slug |       - assigned_backchannel_application_slug | ||||||
|       - authorization_flow |       - authorization_flow | ||||||
|       - component |       - component | ||||||
|       - invalidation_flow |  | ||||||
|       - meta_model_name |       - meta_model_name | ||||||
|       - name |       - name | ||||||
|       - outpost_set |       - outpost_set | ||||||
| @ -51781,10 +51789,6 @@ components: | |||||||
|           type: string |           type: string | ||||||
|           format: uuid |           format: uuid | ||||||
|           description: Flow used when authorizing this provider. |           description: Flow used when authorizing this provider. | ||||||
|         invalidation_flow: |  | ||||||
|           type: string |  | ||||||
|           format: uuid |  | ||||||
|           description: Flow used ending the session from a provider. |  | ||||||
|         property_mappings: |         property_mappings: | ||||||
|           type: array |           type: array | ||||||
|           items: |           items: | ||||||
| @ -51801,7 +51805,6 @@ components: | |||||||
|           description: When set to true, connection tokens will be deleted upon disconnect. |           description: When set to true, connection tokens will be deleted upon disconnect. | ||||||
|       required: |       required: | ||||||
|       - authorization_flow |       - authorization_flow | ||||||
|       - invalidation_flow |  | ||||||
|       - name |       - name | ||||||
|     RadiusCheckAccess: |     RadiusCheckAccess: | ||||||
|       type: object |       type: object | ||||||
| @ -52075,6 +52078,29 @@ components: | |||||||
|           type: string |           type: string | ||||||
|       required: |       required: | ||||||
|       - to |       - to | ||||||
|  |     RedirectURI: | ||||||
|  |       type: object | ||||||
|  |       description: A single allowed redirect URI entry | ||||||
|  |       properties: | ||||||
|  |         matching_mode: | ||||||
|  |           $ref: '#/components/schemas/MatchingModeEnum' | ||||||
|  |         url: | ||||||
|  |           type: string | ||||||
|  |       required: | ||||||
|  |       - matching_mode | ||||||
|  |       - url | ||||||
|  |     RedirectURIRequest: | ||||||
|  |       type: object | ||||||
|  |       description: A single allowed redirect URI entry | ||||||
|  |       properties: | ||||||
|  |         matching_mode: | ||||||
|  |           $ref: '#/components/schemas/MatchingModeEnum' | ||||||
|  |         url: | ||||||
|  |           type: string | ||||||
|  |           minLength: 1 | ||||||
|  |       required: | ||||||
|  |       - matching_mode | ||||||
|  |       - url | ||||||
|     Reputation: |     Reputation: | ||||||
|       type: object |       type: object | ||||||
|       description: Reputation Serializer |       description: Reputation Serializer | ||||||
|  | |||||||
| @ -12,7 +12,12 @@ from authentik.flows.models import Flow | |||||||
| from authentik.lib.generators import generate_id, generate_key | from authentik.lib.generators import generate_id, generate_key | ||||||
| from authentik.policies.expression.models import ExpressionPolicy | from authentik.policies.expression.models import ExpressionPolicy | ||||||
| from authentik.policies.models import PolicyBinding | from authentik.policies.models import PolicyBinding | ||||||
| from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider | from authentik.providers.oauth2.models import ( | ||||||
|  |     ClientTypes, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  | ) | ||||||
| from tests.e2e.utils import SeleniumTestCase, retry | from tests.e2e.utils import SeleniumTestCase, retry | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -73,7 +78,9 @@ class TestProviderOAuth2Github(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             client_type=ClientTypes.CONFIDENTIAL, |             client_type=ClientTypes.CONFIDENTIAL, | ||||||
|             redirect_uris="http://localhost:3000/login/github", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github") | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         Application.objects.create( |         Application.objects.create( | ||||||
| @ -128,7 +135,9 @@ class TestProviderOAuth2Github(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             client_type=ClientTypes.CONFIDENTIAL, |             client_type=ClientTypes.CONFIDENTIAL, | ||||||
|             redirect_uris="http://localhost:3000/login/github", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github") | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create( |         app = Application.objects.create( | ||||||
| @ -199,7 +208,9 @@ class TestProviderOAuth2Github(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             client_type=ClientTypes.CONFIDENTIAL, |             client_type=ClientTypes.CONFIDENTIAL, | ||||||
|             redirect_uris="http://localhost:3000/login/github", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github") | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         app = Application.objects.create( |         app = Application.objects.create( | ||||||
|  | |||||||
| @ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     SCOPE_OPENID_EMAIL, |     SCOPE_OPENID_EMAIL, | ||||||
|     SCOPE_OPENID_PROFILE, |     SCOPE_OPENID_PROFILE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     ClientTypes, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from tests.e2e.utils import SeleniumTestCase, retry | from tests.e2e.utils import SeleniumTestCase, retry | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -82,7 +88,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:3000/", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/")], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -131,7 +137,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:3000/login/generic_oauth", |             redirect_uris=[ | ||||||
|  |                 RedirectURI( | ||||||
|  |                     RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth" | ||||||
|  |                 ) | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -200,7 +210,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:3000/login/generic_oauth", |             redirect_uris=[ | ||||||
|  |                 RedirectURI( | ||||||
|  |                     RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth" | ||||||
|  |                 ) | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|             invalidation_flow=invalidation_flow, |             invalidation_flow=invalidation_flow, | ||||||
|         ) |         ) | ||||||
| @ -275,7 +289,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:3000/login/generic_oauth", |             redirect_uris=[ | ||||||
|  |                 RedirectURI( | ||||||
|  |                     RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth" | ||||||
|  |                 ) | ||||||
