From 1ffb7efed6c3d2c243496794bcb1c9e29e1133af Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Wed, 30 Aug 2023 00:08:04 +0200
Subject: [PATCH] blueprints: fix policy exception causing password stage to be
 skipped after upgrade (#6674)

* blueprints: fix policy exception causing password stage to be skipped after upgrade

* make policy more fault tolerant

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 blueprints/default/flow-default-authentication-flow.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/blueprints/default/flow-default-authentication-flow.yaml b/blueprints/default/flow-default-authentication-flow.yaml
index 47cf27863..123c4e5a7 100644
--- a/blueprints/default/flow-default-authentication-flow.yaml
+++ b/blueprints/default/flow-default-authentication-flow.yaml
@@ -51,6 +51,8 @@ entries:
     order: 20
     stage: !KeyOf default-authentication-password
     target: !KeyOf flow
+  attrs:
+    re_evaluate_policies: true
   id: default-authentication-flow-password-binding
   model: authentik_flows.flowstagebinding
 - identifiers:
@@ -69,10 +71,12 @@ entries:
     name: default-authentication-flow-password-stage
   attrs:
     expression: |
-      flow_plan = request.context["flow_plan"]
+      flow_plan = request.context.get("flow_plan")
+      if not flow_plan:
+          return True
       # If the user does not have a backend attached to it, they haven't
       # been authenticated yet and we need the password stage
-      return not hasattr(flow_plan.context["pending_user"], "backend")
+      return not hasattr(flow_plan.context.get("pending_user"), "backend")
 - model: authentik_policies.policybinding
   identifiers:
     order: 10