Compare commits
6 Commits
version-20
...
version/20
| Author | SHA1 | Date | |
|---|---|---|---|
| 83f46f6ff1 | |||
| 0e7cc6da4c | |||
| a262171671 | |||
| 87b8ca7be4 | |||
| cc8dc1403f | |||
| f21a196a3b |
@ -1,5 +1,5 @@
|
||||
[bumpversion]
|
||||
current_version = 2022.10.1
|
||||
current_version = 2022.10.3
|
||||
tag = True
|
||||
commit = True
|
||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
|
||||
|
||||
@ -17,24 +17,24 @@ diverse, inclusive, and healthy community.
|
||||
Examples of behavior that contributes to a positive environment for our
|
||||
community include:
|
||||
|
||||
* Demonstrating empathy and kindness toward other people
|
||||
* Being respectful of differing opinions, viewpoints, and experiences
|
||||
* Giving and gracefully accepting constructive feedback
|
||||
* Accepting responsibility and apologizing to those affected by our mistakes,
|
||||
and learning from the experience
|
||||
* Focusing on what is best not just for us as individuals, but for the
|
||||
overall community
|
||||
- Demonstrating empathy and kindness toward other people
|
||||
- Being respectful of differing opinions, viewpoints, and experiences
|
||||
- Giving and gracefully accepting constructive feedback
|
||||
- Accepting responsibility and apologizing to those affected by our mistakes,
|
||||
and learning from the experience
|
||||
- Focusing on what is best not just for us as individuals, but for the
|
||||
overall community
|
||||
|
||||
Examples of unacceptable behavior include:
|
||||
|
||||
* The use of sexualized language or imagery, and sexual attention or
|
||||
advances of any kind
|
||||
* Trolling, insulting or derogatory comments, and personal or political attacks
|
||||
* Public or private harassment
|
||||
* Publishing others' private information, such as a physical or email
|
||||
address, without their explicit permission
|
||||
* Other conduct which could reasonably be considered inappropriate in a
|
||||
professional setting
|
||||
- The use of sexualized language or imagery, and sexual attention or
|
||||
advances of any kind
|
||||
- Trolling, insulting or derogatory comments, and personal or political attacks
|
||||
- Public or private harassment
|
||||
- Publishing others' private information, such as a physical or email
|
||||
address, without their explicit permission
|
||||
- Other conduct which could reasonably be considered inappropriate in a
|
||||
professional setting
|
||||
|
||||
## Enforcement Responsibilities
|
||||
|
||||
@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban.
|
||||
### 4. Permanent Ban
|
||||
|
||||
**Community Impact**: Demonstrating a pattern of violation of community
|
||||
standards, including sustained inappropriate behavior, harassment of an
|
||||
standards, including sustained inappropriate behavior, harassment of an
|
||||
individual, or aggression toward or disparagement of classes of individuals.
|
||||
|
||||
**Consequence**: A permanent ban from any sort of public interaction within
|
||||
|
||||
@ -11,19 +11,22 @@ The following is a set of guidelines for contributing to authentik and its compo
|
||||
[I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
|
||||
|
||||
[What should I know before I get started?](#what-should-i-know-before-i-get-started)
|
||||
* [The components](#the-components)
|
||||
* [authentik's structure](#authentiks-structure)
|
||||
|
||||
- [The components](#the-components)
|
||||
- [authentik's structure](#authentiks-structure)
|
||||
|
||||
[How Can I Contribute?](#how-can-i-contribute)
|
||||
* [Reporting Bugs](#reporting-bugs)
|
||||
* [Suggesting Enhancements](#suggesting-enhancements)
|
||||
* [Your First Code Contribution](#your-first-code-contribution)
|
||||
* [Pull Requests](#pull-requests)
|
||||
|
||||
- [Reporting Bugs](#reporting-bugs)
|
||||
- [Suggesting Enhancements](#suggesting-enhancements)
|
||||
- [Your First Code Contribution](#your-first-code-contribution)
|
||||
- [Pull Requests](#pull-requests)
|
||||
|
||||
[Styleguides](#styleguides)
|
||||
* [Git Commit Messages](#git-commit-messages)
|
||||
* [Python Styleguide](#python-styleguide)
|
||||
* [Documentation Styleguide](#documentation-styleguide)
|
||||
|
||||
- [Git Commit Messages](#git-commit-messages)
|
||||
- [Python Styleguide](#python-styleguide)
|
||||
- [Documentation Styleguide](#documentation-styleguide)
|
||||
|
||||
## Code of Conduct
|
||||
|
||||
@ -39,11 +42,11 @@ Either [create a question on GitHub](https://github.com/goauthentik/authentik/is
|
||||
|
||||
authentik consists of a few larger components:
|
||||
|
||||
- *authentik* the actual application server, is described below.
