Compare commits
49 Commits
web/use-oa
...
web/sideba
| Author | SHA1 | Date | |
|---|---|---|---|
| b865ed4392 | |||
| f0afac0b87 | |||
| a31588668d | |||
| 9768684c3c | |||
| cde94c2377 | |||
| b0e852afca | |||
| e35cefb63e | |||
| 2a11356961 | |||
| a3673906c7 | |||
| f2834cc7e2 | |||
| 5b898bef01 | |||
| 6b9201907d | |||
| 2ec8932891 | |||
| a9886b047e | |||
| a0dfe7ce78 | |||
| c471428c6b | |||
| 83e934f80c | |||
| 5386f0f4c3 | |||
| d5875a597b | |||
| 25ecc21d6d | |||
| ff78f2f00a | |||
| 3c277f14c8 | |||
| d539884204 | |||
| 476adef4ea | |||
| 3e905cc956 | |||
| e3b1ba63a6 | |||
| 2aed74bd9f | |||
| 2545815f08 | |||
| 657089eac9 | |||
| 19e8b675ae | |||
| bdd92f63d8 | |||
| 829ad5d3f2 | |||
| 58639a5d03 | |||
| 67cae13f93 | |||
| 100a6f02f1 | |||
| 242e5b492b | |||
| 48495f3c53 | |||
| 77549753c2 | |||
| 3b19aa1915 | |||
| 6653bd8224 | |||
| 639a8ceb5a | |||
| 0449fd07c5 | |||
| 8e892373a1 | |||
| 8713a1d120 | |||
| 0123bf61ab | |||
| e8edbdb4ae | |||
| 83338f8c32 | |||
| e51b36c614 | |||
| 314d89b1b7 |
@ -1,5 +1,5 @@
|
|||||||
[bumpversion]
|
[bumpversion]
|
||||||
current_version = 2024.6.0
|
current_version = 2024.4.2
|
||||||
tag = True
|
tag = True
|
||||||
commit = True
|
commit = True
|
||||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
|
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
|
||||||
@ -17,8 +17,6 @@ optional_value = final
|
|||||||
|
|
||||||
[bumpversion:file:pyproject.toml]
|
[bumpversion:file:pyproject.toml]
|
||||||
|
|
||||||
[bumpversion:file:package.json]
|
|
||||||
|
|
||||||
[bumpversion:file:docker-compose.yml]
|
[bumpversion:file:docker-compose.yml]
|
||||||
|
|
||||||
[bumpversion:file:schema.yml]
|
[bumpversion:file:schema.yml]
|
||||||
|
|||||||
38
.github/dependabot.yml
vendored
38
.github/dependabot.yml
vendored
@ -21,10 +21,7 @@ updates:
|
|||||||
labels:
|
labels:
|
||||||
- dependencies
|
- dependencies
|
||||||
- package-ecosystem: npm
|
- package-ecosystem: npm
|
||||||
directories:
|
directory: "/web"
|
||||||
- "/web"
|
|
||||||
- "/tests/wdio"
|
|
||||||
- "/web/sfe"
|
|
||||||
schedule:
|
schedule:
|
||||||
interval: daily
|
interval: daily
|
||||||
time: "04:00"
|
time: "04:00"
|
||||||
@ -33,6 +30,7 @@ updates:
|
|||||||
open-pull-requests-limit: 10
|
open-pull-requests-limit: 10
|
||||||
commit-message:
|
commit-message:
|
||||||
prefix: "web:"
|
prefix: "web:"
|
||||||
|
# TODO: deduplicate these groups
|
||||||
groups:
|
groups:
|
||||||
sentry:
|
sentry:
|
||||||
patterns:
|
patterns:
|
||||||
@ -58,6 +56,38 @@ updates:
|
|||||||
patterns:
|
patterns:
|
||||||
- "@rollup/*"
|
- "@rollup/*"
|
||||||
- "rollup-*"
|
- "rollup-*"
|
||||||
|
- package-ecosystem: npm
|
||||||
|
directory: "/tests/wdio"
|
||||||
|
schedule:
|
||||||
|
interval: daily
|
||||||
|
time: "04:00"
|
||||||
|
labels:
|
||||||
|
- dependencies
|
||||||
|
open-pull-requests-limit: 10
|
||||||
|
commit-message:
|
||||||
|
prefix: "web:"
|
||||||
|
# TODO: deduplicate these groups
|
||||||
|
groups:
|
||||||
|
sentry:
|
||||||
|
patterns:
|
||||||
|
- "@sentry/*"
|
||||||
|
- "@spotlightjs/*"
|
||||||
|
babel:
|
||||||
|
patterns:
|
||||||
|
- "@babel/*"
|
||||||
|
- "babel-*"
|
||||||
|
eslint:
|
||||||
|
patterns:
|
||||||
|
- "@typescript-eslint/*"
|
||||||
|
- "eslint"
|
||||||
|
- "eslint-*"
|
||||||
|
storybook:
|
||||||
|
patterns:
|
||||||
|
- "@storybook/*"
|
||||||
|
- "*storybook*"
|
||||||
|
esbuild:
|
||||||
|
patterns:
|
||||||
|
- "@esbuild/*"
|
||||||
wdio:
|
wdio:
|
||||||
patterns:
|
patterns:
|
||||||
- "@wdio/*"
|
- "@wdio/*"
|
||||||
|
|||||||
7
.github/workflows/api-ts-publish.yml
vendored
7
.github/workflows/api-ts-publish.yml
vendored
@ -31,12 +31,7 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
|
||||||
- name: Upgrade /web
|
- name: Upgrade /web
|
||||||
working-directory: web
|
working-directory: web/
|
||||||
run: |
|
|
||||||
export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
|
|
||||||
npm i @goauthentik/api@$VERSION
|
|
||||||
- name: Upgrade /web/sfe
|
|
||||||
working-directory: web/sfe
|
|
||||||
run: |
|
run: |
|
||||||
export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
|
export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
|
||||||
npm i @goauthentik/api@$VERSION
|
npm i @goauthentik/api@$VERSION
|
||||||
|
|||||||
4
.github/workflows/ci-main.yml
vendored
4
.github/workflows/ci-main.yml
vendored
@ -219,7 +219,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
ref: ${{ github.event.pull_request.head.sha }}
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v3.1.0
|
uses: docker/setup-qemu-action@v3.0.0
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
- name: prepare variables
|
- name: prepare variables
|
||||||
@ -240,7 +240,7 @@ jobs:
|
|||||||
- name: generate ts client
|
- name: generate ts client
|
||||||
run: make gen-client-ts
|
run: make gen-client-ts
|
||||||
- name: Build Docker Image
|
- name: Build Docker Image
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
secrets: |
|
secrets: |
|
||||||
|
|||||||
4
.github/workflows/ci-outpost.yml
vendored
4
.github/workflows/ci-outpost.yml
vendored
@ -76,7 +76,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
ref: ${{ github.event.pull_request.head.sha }}
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v3.1.0
|
uses: docker/setup-qemu-action@v3.0.0
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
- name: prepare variables
|
- name: prepare variables
|
||||||
@ -96,7 +96,7 @@ jobs:
|
|||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-go
|
run: make gen-client-go
|
||||||
- name: Build Docker Image
|
- name: Build Docker Image
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
tags: ${{ steps.ev.outputs.imageTags }}
|
tags: ${{ steps.ev.outputs.imageTags }}
|
||||||
file: ${{ matrix.type }}.Dockerfile
|
file: ${{ matrix.type }}.Dockerfile
|
||||||
|
|||||||
122
.github/workflows/ci-web.yml
vendored
122
.github/workflows/ci-web.yml
vendored
@ -12,36 +12,14 @@ on:
|
|||||||
- version-*
|
- version-*
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint:
|
lint-eslint:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
command:
|
|
||||||
- lint
|
|
||||||
- lint:lockfile
|
|
||||||
- tsc
|
|
||||||
- prettier-check
|
|
||||||
project:
|
project:
|
||||||
- web
|
- web
|
||||||
- tests/wdio
|
- tests/wdio
|
||||||
include:
|
|
||||||
- command: tsc
|
|
||||||
project: web
|
|
||||||
extra_setup: |
|
|
||||||
cd sfe/ && npm ci
|
|
||||||
- command: lit-analyse
|
|
||||||
project: web
|
|
||||||
extra_setup: |
|
|
||||||
# lit-analyse doesn't understand path rewrites, so make it
|
|
||||||
# belive it's an actual module
|
|
||||||
cd node_modules/@goauthentik
|
|
||||||
ln -s ../../src/ web
|
|
||||||
exclude:
|
|
||||||
- command: lint:lockfile
|
|
||||||
project: tests/wdio
|
|
||||||
- command: tsc
|
|
||||||
project: tests/wdio
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
@ -50,17 +28,85 @@ jobs:
|
|||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
||||||
- working-directory: ${{ matrix.project }}/
|
- working-directory: ${{ matrix.project }}/
|
||||||
run: |
|
run: npm ci
|
||||||
npm ci
|
|
||||||
${{ matrix.extra_setup }}
|
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-ts
|
run: make gen-client-ts
|
||||||
- name: Lint
|
- name: Eslint
|
||||||
working-directory: ${{ matrix.project }}/
|
working-directory: ${{ matrix.project }}/
|
||||||
run: npm run ${{ matrix.command }}
|
run: npm run lint
|
||||||
|
lint-lockfile:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- working-directory: web/
|
||||||
|
run: |
|
||||||
|
[ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
|
||||||
|
lint-build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version-file: web/package.json
|
||||||
|
cache: "npm"
|
||||||
|
cache-dependency-path: web/package-lock.json
|
||||||
|
- working-directory: web/
|
||||||
|
run: npm ci
|
||||||
|
- name: Generate API
|
||||||
|
run: make gen-client-ts
|
||||||
|
- name: TSC
|
||||||
|
working-directory: web/
|
||||||
|
run: npm run tsc
|
||||||
|
lint-prettier:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
project:
|
||||||
|
- web
|
||||||
|
- tests/wdio
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version-file: ${{ matrix.project }}/package.json
|
||||||
|
cache: "npm"
|
||||||
|
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
||||||
|
- working-directory: ${{ matrix.project }}/
|
||||||
|
run: npm ci
|
||||||
|
- name: Generate API
|
||||||
|
run: make gen-client-ts
|
||||||
|
- name: prettier
|
||||||
|
working-directory: ${{ matrix.project }}/
|
||||||
|
run: npm run prettier-check
|
||||||
|
lint-lit-analyse:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version-file: web/package.json
|
||||||
|
cache: "npm"
|
||||||
|
cache-dependency-path: web/package-lock.json
|
||||||
|
- working-directory: web/
|
||||||
|
run: |
|
||||||
|
npm ci
|
||||||
|
# lit-analyse doesn't understand path rewrites, so make it
|
||||||
|
# belive it's an actual module
|
||||||
|
cd node_modules/@goauthentik
|
||||||
|
ln -s ../../src/ web
|
||||||
|
- name: Generate API
|
||||||
|
run: make gen-client-ts
|
||||||
|
- name: lit-analyse
|
||||||
|
working-directory: web/
|
||||||
|
run: npm run lit-analyse
|
||||||
ci-web-mark:
|
ci-web-mark:
|
||||||
needs:
|
needs:
|
||||||
- lint
|
- lint-lockfile
|
||||||
|
- lint-eslint
|
||||||
|
- lint-prettier
|
||||||
|
- lint-lit-analyse
|
||||||
|
- lint-build
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- run: echo mark
|
- run: echo mark
|
||||||
@ -82,21 +128,3 @@ jobs:
|
|||||||
- name: build
|
- name: build
|
||||||
working-directory: web/
|
working-directory: web/
|
||||||
run: npm run build
|
run: npm run build
|
||||||
test:
|
|
||||||
needs:
|
|
||||||
- ci-web-mark
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
- uses: actions/setup-node@v4
|
|
||||||
with:
|
|
||||||
node-version-file: web/package.json
|
|
||||||
cache: "npm"
|
|
||||||
cache-dependency-path: web/package-lock.json
|
|
||||||
- working-directory: web/
|
|
||||||
run: npm ci
|
|
||||||
- name: Generate API
|
|
||||||
run: make gen-client-ts
|
|
||||||
- name: test
|
|
||||||
working-directory: web/
|
|
||||||
run: npm run test
|
|
||||||
|
|||||||
27
.github/workflows/ci-website.yml
vendored
27
.github/workflows/ci-website.yml
vendored
@ -12,21 +12,27 @@ on:
|
|||||||
- version-*
|
- version-*
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint:
|
lint-lockfile:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
command:
|
|
||||||
- lint:lockfile
|
|
||||||
- prettier-check
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
- working-directory: website/
|
||||||
|
run: |
|
||||||
|
[ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
|
||||||
|
lint-prettier:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version-file: website/package.json
|
||||||
|
cache: "npm"
|
||||||
|
cache-dependency-path: website/package-lock.json
|
||||||
- working-directory: website/
|
- working-directory: website/
|
||||||
run: npm ci
|
run: npm ci
|
||||||
- name: Lint
|
- name: prettier
|
||||||
working-directory: website/
|
working-directory: website/
|
||||||
run: npm run ${{ matrix.command }}
|
run: npm run prettier-check
|
||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
@ -63,7 +69,8 @@ jobs:
|
|||||||
run: npm run ${{ matrix.job }}
|
run: npm run ${{ matrix.job }}
|
||||||
ci-website-mark:
|
ci-website-mark:
|
||||||
needs:
|
needs:
|
||||||
- lint
|
- lint-lockfile
|
||||||
|
- lint-prettier
|
||||||
- test
|
- test
|
||||||
- build
|
- build
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
12
.github/workflows/release-publish.yml
vendored
12
.github/workflows/release-publish.yml
vendored
@ -14,7 +14,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v3.1.0
|
uses: docker/setup-qemu-action@v3.0.0
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
- name: prepare variables
|
- name: prepare variables
|
||||||
@ -40,7 +40,7 @@ jobs:
|
|||||||
mkdir -p ./gen-ts-api
|
mkdir -p ./gen-ts-api
|
||||||
mkdir -p ./gen-go-api
|
mkdir -p ./gen-go-api
|
||||||
- name: Build Docker Image
|
- name: Build Docker Image
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
push: true
|
push: true
|
||||||
@ -68,7 +68,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
go-version-file: "go.mod"
|
go-version-file: "go.mod"
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v3.1.0
|
uses: docker/setup-qemu-action@v3.0.0
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
- name: prepare variables
|
- name: prepare variables
|
||||||
@ -94,7 +94,7 @@ jobs:
|
|||||||
username: ${{ github.repository_owner }}
|
username: ${{ github.repository_owner }}
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
- name: Build Docker Image
|
- name: Build Docker Image
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
push: true
|
push: true
|
||||||
tags: ${{ steps.ev.outputs.imageTags }}
|
tags: ${{ steps.ev.outputs.imageTags }}
|
||||||
@ -155,8 +155,8 @@ jobs:
|
|||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Run test suite in final docker images
|
- name: Run test suite in final docker images
|
||||||
run: |
|
run: |
|
||||||
echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
|
echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
|
||||||
echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
|
echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
|
||||||
docker compose pull -q
|
docker compose pull -q
|
||||||
docker compose up --no-start
|
docker compose up --no-start
|
||||||
docker compose start postgresql redis
|
docker compose start postgresql redis
|
||||||
|
|||||||
4
.github/workflows/release-tag.yml
vendored
4
.github/workflows/release-tag.yml
vendored
@ -14,8 +14,8 @@ jobs:
|
|||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Pre-release test
|
- name: Pre-release test
|
||||||
run: |
|
run: |
|
||||||
echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
|
echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
|
||||||
echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
|
echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
|
||||||
docker buildx install
|
docker buildx install
|
||||||
mkdir -p ./gen-ts-api
|
mkdir -p ./gen-ts-api
|
||||||
docker build -t testing:latest .
|
docker build -t testing:latest .
|
||||||
|
|||||||
12
Dockerfile
12
Dockerfile
@ -22,30 +22,20 @@ RUN npm run build-bundled
|
|||||||
# Stage 2: Build webui
|
# Stage 2: Build webui
|
||||||
FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
|
FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
|
||||||
|
|
||||||
ARG GIT_BUILD_HASH
|
|
||||||
ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
|
||||||
ENV NODE_ENV=production
|
ENV NODE_ENV=production
|
||||||
|
|
||||||
WORKDIR /work/web
|
WORKDIR /work/web
|
||||||
|
|
||||||
RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
|
RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
|
||||||
--mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
|
--mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
|
||||||
--mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
|
|
||||||
--mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
|
|
||||||
--mount=type=bind,target=/work/web/scripts,src=./web/scripts \
|
|
||||||
--mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
|
--mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
|
||||||
npm ci --include=dev && \
|
|
||||||
cd sfe && \
|
|
||||||
npm ci --include=dev
|
npm ci --include=dev
|
||||||
|
|
||||||
COPY ./package.json /work
|
|
||||||
COPY ./web /work/web/
|
COPY ./web /work/web/
|
||||||
COPY ./website /work/website/
|
COPY ./website /work/website/
|
||||||
COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
|
COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
|
||||||
|
|
||||||
RUN npm run build && \
|
RUN npm run build
|
||||||
cd sfe && \
|
|
||||||
npm run build
|
|
||||||
|
|
||||||
# Stage 3: Build go proxy
|
# Stage 3: Build go proxy
|
||||||
FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
|
FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
|
||||||
|
|||||||
10
Makefile
10
Makefile
@ -47,8 +47,8 @@ test-go:
|
|||||||
go test -timeout 0 -v -race -cover ./...
