dad24c03ff
* outposts: initial cookie domain implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add cookie domain setting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: replace forward_auth_mode with general mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: rebuild proxy provider form Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: re-add forward_auth_mode for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix data.mode not being set Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: always set log level to debug when testing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: use new mode attribute Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only ingress /akprox on forward_domain Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: fix lint error Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix error on ProxyProviderForm when not using proxy mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix default for outpost form's type missing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add additional desc for proxy modes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts: fix service account permissions not always being updated Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost/proxy: fix redirecting to incorrect host for domain mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: improve error handling for network errors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost: fix image naming not matching main imaeg Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: fix redirects for domain mode and traefik Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: fix colour for paragraphs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix consent stage not showing permissions correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: add domain-level docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: fix broken links Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: remove dead code Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix missing id for #header-text Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
134 lines
4.3 KiB
Python
134 lines
4.3 KiB
Python
"""ProxyProvider API Views"""
|
|
from typing import Any
|
|
|
|
from drf_spectacular.utils import extend_schema_field
|
|
from rest_framework.exceptions import ValidationError
|
|
from rest_framework.fields import CharField, ListField, SerializerMethodField
|
|
from rest_framework.serializers import ModelSerializer
|
|
from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
|
|
|
|
from authentik.core.api.providers import ProviderSerializer
|
|
from authentik.core.api.utils import PassiveSerializer
|
|
from authentik.providers.oauth2.views.provider import ProviderInfoView
|
|
from authentik.providers.proxy.models import ProxyMode, ProxyProvider
|
|
|
|
|
|
class OpenIDConnectConfigurationSerializer(PassiveSerializer):
|
|
"""rest_framework Serializer for OIDC Configuration"""
|
|
|
|
issuer = CharField()
|
|
authorization_endpoint = CharField()
|
|
token_endpoint = CharField()
|
|
userinfo_endpoint = CharField()
|
|
end_session_endpoint = CharField()
|
|
introspection_endpoint = CharField()
|
|
jwks_uri = CharField()
|
|
|
|
response_types_supported = ListField(child=CharField())
|
|
id_token_signing_alg_values_supported = ListField(child=CharField())
|
|
subject_types_supported = ListField(child=CharField())
|
|
token_endpoint_auth_methods_supported = ListField(child=CharField())
|
|
|
|
|
|
class ProxyProviderSerializer(ProviderSerializer):
|
|
"""ProxyProvider Serializer"""
|
|
|
|
redirect_uris = CharField(read_only=True)
|
|
|
|
def validate(self, attrs) -> dict[Any, str]:
|
|
"""Check that internal_host is set when mode is Proxy"""
|
|
if (
|
|
attrs.get("mode", ProxyMode.PROXY) == ProxyMode.PROXY
|
|
and attrs.get("internal_host", "") == ""
|
|
):
|
|
raise ValidationError(
|
|
"Internal host cannot be empty when forward auth is disabled."
|
|
)
|
|
return attrs
|
|
|
|
def create(self, validated_data):
|
|
instance: ProxyProvider = super().create(validated_data)
|
|
instance.set_oauth_defaults()
|
|
instance.save()
|
|
return instance
|
|
|
|
def update(self, instance: ProxyProvider, validated_data):
|
|
instance = super().update(instance, validated_data)
|
|
instance.set_oauth_defaults()
|
|
instance.save()
|
|
return instance
|
|
|
|
class Meta:
|
|
|
|
model = ProxyProvider
|
|
fields = ProviderSerializer.Meta.fields + [
|
|
"internal_host",
|
|
"external_host",
|
|
"internal_host_ssl_validation",
|
|
"certificate",
|
|
"skip_path_regex",
|
|
"basic_auth_enabled",
|
|
"basic_auth_password_attribute",
|
|
"basic_auth_user_attribute",
|
|
"mode",
|
|
"redirect_uris",
|
|
"cookie_domain",
|
|
]
|
|
|
|
|
|
class ProxyProviderViewSet(ModelViewSet):
|
|
"""ProxyProvider Viewset"""
|
|
|
|
queryset = ProxyProvider.objects.all()
|
|
serializer_class = ProxyProviderSerializer
|
|
ordering = ["name"]
|
|
|
|
|
|
class ProxyOutpostConfigSerializer(ModelSerializer):
|
|
"""Proxy provider serializer for outposts"""
|
|
|
|
oidc_configuration = SerializerMethodField()
|
|
forward_auth_mode = SerializerMethodField()
|
|
|
|
def get_forward_auth_mode(self, instance: ProxyProvider) -> bool:
|
|
"""Legacy field for 2021.5 outposts"""
|
|
# TODO: remove in 2021.7
|
|
return instance.mode in [ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_DOMAIN]
|
|
|
|
class Meta:
|
|
|
|
model = ProxyProvider
|
|
fields = [
|
|
"pk",
|
|
"name",
|
|
"internal_host",
|
|
"external_host",
|
|
"internal_host_ssl_validation",
|
|
"client_id",
|
|
"client_secret",
|
|
"oidc_configuration",
|
|
"cookie_secret",
|
|
"certificate",
|
|
"skip_path_regex",
|
|
"basic_auth_enabled",
|
|
"basic_auth_password_attribute",
|
|
"basic_auth_user_attribute",
|
|
"mode",
|
|
"cookie_domain",
|
|
# Legacy field, remove in 2021.7
|
|
"forward_auth_mode",
|
|
]
|
|
|
|
@extend_schema_field(OpenIDConnectConfigurationSerializer)
|
|
def get_oidc_configuration(self, obj: ProxyProvider):
|
|
"""Embed OpenID Connect provider information"""
|
|
return ProviderInfoView(request=self.context["request"]._request).get_info(obj)
|
|
|
|
|
|
class ProxyOutpostConfigViewSet(ReadOnlyModelViewSet):
|
|
"""ProxyProvider Viewset"""
|
|
|
|
queryset = ProxyProvider.objects.filter(application__isnull=False)
|
|
serializer_class = ProxyOutpostConfigSerializer
|
|
ordering = ["name"]
|