|
||||
- *outpost-proxy* is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
|
||||
- *outpost-ldap* is a Go LDAP server that uses the *authentik* application server as its backend
|
||||
- *web* is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
|
||||
- *website* is the Website/documentation, which uses docusaurus.
|
||||
- _authentik_ the actual application server, is described below.
|
||||
- _outpost-proxy_ is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
|
||||
- _outpost-ldap_ is a Go LDAP server that uses the _authentik_ application server as its backend
|
||||
- _web_ is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
|
||||
- _website_ is the Website/documentation, which uses docusaurus.
|
||||
|
||||
### authentik's structure
|
||||
|
||||
@ -137,10 +140,10 @@ This is documented in the [developer docs](https://goauthentik.io/developer-docs
|
||||
|
||||
The process described here has several goals:
|
||||
|
||||
- Maintain authentik's quality
|
||||
- Fix problems that are important to users
|
||||
- Engage the community in working toward the best possible authentik
|
||||
- Enable a sustainable system for authentik's maintainers to review contributions
|
||||
- Maintain authentik's quality
|
||||
- Fix problems that are important to users
|
||||
- Engage the community in working toward the best possible authentik
|
||||
- Enable a sustainable system for authentik's maintainers to review contributions
|
||||
|
||||
Please follow these steps to have your contribution considered by the maintainers:
|
||||
|
||||
@ -154,10 +157,10 @@ While the prerequisites above must be satisfied prior to having your pull reques
|
||||
|
||||
### Git Commit Messages
|
||||
|
||||
* Use the format of `<package>: <verb> <description>`
|
||||
- See [here](#authentik-packages) for `package`
|
||||
- Example: `providers/saml2: fix parsing of requests`
|
||||
* Reference issues and pull requests liberally after the first line
|
||||
- Use the format of `<package>: <verb> <description>`
|
||||
- See [here](#authentik-packages) for `package`
|
||||
- Example: `providers/saml2: fix parsing of requests`
|
||||
- Reference issues and pull requests liberally after the first line
|
||||
|
||||
### Python Styleguide
|
||||
|
||||
@ -165,11 +168,11 @@ All Python code is linted with [black](https://black.readthedocs.io/en/stable/),
|
||||
|
||||
authentik runs on Python 3.9 at the time of writing this.
|
||||
|
||||
* Use native type-annotations wherever possible.
|
||||
* Add meaningful docstrings when possible.
|
||||
* Ensure any database migrations work properly from the last stable version (this is checked via CI)
|
||||
* If your code changes central functions, make sure nothing else is broken.
|
||||
- Use native type-annotations wherever possible.
|
||||
- Add meaningful docstrings when possible.
|
||||
- Ensure any database migrations work properly from the last stable version (this is checked via CI)
|
||||
- If your code changes central functions, make sure nothing else is broken.
|
||||
|
||||
### Documentation Styleguide
|
||||
|
||||
* Use [MDX](https://mdxjs.com/) whenever appropriate.
|
||||
- Use [MDX](https://mdxjs.com/) whenever appropriate.