|
go test -timeout 0 -v -race -cover ./...
|
||||||
|
|
||||||
test-docker: ## Run all tests in a docker-compose
|
test-docker: ## Run all tests in a docker-compose
|
||||||
echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
|
echo "PG_PASS=$(shell openssl rand 32 | base64)" >> .env
|
||||||
echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
|
echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64)" >> .env
|
||||||
docker compose pull -q
|
docker compose pull -q
|
||||||
docker compose up --no-start
|
docker compose up --no-start
|
||||||
docker compose start postgresql redis
|
docker compose start postgresql redis
|
||||||
@ -60,11 +60,9 @@ test: ## Run the server tests and produce a coverage report (locally)
|
|||||||
coverage html
|
coverage html
|
||||||
coverage report
|
coverage report
|
||||||
|
|
||||||
lint-fix: lint-codespell ## Lint and automatically fix errors in the python source code. Reports spelling errors.
|
lint-fix: ## Lint and automatically fix errors in the python source code. Reports spelling errors.
|
||||||
black $(PY_SOURCES)
|
black $(PY_SOURCES)
|
||||||
ruff check --fix $(PY_SOURCES)
|
ruff check --fix $(PY_SOURCES)
|
||||||
|
|
||||||
lint-codespell: ## Reports spelling errors.
|
|
||||||
codespell -w $(CODESPELL_ARGS)
|
codespell -w $(CODESPELL_ARGS)
|
||||||
|
|
||||||
lint: ## Lint the python and golang sources
|
lint: ## Lint the python and golang sources
|
||||||
@ -241,7 +239,7 @@ website: website-lint-fix website-build ## Automatically fix formatting issues
|
|||||||
website-install:
|
website-install:
|
||||||
cd website && npm ci
|
cd website && npm ci
|
||||||
|
|
||||||
website-lint-fix: lint-codespell
|
website-lint-fix:
|
||||||
cd website && npm run prettier
|
cd website && npm run prettier
|
||||||
|
|
||||||
website-build:
|
website-build:
|
||||||
|
|||||||
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
|
|||||||
|
|
||||||
(.x being the latest patch release for each version)
|
(.x being the latest patch release for each version)
|
||||||
|
|
||||||
| Version | Supported |
|
| Version | Supported |
|
||||||
| -------- | --------- |
|
| --------- | --------- |
|
||||||
| 2024.4.x | ✅ |
|
| 2023.10.x | ✅ |
|
||||||
| 2024.6.x | ✅ |
|
| 2024.2.x | ✅ |
|
||||||
|
|
||||||
## Reporting a Vulnerability
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
from os import environ
|
from os import environ
|
||||||
|
|
||||||
__version__ = "2024.6.0"
|
__version__ = "2024.4.2"
|
||||||
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -16,7 +16,6 @@ from rest_framework.views import APIView
|
|||||||
|
|
||||||
from authentik import get_full_version
|
from authentik import get_full_version
|
||||||
from authentik.core.api.utils import PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.enterprise.license import LicenseKey
|
|
||||||
from authentik.lib.config import CONFIG
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.lib.utils.reflection import get_env
|
from authentik.lib.utils.reflection import get_env
|
||||||
from authentik.outposts.apps import MANAGED_OUTPOST
|
from authentik.outposts.apps import MANAGED_OUTPOST
|
||||||
@ -33,7 +32,7 @@ class RuntimeDict(TypedDict):
|
|||||||
platform: str
|
platform: str
|
||||||
uname: str
|
uname: str
|
||||||
openssl_version: str
|
openssl_version: str
|
||||||
openssl_fips_enabled: bool | None
|
openssl_fips_mode: bool
|
||||||
authentik_version: str
|
authentik_version: str
|
||||||
|
|
||||||
|
|
||||||
@ -72,9 +71,7 @@ class SystemInfoSerializer(PassiveSerializer):
|
|||||||
"architecture": platform.machine(),
|
"architecture": platform.machine(),
|
||||||
"authentik_version": get_full_version(),
|
"authentik_version": get_full_version(),
|
||||||
"environment": get_env(),
|
"environment": get_env(),
|
||||||
"openssl_fips_enabled": (
|
"openssl_fips_enabled": backend._fips_enabled,
|
||||||
backend._fips_enabled if LicenseKey.get_total().is_valid() else None
|
|
||||||
),
|
|
||||||
"openssl_version": OPENSSL_VERSION,
|
"openssl_version": OPENSSL_VERSION,
|
||||||
"platform": platform.platform(),
|
"platform": platform.platform(),
|
||||||
"python_version": python_version,
|
"python_version": python_version,
|
||||||
|
|||||||
@ -1,13 +1,13 @@
|
|||||||
{% extends "base/skeleton.html" %}
|
{% extends "base/skeleton.html" %}
|
||||||
|
|
||||||
{% load authentik_core %}
|
{% load static %}
|
||||||
|
|
||||||
{% block title %}
|
{% block title %}
|
||||||
API Browser - {{ brand.branding_title }}
|
API Browser - {{ brand.branding_title }}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
|
<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
|
||||||
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
|
||||||
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|||||||
@ -11,20 +11,21 @@ from rest_framework.filters import OrderingFilter, SearchFilter
|
|||||||
from rest_framework.permissions import AllowAny
|
from rest_framework.permissions import AllowAny
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.validators import UniqueValidator
|
from rest_framework.validators import UniqueValidator
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.api.authorization import SecretKeyFilter
|
from authentik.api.authorization import SecretKeyFilter
|
||||||
from authentik.brands.models import Brand
|
from authentik.brands.models import Brand
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.tenants.utils import get_current_tenant
|
from authentik.tenants.utils import get_current_tenant
|
||||||
|
|
||||||
|
|
||||||
class FooterLinkSerializer(PassiveSerializer):
|
class FooterLinkSerializer(PassiveSerializer):
|
||||||
"""Links returned in Config API"""
|
"""Links returned in Config API"""
|
||||||
|
|
||||||
href = CharField(read_only=True, allow_null=True)
|
href = CharField(read_only=True)
|
||||||
name = CharField(read_only=True)
|
name = CharField(read_only=True)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -17,6 +17,7 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
|
|||||||
from rest_framework.parsers import MultiPartParser
|
from rest_framework.parsers import MultiPartParser
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -25,7 +26,6 @@ from authentik.api.pagination import Pagination
|
|||||||
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
||||||
from authentik.core.api.providers import ProviderSerializer
|
from authentik.core.api.providers import ProviderSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.core.models import Application, User
|
from authentik.core.models import Application, User
|
||||||
from authentik.events.logs import LogEventSerializer, capture_logs
|
from authentik.events.logs import LogEventSerializer, capture_logs
|
||||||
from authentik.events.models import EventAction
|
from authentik.events.models import EventAction
|
||||||
@ -103,7 +103,7 @@ class ApplicationSerializer(ModelSerializer):
|
|||||||
class ApplicationViewSet(UsedByMixin, ModelViewSet):
|
class ApplicationViewSet(UsedByMixin, ModelViewSet):
|
||||||
"""Application Viewset"""
|
"""Application Viewset"""
|
||||||
|
|
||||||
queryset = Application.objects.all().prefetch_related("provider").prefetch_related("policies")
|
queryset = Application.objects.all().prefetch_related("provider")
|
||||||
serializer_class = ApplicationSerializer
|
serializer_class = ApplicationSerializer
|
||||||
search_fields = [
|
search_fields = [
|
||||||
"name",
|
"name",
|
||||||
|
|||||||
@ -8,12 +8,12 @@ from rest_framework import mixins
|
|||||||
from rest_framework.fields import SerializerMethodField
|
from rest_framework.fields import SerializerMethodField
|
||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
from ua_parser import user_agent_parser
|
from ua_parser import user_agent_parser
|
||||||
|
|
||||||
from authentik.api.authorization import OwnerSuperuserPermissions
|
from authentik.api.authorization import OwnerSuperuserPermissions
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.core.models import AuthenticatedSession
|
from authentik.core.models import AuthenticatedSession
|
||||||
from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
|
from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
|
||||||
from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
|
from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
|
||||||
|
|||||||
@ -17,12 +17,12 @@ from rest_framework.decorators import action
|
|||||||
from rest_framework.fields import CharField, IntegerField, SerializerMethodField
|
from rest_framework.fields import CharField, IntegerField, SerializerMethodField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
from rest_framework.serializers import ListSerializer, ValidationError
|
from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
|
||||||
from rest_framework.validators import UniqueValidator
|
from rest_framework.validators import UniqueValidator
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import JSONDictField, PassiveSerializer
|
||||||
from authentik.core.models import Group, User
|
from authentik.core.models import Group, User
|
||||||
from authentik.rbac.api.roles import RoleSerializer
|
from authentik.rbac.api.roles import RoleSerializer
|
||||||
from authentik.rbac.decorators import permission_required
|
from authentik.rbac.decorators import permission_required
|
||||||
|
|||||||
@ -8,10 +8,11 @@ from guardian.shortcuts import get_objects_for_user
|
|||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.exceptions import PermissionDenied
|
from rest_framework.exceptions import PermissionDenied
|
||||||
from rest_framework.fields import BooleanField, CharField, SerializerMethodField
|
from rest_framework.fields import BooleanField, CharField
|
||||||
from rest_framework.relations import PrimaryKeyRelatedField
|
from rest_framework.relations import PrimaryKeyRelatedField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer, SerializerMethodField
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.blueprints.api import ManagedSerializer
|
from authentik.blueprints.api import ManagedSerializer
|
||||||
@ -19,7 +20,6 @@ from authentik.core.api.object_types import TypesMixin
|
|||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import (
|
from authentik.core.api.utils import (
|
||||||
MetaNameSerializer,
|
MetaNameSerializer,
|
||||||
ModelSerializer,
|
|
||||||
PassiveSerializer,
|
PassiveSerializer,
|
||||||
)
|
)
|
||||||
from authentik.core.expression.evaluator import PropertyMappingEvaluator
|
from authentik.core.expression.evaluator import PropertyMappingEvaluator
|
||||||
|
|||||||
@ -6,12 +6,13 @@ from django.utils.translation import gettext_lazy as _
|
|||||||
from django_filters.filters import BooleanFilter
|
from django_filters.filters import BooleanFilter
|
||||||
from django_filters.filterset import FilterSet
|
from django_filters.filterset import FilterSet
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.fields import ReadOnlyField, SerializerMethodField
|
from rest_framework.fields import ReadOnlyField
|
||||||
|
from rest_framework.serializers import ModelSerializer, SerializerMethodField
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.object_types import TypesMixin
|
from authentik.core.api.object_types import TypesMixin
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
|
from authentik.core.api.utils import MetaNameSerializer
|
||||||
from authentik.core.models import Provider
|
from authentik.core.models import Provider
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,7 @@ from rest_framework.filters import OrderingFilter, SearchFilter
|
|||||||
from rest_framework.parsers import MultiPartParser
|
from rest_framework.parsers import MultiPartParser
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -18,7 +19,7 @@ from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
|
|||||||
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
||||||
from authentik.core.api.object_types import TypesMixin
|
from authentik.core.api.object_types import TypesMixin
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
|
from authentik.core.api.utils import MetaNameSerializer
|
||||||
from authentik.core.models import Source, UserSourceConnection
|
from authentik.core.models import Source, UserSourceConnection
|
||||||
from authentik.core.types import UserSettingSerializer
|
from authentik.core.types import UserSettingSerializer
|
||||||
from authentik.lib.utils.file import (
|
from authentik.lib.utils.file import (
|
||||||
|
|||||||
@ -12,6 +12,7 @@ from rest_framework.fields import CharField
|
|||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.api.authorization import OwnerSuperuserPermissions
|
from authentik.api.authorization import OwnerSuperuserPermissions
|
||||||
@ -19,7 +20,7 @@ from authentik.blueprints.api import ManagedSerializer
|
|||||||
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.users import UserSerializer
|
from authentik.core.api.users import UserSerializer
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.core.models import (
|
from authentik.core.models import (
|
||||||
USER_ATTRIBUTE_TOKEN_EXPIRING,
|
USER_ATTRIBUTE_TOKEN_EXPIRING,
|
||||||
USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
|
USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
|
||||||
@ -44,13 +45,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
|
|||||||
if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
|
if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
|
||||||
self.fields["key"] = CharField(required=False)
|
self.fields["key"] = CharField(required=False)
|
||||||
|
|
||||||
def validate_user(self, user: User):
|
|
||||||
"""Ensure user of token cannot be changed"""
|
|
||||||
if self.instance and self.instance.user_id:
|
|
||||||
if user.pk != self.instance.user_id:
|
|
||||||
raise ValidationError("User cannot be changed")
|
|
||||||
return user
|
|
||||||
|
|
||||||
def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
|
def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
|
||||||
"""Ensure only API or App password tokens are created."""
|
"""Ensure only API or App password tokens are created."""
|
||||||
request: Request = self.context.get("request")
|
request: Request = self.context.get("request")
|
||||||
|
|||||||
@ -40,6 +40,7 @@ from rest_framework.serializers import (
|
|||||||
BooleanField,
|
BooleanField,
|
||||||
DateTimeField,
|
DateTimeField,
|
||||||
ListSerializer,
|
ListSerializer,
|
||||||
|
ModelSerializer,
|
||||||
PrimaryKeyRelatedField,
|
PrimaryKeyRelatedField,
|
||||||
ValidationError,
|
ValidationError,
|
||||||
)
|
)
|
||||||
@ -51,12 +52,7 @@ from authentik.admin.api.metrics import CoordinateSerializer
|
|||||||
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
|
||||||
from authentik.brands.models import Brand
|
from authentik.brands.models import Brand
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import (
|
from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
|
||||||
JSONDictField,
|
|
||||||
LinkSerializer,
|
|
||||||
ModelSerializer,
|
|
||||||
PassiveSerializer,
|
|
||||||
)
|
|
||||||
from authentik.core.middleware import (
|
from authentik.core.middleware import (
|
||||||
SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
|
SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
|
||||||
SESSION_KEY_IMPERSONATE_USER,
|
SESSION_KEY_IMPERSONATE_USER,
|
||||||
|
|||||||
@ -12,12 +12,9 @@ from rest_framework.fields import (
|
|||||||
JSONField,
|
JSONField,
|
||||||
SerializerMethodField,
|
SerializerMethodField,
|
||||||
)
|
)
|
||||||
from rest_framework.serializers import ModelSerializer as BaseModelSerializer
|
|
||||||
from rest_framework.serializers import (
|
from rest_framework.serializers import (
|
||||||
Serializer,
|
Serializer,
|
||||||
ValidationError,
|
ValidationError,
|
||||||
model_meta,
|
|
||||||
raise_errors_on_nested_writes,
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@ -28,39 +25,6 @@ def is_dict(value: Any):
|
|||||||
raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
|
raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
|
||||||
|
|
||||||
|
|
||||||
class ModelSerializer(BaseModelSerializer):
|
|
||||||
|
|
||||||
def update(self, instance: Model, validated_data):
|
|
||||||
raise_errors_on_nested_writes("update", self, validated_data)
|
|
||||||
info = model_meta.get_field_info(instance)
|
|
||||||
|
|
||||||
# Simply set each attribute on the instance, and then save it.
|
|
||||||
# Note that unlike `.create()` we don't need to treat many-to-many
|
|
||||||
# relationships as being a special case. During updates we already
|
|
||||||
# have an instance pk for the relationships to be associated with.
|
|
||||||
m2m_fields = []
|
|
||||||
for attr, value in validated_data.items():
|
|
||||||
if attr in info.relations and info.relations[attr].to_many:
|
|
||||||
m2m_fields.append((attr, value))
|
|
||||||
else:
|
|
||||||
setattr(instance, attr, value)
|
|
||||||
|
|
||||||
instance.save()
|
|
||||||
|
|
||||||
# Note that many-to-many fields are set after updating instance.
|
|
||||||
# Setting m2m fields triggers signals which could potentially change
|
|
||||||
# updated instance and we do not want it to collide with .update()
|
|
||||||
for attr, value in m2m_fields:
|
|
||||||
field = getattr(instance, attr)
|
|
||||||
# We can't check for inheritance here as m2m managers are generated dynamically
|
|
||||||
if field.__class__.__name__ == "RelatedManager":
|
|
||||||
field.set(value, bulk=False)
|
|
||||||
else:
|
|
||||||
field.set(value)
|
|
||||||
|
|
||||||
return instance
|
|
||||||
|
|
||||||
|
|
||||||
class JSONDictField(JSONField):
|
class JSONDictField(JSONField):
|
||||||
"""JSON Field which only allows dictionaries"""
|
"""JSON Field which only allows dictionaries"""
|
||||||
|
|
||||||
|
|||||||
@ -76,11 +76,8 @@ class PropertyMappingEvaluator(BaseEvaluator):
|
|||||||
)
|
)
|
||||||
if "request" in self._context:
|
if "request" in self._context:
|
||||||
req: PolicyRequest = self._context["request"]
|
req: PolicyRequest = self._context["request"]
|
||||||
if req.http_request:
|
event.from_http(req.http_request, req.user)
|
||||||
event.from_http(req.http_request, req.user)
|
return
|
||||||
return
|
|
||||||
elif req.user:
|
|
||||||
event.set_user(req.user)
|
|
||||||
event.save()
|
event.save()
|
||||||
|
|
||||||
def evaluate(self, *args, **kwargs) -> Any:
|
def evaluate(self, *args, **kwargs) -> Any:
|
||||||
|
|||||||
@ -1,6 +1,5 @@
|
|||||||
"""authentik core exceptions"""
|
"""authentik core exceptions"""
|
||||||
|
|
||||||
from authentik.lib.expression.exceptions import ControlFlowException
|
|
||||||
from authentik.lib.sentry import SentryIgnoredException
|
from authentik.lib.sentry import SentryIgnoredException
|
||||||
|
|
||||||
|
|
||||||
@ -13,7 +12,7 @@ class PropertyMappingExpressionException(SentryIgnoredException):
|
|||||||
self.mapping = mapping
|
self.mapping = mapping
|
||||||
|
|
||||||
|
|
||||||
class SkipObjectException(ControlFlowException):
|
class SkipObjectException(PropertyMappingExpressionException):
|
||||||
"""Exception which can be raised in a property mapping to skip syncing an object.