|  |             ], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
| @ -355,7 +373,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:3000/login/generic_oauth", |             redirect_uris=[ | ||||||
|  |                 RedirectURI( | ||||||
|  |                     RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth" | ||||||
|  |                 ) | ||||||
|  |             ], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
|  | |||||||
| @ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     SCOPE_OPENID_EMAIL, |     SCOPE_OPENID_EMAIL, | ||||||
|     SCOPE_OPENID_PROFILE, |     SCOPE_OPENID_PROFILE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     ClientTypes, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from tests.e2e.utils import SeleniumTestCase, retry | from tests.e2e.utils import SeleniumTestCase, retry | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -67,7 +73,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -116,7 +122,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/auth/callback", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback") | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -188,7 +196,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/auth/callback", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback") | ||||||
|  |             ], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
| @ -259,7 +269,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/auth/callback", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback") | ||||||
|  |             ], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
|  | |||||||
| @ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import ( | |||||||
|     SCOPE_OPENID_EMAIL, |     SCOPE_OPENID_EMAIL, | ||||||
|     SCOPE_OPENID_PROFILE, |     SCOPE_OPENID_PROFILE, | ||||||
| ) | ) | ||||||
| from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping | from authentik.providers.oauth2.models import ( | ||||||
|  |     ClientTypes, | ||||||
|  |     OAuth2Provider, | ||||||
|  |     RedirectURI, | ||||||
|  |     RedirectURIMatchingMode, | ||||||
|  |     ScopeMapping, | ||||||
|  | ) | ||||||
| from tests.e2e.utils import SeleniumTestCase, retry | from tests.e2e.utils import SeleniumTestCase, retry | ||||||
|  |  | ||||||
|  |  | ||||||
| @ -68,7 +74,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/", |             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -117,7 +123,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/implicit/", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/") | ||||||
|  |             ], | ||||||
|             authorization_flow=authorization_flow, |             authorization_flow=authorization_flow, | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
| @ -170,7 +178,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/implicit/", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/") | ||||||
|  |             ], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
| @ -238,7 +248,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase): | |||||||
|             client_id=self.client_id, |             client_id=self.client_id, | ||||||
|             client_secret=self.client_secret, |             client_secret=self.client_secret, | ||||||
|             signing_key=create_test_cert(), |             signing_key=create_test_cert(), | ||||||
|             redirect_uris="http://localhost:9009/implicit/", |             redirect_uris=[ | ||||||
|  |                 RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/") | ||||||
|  |             ], | ||||||
|         ) |         ) | ||||||
|         provider.property_mappings.set( |         provider.property_mappings.set( | ||||||
|             ScopeMapping.objects.filter( |             ScopeMapping.objects.filter( | ||||||
|  | |||||||
| @ -119,13 +119,22 @@ async function buildOneSource(source, dest) { | |||||||
|                 Date.now() - start |                 Date.now() - start | ||||||
|             }ms`, |             }ms`, | ||||||
|         ); |         ); | ||||||
|  |         return 0; | ||||||
|     } catch (exc) { |     } catch (exc) { | ||||||
|         console.error(`[${new Date(Date.now()).toISOString()}] Failed to build ${source}: ${exc}`); |         console.error(`[${new Date(Date.now()).toISOString()}] Failed to build ${source}: ${exc}`); | ||||||
|  |         return 1; | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| async function buildAuthentik(interfaces) { | async function buildAuthentik(interfaces) { | ||||||
|     await Promise.allSettled(interfaces.map(([source, dest]) => buildOneSource(source, dest))); |     const code = await Promise.allSettled( | ||||||
|  |         interfaces.map(([source, dest]) => buildOneSource(source, dest)), | ||||||
|  |     ); | ||||||
|  |     const finalCode = code.reduce((a, res) => a + res.value, 0); | ||||||
|  |     if (finalCode > 0) { | ||||||
|  |         return 1; | ||||||
|  |     } | ||||||
|  |     return 0; | ||||||
| } | } | ||||||
|  |  | ||||||
| let timeoutId = null; | let timeoutId = null; | ||||||
| @ -163,11 +172,12 @@ if (process.argv.length > 2 && (process.argv[2] === "-w" || process.argv[2] === | |||||||
|     }); |     }); | ||||||
| } else if (process.argv.length > 2 && (process.argv[2] === "-p" || process.argv[2] === "--proxy")) { | } else if (process.argv.length > 2 && (process.argv[2] === "-p" || process.argv[2] === "--proxy")) { | ||||||
|     // There's no watch-for-proxy, sorry. |     // There's no watch-for-proxy, sorry. | ||||||
|     await buildAuthentik( |     process.exit( | ||||||
|         interfaces.filter(([_, dest]) => ["standalone/loading", "."].includes(dest)), |         await buildAuthentik( | ||||||
|  |             interfaces.filter(([_, dest]) => ["standalone/loading", "."].includes(dest)), | ||||||
|  |         ), | ||||||
|     ); |     ); | ||||||
|     process.exit(0); |  | ||||||
| } else { | } else { | ||||||
|     // And the fallback: just build it. |     // And the fallback: just build it. | ||||||
|     await buildAuthentik(interfaces); |     process.exit(await buildAuthentik(interfaces)); | ||||||
| } | } | ||||||
|  | |||||||
							
								
								
									
										54
									
								
								web/package-lock.json
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										54
									
								
								web/package-lock.json
									
									
									
										generated
									
									
									
								
							| @ -23,7 +23,7 @@ | |||||||
|                 "@floating-ui/dom": "^1.6.11", |                 "@floating-ui/dom": "^1.6.11", | ||||||
|                 "@formatjs/intl-listformat": "^7.5.7", |                 "@formatjs/intl-listformat": "^7.5.7", | ||||||
|                 "@fortawesome/fontawesome-free": "^6.6.0", |                 "@fortawesome/fontawesome-free": "^6.6.0", | ||||||
|                 "@goauthentik/api": "^2024.8.3-1729836831", |                 "@goauthentik/api": "^2024.10.2-1732206118", | ||||||