|
||||
|
||||
@ -3,6 +3,7 @@ FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder
|
||||
|
||||
COPY ./website /work/website/
|
||||
COPY ./blueprints /work/blueprints/
|
||||
COPY ./SECURITY.md /work/
|
||||
|
||||
ENV NODE_ENV=production
|
||||
WORKDIR /work/website
|
||||
|
||||
@ -26,10 +26,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
|
||||
|
||||
## Screenshots
|
||||
|
||||
Light | Dark
|
||||
--- | ---
|
||||
 | 
|
||||
 | 
|
||||
| Light | Dark |
|
||||
| ------------------------------------------------------ | ----------------------------------------------------- |
|
||||
|  |  |
|
||||
|  |  |
|
||||
|
||||
## Development
|
||||
|
||||
|
||||
38
SECURITY.md
38
SECURITY.md
@ -1,17 +1,43 @@
|
||||
# Security Policy
|
||||
Authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
|
||||
|
||||
## Supported Versions
|
||||
|
||||
(.x being the latest patch release for each version)
|
||||
|
||||
| Version | Supported |
|
||||
| ---------- | ------------------ |
|
||||
| 2022.9.x | :white_check_mark: |
|
||||
| 2022.10.x | :white_check_mark: |
|
||||
| Version | Supported |
|
||||
| --------- | ------------------ |
|
||||
| 2022.10.x | :white_check_mark: |
|
||||
| 2022.11.x | :white_check_mark: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)
|
||||
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug.
|
||||
|
||||
## Criticality levels
|
||||
|
||||
### High
|
||||
|
||||
- Authorization bypass
|
||||
- Circumvention of policies
|
||||
|
||||
### Moderate
|
||||
|
||||
- Denial-of-Service attacks
|
||||
|
||||
### Low
|
||||
|
||||
- Unvalidated redirects
|
||||
- Issues requiring uncommon setups
|
||||
|
||||
## Disclosure process
|
||||
|
||||
1. Issue is reported via Email as listed above.
|
||||
2. The authentik Security team will try to reproduce the issue and ask for more information if required.
|
||||
3. A criticality level is assigned.
|
||||
4. A fix is created, and if possible tested by the issue reporter.
|
||||
5. The fix is backported to other supported versions, and if possible a workaround for other versions is created.
|
||||
6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix
|
||||
7. The fixed version is released for the supported versions.
|
||||
|
||||
## Getting security notifications
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
from os import environ
|
||||
from typing import Optional
|
||||
|
||||
__version__ = "2022.10.1"
|
||||
__version__ = "2022.10.3"
|
||||
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
||||
|
||||
|
||||
|
||||
@ -72,6 +72,7 @@ class FlowSerializer(ModelSerializer):
|
||||
"export_url",
|
||||
"layout",
|
||||
"denied_action",
|
||||
"authentication",
|
||||
]
|
||||
extra_kwargs = {
|
||||
"background": {"read_only": True},
|
||||
|
||||
@ -1,4 +1,6 @@
|
||||
"""flow exceptions"""
|
||||
from typing import Optional
|
||||
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from authentik.lib.sentry import SentryIgnoredException
|
||||
@ -6,15 +8,15 @@ from authentik.policies.types import PolicyResult
|
||||
|
||||
|
||||
class FlowNonApplicableException(SentryIgnoredException):
|
||||
"""Flow does not apply to current user (denied by policy)."""
|
||||
"""Flow does not apply to current user (denied by policy, or otherwise)."""
|
||||
|
||||
policy_result: PolicyResult
|
||||
policy_result: Optional[PolicyResult] = None
|
||||
|
||||
@property
|
||||
def messages(self) -> str:
|
||||
"""Get messages from policy result, fallback to generic reason"""
|
||||
if len(self.policy_result.messages) < 1:
|
||||
return _("Flow does not apply to current user (denied by policy).")
|
||||
if not self.policy_result or len(self.policy_result.messages) < 1:
|
||||
return _("Flow does not apply to current user.")