|
"""Exception which can be raised in a property mapping to skip syncing an object.
|
||||||
Only applies to Property mappings which sync objects, and not on mappings which transitively
|
Only applies to Property mappings which sync objects, and not on mappings which transitively
|
||||||
apply to a single user"""
|
apply to a single user"""
|
||||||
|
|||||||
@ -26,7 +26,6 @@ from authentik.blueprints.models import ManagedModel
|
|||||||
from authentik.core.expression.exceptions import PropertyMappingExpressionException
|
from authentik.core.expression.exceptions import PropertyMappingExpressionException
|
||||||
from authentik.core.types import UILoginButton, UserSettingSerializer
|
from authentik.core.types import UILoginButton, UserSettingSerializer
|
||||||
from authentik.lib.avatars import get_avatar
|
from authentik.lib.avatars import get_avatar
|
||||||
from authentik.lib.expression.exceptions import ControlFlowException
|
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.lib.models import (
|
from authentik.lib.models import (
|
||||||
CreatedUpdatedModel,
|
CreatedUpdatedModel,
|
||||||
@ -784,8 +783,6 @@ class PropertyMapping(SerializerModel, ManagedModel):
|
|||||||
evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
|
evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
|
||||||
try:
|
try:
|
||||||
return evaluator.evaluate(self.expression)
|
return evaluator.evaluate(self.expression)
|
||||||
except ControlFlowException as exc:
|
|
||||||
raise exc
|
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
raise PropertyMappingExpressionException(self, exc) from exc
|
raise PropertyMappingExpressionException(self, exc) from exc
|
||||||
|
|
||||||
|
|||||||
@ -309,7 +309,7 @@ class SourceFlowManager:
|
|||||||
# When request isn't authenticated we jump straight to auth
|
# When request isn't authenticated we jump straight to auth
|
||||||
if not self.request.user.is_authenticated:
|
if not self.request.user.is_authenticated:
|
||||||
return self.handle_auth(connection)
|
return self.handle_auth(connection)
|
||||||
connection.save()
|
# Connection has already been saved
|
||||||
Event.new(
|
Event.new(
|
||||||
EventAction.SOURCE_LINKED,
|
EventAction.SOURCE_LINKED,
|
||||||
message="Linked Source",
|
message="Linked Source",
|
||||||
|
|||||||
@ -10,7 +10,7 @@
|
|||||||
versionSubdomain: "{{ version_subdomain }}",
|
versionSubdomain: "{{ version_subdomain }}",
|
||||||
build: "{{ build }}",
|
build: "{{ build }}",
|
||||||
};
|
};
|
||||||
window.addEventListener("DOMContentLoaded", function () {
|
window.addEventListener("DOMContentLoaded", () => {
|
||||||
{% for message in messages %}
|
{% for message in messages %}
|
||||||
window.dispatchEvent(
|
window.dispatchEvent(
|
||||||
new CustomEvent("ak-message", {
|
new CustomEvent("ak-message", {
|
||||||
|
|||||||
@ -1,6 +1,5 @@
|
|||||||
{% load static %}
|
{% load static %}
|
||||||
{% load i18n %}
|
{% load i18n %}
|
||||||
{% load authentik_core %}
|
|
||||||
|
|
||||||
<!DOCTYPE html>
|
<!DOCTYPE html>
|
||||||
|
|
||||||
@ -15,8 +14,8 @@
|
|||||||
{% endblock %}
|
{% endblock %}
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
|
||||||
{% versioned_script "dist/poly-%v.js" %}
|
<script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
|
||||||
{% versioned_script "dist/standalone/loading/index-%v.js" %}
|
<script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
<meta name="sentry-trace" content="{{ sentry_trace }}" />
|
<meta name="sentry-trace" content="{{ sentry_trace }}" />
|
||||||
|
|||||||
@ -1,9 +1,9 @@
|
|||||||
{% extends "base/skeleton.html" %}
|
{% extends "base/skeleton.html" %}
|
||||||
|
|
||||||
{% load authentik_core %}
|
{% load static %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/admin/AdminInterface-%v.js" %}
|
<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
|
||||||
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
||||||
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
||||||
{% include "base/header_js.html" %}
|
{% include "base/header_js.html" %}
|
||||||
|
|||||||
@ -1,7 +1,6 @@
|
|||||||
{% extends "base/skeleton.html" %}
|
{% extends "base/skeleton.html" %}
|
||||||
|
|
||||||
{% load static %}
|
{% load static %}
|
||||||
{% load authentik_core %}
|
|
||||||
|
|
||||||
{% block head_before %}
|
{% block head_before %}
|
||||||
{{ block.super }}
|
{{ block.super }}
|
||||||
@ -18,7 +17,7 @@ window.authentik.flow = {
|
|||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/flow/FlowInterface-%v.js" %}
|
<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
|
||||||
<style>
|
<style>
|
||||||
:root {
|
:root {
|
||||||
--ak-flow-background: url("{{ flow.background_url }}");
|
--ak-flow-background: url("{{ flow.background_url }}");
|
||||||
@ -1,9 +1,9 @@
|
|||||||
{% extends "base/skeleton.html" %}
|
{% extends "base/skeleton.html" %}
|
||||||
|
|
||||||
{% load authentik_core %}
|
{% load static %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/user/UserInterface-%v.js" %}
|
<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
|
||||||
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
|
||||||
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
|
||||||
{% include "base/header_js.html" %}
|
{% include "base/header_js.html" %}
|
||||||
|
|||||||
@ -71,9 +71,9 @@
|
|||||||
</li>
|
</li>
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
<li>
|
<li>
|
||||||
<span>
|
<a href="https://goauthentik.io?utm_source=authentik">
|
||||||
{% trans 'Powered by authentik' %}
|
{% trans 'Powered by authentik' %}
|
||||||
</span>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</footer>
|
</footer>
|
||||||
|
|||||||
@ -1,21 +0,0 @@
|
|||||||
"""authentik core tags"""
|
|
||||||
|
|
||||||
from django import template
|
|
||||||
from django.templatetags.static import static as static_loader
|
|
||||||
from django.utils.safestring import mark_safe
|
|
||||||
|
|
||||||
from authentik import get_full_version
|
|
||||||
|
|
||||||
register = template.Library()
|
|
||||||
|
|
||||||
|
|
||||||
@register.simple_tag()
|
|
||||||
def versioned_script(path: str) -> str:
|
|
||||||
"""Wrapper around {% static %} tag that supports setting the version"""
|
|
||||||
returned_lines = [
|
|
||||||
(
|
|
||||||
f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
|
|
||||||
'" type="module"></script>'
|
|
||||||
),
|
|
||||||
]
|
|
||||||
return mark_safe("".join(returned_lines)) # nosec
|
|
||||||
@ -3,10 +3,7 @@
|
|||||||
from django.test import RequestFactory, TestCase
|
from django.test import RequestFactory, TestCase
|
||||||
from guardian.shortcuts import get_anonymous_user
|
from guardian.shortcuts import get_anonymous_user
|
||||||
|
|
||||||
from authentik.core.expression.exceptions import (
|
from authentik.core.expression.exceptions import PropertyMappingExpressionException
|
||||||
PropertyMappingExpressionException,
|
|
||||||
SkipObjectException,
|
|
||||||
)
|
|
||||||
from authentik.core.models import PropertyMapping
|
from authentik.core.models import PropertyMapping
|
||||||
from authentik.core.tests.utils import create_test_admin_user
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
@ -45,17 +42,6 @@ class TestPropertyMappings(TestCase):
|
|||||||
self.assertTrue(events.exists())
|
self.assertTrue(events.exists())
|
||||||
self.assertEqual(len(events), 1)
|
self.assertEqual(len(events), 1)
|
||||||
|
|
||||||
def test_expression_skip(self):
|
|
||||||
"""Test expression error"""
|
|
||||||
expr = "raise SkipObject"
|
|
||||||
mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
|
|
||||||
with self.assertRaises(SkipObjectException):
|
|
||||||
mapping.evaluate(None, None)
|
|
||||||
events = Event.objects.filter(
|
|
||||||
action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
|
|
||||||
)
|
|
||||||
self.assertFalse(events.exists())
|
|
||||||
|
|
||||||
def test_expression_error_extended(self):
|
def test_expression_error_extended(self):
|
||||||
"""Test expression error (with user and http request"""
|
"""Test expression error (with user and http request"""
|
||||||
expr = "return aaa"
|
expr = "return aaa"
|
||||||
|
|||||||
@ -13,8 +13,9 @@ from authentik.core.models import (
|
|||||||
USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
|
USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
|
||||||
Token,
|
Token,
|
||||||
TokenIntents,
|
TokenIntents,
|
||||||
|
User,
|
||||||
)
|
)
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_user
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
|
|
||||||
|
|
||||||
@ -23,7 +24,7 @@ class TestTokenAPI(APITestCase):
|
|||||||
|
|
||||||
def setUp(self) -> None:
|
def setUp(self) -> None:
|
||||||
super().setUp()
|
super().setUp()
|
||||||
self.user = create_test_user()
|
self.user = User.objects.create(username="testuser")
|
||||||
self.admin = create_test_admin_user()
|
self.admin = create_test_admin_user()
|
||||||
self.client.force_login(self.user)
|
self.client.force_login(self.user)
|
||||||
|
|
||||||
@ -153,24 +154,6 @@ class TestTokenAPI(APITestCase):
|
|||||||
self.assertEqual(token.expiring, True)
|
self.assertEqual(token.expiring, True)
|
||||||
self.assertNotEqual(token.expires.timestamp(), expires.timestamp())
|
self.assertNotEqual(token.expires.timestamp(), expires.timestamp())
|
||||||
|
|
||||||
def test_token_change_user(self):
|
|
||||||
"""Test creating a token and then changing the user"""
|
|
||||||
ident = generate_id()
|
|
||||||
response = self.client.post(reverse("authentik_api:token-list"), {"identifier": ident})
|
|
||||||
self.assertEqual(response.status_code, 201)
|
|
||||||
token = Token.objects.get(identifier=ident)
|
|
||||||
self.assertEqual(token.user, self.user)
|
|
||||||
self.assertEqual(token.intent, TokenIntents.INTENT_API)
|
|
||||||
self.assertEqual(token.expiring, True)
|
|
||||||
self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
|
|
||||||
response = self.client.put(
|
|
||||||
reverse("authentik_api:token-detail", kwargs={"identifier": ident}),
|
|
||||||
data={"identifier": "user_token_poc_v3", "intent": "api", "user": self.admin.pk},
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 400)
|
|
||||||
token.refresh_from_db()
|
|
||||||
self.assertEqual(token.user, self.user)
|
|
||||||
|
|
||||||
def test_list(self):
|
def test_list(self):
|
||||||
"""Test Token List (Test normal authentication)"""
|
"""Test Token List (Test normal authentication)"""
|
||||||
Token.objects.all().delete()
|
Token.objects.all().delete()
|
||||||
|
|||||||
@ -20,9 +20,8 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
|
|||||||
from authentik.core.api.users import UserViewSet
|
from authentik.core.api.users import UserViewSet
|
||||||
from authentik.core.views import apps
|
from authentik.core.views import apps
|
||||||
from authentik.core.views.debug import AccessDeniedView
|
from authentik.core.views.debug import AccessDeniedView
|
||||||
from authentik.core.views.interface import InterfaceView
|
from authentik.core.views.interface import FlowInterfaceView, InterfaceView
|
||||||
from authentik.core.views.session import EndSessionView
|
from authentik.core.views.session import EndSessionView
|
||||||
from authentik.flows.views.interface import FlowInterfaceView
|
|
||||||
from authentik.root.asgi_middleware import SessionMiddleware
|
from authentik.root.asgi_middleware import SessionMiddleware
|
||||||
from authentik.root.messages.consumer import MessageConsumer
|
from authentik.root.messages.consumer import MessageConsumer
|
||||||
from authentik.root.middleware import ChannelsLoggingMiddleware
|
from authentik.root.middleware import ChannelsLoggingMiddleware
|
||||||
@ -54,8 +53,6 @@ urlpatterns = [
|
|||||||
),
|
),
|
||||||
path(
|
path(
|
||||||
"if/flow/<slug:flow_slug>/",
|
"if/flow/<slug:flow_slug>/",
|
||||||
# FIXME: move this url to the flows app...also will cause all
|
|
||||||
# of the reverse calls to be adjusted
|
|
||||||
ensure_csrf_cookie(FlowInterfaceView.as_view()),
|
ensure_csrf_cookie(FlowInterfaceView.as_view()),
|
||||||
name="if-flow",
|
name="if-flow",
|
||||||
),
|
),
|
||||||
|
|||||||
@ -3,6 +3,7 @@
|
|||||||
from json import dumps
|
from json import dumps
|
||||||
from typing import Any
|
from typing import Any
|
||||||
|
|
||||||
|
from django.shortcuts import get_object_or_404
|
||||||
from django.views.generic.base import TemplateView
|
from django.views.generic.base import TemplateView
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
|
|
||||||
@ -10,6 +11,7 @@ from authentik import get_build_hash
|
|||||||
from authentik.admin.tasks import LOCAL_VERSION
|
from authentik.admin.tasks import LOCAL_VERSION
|
||||||
from authentik.api.v3.config import ConfigView
|
from authentik.api.v3.config import ConfigView
|
||||||
from authentik.brands.api import CurrentBrandSerializer
|
from authentik.brands.api import CurrentBrandSerializer
|
||||||
|
from authentik.flows.models import Flow
|
||||||
|
|
||||||
|
|
||||||
class InterfaceView(TemplateView):
|
class InterfaceView(TemplateView):
|
||||||
@ -23,3 +25,14 @@ class InterfaceView(TemplateView):
|
|||||||
kwargs["build"] = get_build_hash()
|
kwargs["build"] = get_build_hash()
|
||||||
kwargs["url_kwargs"] = self.kwargs
|
kwargs["url_kwargs"] = self.kwargs
|
||||||
return super().get_context_data(**kwargs)
|
return super().get_context_data(**kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
class FlowInterfaceView(InterfaceView):
|
||||||
|
"""Flow interface"""
|
||||||
|
|
||||||
|
template_name = "if/flow.html"
|
||||||
|
|
||||||
|
def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
|
||||||
|
kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
|
||||||
|
kwargs["inspector"] = "inspector" in self.request.GET
|
||||||
|
return super().get_context_data(**kwargs)
|
||||||
|
|||||||
@ -24,12 +24,13 @@ from rest_framework.fields import (
|
|||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.api.authorization import SecretKeyFilter
|
from authentik.api.authorization import SecretKeyFilter
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.crypto.apps import MANAGED_KEY
|
from authentik.crypto.apps import MANAGED_KEY
|
||||||
from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
|
from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
|
||||||
from authentik.crypto.models import CertificateKeyPair
|
from authentik.crypto.models import CertificateKeyPair
|
||||||
|
|||||||
@ -13,10 +13,11 @@ from rest_framework.fields import CharField, IntegerField
|
|||||||
from rest_framework.permissions import IsAuthenticated
|
from rest_framework.permissions import IsAuthenticated
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.core.models import User, UserTypes
|
from authentik.core.models import User, UserTypes
|
||||||
from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
|
from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
|
||||||
from authentik.enterprise.models import License
|
from authentik.enterprise.models import License
|
||||||
|
|||||||
@ -1,13 +1,12 @@
|
|||||||
"""GoogleWorkspaceProviderGroup API Views"""
|
"""GoogleWorkspaceProviderGroup API Views"""
|
||||||
|
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.users import UserGroupSerializer
|
from authentik.core.api.users import UserGroupSerializer
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
|
from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
|
||||||
from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
|
|
||||||
|
|
||||||
|
|
||||||
class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
|
class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
|
||||||
@ -31,7 +30,6 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
|
|||||||
|
|
||||||
class GoogleWorkspaceProviderGroupViewSet(
|
class GoogleWorkspaceProviderGroupViewSet(
|
||||||
mixins.CreateModelMixin,
|
mixins.CreateModelMixin,
|
||||||
OutgoingSyncConnectionCreateMixin,
|
|
||||||
mixins.RetrieveModelMixin,
|
mixins.RetrieveModelMixin,
|
||||||
mixins.DestroyModelMixin,
|
mixins.DestroyModelMixin,
|
||||||
UsedByMixin,
|
UsedByMixin,
|
||||||
|
|||||||
@ -1,13 +1,12 @@
|
|||||||
"""GoogleWorkspaceProviderUser API Views"""
|
"""GoogleWorkspaceProviderUser API Views"""
|
||||||
|
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.groups import GroupMemberSerializer
|
from authentik.core.api.groups import GroupMemberSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
|
from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
|
||||||
from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
|
|
||||||
|
|
||||||
|
|
||||||
class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
|
class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
|
||||||
@ -31,7 +30,6 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
|
|||||||
|
|
||||||
class GoogleWorkspaceProviderUserViewSet(
|
class GoogleWorkspaceProviderUserViewSet(
|
||||||
mixins.CreateModelMixin,
|
mixins.CreateModelMixin,
|
||||||
OutgoingSyncConnectionCreateMixin,
|
|
||||||
mixins.RetrieveModelMixin,
|
mixins.RetrieveModelMixin,
|
||||||
mixins.DestroyModelMixin,
|
mixins.DestroyModelMixin,
|
||||||
UsedByMixin,
|
UsedByMixin,
|
||||||
|
|||||||
@ -214,7 +214,3 @@ class GoogleWorkspaceGroupClient(
|
|||||||
google_id=google_id,
|
google_id=google_id,
|
||||||
attributes=group,
|
attributes=group,
|
||||||
)
|
)
|
||||||
|
|
||||||
def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
|
|
||||||
group = self.directory_service.groups().get(connection.google_id)
|
|
||||||
connection.attributes = group
|
|
||||||
|
|||||||
@ -119,7 +119,3 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
|
|||||||
google_id=email,
|
google_id=email,
|
||||||
attributes=user,
|
attributes=user,
|
||||||
)
|
)
|
||||||
|
|
||||||
def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
|
|
||||||
user = self.directory_service.users().get(connection.google_id)
|
|
||||||
connection.attributes = user
|
|
||||||
|
|||||||
@ -31,58 +31,6 @@ def default_scopes() -> list[str]:
|
|||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
class GoogleWorkspaceProviderUser(SerializerModel):
|
|
||||||
"""Mapping of a user and provider to a Google user ID"""
|
|
||||||
|
|
||||||
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
|
||||||
google_id = models.TextField()
|
|
||||||
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
|
||||||
provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
|
|
||||||
attributes = models.JSONField(default=dict)
|
|
||||||
|
|
||||||
@property
|
|
||||||
def serializer(self) -> type[Serializer]:
|
|
||||||
from authentik.enterprise.providers.google_workspace.api.users import (
|
|
||||||
GoogleWorkspaceProviderUserSerializer,
|
|
||||||
)
|
|
||||||
|
|
||||||
return GoogleWorkspaceProviderUserSerializer
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
verbose_name = _("Google Workspace Provider User")
|
|
||||||
verbose_name_plural = _("Google Workspace Provider Users")
|
|
||||||
unique_together = (("google_id", "user", "provider"),)
|
|
||||||
|
|
||||||
def __str__(self) -> str:
|
|
||||||
return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
|
|
||||||
|
|
||||||
|
|
||||||
class GoogleWorkspaceProviderGroup(SerializerModel):
|
|
||||||
"""Mapping of a group and provider to a Google group ID"""
|
|
||||||
|
|
||||||
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
|
||||||
google_id = models.TextField()
|
|
||||||
group = models.ForeignKey(Group, on_delete=models.CASCADE)
|
|
||||||
provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
|
|
||||||
attributes = models.JSONField(default=dict)
|
|
||||||
|
|
||||||
@property
|
|
||||||
def serializer(self) -> type[Serializer]:
|
|
||||||
from authentik.enterprise.providers.google_workspace.api.groups import (
|
|
||||||
GoogleWorkspaceProviderGroupSerializer,
|
|
||||||
)
|
|
||||||
|
|
||||||
return GoogleWorkspaceProviderGroupSerializer
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
verbose_name = _("Google Workspace Provider Group")
|
|
||||||
verbose_name_plural = _("Google Workspace Provider Groups")
|
|
||||||
unique_together = (("google_id", "group", "provider"),)
|
|
||||||
|
|
||||||
def __str__(self) -> str:
|
|
||||||
return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
|
|
||||||
|
|
||||||
|
|
||||||
class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
|
class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
|
||||||
"""Sync users from authentik into Google Workspace."""