|                 "@lit-labs/ssr": "^3.2.2", |                 "@lit-labs/ssr": "^3.2.2", | ||||||
|                 "@lit/context": "^1.1.2", |                 "@lit/context": "^1.1.2", | ||||||
|                 "@lit/localize": "^0.12.2", |                 "@lit/localize": "^0.12.2", | ||||||
| @ -84,7 +84,7 @@ | |||||||
|                 "@wdio/cli": "^9.1.2", |                 "@wdio/cli": "^9.1.2", | ||||||
|                 "@wdio/spec-reporter": "^9.1.2", |                 "@wdio/spec-reporter": "^9.1.2", | ||||||
|                 "chokidar": "^4.0.1", |                 "chokidar": "^4.0.1", | ||||||
|                 "chromedriver": "^129.0.2", |                 "chromedriver": "^130.0.4", | ||||||
|                 "esbuild": "^0.24.0", |                 "esbuild": "^0.24.0", | ||||||
|                 "eslint": "^9.11.1", |                 "eslint": "^9.11.1", | ||||||
|                 "eslint-plugin-lit": "^1.15.0", |                 "eslint-plugin-lit": "^1.15.0", | ||||||
| @ -1775,9 +1775,9 @@ | |||||||
|             } |             } | ||||||
|         }, |         }, | ||||||
|         "node_modules/@goauthentik/api": { |         "node_modules/@goauthentik/api": { | ||||||
|             "version": "2024.8.3-1729836831", |             "version": "2024.10.2-1732206118", | ||||||
|             "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.8.3-1729836831.tgz", |             "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.2-1732206118.tgz", | ||||||
|             "integrity": "sha512-nOgvjYQiK+HhWuiZ635h/aSsq7Mfj5cDrIyBJt+IJRQuJFtnnHx8nscRXKK/8sBl9obH2zMCoZgeqytK8145bg==" |             "integrity": "sha512-Zg90AJvGDquD3u73yIBKXFBDxsCljPxVqylylS6hgPzkLSogKVVkjhmKteWFXDrVxxsxo5XIa4FuTe3wAERyzw==" | ||||||
|         }, |         }, | ||||||
|         "node_modules/@goauthentik/web": { |         "node_modules/@goauthentik/web": { | ||||||
|             "resolved": "", |             "resolved": "", | ||||||
| @ -3517,6 +3517,12 @@ | |||||||
|                 "win32" |                 "win32" | ||||||
|             ] |             ] | ||||||
|         }, |         }, | ||||||
|  |         "node_modules/@scarf/scarf": { | ||||||
|  |             "version": "1.4.0", | ||||||
|  |             "resolved": "https://registry.npmjs.org/@scarf/scarf/-/scarf-1.4.0.tgz", | ||||||
|  |             "integrity": "sha512-xxeapPiUXdZAE3che6f3xogoJPeZgig6omHEy1rIY5WVsB3H2BHNnZH+gHG6x91SCWyQCzWGsuL2Hh3ClO5/qQ==", | ||||||
|  |             "hasInstallScript": true | ||||||
|  |         }, | ||||||
|         "node_modules/@sec-ant/readable-stream": { |         "node_modules/@sec-ant/readable-stream": { | ||||||
|             "version": "0.4.1", |             "version": "0.4.1", | ||||||
|             "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz", |             "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz", | ||||||
| @ -8693,9 +8699,9 @@ | |||||||
|             } |             } | ||||||
|         }, |         }, | ||||||
|         "node_modules/chromedriver": { |         "node_modules/chromedriver": { | ||||||
|             "version": "129.0.2", |             "version": "130.0.4", | ||||||
|             "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-129.0.2.tgz", |             "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-130.0.4.tgz", | ||||||
|             "integrity": "sha512-rUEFCJAmAwOdFfaDFtveT97fFeA7NOxlkgyPyN+G09Ws4qGW39aLDxMQBbS9cxQQHhTihqZZobgF5CLVYXnmGA==", |             "integrity": "sha512-lpR+PWXszij1k4Ig3t338Zvll9HtCTiwoLM7n4pCCswALHxzmgwaaIFBh3rt9+5wRk9D07oFblrazrBxwaYYAQ==", | ||||||
|             "dev": true, |             "dev": true, | ||||||
|             "hasInstallScript": true, |             "hasInstallScript": true, | ||||||
|             "dependencies": { |             "dependencies": { | ||||||
| @ -9052,9 +9058,10 @@ | |||||||
|             "dev": true |             "dev": true | ||||||
|         }, |         }, | ||||||
|         "node_modules/cookie": { |         "node_modules/cookie": { | ||||||
|             "version": "0.6.0", |             "version": "0.7.1", | ||||||
|             "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", |             "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", | ||||||
|             "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", |             "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", | ||||||
|  |             "dev": true, | ||||||
|             "engines": { |             "engines": { | ||||||
|                 "node": ">= 0.6" |                 "node": ">= 0.6" | ||||||
|             } |             } | ||||||
| @ -11404,9 +11411,9 @@ | |||||||
|             } |             } | ||||||
|         }, |         }, | ||||||
|         "node_modules/express": { |         "node_modules/express": { | ||||||
|             "version": "4.21.0", |             "version": "4.21.1", | ||||||
|             "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz", |             "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", | ||||||
|             "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==", |             "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", | ||||||
|             "dev": true, |             "dev": true, | ||||||
|             "dependencies": { |             "dependencies": { | ||||||
|                 "accepts": "~1.3.8", |                 "accepts": "~1.3.8", | ||||||
| @ -11414,7 +11421,7 @@ | |||||||
|                 "body-parser": "1.20.3", |                 "body-parser": "1.20.3", | ||||||
|                 "content-disposition": "0.5.4", |                 "content-disposition": "0.5.4", | ||||||
|                 "content-type": "~1.0.4", |                 "content-type": "~1.0.4", | ||||||
|                 "cookie": "0.6.0", |                 "cookie": "0.7.1", | ||||||
|                 "cookie-signature": "1.0.6", |                 "cookie-signature": "1.0.6", | ||||||
|                 "debug": "2.6.9", |                 "debug": "2.6.9", | ||||||
|                 "depd": "2.0.0", |                 "depd": "2.0.0", | ||||||
| @ -19537,17 +19544,18 @@ | |||||||
|             } |             } | ||||||
|         }, |         }, | ||||||
|         "node_modules/swagger-client": { |         "node_modules/swagger-client": { | ||||||
|             "version": "3.29.3", |             "version": "3.31.0", | ||||||
|             "resolved": "https://registry.npmjs.org/swagger-client/-/swagger-client-3.29.3.tgz", |             "resolved": "https://registry.npmjs.org/swagger-client/-/swagger-client-3.31.0.tgz", | ||||||
|             "integrity": "sha512-OhhMAO2dwDEaxtUNDxwaqzw75uiZY5lX/2vx+U6eKCYZYhXWQ5mylU/0qfk/xMR20VyitsnzRc6KcFFjRoCS7A==", |             "integrity": "sha512-hVYift5XB8nOgNJVl6cbNtVTVPT2Fdx2wCOcIvuAFcyq0Mwe6+70ezoZ5WfiaIAzzwWfq72jyaLeg8TViGNSmw==", | ||||||
|             "dependencies": { |             "dependencies": { | ||||||