|
||||
return "\n".join(self.policy_result.messages)
|
||||
|
||||
|
||||
|
||||
27
authentik/flows/migrations/0024_flow_authentication.py
Normal file
27
authentik/flows/migrations/0024_flow_authentication.py
Normal file
@ -0,0 +1,27 @@
|
||||
# Generated by Django 4.1.3 on 2022-11-30 09:04
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
("authentik_flows", "0023_flow_denied_action"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name="flow",
|
||||
name="authentication",
|
||||
field=models.TextField(
|
||||
choices=[
|
||||
("none", "None"),
|
||||
("require_authenticated", "Require Authenticated"),
|
||||
("require_unauthenticated", "Require Unauthenticated"),
|
||||
("require_superuser", "Require Superuser"),
|
||||
],
|
||||
default="none",
|
||||
help_text="Required level of authentication and authorization to access a flow.",
|
||||
),
|
||||
),
|
||||
]
|
||||
@ -23,6 +23,15 @@ if TYPE_CHECKING:
|
||||
LOGGER = get_logger()
|
||||
|
||||
|
||||
class FlowAuthenticationRequirement(models.TextChoices):
|
||||
"""Required level of authentication and authorization to access a flow"""
|
||||
|
||||
NONE = "none"
|
||||
REQUIRE_AUTHENTICATED = "require_authenticated"
|
||||
REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
|
||||
REQUIRE_SUPERUSER = "require_superuser"
|
||||
|
||||
|
||||
class NotConfiguredAction(models.TextChoices):
|
||||
"""Decides how the FlowExecutor should proceed when a stage isn't configured"""
|
||||
|
||||
@ -152,6 +161,12 @@ class Flow(SerializerModel, PolicyBindingModel):
|
||||
help_text=_("Configure what should happen when a flow denies access to a user."),
|
||||
)
|
||||
|
||||
authentication = models.TextField(
|
||||
choices=FlowAuthenticationRequirement.choices,
|
||||
default=FlowAuthenticationRequirement.NONE,
|
||||
help_text=_("Required level of authentication and authorization to access a flow."),
|
||||
)
|
||||
|
||||
@property
|
||||
def background_url(self) -> str:
|
||||
"""Get the URL to the background image. If the name is /static or starts with http
|
||||
|
||||
@ -13,7 +13,14 @@ from authentik.events.models import cleanse_dict
|
||||
from authentik.flows.apps import HIST_FLOWS_PLAN_TIME
|
||||
from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
|
||||
from authentik.flows.markers import ReevaluateMarker, StageMarker
|
||||
from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage, in_memory_stage
|
||||
from authentik.flows.models import (
|
||||
Flow,
|
||||
FlowAuthenticationRequirement,
|
||||
FlowDesignation,
|
||||
FlowStageBinding,
|
||||
Stage,
|
||||
in_memory_stage,
|
||||
)
|
||||
from authentik.lib.config import CONFIG
|
||||
from authentik.policies.engine import PolicyEngine
|
||||
|
||||
@ -116,11 +123,30 @@ class FlowPlanner:
|
||||
self.flow = flow
|
||||
self._logger = get_logger().bind(flow_slug=flow.slug)
|
||||
|
||||
def _check_authentication(self, request: HttpRequest):
|
||||
"""Check the flow's authentication level is matched by `request`"""
|
||||
if (
|
||||
self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
|
||||
and not request.user.is_authenticated
|
||||
):
|
||||
raise FlowNonApplicableException()
|
||||
if (
|
||||
self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED
|
||||
and request.user.is_authenticated
|
||||
):
|
||||
raise FlowNonApplicableException()
|
||||
if (
|
||||
self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_SUPERUSER
|
||||
and not request.user.is_superuser
|
||||
):
|
||||
raise FlowNonApplicableException()
|
||||
|
||||
def plan(
|
||||
self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
|
||||
) -> FlowPlan:
|
||||
"""Check each of the flows' policies, check policies for each stage with PolicyBinding
|
||||
and return ordered list"""
|
||||
self._check_authentication(request)
|
||||
with Hub.current.start_span(
|
||||
op="authentik.flow.planner.plan", description=self.flow.slug
|
||||
) as span:
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
"""flow planner tests"""
|
||||
from unittest.mock import MagicMock, Mock, PropertyMock, patch
|
||||
|
||||
from django.contrib.auth.models import AnonymousUser
|
||||
from django.contrib.sessions.middleware import SessionMiddleware
|
||||
from django.core.cache import cache
|
||||
from django.test import RequestFactory, TestCase
|
||||
@ -8,10 +9,10 @@ from django.urls import reverse
|
||||
from guardian.shortcuts import get_anonymous_user
|
||||
|
||||
from authentik.core.models import User
|
||||
from authentik.core.tests.utils import create_test_flow
|
||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
||||
from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
|
||||
from authentik.flows.markers import ReevaluateMarker, StageMarker
|
||||
from authentik.flows.models import FlowDesignation, FlowStageBinding
|
||||
from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
|
||||
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