|
"""Sync users from authentik into Google Workspace."""
|
||||||
|
|
||||||
@ -111,16 +59,15 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
|
|||||||
)
|
)
|
||||||
|
|
||||||
def client_for_model(
|
def client_for_model(
|
||||||
self,
|
self, model: type[User | Group]
|
||||||
model: type[User | Group | GoogleWorkspaceProviderUser | GoogleWorkspaceProviderGroup],
|
|
||||||
) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
|
) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
|
||||||
if issubclass(model, User | GoogleWorkspaceProviderUser):
|
if issubclass(model, User):
|
||||||
from authentik.enterprise.providers.google_workspace.clients.users import (
|
from authentik.enterprise.providers.google_workspace.clients.users import (
|
||||||
GoogleWorkspaceUserClient,
|
GoogleWorkspaceUserClient,
|
||||||
)
|
)
|
||||||
|
|
||||||
return GoogleWorkspaceUserClient(self)
|
return GoogleWorkspaceUserClient(self)
|
||||||
if issubclass(model, Group | GoogleWorkspaceProviderGroup):
|
if issubclass(model, Group):
|
||||||
from authentik.enterprise.providers.google_workspace.clients.groups import (
|
from authentik.enterprise.providers.google_workspace.clients.groups import (
|
||||||
GoogleWorkspaceGroupClient,
|
GoogleWorkspaceGroupClient,
|
||||||
)
|
)
|
||||||
@ -197,3 +144,55 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
|
|||||||
class Meta:
|
class Meta:
|
||||||
verbose_name = _("Google Workspace Provider Mapping")
|
verbose_name = _("Google Workspace Provider Mapping")
|
||||||
verbose_name_plural = _("Google Workspace Provider Mappings")
|
verbose_name_plural = _("Google Workspace Provider Mappings")
|
||||||
|
|
||||||
|
|
||||||
|
class GoogleWorkspaceProviderUser(SerializerModel):
|
||||||
|
"""Mapping of a user and provider to a Google user ID"""
|
||||||
|
|
||||||
|
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
||||||
|
google_id = models.TextField()
|
||||||
|
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
||||||
|
provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
|
||||||
|
attributes = models.JSONField(default=dict)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def serializer(self) -> type[Serializer]:
|
||||||
|
from authentik.enterprise.providers.google_workspace.api.users import (
|
||||||
|
GoogleWorkspaceProviderUserSerializer,
|
||||||
|
)
|
||||||
|
|
||||||
|
return GoogleWorkspaceProviderUserSerializer
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
verbose_name = _("Google Workspace Provider User")
|
||||||
|
verbose_name_plural = _("Google Workspace Provider Users")
|
||||||
|
unique_together = (("google_id", "user", "provider"),)
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
|
||||||
|
|
||||||
|
|
||||||
|
class GoogleWorkspaceProviderGroup(SerializerModel):
|
||||||
|
"""Mapping of a group and provider to a Google group ID"""
|
||||||
|
|
||||||
|
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
||||||
|
google_id = models.TextField()
|
||||||
|
group = models.ForeignKey(Group, on_delete=models.CASCADE)
|
||||||
|
provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
|
||||||
|
attributes = models.JSONField(default=dict)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def serializer(self) -> type[Serializer]:
|
||||||
|
from authentik.enterprise.providers.google_workspace.api.groups import (
|
||||||
|
GoogleWorkspaceProviderGroupSerializer,
|
||||||
|
)
|
||||||
|
|
||||||
|
return GoogleWorkspaceProviderGroupSerializer
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
verbose_name = _("Google Workspace Provider Group")
|
||||||
|
verbose_name_plural = _("Google Workspace Provider Groups")
|
||||||
|
unique_together = (("google_id", "group", "provider"),)
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
|
||||||
|
|||||||
@ -1,13 +1,12 @@
|
|||||||
"""MicrosoftEntraProviderGroup API Views"""
|
"""MicrosoftEntraProviderGroup API Views"""
|
||||||
|
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.users import UserGroupSerializer
|
from authentik.core.api.users import UserGroupSerializer
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
|
from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
|
||||||
from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
|
|
||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
|
class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
|
||||||
@ -31,7 +30,6 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
|
|||||||
|
|
||||||
class MicrosoftEntraProviderGroupViewSet(
|
class MicrosoftEntraProviderGroupViewSet(
|
||||||
mixins.CreateModelMixin,
|
mixins.CreateModelMixin,
|
||||||
OutgoingSyncConnectionCreateMixin,
|
|
||||||
mixins.RetrieveModelMixin,
|
mixins.RetrieveModelMixin,
|
||||||
mixins.DestroyModelMixin,
|
mixins.DestroyModelMixin,
|
||||||
UsedByMixin,
|
UsedByMixin,
|
||||||
|
|||||||
@ -1,13 +1,12 @@
|
|||||||
"""MicrosoftEntraProviderUser API Views"""
|
"""MicrosoftEntraProviderUser API Views"""
|
||||||
|
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.groups import GroupMemberSerializer
|
from authentik.core.api.groups import GroupMemberSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
|
from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
|
||||||
from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
|
|
||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraProviderUserSerializer(ModelSerializer):
|
class MicrosoftEntraProviderUserSerializer(ModelSerializer):
|
||||||
@ -30,7 +29,6 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
|
|||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraProviderUserViewSet(
|
class MicrosoftEntraProviderUserViewSet(
|
||||||
OutgoingSyncConnectionCreateMixin,
|
|
||||||
mixins.CreateModelMixin,
|
mixins.CreateModelMixin,
|
||||||
mixins.RetrieveModelMixin,
|
mixins.RetrieveModelMixin,
|
||||||
mixins.DestroyModelMixin,
|
mixins.DestroyModelMixin,
|
||||||
|
|||||||
@ -226,7 +226,3 @@ class MicrosoftEntraGroupClient(
|
|||||||
microsoft_id=group.id,
|
microsoft_id=group.id,
|
||||||
attributes=self.entity_as_dict(group),
|
attributes=self.entity_as_dict(group),
|
||||||
)
|
)
|
||||||
|
|
||||||
def update_single_attribute(self, connection: MicrosoftEntraProviderGroup):
|
|
||||||
data = self._request(self.client.groups.by_group_id(connection.microsoft_id).get())
|
|
||||||
connection.attributes = self.entity_as_dict(data)
|
|
||||||
|
|||||||
@ -66,26 +66,6 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
|
|||||||
microsoft_user.delete()
|
microsoft_user.delete()
|
||||||
return response
|
return response
|
||||||
|
|
||||||
def get_select_fields(self) -> list[str]:
|
|
||||||
"""All fields that should be selected when we fetch user data."""
|
|
||||||
# TODO: Make this customizable in the future
|
|
||||||
return [
|
|
||||||
# Default fields
|
|
||||||
"businessPhones",
|
|
||||||
"displayName",
|
|
||||||
"givenName",
|
|
||||||
"jobTitle",
|
|
||||||
"mail",
|
|
||||||
"mobilePhone",
|
|
||||||
"officeLocation",
|
|
||||||
"preferredLanguage",
|
|
||||||
"surname",
|
|
||||||
"userPrincipalName",
|
|
||||||
"id",
|
|
||||||
# Required for logging into M365 using authentik
|
|
||||||
"onPremisesImmutableId",
|
|
||||||
]
|
|
||||||
|
|
||||||
def create(self, user: User):
|
def create(self, user: User):
|
||||||
"""Create user from scratch and create a connection object"""
|
"""Create user from scratch and create a connection object"""
|
||||||
microsoft_user = self.to_schema(user, None)
|
microsoft_user = self.to_schema(user, None)
|
||||||
@ -95,12 +75,12 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
|
|||||||
response = self._request(self.client.users.post(microsoft_user))
|
response = self._request(self.client.users.post(microsoft_user))
|
||||||
except ObjectExistsSyncException:
|
except ObjectExistsSyncException:
|
||||||
# user already exists in microsoft entra, so we can connect them manually
|
# user already exists in microsoft entra, so we can connect them manually
|
||||||
|
query_params = UsersRequestBuilder.UsersRequestBuilderGetQueryParameters()(
|
||||||
|
filter=f"mail eq '{microsoft_user.mail}'",
|
||||||
|
)
|
||||||
request_configuration = (
|
request_configuration = (
|
||||||
UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
|
UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
|
||||||
query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
|
query_parameters=query_params,
|
||||||
filter=f"mail eq '{microsoft_user.mail}'",
|
|
||||||
select=self.get_select_fields(),
|
|
||||||
),
|
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
user_data = self._request(self.client.users.get(request_configuration))
|
user_data = self._request(self.client.users.get(request_configuration))
|
||||||
@ -119,6 +99,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
|
|||||||
except TransientSyncException as exc:
|
except TransientSyncException as exc:
|
||||||
raise exc
|
raise exc
|
||||||
else:
|
else:
|
||||||
|
print(self.entity_as_dict(response))
|
||||||
return MicrosoftEntraProviderUser.objects.create(
|
return MicrosoftEntraProviderUser.objects.create(
|
||||||
provider=self.provider,
|
provider=self.provider,
|
||||||
user=user,
|
user=user,
|
||||||
@ -139,12 +120,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
|
|||||||
|
|
||||||
def discover(self):
|
def discover(self):
|
||||||
"""Iterate through all users and connect them with authentik users if possible"""
|
"""Iterate through all users and connect them with authentik users if possible"""
|
||||||
request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
|
users = self._request(self.client.users.get())
|
||||||
query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
|
|
||||||
select=self.get_select_fields(),
|
|
||||||
),
|
|
||||||
)
|
|
||||||
users = self._request(self.client.users.get(request_configuration))
|
|
||||||
next_link = True
|
next_link = True
|
||||||
while next_link:
|
while next_link:
|
||||||
for user in users.value:
|
for user in users.value:
|
||||||
@ -165,14 +141,3 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
|
|||||||
microsoft_id=user.id,
|
microsoft_id=user.id,
|
||||||
attributes=self.entity_as_dict(user),
|
attributes=self.entity_as_dict(user),
|
||||||
)
|
)
|
||||||
|
|
||||||
def update_single_attribute(self, connection: MicrosoftEntraProviderUser):
|
|
||||||
request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
|
|
||||||
query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
|
|
||||||
select=self.get_select_fields(),
|
|
||||||
),
|
|
||||||
)
|
|
||||||
data = self._request(
|
|
||||||
self.client.users.by_user_id(connection.microsoft_id).get(request_configuration)
|
|
||||||
)
|
|
||||||
connection.attributes = self.entity_as_dict(data)
|
|
||||||
|
|||||||
@ -22,58 +22,6 @@ from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
|
|||||||
from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
|
from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
|
||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraProviderUser(SerializerModel):
|
|
||||||
"""Mapping of a user and provider to a Microsoft user ID"""
|
|
||||||
|
|
||||||
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
|
||||||
microsoft_id = models.TextField()
|
|
||||||
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
|
||||||
provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
|
|
||||||
attributes = models.JSONField(default=dict)
|
|
||||||
|
|
||||||
@property
|
|
||||||
def serializer(self) -> type[Serializer]:
|
|
||||||
from authentik.enterprise.providers.microsoft_entra.api.users import (
|
|
||||||
MicrosoftEntraProviderUserSerializer,
|
|
||||||
)
|
|
||||||
|
|
||||||
return MicrosoftEntraProviderUserSerializer
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
verbose_name = _("Microsoft Entra Provider User")
|
|
||||||
verbose_name_plural = _("Microsoft Entra Provider User")
|
|
||||||
unique_together = (("microsoft_id", "user", "provider"),)
|
|
||||||
|
|
||||||
def __str__(self) -> str:
|
|
||||||
return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
|
|
||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraProviderGroup(SerializerModel):
|
|
||||||
"""Mapping of a group and provider to a Microsoft group ID"""
|
|
||||||
|
|
||||||
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
|
||||||
microsoft_id = models.TextField()
|
|
||||||
group = models.ForeignKey(Group, on_delete=models.CASCADE)
|
|
||||||
provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
|
|
||||||
attributes = models.JSONField(default=dict)
|
|
||||||
|
|
||||||
@property
|
|
||||||
def serializer(self) -> type[Serializer]:
|
|
||||||
from authentik.enterprise.providers.microsoft_entra.api.groups import (
|
|
||||||
MicrosoftEntraProviderGroupSerializer,
|
|
||||||
)
|
|
||||||
|
|
||||||
return MicrosoftEntraProviderGroupSerializer
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
verbose_name = _("Microsoft Entra Provider Group")
|
|
||||||
verbose_name_plural = _("Microsoft Entra Provider Groups")
|
|
||||||
unique_together = (("microsoft_id", "group", "provider"),)
|
|
||||||
|
|
||||||
def __str__(self) -> str:
|
|
||||||
return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
|
|
||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
|
class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
|
||||||
"""Sync users from authentik into Microsoft Entra."""
|
"""Sync users from authentik into Microsoft Entra."""