|                 "@babel/runtime-corejs3": "^7.22.15", |                 "@babel/runtime-corejs3": "^7.22.15", | ||||||
|  |                 "@scarf/scarf": "=1.4.0", | ||||||
|                 "@swagger-api/apidom-core": ">=1.0.0-alpha.9 <1.0.0-beta.0", |                 "@swagger-api/apidom-core": ">=1.0.0-alpha.9 <1.0.0-beta.0", | ||||||
|                 "@swagger-api/apidom-error": ">=1.0.0-alpha.9 <1.0.0-beta.0", |                 "@swagger-api/apidom-error": ">=1.0.0-alpha.9 <1.0.0-beta.0", | ||||||
|                 "@swagger-api/apidom-json-pointer": ">=1.0.0-alpha.9 <1.0.0-beta.0", |                 "@swagger-api/apidom-json-pointer": ">=1.0.0-alpha.9 <1.0.0-beta.0", | ||||||
|                 "@swagger-api/apidom-ns-openapi-3-1": ">=1.0.0-alpha.9 <1.0.0-beta.0", |                 "@swagger-api/apidom-ns-openapi-3-1": ">=1.0.0-alpha.9 <1.0.0-beta.0", | ||||||
|                 "@swagger-api/apidom-reference": ">=1.0.0-alpha.9 <1.0.0-beta.0", |                 "@swagger-api/apidom-reference": ">=1.0.0-alpha.9 <1.0.0-beta.0", | ||||||
|                 "cookie": "~0.6.0", |                 "cookie": "~0.7.2", | ||||||
|                 "deepmerge": "~4.3.0", |                 "deepmerge": "~4.3.0", | ||||||
|                 "fast-json-patch": "^3.0.0-1", |                 "fast-json-patch": "^3.0.0-1", | ||||||
|                 "js-yaml": "^4.1.0", |                 "js-yaml": "^4.1.0", | ||||||
| @ -19560,6 +19568,14 @@ | |||||||
|                 "ramda-adjunct": "^5.0.0" |                 "ramda-adjunct": "^5.0.0" | ||||||
|             } |             } | ||||||
|         }, |         }, | ||||||
|  |         "node_modules/swagger-client/node_modules/cookie": { | ||||||
|  |             "version": "0.7.2", | ||||||
|  |             "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", | ||||||
|  |             "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", | ||||||
|  |             "engines": { | ||||||
|  |                 "node": ">= 0.6" | ||||||
|  |             } | ||||||
|  |         }, | ||||||
|         "node_modules/syncpack": { |         "node_modules/syncpack": { | ||||||
|             "version": "13.0.0", |             "version": "13.0.0", | ||||||
|             "resolved": "https://registry.npmjs.org/syncpack/-/syncpack-13.0.0.tgz", |             "resolved": "https://registry.npmjs.org/syncpack/-/syncpack-13.0.0.tgz", | ||||||
|  | |||||||
| @ -11,7 +11,7 @@ | |||||||
|         "@floating-ui/dom": "^1.6.11", |         "@floating-ui/dom": "^1.6.11", | ||||||
|         "@formatjs/intl-listformat": "^7.5.7", |         "@formatjs/intl-listformat": "^7.5.7", | ||||||
|         "@fortawesome/fontawesome-free": "^6.6.0", |         "@fortawesome/fontawesome-free": "^6.6.0", | ||||||
|         "@goauthentik/api": "^2024.8.3-1729836831", |         "@goauthentik/api": "^2024.10.2-1732206118", | ||||||
|         "@lit-labs/ssr": "^3.2.2", |         "@lit-labs/ssr": "^3.2.2", | ||||||
|         "@lit/context": "^1.1.2", |         "@lit/context": "^1.1.2", | ||||||
|         "@lit/localize": "^0.12.2", |         "@lit/localize": "^0.12.2", | ||||||
| @ -72,7 +72,7 @@ | |||||||
|         "@wdio/cli": "^9.1.2", |         "@wdio/cli": "^9.1.2", | ||||||
|         "@wdio/spec-reporter": "^9.1.2", |         "@wdio/spec-reporter": "^9.1.2", | ||||||
|         "chokidar": "^4.0.1", |         "chokidar": "^4.0.1", | ||||||
|         "chromedriver": "^129.0.2", |         "chromedriver": "^130.0.4", | ||||||
|         "esbuild": "^0.24.0", |         "esbuild": "^0.24.0", | ||||||
|         "eslint": "^9.11.1", |         "eslint": "^9.11.1", | ||||||
|         "eslint-plugin-lit": "^1.15.0", |         "eslint-plugin-lit": "^1.15.0", | ||||||
| @ -328,12 +328,18 @@ | |||||||
|         }, |         }, | ||||||
|         "test:e2e:watch": { |         "test:e2e:watch": { | ||||||
|             "command": "wdio run ./tests/wdio.conf.ts", |             "command": "wdio run ./tests/wdio.conf.ts", | ||||||
|  |             "dependencies": [ | ||||||
|  |                 "build" | ||||||
|  |             ], | ||||||
|             "env": { |             "env": { | ||||||
|                 "TS_NODE_PROJECT": "./tests/tsconfig.test.json" |                 "TS_NODE_PROJECT": "./tests/tsconfig.test.json" | ||||||
|             } |             } | ||||||
|         }, |         }, | ||||||
|         "test:watch": { |         "test:watch": { | ||||||
|             "command": "wdio run ./wdio.conf.ts", |             "command": "wdio run ./wdio.conf.ts", | ||||||
|  |             "dependencies": [ | ||||||
|  |                 "build" | ||||||
|  |             ], | ||||||
|             "env": { |             "env": { | ||||||
|                 "TS_NODE_PROJECT": "tsconfig.test.json" |                 "TS_NODE_PROJECT": "tsconfig.test.json" | ||||||
|             } |             } | ||||||
|  | |||||||
							
								
								
									
										100
									
								
								web/src/admin/admin-settings/AdminSettingsFooterLinks.ts
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										100
									
								
								web/src/admin/admin-settings/AdminSettingsFooterLinks.ts
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,100 @@ | |||||||
|  | import { AkControlElement } from "@goauthentik/elements/AkControlElement.js"; | ||||||
|  | import { type Spread } from "@goauthentik/elements/types"; | ||||||
|  | import { spread } from "@open-wc/lit-helpers"; | ||||||
|  |  | ||||||
|  | import { msg } from "@lit/localize"; | ||||||
|  | import { css, html } from "lit"; | ||||||
|  | import { customElement, property, queryAll } from "lit/decorators.js"; | ||||||
|  | import { ifDefined } from "lit/directives/if-defined.js"; | ||||||
|  |  | ||||||
|  | import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css"; | ||||||
|  | import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css"; | ||||||
|  | import PFBase from "@patternfly/patternfly/patternfly-base.css"; | ||||||
|  |  | ||||||
|  | import { FooterLink } from "@goauthentik/api"; | ||||||
|  |  | ||||||
|  | export interface IFooterLinkInput { | ||||||
|  |     footerLink: FooterLink; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | const LEGAL_SCHEMES = ["http://", "https://", "mailto:"]; | ||||||
|  | const hasLegalScheme = (url: string) => | ||||||
|  |     LEGAL_SCHEMES.some((scheme) => url.substr(0, scheme.length).toLowerCase() === scheme); | ||||||
|  |  | ||||||
|  | @customElement("ak-admin-settings-footer-link") | ||||||
|  | export class FooterLinkInput extends AkControlElement<FooterLink> { | ||||||
|  |     static get styles() { | ||||||
|  |         return [ | ||||||
|  |             PFBase, | ||||||
|  |             PFInputGroup, | ||||||
|  |             PFFormControl, | ||||||
|  |             css` | ||||||
|  |                 .pf-c-input-group input#linkname { | ||||||
|  |                     flex-grow: 1; | ||||||
|  |                     width: 8rem; | ||||||