|
||||
from authentik.lib.tests.utils import dummy_get_response
|
||||
from authentik.policies.dummy.models import DummyPolicy
|
||||
@ -43,6 +44,30 @@ class TestFlowPlanner(TestCase):
|
||||
planner = FlowPlanner(flow)
|
||||
planner.plan(request)
|
||||
|
||||
def test_authentication(self):
|
||||
"""Test flow authentication"""
|
||||
flow = create_test_flow()
|
||||
flow.authentication = FlowAuthenticationRequirement.NONE
|
||||
request = self.request_factory.get(
|
||||
reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
|
||||
)
|
||||
request.user = AnonymousUser()
|
||||
planner = FlowPlanner(flow)
|
||||
planner.allow_empty_flows = True
|
||||
planner.plan(request)
|
||||
|
||||
with self.assertRaises(FlowNonApplicableException):
|
||||
flow.authentication = FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
|
||||
FlowPlanner(flow).plan(request)
|
||||
with self.assertRaises(FlowNonApplicableException):
|
||||
flow.authentication = FlowAuthenticationRequirement.REQUIRE_SUPERUSER
|
||||
FlowPlanner(flow).plan(request)
|
||||
|
||||
request.user = create_test_admin_user()
|
||||
planner = FlowPlanner(flow)
|
||||
planner.allow_empty_flows = True
|
||||
planner.plan(request)
|
||||
|
||||
@patch(
|
||||
"authentik.policies.engine.PolicyEngine.result",
|
||||
POLICY_RETURN_FALSE,
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: stage_configuration
|
||||
name: Change Password
|
||||
title: Change password
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-password-change
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -11,6 +11,7 @@ entries:
|
||||
designation: authentication
|
||||
name: Welcome to authentik!
|
||||
title: Welcome to authentik!
|
||||
authentication: require_unauthenticated
|
||||
identifiers:
|
||||
slug: default-authentication-flow
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: invalidation
|
||||
name: Logout
|
||||
title: Default Invalidation Flow
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-invalidation-flow
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: stage_configuration
|
||||
name: default-authenticator-static-setup
|
||||
title: Setup Static OTP Tokens
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-authenticator-static-setup
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: stage_configuration
|
||||
name: default-authenticator-totp-setup
|
||||
title: Setup Two-Factor authentication
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-authenticator-totp-setup
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: stage_configuration
|
||||
name: default-authenticator-webauthn-setup
|
||||
title: Setup WebAuthn
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-authenticator-webauthn-setup
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: authorization
|
||||
name: Authorize Application
|
||||
title: Redirecting to %(app)s
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-provider-authorization-explicit-consent
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: authorization
|
||||
name: Authorize Application
|
||||
title: Redirecting to %(app)s
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-provider-authorization-implicit-consent
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: authentication
|
||||
name: Welcome to authentik!
|
||||
title: Welcome to authentik!
|
||||
authentication: require_unauthenticated
|
||||
identifiers:
|
||||
slug: default-source-authentication
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: enrollment
|
||||
name: Welcome to authentik! Please select a username.
|
||||
title: Welcome to authentik! Please select a username.
|
||||
authentication: none
|
||||
identifiers:
|
||||
slug: default-source-enrollment
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: stage_configuration
|
||||
name: Pre-Authentication
|
||||
title: Pre-authentication
|
||||
authentication: none
|
||||
identifiers:
|
||||
slug: default-source-pre-authentication
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -6,6 +6,7 @@ entries:
|
||||
designation: stage_configuration
|
||||
name: User settings
|
||||
title: Update your info
|
||||
authentication: require_authenticated
|
||||
identifiers:
|
||||
slug: default-user-settings-flow
|
||||
model: authentik_flows.flow
|
||||
|
||||
@ -12,6 +12,7 @@ entries:
|
||||
name: Default enrollment Flow
|
||||
title: Welcome to authentik!
|
||||
designation: enrollment
|
||||
authentication: require_unauthenticated
|
||||
- identifiers:
|
||||
field_key: username
|
||||
label: Username
|
||||
|
||||
@ -12,6 +12,7 @@ entries:
|
||||
name: Default enrollment Flow
|
||||
title: Welcome to authentik!
|
||||
designation: enrollment
|
||||
authentication: require_unauthenticated
|
||||
- identifiers:
|
||||
field_key: username
|
||||
label: Username
|
||||
|
||||
@ -12,6 +12,7 @@ entries:
|
||||
name: Default Authentication Flow
|
||||
title: Welcome to authentik!