|
||||||
|
|
||||||
@ -100,16 +48,15 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
|
|||||||
)
|
)
|
||||||
|
|
||||||
def client_for_model(
|
def client_for_model(
|
||||||
self,
|
self, model: type[User | Group]
|
||||||
model: type[User | Group | MicrosoftEntraProviderUser | MicrosoftEntraProviderGroup],
|
|
||||||
) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
|
) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
|
||||||
if issubclass(model, User | MicrosoftEntraProviderUser):
|
if issubclass(model, User):
|
||||||
from authentik.enterprise.providers.microsoft_entra.clients.users import (
|
from authentik.enterprise.providers.microsoft_entra.clients.users import (
|
||||||
MicrosoftEntraUserClient,
|
MicrosoftEntraUserClient,
|
||||||
)
|
)
|
||||||
|
|
||||||
return MicrosoftEntraUserClient(self)
|
return MicrosoftEntraUserClient(self)
|
||||||
if issubclass(model, Group | MicrosoftEntraProviderGroup):
|
if issubclass(model, Group):
|
||||||
from authentik.enterprise.providers.microsoft_entra.clients.groups import (
|
from authentik.enterprise.providers.microsoft_entra.clients.groups import (
|
||||||
MicrosoftEntraGroupClient,
|
MicrosoftEntraGroupClient,
|
||||||
)
|
)
|
||||||
@ -186,3 +133,55 @@ class MicrosoftEntraProviderMapping(PropertyMapping):
|
|||||||
class Meta:
|
class Meta:
|
||||||
verbose_name = _("Microsoft Entra Provider Mapping")
|
verbose_name = _("Microsoft Entra Provider Mapping")
|
||||||
verbose_name_plural = _("Microsoft Entra Provider Mappings")
|
verbose_name_plural = _("Microsoft Entra Provider Mappings")
|
||||||
|
|
||||||
|
|
||||||
|
class MicrosoftEntraProviderUser(SerializerModel):
|
||||||
|
"""Mapping of a user and provider to a Microsoft user ID"""
|
||||||
|
|
||||||
|
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
||||||
|
microsoft_id = models.TextField()
|
||||||
|
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
||||||
|
provider = models.ForeignKey(MicrosoftEntraProvider, on_delete=models.CASCADE)
|
||||||
|
attributes = models.JSONField(default=dict)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def serializer(self) -> type[Serializer]:
|
||||||
|
from authentik.enterprise.providers.microsoft_entra.api.users import (
|
||||||
|
MicrosoftEntraProviderUserSerializer,
|
||||||
|
)
|
||||||
|
|
||||||
|
return MicrosoftEntraProviderUserSerializer
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
verbose_name = _("Microsoft Entra Provider User")
|
||||||
|
verbose_name_plural = _("Microsoft Entra Provider User")
|
||||||
|
unique_together = (("microsoft_id", "user", "provider"),)
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
|
||||||
|
|
||||||
|
|
||||||
|
class MicrosoftEntraProviderGroup(SerializerModel):
|
||||||
|
"""Mapping of a group and provider to a Microsoft group ID"""
|
||||||
|
|
||||||
|
id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
||||||
|
microsoft_id = models.TextField()
|
||||||
|
group = models.ForeignKey(Group, on_delete=models.CASCADE)
|
||||||
|
provider = models.ForeignKey(MicrosoftEntraProvider, on_delete=models.CASCADE)
|
||||||
|
attributes = models.JSONField(default=dict)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def serializer(self) -> type[Serializer]:
|
||||||
|
from authentik.enterprise.providers.microsoft_entra.api.groups import (
|
||||||
|
MicrosoftEntraProviderGroupSerializer,
|
||||||
|
)
|
||||||
|
|
||||||
|
return MicrosoftEntraProviderGroupSerializer
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
verbose_name = _("Microsoft Entra Provider Group")
|
||||||
|
verbose_name_plural = _("Microsoft Entra Provider Groups")
|
||||||
|
unique_together = (("microsoft_id", "group", "provider"),)
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
|
||||||
|
|||||||
@ -3,18 +3,16 @@
|
|||||||
from unittest.mock import AsyncMock, MagicMock, patch
|
from unittest.mock import AsyncMock, MagicMock, patch
|
||||||
|
|
||||||
from azure.identity.aio import ClientSecretCredential
|
from azure.identity.aio import ClientSecretCredential
|
||||||
from django.urls import reverse
|
from django.test import TestCase
|
||||||
from msgraph.generated.models.group_collection_response import GroupCollectionResponse
|
from msgraph.generated.models.group_collection_response import GroupCollectionResponse
|
||||||
from msgraph.generated.models.organization import Organization
|
from msgraph.generated.models.organization import Organization
|
||||||
from msgraph.generated.models.organization_collection_response import OrganizationCollectionResponse
|
from msgraph.generated.models.organization_collection_response import OrganizationCollectionResponse
|
||||||
from msgraph.generated.models.user import User as MSUser
|
from msgraph.generated.models.user import User as MSUser
|
||||||
from msgraph.generated.models.user_collection_response import UserCollectionResponse
|
from msgraph.generated.models.user_collection_response import UserCollectionResponse
|
||||||
from msgraph.generated.models.verified_domain import VerifiedDomain
|
from msgraph.generated.models.verified_domain import VerifiedDomain
|
||||||
from rest_framework.test import APITestCase
|
|
||||||
|
|
||||||
from authentik.blueprints.tests import apply_blueprint
|
from authentik.blueprints.tests import apply_blueprint
|
||||||
from authentik.core.models import Application, Group, User
|
from authentik.core.models import Application, Group, User
|
||||||
from authentik.core.tests.utils import create_test_admin_user
|
|
||||||
from authentik.enterprise.providers.microsoft_entra.models import (
|
from authentik.enterprise.providers.microsoft_entra.models import (
|
||||||
MicrosoftEntraProvider,
|
MicrosoftEntraProvider,
|
||||||
MicrosoftEntraProviderMapping,
|
MicrosoftEntraProviderMapping,
|
||||||
@ -27,12 +25,11 @@ from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
|
|||||||
from authentik.tenants.models import Tenant
|
from authentik.tenants.models import Tenant
|
||||||
|
|
||||||
|
|
||||||
class MicrosoftEntraUserTests(APITestCase):
|
class MicrosoftEntraUserTests(TestCase):
|
||||||
"""Microsoft Entra User tests"""
|
"""Microsoft Entra User tests"""
|
||||||
|
|
||||||
@apply_blueprint("system/providers-microsoft-entra.yaml")
|
@apply_blueprint("system/providers-microsoft-entra.yaml")
|
||||||
def setUp(self) -> None:
|
def setUp(self) -> None:
|
||||||
|
|
||||||
# Delete all users and groups as the mocked HTTP responses only return one ID
|
# Delete all users and groups as the mocked HTTP responses only return one ID
|
||||||
# which will cause errors with multiple users
|
# which will cause errors with multiple users
|
||||||
Tenant.objects.update(avatars="none")
|
Tenant.objects.update(avatars="none")
|
||||||
@ -374,45 +371,3 @@ class MicrosoftEntraUserTests(APITestCase):
|
|||||||
)
|
)
|
||||||
self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
|
self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
|
||||||
user_list.assert_called_once()
|
user_list.assert_called_once()
|
||||||
|
|
||||||
def test_connect_manual(self):
|
|
||||||
"""test manual user connection"""
|
|
||||||
uid = generate_id()
|
|
||||||
self.app.backchannel_providers.remove(self.provider)
|
|
||||||
admin = create_test_admin_user()
|
|
||||||
different_user = User.objects.create(
|
|
||||||
username=uid,
|
|
||||||
email=f"{uid}@goauthentik.io",
|
|
||||||
)
|
|
||||||
self.app.backchannel_providers.add(self.provider)
|
|
||||||
with (
|
|
||||||
patch(
|
|
||||||
"authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
|
|
||||||
MagicMock(return_value={"credentials": self.creds}),
|
|
||||||
),
|
|
||||||
patch(
|
|
||||||
"msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
|
|
||||||
AsyncMock(
|
|
||||||
return_value=OrganizationCollectionResponse(
|
|
||||||
value=[
|
|
||||||
Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
|
|
||||||
]
|
|
||||||
)
|
|
||||||
),
|
|
||||||
),
|
|
||||||
patch(
|
|
||||||
"authentik.enterprise.providers.microsoft_entra.clients.users.MicrosoftEntraUserClient.update_single_attribute",
|
|
||||||
MagicMock(),
|
|
||||||
) as user_get,
|
|
||||||
):
|
|
||||||
self.client.force_login(admin)
|
|
||||||
response = self.client.post(
|
|
||||||
reverse("authentik_api:microsoftentraprovideruser-list"),
|
|
||||||
data={
|
|
||||||
"microsoft_id": generate_id(),
|
|
||||||
"user": different_user.pk,
|
|
||||||
"provider": self.provider.pk,
|
|
||||||
},
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 201)
|
|
||||||
user_get.assert_called_once()
|
|
||||||
|
|||||||
@ -3,12 +3,12 @@
|
|||||||
from django_filters.rest_framework.backends import DjangoFilterBackend
|
from django_filters.rest_framework.backends import DjangoFilterBackend
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
|
from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
|
||||||
from authentik.core.api.groups import GroupMemberSerializer
|
from authentik.core.api.groups import GroupMemberSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.enterprise.api import EnterpriseRequiredMixin
|
from authentik.enterprise.api import EnterpriseRequiredMixin
|
||||||
from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
|
from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
|
||||||
from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
|
from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
|
||||||
|
|||||||
@ -8,11 +8,11 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
|
|||||||
from rest_framework.fields import SerializerMethodField
|
from rest_framework.fields import SerializerMethodField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.core.models import Provider
|
from authentik.core.models import Provider
|
||||||
from authentik.enterprise.api import EnterpriseRequiredMixin
|
from authentik.enterprise.api import EnterpriseRequiredMixin
|
||||||
from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
|
from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
|
||||||
|
|||||||
@ -1,9 +1,9 @@
|
|||||||
{% extends "base/skeleton.html" %}
|
{% extends "base/skeleton.html" %}
|
||||||
|
|
||||||
{% load authentik_core %}
|
{% load static %}
|
||||||
|
|
||||||
{% block head %}
|
{% block head %}
|
||||||
{% versioned_script "dist/enterprise/rac/index-%v.js" %}
|
<script src="{% static 'dist/enterprise/rac/index.js' %}?version={{ version }}" type="module"></script>
|
||||||
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
|
||||||
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
|
||||||
<link rel="icon" href="{{ tenant.branding_favicon }}">
|
<link rel="icon" href="{{ tenant.branding_favicon }}">
|
||||||
|
|||||||
@ -15,11 +15,12 @@ from rest_framework.decorators import action
|
|||||||
from rest_framework.fields import DictField, IntegerField
|
from rest_framework.fields import DictField, IntegerField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.admin.api.metrics import CoordinateSerializer
|
from authentik.admin.api.metrics import CoordinateSerializer
|
||||||
from authentik.core.api.object_types import TypeCreateSerializer
|
from authentik.core.api.object_types import TypeCreateSerializer
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -1,9 +1,9 @@
|
|||||||
"""NotificationWebhookMapping API Views"""
|
"""NotificationWebhookMapping API Views"""
|
||||||
|
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.events.models import NotificationWebhookMapping
|
from authentik.events.models import NotificationWebhookMapping
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -1,10 +1,10 @@
|
|||||||
"""NotificationRule API Views"""
|
"""NotificationRule API Views"""
|
||||||
|
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.groups import GroupSerializer
|
from authentik.core.api.groups import GroupSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.events.models import NotificationRule
|
from authentik.events.models import NotificationRule
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -9,10 +9,11 @@ from rest_framework.exceptions import ValidationError
|
|||||||
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.events.models import (
|
from authentik.events.models import (
|
||||||
Event,
|
Event,
|
||||||
Notification,
|
Notification,
|
||||||
|
|||||||
@ -9,11 +9,11 @@ from rest_framework.fields import ReadOnlyField
|
|||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.api.authorization import OwnerFilter, OwnerPermissions
|
from authentik.api.authorization import OwnerFilter, OwnerPermissions
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.events.api.events import EventSerializer
|
from authentik.events.api.events import EventSerializer
|
||||||
from authentik.events.models import Notification
|
from authentik.events.models import Notification
|
||||||
|
|
||||||
|
|||||||
@ -16,10 +16,10 @@ from rest_framework.fields import (
|
|||||||
)
|
)
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ReadOnlyModelViewSet
|
from rest_framework.viewsets import ReadOnlyModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.events.logs import LogEventSerializer
|
from authentik.events.logs import LogEventSerializer
|
||||||
from authentik.events.models import SystemTask, TaskStatus
|
from authentik.events.models import SystemTask, TaskStatus
|
||||||
from authentik.rbac.decorators import permission_required
|
from authentik.rbac.decorators import permission_required
|
||||||
|
|||||||
@ -75,10 +75,7 @@ def on_login_failed(
|
|||||||
**kwargs,
|
**kwargs,
|
||||||
):
|
):
|
||||||
"""Failed Login, authentik custom event"""
|
"""Failed Login, authentik custom event"""
|
||||||
user = User.objects.filter(username=credentials.get("username")).first()
|
Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(request)
|
||||||
Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
|
|
||||||
request, user
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
@receiver(invitation_used)
|
@receiver(invitation_used)
|
||||||
|
|||||||
@ -3,10 +3,10 @@
|
|||||||
from typing import Any
|
from typing import Any
|
||||||
|
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.flows.api.stages import StageSerializer
|
from authentik.flows.api.stages import StageSerializer
|
||||||
from authentik.flows.models import FlowStageBinding
|
from authentik.flows.models import FlowStageBinding
|
||||||
|
|
||||||
|
|||||||
@ -7,22 +7,18 @@ from django.utils.translation import gettext as _
|
|||||||
from drf_spectacular.types import OpenApiTypes
|
from drf_spectacular.types import OpenApiTypes
|
||||||
from drf_spectacular.utils import OpenApiResponse, extend_schema
|
from drf_spectacular.utils import OpenApiResponse, extend_schema
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.fields import BooleanField, CharField, ReadOnlyField, SerializerMethodField
|
from rest_framework.fields import BooleanField, CharField, ReadOnlyField
|
||||||
from rest_framework.parsers import MultiPartParser
|
from rest_framework.parsers import MultiPartParser
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer, SerializerMethodField
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.blueprints.v1.exporter import FlowExporter
|
from authentik.blueprints.v1.exporter import FlowExporter
|
||||||
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, Importer
|
from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, Importer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import (
|
from authentik.core.api.utils import CacheSerializer, LinkSerializer, PassiveSerializer
|
||||||
CacheSerializer,
|
|
||||||
LinkSerializer,
|
|
||||||
ModelSerializer,
|
|
||||||
PassiveSerializer,
|
|
||||||
)
|
|
||||||
from authentik.events.logs import LogEventSerializer
|
from authentik.events.logs import LogEventSerializer
|
||||||
from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
|
from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
|
||||||
from authentik.flows.exceptions import FlowNonApplicableException
|
from authentik.flows.exceptions import FlowNonApplicableException
|
||||||
|
|||||||
@ -4,15 +4,15 @@ from django.urls.base import reverse
|
|||||||
from drf_spectacular.utils import extend_schema
|
from drf_spectacular.utils import extend_schema
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.fields import SerializerMethodField
|
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer, SerializerMethodField
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.core.api.object_types import TypesMixin
|
from authentik.core.api.object_types import TypesMixin
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
|
from authentik.core.api.utils import MetaNameSerializer
|
||||||
from authentik.core.types import UserSettingSerializer
|
from authentik.core.types import UserSettingSerializer
|
||||||
from authentik.flows.api.flows import FlowSetSerializer
|
from authentik.flows.api.flows import FlowSetSerializer
|
||||||
from authentik.flows.models import ConfigurableStage, Stage
|
from authentik.flows.models import ConfigurableStage, Stage
|
||||||
|
|||||||
@ -1,54 +0,0 @@
|
|||||||
{% load static %}
|
|
||||||
{% load i18n %}
|
|
||||||
{% load authentik_core %}
|
|
||||||
|
|
||||||
<!DOCTYPE html>
|
|
||||||
|
|
||||||
<html lang="en">
|
|
||||||
<head>
|
|
||||||
<meta charset="UTF-8">
|
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
|
||||||
<title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
|
|
||||||
<link rel="icon" href="{{ brand.branding_favicon }}">
|
|
||||||
<link rel="shortcut icon" href="{{ brand.branding_favicon }}">
|
|
||||||
{% block head_before %}
|
|
||||||
{% endblock %}
|
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
|
|
||||||
<meta name="sentry-trace" content="{{ sentry_trace }}" />
|
|
||||||
{% include "base/header_js.html" %}
|
|
||||||
<style>
|
|
||||||
html,
|
|
||||||
body {
|
|
||||||
height: 100%;
|
|
||||||
}
|
|
||||||
body {
|
|
||||||
background-image: url("{{ flow.background_url }}");
|
|
||||||
background-repeat: no-repeat;
|
|
||||||
background-size: cover;
|
|
||||||
}
|
|
||||||
.card {
|
|
||||||
padding: 3rem;
|
|
||||||
}
|
|
||||||
|
|
||||||
.form-signin {
|
|
||||||
max-width: 330px;
|
|
||||||
padding: 1rem;
|
|
||||||
}
|
|
||||||
|
|
||||||
.form-signin .form-floating:focus-within {
|
|
||||||
z-index: 2;
|
|
||||||
}
|
|
||||||
.brand-icon {
|
|
||||||
max-width: 100%;
|
|
||||||
}
|
|
||||||
</style>
|
|
||||||
</head>
|
|
||||||
<body class="d-flex align-items-center py-4 bg-body-tertiary">
|
|
||||||
<div class="card m-auto">
|
|
||||||
<main class="form-signin w-100 m-auto" id="flow-sfe-container">