|  |                 } | ||||||
|  |             `, | ||||||
|  |         ]; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     @property({ type: Object, attribute: false }) | ||||||
|  |     footerLink: FooterLink = { | ||||||
|  |         name: "", | ||||||
|  |         href: "", | ||||||
|  |     }; | ||||||
|  |  | ||||||
|  |     @queryAll(".ak-form-control") | ||||||
|  |     controls?: HTMLInputElement[]; | ||||||
|  |  | ||||||
|  |     json() { | ||||||
|  |         return Object.fromEntries( | ||||||
|  |             Array.from(this.controls ?? []).map((control) => [control.name, control.value]), | ||||||
|  |         ) as unknown as FooterLink; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     get isValid() { | ||||||
|  |         const href = this.json()?.href ?? ""; | ||||||
|  |         return hasLegalScheme(href) && URL.canParse(href); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     render() { | ||||||
|  |         const onChange = () => { | ||||||
|  |             this.dispatchEvent(new Event("change", { composed: true, bubbles: true })); | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         return html` <div class="pf-c-input-group"> | ||||||
|  |             <input | ||||||
|  |                 type="text" | ||||||
|  |                 @change=${onChange} | ||||||
|  |                 value=${this.footerLink.name} | ||||||
|  |                 id="linkname" | ||||||
|  |                 class="pf-c-form-control ak-form-control" | ||||||
|  |                 name="name" | ||||||
|  |                 placeholder=${msg("Link Title")} | ||||||
|  |                 tabindex="1" | ||||||
|  |             /> | ||||||
|  |             <input | ||||||
|  |                 type="text" | ||||||
|  |                 @change=${onChange} | ||||||
|  |                 value="${ifDefined(this.footerLink.href ?? undefined)}" | ||||||
|  |                 class="pf-c-form-control ak-form-control" | ||||||
|  |                 required | ||||||
|  |                 placeholder=${msg("URL")} | ||||||
|  |                 name="href" | ||||||
|  |                 tabindex="1" | ||||||
|  |             /> | ||||||
|  |         </div>`; | ||||||
|  |     } | ||||||
|  | } | ||||||
|  |  | ||||||
|  | export function akFooterLinkInput(properties: IFooterLinkInput) { | ||||||
|  |     return html`<ak-admin-settings-footer-link | ||||||
|  |         ${spread(properties as unknown as Spread)} | ||||||
|  |     ></ak-admin-settings-footer-link>`; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | declare global { | ||||||
|  |     interface HTMLElementTagNameMap { | ||||||
|  |         "ak-admin-settings-footer-link": FooterLinkInput; | ||||||
|  |     } | ||||||
|  | } | ||||||
| @ -3,8 +3,7 @@ import { first } from "@goauthentik/common/utils"; | |||||||
| import "@goauthentik/components/ak-number-input"; | import "@goauthentik/components/ak-number-input"; | ||||||
| import "@goauthentik/components/ak-switch-input"; | import "@goauthentik/components/ak-switch-input"; | ||||||
| import "@goauthentik/components/ak-text-input"; | import "@goauthentik/components/ak-text-input"; | ||||||
| import "@goauthentik/elements/CodeMirror"; | import "@goauthentik/elements/ak-array-input.js"; | ||||||
| import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror"; |  | ||||||
| import { Form } from "@goauthentik/elements/forms/Form"; | import { Form } from "@goauthentik/elements/forms/Form"; | ||||||
| import "@goauthentik/elements/forms/FormGroup"; | import "@goauthentik/elements/forms/FormGroup"; | ||||||
| import "@goauthentik/elements/forms/HorizontalFormElement"; | import "@goauthentik/elements/forms/HorizontalFormElement"; | ||||||
| @ -13,13 +12,16 @@ import "@goauthentik/elements/forms/SearchSelect"; | |||||||
| import "@goauthentik/elements/utils/TimeDeltaHelp"; | import "@goauthentik/elements/utils/TimeDeltaHelp"; | ||||||
|  |  | ||||||
| import { msg } from "@lit/localize"; | import { msg } from "@lit/localize"; | ||||||
| import { CSSResult, TemplateResult, html } from "lit"; | import { CSSResult, TemplateResult, css, html } from "lit"; | ||||||
| import { customElement, property } from "lit/decorators.js"; | import { customElement, property } from "lit/decorators.js"; | ||||||
| import { ifDefined } from "lit/directives/if-defined.js"; | import { ifDefined } from "lit/directives/if-defined.js"; | ||||||
|  |  | ||||||
| import PFList from "@patternfly/patternfly/components/List/list.css"; | import PFList from "@patternfly/patternfly/components/List/list.css"; | ||||||
|  |  | ||||||
| import { AdminApi, Settings, SettingsRequest } from "@goauthentik/api"; | import { AdminApi, FooterLink, Settings, SettingsRequest } from "@goauthentik/api"; | ||||||
|  |  | ||||||
|  | import "./AdminSettingsFooterLinks.js"; | ||||||
|  | import { IFooterLinkInput, akFooterLinkInput } from "./AdminSettingsFooterLinks.js"; | ||||||
|  |  | ||||||
| @customElement("ak-admin-settings-form") | @customElement("ak-admin-settings-form") | ||||||
| export class AdminSettingsForm extends Form<SettingsRequest> { | export class AdminSettingsForm extends Form<SettingsRequest> { | ||||||
| @ -40,7 +42,14 @@ export class AdminSettingsForm extends Form<SettingsRequest> { | |||||||
|     private _settings?: Settings; |     private _settings?: Settings; | ||||||
|  |  | ||||||
|     static get styles(): CSSResult[] { |     static get styles(): CSSResult[] { | ||||||
|         return super.styles.concat(PFList); |         return super.styles.concat( | ||||||
|  |             PFList, | ||||||
|  |             css` | ||||||
|  |                 ak-array-input { | ||||||
|  |                     width: 100%; | ||||||
|  |                 } | ||||||
|  |             `, | ||||||
|  |         ); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     getSuccessMessage(): string { |     getSuccessMessage(): string { | ||||||
| @ -166,15 +175,21 @@ export class AdminSettingsForm extends Form<SettingsRequest> { | |||||||
|             > |             > | ||||||
|             </ak-text-input> |             </ak-text-input> | ||||||
|             <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks"> |             <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks"> | ||||||
|                 <ak-codemirror |                 <ak-array-input | ||||||
|                     mode=${CodeMirrorMode.YAML} |                     .items=${this._settings?.footerLinks ?? []} | ||||||
|                     .value="${first(this._settings?.footerLinks, [])}" |                     .newItem=${() => ({ name: "", href: "" })} | ||||||
|                 ></ak-codemirror> |                     .row=${(f?: FooterLink) => | ||||||
|  |                         akFooterLinkInput({ | ||||||
|  |                             ".footerLink": f, | ||||||
|  |                             "style": "width: 100%", | ||||||
|  |                             "name": "footer-link", | ||||||