|
||||
designation: authentication
|
||||
authentication: require_unauthenticated
|
||||
- identifiers:
|
||||
name: test-not-app-password
|
||||
id: test-not-app-password
|
||||
|
||||
@ -12,6 +12,7 @@ entries:
|
||||
name: Default Authentication Flow
|
||||
title: Welcome to authentik!
|
||||
designation: authentication
|
||||
authentication: require_unauthenticated
|
||||
- identifiers:
|
||||
name: default-authentication-login
|
||||
id: default-authentication-login
|
||||
|
||||
@ -12,6 +12,7 @@ entries:
|
||||
name: Default recovery flow
|
||||
title: Reset your password
|
||||
designation: recovery
|
||||
authentication: require_unauthenticated
|
||||
- identifiers:
|
||||
field_key: password
|
||||
label: Password
|
||||
|
||||
@ -12,6 +12,7 @@ entries:
|
||||
name: Default unenrollment flow
|
||||
title: Delete your account
|
||||
designation: unenrollment
|
||||
authentication: require_authenticated
|
||||
- identifiers:
|
||||
name: default-unenrollment-user-delete
|
||||
id: default-unenrollment-user-delete
|
||||
|
||||
@ -32,7 +32,7 @@ services:
|
||||
volumes:
|
||||
- redis:/data
|
||||
server:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.3}
|
||||
restart: unless-stopped
|
||||
command: server
|
||||
environment:
|
||||
@ -52,7 +52,7 @@ services:
|
||||
- "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
|
||||
- "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
|
||||
worker:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.3}
|
||||
restart: unless-stopped
|
||||
command: worker
|
||||
environment:
|
||||
|
||||
@ -29,4 +29,4 @@ func UserAgent() string {
|
||||
return fmt.Sprintf("authentik@%s", FullVersion())
|
||||
}
|
||||
|
||||
const VERSION = "2022.10.1"
|
||||
const VERSION = "2022.10.3"
|
||||
|
||||
@ -100,7 +100,7 @@ addopts = "-p no:celery --junitxml=unittest.xml"
|
||||
|
||||
[tool.poetry]
|
||||
name = "authentik"
|
||||
version = "2022.10.1"
|
||||
version = "2022.10.3"
|
||||
description = ""
|
||||
authors = ["authentik Team <hello@goauthentik.io>"]
|
||||
|
||||
|
||||
24
schema.yml
24
schema.yml
@ -1,7 +1,7 @@
|
||||
openapi: 3.0.3
|
||||
info:
|
||||
title: authentik
|
||||
version: 2022.10.1
|
||||
version: 2022.10.3
|
||||
description: Making authentication simple.
|
||||
contact:
|
||||
email: hello@goauthentik.io
|
||||
@ -25215,6 +25215,13 @@ components:
|
||||
- last_used
|
||||
- user
|
||||
- user_agent
|
||||
AuthenticationEnum:
|
||||
enum:
|
||||
- none
|
||||
- require_authenticated
|
||||
- require_unauthenticated
|
||||
- require_superuser
|
||||
type: string
|
||||
AuthenticatorAttachmentEnum:
|
||||
enum:
|
||||
- platform
|
||||
@ -27512,6 +27519,11 @@ components:
|
||||
- $ref: '#/components/schemas/DeniedActionEnum'
|
||||
description: Configure what should happen when a flow denies access to a
|
||||
user.
|
||||
authentication:
|
||||
allOf:
|
||||
- $ref: '#/components/schemas/AuthenticationEnum'
|
||||
description: Required level of authentication and authorization to access
|
||||
a flow.
|
||||
required:
|
||||
- background
|
||||
- cache_count
|
||||
@ -27804,6 +27816,11 @@ components:
|
||||
- $ref: '#/components/schemas/DeniedActionEnum'
|
||||
description: Configure what should happen when a flow denies access to a
|
||||
user.
|
||||
authentication:
|
||||
allOf:
|
||||
- $ref: '#/components/schemas/AuthenticationEnum'
|
||||
description: Required level of authentication and authorization to access
|
||||
a flow.