|
|
||||||
</main>
|
|
||||||
<span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
|
|
||||||
</div>
|
|
||||||
<script src="{% static 'dist/sfe/index.js' %}"></script>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
@ -16,7 +16,6 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
|
|||||||
from django.views.generic import View
|
from django.views.generic import View
|
||||||
from drf_spectacular.types import OpenApiTypes
|
from drf_spectacular.types import OpenApiTypes
|
||||||
from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
|
from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
|
||||||
from rest_framework.authentication import SessionAuthentication
|
|
||||||
from rest_framework.permissions import AllowAny
|
from rest_framework.permissions import AllowAny
|
||||||
from rest_framework.views import APIView
|
from rest_framework.views import APIView
|
||||||
from sentry_sdk import capture_exception
|
from sentry_sdk import capture_exception
|
||||||
@ -24,7 +23,6 @@ from sentry_sdk.api import set_tag
|
|||||||
from sentry_sdk.hub import Hub
|
from sentry_sdk.hub import Hub
|
||||||
from structlog.stdlib import BoundLogger, get_logger
|
from structlog.stdlib import BoundLogger, get_logger
|
||||||
|
|
||||||
from authentik.api.authentication import TokenAuthentication
|
|
||||||
from authentik.brands.models import Brand
|
from authentik.brands.models import Brand
|
||||||
from authentik.core.models import Application
|
from authentik.core.models import Application
|
||||||
from authentik.events.models import Event, EventAction, cleanse_dict
|
from authentik.events.models import Event, EventAction, cleanse_dict
|
||||||
@ -106,10 +104,6 @@ class FlowExecutorView(APIView):
|
|||||||
"""Flow executor, passing requests to Stage Views"""
|
"""Flow executor, passing requests to Stage Views"""
|
||||||
|
|
||||||
permission_classes = [AllowAny]
|
permission_classes = [AllowAny]
|
||||||
authentication_classes = [
|
|
||||||
TokenAuthentication,
|
|
||||||
SessionAuthentication,
|
|
||||||
]
|
|
||||||
|
|
||||||
flow: Flow
|
flow: Flow
|
||||||
|
|
||||||
|
|||||||
@ -1,41 +0,0 @@
|
|||||||
"""Interface views"""
|
|
||||||
|
|
||||||
from typing import Any
|
|
||||||
|
|
||||||
from django.shortcuts import get_object_or_404
|
|
||||||
from ua_parser.user_agent_parser import Parse
|
|
||||||
|
|
||||||
from authentik.core.views.interface import InterfaceView
|
|
||||||
from authentik.flows.models import Flow
|
|
||||||
|
|
||||||
|
|
||||||
class FlowInterfaceView(InterfaceView):
|
|
||||||
"""Flow interface"""
|
|
||||||
|
|
||||||
def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
|
|
||||||
kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
|
|
||||||
kwargs["inspector"] = "inspector" in self.request.GET
|
|
||||||
return super().get_context_data(**kwargs)
|
|
||||||
|
|
||||||
def compat_needs_sfe(self) -> bool:
|
|
||||||
"""Check if we need to use the simplified flow executor for compatibility"""
|
|
||||||
ua = Parse(self.request.META.get("HTTP_USER_AGENT", ""))
|
|
||||||
if ua["user_agent"]["family"] == "IE":
|
|
||||||
return True
|
|
||||||
# Only use SFE for Edge 18 and older, after Edge 18 MS switched to chromium which supports
|
|
||||||
# the default flow executor
|
|
||||||
if (
|
|
||||||
ua["user_agent"]["family"] == "Edge"
|
|
||||||
and int(ua["user_agent"]["major"]) <= 18 # noqa: PLR2004
|
|
||||||
): # noqa: PLR2004
|
|
||||||
return True
|
|
||||||
# https://github.com/AzureAD/microsoft-authentication-library-for-objc
|
|
||||||
# Used by Microsoft Teams/Office on macOS, and also uses a very outdated browser engine
|
|
||||||
if "PKeyAuth" in ua["string"]:
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def get_template_names(self) -> list[str]:
|
|
||||||
if self.compat_needs_sfe() or "sfe" in self.request.GET:
|
|
||||||
return ["if/flow-sfe.html"]
|
|
||||||
return ["if/flow.html"]
|
|
||||||
@ -50,6 +50,7 @@ cache:
|
|||||||
timeout: 300
|
timeout: 300
|
||||||
timeout_flows: 300
|
timeout_flows: 300
|
||||||
timeout_policies: 300
|
timeout_policies: 300
|
||||||
|
timeout_reputation: 300
|
||||||
|
|
||||||
# channel:
|
# channel:
|
||||||
# url: ""
|
# url: ""
|
||||||
@ -115,9 +116,6 @@ events:
|
|||||||
context_processors:
|
context_processors:
|
||||||
geoip: "/geoip/GeoLite2-City.mmdb"
|
geoip: "/geoip/GeoLite2-City.mmdb"
|
||||||
asn: "/geoip/GeoLite2-ASN.mmdb"
|
asn: "/geoip/GeoLite2-ASN.mmdb"
|
||||||
compliance:
|
|
||||||
fips:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
cert_discovery_dir: /certs
|
cert_discovery_dir: /certs
|
||||||
|
|
||||||
|
|||||||
@ -19,7 +19,6 @@ from structlog.stdlib import get_logger
|
|||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.events.models import Event
|
from authentik.events.models import Event
|
||||||
from authentik.lib.expression.exceptions import ControlFlowException
|
|
||||||
from authentik.lib.utils.http import get_http_session
|
from authentik.lib.utils.http import get_http_session
|
||||||
from authentik.policies.models import Policy, PolicyBinding
|
from authentik.policies.models import Policy, PolicyBinding
|
||||||
from authentik.policies.process import PolicyProcess
|
from authentik.policies.process import PolicyProcess
|
||||||
@ -217,8 +216,7 @@ class BaseEvaluator:
|
|||||||
# so the user only sees information relevant to them
|
# so the user only sees information relevant to them
|
||||||
# and none of our surrounding error handling
|
# and none of our surrounding error handling
|
||||||
exc.__traceback__ = exc.__traceback__.tb_next
|
exc.__traceback__ = exc.__traceback__.tb_next
|
||||||
if not isinstance(exc, ControlFlowException):
|
self.handle_error(exc, expression_source)
|
||||||
self.handle_error(exc, expression_source)
|
|
||||||
raise exc
|
raise exc
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|||||||
@ -1,6 +0,0 @@
|
|||||||
from authentik.lib.sentry import SentryIgnoredException
|
|
||||||
|
|
||||||
|
|
||||||
class ControlFlowException(SentryIgnoredException):
|
|
||||||
"""Exceptions used to control the flow from exceptions, not reported as a warning/
|
|
||||||
error in logs"""
|
|
||||||
@ -62,7 +62,7 @@ class DomainlessURLValidator(URLValidator):
|
|||||||
r"^(?:[a-z0-9.+-]*)://" # scheme is validated separately
|
r"^(?:[a-z0-9.+-]*)://" # scheme is validated separately
|
||||||
r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?" # user:pass authentication
|
r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?" # user:pass authentication
|
||||||
r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
|
r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
|
||||||
r"(?::\d{1,5})?" # port
|
r"(?::\d{2,5})?" # port
|
||||||
r"(?:[/?#][^\s]*)?" # resource path
|
r"(?:[/?#][^\s]*)?" # resource path
|
||||||
r"\Z",
|
r"\Z",
|
||||||
re.IGNORECASE,
|
re.IGNORECASE,
|
||||||
@ -88,7 +88,7 @@ class DomainlessFormattedURLValidator(DomainlessURLValidator):
|
|||||||
r"^(?:[a-z0-9.+-]*)://" # scheme is validated separately
|
r"^(?:[a-z0-9.+-]*)://" # scheme is validated separately
|
||||||
r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?" # user:pass authentication
|
r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?" # user:pass authentication
|
||||||
r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
|
r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
|
||||||
r"(?::\d{1,5})?" # port
|
r"(?::\d{2,5})?" # port
|
||||||
r"(?:[/?#][^\s]*)?" # resource path
|
r"(?:[/?#][^\s]*)?" # resource path
|
||||||
r"\Z",
|
r"\Z",
|
||||||
re.IGNORECASE,
|
re.IGNORECASE,
|
||||||
|
|||||||
@ -59,9 +59,8 @@ def sentry_init(**sentry_init_kwargs):
|
|||||||
"_experiments": {
|
"_experiments": {
|
||||||
"profiles_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.1)),
|
"profiles_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.1)),
|
||||||
},
|
},
|
||||||
**sentry_init_kwargs,
|
|
||||||
**CONFIG.get_dict_from_b64_json("error_reporting.extra_args", {}),
|
|
||||||
}
|
}
|
||||||
|
kwargs.update(**sentry_init_kwargs)
|
||||||
|
|
||||||
sentry_sdk_init(
|
sentry_sdk_init(
|
||||||
dsn=CONFIG.get("error_reporting.sentry_dsn"),
|
dsn=CONFIG.get("error_reporting.sentry_dsn"),
|
||||||
|
|||||||
@ -4,11 +4,8 @@ from django.db.models import QuerySet
|
|||||||
from django.http import HttpRequest
|
from django.http import HttpRequest
|
||||||
|
|
||||||
from authentik.core.expression.evaluator import PropertyMappingEvaluator
|
from authentik.core.expression.evaluator import PropertyMappingEvaluator
|
||||||
from authentik.core.expression.exceptions import (
|
from authentik.core.expression.exceptions import PropertyMappingExpressionException
|
||||||
PropertyMappingExpressionException,
|
|
||||||
)
|
|
||||||
from authentik.core.models import PropertyMapping, User
|
from authentik.core.models import PropertyMapping, User
|
||||||
from authentik.lib.expression.exceptions import ControlFlowException
|
|
||||||
|
|
||||||
|
|
||||||
class PropertyMappingManager:
|
class PropertyMappingManager:
|
||||||
@ -60,7 +57,7 @@ class PropertyMappingManager:
|
|||||||
mapping.set_context(user, request, **kwargs)
|
mapping.set_context(user, request, **kwargs)
|
||||||
try:
|
try:
|
||||||
value = mapping.evaluate(mapping.model.expression)
|
value = mapping.evaluate(mapping.model.expression)
|
||||||
except (PropertyMappingExpressionException, ControlFlowException) as exc:
|
except PropertyMappingExpressionException as exc:
|
||||||
raise exc from exc
|
raise exc from exc
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
raise PropertyMappingExpressionException(exc, mapping.model) from exc
|
raise PropertyMappingExpressionException(exc, mapping.model) from exc
|
||||||
|
|||||||
@ -8,7 +8,7 @@ from rest_framework.fields import BooleanField
|
|||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.events.api.tasks import SystemTaskSerializer
|
from authentik.events.api.tasks import SystemTaskSerializer
|
||||||
from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
|
from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
|
||||||
|
|
||||||
@ -54,17 +54,3 @@ class OutgoingSyncProviderStatusMixin:
|
|||||||
"is_running": not lock_acquired,
|
"is_running": not lock_acquired,
|
||||||
}
|
}
|
||||||
return Response(SyncStatusSerializer(status).data)
|
return Response(SyncStatusSerializer(status).data)
|
||||||
|
|
||||||
|
|
||||||
class OutgoingSyncConnectionCreateMixin:
|
|
||||||
"""Mixin for connection objects that fetches remote data upon creation"""
|
|
||||||
|
|
||||||
def perform_create(self, serializer: ModelSerializer):
|
|
||||||
super().perform_create(serializer)
|
|
||||||
try:
|
|
||||||
instance = serializer.instance
|
|
||||||
client = instance.provider.client_for_model(instance.__class__)
|
|
||||||
client.update_single_attribute(instance)
|
|
||||||
instance.save()
|
|
||||||
except NotImplementedError:
|
|
||||||
pass
|
|
||||||
|
|||||||
@ -9,9 +9,9 @@ from structlog.stdlib import get_logger
|
|||||||
|
|
||||||
from authentik.core.expression.exceptions import (
|
from authentik.core.expression.exceptions import (
|
||||||
PropertyMappingExpressionException,
|
PropertyMappingExpressionException,
|
||||||
|
SkipObjectException,
|
||||||
)
|
)
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.lib.expression.exceptions import ControlFlowException
|
|
||||||
from authentik.lib.sync.mapper import PropertyMappingManager
|
from authentik.lib.sync.mapper import PropertyMappingManager
|
||||||
from authentik.lib.sync.outgoing.exceptions import NotFoundSyncException, StopSync
|
from authentik.lib.sync.outgoing.exceptions import NotFoundSyncException, StopSync
|
||||||
from authentik.lib.utils.errors import exception_to_string
|
from authentik.lib.utils.errors import exception_to_string
|
||||||
@ -92,7 +92,7 @@ class BaseOutgoingSyncClient[
|
|||||||
eval_kwargs.setdefault("user", None)
|
eval_kwargs.setdefault("user", None)
|
||||||
for value in self.mapper.iter_eval(**eval_kwargs):
|
for value in self.mapper.iter_eval(**eval_kwargs):
|
||||||
always_merger.merge(raw_final_object, value)
|
always_merger.merge(raw_final_object, value)
|
||||||
except ControlFlowException as exc:
|
except SkipObjectException as exc:
|
||||||
raise exc from exc
|
raise exc from exc
|
||||||
except PropertyMappingExpressionException as exc:
|
except PropertyMappingExpressionException as exc:
|
||||||
# Value error can be raised when assigning invalid data to an attribute
|
# Value error can be raised when assigning invalid data to an attribute
|
||||||
@ -114,8 +114,3 @@ class BaseOutgoingSyncClient[
|
|||||||
pre-link any users/groups in the remote system with the respective
|
pre-link any users/groups in the remote system with the respective
|
||||||
object in authentik based on a common identifier"""
|
object in authentik based on a common identifier"""
|
||||||
raise NotImplementedError()
|
raise NotImplementedError()
|
||||||
|
|
||||||
def update_single_attribute(self, connection: TConnection):
|
|
||||||
"""Update connection attributes on a connection object, when the connection
|
|
||||||
is manually created"""
|
|
||||||
raise NotImplementedError
|
|
||||||
|
|||||||
@ -6,21 +6,19 @@ from django_filters.filters import ModelMultipleChoiceFilter
|
|||||||
from django_filters.filterset import FilterSet
|
from django_filters.filterset import FilterSet
|
||||||
from drf_spectacular.utils import extend_schema
|
from drf_spectacular.utils import extend_schema
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.fields import BooleanField, CharField, DateTimeField
|
||||||
from rest_framework.fields import BooleanField, CharField, DateTimeField, SerializerMethodField
|
|
||||||
from rest_framework.relations import PrimaryKeyRelatedField
|
from rest_framework.relations import PrimaryKeyRelatedField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer, ValidationError
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
from authentik import get_build_hash
|
from authentik import get_build_hash
|
||||||
from authentik.core.api.providers import ProviderSerializer
|
from authentik.core.api.providers import ProviderSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import JSONDictField, PassiveSerializer
|
||||||
from authentik.core.models import Provider
|
from authentik.core.models import Provider
|
||||||
from authentik.enterprise.license import LicenseKey
|
|
||||||
from authentik.enterprise.providers.rac.models import RACProvider
|
from authentik.enterprise.providers.rac.models import RACProvider
|
||||||
from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
|
|
||||||
from authentik.outposts.api.service_connections import ServiceConnectionSerializer
|
from authentik.outposts.api.service_connections import ServiceConnectionSerializer
|
||||||
from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
|
from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
|
||||||
from authentik.outposts.models import (
|
from authentik.outposts.models import (
|
||||||
@ -50,10 +48,6 @@ class OutpostSerializer(ModelSerializer):
|
|||||||
service_connection_obj = ServiceConnectionSerializer(
|
service_connection_obj = ServiceConnectionSerializer(
|
||||||
source="service_connection", read_only=True
|
source="service_connection", read_only=True
|
||||||
)
|
)
|
||||||
refresh_interval_s = SerializerMethodField()
|
|
||||||
|
|
||||||
def get_refresh_interval_s(self, obj: Outpost) -> int:
|
|
||||||
return int(timedelta_from_string(obj.config.refresh_interval).total_seconds())
|
|
||||||
|
|
||||||
def validate_name(self, name: str) -> str:
|
def validate_name(self, name: str) -> str:
|
||||||
"""Validate name (especially for embedded outpost)"""
|
"""Validate name (especially for embedded outpost)"""
|
||||||
@ -89,8 +83,7 @@ class OutpostSerializer(ModelSerializer):
|
|||||||
def validate_config(self, config) -> dict:
|
def validate_config(self, config) -> dict:
|
||||||
"""Check that the config has all required fields"""
|
"""Check that the config has all required fields"""
|
||||||
try:
|
try:
|
||||||
parsed = from_dict(OutpostConfig, config)
|
from_dict(OutpostConfig, config)
|
||||||
timedelta_string_validator(parsed.refresh_interval)
|
|
||||||
except DaciteError as exc:
|
except DaciteError as exc:
|
||||||
raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
|
raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
|
||||||
return config
|
return config
|
||||||
@ -105,7 +98,6 @@ class OutpostSerializer(ModelSerializer):
|
|||||||
"providers_obj",
|
"providers_obj",
|
||||||
"service_connection",
|
"service_connection",
|
||||||
"service_connection_obj",
|
"service_connection_obj",
|
||||||
"refresh_interval_s",
|
|
||||||
"token_identifier",
|
"token_identifier",
|
||||||
"config",
|
"config",
|
||||||
"managed",
|
"managed",
|
||||||
@ -128,7 +120,7 @@ class OutpostHealthSerializer(PassiveSerializer):
|
|||||||
golang_version = CharField(read_only=True)
|
golang_version = CharField(read_only=True)
|
||||||
openssl_enabled = BooleanField(read_only=True)
|
openssl_enabled = BooleanField(read_only=True)
|
||||||
openssl_version = CharField(read_only=True)
|
openssl_version = CharField(read_only=True)
|
||||||
fips_enabled = SerializerMethodField()
|
fips_enabled = BooleanField(read_only=True)
|
||||||
|
|
||||||
version_should = CharField(read_only=True)
|
version_should = CharField(read_only=True)
|
||||||
version_outdated = BooleanField(read_only=True)
|
version_outdated = BooleanField(read_only=True)
|
||||||
@ -138,12 +130,6 @@ class OutpostHealthSerializer(PassiveSerializer):
|
|||||||
|
|
||||||
hostname = CharField(read_only=True, required=False)
|
hostname = CharField(read_only=True, required=False)
|
||||||
|
|
||||||
def get_fips_enabled(self, obj: dict) -> bool | None:
|
|
||||||
"""Get FIPS enabled"""
|
|
||||||
if not LicenseKey.get_total().is_valid():
|
|
||||||
return None
|
|
||||||
return obj["fips_enabled"]
|
|
||||||
|
|
||||||
|
|
||||||
class OutpostFilter(FilterSet):
|
class OutpostFilter(FilterSet):
|
||||||
"""Filter for Outposts"""
|
"""Filter for Outposts"""
|
||||||
|
|||||||
@ -12,13 +12,13 @@ from rest_framework.decorators import action
|
|||||||
from rest_framework.fields import BooleanField, CharField, ReadOnlyField
|
from rest_framework.fields import BooleanField, CharField, ReadOnlyField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet, ModelViewSet
|
from rest_framework.viewsets import GenericViewSet, ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.object_types import TypesMixin
|