|  |                         } as unknown as IFooterLinkInput)} | ||||||
|  |                 > | ||||||
|  |                 </ak-array-input> | ||||||
|                 <p class="pf-c-form__helper-text"> |                 <p class="pf-c-form__helper-text"> | ||||||
|                     ${msg( |                     ${msg( | ||||||
|                         "This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:", |                         "This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.", | ||||||
|                     )} |                     )} | ||||||
|                     <code>[{"name": "Link Name","href":"https://goauthentik.io"}]</code> |  | ||||||
|                 </p> |                 </p> | ||||||
|             </ak-form-element-horizontal> |             </ak-form-element-horizontal> | ||||||
|             <ak-switch-input |             <ak-switch-input | ||||||
|  | |||||||
| @ -0,0 +1,80 @@ | |||||||
|  | import "@goauthentik/elements/messages/MessageContainer"; | ||||||
|  | import { Meta, StoryObj, WebComponentsRenderer } from "@storybook/web-components"; | ||||||
|  | import { DecoratorFunction } from "storybook/internal/types"; | ||||||
|  |  | ||||||
|  | import { html } from "lit"; | ||||||
|  |  | ||||||
|  | import { FooterLinkInput } from "../AdminSettingsFooterLinks.js"; | ||||||
|  | import "../AdminSettingsFooterLinks.js"; | ||||||
|  |  | ||||||
|  | // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||||||
|  | type Decorator = DecoratorFunction<WebComponentsRenderer, any>; | ||||||
|  |  | ||||||
|  | const metadata: Meta<FooterLinkInput> = { | ||||||
|  |     title: "Components / Footer Link Input", | ||||||
|  |     component: "ak-admin-settings-footer-link", | ||||||
|  |     parameters: { | ||||||
|  |         docs: { | ||||||
|  |             description: { | ||||||
|  |                 component: "A stylized control for the footer links", | ||||||
|  |             }, | ||||||
|  |         }, | ||||||
|  |     }, | ||||||
|  |     decorators: [ | ||||||
|  |         (story: Decorator) => { | ||||||
|  |             window.setTimeout(() => { | ||||||
|  |                 const control = document.getElementById("footer-link"); | ||||||
|  |                 if (!control) { | ||||||
|  |                     throw new Error("Test was not initialized correctly."); | ||||||
|  |                 } | ||||||
|  |                 const messages = document.getElementById("reported-value"); | ||||||
|  |                 control.addEventListener("change", (event: Event) => { | ||||||
|  |                     if (!event.target) { | ||||||
|  |                         return; | ||||||
|  |                     } | ||||||
|  |                     const target = event.target as FooterLinkInput; | ||||||
|  |                     messages!.innerText = `${JSON.stringify(target.json(), null, 2)}\n\nValid: ${target.isValid ? "Yes" : "No"}`; | ||||||
|  |                 }); | ||||||
|  |             }, 250); | ||||||
|  |  | ||||||
|  |             return html`<div | ||||||
|  |                 style="background: #fff; padding: 2em; position: relative" | ||||||
|  |                 id="the-main-event" | ||||||
|  |             > | ||||||
|  |                 <style> | ||||||
|  |                     li { | ||||||
|  |                         display: block; | ||||||
|  |                     } | ||||||
|  |                     p { | ||||||
|  |                         margin-top: 1em; | ||||||
|  |                     } | ||||||
|  |                     #the-answer-block { | ||||||
|  |                         padding-top: 3em; | ||||||
|  |                     } | ||||||
|  |                 </style> | ||||||
|  |                 <div> | ||||||
|  |                     ${ | ||||||
|  |                         // @ts-expect-error The types for web components are not well-defined } | ||||||
|  |                         story() | ||||||
|  |                     } | ||||||
|  |                 </div> | ||||||
|  |                 <div style="margin-top: 2rem"> | ||||||
|  |                     <p>Reported value:</p> | ||||||
|  |                     <pre id="reported-value"></pre> | ||||||
|  |                 </div> | ||||||
|  |             </div>`; | ||||||
|  |         }, | ||||||
|  |     ], | ||||||
|  | }; | ||||||
|  |  | ||||||
|  | export default metadata; | ||||||
|  |  | ||||||
|  | type Story = StoryObj; | ||||||
|  |  | ||||||
|  | export const Default: Story = { | ||||||
|  |     render: () => | ||||||
|  |         html` <ak-admin-settings-footer-link | ||||||
|  |             id="footer-link" | ||||||
|  |             name="the-footer" | ||||||
|  |         ></ak-admin-settings-footer-link>`, | ||||||
|  | }; | ||||||
| @ -0,0 +1,68 @@ | |||||||
|  | import { render } from "@goauthentik/elements/tests/utils.js"; | ||||||
|  | import { $, expect } from "@wdio/globals"; | ||||||
|  |  | ||||||
|  | import { html } from "lit"; | ||||||
|  |  | ||||||
|  | import "../AdminSettingsFooterLinks.js"; | ||||||
|  |  | ||||||
|  | describe("ak-admin-settings-footer-link", () => { | ||||||
|  |     afterEach(async () => { | ||||||
|  |         await browser.execute(async () => { | ||||||
|  |             await document.body.querySelector("ak-admin-settings-footer-link")?.remove(); | ||||||
|  |             if (document.body["_$litPart$"]) { | ||||||
|  |                 // @ts-expect-error expression of type '"_$litPart$"' is added by Lit | ||||||
|  |                 await delete document.body["_$litPart$"]; | ||||||
|  |             } | ||||||
|  |         }); | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     it("should render an empty control", async () => { | ||||||
|  |         render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`); | ||||||
|  |         const link = await $("ak-admin-settings-footer-link"); | ||||||
|  |         await expect(await link.getProperty("isValid")).toStrictEqual(false); | ||||||
|  |         await expect(await link.getProperty("toJson")).toEqual({ name: "", href: "" }); | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     it("should not be valid if just a name is filled in", async () => { | ||||||
|  |         render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`); | ||||||
|  |         const link = await $("ak-admin-settings-footer-link"); | ||||||
|  |         await link.$('input[name="name"]').setValue("foo"); | ||||||
|  |         await expect(await link.getProperty("isValid")).toStrictEqual(false); | ||||||
|  |         await expect(await link.getProperty("toJson")).toEqual({ name: "foo", href: "" }); | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     it("should be valid if just a URL is filled in", async () => { | ||||||
|  |         render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`); | ||||||
|  |         const link = await $("ak-admin-settings-footer-link"); | ||||||
|  |         await link.$('input[name="href"]').setValue("https://foo.com"); | ||||||