|
||||
required:
|
||||
- designation
|
||||
- name
|
||||
@ -33535,6 +33552,11 @@ components:
|
||||
- $ref: '#/components/schemas/DeniedActionEnum'
|
||||
description: Configure what should happen when a flow denies access to a
|
||||
user.
|
||||
authentication:
|
||||
allOf:
|
||||
- $ref: '#/components/schemas/AuthenticationEnum'
|
||||
description: Required level of authentication and authorization to access
|
||||
a flow.
|
||||
PatchedFlowStageBindingRequest:
|
||||
type: object
|
||||
description: FlowStageBinding Serializer
|
||||
|
||||
14
web/package-lock.json
generated
14
web/package-lock.json
generated
@ -21,7 +21,7 @@
|
||||
"@codemirror/legacy-modes": "^6.2.0",
|
||||
"@formatjs/intl-listformat": "^7.1.3",
|
||||
"@fortawesome/fontawesome-free": "^6.2.0",
|
||||
"@goauthentik/api": "^2022.10.0-1666383274",
|
||||
"@goauthentik/api": "^2022.11.2-1669997585",
|
||||
"@jackfranklin/rollup-plugin-markdown": "^0.4.0",
|
||||
"@lingui/cli": "^3.14.0",
|
||||
"@lingui/core": "^3.14.0",
|
||||
@ -1941,9 +1941,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@goauthentik/api": {
|
||||
"version": "2022.10.0-1666383274",
|
||||
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.10.0-1666383274.tgz",
|
||||
"integrity": "sha512-mwBT/bTpX4cSDxy6tQgaoHIzzWqpwIXSuv16knNqjk5emquckFOI1QhurB1D2MxbvrMETX8jfJWaE+LrE/cACA=="
|
||||
"version": "2022.11.2-1669997585",
|
||||
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.11.2-1669997585.tgz",
|
||||
"integrity": "sha512-muW3STOZgeuFUGX1Ojl6HSJcQFopESDXg4BdOvw8ltgt5eytwj/XQV3uQA5RB/m9aeZ+o6IAt/G6MWqNke8oUQ=="
|
||||
},
|
||||
"node_modules/@humanwhocodes/config-array": {
|
||||
"version": "0.11.6",
|
||||
@ -11620,9 +11620,9 @@
|
||||
"integrity": "sha512-CNR7qRIfCwWHNN7FnKUniva94edPdyQzil/zCwk3v6k4R6rR2Fr8i4s3PM7n/lyfPA6Zfko9z5WDzFxG9SW1uQ=="
|
||||
},
|
||||
"@goauthentik/api": {
|
||||
"version": "2022.10.0-1666383274",
|
||||
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.10.0-1666383274.tgz",
|
||||
"integrity": "sha512-mwBT/bTpX4cSDxy6tQgaoHIzzWqpwIXSuv16knNqjk5emquckFOI1QhurB1D2MxbvrMETX8jfJWaE+LrE/cACA=="
|
||||
"version": "2022.11.2-1669997585",
|
||||
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.11.2-1669997585.tgz",
|
||||
"integrity": "sha512-muW3STOZgeuFUGX1Ojl6HSJcQFopESDXg4BdOvw8ltgt5eytwj/XQV3uQA5RB/m9aeZ+o6IAt/G6MWqNke8oUQ=="
|
||||
},
|
||||
"@humanwhocodes/config-array": {
|
||||
"version": "0.11.6",
|
||||
|
||||
@ -64,7 +64,7 @@
|
||||
"@codemirror/legacy-modes": "^6.2.0",
|
||||
"@formatjs/intl-listformat": "^7.1.3",
|
||||
"@fortawesome/fontawesome-free": "^6.2.0",
|
||||
"@goauthentik/api": "^2022.10.0-1666383274",
|
||||
"@goauthentik/api": "^2022.11.2-1669997585",
|
||||
"@jackfranklin/rollup-plugin-markdown": "^0.4.0",
|
||||
"@lingui/cli": "^3.14.0",
|
||||
"@lingui/core": "^3.14.0",
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/utils";
|
||||
import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
|
||||
import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
|
||||
import { first } from "@goauthentik/common/utils";
|
||||
import "@goauthentik/elements/forms/HorizontalFormElement";
|
||||
@ -141,6 +142,37 @@ export class FlowForm extends ModelForm<Flow, string> {
|
||||
</option>`;
|
||||
}
|
||||
|
||||
renderAuthentication(): TemplateResult {
|
||||
return html`