from authentik.core.api.object_types import TypesMixin
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import (
|
from authentik.core.api.utils import (
|
||||||
MetaNameSerializer,
|
MetaNameSerializer,
|
||||||
ModelSerializer,
|
|
||||||
PassiveSerializer,
|
PassiveSerializer,
|
||||||
)
|
)
|
||||||
from authentik.outposts.models import (
|
from authentik.outposts.models import (
|
||||||
|
|||||||
@ -61,7 +61,6 @@ class OutpostConfig:
|
|||||||
|
|
||||||
log_level: str = CONFIG.get("log_level")
|
log_level: str = CONFIG.get("log_level")
|
||||||
object_naming_template: str = field(default="ak-outpost-%(name)s")
|
object_naming_template: str = field(default="ak-outpost-%(name)s")
|
||||||
refresh_interval: str = "minutes=5"
|
|
||||||
|
|
||||||
container_image: str | None = field(default=None)
|
container_image: str | None = field(default=None)
|
||||||
|
|
||||||
|
|||||||
@ -5,15 +5,13 @@ from collections import OrderedDict
|
|||||||
from django.core.exceptions import ObjectDoesNotExist
|
from django.core.exceptions import ObjectDoesNotExist
|
||||||
from django_filters.filters import BooleanFilter, ModelMultipleChoiceFilter
|
from django_filters.filters import BooleanFilter, ModelMultipleChoiceFilter
|
||||||
from django_filters.filterset import FilterSet
|
from django_filters.filterset import FilterSet
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.serializers import ModelSerializer, PrimaryKeyRelatedField, ValidationError
|
||||||
from rest_framework.serializers import PrimaryKeyRelatedField
|
|
||||||
from rest_framework.viewsets import ModelViewSet
|
from rest_framework.viewsets import ModelViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.core.api.groups import GroupSerializer
|
from authentik.core.api.groups import GroupSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.users import UserSerializer
|
from authentik.core.api.users import UserSerializer
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.policies.api.policies import PolicySerializer
|
from authentik.policies.api.policies import PolicySerializer
|
||||||
from authentik.policies.models import PolicyBinding, PolicyBindingModel
|
from authentik.policies.models import PolicyBinding, PolicyBindingModel
|
||||||
|
|
||||||
|
|||||||
@ -6,9 +6,9 @@ from drf_spectacular.utils import OpenApiResponse, extend_schema
|
|||||||
from guardian.shortcuts import get_objects_for_user
|
from guardian.shortcuts import get_objects_for_user
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.fields import SerializerMethodField
|
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.serializers import ModelSerializer, SerializerMethodField
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
@ -18,7 +18,6 @@ from authentik.core.api.used_by import UsedByMixin
|
|||||||
from authentik.core.api.utils import (
|
from authentik.core.api.utils import (
|
||||||
CacheSerializer,
|
CacheSerializer,
|
||||||
MetaNameSerializer,
|
MetaNameSerializer,
|
||||||
ModelSerializer,
|
|
||||||
)
|
)
|
||||||
from authentik.events.logs import LogEventSerializer, capture_logs
|
from authentik.events.logs import LogEventSerializer, capture_logs
|
||||||
from authentik.policies.api.exec import PolicyTestResultSerializer, PolicyTestSerializer
|
from authentik.policies.api.exec import PolicyTestResultSerializer, PolicyTestSerializer
|
||||||
|
|||||||
@ -1,22 +1,16 @@
|
|||||||
"""Reputation policy API Views"""
|
"""Reputation policy API Views"""
|
||||||
|
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
from django_filters.filters import BaseInFilter, CharFilter
|
|
||||||
from django_filters.filterset import FilterSet
|
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet, ModelViewSet
|
from rest_framework.viewsets import GenericViewSet, ModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.policies.api.policies import PolicySerializer
|
from authentik.policies.api.policies import PolicySerializer
|
||||||
from authentik.policies.reputation.models import Reputation, ReputationPolicy
|
from authentik.policies.reputation.models import Reputation, ReputationPolicy
|
||||||
|
|
||||||
|
|
||||||
class CharInFilter(BaseInFilter, CharFilter):
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
class ReputationPolicySerializer(PolicySerializer):
|
class ReputationPolicySerializer(PolicySerializer):
|
||||||
"""Reputation Policy Serializer"""
|
"""Reputation Policy Serializer"""
|
||||||
|
|
||||||
@ -44,16 +38,6 @@ class ReputationPolicyViewSet(UsedByMixin, ModelViewSet):
|
|||||||
ordering = ["name"]
|
ordering = ["name"]
|
||||||
|
|
||||||
|
|
||||||
class ReputationFilter(FilterSet):
|
|
||||||
"""Filter for reputation"""
|
|
||||||
|
|
||||||
identifier_in = CharInFilter(field_name="identifier", lookup_expr="in")
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
model = Reputation
|
|
||||||
fields = ["identifier", "ip", "score"]
|
|
||||||
|
|
||||||
|
|
||||||
class ReputationSerializer(ModelSerializer):
|
class ReputationSerializer(ModelSerializer):
|
||||||
"""Reputation Serializer"""
|
"""Reputation Serializer"""
|
||||||
|
|
||||||
@ -82,5 +66,5 @@ class ReputationViewSet(
|
|||||||
queryset = Reputation.objects.all()
|
queryset = Reputation.objects.all()
|
||||||
serializer_class = ReputationSerializer
|
serializer_class = ReputationSerializer
|
||||||
search_fields = ["identifier", "ip", "score"]
|
search_fields = ["identifier", "ip", "score"]
|
||||||
filterset_class = ReputationFilter
|
filterset_fields = ["identifier", "ip", "score"]
|
||||||
ordering = ["ip"]
|
ordering = ["ip"]
|
||||||
|
|||||||
@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
from authentik.blueprints.apps import ManagedAppConfig
|
from authentik.blueprints.apps import ManagedAppConfig
|
||||||
|
|
||||||
|
CACHE_KEY_PREFIX = "goauthentik.io/policies/reputation/scores/"
|
||||||
|
|
||||||
|
|
||||||
class AuthentikPolicyReputationConfig(ManagedAppConfig):
|
class AuthentikPolicyReputationConfig(ManagedAppConfig):
|
||||||
"""Authentik reputation app config"""
|
"""Authentik reputation app config"""
|
||||||
|
|||||||
@ -1,25 +0,0 @@
|
|||||||
# Generated by Django 5.0.6 on 2024-06-11 08:50
|
|
||||||
|
|
||||||
from django.db import migrations, models
|
|
||||||
|
|
||||||
|
|
||||||
class Migration(migrations.Migration):
|
|
||||||
|
|
||||||
dependencies = [
|
|
||||||
("authentik_policies_reputation", "0006_reputation_ip_asn_data"),
|
|
||||||
]
|
|
||||||
|
|
||||||
operations = [
|
|
||||||
migrations.AddIndex(
|
|
||||||
model_name="reputation",
|
|
||||||
index=models.Index(fields=["identifier"], name="authentik_p_identif_9434d7_idx"),
|
|
||||||
),
|
|
||||||
migrations.AddIndex(
|
|
||||||
model_name="reputation",
|
|
||||||
index=models.Index(fields=["ip"], name="authentik_p_ip_7ad0df_idx"),
|
|
||||||
),
|
|
||||||
migrations.AddIndex(
|
|
||||||
model_name="reputation",
|
|
||||||
index=models.Index(fields=["ip", "identifier"], name="authentik_p_ip_d779aa_idx"),
|
|
||||||
),
|
|
||||||
]
|
|
||||||
@ -96,8 +96,3 @@ class Reputation(ExpiringModel, SerializerModel):
|
|||||||
verbose_name = _("Reputation Score")
|
verbose_name = _("Reputation Score")
|
||||||
verbose_name_plural = _("Reputation Scores")
|
verbose_name_plural = _("Reputation Scores")
|
||||||
unique_together = ("identifier", "ip")
|
unique_together = ("identifier", "ip")
|
||||||
indexes = [
|
|
||||||
models.Index(fields=["identifier"]),
|
|
||||||
models.Index(fields=["ip"]),
|
|
||||||
models.Index(fields=["ip", "identifier"]),
|
|
||||||
]
|
|
||||||
|
|||||||
11
authentik/policies/reputation/settings.py
Normal file
11
authentik/policies/reputation/settings.py
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
"""Reputation Settings"""
|
||||||
|
|
||||||
|
from celery.schedules import crontab
|
||||||
|
|
||||||
|
CELERY_BEAT_SCHEDULE = {
|
||||||
|
"policies_reputation_save": {
|
||||||
|
"task": "authentik.policies.reputation.tasks.save_reputation",
|
||||||
|
"schedule": crontab(minute="1-59/5"),
|
||||||
|
"options": {"queue": "authentik_scheduled"},
|
||||||
|
},
|
||||||
|
}
|
||||||
@ -1,42 +1,40 @@
|
|||||||
"""authentik reputation request signals"""
|
"""authentik reputation request signals"""
|
||||||
|
|
||||||
from django.contrib.auth.signals import user_logged_in
|
from django.contrib.auth.signals import user_logged_in
|
||||||
from django.db import transaction
|
from django.core.cache import cache
|
||||||
from django.db.models import F
|
|
||||||
from django.dispatch import receiver
|
from django.dispatch import receiver
|
||||||
from django.http import HttpRequest
|
from django.http import HttpRequest
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.core.signals import login_failed
|
from authentik.core.signals import login_failed
|
||||||
from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
|
from authentik.policies.reputation.apps import CACHE_KEY_PREFIX
|
||||||
from authentik.policies.reputation.models import Reputation, reputation_expiry
|
from authentik.policies.reputation.tasks import save_reputation
|
||||||
from authentik.root.middleware import ClientIPMiddleware
|
from authentik.root.middleware import ClientIPMiddleware
|
||||||
from authentik.stages.identification.signals import identification_failed
|
from authentik.stages.identification.signals import identification_failed
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
|
||||||
|
|
||||||
|
|
||||||
def update_score(request: HttpRequest, identifier: str, amount: int):
|
def update_score(request: HttpRequest, identifier: str, amount: int):
|
||||||
"""Update score for IP and User"""
|
"""Update score for IP and User"""
|
||||||
remote_ip = ClientIPMiddleware.get_client_ip(request)
|
remote_ip = ClientIPMiddleware.get_client_ip(request)
|
||||||
|
|
||||||
with transaction.atomic():
|
try:
|
||||||
reputation, created = Reputation.objects.select_for_update().get_or_create(
|
# We only update the cache here, as its faster than writing to the DB
|
||||||
ip=remote_ip,
|
score = cache.get_or_set(
|
||||||
identifier=identifier,
|
CACHE_KEY_PREFIX + remote_ip + "/" + identifier,
|
||||||
defaults={
|
{"ip": remote_ip, "identifier": identifier, "score": 0},
|
||||||
"score": amount,
|
CACHE_TIMEOUT,
|
||||||
"ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
|
|
||||||
"ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
|
|
||||||
"expires": reputation_expiry(),
|
|
||||||
},
|
|
||||||
)
|
)
|
||||||
|
score["score"] += amount
|
||||||
|
cache.set(CACHE_KEY_PREFIX + remote_ip + "/" + identifier, score)
|
||||||
|
except ValueError as exc:
|
||||||
|
LOGGER.warning("failed to set reputation", exc=exc)
|
||||||
|
|
||||||
if not created:
|
|
||||||
reputation.score = F("score") + amount
|
|
||||||
reputation.save()
|
|
||||||
LOGGER.debug("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
|
LOGGER.debug("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
|
||||||
|
save_reputation.delay()
|
||||||
|
|
||||||
|
|
||||||
@receiver(login_failed)
|
@receiver(login_failed)
|
||||||
|
|||||||
32
authentik/policies/reputation/tasks.py
Normal file
32
authentik/policies/reputation/tasks.py
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
"""Reputation tasks"""
|
||||||
|
|
||||||
|
from django.core.cache import cache
|
||||||
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR
|
||||||
|
from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
|
||||||
|
from authentik.events.models import TaskStatus
|
||||||
|
from authentik.events.system_tasks import SystemTask, prefill_task
|
||||||
|
from authentik.policies.reputation.apps import CACHE_KEY_PREFIX
|
||||||
|
from authentik.policies.reputation.models import Reputation
|
||||||
|
from authentik.root.celery import CELERY_APP
|
||||||
|
|
||||||
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
|
@CELERY_APP.task(bind=True, base=SystemTask)
|
||||||
|
@prefill_task
|
||||||
|
def save_reputation(self: SystemTask):
|
||||||
|
"""Save currently cached reputation to database"""
|
||||||
|
objects_to_update = []
|
||||||
|
for _, score in cache.get_many(cache.keys(CACHE_KEY_PREFIX + "*")).items():
|
||||||
|
rep, _ = Reputation.objects.get_or_create(
|
||||||
|
ip=score["ip"],
|
||||||
|
identifier=score["identifier"],
|
||||||
|
)
|
||||||
|
rep.ip_geo_data = GEOIP_CONTEXT_PROCESSOR.city_dict(score["ip"]) or {}
|
||||||
|
rep.ip_asn_data = ASN_CONTEXT_PROCESSOR.asn_dict(score["ip"]) or {}
|
||||||
|
rep.score = score["score"]
|
||||||
|
objects_to_update.append(rep)
|
||||||
|
Reputation.objects.bulk_update(objects_to_update, ["score", "ip_geo_data"])
|
||||||
|
self.set_status(TaskStatus.SUCCESSFUL, "Successfully updated Reputation")
|
||||||
@ -1,11 +1,14 @@
|
|||||||
"""test reputation signals and policy"""
|
"""test reputation signals and policy"""
|
||||||
|
|
||||||
|
from django.core.cache import cache
|
||||||
from django.test import RequestFactory, TestCase
|
from django.test import RequestFactory, TestCase
|
||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.policies.reputation.api import ReputationPolicySerializer
|
from authentik.policies.reputation.api import ReputationPolicySerializer
|
||||||
|
from authentik.policies.reputation.apps import CACHE_KEY_PREFIX
|
||||||
from authentik.policies.reputation.models import Reputation, ReputationPolicy
|
from authentik.policies.reputation.models import Reputation, ReputationPolicy
|
||||||
|
from authentik.policies.reputation.tasks import save_reputation
|
||||||
from authentik.policies.types import PolicyRequest
|
from authentik.policies.types import PolicyRequest
|
||||||
from authentik.stages.password import BACKEND_INBUILT
|
from authentik.stages.password import BACKEND_INBUILT
|
||||||
from authentik.stages.password.stage import authenticate
|
from authentik.stages.password.stage import authenticate
|
||||||
@ -19,6 +22,8 @@ class TestReputationPolicy(TestCase):
|
|||||||
self.request = self.request_factory.get("/")
|
self.request = self.request_factory.get("/")
|
||||||
self.test_ip = "127.0.0.1"
|
self.test_ip = "127.0.0.1"
|
||||||
self.test_username = "test"
|
self.test_username = "test"
|
||||||
|
keys = cache.keys(CACHE_KEY_PREFIX + "*")
|
||||||
|
cache.delete_many(keys)
|
||||||
# We need a user for the one-to-one in userreputation
|
# We need a user for the one-to-one in userreputation
|
||||||
self.user = User.objects.create(username=self.test_username)
|
self.user = User.objects.create(username=self.test_username)
|
||||||
self.backends = [BACKEND_INBUILT]
|
self.backends = [BACKEND_INBUILT]
|
||||||
@ -29,6 +34,13 @@ class TestReputationPolicy(TestCase):
|
|||||||
authenticate(
|
authenticate(
|
||||||
self.request, self.backends, username=self.test_username, password=self.test_username
|
self.request, self.backends, username=self.test_username, password=self.test_username
|
||||||
)
|
)
|
||||||
|
# Test value in cache
|
||||||
|
self.assertEqual(
|
||||||
|
cache.get(CACHE_KEY_PREFIX + self.test_ip + "/" + self.test_username),
|
||||||
|
{"ip": "127.0.0.1", "identifier": "test", "score": -1},
|
||||||
|
)
|
||||||
|
# Save cache and check db values
|
||||||
|
save_reputation.delay().get()
|
||||||
self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
|
self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
|
||||||
|
|
||||||
def test_user_reputation(self):
|
def test_user_reputation(self):
|
||||||
@ -37,16 +49,14 @@ class TestReputationPolicy(TestCase):
|
|||||||
authenticate(
|
authenticate(
|
||||||
self.request, self.backends, username=self.test_username, password=self.test_username
|
self.request, self.backends, username=self.test_username, password=self.test_username
|
||||||
)
|
)
|
||||||
self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
|
# Test value in cache
|
||||||
|
self.assertEqual(
|
||||||
def test_update_reputation(self):
|
cache.get(CACHE_KEY_PREFIX + self.test_ip + "/" + self.test_username),
|
||||||
"""test reputation update"""
|
{"ip": "127.0.0.1", "identifier": "test", "score": -1},
|
||||||
Reputation.objects.create(identifier=self.test_username, ip=self.test_ip, score=43)
|
|
||||||
# Trigger negative reputation
|
|
||||||
authenticate(
|
|
||||||
self.request, self.backends, username=self.test_username, password=self.test_username
|
|
||||||
)
|
)
|
||||||
self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, 42)
|
# Save cache and check db values
|
||||||
|
save_reputation.delay().get()
|
||||||
|
self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
|
||||||
|
|
||||||
def test_policy(self):
|
def test_policy(self):
|
||||||
"""Test Policy"""
|
"""Test Policy"""
|
||||||
|
|||||||
@ -5,11 +5,11 @@ from django.db.models.query import Q
|
|||||||
from django_filters.filters import BooleanFilter
|
from django_filters.filters import BooleanFilter
|
||||||
from django_filters.filterset import FilterSet
|
from django_filters.filterset import FilterSet
|
||||||
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.providers import ProviderSerializer
|
from authentik.core.api.providers import ProviderSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.providers.ldap.models import LDAPProvider
|
from authentik.providers.ldap.models import LDAPProvider
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -7,11 +7,12 @@ from guardian.utils import get_anonymous_user
|
|||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
||||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.users import UserSerializer
|
from authentik.core.api.users import UserSerializer
|
||||||
from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
|
from authentik.core.api.utils import MetaNameSerializer
|
||||||
from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
|
from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
|
||||||
from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
|
from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
|
||||||
|
|
||||||
|
|||||||
@ -4,10 +4,9 @@ from urllib.parse import urlencode
|
|||||||
|
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
|
|
||||||
from authentik.core.models import Application, Group
|
from authentik.core.models import Application
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.policies.models import PolicyBinding
|
|
||||||
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
|
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
||||||
from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
|
from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
|
||||||
@ -78,23 +77,3 @@ class TesOAuth2DeviceInit(OAuthTestCase):
|
|||||||
+ "?"