|  |         await expect(await link.getProperty("isValid")).toStrictEqual(true); | ||||||
|  |         await expect(await link.getProperty("toJson")).toEqual({ | ||||||
|  |             name: "", | ||||||
|  |             href: "https://foo.com", | ||||||
|  |         }); | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     it("should be valid if both are filled in", async () => { | ||||||
|  |         render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`); | ||||||
|  |         const link = await $("ak-admin-settings-footer-link"); | ||||||
|  |         await link.$('input[name="name"]').setValue("foo"); | ||||||
|  |         await link.$('input[name="href"]').setValue("https://foo.com"); | ||||||
|  |         await expect(await link.getProperty("isValid")).toStrictEqual(true); | ||||||
|  |         await expect(await link.getProperty("toJson")).toEqual({ | ||||||
|  |             name: "foo", | ||||||
|  |             href: "https://foo.com", | ||||||
|  |         }); | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     it("should not be valid if the URL is not valid", async () => { | ||||||
|  |         render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`); | ||||||
|  |         const link = await $("ak-admin-settings-footer-link"); | ||||||
|  |         await link.$('input[name="name"]').setValue("foo"); | ||||||
|  |         await link.$('input[name="href"]').setValue("never://foo.com"); | ||||||
|  |         await expect(await link.getProperty("toJson")).toEqual({ | ||||||
|  |             name: "foo", | ||||||
|  |             href: "never://foo.com", | ||||||
|  |         }); | ||||||
|  |         await expect(await link.getProperty("isValid")).toStrictEqual(false); | ||||||
|  |     }); | ||||||
|  | }); | ||||||
| @ -97,7 +97,7 @@ export class ApplicationWizardApplicationDetails extends WithBrandConfig(BasePro | |||||||
|                 </ak-radio-input> |                 </ak-radio-input> | ||||||
|  |  | ||||||
|                 <ak-switch-input |                 <ak-switch-input | ||||||
|                     name="openInNewTab" |                     name="mfaSupport" | ||||||
|                     label=${msg("Code-based MFA Support")} |                     label=${msg("Code-based MFA Support")} | ||||||
|                     ?checked=${provider?.mfaSupport ?? true} |                     ?checked=${provider?.mfaSupport ?? true} | ||||||
|                     help=${mfaSupportHelp} |                     help=${mfaSupportHelp} | ||||||
|  | |||||||
| @ -11,6 +11,10 @@ import { | |||||||
|     redirectUriHelp, |     redirectUriHelp, | ||||||
|     subjectModeOptions, |     subjectModeOptions, | ||||||
| } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm"; | } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm"; | ||||||
|  | import { | ||||||
|  |     IRedirectURIInput, | ||||||
|  |     akOAuthRedirectURIInput, | ||||||
|  | } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI"; | ||||||
| import { | import { | ||||||
|     makeSourceSelector, |     makeSourceSelector, | ||||||
|     oauth2SourcesProvider, |     oauth2SourcesProvider, | ||||||
| @ -31,7 +35,13 @@ import { customElement, state } from "@lit/reactive-element/decorators.js"; | |||||||
| import { html, nothing } from "lit"; | import { html, nothing } from "lit"; | ||||||
| import { ifDefined } from "lit/directives/if-defined.js"; | import { ifDefined } from "lit/directives/if-defined.js"; | ||||||
|  |  | ||||||
| import { ClientTypeEnum, FlowsInstancesListDesignationEnum, SourcesApi } from "@goauthentik/api"; | import { | ||||||
|  |     ClientTypeEnum, | ||||||
|  |     FlowsInstancesListDesignationEnum, | ||||||
|  |     MatchingModeEnum, | ||||||
|  |     RedirectURI, | ||||||
|  |     SourcesApi, | ||||||
|  | } from "@goauthentik/api"; | ||||||
| import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api"; | import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api"; | ||||||
|  |  | ||||||
| import BaseProviderPanel from "../BaseProviderPanel"; | import BaseProviderPanel from "../BaseProviderPanel"; | ||||||
| @ -120,14 +130,27 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel { | |||||||
|                         > |                         > | ||||||
|                         </ak-text-input> |                         </ak-text-input> | ||||||
|  |  | ||||||
|                         <ak-textarea-input |                         <ak-form-element-horizontal | ||||||
|  |                             label=${msg("Redirect URIs/Origins")} | ||||||
|  |                             required | ||||||
|                             name="redirectUris" |                             name="redirectUris" | ||||||
|                             label=${msg("Redirect URIs/Origins (RegEx)")} |  | ||||||
|                             .value=${provider?.redirectUris} |  | ||||||
|                             .errorMessages=${errors?.redirectUriHelp ?? []} |  | ||||||
|                             .bighelp=${redirectUriHelp} |  | ||||||
|                         > |                         > | ||||||
|                         </ak-textarea-input> |                             <ak-array-input | ||||||
|  |                                 .items=${[]} | ||||||
|  |                                 .newItem=${() => ({ | ||||||
|  |                                     matchingMode: MatchingModeEnum.Strict, | ||||||
|  |                                     url: "", | ||||||
|  |                                 })} | ||||||
|  |                                 .row=${(f?: RedirectURI) => | ||||||
|  |                                     akOAuthRedirectURIInput({ | ||||||
|  |                                         ".redirectURI": f, | ||||||
|  |                                         "style": "width: 100%", | ||||||
|  |                                         "name": "oauth2-redirect-uri", | ||||||
|  |                                     } as unknown as IRedirectURIInput)} | ||||||
|  |                             > | ||||||
|  |                             </ak-array-input> | ||||||
|  |                             ${redirectUriHelp} | ||||||
|  |                         </ak-form-element-horizontal> | ||||||
|  |  | ||||||
|                         <ak-form-element-horizontal |                         <ak-form-element-horizontal | ||||||
|                             label=${msg("Signing Key")} |                             label=${msg("Signing Key")} | ||||||
|  | |||||||
| @ -1,11 +1,16 @@ | |||||||
| import "@goauthentik/admin/common/ak-crypto-certificate-search"; | import "@goauthentik/admin/common/ak-crypto-certificate-search"; | ||||||
| import "@goauthentik/admin/common/ak-flow-search/ak-flow-search"; | import "@goauthentik/admin/common/ak-flow-search/ak-flow-search"; | ||||||
| import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; | import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; | ||||||