|
||||
<option
|
||||
value=${AuthenticationEnum.None}
|
||||
?selected=${this.instance?.authentication === AuthenticationEnum.None}
|
||||
>
|
||||
${t`No requirement`}
|
||||
</option>
|
||||
<option
|
||||
value=${AuthenticationEnum.RequireAuthenticated}
|
||||
?selected=${this.instance?.authentication ===
|
||||
AuthenticationEnum.RequireAuthenticated}
|
||||
>
|
||||
${t`Require authentication`}
|
||||
</option>
|
||||
<option
|
||||
value=${AuthenticationEnum.RequireUnauthenticated}
|
||||
?selected=${this.instance?.authentication ===
|
||||
AuthenticationEnum.RequireUnauthenticated}
|
||||
>
|
||||
${t`Require no authentication.`}
|
||||
</option>
|
||||
<option
|
||||
value=${AuthenticationEnum.RequireSuperuser}
|
||||
?selected=${this.instance?.authentication === AuthenticationEnum.RequireSuperuser}
|
||||
>
|
||||
${t`Require superuser.`}
|
||||
</option>
|
||||
`;
|
||||
}
|
||||
|
||||
renderLayout(): TemplateResult {
|
||||
return html`
|
||||
<option
|
||||
@ -224,6 +256,18 @@ export class FlowForm extends ModelForm<Flow, string> {
|
||||
</option>
|
||||
</select>
|
||||
</ak-form-element-horizontal>
|
||||
<ak-form-element-horizontal
|
||||
label=${t`Authentication`}
|
||||
?required=${true}
|
||||
name="authentication"
|
||||
>
|
||||
<select class="pf-c-form-control">
|
||||
${this.renderAuthentication()}
|
||||
</select>
|
||||
<p class="pf-c-form__helper-text">
|
||||
${t`Required authentication level for this flow.`}
|
||||
</p>
|
||||
</ak-form-element-horizontal>
|
||||
<ak-form-element-horizontal
|
||||
label=${t`Designation`}
|
||||
?required=${true}
|
||||
|
||||
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
|
||||
export const ERROR_CLASS = "pf-m-danger";
|
||||
export const PROGRESS_CLASS = "pf-m-in-progress";
|
||||
export const CURRENT_CLASS = "pf-m-current";
|
||||
export const VERSION = "2022.10.1";
|
||||
export const VERSION = "2022.10.3";
|
||||
export const TITLE_DEFAULT = "authentik";
|
||||
export const ROUTE_SEPARATOR = ";";
|
||||
|
||||
|
||||
19
website/docs/security/CVE-2022-46145.md
Normal file
19
website/docs/security/CVE-2022-46145.md
Normal file
@ -0,0 +1,19 @@
|
||||
# CVE-2022-46145
|
||||
|
||||
## Unauthorized user creation and potential account takeover
|
||||
|
||||
### Impact
|
||||
|
||||
With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts
|
||||
|
||||
### Patches
|
||||
|
||||
authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
|
||||
|
||||
### Workarounds
|
||||
|
||||
A policy can be created and bound to the `default-user-settings-flow` flow with the following contents
|
||||
|
||||
```python
|
||||
return request.user.is_authenticated
|
||||
```
|
||||
5
website/docs/security/policy.mdx
Normal file
5
website/docs/security/policy.mdx
Normal file
@ -0,0 +1,5 @@
|
||||
# Security Policy
|
||||
|
||||
import SecurityPolicy from "../../../SECURITY.md";
|
||||
|
||||
<SecurityPolicy />
|
||||
@ -281,5 +281,15 @@ module.exports = {
|
||||
"troubleshooting/missing_admin_group",
|
||||
],
|
||||
},
|
||||
{
|
||||
type: "category",
|
||||
label: "Security",
|
||||
link: {
|
||||
type: "generated-index",
|
||||
title: "Security",
|
||||
slug: "security",
|
||||
},
|
||||
items: ["security/policy", "security/CVE-2022-46145"],
|
||||
},
|
||||
],
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user