|
+ "?"
|
||||||
+ urlencode({QS_KEY_CODE: token.user_code}),
|
+ urlencode({QS_KEY_CODE: token.user_code}),
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_device_init_denied(self):
|
|
||||||
"""Test device init"""
|
|
||||||
group = Group.objects.create(name="foo")
|
|
||||||
PolicyBinding.objects.create(
|
|
||||||
group=group,
|
|
||||||
target=self.application,
|
|
||||||
order=0,
|
|
||||||
)
|
|
||||||
token = DeviceToken.objects.create(
|
|
||||||
user_code="foo",
|
|
||||||
provider=self.provider,
|
|
||||||
)
|
|
||||||
res = self.client.get(
|
|
||||||
reverse("authentik_providers_oauth2_root:device-login")
|
|
||||||
+ "?"
|
|
||||||
+ urlencode({QS_KEY_CODE: token.user_code})
|
|
||||||
)
|
|
||||||
self.assertEqual(res.status_code, 200)
|
|
||||||
self.assertIn(b"Permission denied", res.content)
|
|
||||||
|
|||||||
@ -11,11 +11,10 @@ from django.views.decorators.csrf import csrf_exempt
|
|||||||
from rest_framework.throttling import AnonRateThrottle
|
from rest_framework.throttling import AnonRateThrottle
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.core.models import Application
|
|
||||||
from authentik.lib.config import CONFIG
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.lib.utils.time import timedelta_from_string
|
from authentik.lib.utils.time import timedelta_from_string
|
||||||
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
|
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
|
||||||
from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
|
from authentik.providers.oauth2.views.device_init import QS_KEY_CODE, get_application
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
|
||||||
@ -38,9 +37,7 @@ class DeviceView(View):
|
|||||||
).first()
|
).first()
|
||||||
if not provider:
|
if not provider:
|
||||||
return HttpResponseBadRequest()
|
return HttpResponseBadRequest()
|
||||||
try:
|
if not get_application(provider):
|
||||||
_ = provider.application
|
|
||||||
except Application.DoesNotExist:
|
|
||||||
return HttpResponseBadRequest()
|
return HttpResponseBadRequest()
|
||||||
self.provider = provider
|
self.provider = provider
|
||||||
self.client_id = client_id
|
self.client_id = client_id
|
||||||
|
|||||||
@ -1,9 +1,8 @@
|
|||||||
"""Device flow views"""
|
"""Device flow views"""
|
||||||
|
|
||||||
from typing import Any
|
|
||||||
|
|
||||||
from django.http import HttpRequest, HttpResponse
|
from django.http import HttpRequest, HttpResponse
|
||||||
from django.utils.translation import gettext as _
|
from django.utils.translation import gettext as _
|
||||||
|
from django.views import View
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
from rest_framework.fields import CharField, IntegerField
|
from rest_framework.fields import CharField, IntegerField
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
@ -17,8 +16,7 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO,
|
|||||||
from authentik.flows.stage import ChallengeStageView
|
from authentik.flows.stage import ChallengeStageView
|
||||||
from authentik.flows.views.executor import SESSION_KEY_PLAN
|
from authentik.flows.views.executor import SESSION_KEY_PLAN
|
||||||
from authentik.lib.utils.urls import redirect_with_qs
|
from authentik.lib.utils.urls import redirect_with_qs
|
||||||
from authentik.policies.views import PolicyAccessView
|
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
|
||||||
from authentik.providers.oauth2.models import DeviceToken
|
|
||||||
from authentik.providers.oauth2.views.device_finish import (
|
from authentik.providers.oauth2.views.device_finish import (
|
||||||
PLAN_CONTEXT_DEVICE,
|
PLAN_CONTEXT_DEVICE,
|
||||||
OAuthDeviceCodeFinishStage,
|
OAuthDeviceCodeFinishStage,
|
||||||
@ -33,52 +31,60 @@ LOGGER = get_logger()
|
|||||||
QS_KEY_CODE = "code" # nosec
|
QS_KEY_CODE = "code" # nosec
|
||||||
|
|
||||||
|
|
||||||
class CodeValidatorView(PolicyAccessView):
|
def get_application(provider: OAuth2Provider) -> Application | None:
|
||||||
"""Helper to validate frontside token"""
|
"""Get application from provider"""
|
||||||
|
try:
|
||||||
def __init__(self, code: str, **kwargs: Any) -> None:
|
app = provider.application
|
||||||
super().__init__(**kwargs)
|
if not app:
|
||||||
self.code = code
|
|
||||||
|
|
||||||
def resolve_provider_application(self):
|
|
||||||
self.token = DeviceToken.objects.filter(user_code=self.code).first()
|
|
||||||
if not self.token:
|
|
||||||
raise Application.DoesNotExist
|
|
||||||
self.provider = self.token.provider
|
|
||||||
self.application = self.token.provider.application
|
|
||||||
|
|
||||||
def get(self, request: HttpRequest, *args, **kwargs):
|
|
||||||
scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
|
|
||||||
planner = FlowPlanner(self.provider.authorization_flow)
|
|
||||||
planner.allow_empty_flows = True
|
|
||||||
planner.use_cache = False
|
|
||||||
try:
|
|
||||||
plan = planner.plan(
|
|
||||||
request,
|
|
||||||
{
|
|
||||||
PLAN_CONTEXT_SSO: True,
|
|
||||||
PLAN_CONTEXT_APPLICATION: self.application,
|
|
||||||
# OAuth2 related params
|
|
||||||
PLAN_CONTEXT_DEVICE: self.token,
|
|
||||||
# Consent related params
|
|
||||||
PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
|
|
||||||
% {"application": self.application.name},
|
|
||||||
PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
|
|
||||||
},
|
|
||||||
)
|
|
||||||
except FlowNonApplicableException:
|
|
||||||
LOGGER.warning("Flow not applicable to user")
|
|
||||||
return None
|
return None
|
||||||
plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
|
return app
|
||||||
request.session[SESSION_KEY_PLAN] = plan
|
except Application.DoesNotExist:
|
||||||
return redirect_with_qs(
|
return None
|
||||||
"authentik_core:if-flow",
|
|
||||||
request.GET,
|
|
||||||
flow_slug=self.token.provider.authorization_flow.slug,
|
def validate_code(code: int, request: HttpRequest) -> HttpResponse | None:
|
||||||
|
"""Validate user token"""
|
||||||
|
token = DeviceToken.objects.filter(
|
||||||
|
user_code=code,
|
||||||
|
).first()
|
||||||
|
if not token:
|
||||||
|
return None
|
||||||
|
|
||||||
|
app = get_application(token.provider)
|
||||||
|
if not app:
|
||||||
|
return None
|
||||||
|
|
||||||
|
scope_descriptions = UserInfoView().get_scope_descriptions(token.scope, token.provider)
|
||||||
|
planner = FlowPlanner(token.provider.authorization_flow)
|
||||||
|
planner.allow_empty_flows = True
|
||||||
|
planner.use_cache = False
|
||||||
|
try:
|
||||||
|
plan = planner.plan(
|
||||||
|
request,
|
||||||
|
{
|
||||||
|
PLAN_CONTEXT_SSO: True,
|
||||||
|
PLAN_CONTEXT_APPLICATION: app,
|
||||||
|
# OAuth2 related params
|
||||||
|
PLAN_CONTEXT_DEVICE: token,
|
||||||
|
# Consent related params
|
||||||
|
PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
|
||||||
|
% {"application": app.name},
|
||||||
|
PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
except FlowNonApplicableException:
|
||||||
|
LOGGER.warning("Flow not applicable to user")
|
||||||
|
return None
|
||||||
|
plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
|
||||||
|
request.session[SESSION_KEY_PLAN] = plan
|
||||||
|
return redirect_with_qs(
|
||||||
|
"authentik_core:if-flow",
|
||||||
|
request.GET,
|
||||||
|
flow_slug=token.provider.authorization_flow.slug,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class DeviceEntryView(PolicyAccessView):
|
class DeviceEntryView(View):
|
||||||
"""View used to initiate the device-code flow, url entered by endusers"""
|
"""View used to initiate the device-code flow, url entered by endusers"""
|
||||||
|
|
||||||
def dispatch(self, request: HttpRequest) -> HttpResponse:
|
def dispatch(self, request: HttpRequest) -> HttpResponse:
|
||||||
@ -88,9 +94,7 @@ class DeviceEntryView(PolicyAccessView):
|
|||||||
LOGGER.info("Brand has no device code flow configured", brand=brand)
|
LOGGER.info("Brand has no device code flow configured", brand=brand)
|
||||||
return HttpResponse(status=404)
|
return HttpResponse(status=404)
|
||||||
if QS_KEY_CODE in request.GET:
|
if QS_KEY_CODE in request.GET:
|
||||||
validation = CodeValidatorView(request.GET[QS_KEY_CODE], request=request).dispatch(
|
validation = validate_code(request.GET[QS_KEY_CODE], request)
|
||||||
request
|
|
||||||
)
|
|
||||||
if validation:
|
if validation:
|
||||||
return validation
|
return validation
|
||||||
LOGGER.info("Got code from query parameter but no matching token found")
|
LOGGER.info("Got code from query parameter but no matching token found")
|
||||||
@ -127,7 +131,7 @@ class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
|
|||||||
|
|
||||||
def validate_code(self, code: int) -> HttpResponse | None:
|
def validate_code(self, code: int) -> HttpResponse | None:
|
||||||
"""Validate code and save the returned http response"""
|
"""Validate code and save the returned http response"""
|
||||||
response = CodeValidatorView(code, request=self.stage.request).dispatch(self.stage.request)
|
response = validate_code(code, self.stage.request)
|
||||||
if not response:
|
if not response:
|
||||||
raise ValidationError(_("Invalid code"), "invalid")
|
raise ValidationError(_("Invalid code"), "invalid")
|
||||||
return response
|
return response
|
||||||
|
|||||||
@ -6,11 +6,12 @@ from django.utils.translation import gettext_lazy as _
|
|||||||
from drf_spectacular.utils import extend_schema_field
|
from drf_spectacular.utils import extend_schema_field
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
from rest_framework.fields import CharField, ListField, ReadOnlyField, SerializerMethodField
|
from rest_framework.fields import CharField, ListField, ReadOnlyField, SerializerMethodField
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.providers import ProviderSerializer
|
from authentik.core.api.providers import ProviderSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer, PassiveSerializer
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.lib.utils.time import timedelta_from_string
|
from authentik.lib.utils.time import timedelta_from_string
|
||||||
from authentik.providers.oauth2.models import ScopeMapping
|
from authentik.providers.oauth2.models import ScopeMapping
|
||||||
from authentik.providers.oauth2.views.provider import ProviderInfoView
|
from authentik.providers.oauth2.views.provider import ProviderInfoView
|
||||||
|
|||||||
@ -1,11 +1,11 @@
|
|||||||
"""RadiusProvider API Views"""
|
"""RadiusProvider API Views"""
|
||||||
|
|
||||||
from rest_framework.fields import CharField, ListField
|
from rest_framework.fields import CharField, ListField
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
||||||
|
|
||||||
from authentik.core.api.providers import ProviderSerializer
|
from authentik.core.api.providers import ProviderSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.providers.radius.models import RadiusProvider
|
from authentik.providers.radius.models import RadiusProvider
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -268,7 +268,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
|
|||||||
except ValueError as exc: # pragma: no cover
|
except ValueError as exc: # pragma: no cover
|
||||||
LOGGER.warning(str(exc))
|
LOGGER.warning(str(exc))
|
||||||
raise ValidationError(
|
raise ValidationError(
|
||||||
_("Failed to import Metadata: {messages}".format_map({"messages": str(exc)})),
|
_("Failed to import Metadata: {messages}".format_map({"message": str(exc)})),
|
||||||
) from None
|
) from None
|
||||||
return Response(status=204)
|
return Response(status=204)
|
||||||
|
|
||||||
|
|||||||
@ -1,12 +1,11 @@
|
|||||||
"""SCIMProviderGroup API Views"""
|
"""SCIMProviderGroup API Views"""
|
||||||
|
|
||||||
from rest_framework import mixins
|
from rest_framework import mixins
|
||||||
|
from rest_framework.serializers import ModelSerializer
|
||||||
from rest_framework.viewsets import GenericViewSet
|
from rest_framework.viewsets import GenericViewSet
|
||||||
|
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.users import UserGroupSerializer
|
from authentik.core.api.users import UserGroupSerializer
|
||||||
from authentik.core.api.utils import ModelSerializer
|
|
||||||
from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
|
|
||||||
from authentik.providers.scim.models import SCIMProviderGroup
|
from authentik.providers.scim.models import SCIMProviderGroup
|
||||||
|
|
||||||
|
|
||||||
@ -29,7 +28,6 @@ class SCIMProviderGroupSerializer(ModelSerializer):
|
|||||||
|
|
||||||
class SCIMProviderGroupViewSet(
|
class SCIMProviderGroupViewSet(
|
||||||
mixins.CreateModelMixin,
|
mixins.CreateModelMixin,
|
||||||
OutgoingSyncConnectionCreateMixin,
|
|
||||||
mixins.RetrieveModelMixin,
|
mixins.RetrieveModelMixin,
|
||||||
mixins.DestroyModelMixin,
|
mixins.DestroyModelMixin,
|
||||||
UsedByMixin,
|
UsedByMixin,
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user