2020-12-05 21:08:42 +00:00
|
|
|
"""authentik crypto app config"""
|
2022-08-01 21:05:58 +00:00
|
|
|
from datetime import datetime
|
|
|
|
from typing import TYPE_CHECKING, Optional
|
2021-10-09 17:14:39 +00:00
|
|
|
|
2022-08-29 19:20:58 +00:00
|
|
|
from authentik.blueprints.apps import ManagedAppConfig
|
2022-08-02 22:05:49 +00:00
|
|
|
from authentik.lib.generators import generate_id
|
2020-12-05 21:08:42 +00:00
|
|
|
|
2022-08-01 21:05:58 +00:00
|
|
|
if TYPE_CHECKING:
|
|
|
|
from authentik.crypto.models import CertificateKeyPair
|
2020-12-05 21:08:42 +00:00
|
|
|
|
2022-08-01 21:05:58 +00:00
|
|
|
MANAGED_KEY = "goauthentik.io/crypto/jwt-managed"
|
|
|
|
|
|
|
|
|
|
|
|
class AuthentikCryptoConfig(ManagedAppConfig):
|
2020-12-05 21:08:42 +00:00
|
|
|
"""authentik crypto app config"""
|
|
|
|
|
|
|
|
name = "authentik.crypto"
|
|
|
|
label = "authentik_crypto"
|
|
|
|
verbose_name = "authentik Crypto"
|
2022-08-01 21:05:58 +00:00
|
|
|
default = True
|
|
|
|
|
|
|
|
def reconcile_load_crypto_tasks(self):
|
|
|
|
"""Load crypto tasks"""
|
|
|
|
self.import_module("authentik.crypto.tasks")
|
|
|
|
|
|
|
|
def _create_update_cert(self, cert: Optional["CertificateKeyPair"] = None):
|
|
|
|
from authentik.crypto.builder import CertificateBuilder
|
|
|
|
from authentik.crypto.models import CertificateKeyPair
|
|
|
|
|
|
|
|
builder = CertificateBuilder()
|
|
|
|
builder.common_name = "goauthentik.io"
|
|
|
|
builder.build(
|
|
|
|
subject_alt_names=["goauthentik.io"],
|
|
|
|
validity_days=360,
|
|
|
|
)
|
|
|
|
if not cert:
|
|
|
|
|
|
|
|
cert = CertificateKeyPair()
|
|
|
|
cert.certificate_data = builder.certificate
|
|
|
|
cert.key_data = builder.private_key
|
|
|
|
cert.name = "authentik Internal JWT Certificate"
|
|
|
|
cert.managed = MANAGED_KEY
|
|
|
|
cert.save()
|
|
|
|
|
|
|
|
def reconcile_managed_jwt_cert(self):
|
|
|
|
"""Ensure managed JWT certificate"""
|
|
|
|
from authentik.crypto.models import CertificateKeyPair
|
2021-10-09 17:14:39 +00:00
|
|
|
|
2022-08-01 21:05:58 +00:00
|
|
|
certs = CertificateKeyPair.objects.filter(managed=MANAGED_KEY)
|
|
|
|
if not certs.exists():
|
|
|
|
self._create_update_cert()
|
|
|
|
return
|
|
|
|
cert: CertificateKeyPair = certs.first()
|
|
|
|
now = datetime.now()
|
|
|
|
if now < cert.certificate.not_valid_before or now > cert.certificate.not_valid_after:
|
|
|
|
self._create_update_cert(cert)
|
2022-08-02 22:05:49 +00:00
|
|
|
|
|
|
|
def reconcile_self_signed(self):
|
|
|
|
"""Create self-signed keypair"""
|
|
|
|
from authentik.crypto.builder import CertificateBuilder
|
|
|
|
from authentik.crypto.models import CertificateKeyPair
|
|
|
|
|
|
|
|
name = "authentik Self-signed Certificate"
|
|
|
|
if CertificateKeyPair.objects.filter(name=name).exists():
|
|
|
|
return
|
|
|
|
builder = CertificateBuilder()
|
|
|
|
builder.build(subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"])
|
|
|
|
CertificateKeyPair.objects.create(
|
|
|
|
name="authentik Self-signed Certificate",
|
|
|
|
certificate_data=builder.certificate,
|
|
|
|
key_data=builder.private_key,
|
|
|
|
)
|