|  | import { | ||||||
|  |     IRedirectURIInput, | ||||||
|  |     akOAuthRedirectURIInput, | ||||||
|  | } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI"; | ||||||
| import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; | import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; | ||||||
| import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils"; | import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils"; | ||||||
| import "@goauthentik/components/ak-radio-input"; | import "@goauthentik/components/ak-radio-input"; | ||||||
| import "@goauthentik/components/ak-text-input"; | import "@goauthentik/components/ak-text-input"; | ||||||
| import "@goauthentik/components/ak-textarea-input"; | import "@goauthentik/components/ak-textarea-input"; | ||||||
|  | import "@goauthentik/elements/ak-array-input.js"; | ||||||
| import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js"; | import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js"; | ||||||
| import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js"; | import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js"; | ||||||
| import "@goauthentik/elements/forms/FormGroup"; | import "@goauthentik/elements/forms/FormGroup"; | ||||||
| @ -15,7 +20,7 @@ import "@goauthentik/elements/forms/SearchSelect"; | |||||||
| import "@goauthentik/elements/utils/TimeDeltaHelp"; | import "@goauthentik/elements/utils/TimeDeltaHelp"; | ||||||
|  |  | ||||||
| import { msg } from "@lit/localize"; | import { msg } from "@lit/localize"; | ||||||
| import { TemplateResult, html } from "lit"; | import { TemplateResult, css, html } from "lit"; | ||||||
| import { customElement, state } from "lit/decorators.js"; | import { customElement, state } from "lit/decorators.js"; | ||||||
| import { ifDefined } from "lit/directives/if-defined.js"; | import { ifDefined } from "lit/directives/if-defined.js"; | ||||||
|  |  | ||||||
| @ -23,8 +28,10 @@ import { | |||||||
|     ClientTypeEnum, |     ClientTypeEnum, | ||||||
|     FlowsInstancesListDesignationEnum, |     FlowsInstancesListDesignationEnum, | ||||||
|     IssuerModeEnum, |     IssuerModeEnum, | ||||||
|  |     MatchingModeEnum, | ||||||
|     OAuth2Provider, |     OAuth2Provider, | ||||||
|     ProvidersApi, |     ProvidersApi, | ||||||
|  |     RedirectURI, | ||||||
|     SubModeEnum, |     SubModeEnum, | ||||||
| } from "@goauthentik/api"; | } from "@goauthentik/api"; | ||||||
|  |  | ||||||
| @ -98,13 +105,13 @@ export const issuerModeOptions = [ | |||||||
|  |  | ||||||
| const redirectUriHelpMessages = [ | const redirectUriHelpMessages = [ | ||||||
|     msg( |     msg( | ||||||
|         "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.", |         "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.", | ||||||
|     ), |     ), | ||||||
|     msg( |     msg( | ||||||
|         "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.", |         "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.", | ||||||
|     ), |     ), | ||||||
|     msg( |     msg( | ||||||
|         'To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.', |         'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.', | ||||||
|     ), |     ), | ||||||
| ]; | ]; | ||||||
|  |  | ||||||
| @ -124,11 +131,23 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> { | |||||||
|     @state() |     @state() | ||||||
|     showClientSecret = true; |     showClientSecret = true; | ||||||
|  |  | ||||||
|  |     @state() | ||||||
|  |     redirectUris: RedirectURI[] = []; | ||||||
|  |  | ||||||
|  |     static get styles() { | ||||||
|  |         return super.styles.concat(css` | ||||||
|  |             ak-array-input { | ||||||
|  |                 width: 100%; | ||||||
|  |             } | ||||||
|  |         `); | ||||||
|  |     } | ||||||
|  |  | ||||||
|     async loadInstance(pk: number): Promise<OAuth2Provider> { |     async loadInstance(pk: number): Promise<OAuth2Provider> { | ||||||
|         const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({ |         const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({ | ||||||
|             id: pk, |             id: pk, | ||||||
|         }); |         }); | ||||||
|         this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential; |         this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential; | ||||||
|  |         this.redirectUris = provider.redirectUris; | ||||||
|         return provider; |         return provider; | ||||||
|     } |     } | ||||||
|  |  | ||||||
| @ -203,13 +222,24 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> { | |||||||
|                         ?hidden=${!this.showClientSecret} |                         ?hidden=${!this.showClientSecret} | ||||||
|                     > |                     > | ||||||
|                     </ak-text-input> |                     </ak-text-input> | ||||||
|                     <ak-textarea-input |                     <ak-form-element-horizontal | ||||||
|  |                         label=${msg("Redirect URIs/Origins")} | ||||||
|  |                         required | ||||||
|                         name="redirectUris" |                         name="redirectUris" | ||||||
|                         label=${msg("Redirect URIs/Origins (RegEx)")} |  | ||||||
|                         .value=${provider?.redirectUris} |  | ||||||
|                         .bighelp=${redirectUriHelp} |  | ||||||
|                     > |                     > | ||||||
|                     </ak-textarea-input> |                         <ak-array-input | ||||||
|  |                             .items=${this.instance?.redirectUris ?? []} | ||||||
|  |                             .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })} | ||||||
|  |                             .row=${(f?: RedirectURI) => | ||||||
|  |                                 akOAuthRedirectURIInput({ | ||||||
|  |                                     ".redirectURI": f, | ||||||
|  |                                     "style": "width: 100%", | ||||||
|  |                                     "name": "oauth2-redirect-uri", | ||||||
|  |                                 } as unknown as IRedirectURIInput)} | ||||||
|  |                         > | ||||||
|  |                         </ak-array-input> | ||||||
|  |                         ${redirectUriHelp} | ||||||
|  |                     </ak-form-element-horizontal> | ||||||
|  |  | ||||||
|                     <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey"> |                     <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey"> | ||||||
|                         <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements --> |                         <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements --> | ||||||
|  | |||||||
Some files were not shown because too many files have changed in this diff Show More
		Reference in New Issue
	
	Block a user
	